GDPR and Privacy

We take privacy seriously

24SevenOffice works hard to maintain the privacy of the data you entrust to us. Compliance with privacy laws and regulations is an important element of 24SevenOffice's ISO 27001 certification. Data you store in 24SevenOffice Services is yours - we put our security program in place to protect it, and use it only as permitted in our Customer License Agreement (CLA) and Privacy Notice. We never share your data across customers and never sell it.

Read more about 24SevenOffice and privacy in our security section or read answers to the most common questions about privacy below.

 

24SevenOffice privacy and GDPR

FAQ about Privacy Questions

  • The General Data Protection Regulation, often referred to as the ‘GDPR’, is the data protection legislation of the European Union (EU). The aim of the GDPR is to protect the privacy and personal data of individuals (data subjects) residing in the EU. Norway is a member of the EEA (European Economic Area/European Economic Cooperation) and, for most, if not all, practical purposes, is subject to the same rules and regulations as EU countries in relation to privacy.
  • The GDPR applies to all processing of personal data. In this context, all businesses that market a product or monitor the behavior of people in the EU/EEA have to comply with the GDPR.
  • Yes, company size is irrelevant to the GDPR. A controller or processor could even be a single natural person if he or she is processing personal data.
  • Start by getting an overview of what personal data you process in all of your different IT systems. Do you have a lawful basis for processing this data? Should some of it be deleted? If a data subject asks you to delete data, do you have procedures to do that?
  • You can read about how 24SevenOffice processes personal data in the Privacy Notice and in the Data Processor Agreement.
  • Yes, if you are a customer of 24SevenOffice you need to have a data processor agreement. But you do not need to sign additional documents. When accepting the Customer License Agreement (CLA) to use 24SevenOffice you also enter into the 24SevenOffice data processor agreement.
  • No, the responsibility to comply with the GDPR lies with your own company. It is your responsibility to follow the regulations in the GDPR. That includes what type of data you are processing, the lawful basis for processing, and deletion. 24SevenOffice will help you to be compliant by providing the 24SevenOffice ERP Service and following the requirements of the GDPR in doing so.
  • 24SevenOffice has different reasons for processing personal data about data subjects. It can be based on a contract (to provide the 24SevenOffice ERP Service), a legal obligation (to follow laws and regulations) or consent (e.g. to provide you with information).

  • No, consent is just one of several legal grounds for 24SevenOffice to process personal data. Other legal grounds for processing personal data might be that processing is necessary for performance of the agreement (delivering the 24SevenOffice ERP Service) or that there are legal obligations to do so.
  • The 24SevenOffice datacenter is located in the EU/EEA. 24SevenOffice MRP (Masterplan) is hosted in the USA. See the list of 24SevenOffice sub-processors for more information.
  • 24SevenOffice uses different kinds of sub-processors that might be subject to the Schrems II verdict. Hosting of the services is mainly in the EU/EEA, but the ownership of some of these sub-processors might be in third countries like the USA (e.g. AWS, Microsoft and Google). See the sub-processors list, including what kind of additional security measures the different sub-processors offer.
  • No, you do not have the right to request that personal data be deleted just because it is personal data. However, you can request that certain data be deleted. What kind of personal data may be deleted depends on the basis for processing, the type of data, its relevance for the purpose of processing, and whether or not other legal provisions override the right to erasure (e.g. the accounting law in each country). 24SevenOffice has routines for handling inquiries about personal data from customers.
  • There is no universal answer to this question. It always depends on each specific case. The most important aspects are the time spent on required tasks and how much you are spending on external consultant services.

Resources