Frequently asked VPA questions

Which data protection rules do I have to comply with?


Since my-vpa is legally obligated to regularly instruct you in data protection, these rules will be regularly displayed in my-vpa for you to confirm. During your VPA activity, you must comply with the following data protection guidelines:

  1. Customer personal data

    You must not process, disclose, make accessible or use in any other way any personal data that becomes known to you without authorization for any purpose other than the purpose of fulfilling the task. This refers to all data that provide information about a natural person – i.e. Mr. X, Ms. Y, e.g. when Mr. X was born, where he lives, what his name is, how many children he has, what kind of car he drives, etc. – that you have access to. 

  2. Customer digital data

    All digital data that you receive or create from your customers may only be stored in the my-vpa Owncloud. Digital data are all forms of digital documents, pictures, voice messages and videos. Thus, you must not store this data, for example, outside the my-vpa Owncloud on a terminal device (PC, laptop, smartphone, tablet, etc.), an external data carrier (USB stick, etc.) or another storage cloud (Dropbox, etc.). In addition, you must never make this data available to third parties.

  3. Trade and company secrets

    You are obliged to maintain confidentiality with regard to all company and trade secrets that come to your knowledge about customers. Trade and company secrets are all facts, circumstances and processes relating to a company that are not public but are only accessible to a limited group of people. Trade secrets are technical knowledge; company secrets, on the other hand, concern commercial knowledge (e.g. sales, earnings, customer lists, sources of supply, conditions, market strategies).

 

Technical-organizational measures (TOM) (as of May 2018)

The rules of these Technical-Organizational Measures (TOM) ensure that you process and protect personal data of your my-vpa customers in a legally compliant manner when working for my-vpa. Basically, you must always comply with the following three rules:

  1. Please never mix up my-vpa customer data with private data
    Never mix up my-vpa data of a customer with that of other customers or your private or other data or make it known to others.

  2. Please protect the digital my-vpa task data of your customers
    Digital data are all forms of digital documents, pictures, voice messages and videos that you receive in the course of task processing. You should never give this data to third parties. If you have received work material from the customer by mail, you must keep it safe and destroy or return it immediately after completing the task in accordance with data protection regulations.
  3. Please protect your client’s my-vpa communication data
    Important: You should only communicate with your customer via the communication channels provided by my-vpa. Attention: Communication via private phones, smartphones (also WhatsApp or similar), private Skype accounts is therefore not allowed.

 

I) Privacy rules that apply to your PC

  1. Please set up a login password 
    Your PC must be protected with a password known only to you that has at least 8 characters, a number and a special character, and that must be changed to a noticeably different one every 120 days.
  2. Please activate the screen lock
    The screen lock with password entry must activate on your PC after max. 2 minutes. Lock the PC manually before you leave your workplace. How to activate the lock you can find here.
  3. Please always protect the screen view
    When you work for my-vpa, your monitor should not be read by other people. This also applies to laptops in public places. Use a privacy filter in this case, for example.
  4. Please use only protected WLAN
    If you work for my-vpa, you are only allowed to use WLANs that are encrypted according to the WPA2 standard. Click on “Security” in the network environment to check the WLAN.
  5. Please store my-vpa customer data exclusively in the Owncloud.
    You should never store customer data outside your Owncloud folder on your PC. Never store customer data on internal or external storage devices (USB sticks, Dropbox, etc.).
  6. Please install a high performance virus scanner.
    You need to install a state-of-the-art virus scanner with automatic updates on your PC. Here you can find a good and free virus scanner for all operating systems.

  7. Please encrypt your PC hard disk
    You need to encrypt the hard disk of your PC. Here you can find instructions for Windows. For Apple OSX systems, please activate the “FileVault” feature under “System Preferences”.

  8. Please use only the OX email client and no desktop clients to receive and send my-vpa

    In the case of e-mails you may only use our e-mail client. The use of IMAP or POP3 (Outlook, Thunderbird, …) is explicitly forbidden.

 

II) Privacy rules for your smartphone

  1. Please set up a login password
    Your smartphone must be protected with a password known only to you that has at least 8 characters, a number and a special character, and that must be changed to a clearly different one every 120 days. Biometric functions like fingerprint or retina scan are also OK.
  2. Please activate the display lock
    The display lock must be activated on your smartphone after max. 2 minutes with password entry. Under iOS and Android you can find this setting e.g. under the item “Display”.
  3. Please always protect the display view
    When working for my-vpa your display should not be seen by other people.
  4. Please use protected WLAN only
    When working with your smartphone for my-vpa you may only use WLANs that are at least encrypted according to the WPA2 standard (small lock symbol next to WLAN name).
  5. Please store customer data exclusively in the Owncloud

    You should never store customer data outside your Owncloud folder on your smartphone (e.g. in contact data). Use the Owncloud app as described in the tutorials.

