Cookie Consent
This website uses cookies to improve the user experience. By clicking accept, you agree to the use of cookies. You can object by clicking decline. Find more details in our privacy policy.
This is how we implement the new European General Data Protection Regulation, here at Boxcryptor.
Andrea Pfundmeier, CEO and Co-Founder at Boxcryptor
Andrea Pfundmeier | CEO
Thursday, April 19, 2018

Boxcryptor’s GDPR Journey Part 4: Dealing with Third Party Providers

Since May 25th 2018 the new General Data Protection (GDPR) applies for Boxcryptor and all companies, processing any personal data of EU citizens. This new provision of the European Union is fundamentally reshaping how personal data is processed within the EU. The amendment is demanding far-ranging changes and re-structuring of the companies. Surveys show that the GDPR is striking fear in many companies affected by this regulation. We, at Boxcryptor decided to perceive the GDPR as a chance, rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier is going to report how the new GDPR is implemented and applied at Boxcryptor, in a multi-part series of articles.

Read the other parts of the series here:

Part 1 – Getting an overview (Steps 1-4) Part 2 – Optimization of existing processes (Steps 5-8) Part 3 – Internal implementation and external data protection officers Part 5 – Encryption Part 6 – Before GDPR is past GDPR

Step 9: Review of Third Party Providers

Third party providers are companies and services we depend on to manage our business. In the framework of the new GDPR, the term applies to all providers processing personal data on our account. Here are some examples:

  • Mailchimp – email newsletter distribution
  • Onapply – web-based job application processing
  • Salesforce – invoicing and customer retention management
  • Dropbox – storage of company data

As described in step 2 (documenting processes) I have already compiled a complete list of third party services. Now every one of them has to be checked for GDPR compliance. For this reason, I did conducted research on the providers’ websites for information on the status of their GDPR-compliance measures. Some companies have been assiduously and are already providing extensive information on that matter, e.g. Mailchimp’s GDPR information page. For the companies I was able to find all necessary information, I added a checkmark on my list. In all other cases I contacted the respective company and asked for a statement, following these questions: 1. What is the current status of GDPR implementation? 2. When will GDPR compliance be achieved? 3. When will the company be able to send me the respective documents?

In some cases, the companies responded quite extensively, in others I simply got redirected to the law department or received a date, GDPR compliance is supposed to be achieved. The answers were put on my list and I created templates for further requests so I will not lose track in the future.

Third Party Providers and the External Data Protection Officer

In part 3 of our GDPR article series I also mentioned the installment of an external data protection officer (DPO) – despite being not legally obligated to do so. But as CEO, I am factually not allowed (by law) to take on this position. Furthermore, none of our employees has enough capacities to take on this responsibility. In addition, the necessary initial and following trainings would probably cause a collapse of our current start-up structures. I furthermore consider the fact that internal DPOs are nonredeemable - an interesting information for some employers.

Supervision of service providers and the implementation of guidelines for commissioned data processing are part of the DPO’s work. In recruiting a DPO for our company, industry knowledge was a crucial criterion for me. For us, as an IT company it is essential that our service providers know our internal processes and the tools we are working with. Further I need partners who are open-minded towards future innovations.

Apart from that I consciously choose a regional DPO, to keep personal contact as simple as possible. Short distances for trainings and other appointments are really important to me – as is mutual trust. To see whether this may develop throughout our collaboration, we agreed to a one-year contract duration, initially.

As it applies to many topics, having conversations with other entrepreneurs and exchanging experiences about external DPOs proves to be rather successful. By doing so, you will certainly receive valuable references.

Поделиться этой записью

Получите наш эксклюзивный, бесплатный справочный документ о GDPR

Справочный документ с полным обзором GDPR: Мы собрали самую важную информацию, которая поможет Вам в ваших исследованиях GDPR. Ваш бизнес готов к четвёртой промышленной революции и Вы хотите использовать возможности, которые приносит GDPR? Тогда получите наш эксклюзивный, бесплатный справочный документ сейчас.

Вводя мой адрес электронной почты, я согласен/согласна с тем, что Secomba GmbH будет отправлять мне информацию по электронной почте. Я могу отозвать это соглашение в любое время.