GDPR

What is GDPR?

General Data Protection Regulation (GDPR) is a regulation set forth by the EU, which aims to protect people by regulating when and how data about people can be used, stored and processed.

The full text of the regulation is here.

When do GDPR laws apply?

GDPR laws applies whenever a company processes data, which can identify a person.

This data can be (but are not limited to) email adresses, names, adresses, phone numbers, locations, photos etc.. 

Do GDPR laws apply to Otiom?

Yes, Otiom stores names, aliases and optional photos of people, which is later combined with a calculated location and Otiom is thus required to fulfill all of the requirements of GDPR.

What is a data controller?

A data controller is a legal entity which collects, stores and processes personal identifiable data on its own.

See GDPR Article 4, item 7

What is a data processor? 

A data processor is a legal entity which processes personal identifiable data on behalf of a data controller, which instructs the data processor on how to process the data. 

See GDPR Article 4, item 8

When is a data processor agreement required?

When a data controller transfers data containing personal identifiable data (Article 4, item 1) to a data processor with the purpose of processing the data on behalf of the data controller under the instructions of the data controller.

Thus 3 separate elements must all be required before a data processor agreement is required.

1. The data controller must transfer personal identifiable data to a data processor 
2. The purpose must be to process the transferred personal data
3. The data controller must provide instructions on how to process the data

Is a DPA required when dealing with Otiom?

No, according to the 3 requirements from above. 

1. Is there a transfer of personal identifiable data from data owner to Otiom? 
   Yes. (name/alias/photo of Otiom user)
2. Is the purpose to process said data?
   No. The purpose of Otiom is to provide the last known location for person in order to bring this person home to safety, which cannot be done on the data provided from the data controller. Otiom does it’s own data processing on data Otiom collects on its own for the purpose of providing the best possible last known location for a person. To Otiom it doesn’t matter what you write in the Alias field or which photo you upload. The service will perform identical.
3. Is Otiom processing the transferred data on instructions from the data owner?
   No, no instructions are provided by the data owner.

Can we make a DPA with Otiom anyway?

Yes, even though it is not required, it is possible and we welcome agreements that provide better data protection.

We have ready to download and sign DPAs here:

• English version
• Danish version
• German version
• Dutch version

All are based on the EU standard version published by the EU commision here

Please send the signed DPA or any questions to dpo@otiom.com

Does Otiom have a DPIA?

Yes, we have a DPIA on the collection of locations of an Otiom-user here: Otiom-DPIA 

Which data does the customer provide Otiom with?

• Email address for login
• Name of person using login
• Password for login (stored hashed/oneway encrypted)
• Alias of Otiom User (identification of the person using an Otiom)
• Optional image associated with Otiom User
• Optional name(s) of Otiom tag(s)

Which data does Otiom collect in order to fulfill the service provided?

• BLE Advertisements
• BLE signal strengths
• BLE MAC addresses
• Satelitte Auxilary data
• Satelitte locations
• Cell tower info
• Calculated GPS locations

Which data does Otiom return to fulfill the service:

• Graphical map with a line/point Indicating the last known location of an Otiom user along with provided Name/alias and optional photo.