This FAQ aims to answer common questions regarding the new Data Processing Agreement that is being sent out to our customers in April 2018. If you do not find your answer here, please contact email@example.com.
Q: What is a Data Processing Agreement (DPA), and why do we need one in the first place?
A: European data protection law states that a Data Controller can use a supplier for processing of personal data only if this processing is regulated in a Data Processing Agreement (DPA). The data processing agreement shall state the purpose of the processing, what data is processed, how it shall be protected, and more. It is both parties' responsibility that such a DPA is in place.
Q: Is my company/organization a Data Controller?
A: All of Signicat's customers process personal data. Most of Signicat's customers are Data Controllers, and use Signicat as a Data Processor. Some of Signicat's customers are Data Processors themselves, processing personal data on behalf of another party which is the Data Controller. In the latter case, Signicat is a sub-data-processor, and we still need a DPA.
Q: But we are not storing any personal data?
A: It is a common misconception that data protection law is about storage, and that if you do not store personal data, you do not have to worry about the GDPR. In fact, all collection, processing, transfer and storage of personal data is regulated, and referred to simply as processing.
Q: So what does Signicat do with our personal data?
A: Signicat must process personal data in order to deliver the agreed-upon identification and/or e-signature services to our customers. If we identify your customers or users, we must collect personal data such as name, date of birth, etc. If you use us for e-signature, we likewise must identify the signer, but in addition, the documents often contain personal data.
Q: How do I fill out the appendix?
A: The appendix specifies which personal data Signicat processes on your behalf. You must fill it in, because we do not know which data you send us.
But we can give you some guidance: If you are using any eIDs, either for identification or e-signature, then you must tick off for Personal name. If you also receive national identity numbers ("fødselsnummer" in Norway, "personnummer" in Sweden, "CPR" in Denmark, "Hetu" in Finland), you must tick off for that as well. If the eID method returns contact information, you should tick off for that.
For e-signature customers, if you send us personal information in documents that are to be signed, then you may need to tick off additional boxes.
Q: We already have a GDPR-compliant Data Processing Agreement with Signicat.
A: If you have already entered into a GDPR-compliant DPA with Signicat, please briefly notify us by replying to the email you received from firstname.lastname@example.org. We're sorry for the inconvenience.
Q: What's new with the GDPR?
A: The concept of a DPA is not new with the GDPR, but there are new, explicit and stricter requirements for the content of the DPA. This means that existing DPAs normally are not compliant.
Q: Who will sign the DPA?
A: The DPA will be signed by both parties. Signicat will sign the DPA when you have filled it out with the information describing your data processing, and signed it. Signicat does not know which individuals have signing rights in your organization. It should be someone authorized to enter into agreements on behalf of the organization.
Q: How can I read through the agreement before signing?
A: The link can be used several times. To get a copy of the agreement, follow the link and press the download button on the first page. When you are ready to sign, follow the link again.
Q: Will we get a signed copy of the DPA?
A: Yes, you will receive a signed copy of the agreement when Signicat has also signed it.