A Practical Guide for GDPR compliance

Using HSNM Hotspot Manager in compliance with the GDPR

This document defines the guidelines for using HSNM Hotspot Manager in compliance with the European GDPR (General Data Protection Regulation), in force from 25/05/2018.

HSNM Hotspot Manager allows you to meet all the requirements defined by the GDPR, provided that it is configured according to the rules. In other words, the system makes compliance possible, but because of its many parameterization options it can also be used “outside the norm”. This may seem a paradox, but HSNM Hotspot Manager is used globally, and outside the European Union these obligations do not apply, or rather they do not apply unless European citizens’ data is processed. It follows that companies and organizations will use the system under the laws applicable in their area.

Essentially, it is important to know both the laws you must comply with and the options offered by HSNM Hotspot Manager, so that the system can be configured properly.

For each step below, we report where to intervene (applicability), what to do (description) and notes/references (in italics) for using HSNM Hotspot Manager according to the GDPR.

Operating procedure to properly configure your HSNM Hotspot Manager

Step 1

Applicability of the system

%Device% must be updated to version 5.0.181 or greater.

Step 2

Applicability: System, General options, or specific to single manager

Write a proper Privacy Policy for each manager, also defining how data is processed, to whom it is forwarded, how long it is kept, etc.

  • The holder (controller) shall always specify the contact details of the DPO (Data Protection Officer), if any; the legal basis of the processing; what its legitimate interest is, if the latter constitutes the legal basis of the processing; and whether personal data is transferred to third countries and, if so, by which means.
  • Specify the retention period of the data, or the criteria used to establish that period, and the right to lodge a complaint with the supervisory authority.
  • If the processing involves automated decision-making (including profiling), the information notice must say so and must describe the logic of these decision-making processes and the expected consequences for the data subject.
  • The notice must be concise, clear, intelligible to the data subject and easily accessible; it must use clear and simple language, and for minors suitable information must be provided.
  • The information notice (specifically governed by Articles 13 and 14 of the regulation) shall be provided to the data subject before data is collected.
  • The information notice shall also state the categories of personal data being processed. In all cases, the holder must specify their identity and that of any representative, the purposes of the processing, the rights of the data subjects (including the right to data portability), whether there is a processor and its identity, and who the recipients of the data are.
  • Holders of the processing should verify that the notice currently in use meets all of these criteria.

If the company is not located in the European Union but processes the data of EU citizens, it shall still comply with the regulation.

Step 3

Applicability: manager’s domain

In the “Users Login Interface”, select “Welcome Portal”.

Note: this requires the “Welcome Portal” module.

In the “Data to Customize Users Registration” section, scroll down to “Request the Email Address” and select “Yes”.

Requesting the email address is necessary in order to send the registration data: username, password, and the URLs to access the Terms of Service, the Privacy Policy and the user profile.

In the “Data to Customize Users Registration” section, scroll down to “Request Acceptance Conditions” and select “Yes”.

It is good practice to also make users accept the Terms of Service defined at system level in the “General Options” or in the “Manager”.

In the “User Agreements” section, scroll down to “Request Acceptance Processing Personal Data” and select “Yes”.

Consent must be given prior to any processing. It must be unambiguous, so pre-checked boxes are not allowed.

In the “Options for the Email Address” section, enable the “Send Email Notification” check.

In the “Email Registration Notification” field, edit the text of the email to be sent, using the variables %UserName% for the username and %Password% for the password, the URL to consult the Privacy Policy (http://HSNMUrl/terms.php?id=ManagerID), the URL to consult the Terms of Service (http://HSNMUrl/privacy.php?id=ManagerID) and the URL to access the system, even remotely when not directly connected to a gateway (http://HSNMUrl/portal/index.php?domain=DomainName&hotspotname=GatewayName). In this way, users will be able to access their User Profile App, from which they can download a PDF file reporting their registration data.

The data subject has the right to access their data, to have it erased (“right to be forgotten”) and to obtain a copy of it.

Step 4

Applicability: template (used by the domain or, more specifically, for the gateway).

In the template, in the “Welcome Portal” section, the “Hide Profile App” field must not be active.
In this way, users can access the User Profile App to check, modify and erase their data, and also erase references to completed surveys, quizzes or tests, thus making them anonymous.

Step 5

Applicability: System Users (at the system, reseller and manager level)

From the contextual menu of system, reseller and manager, select “System Users” and, for each listed user, select “Edit”. In the “User Permission” section, do not grant read permission on the “User’s Password” field, so as to restrict or prevent the display and export of passwords.

Further GDPR-related updates contained in version 6, expected mid-June 2018

Step 1

In the body of the emails sent to notify the registration, the “%ExternalWelcomePortalLoginURL%” variable can be inserted to automatically add the URL for accessing the Welcome Portal, even when not directly connected to a gateway.

Step 2

In the email sent to users to confirm the registration, it will be possible to insert the %DownloadUserProfilePdf% variable, containing the URL that lets users download a PDF file with their registration data.

Step 3

In the Privacy Policy and in the Terms of Service defined at the system and manager level, it will be possible to define a version and a revision date. If the version changes, the user will be prompted at login to accept the privacy policy and/or terms again.

Step 4

In the user data, the version and revision date of the Privacy Policy and of the Terms of Service accepted by the user will be displayed.
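As an added example (not HSNM code), the following Python sketches the two mechanisms described in Step 3 of the first part and Steps 1 to 4 of this part: deciding whether a user must re-accept a document whose version changed, and rendering the registration email from a template that uses the guide's placeholder names while refusing to send a message with an unresolved placeholder. The record types, constants and helper names are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PolicyVersion:
    version: str          # version string shown with the document
    revision_date: date   # revision date shown next to the version


@dataclass
class UserConsent:
    username: str
    privacy_accepted: Optional[PolicyVersion]  # None: never accepted
    terms_accepted: Optional[PolicyVersion]


def needs_reacceptance(consent, current_privacy, current_terms):
    """Documents the user must accept again at login: those never accepted,
    or whose version stored with the user data differs from the current one."""
    due = []
    if consent.privacy_accepted is None or consent.privacy_accepted.version != current_privacy.version:
        due.append("privacy")
    if consent.terms_accepted is None or consent.terms_accepted.version != current_terms.version:
        due.append("terms")
    return due


# Constructed current versions and a sample user record (hypothetical values).
CURRENT_PRIVACY = PolicyVersion("2.0", date(2018, 5, 25))
CURRENT_TERMS = PolicyVersion("1.0", date(2018, 1, 10))
SAMPLE_USER = UserConsent("alice", PolicyVersion("1.0", date(2018, 1, 10)),
                          PolicyVersion("1.0", date(2018, 1, 10)))

# Constructed sample template using the placeholder names from the guide.
REGISTRATION_TEMPLATE = ("Username: %UserName%\nPassword: %Password%\n"
                         "Login: %ExternalWelcomePortalLoginURL%\n"
                         "Your data (PDF): %DownloadUserProfilePdf%\n")
PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")


def render_registration_email(template, values):
    """Substitute %Name% placeholders; reject a template with any placeholder
    left unresolved so a user never receives a literal '%Password%'."""
    missing = {m.group(1) for m in PLACEHOLDER.finditer(template)} - values.keys()
    if missing:
        raise ValueError(f"unresolved placeholders: {sorted(missing)}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
```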

Step 5

The system will allow remote access, when not connected to a gateway, in a simpler and clearer way, without displaying the unwieldy URL http://HSNMUrl/portal/index.php?domain=DomainName&hotspotname=GatewayName&language=en&slogin (inserted automatically by the “%ExternalWelcomePortalLoginURL%” variable).