The General Data Protection Regulation (GDPR) applies to your business's use of Simplicate, because Simplicate processes personal data on behalf of your company. On this page, you'll find out how Simplicate helps you stay compliant with GDPR / AVG.
A brief overview of the GDPR / AVG
Privacy is receiving increasing attention, and for good reason. It’s important to understand what happens to data and to prevent it from being used for unintended purposes.
The General Data Protection Regulation (GDPR) is a regulation from the EU. In the Netherlands, it is known as the Algemene Verordening Gegevensbescherming (AVG). GDPR and AVG are therefore the same.
The purpose of the regulation is to give individuals confidence that everything is being done to prevent their data from being used for unknown processes. It also ensures that data is not leaked or ends up in the hands of companies, institutions, or individuals without the person's consent.
In the Netherlands, the supervisory authority for compliance is the Autoriteit Persoonsgegevens.
If your company handles personal data—which is almost always the case—then you must comply with this legislation.
A lot of information has recently been shared about the origins and consequences of the law by various parties. In this article, we explain how Simplicate helps you meet the legal requirements.
Roles under the GDPR / AVG
Under GDPR / AVG legislation, different roles are defined for the parties involved. These are as follows:
The data subject: the individual whose data is being recorded; the subject of the data.
The data controller: the company that determines the purpose and means of the processing and manages and records the personal data.
The data processor: the company that processes data on behalf of the controller.
In this context:
The data subjects are your clients—the individuals whose data you store in your Simplicate environment.
You, as a Simplicate client, are the controller of the personal data you collect, record, and manage.
Simplicate is the processor of this data.
Additionally, Simplicate is also a controller for the personal data we collect ourselves. This includes data for marketing to our prospects, providing support to users, and processing employee data.
Managing personal data under the GDPR / AVG & key considerations
We’ve listed the most important considerations under the GDPR. First, we outline the rights of ‘data subjects’ and your obligations as a company. Below that, we explain how Simplicate helps you comply:
Right to be forgotten
Companies must be able to delete personal data if the individual requests it and if no valid counterarguments exist.
In Simplicate, you can delete personal data. Deleting a person also results in the physical deletion of the record. The data is retained in backups for a maximum of 30 days and is then fully deleted.
If a person is linked to, for example, quotes or projects in the system, you cannot delete them immediately due to existing relationships. You must first unlink the person from these modules before deletion is possible.
Right to data portability
A data subject has the right to export their data so it can be used elsewhere.
Simplicate offers export options (e.g., Excel) and API functionalities to retrieve data from the software, which are sufficient to meet this part of the legislation.
Right to access data
A data subject has the right to access and request their stored data.
In Simplicate, you can easily search for a person. By opening the record, you can see exactly which personal data is stored. You can then share this with the individual who requested access. If an individual requests access to their data, you can export it using the export function, allowing them to verify what data is recorded and whether it is correct.
Data must not be retained longer than necessary
You are not allowed to keep personal data longer than needed. It's important to consider the retention period in your process design.
You can add a ‘retention period’ date field to personal data, where you register the final retention date. This allows you to search and filter to create overviews of data that exceeds the retention period.
You need a legal basis for processing
You must have a legal basis for processing each piece of personal data. This could be, for example, a contractual obligation or explicit consent from the individual.
You can add custom fields to record the legal basis for processing the data. These fields allow you to generate lists of individuals for whom the legal basis has not yet been recorded.
Security of personal data
Data must be processed in a way that ensures appropriate security. This means personal data must be protected against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.
A data breach occurs when personal data ends up in the hands of unauthorized parties. While often viewed as a technical issue, breaches can also happen in other ways, for example:
An employee exports personal data and emails it to an external party.
An API user retrieves personal data without authorization.
Companies are required to report data breaches to the Autoriteit Persoonsgegevens within 72 hours, unless it can be proven that the breach poses no risk to the collected personal data.
Security and safety within Simplicate
At Simplicate, we take security and data privacy very seriously. Our architecture ensures that all environments and databases of different clients are physically separated. All our data traffic is encrypted. If you'd like more information about the measures we take, you can read this article.
Simplicate has an internal incident management procedure, which outlines the steps we take in the event of a data breach.
Simplicate’s software also includes an extensive authorization module that allows you to manage data access rights for all users. You can also see which individuals and API keys have access to (exports of) personal data. This helps reduce the risk of data and security breaches.
The Data Processing Agreement
As a processor of the personal data you, as the controller, collect, record, and manage, we enter into a Data Processing Agreement. This agreement outlines the roles and responsibilities between us. The agreement is made available for signing to the Account Owner, who must have signing authority in your Simplicate environment.