d-basics and the GDPR

From 25 May 2018 the General Data Protection Regulation (GDPR) enters into force and below you will find answers to the most important questions concerning the use of the software of d-basics and the GDPR.
 

The GDPR entitles you to the following rights:

  • Access
    You have the right to access the data collected by d-basics B.V., to be informed about the purpose for which the data were collected and to know whether they were shared with any third parties.
  • Data portability
    This right entitles you to request the data d-basics B.V. has about you, so that you can file them for personal (re-)usage or to pass them along to another organisation.
  • Removal
    You have the right to register a request to have the data d-basics has stored about you removed. Please note, however, that following the removal of the data you will no longer be able to use the d-basics data extraction software and you will not be able to access or use the d-basics Portal.
  • Rectification and completion
    You have the right to complete or amend the data stored by d-basics B.V. or you may register a request for d-basics B.V. to do this on your behalf.
  • Objection
    You have the right to object to the processing of your data by d-basics B.V. You may also register a request to process less data.
  • Transparancy
    It should be clear to you why d-basics B.V. collects, uses, or consults personal data, or how it processes these data in any other way.

This document outlines the implementation of these rights by d-basics B.V. and how it affects the use of the d-basics B.V. software.

To understand the impact of the GDPR on the use of the d-basics software fully, a distinction must be made between:

  • The collected data of the users of the d-basics software by d-basics B.V.
  • The (personal) data copied and sent from the accounting package by the d-basics software

Personal data users d-basics software

D-basics B.V. processes the following details from the users of the d-basics software:

  • First and last name
  • Sex
  • Business address details
  • Job title
  • Business telephone numbers
  • Email address
  • Other personal details that you add yourself to your d-basics Portal profile
  • Log information on how you use the d-basics software
  • Technical information on how you configured the d-basics software
  • Information related to help desk activities, such as tickets (including comments and status updates)
  • IP-address
  • Bank details

Data collected by d-basics software

The d-basics data extraction software copies information from your accounting package, turns it into data files and sends these to external recipients such as factoring companies, banks, etc.

The nature of the information collected and sent by the d-basics software is very diverse and it depends on the specific purpose for which the software is being used.

Within computer environment of user

To understand the influence of the GDPR on the use of the d-basics data extraction software fully, it is important to realise that the d-basics data extraction software is installed within the computer environment of the user (sender) and that the software is used and controlled by this same user.

During regular use d-basics B.V. has access neither to the software nor to the (personal) data that are being processed through it. Consequently, d-basics B.V. cannot be seen as a processor as such when it concerns the usage of the d basics software for importing and sending information.

Special personal data

D-basics B.V. will never ask for special personal data from d-basics software users.

It is, however, possible that special personal data, such as race, political preferences, or social security information, is copied and sent from your accounting package when information is imported and sent using the d basics data extraction software.

When the d-basics software is used to import and send special personal data it is the responsibility of the sender that this process complies with GDPR guidelines.

Remote support

To support clients adequately, d-basics B.V. employees will use remote desktop software to connect to the computer of d-basics software users.

During the remote desktop session the d-basics B.V. employee will see data as it is displayed on the user’s computer screen, which may include personal data.

Users who give their permission for a remote desktop connection are asked not to have person-al data on display during the remote desktop session.

User has full control

A remote desktop connection can only be established with the cooperation of a user of the d basics software. The user retains full control during such a session and can break the connection at any moment he/she chooses.

After the connection has been broken the d-basics B.V. employee will not be able to re-establish the connection independently.

The data that were visible at the time of the desktop connection will not be copied to d-basics B.V.

Test data

There are times when d-basics B.V. employees will ask users of the d-basics software for a copy of a database and/or data files. These copies are used to add links to new accounting packages to the d-basics data extraction software or to improve or expand existing links to accounting packages.

Providing these copies is not part of the regular usage of the d-basics software and in such cases clear agreements on the conditions under which the copies are provided will always be made with the user concerned.

If the databases or data files concerned contain special personal data d basics B.V. will request users to make this known beforehand. In this case d-basics B.V. will refrain from copying the parts that contain the data concerned.

D-basics B.V. only collects the essential personal data for the purpose of legal obligations, legitimate interest, as part of an agreement, or because we have been given permission to do so.

