GDPR – Records Management Policy of Estratos Digital GmbH for the ‘Lunda’ Fundraising Form
1.1. This policy, together with the associated standards, applies to the management of all documents and records, in all technical or physical formats or media, created or received by Estratos Digital GmbH in the conduct of its business activities on the ‘Lunda’ fundraising form. It applies to all staff, contractors, consultants and third parties who are given access to our documents and records and information processing facilities.
1.2. Estratos Digital GmbH is committed to maintaining the confidentiality of its information and ensuring that all records within Estratos Digital GmbH are only accessible by the appropriate individuals. In line with the requirements of the General Data Protection Regulation (GDPR), Estratos Digital GmbH also has a responsibility to ensure that all records are only kept for as long as is necessary to fulfil the purpose(s) for which they were intended.
1.3. Estratos Digital GmbH has created this policy to outline how records are stored, accessed, monitored, retained and disposed of, in order to meet its statutory requirements. This policy applies to all records created, received, maintained or processed by staff of Estratos Digital GmbH in undertaking its functions on ‘Lunda’.
1.4. Records are defined as all documents which facilitate the business carried out by Estratos Digital GmbH and are retained for a defined period of time in order to provide evidence of its transactions and activities. Documentation may be processed in electronic format; hard copies are only printed and held if this is required under law, by a Client of Estratos Digital GmbH acting as data processor of the given data, or by the data subject.
1.5. This document complies with the requirements set out in the GDPR. The retention periods outlined in this policy are good practice guidelines, and the decision-making process of Estratos Digital GmbH should ensure that specific requirements for setting shorter retention periods are considered by the controller of the given data when implementing these timeframes.
2. Legal framework
2.1. This policy has due regard to legislation including, but not limited to, the following:
General Data Protection Regulation (2016)
Personal Data Protection Act of Austria (Datenschutzgesetz, 1999)
2.2. This policy will be implemented in accordance with the following policies and procedures:
Security and Compliance Policy for the ‘Lunda’ fundraising form
Terms and conditions of Estratos Digital products
3.1. Estratos Digital GmbH as a whole has a responsibility for maintaining its records and recordkeeping systems in line with statutory requirements.
3.2. The Managing Partner holds overall responsibility for this policy and for ensuring it is implemented correctly.
3.3. The Data Protection Officer (hereinafter: DPO) supports the management of records.
3.4. The Managing Partner is responsible for promoting compliance with this policy and reviewing the policy on an annual basis, in conjunction with the DPO.
3.5. The Managing Partner is responsible for ensuring that all records are stored securely, in accordance with the retention periods outlined in this policy, and are disposed of correctly.
3.6. All staff members are responsible for ensuring that any records for which they are responsible are accurate, maintained securely and disposed of correctly, in line with the provisions of this policy.
3.7. The Managing Partner is responsible for ensuring that any contracts held with third parties who process personally identifiable information (considered as data processors or subprocessors as outlined in the GDPR) are compliant with the GDPR.
4. Management of personal data as a data processor
4.1. Estratos Digital GmbH operates the ‘Lunda’ fundraising form to provide IT solutions for political fundraising campaigns as a data processor. ‘Lunda’ is an opt-in only tool facilitating the communication of the client organisations (political parties, politicians, NGOs, advocacy groups, hereinafter referred to as Clients) with private individuals who have freely given their consent for the use of the product. The rights and duties of the controller are exercised by the Clients without any limitations.
4.2. The following information is stored by Estratos Digital GmbH as processor via ‘Lunda’:
the messages sent and received by the data subject via ‘Lunda’,
donation withdrawal information: contact details (such as name and email address) of the beneficiary, zip code, country, phone number (for purposes of multi-factor authentication and to send you important messages), further donation withdrawal related information if the relevant tax and donation regulations require their processing (tax identification number, registration number, address, etc.), and any information the beneficiary chooses to provide,
donation information: contact details (such as name and email address) of the donor, zip code, country, phone number (for purposes of multi-factor authentication and to send you important messages), further donation related information if the relevant tax and donation regulations require their processing (tax identification number, address, etc.), and information the donor chooses to provide.
4.3. Estratos Digital GmbH will comply with its Client’s instructions unless EU or EU Member State law to which Estratos Digital GmbH is subject requires other processing of Customer Personal Data, in which case Estratos Digital GmbH will inform its Client (unless that law prohibits Estratos Digital from doing so on important grounds of public interest). Client instructions are to be given in written form, normally by the electronic means used for the communication between the parties.
