GDPR compliance
The main goal of the GDPR is to regulate how organisations handle personal data and protect the privacy of citizens of the European Union. The GDPR applies to all companies that do business with EU citizens or process data of EU citizens, regardless of the location of the company that is processing such data. eLabNext is a brand of Bio-ITech BV, part of Eppendorf Group. The GDPR, therefore, applies to Bio-ITech B.V. ("Bio-ITech"), and we are committed to protecting the privacy of our customers.
Bio-ITech as a Data Processor
For all users with a registered account in one of the Bio-ITech software applications, personal data is stored in our systems. The role of Bio-ITech as the supplier of software is dependent on the chosen hosting solution. For end-users using Bio-ITech software in the Cloud or in a Private Cloud, Bio-ITech is regarded as the Data Processor according to the GDPR. For end-users with the application hosted on a local server, so-called On-Premise installation, Bio-ITech acts as a sub-processor as it only provides software updates and support but does not have direct access to the data.
How do we protect your personal data?
As a Data Processor, Bio-ITech has taken strict measures and implemented the required procedures to guarantee the safety of its customers' data. As proof of its effort, Bio-ITech has been IEC/ISO27001 certified since 2016.
The most important measures that have been taken to ensure the protection of personal data as well as confidentiality, integrity and availability of services provided by Bio-ITech as a Data Processor are:
- Secured communication via SSL encryption
- Periodic off-site encrypted data back-ups (every 24 hours) for disaster recovery (kept up to 6 months)
- Disaster recovery procedures
- Real-time system monitoring and logging
- Firewall and network configuration such that servers are not directly connected to the internet
- System maintenance, including the installation of security patches
- Security features to protect system access, such as two-factor authentication and IP restriction
- Privacy features to block storage of personal information by end-users
- Confidentiality agreements as part of all employee contracts
- Access to systems by Bio-ITech employees on a need-to-access basis
Right to Access
The GDPR dictates that all EU citizens have the right to access the personal data that is stored by others. To provide full system functionality, the following minimal set of personal data is stored in Bio-ITech's software applications:
* In case federated login (e.g. LDAP/AD/AD FS/Single Sign-On) is active, passwords are not required and not stored
In addition to the required personal data, the system has the option to store other personal data, such as job title or the organisation address. All Bio-ITech software applications provide direct access to all personal data in the user profile, from where the user has the option to remove or change any personal information in the system. For customers with a Private Cloud or On-Premises installation, the System Administrator / Key-User can change the privacy policy for GDPR compliance in the system settings.
Right to be Forgotten
The GDPR gives each citizen in Europe the right to be forgotten. Considering that an essential function of our software products is to provide full traceability of data, the removal of personal data from the system would counteract the possibility of tracking who stored data in the system. For that reason, our applications do not support a software function that can be operated by an end-user to delete an account, including all personal data. To claim your right to be forgotten and to remove all personal data from your account, please contact our customer care team to guide you through our formal data removal procedure. During this procedure, approval of the organisation to which the system is licensed is requested so that Bio-ITech cannot be held accountable for any loss of data as a result of the data removal.
Data-portability
All Bio-ITech software applications offer the option to export data. Depending on the data, the software offers the option to end-users to export data as CSV, PDF, or HTML. The software has a so-called Application Programming Interface (API) available to structure the data in any format.
Request Information
Bio-ITech will keep you informed on its websites about its compliance with the GDPR requirements. Should you have any questions or concerns, please do not hesitate to contact our legal department at security@elabnext.com.