  6. Please encrypt your smartphone 
    Apple iOS devices are encrypted by default when you enter a passcode. For Android, this works differently for each device. Instructions: enter “S8 Encryption” on YouTube for example.
  7. Please use only the OX email app and no email apps from other providers.
    To receive and send my-vpa emails, you should only use the “OX Mail” app from the Playstore/Appstore on your smartphone. IMAP or POP3 is not allowed.
  8. Please always install all iOS/Android updates.
    Install all updates when they are offered by the manufacturers. Do not install apps that are not certified in the respective app store.

 

 

Frequently asked questions

Question Is this agreement done with the confirmation on 25.05 in the my-vpa app or do I have to send you an agreement separately and if so in which form?
Answer Yes, it is done with the electronic confirmation.

Question Do I have to delete all emails, Skype chats of past clients for whom I once did a project and with whom I am currently no longer in contact?
Answer No, you will be explicitly notified by the software when and which data you need to delete.

Question I still have completed projects stored on OwnCloud. Do I have to delete them all now?
Answer No, they are automatically deleted by the system.

Question What does old customer data mean? Some tasks were one-offs, so I can assume that these are “old” and can now be deleted. However, I also have “old projects” or “old emails” from customers that I suspect I might work with again in the future – it might be unwise to delete all old data on these customers?!
Answer You do not have to actively delete customer data. You will be explicitly notified by the software if and which data you need to delete.

Question From time to time I discuss task details with my customer via Skype. Based on this conversation, I usually formulate a written description of the task, but I don’t always directly record all the instructions in detail. Do I have to do that?
Answer No

Question With some customers I communicate at their request via Slack, WhatsApp, etc. Am I allowed to do this and do I have to do anything special to protect the data when I do so?
Answer The TOM states that you are not allowed to communicate with the customer via private communication channels such as WhatsApp due to the protection of personal data. However, there is an exception for this case: as long as the customer gives written permission for this in the task, it is allowed. Important: the customer must explicitly write in the task that he wants communication via e.g. WhatsApp to process this task. In short, the customer must actively request this in writing in the task. If this is written in the task by the customer (doesn’t apply for tasks posted by a VPA), then it is possible. Thus, the customer must give written approval for each individual task. A short sentence is sufficient for this purpose, but it is only valid for this task and not automatically for the next task. When communicating via WhatsApp, for example, you do not have to take any security measures.

Question Can I save non-personal task data on an external storage device, e.g. a USB stick?
Answer No. You can save your task data only in OwnCloud (web or desktop client).

Question Hard disk encryption does not work for me. I have Windows Home Edition.
Answer In this case do not encrypt your whole hard disk, but only the OwnCloud folder on your hard disk. You can find instructions here.

Question Can I use Windows Defender as a virus scanner?
Answer Yes.

Question My current Windows password has only 7 characters and the password will not be changed again via an automatic prompt for another month. Is that soon enough?
Answer No, please change the password manually right now.

Question Can’t IMAP/POP3 be allowed after all, as it will reduce my response speed to customer emails?
Answer Unfortunately, IMAP/POP3 cannot be allowed according to the German Data Protection Act (DSGVO), as the e-mails are then stored directly on the end device and are no longer centrally accessible by my-vpa. However, central access must be guaranteed. We know that this is an annoying restriction, but unfortunately we cannot change this. The only possible solutions are:

  1. Use OX in the web browser, this works on all devices and the user also receives notifications.
  2. The my-vpa mobile app (to be released in May 2018) informs the user via push notifications about new events (e.g. new chats), which should increase the general reaction speed and also reduce the need for emails.

Question Will it no longer be permitted in the future for my customer to contact me by phone with important questions?
Answer The TOM states that you may only communicate with your customer via the communication channels provided by my-vpa. Attention: communication via private phones, smartphones (also WhatsApp or similar), private Skype accounts is therefore forbidden.

Question Can the assistant store data on other channels (e.g. Google Drive) upon written approval of the customer?
Answer The same applies here as for private communication systems. The customer must explicitly specify this in “any” task.

Question What about password sharing, regarding customer portals, etc.? May these be communicated via emails?
Answer The customer alone decides how passwords etc. are to be passed on. For security reasons, however, it is advisable not to send any “secret” data via e-mail, but to do so by telephone or to send the password and user name in separate e-mails. Credit card data, bank rates, etc. never via email.