20210127 GDPR Statement
GDPR applies to any system where personal information of an EU citizen is required. Personally Identifiable Information (PII) must be collected by the owner of the system in order for the system to function.
For this statement, we call upon three definitions from the GDPR:
Data Subject - The person whose data is being stored.
Data Controller - The party requesting the data being collected for a specific use. This is the BluB0X customer.
Data Processor - The third party who utilizes the data a Data Controller obtains in order to perform a task, such as access control for a building.
BluB0X provides a security platform to its customers who deploy the system to protect an asset, often a building or other location where people come to work or reside. The customer is the Data Controller with respect to GDPR, and the BluSKY Platform is the Data Processor that uses software to control the customer’s building.
Use of personal data is required in order to provide the features included in the BluSKY platform. The system only needs a minimal amount of PII in order to function, as little as a name and a card number for each person who will enter the location.
Consent to store PII is obtained via the terms of the EULA and SULA documents.
Data retention is a decision for the Data Controller, not the Data Processor. It is the Data Controller’s responsibility to determine what data it stores, and BluB0X recommends that the bare minimum PII be stored to meet the goals of the customer. BluB0X provides a means by which the Data Controller can delete a person’s PII as needed, in accordance with the Data Controller’s policies. While BluB0X doesn’t provide a default data retention period, it does provide the means by which data can be deleted; therefore the Data Controller can meet its policy requirements for data.
BluB0X provides industry-standard encryption for its customers, which allows the BluSKY platform to be deployed in a GDPR-compliant manner. It also provides permission-based restriction on stored data and limits its viewing to a limited number of people who require access to support the system.
BluSKY uses industry-standard methods for securing your data in transit and on our servers. Details can be found at: https://knowledge.blub0x.com/BluB0X_Information_Security_Plan
Currently, BluB0X Security maintains a data center presence in the United States, consisting of multiple data centers. Data from EU customers will be stored there. Per Chapter 5 Article 44 of GDPR, this is acceptable as long as the data enjoys the same level of protection that GDPR defines.
Security systems by definition are not “compliant” out of the box. They must be deployed by the Data Controller in a compliant manner, properly handling the PII of the Data Subjects through solid policy and procedure.
Currently, BluB0X has deployed systems in the EU and its customers are satisfied with the performance and security that the BluSKY Platform provides.