Orangedev and the GDPR
Orangedev guarantees its customers the correct application of the provisions of the GDPR for the services provided.
The processing of data through our software takes place separately for each Service through the “ Special Conditions for the Processing of Personal Data” (DPA), customized for the specific Service, generally provided as a document in its own right.
The Data Controller is Orangedev Srl, with its registered office at via Panciatichi 40, 50127 Florence. Any interested party can contact us by sending a request to email@example.com
Processing of Customer’s personal data
The data of our customers are managed with the utmost care, in accordance with the directives of the GDPR regulation. </ span>
Default and design privacy
Our software has always been designed and created following the concept “Data protection by default and by design”.
Data integrity and security
We use data encryption for which we believe we must guarantee an adequate level of security for the risk of their loss or theft.
Log conservation by law
We take responsibility for keeping the logs in accordance with the law for the period prescribed by Italian law.
Access logs and audit logs can be exported by the service administrators through special tools made available at any time during the period of validity of the contract.
Users can delete their data at any time. When a definitive deletion request is sent (such as the deletion of an account used for the provision of our Services), the data will be removed from any system within a maximum of 90 days, unless otherwise required by law.
In order to maintain security and prevent data processing in violation of the regulation, we take the risk of assessing the risks inherent in processing and implement measures to mitigate such processing risks such as encryption to protect data in transit.
To detect possible software vulnerabilities, we use internally developed tools; we also carry out periodic tests to verify possible violations.
We have prepared the “Treatments Register”, or a register of the processing activities carried out, available to the controlling authority.
All Orangedev employees have followed internal training courses related to the requirements of the GDPR and are constantly updated and sensitized on the issues of security and confidentiality of the data we process . </ span>
Orangedev as Data Controller
Orangedev srl acts as “Data Controller” when it determines the purposes and means of processing personal data. This is the case in which Orangedev collects data for billing, for service improvement, for sales initiatives, requests for technical assistance, commercial management or, even, when Orangedev processes personal data of its employees.
In this case, “your” data hosted on the services of Orangedev, are not affected by the processing, unlike some information concerning you or your employees (for example information regarding identity and contact details of your contact in Orangedev within a Support Request).
More generally, Orangedev guarantees:
- limit the collection of data to those strictly necessary;
- not use personal data for purposes other than those for which they were originally collected;
- keep personal data for a limited period, ie for the entire duration of the contract and the following 12 months;
- not transfer this data to third parties who are not part of the companies of the Group or who are not involved in the execution of the contract.
Orangedev as Data Processing Manager
Orangedev srl acts as “Data processing manager” when processing personal data on behalf of a Data Controller, for example when using Orangedev services and archiving users’ personal data on Orangedev’s infrastructure. Within the limits of its technical constraints, Orangedev will treat the hosted data exclusively according to the indications, and on behalf of the Clients, who are the Data Controllers or have received instructions to be authorized by any other Owners to allow Orangedev the Treatment.
In these cases Orangedev undertakes to:
- process personal data solely for the purpose of the correct execution of services;
- not transfer your data outside the EU;
- implement high security standards in order to guarantee a high level of security for our services;
- notify you as soon as possible in the event of a data breach;
- assist you in fulfilling your regulatory obligations by providing you with adequate documentation of our services.
What Orangedev customers need to do
The new legislation requires taking a series of measures to adequately protect the data of the people with whom your company or office is operating, for example the data of your employees and your customers.
So the first thing to do is become aware :
- Informed (for example here www.garanteprivacy.it/guida-all-application-of-regional-regulation-in-material-of-protection-dehyde-personals < / a>, http://ec.europa.eu/justice /smedataprotect/index_it.htm and here https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_it ) and evaluate which of the changes introduced by the new Regulation are applicable to your business.
- Consult an expert to get legal advice about your company;
- Communicate to your customers / employees, for active services with us, that the Data Processor is Orangedev;
DPO (Data Protection Officer) contact details
Paragraph 7 of article 37 of the European Privacy Regulation EU / 2016/679 (GDPR) requires each data controller or each data processor to make public the contact data of their DPO (Data Protection Officer) and inform the Data Protection Authority.
In compliance with this rule, Orangedev s.r.l. publishes the contact details of our DPO as communicated to the italian Data Protection Authority on 17/07/2020:
Who is the Data Controller:
The Data Controller is the person who determines the purposes and means of processing personal data.
Who is the Data Processor:
Data Processor is the person who processes personal data on behalf of a Data Controller.
What is personal information?
Personal data is all information relating to an identified or identifiable living person.
What are sensitive data?
Sensitive data are those that can reveal racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership in parties , trade unions, associations or organizations of a religious, philosophical, political or union nature, health status and sexual life.
Example of personal data:
- first and last name;
- home address;
- e-mail address, such as firstname.lastname@example.org;
- ID card number;
- location data (eg the positioning function on a mobile phone);
- an IP (Internet Protocol) address;
- a cookie ID;
Examples of data not considered personal:
- Company registration number of a company;
- e-mail address not referable to a well-identified person, for example “ email@example.com “;
- anonymised data.
What constitutes data processing?
The treatment includes a wide range of operations performed on personal data, including those with manual or automated means. Includes the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction of personal data.
Who is the owner of the data hosted and stored on Orangedev’s services?
The data stored by the customer, who uses Orangedev services, remains the property of the customer. Orangedev does not access or use these data unless it is strictly necessary and within the limits of its technical constraints.
In which cases can Orangedev access Customer data hosted and stored on our services?
Orangedev accesses data only in the following situations:
- for the purpose of executing the services and in particular for optimizing assistance to customers when they contact Orangedev technical support. In this case, access to user data remains controlled thanks to precise authorizations and activity logs;
- to fulfill legal obligations in the context of strictly controlled judicial and / or administrative requests.