GDPR Settings

(Requires Regulatory Compliance Module) The General Data Protection Regulation (GDPR) is a part of European Union (EU) law regarding data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of data subjects. The GDPR Settings in EFT can also be used to address other privacy regulations, such as California's CCPA and HIPAA.

EFT and the Web Transfer Client provide settings so that you can address each relevant article in the GDPR for those who access EFT and the Web Transfer Client. For example, the "Right to be Forgotten" (delete account) is part of the GDPR's data privacy rules. A user can exercise their right to be forgotten in their account profile, if the EFT administrator has configure Article 17 to be "Exercised via EFT's web client."

When the module expires, the GDPR Settings dialog box appears dimmed. However, you can still create Event Rules to an EU Data Subject's status, such as creating a File Uploaded event with a User account action set to change the user's status. Therefore, if your trial expires, examine your Event Rules and adjust as needed.

To configure the GDPR settings

  1. In the administration interface, connect to EFT and in the left pan, click the Site.

  2. In the right pane, click the Web tab.

  3. Next to GDPR & DPIA, click Configure. The GDPR Settings dialog box appears.

  4. Refer to Article-by-Article settings below for guidance on how to configure each article.

The GDPR Settings dialog box is used to specify an Article-by-Article setting for user privacy policy for EFT web portals that may be accessed or shared with EU members.

Each of the applicable articles is listed in the GDPR Settings dialog box with a drop-down list with which you specify the setting. For example, the setting could be Not applicable or Doesn't apply if no EU members are expected to have user accounts on EFT.

For the Purpose, Necessity, Risk mitigation, and DPO assigned articles, when you click its Browse button, another dialog box appears in which you can provide additional data, such as the email address of the Data Protection Officer. A data protection impact assessment (DPIA) report can be run from this dialog box after the articles are each defined. The logged in administrator account must have Manage reporting and Manage personal data permission set in the server's administration tab. (The server administrator account is assigned these permissions by default when the account is created.)

Certain GDPR articles (described below in Article-by-Article settings) must be set to "Exercised via EFT's web client" for the setting to appear in the user account's profile in the WTC.

Article-by-Article settings

Items in the list below that are marked with a single asterisk * are default settings. However, if Material scope is set to Not in scope, then all items below marked with a double asterisk ** become the defaults. The numbers indicate the level of risk with that setting. For example, "Not in scope" is 0 risk; Unknown or Undefined is 1 for that article. The higher the total number of all of the articles assessed, the more risk there is. With the default settings, the total risk number is 21.

  • Article 2: Material scope: Specify whether the operations carried out by EFT, or users managed by EFT, fall within scope of GDPR regulations.

    • Unknown or undefined* 1

    • In scope 0

    • Not in scope (2.2) 0 (If you select this value, then all remaining controls appears dimmed/unselectable, and the defaults marked with ** are applied.)

  • Article 3: Territorial scope: Specify whether the territorial scope. Note that if In Union is chosen, all accounts will be marked as EU Data Subjects by default.

    • Unknown or undefined* 1

    • In Union, all subjects in scope (3.1) 0 (If you select this value, then EFT automatically, optionally, modifies each "Unknown" to "Yes" for EU data subject status.)

    • Not in union, subjects may be in scope (3.2) 0

    • In scope due to international laws (3.3) 0

    • Territory doesn't apply (not in scope)** 0

    • Click the browse button to specify that EU subject status should appear in the Web Transfer Client, and whether the user can change their EU subject status in the WTC.

  • Article 5: Processing principles: Specify whether your assessment, with oversight from your Data Protection Officer, indicates that in context of EFT's operations, Article 5 principles have been met

    • Unknown or undefined* 1

    • General guidance not yet met 1

    • General guidance met 0

    • Principles don't apply (not in scope)** 0

  • Article 6: Lawfulness of processing: Specify what the legal basis is for processing of PD with regard to EFT's file transfer operations or user account details or fields that might contain PD.

    • Unknown or undefined* 1

    • Data subject consent (6.1.a) 0 (If you select this setting, then EFT checks for users that are EU data subject accounts where consent was rescinded or denied and contain personal data.)

    • Contractual, vital interest, et. al. (6.1.b-f) 0

    • Other basis (6.2-4) 0

    • No PD is processed or stored for user 0

    • Not applicable (N/A)** 0

  • Article 7: Conditions for consent: Specify whether data subjects have been provided with a mechanism for both providing or rescinding consent,  in context with personal data stored by EFT or transferred by EFT.

    • Unknown or undefined* 1

    • Set via EFT ToS or Privacy Policy agreement 0

    • Set via external ToS or Privacy Policy agreement 0

    • Other method that can be demonstrated 0

    • Not applicable (N/A)** 0

  • Article 8: Age restrictions: Specify whether you have measures in place to adhere to the age-restriction rules specified under Article 8, with regard to minors, in the context of EFT operations.

    • Unknown or undefined* 1

    • Enforced via EFT ToS or Privacy Policy 0

    • Enforced via external ToS or Privacy Policy 0

    • Enforced via other means 0

    • Not applicable (N/A)** 0

  • Article 12: Transparent information: Specify whether you have mechanisms in place to clearly communicate to EU data subjects how, when, where, and why personal data is collected, used, stored, etc.

    • Unknown or undefined* 1  

    • Communicated via EFT's Privacy Policy 0

    • Communicated via external Privacy Policy 0

    • Communicated via other means 0

    • Not applicable (N/A)** 0

  • Article 13: Direct collection: Specify how information is conveyed in compliance with Article 13 when personal data was obtained directly from the data subject (such as via account self-provisioning).

