Avatar Mike Noordermeer Privacy, security and GDPR compliance

Mike Noordermeer | Published February 6, 2018

From the 25th of May, the General Data Protection Regulation (GDPR) will take effect in the European Union (EU). This regulation aims to strengthen and unify data protection for all individuals within the EU. At Eveoh, we have been working on the implementation details of this new regulation. With this blog post we would like to provide an update on the work that has been done and what we will be doing in the upcoming months.

Data Processing Agreement

Under the GDPR, a Data Processing Agreement (DPA) is required between the Controller (our customers) and the Processor (us). A DPA is already in place between Eveoh and some of our customers, mainly due to customers contacting us during their preparations for the GDPR. We will now take this a step further and actively approach our customers requesting a DPA to be signed. We have a standard DPA available and we strongly prefer to use this DPA in order to have a consistent DPA for all our customers.

Over the next weeks, we will approach our customers with our suggested DPA and will ask them to return a signed copy of this DPA. We kindly request customers to promptly respond to this and want to emphasize that our customers are ultimately responsible for their student and staff data.

Privacy policy

MyTimetable 3.7 will include a condensed privacy policy explaining how Eveoh processes the data of students and staff in MyTimetable. Under the GDPR, our customers need to provide a full privacy policy on their own website. This policy should explain end-users their rights and the contact details of the customer. The condensed privacy policy in MyTimetable will include a link to the customer’s full privacy policy.

Security review

Last year, we drafted a first version of our information security policy. One of the improvements listed in this policy was a full security review of MyTimetable. We are pleased to report CAST Company has completed this security review. The security review included an architectural review, penetration test and code analysis. Some minor issues were found, which will be addressed in an upcoming MyTimetable version or in further improvements of our hosting platform. The full security report as well as our response will be available for our customers soon. Please contact us for more details.