4.4. Estratos Digital GmbH gives Clients direct access to individual records containing personal data, as well as the right to delete those records without any further action by Estratos Digital GmbH. In this case, anonymized user-related data might appear for operational reasons in the logs and backups for an additional maximum length of 15 months before being ultimately wiped.
5. Retention of personal data as a data processor
5.1. The retention periods for individual records processed by Estratos Digital GmbH via products under point 4.1. and the action that will be taken after the retention period are based on a system of double opt-in. Names and messages sent and received by the data subject via the products are deleted automatically on the basis of the withdrawal of consent given for the use of the products by the data subject. E-mail addresses, phone numbers and ZIP codes are deleted automatically either by the withdrawal of consent given for the use of the products by the data subject or by the withdrawal of the separate consent given for the use of these contact data by the data subject.
All the data contained and obtained through the Lunda forms will be retained as long as we continue providing such service to Clients. However, following the expiry of the contract with a given Client, we will only retain the data for thirty days [30 days] after the end of the contractual relationship with the controller, to allow the Client time to download the data they own. A set of data that is indispensable for Estratos’ compliance with Austrian bookkeeping law and financial duties will be retained for a period of seven years [7 years]. These periods refer to Lunda’s Client data, which excludes Users' and donors' data.
5.2. Electronic copies of any information and files will be destroyed in line with the retention periods above.
6. Storing and protecting personal data
6.1. The DPO will undertake a risk analysis to identify which records are vital to Estratos Digital GmbH’s management and these records will be stored in the most secure manner.
6.2. Estratos Digital GmbH assures the operation of an effective backup system to ensure that all data can still be accessed in the event of a security breach (e.g. a malware or ransomware attack) and to prevent any loss or theft of data, for the purpose of compliance with the principle of integrity and confidentiality under the GDPR and of business continuity. Backups of personal data must be made on a regular basis. Backed-up information will be stored off the premises, using a backup service which is operated by a provider who is compliant with the GDPR. Estratos Digital GmbH has a system restore protocol in place.
6.3. Estratos Digital GmbH provides 24/7 DevOps support for its Clients and constant monitoring of the proper functioning of its products and infrastructure. Estratos Digital GmbH runs integrity and load tests of its systems to ensure safe functioning.
6.4. Estratos Digital GmbH maintains secure user identification methods for its Clients.
6.5. Confidential paper records are kept in a locked filing cabinet, drawer or safe, with restricted access only to those personnel who require access to fulfil their delegated duties in accordance with their job role. Confidential paper records including records containing personal information are not left unattended or in clear view when held in a location with general access.
6.6. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.
6.7. Data is not saved on removable storage.
6.8. Unencrypted memory sticks are not used to hold personal information.
6.9. All electronic devices (including portable devices) used by Estratos Digital GmbH are password-protected to protect the information on the device in case of theft. Estratos Digital GmbH staff members must enable electronic devices to allow the remote blocking or deletion of data in case of theft.
6.10. Estratos Digital GmbH staff members do not use non-encrypted personal laptops, computers, phones or other electronic devices for business purposes which involve the downloading or storing of personally identifiable or confidential data.
6.11. All members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
6.12. Emails containing sensitive, personal or confidential information are encrypted or password-protected to ensure that only the recipient is able to access the information. The password will be shared with the recipient in a secure and appropriate format.
6.13. Data stored on encrypted hard drives or USBs must not be stored on or downloaded to personal devices.
6.14. Any access by members of staff to documents from outside the premises via a portable electronic device must be made using services designated by Estratos Digital GmbH. Personal accounts must not be used to access Estratos Digital GmbH data.
6.15. All staff members apply a ‘clear desk policy’ to avoid unauthorised access to physical records containing sensitive, confidential or personal information. All confidential information will be stored in a securely locked filing cabinet, drawer or safe with restricted access.
6.16. Personal data must not be stored on the hard drive of any device unless it is running appropriate encryption software.
6.17. Data must be subject to a robust password protection regime. Password sharing is not permitted.
6.18. Computers must be locked when not staffed to prevent unauthorised access.
6.19. Under no circumstances are visitors allowed access to confidential or personal information. Visitors accessing areas containing sensitive information are supervised at all times.
