Overview:

• Preamble
• docu tools as data processor
• Data transfer
• docu tools as controller (data controller)
• Legitimate Interests
• What docu tools does for DGPR
• Internal processes, Security and Data transfer
• Personal data access requests
• Documentation
• Training

Preamble

On 25th May 2018 the European Union‘s new General Data Protection Regulation came into force. The new GDPR has a great impact on all companies which process personal data of European Union citizens, or of the European Union. Docu tools of course also processes personal data. We have therefore spent considerable time to ensure that we follow the new GDPR regulations properly.

This article offers a brief overview of your data related rights and responsibilities when using docu tools for your building documentation and will illustrate the steps docu tools has taken to fulfil the new GDPR regulations.

docu tools as controller

We act for every docu tools client as data controller, as per Article 28 of the GDPR. Each docu tools user enters personal data in docu tools within their account, which is contact data. The client is therefore responsible for the personal data he/she shares. Docu tools acts as data processing controller of this data. 

Contacts are not identical to the personal data of team members. Individuals invited to a project team keep the authority over their personal data, as they have their own account. Typically, a professional relationship exists between the docu tools client and his team members for his projects. This professional relationship therefore also regulates the relationship regarding the GDPR.

If you therefore use docu tools for the management of contacts in your projects, it means you commission docu tools as data controller to manage certain data processes in your name. The relationship between controller and the responsible user must according to Article 28 of the GDPR be agreed in written form (this agreement can be signed in electronic form, according to §9 of Article 28).

The General Terms and Conditions and the Data Protection Regulations for the docu tools client are used. Both these documents therefore also serve as data processing contract, in which you declare that you have tasked docu tools with the management of personal data which you control, and the responsibility of both parties is defined. Docu tools only processes and manages the personal data of your clients and/or partners based on your instruction as data controller.

Docu tools offers its clients a series of ways to collect further data, on top of the standard personal contact data collected from project team members and partners. For example, plans with personal data in plan heads, photographing building sites with participating and non-participating people, etc. is in principle within the legal sphere of a docu tools client. Docu tools is not able to automatically erase, read, process, or hide such data.

With the docu tools App some mobile devices enable GPS data collection. This data will only be captured when a pin is set or a photograph is taken. A continuous documentation of movement is not possible with docu tools.

Data transfer

A topic our clients often ask about is data transfer outside the EU. The DGPR sets very strict rules for the transfer of data outside its area of responsibility. Without these it would be impossible to appropriately execute the law. 

Docu tools is responsible for the fulfilment of these data transfer regulations. Because our clients have a contractual relationship with docu tools GmbH -which is based in Austria - the data transfer remains within the EU. Docu tools has ensured that the docu tools services (docu tools Cloud) are based in the EU.  

To give our clients total transparency about data transfers we will always provide an up-to-date list of all docu tools data processors in our data protection statement. This list will also always explain what data is of concern here, and how we have ensured that all data is appropriately protected, even if it were to leave the EU. We do this by ensuring that our third-party-suppliers are either certified by the EU-US Privacy Shield, or they have signed the standard contractual clause of the European Commission.

We hope this helps you to understand the requirements of the EU’s GDPR. If you have any further questions, please contact service@docu-tools.com.

docu tools as controller (data controller)

Docu tools also acts as controller (data controller) for personal data which we collect from you via your use of our web App, mobile App, and website.

1. We process data which is required to fulfil our contract with you (DGPR Article 6(1)(b)).
2. We process data to fulfil our legal responsibilities (DGPR Article 6(1)(c)). This especially concerns financial data and data needed for our accountability to the DGPR.
3. We process personal data for our own legitimate interests in accordance with DGPR Article 6(1)(f).

Legitimate Interests

• The improvement of our software to help you become even more productive;
• The insurance that your data and docu tools systems are secure;
• Responsible marketing of our product and its features.

Docu tools, as controller (data controller) of your data, is required to ensure that all your rights are protected as per GDPR regulations. If you have any further questions or feedback, please write to service@docu-tools.com.

What docu tools does for DGPR

As docu tools is based within the EU we want to implement the EU’s new DGPR as quickly and efficiently as possible. We respect the requirements and demands of our clients and users and their partners in relation to data protection and will continue to improve in fulfilling them. We therefore took technical and management measures in accordance with the DGPR in order to protect the personal data processed in docu tools as well as possible. 

Internal Processes, Security and Data transfer

A major measure for fulfilling the requirements of the GDPR means implementing processes that secure the visibility and accountability of all data processes. We have inserted elements into our product development cycle to create functions which at their heart work according to a principle of ‘data protection by design’. All access to contact data which we process on behalf of our clients is strictly limited. Our internal processes and protocols ensure that we fulfil our legal responsibilities according to GDPR guidelines.

We have introduced processes and tools for the collaboration with third-party providers which ensure that our third-party providers meet the high expectations of docu tools and our clients concerning data protection and security. We therefore save all our clients’ data in a data center in Germany (Frankfurt) to ensure an appropriate level of data security according to GDPR guidelines. 

Personal data access

The owners of personal data of the user stand at the heart of the DGPR. We are prepared to respond to user requests to delete, edit or transfer data. This means that our Service Team and our software developers supporting the Service Team can help you with all your requests in relation to data access.

Documentation

Our General Terms and Conditions and our GDPR are regularly checked and tested to further increase our transparency, and to ensure that our documentation meets the requirements of the GDPR. Because these documents form the basis of our collaboration with our clients we have a great desire to openly and thoroughly explain to you our responsibilities and your rights. Furthermore, we constantly document and archive our data processing activities as per our GDPR accountability.

Training

Our staff continuously receives training regarding all the above discussed topics to ensure the requirements of the DGPR are fulfilled. Training in data protection laws and security standards are a permanent feature for all our existing and new staff. Each division receives customized information about how to work with personal data. 

The safeguarding of the data protection rights of the individual, as well as the responsible use of personal data, is a key part of the corporate culture of docu tools.