GDPR is a commonly used shorthand to identify the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

You can find the complete regulation here.

How we approach GDPR compliance is a prime example of what we mean when we say Connhex is an IoT suite, not a platform.

We offer a comprehensive solution for device manufacturers: legal aspects are just as important as technical ones if your goal is to provide a service to your users. GDPR compliance comes easily if it is kept as a constraint during the initial design phase; otherwise, fatal flaws can be baked in that are impossible to patch later.

And if you're not convinced of the importance of protecting personal data from a moral standpoint alone, sanctions can be quite heavy (see below).

No, you're not - and incidentally you won't be by choosing any IoT solution.

You should have a 360-degree view when reasoning about GDPR. For example, no one but your company can:

  • adhere to the principles relating to the processing of personal data (Article 5). Chief among them: you are expected to acquire only data relevant to the purpose of processing (data minimisation, see also Article 25)
  • establish whether a data protection impact assessment is needed (Article 35)
  • designate a data protection officer (Article 37)

To the best of our knowledge: no, there isn't - nor can one exist at all.

If you have a role in deciding what data is collected, you are the data controller: there's no way any supplier can guarantee your compliance with GDPR - no matter what their sales representatives say 😉

In GDPR terminology, Compiuta is a data processor. This means Compiuta (or any other data processor) must:

  • provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject
  • process the personal data only on documented instructions from the controller (you)
  • ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights
  • make available to the controller all information necessary to demonstrate compliance

For the complete list of obligations, see Article 28.

The GDPR lists consultation among the actions performed on personal data that qualify as processing - see Article 4.

Since we need to maintain, update and support Connhex instances, we need to have access to database clusters.

We don't take this responsibility lightly: Connhex databases containing personal data are accessible only to a limited number of people inside Compiuta and we keep a log of any action performed when accessing them.

There are two ways Connhex helps you with compliance:

  • by implementing tools that address specific obligations or data subject rights. For a first look at what those are, see the GDPR compliance map; you can also contact us for information about the design details of those tools, should you need it.
  • by using best practices and state-of-the-art approaches to ensure security of processing (see Article 32)

See Article 83: fines of up to 20.000.000 € or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Definitely: we have a clear understanding of what personal data means and have lots of resources you can access. Just contact us!