The GDPR and the Vienna Test System
The requirements of the GDPR with regard to the security of personal data are taken into account in the Vienna Test System (from version 8.10) as follows:
1. The Vienna Test System installed on a customer’s system (local/server)
Security of processing
- SCHUHFRIED protects access to personal data.
All personal data in the Vienna Test System is stored in a database (Microsoft SQL Server) access to which is protected by a user name and password. Access to the Vienna Test System is secured by means of personal logins with passwords; in addition, four security levels enable user rights to be restricted. An individual’s data and test results can of course – for the purposes of the GDPR – be deleted at any time.
As of version 8.10, the following additional features are available:
- The option to anonymize personal data when exporting it.
- The option to protect automatically generated PDFs by means of a password.
- Record of logins.
- SCHUHFRIED ensures the long-term confidentiality, integrity, availability and resilience of its systems and services in connection with data processing.
- Communication between the VTS components (WTS Service, Testplayer and AdminClient) is secured via encryption. The encryption used corresponds to the current state of the art with regard to confidentiality, integrity and authorisation.
- All relevant personal data is stored in a database (Microsoft SQL Server). Access to the database is further protected by a user name and password.
- Availability and resilience are determined by the system requirements (computer or server configuration). This configuration may need to be adapted to meet the customer’s needs (e.g. better CPUs, memory, etc.). The Vienna Test System supports systems ranging from single-workstation solutions to server systems with load balancing.
- SCHUHFRIED has processes in place to ensure that the effectiveness of its technical and organizational measures for ensuring the security of data processing is regularly reviewed, assessed and evaluated.
As part of our certified QM system, SCHUHFRIED’s software development process uses the SCRUM system. SCRUM is an agile and iterative development process that involves customers from a very early stage. The high quality of the product is achieved by means of the following measures:
- Unit tests – automatic tests ensure that the source code is thoroughly checked. These tests are performed daily.
- Automated software tests ensure consistently high test coverage. These test cases are performed daily.
- Manual tests – a team of software testers checks the functionality of the product manually when necessary. In particular, they work on newly implemented work items.
Declaration of consent
From version 8.10 the Vienna Test System provides an option for obtaining the test candidate’s declaration of consent to testing automatically and recording this consent in a GDPR-compliant manner. Test administrators can enter details such as the length of time for which the data will be kept, rights with regard to notification, deletion and/or the imposition of restrictions, the right to object, or information on the reason for collecting the data.
Data-protection-friendly default settings
SCHUHFRIED has taken steps to minimize the collection of data by the Vienna Test System. By requiring entry only of the personal data that is needed to link the test candidate to his/her test results and ensure proper scoring of the tests (i.e. the person’s name and age), SCHUHFRIED reduces data to the bare essentials. All other data is entered at the discretion of the test administrator. Personal data can be hidden in the Vienna Test System’s main window.
As of version 8.10, the following default settings for data protection are possible:
- Records of access within the Vienna Test System.
- Warnings if processes are launched that may cause concern from the point of view of the GDPR (e.g. turning off the password needed to log in).
2. Testing conducted in the Vienna Test System hosted by SCHUHFRIED
SCHUHFRIED is a reliable partner of companies that host the Vienna Test System with SCHUHFRIED. We of course comply internally with all the requirements of the GDPR. All the points listed in Section 1 apply, because testing is conducted in the Vienna Test System.
In addition, the following measures have been put in place at SCHUHFRIED:
- SCHUHFRIED staff are trained in GDPR issues and undertake to treat all the information from the hosted system as confidential.
- The SCHUHFRIED company offers the following cloud solution:
Azure-Cloud: Public access for management of the hosting system is protected with a specific user name and password. In the event of disruption, the database can be restored from backups covering the previous 30 days. These backups are stored on an external storage device in Azure. The physical server is located in a Microsoft computing center as close to the customer’s premises as possible.
- The cloud solution uses Windows Defender for virus protection.
- The status of the hosting systems is constantly monitored; in the event of disruption the monitoring system notifies the relevant system administrators by email or text message.
SCHUHFRIED is contractually committed to availability of 99.9%. The availability of the Vienna Test System services is checked automatically every ten minutes; this ensures that any problems are detected promptly. SCHUHFRIED is notified immediately of any breakdown of the service.
Using Microsoft SQL Server for data storage ensures a high level of availability.
The Vienna Test System also provides the option to back up the database periodically. The database backup can be used to restore the original data in the Vienna Test System.
3. Testing in the Vienna Test System conducted via VTS online
Testing in the Vienna Test System via VTS online meets the GDPR requirements as outlined in Section 2 (hosting by SCHUHFRIED). In addition, the following measures have been put in place by SCHUHFRIED:
- Access to VTS online is secured by means of a user name and password.
- Test results saved in VTS online can be secured by means of a password and deleted.
- Any email addresses that are entered because they are necessary for test invitations or test results must always be confirmed.