NetSupport Notify and GDPR Compliance

Introduction

The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

NetSupport Notify is a simple, one-way messaging and alerting tool that enables the user to send a short message to multiple desktop devices.

How does NetSupport Notify process personal data?

NetSupport Notify allows the user to type a message which could potentially contain personal information. The message is then displayed at the targeted desktops and recorded in the notification server’s history.

When the message is sent, the sender can choose to set NetSupport Notify to record acknowledgements. If this option is set when the user at the desktop acknowledges the message, NetSupport Notify will automatically record the logon user name for the desktop. This username is recorded with the message acknowledgment.

Where is the personal data stored?

The notification server holds a small database that contains the history of messages that are sent and the acknowledgment of these messages. The database is a single file called gateway.db on the Notification server. The Gateway database will only store data for the period set in the configuration; the default data retention period is 30 days.

What data is collected and stored?

The table below lists all the personal information that is processed by NetSupport Notify.

NetSupport Notify and the GDPR Data subject rights

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. For further information and guidance see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

If you are intending to record acknowledgements for notification messages, you should ensure that is referenced in your privacy policy.

The right of access

Under GDPR, individuals have the right to access their personal data. This allows individuals to be aware of and verify the lawfulness of the processing.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

NetSupport Notify’s Notification server history can be exported to a CSV file format and this can used to provide access to the data stored, if required.

The right to rectification

Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

NetSupport Notify only records the logged-on user name. If this user name is incorrect, then the system being used to manage the user name should be used to correct the information.

The right to erasure

Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For information on when this right is applicable, see the ICO guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Acknowledgement and message history data is only stored in NetSupport Notify for the time period set on the notification server. If data needs to be deleted before this data retention period, please contact our Technical Support team.

The right to restrict processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. The right is not absolute and only applies in certain circumstances. In most cases, you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

NetSupport Notify’s feature to require acknowledgements is optional, so this data processing can be restricted by not using this option.

The right to data portability

The right to data portability only applies:

• to personal data that an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

This would not apply to any data processed by NetSupport Notify.

The right to object

The Guidance from the ICO states that:

“Individuals must have an objection on “grounds relating to his or her particular situation” And that you must stop processing the personal data unless, You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; “

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

NetSupport Notify’s feature to require acknowledgements is optional, so this data processing can be restricted by not using this option.

Rights in relation to automated decision making and profiling

The GDPR has provisions on:

• automated individual decision-making (making a decision solely by automated means without any human involvement); and
• profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/