General Data Protection Regulation (GDPR)
Overview of the new privacy laws
As of May 25th, 2018, the General Data Protection Regulation (GDPR) comes into effect, opening a new era of data protection and privacy for everyone. While you've certainly heard and read a lot of information about GDPR, it can be difficult to understand exactly what it means for your business, in practical terms, and what you should do to be compliant with the new rules.
At Arox, we are committed to following best practices in terms security and privacy. We strive to provide the same level of protection to all users and customers, without distinction on their location or citizenship. And we apply those best practices for all data, not just personal data.
So Arox Solutions - Professional Badminton Solutions UG is fully compliant with GDPR.
Our system is based on ODOO ERP and as ODOO fully integrates GDPR into every step and process, it is quite easy to give every customer/partner the data subject rights as follows:
Data Subject Rights
Existing data privacy rights for individuals are further expanded by the GDPR. Organizations must be prepared to handle requests from data subjects in a timely manner (within 1 month), free of charge:
Right to Access - Individuals have the right to know what and how their personal data is being processed, in full transparency;
Right to Rectification - Individuals have the right to obtain correction or completion of their personal data;
Right to Erasure - Individuals have the right to obtain deletion of their personal data for legitimate reasons (consent is withdrawn, no longer necessary for the purpose, etc.);
Right to Restriction - Individuals can request that the controller stops processing their personal data if they do not want or cannot request full deletion;
Right to Object - Individuals have the right to object to the certain processing of their personal data at any time, for example for direct marketing purposes;
Data Portability - Individuals have the right to request that personal data held by a controller be provided to them, or to another controller
Right to Access (Art. 15) and Right to Data Portability (Art. 20)
We provide some tools for the data subjects to access and update their personal information in self-service mode:
The customer portal allows browsing contractual documents: address and contacts, invoices, quotations, orders, tasks, helpdesk tickets, purchases, subscriptions, delivery orders, payments as well as communications around these documents.
The mailing lists page, allows users to review and manage their subscriptions
The forum profile allows your forum users to review all their activities at a glance
Right to be forgotten (Art. 17)
GDPR grants data subjects the right to request the erasure of their personal data, under specific conditions, such as:
The data is not necessary anymore according to the purpose;
They withdraw consent for processing that was based on a consent only;
The processing is otherwise unlawful.
If we determine that the request is legitimate, and we have confirmed the identity of the subject, we will attempt to delete the corresponding contact in our system. This is safe: the system will block the operation if a business document still refers to the contact (invoice, contact, delivery order, forum post, etc.). In that case, you should decide whether you have other obligations to keep these documents, and must decline the erasure request.
If you have no legal reason to keep the personal info, but cannot, or do not want to delete a document or contact, consider anonymizing it instead. You can rename the contact and change its recognizable data (email, address, etc.), or you can re-assign documents to a generic Anonymous contact. Once properly anonymized, this data will not be personal data anymore.
Restriction of Processing (Art. 18) and Consent Withdrawal (Art. 7)
Users will often ask to be unsubscribed from commercial emails. If your mailings were sent via Odoo, users can do it themselves using the footer's unsubscribe link. But you can also manually tick the "opt-out" field on contact or lead/opportunity. Records marked “opt-out” are automatically excluded from mass-mailing campaigns, but can still receive direct messages from users (e.g. quotations, invoices).
Right to Rectification (Art. 16) and Data Accuracy (Art. 5 (1) d)
Invalid/changing email addresses are a common source of data error. When email integration is properly configured (by default in our system), our ERP handles email bounces in your mass-mailings and increments a Bounce field with the number of bounced messages. You can periodically review your contacts or prospects with a custom search on "Bounce greater than 0" and cleanup/delete them.
Followers of Odoo Discuss channels are automatically unsubscribed after 10 bounces.
In terms of rectification, users and customers can also correct their own personal data (name, email, address) through the Odoo portal.
Consent (Art. 7)
When you collect personal data via Odoo’s default mechanisms (e.g. contact form, mailing-list subscription, event subscriptions), you have to establish a purpose and legal basis for the processing. This greatly depends on how you will use the data.
However, if you plan to use the collected data for other purposes, you need to obtain explicit consent for each purpose from the user. The recommended way is to add checkboxes to your form to get the consent for each specific purpose (e.g. "Please send me discounts and promotions on similar products via email"). To do this with Odoo, you can:
Use Odoo Studio to add a checkbox (boolean) field on the document collecting personal data (e.g. Leads/Opportunity), to represent consent for this purpose
Add the checkbox to your website form via Odoo's website builder
Use this field when processing data for this purpose, for example in your marketing campaigns segment filters
Privacy by Design (Art. 25)
Security by Design is at the heart of our R&D work at Odoo, and we apply security best practices to make our software Safe, robust and resilient for everyone.
Access Control - The default group-based access control mechanism of Odoo allows you to restrict access to personal data according to each user's role and needs. (e.g: a project manager might not need access to Job Applications). If you review the user groups assignations and maintain them properly when roles change in your organization, you have a strong privacy basis. You can easily add or modify user groups to tailor them to your organization.
Record Rules - To fine-tune access to personal data, you can use the concept of Record Rules, which let you restrict access to documents according to any criterion based on field values. Record Rules can block read and/or write operations, and they work on a per-document basis. For more information, please refer to our documentation.
Passwords - Odoo stores user passwords with industry-standard secure hashing. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords at all.
Employee Data - One area where Odoo databases are likely to include sensitive personal data is the Private Information tab of the employee form and their contracts. This part of the Employees Directory is only visible to HR personnel ("HR Officer" group), who need it for their job. We've recently extended this protection to the personal address of employees, which are stored as Contacts, by adding a new address type ("Private") that is visible only to HR personnel. This is already available in the preview version of Odoo 12.0 (and Odoo Online as of saas-11.4),and we're working on adding it to older versions.
Security of Processing (Art. 25 & 32)
If you use Odoo Online or Odoo.sh services, we implement security and privacy best practices at all levels. You can find our more about it in our Security Policy. If you use Odoo on-premise, you are responsible for following security best practices. You can start with the security recommendations of our deployment documentation.