This FAQ aims to answer common questions regarding the new Data Processing Agreement that was sent out to our customers in April 2018. If you do not find your answer here, please contact email@example.com.
Q: How do I fill out the appendix?
A: The appendix specifies which personal data Signicat processes on your behalf. You must fill it in because we do not know which data you send us.
But we can give you guidance:
1) If you are using any eIDs either for identification or e-signature, then you must tick Personal name and National Identity Number. If you know that you do not, and will not, receive national identity numbers (“fødselsnummer” in Norway, “personnummer” in Sweden, “CPR” in Denmark, “Hetu” in Finland), you can leave this empty. Otherwise, it won’t hurt to place a tick.
2) For e-signature customers, if you send us personal information in documents that are to be signed, then you may need to tick additional boxes, according to the personal info you send in documents.
Q: What is a Data Processing Agreement (DPA), and why do we need one in the first place?
A: European data protection law states that a Data Controller can use a supplier for processing of personal data only if this processing is regulated in a Data Processing Agreement (DPA). The data processing agreement shall state the purpose of the processing, what data is processed, how it shall be protected, and more. It is both parties' responsibility that such a DPA is in place.
Q: What is the deadline for Norwegian customers?
A: The GDPR is effective from May 25th, and all customers in the EU should have GDPR-compliant agreements. But for customers in the EEA, the GDPR needs to be approved locally, and for Norway in particular, this means that it will be effective July 1st. This means that the deadline for Norwegian customers is July 1st. Note that Norwegian customers that also operate in EU countries will have to comply by the 25th of May.
Q: Is my company/organization a Data Controller?
A: All of Signicat’s customers process personal data. Most of Signicat’s customers are Data Controllers and use Signicat as a Data Processor. Some of Signicat’s customers are Data Processors themselves, processing personal data on behalf of another party which is a Data Controller. In the latter case, Signicat is a sub-data-processor, and we still need a DPA.
Q: But we are not storing any personal data?
A: It is a common misconception that data protection laws are about storage, and that if you do not store personal data, you do not have to worry about GDPR. In fact, all collection, processing, transfer and storage of personal data is regulated, and referred to simply as processing.
Q: So what does Signicat do with our personal data?
A: Signicat must process personal data in order to deliver the agreed-upon identification and/or e-signature services to our customers. If we identify your customers or users, we must collect personal data like name, date-of-birth etc. If you use us for e-signature, we likewise must identify the signer, but in addition, the documents often contain personal data.
Q: We already have a GDPR-compliant Data Processing Agreement with Signicat.
A: If you have already entered into a GDPR-compliant DPA with Signicat, please briefly notify us by replying to the email you received from firstname.lastname@example.org. We’re sorry for the inconvenience.
Q: What’s new with the GDPR?
A: The concept of a DPA is not new with the GDPR, but there are new, explicit and stricter requirements for the content of the DPA. This means that existing DPAs normally are not compliant.
Q: Who will sign the DPA?
A: The DPA will be signed by both parties. Signicat will sign the DPA when you have filled it out with the information describing your data processing, and signed it. Signicat does not know which individuals have signing rights in your organization. It should be someone authorized to enter into agreements on behalf of the organization.
Q: How can I read through the agreement before signing?
A: The link can be used several times. To get a copy of the agreement, follow the link and press the download button on the first page. When you are ready to sign, follow the link again.
Q: Will we get a signed copy of the DPA?
A: Yes, you will receive a signed copy of the agreement when Signicat also has signed it.