GDPR Compliance
Decconz Multi-ERP Suite is fully compliant with the European Union's General Data Protection Regulation (GDPR). We are committed to protecting the privacy and personal data of all our users.
1. GDPR Overview
Fully GDPR Compliant
Decconz Multi-ERP Suite complies with all requirements of the General Data Protection Regulation (GDPR) effective from May 25, 2018.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect in the European Union (EU) on May 25, 2018. It strengthens the rights of individuals regarding their personal data and imposes strict rules on organizations that collect, process, or store personal data.
Applicability: GDPR applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3), regardless of where the organization is located. As Decconz serves customers globally, including in the EU, we comply with GDPR requirements.
1.1 Key GDPR Concepts
Personal Data
Any information relating to an identified or identifiable natural person ('data subject').
Data Processing
Any operation performed on personal data, including collection, storage, and use.
Data Controller
The entity that determines the purposes and means of processing personal data.
Data Processor
The entity that processes personal data on behalf of the controller.
1.2 Our Role Under GDPR
Depending on the context, Decconz (the provider of Decconz Multi-ERP Suite) acts as either a Data Controller or a Data Processor:
| When We Are | What It Means | Examples |
|---|---|---|
| Data Controller | We determine how and why personal data is processed | Customer account information, marketing data |
| Data Processor | We process data on behalf of our customers | Business data uploaded by customers to our ERP |
2. GDPR Principles We Follow
GDPR is built around seven key principles that govern the processing of personal data. At Decconz, we have embedded these principles into our data processing activities:
1. Lawfulness, Fairness & Transparency
We process personal data lawfully, fairly, and transparently. We provide clear information about how we use personal data.
2. Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
3. Data Minimization
We only collect personal data that is adequate, relevant, and limited to what is necessary for our purposes.
4. Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date, and we rectify inaccurate data without delay.
5. Storage Limitation
We keep personal data in a form that permits identification for no longer than necessary for our purposes.
6. Integrity & Confidentiality
We process personal data securely using appropriate technical and organizational measures against unauthorized processing.
7. Accountability
We are responsible for and can demonstrate compliance with all GDPR principles.
2.1 Lawful Bases for Processing
Under GDPR, we must have a lawful basis for processing personal data. The lawful bases we rely on include:
| Lawful Basis | Description | When We Use It |
|---|---|---|
| Consent | You have given clear consent | Marketing communications, analytics cookies |
| Contract | Processing necessary for a contract | Providing ERP services, billing, support |
| Legal Obligation | Processing required by law | Tax records, regulatory compliance |
| Legitimate Interests | Our interests balanced against yours | Service improvement, fraud prevention |
3. Your Data Protection Rights
Under GDPR, you have specific rights regarding your personal data. At Decconz, we have implemented processes to help you exercise these rights easily:
Right to Access
You can request a copy of your personal data and information about how we process it. We provide this within one month of receiving your request.
Right to Rectification
You can request correction of inaccurate or incomplete personal data.
Right to Erasure
You can request deletion of your personal data under certain circumstances.
Right to Restrict Processing
You can request restriction of processing of your personal data.
Right to Data Portability
You can request the personal data you provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another organization where technically feasible. This right applies to data processed by automated means on the basis of consent or contract.
Right to Object
You can object to processing of your personal data in certain situations.
Rights Related to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on you, except where GDPR permits it (Article 22).
Right to Withdraw Consent
You can withdraw consent at any time where processing is based on consent.
How to Exercise Your Rights
- Account Dashboard: Use our self-service tools in your account settings
- Email Request: Send your request to privacy@decconz-erp.com
- Data Protection Officer: Contact our DPO using the information in Section 5
- Verification: We may need to verify your identity before processing requests
- Response Time: We respond to requests within one month of receipt, as required by GDPR (Article 12(3)). For complex or numerous requests this period may be extended by up to two further months; if so, we will tell you within the first month and explain why
3.1 No Fee Usually Required
You will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is manifestly unfounded or excessive, in particular because it is repetitive. Alternatively, we may refuse to act on your request in these circumstances, in which case we will tell you why and inform you of your right to complain to a supervisory authority.
4. Our GDPR Compliance Measures
We have implemented comprehensive measures to ensure GDPR compliance across our organization:
Our Data Protection Framework
Data Mapping & Inventory
We maintain a comprehensive record of all personal data processing activities.
Privacy by Design
We integrate data protection into our development processes from the outset.
Security Measures
We implement appropriate technical and organizational security measures.
Staff Training
We provide regular GDPR and data protection training to all employees.
Regular Audits
We carry out data protection impact assessments (DPIAs) for processing that is likely to result in a high risk to individuals, and we audit our data protection controls regularly.
