Under GDPR, the handling of personal data covered by the legislation involves two distinct actors: the data controller and the data processor.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data.
A processor is the entity which processes that personal data in some manner on behalf of the controller.
This means that our customers are identified as the data controllers while FRENDS is a data processor.
In this regard, FRENDS will ensure that you, as the data controller, will be able to fulfill all of your legal obligations regarding GDPR inside FRENDS.
FRENDS actively monitors possible data breaches on a platform level using Azure Security Center best practices outlined here (Detecting Threats With Azure Security Center).
We commit to notifying you within 36 hours of a detected breach and its severity.
This will give you enough time, as a data controller, to notify your end users of the breach.
We also expect you to notify us within 72 hours of a breach arising in other systems.
Under GDPR, any individual within the EU can ask you, the data controller, whether their personal data is being processed, where and for what purpose.
FRENDS has native monitoring tools and supports full data auditing, meaning you can find all integration flows where an individual's data has been processed.
From this monitoring data you can discern where the data has been used and for what purpose.
You can use any data field or combination of fields to search for integration flow executions containing an individual's data.
Note that only data that has actually been processed in FRENDS can be searched. If, for example, FRENDS only transferred a secured file whose contents contain personal data, that data is not considered to have been processed in FRENDS.
Under GDPR, any individual within the EU can ask that you, the data controller, erase all personal data regarding that individual.
In FRENDS, just as you can find all integration flow instances containing an individual's data, you can delete those same integration flow instances from all data locations within FRENDS using FRENDS native features.
Deleting an integration flow instance removes all data associated with that integration flow instance, meaning you will lose the data itself and the information on where it was used.
Note that while you are able to remove an individual's personal information in FRENDS, FRENDS is not able to remove that information from the systems it has been integrated with.
Using the features listed under 'Right to Access', you can find out specifically each system and application in which FRENDS has used the personal information.
GDPR introduces the concept of 'Privacy by Design', which means that data controllers and processors should take steps to minimize the risk involved in handling personal data.
In FRENDS we tackle this by enabling customers to use 'data minimization', where the integration flows can be implemented to only process the absolute minimal amount of personal data.
This 'data minimization' can be implemented when accessing personal data or systems by dropping (scrubbing) data fields that contain unnecessary personal data.
Data minimization can also be natively configured for FRENDS logging, meaning you can process data fields but drop/scrub them when logging monitoring and audit trail information.
FRENDS also contains out-of-the-box, fine-grained user management tools, which you can use to limit the number of people who can view monitoring data containing personal information.
User management can also be tailored to fit your organization's authentication protocols and security policies.
HiQ Finland Oy Data Controller
HiQ Finland Oy Data Protection Officer
This policy is effective as of 1 October 2018.
We have been around for over 25 years now, as the first version of FRENDS was launched in 1989 to automate the communication between gas stations and the parent company's centralized IT.