More specifically:

  • Accounting and invoicing
    Your personal data are used to carry out regular accounting actions such as invoicing and receivables management.
  • Client contact and support
    Your personal data are used to communicate with you. Often this concerns the necessary support to install or use the d-basics software and this communication usually takes place by telephone, email, or through our ticket system. D-basics B.V. also communicates about important updates of the d-basics software and about the availability of the help desk.
  • Access to the d-basics software
    Your personal data are used to create a user account. You need this account to be able to use the d-basics software.
  • Usage of the d-basics software
    Your personal data are used to check the proper functioning and the security of the d-basics software.
  • Improvement of the d-basics software
    Your personal data are used for the maintenance and development of the d-basics software.
  • Backup of settings
    During the regular use of the d-basics data extraction software a copy of the settings of this software is synchronised with the d-basics Portal. If passwords are synchronised, they are encrypted in such way that they cannot be decrypted by d-basics B.V.
    The synchronised settings do not contain (personal) data that were copied from the accounting package.
  • Website visit
    Information is collected during visits to the d-basics B.V. websites regarding the use of the websites concerned and the origin of the visitors.

Granting permission for cookies

When you visit the d-basics B.V. websites you are requested permission for the use of cookies. These functional, tracking, analytical, and 3rd party cookies are used by d-basics B.V. to optimise visits to the websites.

Access to your personal data

D-basics B.V. employees have access to the personal data of users of the d-basics software as part of their daily support, management, and development activities.

As previously indicated, d-basics B.V. employees do not have access to the data that are sent by users through the d-basics software.

Sharing personal data with third parties

D-basics B.V. only shares your personal data if this is strictly essential. For example, sharing takes place if services are being used that were purchased by d-basics B.V. for operational reasons, such as hosting at Microsoft Azure (within Western Europe) and the analysing of website visits by Google Analytics.

D-basics B.V. is constantly taking preventative measures to ensure your privacy and data are kept secure:

Organisational measures

  • Employees must sign a confidentiality agreement
  • Employees are given instructions and training about privacy and information security.
  • The d-basics B.V. privacy policy provides employees with guidelines on how to handle your privacy and data responsibly.
  • The internal processes and procedures at d-basics B.V. are constantly reevaluated
  • Your data are only accessible to those who need access to them based on their job descrip-tion.

Technical measures

D-basics B.V. constantly re-assesses whether the software developed by d-basics B.V. as well as the infrastructure used by d-basics B.V. provide a sufficient level of warranty to adequately process personal data.

Examples of measures that were taken to this effect are:

  • SSL certificates
    Connection to all d-basics B.V. online environments is encrypted using SSL certificates. Additionally, the d-basics data extraction software sends the information imported from the accounting package to the recipient through an encrypted connection provided the recipient has taken the technical measures to establish such an encrypted connection.
  • Penetration tests
    In order to check the security of the products developed by d-basics B.V., “pentests” are executed periodically.
  • Backups
    D-basics B.V. makes a daily backup of all the servers used by d-basics B.V. and the data stored on them. These backups are encrypted and are stored at different locations.
  • Active network management
    D-basics B.V. carries out active network management that is aimed at minimising any risks. Among other things, this consists of consistently installing updates, using firewalls, multiple means of protection against cyber risks, and carrying out daily network scans.
  • Data in Europe
    Information collected by d-basics B.V. is stored on our own d-basics B.V. servers. Where it concerns data in the d-basics Portal, it is stored in the European Microsoft Azure environ-ment.

In case of a data breach d-basics B.V. will notify the Authority for Personal Data within 36 hours if the breach is discovered by d-basics B.V. D-basics B.V. will notify the Authority for Personal Data within 48 hours if the data breach is brought to the attention of d-basics B.V. by another party. D-basics B.V. will also notify those who are affected by the data breach.

D-basics B.V. requests anyone who suspects a data breach to notify d-basics B.V. of the potential issue. You will find the relevant contact details at Contact information.

As previously indicated d-basics B.V. is not necessarily a data processor if a user copies and sends data to an external recipient from the accounting package using the d-basics data extraction software.

In this case d-basics B.V. has no access to the data that were sent and as such is unable to influence the way the data are being sent.

Where d-basics B.V. is the processor of the personal data you provided, you are required to close a data processing agreement with us.

This situation occurs, for example, when a factoring company sends a request - which includes personal data - to d-basics B.V. on behalf of their clients for the installation of the d-basics software.

This is when d-basics B.V. will process data which fall under the responsibility of the factoring company, making the factoring company responsible for closing a data processing agreement. In this case, the factoring company is responsible for the personal data and d-basics B.V. will be the data processor.

To make the process of closing a data processing agreement as smooth as possible, d-basics B.V. drafted their own data processing agreement which is fully compliant with the GDPR guidelines and is based on the model provided by Netherlands ICT.

This data processing agreement includes matters such as which personal data will be processed, why they are being processed, the confidentiality clause, sub-processors, security measures and audits.

Click here for more information about the d-basics data processing agreement.

If you wish to contact us about the GDPR you may contact d-basics B.V. as follows: