Our GDPR commitment
We support our partners, clients and users in understanding, preparing for and applying the General Data Protection Regulation (GDPR). The GDPR is the most comprehensive EU privacy legislation to date and enters into effect on 25 May 2018. The existing statutory obligation to report data breaches continues to apply.
In addition to further strengthening and standardising the protection of users' data in the European Union, the law imposes new or additional obligations on all organisations that process personal data of EU residents, regardless of where the organisation is situated.
Preparing for the GDPR
The new privacy requirements of the GDPR are significant, and our entire team has worked hard to bring our products, processes and contractual obligations in line with them.
Measures to achieve this include:
- The continuous improvement of our security infrastructure and accompanying processes.
- Ensuring that our contracts and other legal documents meet the new requirements.
- Making a suitable and comprehensible Data Processing Agreement available, which clients conclude with us so that the processing of personal data by Virtual Vaults is in accordance with the GDPR.
- Auditing our subprocessors to verify that they meet our standards.
- Bringing our services and platform in line with the GDPR with respect to data retention and data portability.
We will continue to monitor the guidance on GDPR compliance after the GDPR takes effect and will make adjustments accordingly. Virtual Vaults will keep its clients and users informed about this.
The security of client data and the accompanying user data is the guiding principle for everything we do and make. In preparation for the GDPR we have taken additional measures in the following areas:
- We have invested significantly in a robust and experienced security and privacy team. The team works proactively on incident prevention and, in the event of a potential incident, can act in accordance with the GDPR personal data breach notification guidelines.
- Virtual Vaults is already ISO 27001:2013-certified and complies with the Nederland ICT Data Pro Code, which is specifically aimed at the GDPR.
- The authentication process has been further strengthened, for example by making 2-factor authentication mandatory for logging in.
- Additional data encryption layers have been implemented in the platform.
- Client data on the Virtual Vaults platform is guaranteed to be processed and stored within the EU/EEA. The processing of user account data (for example e-mail addresses) by our subprocessors is in most cases also limited to the EU/EEA.
- Virtual Vaults requires all its subprocessors to be certified against a widely recognised standard such as ISO 27001 or SOC 2. If they process data outside the EU, they must also comply with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.
If you would like further information about Virtual Vaults' security measures, you can find it on our security page.
Which measures should you take as a client of Virtual Vaults?
Depending on the jurisdiction you fall under, there are a number of matters you may have to consider when the GDPR takes effect:
- If your organisation processes personal data of residents of the European Union, you must conclude a Data Processing Agreement with Virtual Vaults.
- If you process or store personal data, you should audit your internal security infrastructure and accompanying processes. This includes applying at least 2-factor authentication and data encryption on all systems.
- Preferably work only with subprocessors that are established in the EU and apply the same strict requirements we have set out.
- Where possible, minimise the risk of a data leak by not placing personal data in a Vault, or by anonymising that personal data in advance.
- Require employees to use a password manager so that they can securely manage complex passwords.
Would you like to know more?
Our Data Protection Officer is available for questions or comments regarding the implementation of the GDPR. Please send an e-mail for this purpose to firstname.lastname@example.org.