NetSupport Notify and GDPR Compliance

Introduction

The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the EU GDPR has been designed to meet the requirements of the digital age. Subsequently, upon the UK leaving the EU, the Data Protection Act 2018 was updated to enact the UK GDPR, replicating the EU GDPR.

The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing.  

The UK GDPR aims to standardise the regulation of data protection laws and processing across the UK, to work within the EU, and to influence other legislation across the globe, affording individuals stronger, more consistent rights to access and control their personal information.

NetSupport Notify is a simple, one-way messaging and alerting tool that enables the user to send a short message to multiple desktop devices. 

The following sections are designed to help you with your Record of Processing Activities, any risk assessments you may need to complete, any due diligence needed during purchase/procurement and to help you with information you may need for your Privacy Notice. 

How does NetSupport Notify process personal data?

NetSupport Notify allows the user to type a message which could potentially contain personal information. The message is then displayed at the targeted desktops and recorded in the notification server’s history. 

When the message is sent, the sender can choose to set NetSupport Notify to record acknowledgements. If this option is set, then when the user at the desktop acknowledges the message, NetSupport Notify will automatically record the logon username for the desktop. This username is recorded with the message acknowledgement.

Where is the personal data stored?

The notification server holds a small database containing the history of messages that are sent and the acknowledgement of these messages. The database is a single file called gateway.db on the notification server. The Gateway database will only store data for the period set in the configuration; the default data retention period is 30 days.

What data is collected and stored?

The following table lists all the personal information processed by NetSupport Notify. 

| Name | Purpose | Legal Grounds | Sensitivity | Collection |
|---|---|---|---|---|
| Logon Name | Identification | Legitimate interests * | Personal Data | Automatically collected |
| Message Text | Other | Other | Possible Personal Data | Manual Entry |

* The Lawful Basis for processing is decided by the Data Controller (the customer) and not by NetSupport. This table gives the suggested basis for public authorities/companies and other organisations respectively. Please confirm with your Data Protection Officer/Data Protection lead as to the correct Lawful Basis.

NetSupport Notify and the GDPR Data subject rights

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. For further information and guidance, see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

If you intend to record acknowledgements for notification messages, you should ensure that this is referenced in your privacy policy.

The right of access

Under GDPR, individuals have the right to access their personal data. This allows individuals to be aware of and verify the lawfulness of the processing. 

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

NetSupport Notify’s notification server history can be exported to a CSV file, and this can be used to provide access to the data stored, if required.

The right to rectification

Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified. 

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

NetSupport Notify only records the logged-on username. If this username is incorrect, then the system being used to manage it should be used to correct the information.

The right to erasure

Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For information on when this right is applicable, see the ICO guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Acknowledgement and message history data is only stored in NetSupport Notify for the time period set on the notification server. If data needs to be deleted before the end of this data retention period, please contact our Technical Support team.

The right to restrict processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. The right is not absolute and only applies in certain circumstances. In most cases, you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time. 

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

NetSupport Notify’s feature to require acknowledgements is optional, so this data processing can be restricted by not using this option. 

The right to data portability

The right to data portability only applies: 

  • to personal data that an individual has provided to a controller; 
  • where the processing is based on the individual’s consent or for the performance of a contract; and 
  • when processing is carried out by automated means. 

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

This would not apply to any data processed by NetSupport Notify. 

The right to object

The guidance from the ICO states that: 

“Individuals must have an objection on ‘grounds relating to his or her particular situation’. And that you must stop processing the personal data unless, ‘You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual’.”

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

NetSupport Notify’s feature to require acknowledgements is optional, so this data processing can be restricted by not using this option. 

Rights in relation to automated decision making and profiling

The GDPR has provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and 
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. 

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/

NetSupport Notify does not perform any automated decision making. 

If you have any further questions regarding this document or any other queries regarding NetSupport Notify, please contact us:

 

| Sales enquiries | Purpose | Technical support |
|---|---|---|
| +44(0)1778 382270 | +44(0)1778 382270 | +44(0)1778 382272 |
| [email protected] | [email protected] | [email protected] |