4.1 Technical Security Measures
Security Implementation
- Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Access Controls: Role-based access controls and multi-factor authentication
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Regular Backups: Daily encrypted backups with geographic redundancy
- Vulnerability Scanning: Regular security testing and penetration testing
- Incident Response: Formal procedures for security incident response
4.2 Organizational Measures
| Measure | Description | Status |
|---|---|---|
| Data Protection Officer | Appointed DPO overseeing GDPR compliance | ✓ Implemented |
| Privacy Policies | Comprehensive privacy documentation | ✓ Implemented |
| Processor Agreements | GDPR-compliant contracts with all processors | ✓ Implemented |
| Data Protection Impact Assessments | Regular DPIAs for high-risk processing | ✓ Implemented |
| Staff Training | Annual GDPR training for all employees | ✓ Implemented |
| Record of Processing Activities | Maintained as required by Article 30 | ✓ Implemented |
5. Data Protection Officer (DPO)
In accordance with GDPR Article 37, we have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance.
Data Protection Officer
Our DPO is independent, reports directly to our highest management level, and has the expertise and resources necessary to fulfill their duties under GDPR.
Dr. Emma Richardson
dpo@decconz-erp.com
+1 (800) 555-5678
123 Business Avenue
Suite 500
San Francisco, CA 94107
5.1 DPO Responsibilities
Our DPO is responsible for:
Monitoring Compliance
Monitoring our compliance with GDPR and other data protection laws.
Training & Awareness
Raising awareness and training staff involved in processing operations.
Advising & Informing
Advising on data protection impact assessments when requested and monitoring their performance.
Cooperation
Cooperating with supervisory authorities and acting as contact point.
Contacting the DPO: You can contact our DPO directly with any questions about our data protection practices or to exercise your GDPR rights. The DPO is available to both our customers and regulatory authorities.
6. Data Breach Notification
GDPR requires data controllers to notify the supervisory authority, and in some cases the affected individuals, of personal data breaches, and requires data processors to notify the controller of any breach without undue delay. We have established procedures for handling data breaches in both of our roles.
Our Data Breach Response Plan
- Detection & Assessment: Immediate assessment of any suspected breach, including whether it is likely to result in a risk to individuals
- Containment: Taking immediate steps to contain the breach
- Investigation: Thorough investigation to understand cause and impact
- Notification: Notifying the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; where we act as processor, notifying the affected customer (the controller) without undue delay
- Communication: Informing affected individuals without undue delay where the breach is likely to result in a high risk to them
- Remediation: Implementing measures to prevent recurrence
- Documentation: Maintaining records of all breaches, including those that do not require notification, as Article 33(5) requires
6.1 When We Notify
| Situation | Notification Requirement | Timeline |
|---|---|---|
| Breach likely to result in a risk to individuals' rights and freedoms | Notify the supervisory authority (Article 33) | Within 72 hours of becoming aware; reasons for any delay must be given |
| Breach likely to result in a high risk to individuals | Notify the affected individuals (Article 34) | Without undue delay |
| Breach at one of our processors | The processor must notify us | Without undue delay after becoming aware (Article 33(2)) |
| Breach of customer data we process on a customer's behalf | We notify the customer, who is the controller | Without undue delay after becoming aware (Article 33(2)) |
6.2 Information Provided
In the event of a notifiable breach, we will provide:
- Description of the nature of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of personal data records concerned
- Contact details of our DPO
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Prevention First: While we have robust breach response procedures, our primary focus is on preventing breaches through strong security measures, regular testing, and employee training.
7. International Data Transfers
GDPR imposes restrictions on the transfer of personal data outside the European Economic Area (EEA). We ensure all international data transfers comply with GDPR requirements.
Our Transfer Mechanisms
Adequacy Decisions
We transfer data to countries with adequacy decisions from the European Commission.
Standard Contractual Clauses
We use the Standard Contractual Clauses adopted by the European Commission for transfers to third countries without an adequacy decision.
Binding Corporate Rules
For intra-group transfers, we implement binding corporate rules where applicable.
Derogations
In limited circumstances, we may rely on specific derogations under Article 49.
7.1 Our Data Locations
We primarily store and process data in the following locations:
| Data Type | Primary Location | Backup Location | Transfer Mechanism (for personal data leaving the EEA) |
|---|---|---|---|
| EU Customer Data | Frankfurt, Germany (EU) | Dublin, Ireland (EU) | Within EEA |
| US Customer Data | Virginia, USA | Oregon, USA | SCCs |
| Global Customer Data | Singapore | Tokyo, Japan | SCCs |
| Backup Data | Multiple EU Locations | Multiple Global Locations | SCCs/BCRs |
7.2 Third-Party Processors
We use carefully selected third-party processors who also comply with GDPR requirements. All processors are subject to:
- Data processing agreements incorporating GDPR requirements
- Regular security and compliance assessments
- Transparency about sub-processors
- Requirements to implement appropriate security measures
- Obligations to assist with data subject rights requests
Transparency: We maintain a list of our sub-processors which is available upon request. We notify customers of any changes to sub-processors and provide an opportunity to object.
Questions About GDPR Compliance?
Our Data Protection Officer and privacy team are available to answer your questions about GDPR, data protection, or your rights under European data protection laws.