General Data Protection Regulation

What is the GDPR?

The GDPR (General Data Protection Regulation) is a regulation by the EU that seeks to harmonize existing data protection laws across Europe. As the most significant data protection development in decades, the GDPR is designed to strengthen and standardize data protection rules for the processing of personal data of EU residents.

How the GDPR does define personal data?

The GDPR defines personal data as any information that can help to identify an individual. This includes information such as name, address, e-mail address, phone number, ID number, IP address and credit card information.

What does it mean to process data?

As defined by the GDPR, processing data means any operation performed on personal data, whether by automated means or not. This is a broad definition which includes a wide range of activities, such as collecting, organizing, storing, modifying, using, combining, or deleting personal data.

What are a data controller and data processor?

A data controller is the person or organization that, either alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is the person or organization processing personal data on behalf of the data controller. EPLAN has the role of a data controller.

When the GDPR did come into force?

The GDPR was approved and adopted by the EU Parliament in April 2016. However, the law is only applied since 25 May 2018 after a transition period of two years. This means that all companies within the scope of the GDPR have to be compliant now and are subject to enforcement by national data protection authorities (DPAs) and courts.

How does the GDPR apply in Germany?

The data protection rules for companies as laid down, for instance, in the BDSG were largely replaced by the GDPR. Furthermore, as the GDPR is an EU regulation it is directly applicable in all EU Member States and does not require any national implementing laws.

What are the requirements of the GDPR?

The GDPR imposes requirements on companies that collect or process personal data, including compliance with six central principles:

  • Legality, processing in good faith and transparency in the processing and use of personal data. The companies have to provide data subjects with a clear understanding of how their data will be used and need a legitimate basis for processing that data.
  • The processing of personal data is limited to specified, explicit and legitimate purposes.
  • The collection and storage of personal data will be limited to what is proportionate and necessary for the purpose (minimization of data).
  • The accuracy of personal data is ensured and it is possible to delete or rectify them.
  • EPLAN is taking reasonable steps to ensure that personal data held are accurate and can be rectified in the event of errors.
  • Storage limits for personal data. EPLAN ensures that personal data are retained for as long as is necessary for the purposes for which they were collected.
  • The security, integrity and confidentiality of personal data must be guaranteed.

Why does EPLAN uses sub-processors and what are they?

EPLAN uses certain sub-processors as defined in §4.8 GDPR to assist in providing his cloud services. A sub-processor is a third party data processor engaged by EPLAN who agrees to receive personal data from the EPLAN cloud intended for processing activities to be carried out (i) on behalf of  customers; (ii) in accordance with customer instructions as communicated by EPLAN; and (iii) in accordance with the terms of a written contract between EPLAN and the sub-processor.

Sub-Processor List

Name Transferred Data Purpose Location
HubSpot Origin of the user (previous page, Reference link) Analytics to optimize user experience EU
Microsoft User database, uploaded files Cloud hosting service, file storage Europe (EU)
Twilio E-Mail Address, Last name Email service provider Europe, US
Google Analytics

Browser information

(language, resolution, installed plugins, type, time zone, duration, previous page)

Analytics to optimize user experience Europe, US