GDPR Recommendations for Cloud Softphone apps¶
Starting May 25th, the GDPR regulation will come into effect. Services operated by EU companies, or having customers in EU countries will have to be compliant with this regulation. We are providing the following recommendations on how to achieve GDPR compliance for providers using our Cloud Softphone platform.
The full text of GDPR can be found at http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf.
GDPR requires to inform users about several important points with regard to the collection and processing of their personal data. It is mandatory to provide this information.
Cloud Softphone includes a “EULA” (End User License Agreement) feature. EULA is a page which is shown after the app is installed and launched for the first time. The EULA must be agreed to before the user can start using the app. This makes it ideal for this purpose.
All apps should have EULA configured in order to be GDPR-compliant.
EULA should contain general “Terms and Conditions” for your service and we recommend including the following information with regards to GDPR:
These points cover the processing of personal data by Cloud Softphone platform ONLY. In case you collect additional data from your customers and process them in other ways, like for marketing purposes, you may need to give your customers additional information.
1. Identity of Personal Data Controller¶
The controller of the personal data as defined in Article 4.7 of GDPR is: CONTROLLER_CONTACT_DETAILS. Data Protection Officer can be contacted at DPO_CONTACT_DETAILS.
According to Article 4.7 of GDPR, controller determines the purposes and means of the processing of personal data, while processor processes personal data on behalf of the controller. By this logic, you as the service provider are the controller, while Alien Licensing, GmbH is the processor. GDPR requires publishing the contact details of the controller. Any telephony service also requires Data Protection Officer, whose contact details also need to be published here. We can provide the service of Data Protection Officer if needed.
2. Lawful Purpose¶
For the correct functionality of the service, certain data fulfilling the definition of “personal data” given by paragraph 4.1 of GDPR needs to be processed. This data is stored and processed solely for the purpose of enabling the features of the Service. By accepting this EULA, you are entering a contract and personal data is lawfully processed in accordance to paragraph 6.1.b of GDPR.
The Personal Data is stored on servers within the European Union and the United States of America. In case the servers are located in the USA, they are always hosted at centers which participate in EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce and the European Commission.
This information is correct for servers hosted by us. In case you decide to host any servers on your premises, you may need to adjust this paragraph accordingly.
4. Time Period¶
The Personal Data is necessary for the correct operation of the Service. They will be processed as long as the service is in use. In case you decide to stop using the Service and uninstall the related apps, all Personal Data will be removed from our servers within a period of 7 days, with the exception of data we are required to hold for compliance with a legal obligation which requires processing by Union or Member State law, as specified in GDPR Article 17.3.
5. Right to be forgotten, rectification of Personal Data¶
You have the right to request erasure of your Personal Data by GDPR Article 17 and 18). To do so, uninstall the apps and the data will be removed automatically as specified in the “Time Period” paragraph. The service depends on the Personal Data being processed and can not work correctly without it. The Personal Data originates from the input given by the user; rectification can be done by editing the data within the app at any time.
6. Collected Data¶
SIP Account Credentials¶
Required for Push Notifications and WebRTC app to work. They are being used to register the account on the server and forward any incoming calls and messages to the device via Push Notifications.
Address Book Data¶
Required for “Contact Sync” and “Smart Contacts” feature to work. A copy of your Address Book is kept on the server and used to show your address book in WebRTC app and to notify you about your contacts that also use the Service.
When using features which require server components, like Push Notifications or Contact Sync and Smart Contacts, or any web services, the IP address and browser information may be logged by the servers. The logs are automatically rotated and the information in them is only processed when troubleshooting specific issues, or when required by law.
The servers collect information whether the app has been actively used within the current month, for accounting/billing purposes. The data has a form of pseudonymized identifier which is reported by the app when it is used and the time since the last report is more than 14 days.
In case you are hosting SIPIS and WEBIS servers on your own premises, the first paragraph can be omitted, because the SIP account credentials are naturally known to you as the SIP service provider and they are not shared with anyone. In case you are not using Contact Sync or Smart Contacts feature, feel free to omit the second paragraph as well.
7. Data Portability¶
You have the right to request a copy of your Personal Data in a portable format.
In case someone requests the data in a portable format, we will need to solve the authentication of this request (GDPR Article 12.6). We will need to know SIP username and password to make sure we give copy of the data to the right person. In some cases, the users don’t even know their SIP username and password though, we will need other means of identification, like phone number + PIN verification. We will cooperate with providers to resolve more complex cases.
You have the right to lodge a complaint with a supervisory authority.