The European Union’s General Data Protection Regulation (hereinafter the GDPR) comes into effect on 25 May 2018. This new piece of legislation has a great impact on every business that handles the personal data of EU residents or within the EU.
Please note: We have updated our Terms of Service and Privacy Policy to respect changes required by the GDPR. We have also adjusted contracts with our subcontractors and our internal processes where new duties are mandated by the GDPR.
This article provides an overview of personal data handling relevant to Datamolino as your invoice processing platform.
The GDPR distinguishes between Data Controllers and Data Processors. Data Controller is the person or business that determines the purposes and means of the processing of personal data. Data Processor is the person or business that processes personal data solely on behalf of, and as directed by, data controllers.
Data processing and constent
According to the Article 6 of the GDPR, there are several grounds for lawful processing of personal data.
GDPR Article 6(1):
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Datamolino is required by law to process and retain certain kinds of data, especially with regards to billing and tax purposes. We always process the data only to the extent required by legal regulations. For type of data where Datamolino is not lawfully required to process the data, we may ask for your consent to process the data according to GDPR Article 6(1)(a)
Datamolino as the data controller
Datamolino acts as the data controller for the personal data we collect about you, the user of our web app, mobile apps, and website. We process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)), as well as data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
We also process your personal data for legitimate interests in line with GDPR Article 6(1)(f).
The ‘legitimate interests’ include:
User on-boarding and customer support
Data analytics about your app usage that helps us to improve the app
Making sure that your data and our systems are safe and secure
Responsible marketing of our product and its features
As the controller for your personal data, Datamolino is committed to respect all your rights under the GDPR. If you have any questions or feedback, please reach out to us at support@datamolino.com with the subject: GDPR Privacy.
Datamolino as the data processor
The people that you invite to your Datamolino Folders as users are also your data subjects, and you are considered the data controller for this personal data.
If the documents or emails that you upload to your Datamolino Folders contain personal data, you re considered the data controller for this personal data.
In our Terms of Service and Privacy Policy, we refer to this data as Client Data [TOS and PP are pending update that is due before GDPR takes effect].
Using Datamolino to manage your invoice processing needs means that you have engaged Datamolino as a data processor to carry out certain processing activities on your behalf.
According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article). This is where our Terms of Service and Privacy Policy come in. These two documents also serve as your data processing contract, setting out the instructions that you are giving to Datamolino with regard to processing the personal data you control and establishing the rights and responsibilities of both parties. Datamolino will only process your Client Data based on your instructions as the data controller.
All customers have a contractual relationship with our EU entity, based in Slovakia.
Datamolino and the GDPR
As a company with roots in Europe, we appreciate the privacy needs of Datamolino users as well as their customers and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Datamolino.
With GDPR effective on May 25th, 2018, all our processes are GDPR compliant.
When it comes to data storage: Similar to many SaaS providers, we use Amazon Web Services with servers located in Ireland.
In preparation for the GDPR and in a nutshell we have taken the following steps:
We conducted a GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to be compliant with GDPR on and after May 25th, 2018. - DONE
We have mapped how personal data flows throughout our systems and services. - DONE
We have reviewed our key third-party vendor arrangements to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements. - DONE
We have updated our external-facing policies to be GDPR compliant and informed our users about any changes that are relevant to their use of our system. - DONE