GDPR (General Data Protection Regulation) is the European Union’s new regulation on data protection and privacy for all individuals within the EU, effective from May 25, 2018. This article describes Form Publisher’s compliance with GDPR and answers the key questions you may have when reviewing Form Publisher as your data processor.
Awesome Gapps (your service provider) is committed to respecting your privacy and your customers' privacy by complying with the GDPR. Form Publisher (the service), an add-on based on Google Apps technologies that provides automation of document generation and approval workflow, would be considered a Data Processor.
Form Publisher commitment towards GDPR
Here is the key information (as an FAQ) on our commitment towards GDPR compliance, the safety and protection of your data, and the features that may support the compliance of our customers. You may want to consult it while reviewing or choosing Form Publisher as your data processor:
Is Form Publisher GDPR compliant?
Yes. Form Publisher is GDPR compliant as of May 25, 2018.
Does your Data Processing Agreement (DPA) confirm Form Publisher's compliance with GDPR?
How does Form Publisher comply with the legal requirements for transferring data?
The Form Publisher DPA has been updated to confirm our compliance with the GDPR.
As detailed in the DPA, for customers who wish to transfer personal data to a third country (outside the EEA) in accordance with Article 45 or 46 of the GDPR, the application of lawful data transfer mechanisms relies on entering into Standard Contractual Clauses or on offering an alternative transfer solution, if requested (for example, the EU-U.S. Privacy Shield).
Do you currently adhere to Binding Corporate Rules (BCR)?
Where is Form Publisher data stored?
Form Publisher is built on and runs entirely in the Google Cloud environment. All data is stored and hosted on Google servers. The data is NEVER stored with or transferred to any entity other than Google.
Please note that Google is committed to complying with the GDPR for G Suite and Google Cloud Platform Services.
Do you have a Data Protection Officer (DPO)?
No. Considering the nature and the scale of personal data being processed by Form Publisher, appointing a Data Protection Officer (DPO) is not applicable to us.
What data controls do you have in place?
Form Publisher, as an add-on for Google Forms, requires you to log in with your Google Account credentials to install and use it.
Authentication relies entirely on Google authentication services. Form Publisher does NOT have access to your Google account or your password at any time. All data sent to or from Form Publisher is transmitted securely.
The first time you install Form Publisher, it requests your authorization to access certain services in your Google account and to act on your behalf. Form Publisher requests the permissions that are absolutely necessary to offer its functionality to you. Your authorization is limited to the functionality of the service. Form Publisher neither propagates these permissions nor allows anyone (including the Form Publisher support team) to access your files or folders automatically.
Who can access my data, under what circumstances and what can they see? Is this access tracked?
Only you have access to your data or the data of your subscribers (data subjects) at any point in time, with one exception: when you explicitly grant access to your files while seeking technical assistance from the Form Publisher support team.
Form Publisher relies entirely on Google Document Service API & Google Forms Service API to automate document generation. It uses Gmail API for sending notifications and Google Cloud Functions to invoke workflow functions in real time as and when approvals happen.
Form Publisher uses your Google form data only until it creates personalized documents for you. Similarly, the generated documents are referenced during the workflow by their IDs. At no time do we store a copy of the content of your Google data or generated documents.
How does your organisation handle instances when customers or prospects request their data be removed from your system(s)?
Form Publisher, as a data processor, uses the data that is absolutely necessary for Form Publisher to provide its service to its customers (data controllers). We never store any data of your subscribers (data subjects). So your data subjects' deletion requests can be decided and handled entirely at your level, and in no case do you need to notify us of them.
However, as a Form Publisher customer, you may request to have your data deleted only if you have decided to stop using Form Publisher, as deleting your data will interrupt or stop Form Publisher from providing its service to you.
You can send your request for deletion of your data to email@example.com. We will permanently delete it from our database and send you a confirmation.
Do you have in place a security breach notification process?
Yes. As detailed in our DPA, in the event of a data incident, we will notify the affected customers promptly and without undue delay and take reasonable steps to minimize harm and secure customer data. The notification will be delivered to the notification email address of the customers. Please note that you (the customer) are solely responsible for ensuring that the notification email address is current and valid.
What risk management processes do you have in place?
Our risk management processes include a robust internal monitoring system (including Stackdriver) and monitoring by a Security Review Board and. Its practices are governed by our Incident Response Policy (effective 1 November 2017).
If an issue is detected by the monitoring system, by our Security Review Board, or by notification received from our service provider (like Google Firebase), the severity of the incident is assessed immediately and is directly reported to the engineering team.
The Incident Response Plan includes reporting any major-impact incidents, and the measures taken, on our Form Publisher status page: http://status.form-publisher.com. In case of incidents impacting a small number of specific customers, they will be contacted privately.
Regardless of the incident severity level, customer support tickets in the support platforms firstname.lastname@example.org that are related to the incident will be regularly updated with the incident status.
What third party organisations do you work with that may also have access to the data we share with you?
Do you offer any legal advice or guidance for Form Publisher customers (data controllers)?
No. We do not and cannot offer any legal advice or guidance on what actions you (a data controller) may need to take to comply with GDPR, or how to take them. However, please be assured that we are committed to providing you with the tool that may help you comply with the regulations.
We have a series of detailed articles on your data security and confidentiality with Form Publisher. We invite you to consult these articles, which explain what data is processed by Form Publisher, why, and how:
- [DATA ACCESS] What permissions are needed to use Form Publisher?
- [DATA ACCESS] Why share your Google Form and your templates with Edit access?
- [DATA STORAGE] What data is stored by Form Publisher and how is it used?
- [DATA PROCESSING] How are your personalized documents generated by Form Publisher?
- [DATA PROCESSING] How does Form Publisher send documents via email notifications on form submission?
- [DATA PROCESSING] How does Form Publisher send approval notifications during the workflow?
- [DATA DELETION] How to have your data deleted from Form Publisher?