One and a half years after the introduction of the GDPR (General Data Protection Regulation), many companies are still unsure what has to be changed. This also applies to the electronic access control and digital lock technology. Andreas Grauvogl, the responsible product manager for the subject of GDPR at SimonsVoss, answers the most important questions of data protection here in connection with the 3060 system and the locking system management (LSM) software from SimonsVoss.
GIT SECURITY: Mr Grauvogl, what personal data is stored in the LSM software?
Andreas Grauvogl: The first and second names, title, address, telephone, e-mail, staff number, user name, department, location/building, date started/left, birthday, cost center and a photo can all be stored. In principle, though, only the second name and the staff number are so-called compulsory fields and necessary for the use of LSM. The customer must decide which of the other fields to use, depending on the operational requirements of the business. Particularly sensitive categories of personal data according to Article 9 of the GDPR are not saved.
For what purpose is personal data stored?
Andreas Grauvogl: It is fundamentally necessary to assign the identification media used (e.g. a transponder) to a particular person (e.g. employee) in order to make full use of an electronic locking system. Ultimately, data is stored to ensure secure access rights assignment.
How long is personal data stored in the software?
Andreas Grauvogl: Data is maintained at least for the duration of possession of an identification medium (e.g. during employment), because the system needs this data at least for this period. The duration of storage of data, for example in reports, can be altered by the locking system administrator and adapted to the needs of the company.
Is personal data in the software protected from access by third parties?
Andreas Grauvogl: The end user of the locking system and the software is fundamentally responsible for system administration and for assigning access rights. For that reason it is not possible to open the graphical user interface and access the data without a password and the corresponding user rights. All data is secured by a multi-level encryption process in the SimonsVoss 3060 locking system itself. Automatic transfer, usage or processing by SimonsVoss with regard to business operations does not take place.
Can the stored data be made available as a copy on request?
Andreas Grauvogl: As from Version 3.4, provided the appropriate user rights are available, all data gathered about a person can be made available as a copy by the customer using the export function, for example for the purposes of an audit. This permits the customer to fulfill the requirements for the provision of information according to Art. 15(3) GDPR.
Can personal data be deleted from the software?
Andreas Grauvogl: Personal data can correspondingly be removed from the software by the customer upon request by an affected person according to Art. 17 GDPR (as from Version 3.4), and the relevant database entries deleted. We have described the procedure step by step in our software handbook. In addition, SimonsVoss is preparing its own module on fulfilling the requirements of the GDPR in the training documentation for the 3060 digital locking and access control system as well as for the LSM software.
Companies under obligation
The European General Data Protection Regulation (GDPR) has been in force since 25th May 2018 and applies to all companies in the EU that process personal data.
Among other things, the subject of liability and the frequently mentioned associated penalties of up to 20 million Euro or 4% of the previous year's annual turnover have caused uncertainty and a negative atmosphere. The existing room for interpretation in the EU data protection rules first requires additional clarification by the authorities and the courts before legal clarity can be obtained for those affected. The directive affects many different company processes. Sticking points are often the technical implementation of data protection, the physical data storage, the storage location, the password protection, etc.
“We are in contact with our customers on the subject of data protection in digital locking systems,” says Andreas Grauvogl, the product manager responsible at SimonsVoss for the subject of GDPR, “and have established that many companies rely upon the software manufacturer. But in fact, the companies themselves are obliged to make use of the options made available by the manufacturers in order to operate in conformance with the GDPR.”