Using HSNM Hotspot Manager in compliance with the GDPR

With this document, we would define the guidelines to make HSNM be compliant with the European regulation GDPR (General Data Protection Regulation) in force from 25/05/2018.

HSNM Hotspot Manager allows you to meet all requirements defined by GDPR, provided that it is used according to the rules. In other words, the system allows you to comply with the regulation but thanks to all the current possibilities of parameterization, it can also be used “out of the norm”. It seems like a paradox but since HSNM Hotspot Manager is used globally, outside of the European Union there are no such obligations or rather there aren’t if they don’t process European citizens’ data. It follows that companies or organizations will use the system under applicable laws in their area.

Essentially, it’s important to know the laws you must comply with and the possibilities offered by HSNM Hotspot Manager to configure the system properly.

At various points, we have reported respectively where to intervene (applicability), what to do (description) and notes/references (in italics) to use HSNM Hotspot Manager according to the GDPR.

Operating procedure to properly configure your HSNM Hotspot Manager

%Device% must be updated to version 5.0.181 or greater.

Edit a proper Privacy Policy for each manager also defining how data is processed, to whom it is forwarded, how long it should be kept, etc.

• The holder shall always specify the contact details of the DPO (Data Protection Officer), if any, the legal basis of the processing, what its legitimate interest is, if the latter constitutes the legal basis of the processing, as well as if he transfers personal data to third countries and, if so, through which means.
• Specify the retention period of the data or the criteria followed to establish this retention period, and the right to complain to the supervisory authority.
• If the treatment involves automated decision processes (including profiling), the informative report must specify it and must indicate the logic of these decision-making processes and the expected consequences for the person concerned.
• Concise, clear, intelligible to the person concerned and easily accessible; it is necessary to use a clear and simple language, and for the minors it is necessary to provide suitable information.
• The informative report (specifically governed by articles 13 and 14 of the regulation) shall be provided to the person concerned prior to collect data.
• The informative report shall also include the categories of personal data being processed. In all cases, the holder must specify his identity and that of any representative, the purposes of the processing, the rights of the subjects concerned (including the right to data portability), if there is a person in charge of the processing and its identity, and what are the recipients of the data.
• It is appropriate that the holders of the processing should verify that the information currently used meets all the criteria.

If the company is not located in the European Union but works with its citizens, it shall comply with the regulation

In the “Users Login Interface”, select “Welcome Portal”.

Warning, you must have the “Welcome Portal” module.

In the “Data to Customize Users Registration” section, scroll down to “Request the Email Address” and select “Yes”.

It is necessary to request the email address in order to send the registration data with username, password, URL to access to the Terms of Service, the Privacy Policy and the user profile.

In the “Data to Customize Users Registration” section, scroll down to “Request Acceptance Conditions” and select “Yes”.

It is good practice to make users accept also the Terms of Service edited at system level in the “General Options” or in the “Manager“.

In the “User Agreements” section, scroll down to “Request Acceptance Processing Personal Data” and select “Yes”.

Consent must be given prior to any processing. It must be unequivocal and therefore boxes with “pre-check” are not allowed.

In the “Options for the Email Address” section, enable the “Send Email Notification” check.

In the “Email Registration Notification” field, edit the email text to be sent, with the variables (%UserName%) for the username and (%Password%) for the password, the URL to consult the Privacy Policy (http://HSNMUrl/terms.php?id=ManegerID), the URL to consult the Terms of Service (http://HSNMUrl/privacy.php?id=ManagerID) and the URL to access the system, even remotely, when not directly connected to a gateway http://HSNMUrl/portal/index.php?domain=DomainName&hotspotname=GatewayName). In so doing, the users will be able to access their User Profile App. Users have the ability to download a Pdf file reporting their registration data.

The party concerned has the right to access its data, to erase (“right to be forgotten”) and to have a copy.

In the template, in the “Welcome Portal” section, the “Hide Profile App” field must not be active.
In this way, the users can access the User Profile App, check, modify, erase their data and also erase references to compiled surveys, quizzes or tests, thus making them anonymous.

From the contextual menu of system, reseller and manager, select “System Users” and, for each listed user, select “Edit”. In the “User Permission” section, in the “User’s Password” field, do not give permission to read, so as to restrict or prevent the display and export of passwords.

Further updates for the GDPR contained in version 6, ETA middle June 2018