!First of all USE ENCRYPTED COMMUNICATION as much as possible!
If you send sensitive data across the public net I request you to encrypt to my PGP key!

Now my GDPR "light" agreement (private and non-commercial use only)

This is my personal and private instance of ERPNext. None of the things in here is commercial.
I will at no point be using data stored in here for commercial applications.

During Covid-19 I invested quite some time into bringing this "Interaction Portal" to life.
Its sole purpose is to make even my personal interactions compliant with data protection regulation.
None of what I commit here would legally be needed for myself as a private non-commercial entity.

Data processing (no agreement needed for private application)
GDPR-wise we are legally safe as this is a non-commercial instance of data processing from EU perspective:
running on hardware in Helsinki, FI and maintained by PloenK.NeT d.o.o. Novi Sad, RS on my behalf.

No other party than the ones named in section "DPs - Data Processors" is involved in data processing:
the system is running an encrypted virtual instance of Ubuntu 18.04 LTS with access by only myself.

As a privacy enthusiast I am personally committed to complying not only with all regulatory but also with privacy requirements, so here is a brief documentation on how data is processed by my systems.

Quick overview of a very simple setup:

DPs - Data Processors
I have two data processing parties contracted
  • Google Apps for Business (and Google Cloud)
  • Calendly, LLC
  • my virtual server
    • running in an encrypted container only accessible by myself
    • located in Finland under EU GDPR regulation
    • with no Data Processing Agreement published on our website other than this one

Processing of Contact Data
In order to operate the infrastructure of this system I am committed to only store and process vitally needed personal information of contacts in the system. The stored information spans across
  • name (first, middle and last name)
  • email address (multiple if submitted by the user)
  • relation to the customer (if not an individual customer and therefore contact)
  • phone number (multiple if submitted by the user)
  • physical address / location (only those of the customer locations)
    • billing address
    • delivery address
    • personal addresses (not visible to other users in the customer records)

Processes handling personal contact data

Submitting information
always stores the data locally in my server system.

Data submission through our Data Processors (as named above) enables automated intake of data for the comfort of my contacts. Only the following cases do not store in our systems directly but need this contracted processing:
  • scheduling of support and consulting sessions through Calendly
    • user chooses an available slot ==> no personal data involved
    • user enters their (and up to 10 guests') email address/es ==> needed to send meeting invitation/s (not stored)
    • user enters their phone number (only if not willing to use our conference system GoToMeeting that does not ask for personal data) ==> needed to call customer contact
    • user enters their mobile number (only if SMS reminder for the meeting requested) ==> needed to send SMS reminder
  • receiving and sending email correspondence with the customer through Google Mail (Apps for Business)
    • user sends email with clear name ==> needed to identify contact
    • user's email address ==> needed to send reply as requested
  • sending updates and changes to the customer user
    • user submits email address to a newsletter topic ==> no link to personal contact data
  • storing of personal contact data for mobile applications
    • user consents to store their contact information in Google Contacts through API ==> needed to communicate from mobile devices of dedicated agents
    • only email address/es, phone number/s and name are stored in Google Contacts

Deletion of personal data

You can "Request to Delete Data" at any time to initiate an automated and irreversible process that will

Please, note that your data in any technically related application as named below will be anonymized:
  • ERPNext (this system)
  • NextCloud (my private groupware and cloud) https://dings.bums.li/
  • contact data (will be deleted completely 90 days from last transaction)
    • email address remains in "User Id" field
  • all personal data replaced with dummy data
    • first name
    • middle name
    • last name
    • email address
    • phone
    • mobile no
    • email ids
  • Google Apps for Business (if you have been asked to link your account)
    • all contact data
  • Calendly
    • no contact data have been stored

Definitions

Customer
As this is a private non-commercial installation customer refers to an organization the contact belongs to.
The customer must be understood as a data set only to structure relations rather than an impersonation.

Customer Data
The data submitted, stored, sent or received through our systems by the customer or their user.

Customer Personal Data
Personal Data refers to contact's data stored in records maintained by or for the user of a customer.

Data Incident
“Data Incident” means a breach of my security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Contact Data on systems managed by or otherwise controlled by myself or my Data Processors.

Data Processors
Data Processor refers to a contracted party processing data for the sole purpose of our vital business processes. All our Data Processors are named in the corresponding section above.

Privacy Shield
“Privacy Shield” means, as applicable, the EU-U.S. Privacy Shield legal framework, the Swiss-U.S. Privacy Shield legal framework, and any equivalent legal framework that may apply between the UK and the United States.

User
User refers to the contact that has access to the system and submits, stores, sends or receives data.

DPO - Data Protection Officer
We do not need a DPO right now as long as we only use the system for private correspondence.