GDPR Compliancy for PrintSphere Users
The GDPR (General Data Protection Regulation) legislation intends to harmonize the protection of individuals’ data across the European Union (EU), Iceland, Liechtenstein and Norway. This page describes the impact GDPR has on printers and print service providers who use PrintSphere, the cloud-based data sharing and automation solution of Agfa.
GDPR focuses on the protection of personal data, which is any information that relates to an identified or identifiable natural person. This includes people’s names, addresses, physical or genetic information, IP addresses, location data, business transactions, etc. GDPR harmonizes the multitude of different laws that previously existed in various EU member states. It is known by other names in certain member states, such as AVG (Netherlands), DSGVO (Germany), RGPD (France & Spain) or RODO (Poland).
The GDPR becomes enforceable on 25 May 2018. If your company is located in the EU or you have customers within the EU, you must comply with the GDPR legislation. Companies that are not compliant risk substantial fines.
Below you will find GDPR-related information that applies to PrintSphere. Agfa strives to make sure this cloud service can be used in a GDPR-compliant fashion. As a PrintSphere user, you need to be aware of the measures Agfa has taken and you need to make sure that, with regard to customers, your usage of the platform is compliant with the GDPR legislation. The guidelines below are for informational purposes only and not for the purpose of providing legal advice.
Companies using PrintSphere are considered to be a controller – ‘a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Agfa Graphics is the processor – ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
Your GDPR responsibilities as a controller
As a controller you need to share GDPR-related information with your customers. If online platforms such as PrintSphere are used for processing the data of an order, you also need to have certain processes in place to be compliant. When the text below refers to PrintSphere users, it refers to PrintSphere users as well as administrators.
Storage of personal data
- PrintSphere stores a limited amount of personal data of all users. Depending on the role of those users and the platform (ProductionCenter or SphereCenter) with which their accounts were added, the amount of data gathered and the level of access users have to their profile data differ.
- For users added via ProductionCenter, the following personal data are stored: first and last name, e-mail address, user name, phone, mobile and fax numbers, and language. The user’s role and default unit/e-mail preferences are also stored, along with optional remarks.
- For users added via SphereCenter, the following personal data are stored: first and last name, e-mail address, user name, language and salutation. The groups that users belong to and their allocated storage space are also stored.
- On the PrintSphere website, users can see their full name, e-mail address and the groups they belong to. They cannot change these settings but they can alter their language, profile picture and notification preferences.
These are the actions you need to take:
- PrintSphere should include a privacy statement. In the next major update, PrintSphere 2.5, you will be able to make such a privacy policy available to users using a new Advanced > Configure Privacy Policy menu option in SphereCenter. Add your privacy policy for each language that your users use.
Users will be able to consult this privacy policy from the drop-down menu in the top right corner of PrintSphere.
Until this privacy policy tool is in place, you can refer users to a privacy policy page you publish on your website.
A privacy statement should provide answers to the following questions:
– What personal information is being collected?
– Who is collecting it?
– How is it collected?
– Why is it being collected?
– How will it be used?
– Who will it be shared with?
– What will be the effect of this on the individuals concerned?
– Is the intended use likely to cause individuals to object or complain?
- In a separate Record of Data Processing Activities you should document which personal data are stored, who has access and why these data are needed. This applies to all of your business processes, not just PrintSphere. Microsoft Word or Excel templates for this are available for download on the web.
- In automated workflow systems, user accounts may get added to PrintSphere automatically, based on job data that are forwarded by a Management Information System (MIS). In such a setup, the management of user data within the MIS must also comply with the GDPR guidelines.
Data confidentiality and security
It is important that all personal data are transferred and stored in a secure fashion.
- All data communication between the user’s browser and PrintSphere uses the encrypted HTTPS protocol.
- When users access PrintSphere and leave their browser window open, PrintSphere will leave that session open. It is recommended that users lock their account when they leave their computer or mobile device unattended.
