GDPR stands for General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individuals within the European Union.
We can define three roles:
- Data Subject – the person about whom the data is stored
- Data Controllers – the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processors – the natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
In this case, Sqills acts as the data processor of the personal data that is processed within S3 Passenger.
Data Protection Officer
Because Sqills processes personal data on a large scale on a daily basis, a Data Protection Officer (DPO) has been appointed.
We have analysed the requirements and obligations of the regulation with regard to our S3 Passenger system. This has resulted in a list of planned actions and developments. My task in this is to inform and advise Sqills, its employees and customers. Besides that, I monitor compliance with the regulation and act as the contact point.
Sqills Security Monitoring
To detect breaches successfully, we have put the right controls in place, which give us the capacity to detect and respond to security events. By implementing an Information Security Management System and gaining the ISO 27001:2013 certificate in 2016, we already took a big step in protecting sensitive data during the complete life cycle of our software.
Our multidisciplinary security team, responsible for ensuring that we remain committed to our high security standards, is continuously looking for ways to improve our security settings even more and to make our own employees aware of the latest security measures. Recently, we have implemented an intrusion detection system. We can identify any malicious activity by monitoring our network 24×7.
The GDPR specifies ways to process data before using personal information. Besides that, the processor, at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
This means that, at the request of a data subject, the customer needs to change the personal data so that the personal data being processed is correct. Data can be protected by several methods, such as deleting certain data, anonymising data and cleansing data.
S3 Passenger built-in functionality
Our S3 Passenger system can “anonymise” booking and payment data that is older than a certain number of days (e.g. two-year-old data) in a background timer process. This helps operators to meet privacy legislation requirements, as the booking details, including financial statistics, occupancy rates of services etc., can remain in the system, while the customer and passenger(s) involved are no longer recognisable in any personal manner.
S3 Passenger also provides functionality to change a data subject's personal data on several levels. Users of the S3 Passenger backend have options to change customer, passenger and agent information in the backend. When added to the agent portal, agents will be able to change agent detail information depending on their rights. Besides that, S3 Passenger provides some API calls to update customer, passenger and agent information.
Beyond a period of several years, the production system can delete any historic data it no longer needs on a transactional level. Besides deleting data, S3 also supports the anonymisation of data. The difference between the two is that with deletion the data is physically removed from S3 Passenger, whereas with anonymisation it is masked. With anonymisation the data is still stored within S3 Passenger, but the personal data is no longer readable. This information can still be used for reviewing or analysing data.
Besides the procedures for archiving, anonymisation and deletion, selective cleansing of certain data is also relevant. In parallel with longer-term procedures for purging, cleansing may already reduce the data size significantly and “clean up” elements that are effectively irrelevant to keep in the longer term. cleanUp timers update existing records, throwing away the columns (BLOBs etc.) that take up most disk space, while keeping the original record structure and record count. Although relevant in this context, these procedures have less to do with privacy-related GDPR legislation as such.
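The three procedures described above (deletion, anonymisation and cleansing) can be contrasted in a small runnable sketch. This is an added example, not Sqills code. The `booking` table, its columns and the three retention periods are hypothetical, chosen only to show the effect of each step on record count, totals and personal columns.

```python
import sqlite3
from datetime import date, timedelta

# Hypothetical schema and retention periods; not S3 Passenger's real ones.
ANONYMISE_AFTER_DAYS = 730   # assumption for "two-year-old data"
DELETE_AFTER_DAYS = 3650     # assumption for "several years"
CLEANUP_AFTER_DAYS = 90      # assumption for a cleanUp timer

def build_db(today):
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE booking (
        id INTEGER PRIMARY KEY, booked_on TEXT, passenger_name TEXT,
        email TEXT, amount_cents INTEGER, ticket_pdf BLOB)""")
    # Constructed sample rows: (id, age in days, name, email, amount).
    rows = [(1, 30, "Ann Lee", "ann@example.com", 5000),
            (2, 400, "Bo Roy", "bo@example.com", 7000),
            (3, 900, "Cy Poe", "cy@example.com", 9000),
            (4, 4000, "Di Fox", "di@example.com", 3000)]
    for rid, age, name, email, amount in rows:
        booked_on = (today - timedelta(days=age)).isoformat()
        db.execute("INSERT INTO booking VALUES (?,?,?,?,?,?)",
                   (rid, booked_on, name, email, amount, b"%PDF-sample"))
    return db

def cutoff(today, days):
    # ISO dates compare correctly as strings.
    return (today - timedelta(days=days)).isoformat()

def run_timers(db, today):
    # Deletion: the rows are physically removed.
    db.execute("DELETE FROM booking WHERE booked_on < ?",
               (cutoff(today, DELETE_AFTER_DAYS),))
    # Anonymisation: row and amount stay, personal columns are masked.
    db.execute("UPDATE booking SET passenger_name = 'ANONYMISED', email = NULL "
               "WHERE booked_on < ?", (cutoff(today, ANONYMISE_AFTER_DAYS),))
    # Cleansing: only the bulky column is emptied; record count is unchanged.
    db.execute("UPDATE booking SET ticket_pdf = NULL WHERE booked_on < ?",
               (cutoff(today, CLEANUP_AFTER_DAYS),))
    db.commit()

def summary(db):
    count, revenue = db.execute(
        "SELECT COUNT(*), SUM(amount_cents) FROM booking").fetchone()
    names = [r[0] for r in db.execute(
        "SELECT passenger_name FROM booking ORDER BY id")]
    blobs = db.execute("SELECT COUNT(ticket_pdf) FROM booking").fetchone()[0]
    return count, revenue, names, blobs
```

Masking direct identifiers alone may not make a record anonymous if the remaining columns can be combined to re-identify a person, so the choice of columns to mask belongs to the operator's own data analysis.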
As you could read above, Sqills is ISO 27001:2013 certified. As we continue to strive for the highest level of quality and security management, it won’t take long before we are PCI-DSS certified as well. Get in touch with any inquiries about how we handle security.