Information about data protection
Everything you need to know about data protection within the framework of the General Data Protection Regulation (GDPR).
Some fundamental concepts
When “processing” personal data, three parties act:
- The data controller
Sometimes also referred to as the “controller”. This is the party that request the processing of your data. In most cases, this is an organisation that exchanges documents with you through Doccle. - The data processor
This is the party that actually performs an action with the data, at the request of a data controller. - The person concerned
That is you as a Doccler, together with all other Doccle users.
The data controllers are the companies for which you have a “connection” via Doccle. You do this, for example, to receive invoices or other documents from the company, or to make payments to them. When adding such a connection, you as a Doccler give explicit permission to process your data. After all, without this data these companies and organisations are unable to provide you their services via Doccle.
The data controllers are responsible for taking the technical and organisational measures that are necessary for demonstrably carrying out the data processing in accordance with GDPR. The obligations of controllers concern principles such as lawfulness, reasonableness, transparency, purpose limitation, data minimisation and accuracy, as well as fulfilment of your rights.
The data controller determines the purposes and means for processing personal data, while the data processor processes the data by order of this controller.
Doccle only has the function of data controller if you upload documents yourself, create and manage your profile, use your eID or itsme, make payments through Doccle, conclude a SEPA direct debit, electronically sign or make a Scan & Pay payment via our mobile app. In that case Doccle processes your data based on your implicit consent. Find out more about these processing operations here.
The specific nature of the Doccle service provision means that we are data processor as well as data controllers in certain cases.
What do we do with the general data protection regulation?
We require ourselves, and all organisations that make use of the platform, to provide sufficient guarantees. We are determined that adequate technical and organisational measures are taken to ensure processing complies with the requirements of the GDPR legislation.
The working areas that are subject to GDPR
- Expertise in the field of data security (technical and human awareness)
- Clear agreements in the area of data processing
- Processing operations must take place according to instructions that have been laid down clearly
- Confidentiality obligations of staff
- Clear agreements with our sub-processors
- Security of services
- Availability, integrity and resilience of all parties
- Tests, audit rights and rights of perusal
- Encryption of data that is in transit or are on a server
- Access checks (logical and physical)
- Vulnerabilities management, incident management
- Inherent product and code security
- Procedures with regard to removal of data
- Procedures with regard to user rights
- Mechanisms regarding an adequate protection level when transferring data to a different country
- Standards and Certifications: we promote obtaining Certifications such as ISO/IEC/ 27001:2013
Your possibilities as a Doccle user
We ourselves make a “Data protection officer” available for all Docclers. You can always contact this officer on: dpo@doccle.be.
We encourage all Docclers to ask questions or submit notifications on the security of their data, as each notification is a test for our security policy and the measures that we take and apply on a daily basis.
Transparency is of important value for us, and therefore you as a Doccler can retrieve, correct or remove quite a lot of information. If, in addition, you have other questions, you can always leave behind a questionnaire. You can fill this in by logging in and clicking through to “settings – data processing operations and privacy”, in that way we are sure that you are truly the person you claim to be. We make every effort to process the questions as soon as possible, and never exceed the legal term of thirty days.
We subject every question to careful verification. If the question concerns a processing operation of one or multiple organisations that make use of the platform, we will contact these organisations in order to provide you with a suitable answer.