- When a security breach leads to a data leak, the authorities (and possibly your users) must be made aware of this. An example of such a leak could be a disloyal employee who creates a list of all the users to make it available to a competitor. To avoid this, immediately deactivate the account of employees with admin level access rights who leave the company. When a data breach occurs, you must document which measures were taken to prevent such a breach from recurring in the future.
If you share or sell user profile data to other parties, users must be aware of this.
Accuracy of personal data
Personal data should be accurate and kept up to date. This means users must be able to see their personal data and be able to correct them. The privacy statement should explain how users can request or update their respective data. Since users have only limited editing capabilities in the PrintSphere web user interface, we recommend including a statement that users can request an overview or update their personal data by e-mail.
Data retention policy
Personal data should not be retained for longer than necessary. If someone is no longer using PrintSphere, you are expected to delete that user’s profile data within a reasonable time frame. How long personal data are retained is up to you to decide. It is acceptable to do this only after a few years, since customers sometimes switch between suppliers; having their PrintSphere accounts at hand if they become a customer again after a year is perfectly fine.
You are allowed to archive user profile data, prior to deleting them. Given the limited data present in PrintSphere accounts, this makes little to no sense.
Right to be forgotten
Users have the right to have their personal data removed from PrintSphere. Since they cannot delete their profile data themselves, a PrintSphere administrator has to do this for anyone asking to be removed. In your privacy policy, you need to document the procedure that users should follow. It can be as simple as asking them to send an e-mail with their full name and the subject line ‘Delete my PrintSphere account’.
Consent must be given freely
The GDPR legislation puts certain restrictions on your ability to subscribe people to a newsletter.
E-mail marketing is a powerful way to reach out to customers, but you cannot add PrintSphere users to a mailing list without those users’ consent or legitimate interest.
Agfa’s GDPR responsibilities as a processor
PrintSphere is hosted by Agfa, who acts as a processor of the personal data you manage. Agfa commits to complying with the GDPR legislation. Below are key responsibilities as a processor:
- Processor’s obligation of confidentiality
Processors must ensure that the personal data that they process are kept confidential.
- Records of processing activities
In order to ensure compliance, EU data protection law requires processors to ensure that they keep records of their data processing activities, and that the information in those records is provided to (or is available on request by) Data Processing Agreements.
- Data security
EU data protection law obliges processors to ensure the security of personal data that they process.
- Data breach reporting
One of the key issues in maintaining the security of personal data is ensuring that the relevant decision makers are aware of any data breaches and are able to react accordingly.
- Liability of processors
EU data protection law recognizes the possibility that processors may be liable for breaches of their legal or contractual obligations. Processor duties include, but are not limited to:
– Processing data only as instructed by the controller
– Using appropriate technical and organizational measures to protect personal data
– Assisting the controller with data subject requests
– Only appointing sub-processors with the permission of the controller
– Ensuring that sub-processors it engages meet these requirements
Specifically with regard to PrintSphere, the following points are important:
- Each PrintSphere account has a main administrator. This is the person who is the first to get access to SphereCenter and has the ability to add other administrators. This user account (containing a first name, last name, salutation and e-mail address) is managed by Agfa. To have this account updated, please contact your local Agfa services team or dealer.
- The PrintSphere License and Service Agreement has been updated to accommodate GDPR requirements. It can be consulted by clicking the License Agreement link in the top left menu bar of SphereCenter. If you prefer to establish a separate Data Processing Agreement with Agfa, please provide such a document to your local Agfa sales organization or dealer. They will have it validated and signed by the Agfa headquarters legal team. There are graphic arts trade associations who offer a model contract that you can use as a template.
In summary, it is essential that your PrintSphere users can access your privacy policy as soon as the option to publish such a policy is added to the software. You also need to have a Record of Data Processing Activities in place. Once those basic requirements are covered, you can focus on the other aspects of the GDPR legislation. If you have any GDPR-related questions regarding PrintSphere, please contact your local Agfa sales organization.