6.20. The physical security of Estratos Digital GmbH’s offices and storage systems, and access to them, is reviewed termly (and documented) by the person with responsibility for sites in conjunction with the DPO. If an increased risk of vandalism, burglary or theft is identified, this will be reported to the Managing Partner and extra measures to secure data storage will be put in place. Data Protection Impact Assessments are undertaken where required.
6.21. Archive rooms should be lockable and secure, and be able to maintain restricted access.
6.22. All members of Estratos Digital GmbH’s staff are obliged to sign a non-disclosure agreement before being given access to personal data. Estratos Digital GmbH takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary and criminal action.
6.23. The DPO is responsible for supporting the continuity and recovery measures that are in place to ensure the security of protected data.
7. Subprocessing security
7.1. Before onboarding subprocessors, Estratos Digital GmbH conducts an audit of the security and privacy practices of subprocessors to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfill the obligations under GDPR.
7.5. Estratos Digital GmbH uses the Google Cloud Platform service, provided by data processor/subprocessor Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; “Google”), to store and access personal data. The Data Processing and Security Terms of the firm are available at: https://cloud.google.com/terms/data-processing-terms.
7.6. Estratos Digital GmbH uses Sendgrid as a directly integrated mass email sender of Lunda for receipts and transaction-related automated emails. Sendgrid is a service provided by Twilio Ireland Limited, a company registered in the Republic of Ireland, whose registered address is 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland. DPA: https://www.twilio.com/en-us/legal/data-protection-addendum
7.7. Estratos Digital GmbH uses Twilio Segment (Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Dublin, Ireland D01 C4E0 - https://segment.com/product/gdpr/ ) to provide data synchronization services.
7.8. Estratos Digital GmbH requires subprocessors to use full disk encryption for data storage during data processing based on the Google Cloud Platform to guarantee that the data never reaches the cloud in an unencrypted state during network transmission.
8. Accessing information
8.1. As a data controller, Estratos Digital GmbH is transparent with data subjects about the information we hold and how it can be accessed.
8.2. Estratos Digital GmbH as a data processor provides its Clients with all the relevant information to enable them to act as a transparent data controller.
9.1. Estratos Digital GmbH stores data in a multi-tenant environment on the servers of the cloud service providers under point 7.2 and 7.3. Estratos Digital GmbH also logically isolates the Client’s data.
9.2. Estratos Digital GmbH keeps a continuous and verifiable log file on all the operations performed upon the processed personal data.
10. Data incidents
10.1. If Estratos Digital GmbH becomes aware of a Data Incident, Estratos Digital GmbH will: (a) notify the Client of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
10.2. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Estratos Digital GmbH recommends the Client take to address the Data Incident.
10.3. Notification(s) of any Data Incident(s) will be delivered by e-mail or, at Estratos Digital GmbH’s discretion, by direct communication (for example, by phone call or an in-person meeting).
10.4. Estratos Digital GmbH will not assess the contents of Customer Data to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident(s).
10.5. Any notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Estratos Digital GmbH or any of its data processors/subprocessors of any fault or liability with respect to the Data Incident.
11. Information audit
11.1. Estratos Digital GmbH will conduct an information audit on a regular basis against all information held by it to ensure that it is correctly managed in accordance with the GDPR.
11.2. The information audit may be completed in a number of ways, including, but not limited to, interviews with staff members with key responsibilities to identify information and information flows, and questionnaires to key staff members to identify information and information flows.
11.3. The DPO is responsible for completing the information audit.
11.4. Estratos Digital GmbH cooperates with its Clients in all their audits and monitoring activities aimed at compliance with the GDPR.
12. Disposal of data
12.1. All records containing personal information or information must be disposed of in a way which ensures they are unreadable or unreconstructable. Paper records must be shredded using a cross-cut shredder, CDs/DVDs should be cut into small pieces and hard drives must be wiped according to the nature of the data stored on them.
12.2. In case of opt-out performed by the data subject, the relevant personal data must also be deleted from the log file under point 9.2, except where a statutory regulation, the Client or the data subject requires otherwise in accordance with the GDPR.
13. Monitoring and review
13.1. This policy will be reviewed on an annual basis by the Managing Partner in conjunction with the DPO – the next scheduled review date for this policy is November 2022.
13.2. Any changes made to this policy will be communicated to all members of staff and clients.