GDPR Compliance

The General Data Protection Regulation (GDPR) applies from 25 May 2018. Its main goal is to regulate how organisations handle personal data and to protect the privacy of individuals in the European Union. The GDPR applies to every company that does business with EU residents or processes their personal data, regardless of where the company itself is located. The GDPR therefore applies to Bio-ITech B.V. ("Bio-ITech"), and we are committed to protecting the privacy of our customers.

Bio-ITech as a Data Processor

Personal data of every person with a registered account in one of the Bio-ITech software applications is stored in our systems. The role of Bio-ITech as the software supplier depends on the chosen hosting solution. For end-users using Bio-ITech software in the Cloud or in a Private Cloud, Bio-ITech is the Data Processor under the GDPR. For organisations that host the application on their own server (a so-called On-Premises installation), Bio-ITech acts as a sub-processor: it only provides software updates and support and has no direct access to the data.

How we protect your personal data

As a Data Processor, Bio-ITech has taken strict measures and implemented the required procedures to safeguard the data of its customers. As proof of this effort, Bio-ITech has been ISO/IEC 27001:2013 certified since 2016. A copy of the ISO/IEC 27001:2013 certificate can be downloaded at www.bio-itech.nl/en/quality-assurance.

The most important measures taken to protect personal data and to ensure the confidentiality, integrity and availability of the services provided by Bio-ITech as a Data Processor are:

  • Secured communication via TLS encryption (HTTPS; often still referred to as SSL)
  • Periodic (every 24 hours) off-site encrypted data back-ups for disaster recovery, retained for up to 6 months
  • Disaster recovery procedures
  • Real-time system monitoring and logging
  • Firewall and network configuration such that servers are not directly connected to the internet
  • System maintenance including the installation of security patches
  • Security features to protect system access, such as two-factor authentication (2FA) and IP address restrictions
  • Privacy features that allow blocking the storage of personal information by end-users
  • Confidentiality agreements as part of all employee contracts
  • Access to systems by Bio-ITech employees on a need-to-access basis

Right to Access

The GDPR gives all EU citizens the right to access the personal data that others store about them. To provide full system functionality, the following minimal set of personal data is stored in Bio-ITech's software applications:

Personal Data               Type     Purpose
First Name                  Regular  Together with the Last Name, used as display name in the system
Last Name                   Regular  Together with the First Name, used as display name in the system
Organisation Email Address  Regular  Used to log in and to provide system functionality such as forgotten-password reset, receipt of invitations, messaging and notifications
Group                       Regular  Research group or department the user works in
Organisation                Regular  The organisation the user works in
IP address                  Regular  Used for logging and for various security purposes (e.g. detecting hacking attempts, 2FA)
Password*                   Special  Used for authentication. Passwords are stored in the database only as a one-way hash (not in plaintext and not as reversible encryption)

* When federated login (e.g. LDAP/AD/AD FS/Single Sign-On) is active, passwords are not required and not stored.

In addition to this required personal data, the system can optionally store other personal data, such as job title or organisation address. All Bio-ITech software applications give users direct access to all personal data in their user profile, from where they can change or remove any personal information in the system. For customers with a Private Cloud or On-Premises installation, the System Administrator / Key-User can adjust the privacy settings for GDPR compliance in the system settings.

Right to be Forgotten

The GDPR gives each citizen in Europe the right to be forgotten. Since an essential function of our software products is full traceability of data, removing personal data from the system would break the record of who stored which data. For that reason our applications do not offer an end-user function to delete an account together with all its personal data. To exercise your right to be forgotten and have all personal data of your account removed, please contact our customer care team, who will guide you through our formal data removal procedure. As part of this procedure, approval is requested from the organisation to which the system is licensed, so that Bio-ITech cannot be held accountable for any loss of data resulting from the removal.

Data Portability

All Bio-ITech software applications offer the option to export data. Depending on the data, end-users can export it as CSV, PDF or HTML. To retrieve data in any other structure, the software provides an Application Programming Interface (API).

Request Information

Bio-ITech will keep you informed on its websites about its compliance with the GDPR requirements. Should you have any questions or concerns, please do not hesitate to contact our legal department at security@bio-itech.nl.