In a nutshell
GDPR is a new EU law aimed at personal privacy. It is designed to replace the current privacy
laws in each of the 28 EU member states and have one privacy law throughout the EU.

GDPR strengthens privacy rights for the consumer – users (e.g. customers, employees) are given more
control over the way companies process and use their personal data. They can give and revoke
permission to use the data, and gain insight into what data is used and how it is used.

Companies can still collect personal information. But:

• The company must explain why they need each piece of information;
• The user must explicitly accept the use of their data for that specific purpose;
• The user must be able to get information about what data is stored and how their data is used;
how this information can be obtained must be made clear in a privacy policy.
• The user must be able to revoke permission to use their information.

While the GDPR is an EU regulation, it is important to note that it applies to all businesses worldwide as long
as they are processing the personal data of EU citizens. Failure to comply may result in fines of up to 4% of
annual revenue or €20 million, whichever is higher.

The Basics of GDPR

The General Data Protection Regulation (GDPR) applies to
personal information about people. Personal information includes
information such as a person’s name, email address, mailing
address, photograph, social links and IP address.

The regulation also has strict rules for sensitive information like
medical history. In addition to this, sensitive personal information
under GDPR includes data elements such as the racial or ethnic
origin of the data subject, political opinions, religious beliefs or
other beliefs of a similar nature, membership of a trade union,
sexual life, and criminal background.

In the case of sensitive data, a company not only needs one of the
lawful reasons listed under GDPR Article 6 to process this data, but
also one of the reasons mentioned in GDPR Article 9, Processing of
special categories of personal data.

GDPR generally does not apply to company data or any other
non-personal data.

You can find more info on GDPR here:
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

A company can process this personal data lawfully based on any
of the following reasons (GDPR Article 6):

• Consent
• Contract
• Legal Obligation
• Vital Interest
• Public Task
• Legitimate interests

Important terminology:

Data Controller
A controller determines the purposes
and means of processing personal
data.

Data Processor
A processor is responsible for
processing personal data on behalf of
a Data Controller.

Data processing
Any operation or set of operations
which is performed on personal data
or on sets of personal data, whether
or not by automated means, such as
collection, recording, organization,
structuring, storage, adaptation or
alteration, retrieval, consultation, use,
disclosure by transmission,
dissemination or otherwise making
available, alignment or combination,
restriction, erasure or destruction.

Data Subject
A natural person whose personal data
is processed by a controller or
processor.

Kopano and GDPR

Kopano is an intuitive open source collaboration platform that helps teams boost productivity and increase
efficiency. It includes real-time messaging, file sharing, video calls, email, calendaring, online editing and
more. When using Kopano, you can see what is happening to your data anytime and anywhere: on-premises
or in the (hybrid) cloud. This gives you the advantage of having control over your installation and data and
prevents you from having to rely on a data processor (who might depend on others as well).

Communication and collaboration software as such is not specifically designed to store personal data, but by
its nature it will almost certainly contain personal data. For example, when using email, you will have to use
email addresses, which in most cases will be considered personal data (even business email addresses).

Due to the sensitive nature of the information that can be stored in emails etc., we encourage Kopano
customers to put the right measures and procedures in place to secure this information as well as possible.

Possible measures may include:

Security/technical

• Limit physical and remote access to the system
• Don’t allow others access to your mailbox other than through the application (use of delegates and permissions)
• Use up-to-date and professional antivirus and SPAM protection software
• Use secure connections
• When applicable/possible use encrypted storage
• Use two-factor authentication
• Have a proper back-up procedure in place

Internal Policies

• Create awareness among users
• Enforce password policies
• Limit printing of data
• Regulate access to the system by sysadmins
• Have a policy for putting data on devices like USB-drives and other external storages
• Define terms on how long to store data
• Document all the measures you take

Kopano does not offer possibilities to gather statistics, do profiling or promotions.

Important Data Subject Requests

The right of access
What does it mean: Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
How to handle in Kopano: Through the (Advanced) Search function in Kopano, items which relate to Data Subjects can be found. After screening (you must be very careful not to expose personal data from others, which would constitute a data breach in itself) this information can be provided to the Data Subject.

The right to rectification
What does it mean: The GDPR includes the right of individuals to have inaccurate personal data rectified or completed if it is incomplete.
How to handle in Kopano: Data can easily be updated in Kopano through the normal user interface.

The right to erasure
What does it mean: This entitles the data subject to have the Data Controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
How to handle in Kopano: Through the (Advanced) Search function in Kopano, items which relate to Data Subjects can be found. The appropriate data can then be deleted.

Disclaimer

While every effort has been made to ensure the accuracy and completeness of information included in this
document, Kopano B.V. gives no guarantees or takes responsibility for any errors and/or omissions the
document may contain.

Get in touch
E: info@kopano.com | T: +31 (0) 15 750 4712 | W: www.kopano.com