    • Unknown or undefined* 1

    • Communicated via EFT's Privacy Policy 0

    • Communicated via external Privacy Policy 0

    • Communicated via other means 0

    • Not applicable (N/A)** 0

  • Article 14: Indirect collection: Specify how information is conveyed in compliance with Article 14 when personal data was obtained indirectly from the data subject (such as via Active Directory provisioning).

    • Unknown or undefined* 1

    • Communicated via EFT's Privacy Policy 0

    • Communicated via external Privacy Policy 0

    • Communicated via other means 0

    • Not applicable (N/A)** 0

  • Article 15: Right of access: Specify the means by which users can access the personal data associated with their account or stored on their behalf or transferred by them, if applicable.

    • Unknown or undefined* 1

    • Exercised via EFT's web client 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 16: Right to rectify: Specify the means by which data subjects can modify (rectify) the personal data associated with their account or stored on their behalf or transferred by them, if applicable.

    • Unknown or undefined* 1

    • Exercised via EFT's web client 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 17: Right to be forgotten: Specify the means by which data subjects can request deletion of their account and removal of their personal data, were applicable, in context with EFT.

    • Unknown or undefined* 1

    • Exercised via EFT's web client 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 18: Right to restrict: Specify the means by which data subjects can restrict access to or use of the personal data associated with their account or stored on their behalf or transferred through EFT.

    • Unknown or undefined* 1

    • Exercised via EFT's web client 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 19: Right to be notified: Specify the means by which data subjects are notified if their personal data is modified or deleted, within EFT context, if applicable.

    • Unknown or undefined* 1

    • Exercised via EFT's event rules 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 20: Right to export: Specify the means by which EU data subjects can export a copy of the personal data associated with their account or stored on their behalf or transferred by them, if applicable.

    • Unknown or undefined* 1

    • Exercised via EFT's event rules

    • Exercised via EFT's web client 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 21: Right to object: Specify the means by which users can object to the use of the personal data associated with their account or stored on their behalf or transferred by them, if applicable.

    • Unknown or undefined* 1

    • Exercised via EFT's web client 0

    • Exercised upon request 0

    • Exercised via other means 0

    • Not applicable (N/A)** 0

  • Article 32: (1.a) Encrypted PD: EFT selects the default based on current configuration, whether user account fields marked as personal data are encrypted. You can select a value, if desired.

    • EFT is not encrypting PD* 1

    • EFT is encrypting PD* 0  

    • A compensating control is in place 0

    • Not applicable (N/A)** 0

  • Article 32: (4) Limited access: EFT selects the default based on whether there is more than one EFT administrator, and if so, whether at least one does NOT have access to personal data.

    • Multiple administrators, no limitations applied* 1

    • Multiple administrators, limitations applied* 0 (EFT automatically sets the default depending on configuration; if set, the other items are not available for selection.)

    • Single administrator, requires full access* 0

    • A compensating control is in place 0

    • Not applicable (N/A)**

  • Article 35: (7.a) Purpose: This article requires that you document the express purpose and legitimate interest for processing of personal data, for the DPIA report.

    • Purpose and legitimate interest supplied 0, not supplied* 1 (A Browse button opens a dialog box in which you can supply the purpose and legitimate interest. If data is in provided in the dialog box, then "supplied" is displayed; however, you can still select N/A if desired.)

    • Other or external measures 0

    • Not applicable (N/A)** 0

  • Article 35: (7.b) Necessity: This article requires that you document the necessity and proportionality of the processing operations in relation to the purposes, for the DPIA report.

    • Necessity and proportionality supplied 0, not supplied* 1  (A Browse button opens a dialog box in which you can note the necessity. If data is in provided in the dialog box, then "supplied" is displayed; however, you can still select N/A if desired.)

    • Other or external measures

    • Not applicable (N/A)** 0

  • Article 35: (7.c) Risk assessment: This article requires that you document the risks to the rights and freedoms of data subjects. EFT's DPIA report can assist with fulfilling this requirement.

    • EFT generated DPIA report* 0

    • Other or external measures 0

    • Not applicable (N/A)** 0

  • Article 35: (7.d) Risk mitigation: This article requires that you document the measures and safeguards to mitigate risks to the rights and freedoms of data subjects.

    • Measures and safeguards supplied 0, not supplied* 1 (A Browse button opens a dialog box in which you can note the risk mitigation. If data is in provided in the dialog box, then "supplied" is displayed; however, you can still select N/A if desired.)

    • Other or external measures

    • Not applicable (N/A)** 0

  • Article 37: DPO assigned: Specify the email address for the Data Protection Officer (DPO) or equivalent. (The email variable %SERVER.PRIVACY_DPO_EMAIL% can be used in Event Rules.)

    • Data Protection Officer assigned 0, not assigned* 1 (A Browse button opens a dialog box in which you can provide the email address of the DPO.)

    • Other or external measures 0

    • Not applicable (N/A)** 0

  • Article 46: Transfer safeguards: Specify whether EFT is configured to use its Content Integrity Control (CIC) action or external process for identifying personal data contained within transferred files

    • EFT CIC/ICAP is enabled 0, not enabled* 1 (Similar to Article 32 (encryption), EFT will auto detect if ICAP is enabled and preselect the correct value accordingly. You can still change to external or N/A if desired.)

    • Other or external measures 0 (If ICAP is enabled, EFT checks if there are any affected rules that either process files, such as Folder Monitor, File Uploaded, Folder Downloaded, or have Copy/Move operations defined that are missing the CIC action.)

    • Not applicable (N/A)** 0

Related Topics