
Tips & Tricks  | Agfa Graphics, Mortsel, Belgium  | 11 April 2018

GDPR compliancy for Apogee WebApproval users

GDPR stands for General Data Protection Regulation. This legislation intends to harmonize the protection of individuals' data across the European Union (EU), Iceland, Liechtenstein and Norway. This page describes the impact GDPR has on printers and print service providers who use WebApproval, the online upload and page approval solution for Apogee Prepress users.

GDPR focuses on the protection of personal data, which is any information that relates to an identified or identifiable natural person. This includes people's names, addresses, physical or genetic information, IP addresses, location data, business transactions, etc. The legislation harmonizes the multitude of different laws that previously existed in various EU member states. It is known by other names in certain member states, such as AVG (Netherlands), DSGVO (Germany), RGPD (France & Spain) or RODO (Poland).


The GDPR becomes enforceable on 25 May 2018. If your company is located in the EU or you have customers within the EU, you must comply with the GDPR legislation. Companies that are not compliant risk substantial fines.

GDPR makes a distinction between a controller – ‘a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’ –  and a processor – ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. In the case of WebApproval, any printing company using this application acts as both the controller and the processor. As a controller, you need to share GDPR-related information with your customers. If online platforms such as WebApproval are used for processing the data of an order, you also need to have certain processes in place to be compliant.


Below you will find a list of GDPR-related action points regarding Apogee WebApproval. Agfa Graphics strives to make sure WebApproval can be used in a GDPR-compliant fashion. As a WebApproval user, you need to be aware of the measures Agfa Graphics has taken, and you need to make sure that, with regard to your customers, your usage of the platform complies with GDPR legislation. The guidelines below are for informational purposes only and do not constitute legal advice. When the text below refers to WebApproval users, this means users as well as printer and company administrators.

Storage of personal data

  • WebApproval stores a limited amount of personal data for all users. Some fields are mandatory, such as the user’s full name and e-mail address. Others are optional, such as phone, mobile and fax numbers. Users can see these fields and modify them. Certain user actions in WebApproval are also stored in the database. The WebApproval portal should include a privacy statement: a text that provides users with answers to the following questions:
    • What personal information is being collected?
    • Who is collecting it?
    • How is it collected?
    • Why is it being collected?
    • How will it be used?
    • Who will it be shared with?
    • What will be the effect of this on the individuals concerned?
    • Is the intended use likely to cause individuals to object or complain?

Version 10.5 of WebApproval offers an option to create such a privacy policy and make it available to all users. Provided the Privacy Policy hotfix (HF_79165) is installed, the necessary configuration settings can be found in the Preferences menu.


Once a privacy policy has been created and activated, users can access it by clicking the cogwheel in the top right corner of the WebApproval window.


Users of older versions of WebApproval are advised to upgrade to the latest WebApproval release.

  • In a separate Record of Data Processing Activities, you should document which data are stored, who has access to them and why these data are needed. Microsoft Word and Excel templates for such a record are available for download on the web. This document should include information about the use of WebApproval.
  • Security-conscious customers such as banks, large corporations or (non-)governmental organisations may request that you sign a Data Processing Agreement (DPA) – a contract that guarantees their data are processed in accordance with the GDPR requirements. If your WebApproval service is used by print brokers to process jobs of their customers, they may also insist on the use of a DPA. Some graphic arts trade associations offer DPA templates. You can save time by having your legal and IT teams validate such a DPA and suggesting to customers and partners that they all use that same template.
  • In automated workflow systems, Apogee Prepress may receive job data, including profile data about users, from a Management Information System (MIS). Apogee uses this information to add those users to its database. Keep in mind that in such a setup the management of user data within the MIS must also comply with the GDPR guidelines.

Data confidentiality and security

It is important that all personal data are transferred and stored in a secure fashion.

  • All data communication between the user’s browser and WebApproval should use the encrypted HTTPS protocol. In browsers, this is indicated by a small padlock icon in front of the URL. The use of encryption is supported by WebApproval, provided an SSL certificate has been purchased and installed. By combining this with the use of a reverse proxy server, the online service is even better protected. Contact your Agfa services team or dealer if you need assistance with the installation and configuration of a reverse proxy server and security certificates.
  • When users access the web portal and leave their browser window open, WebApproval does not automatically close the session after a certain time. Advise customers to lock their desktop to minimize the risk of other people tampering with account data. Automatic session time-outs will be implemented in a future release of WebApproval.
  • Optimizing data security means limiting administrator-level access to your servers and making sure all storage is redundant and backed up regularly.
  • When a security breach leads to a data leak, the local supervisory authority must be informed within 72 hours. All affected users must also be warned. An example of such a leak is a disloyal or former employee who copied user data or documents to make them available to a competitor. To minimize such risks, immediately deactivate the accounts of employees with admin-level access rights when they leave the company. Also take the necessary measures to minimize the risk of data theft by hackers. When a data breach occurs, you must not only report it but also document which measures were taken to prevent such a breach from recurring in the future.
  • If you share or sell user data to other parties, users must be aware of this.

Accuracy of personal data

Personal data should be accurate and kept up to date. This means users must, upon simple request, be able to access their personal data and have the possibility of having them corrected. The privacy statement should explain how users can access and update their respective data.

Data retention policy

Personal data should not be retained for longer than necessary. If WebApproval is no longer being used by a customer, you are expected to delete the user profile data it contains within a reasonable time frame. How long personal data are retained is up to you to decide. It is acceptable to do this only after a few years: customers sometimes switch between suppliers, and retaining user profile data in case they become a customer again after a year is perfectly fine. You are allowed to archive user profile data prior to deleting them. This can be done for all accounts using the Configuration Manager tool.

Right to be forgotten

Users have the right to have their personal data removed in WebApproval. Since they cannot delete their profile data themselves, a WebApproval administrator has to do this for anyone asking to be removed. In your privacy policy, you need to document the procedure that users should follow. It can be as simple as asking them to send an e-mail with their full name, company name and the subject line ‘Delete my account’.

Consent must be freely given

The GDPR legislation puts certain restrictions on your ability to subscribe customers to a newsletter. You cannot add WebApproval users to the mailing list of your promotional e-mail or print newsletter without those users’ explicit consent or legitimate interest.


In summary, it is essential that your WebApproval users can access your privacy policy, that you have a Record of Data Processing Activities in place and that the storage and transfer of WebApproval data are secure. Once those basic requirements are covered, you can focus on the other aspects of the GDPR legislation. If you have any GDPR-related questions regarding Apogee WebApproval, please contact your local Agfa sales organization.
