The GDPR and the Vienna Test System
The requirements of the GDPR with regard to the security of personal data are taken into account in the Vienna Test System (from version 8.9) as follows:
1. The Vienna Test System installed on a customer’s system (local/server)
Security of processing
- SCHUHFRIED pseudonymizes and encrypts personal data.
All personal data in the Vienna Test System is stored in a database (Microsoft SQL Server) access to which is protected by a user name and password. Access to the Vienna Test System is secured by means of personal logins with passwords; in addition, four security levels enable user rights to be restricted. An individual’s data and test results can of course – for the purposes of the GDPR – be deleted at any time.
Version 8.10 provides the following additional features:
- Pseudonymization of the personal data in the database so that database administrators cannot read it.
- The option to anonymize personal data when exporting it.
- The option to protect automatically generated PDFs by means of a password.
- Record of logins.
- SCHUHFRIED ensures the long-term confidentiality, integrity, availability and resilience of its systems and services in connection with data processing.
- Communication between the VTS components (WTS Service, Testplayer and AdminClient) uses Microsoft’s standard WCF (Windows Communication Foundation) and is secured using the WCF’s encryption system. In terms of confidentiality, integrity and authorization, this communication method is state-of-the-art.
- All relevant personal data is stored in a database (Microsoft SQL Server) in pseudonymized form. Access to the database is further protected by a user name and password.
- Availability and resilience are determined by the system requirements (computer or server configuration). This configuration may need to be adapted to meet the customer’s needs (e.g. better CPUs, memory, etc.). The Vienna Test System supports systems ranging from single-workstation solutions to server systems with load balancing.
- SCHUHFRIED has processes in place to ensure that the effectiveness of its technical and organizational measures for ensuring the security of data processing is regularly reviewed, assessed and evaluated.
As part of our certified QM system, SCHUHFRIED’s software development process uses the SCRUM system. SCRUM is an agile and iterative development process that involves customers from a very early stage. The high quality of the product is achieved by means of the following measures:
- Unit tests – automatic tests ensure that the source code is thoroughly checked. These tests are performed daily.
- Automated software tests ensure consistently high test coverage. These test cases are performed daily.
- Manual tests – a team of software testers check the functionality of the product manually when necessary. In particular, they work on newly implemented work items.
Declaration of consent
From version 8.11 the Vienna Test System provides an option for obtaining the test candidate’s declaration of consent to testing automatically and recording this consent in a GDPR-compliant manner. Test administrators can enter details such as the length of time for which the data will be kept, rights with regard to notification, deletion and/or the imposition of restrictions, the right to object, or information on the reason for collecting the data.
Data-protection-friendly default settings
SCHUHFRIED has taken steps to minimize collection of data by the Vienna Test System. By requiring entry only of the personal data that is needed to link the test candidate to his/her test results and ensure proper scoring of the tests (i.e. the person’s name and age), SCHUHFRIED reduces data to the bare essentials. All other data is entered at the discretion of the test administrator. Personal data can be hidden in the Vienna Test System’s main window.
The following default data protection settings are planned for version 8.11:
- Records of access within the Vienna Test System.
- Warnings if processes are launched that may cause concern from the point of view of the GDPR (e.g. turning off the password needed to log in).
2. Testing conducted in the Vienna Test System hosted by SCHUHFRIED
SCHUHFRIED is a reliable partner of companies that host the Vienna Test System with SCHUHFRIED. We of course comply internally with all the requirements of the GDPR. All the points listed in Section 1 apply, because testing is conducted in the Vienna Test System.
In addition, the following measures have been put in place at SCHUHFRIED:
- The SCHUHFRIED company offers cloud solutions via two systems:
  - The SCHUHFRIED cloud: This system can only be managed from the company’s network, e.g. via VPN. In the event of disruption a backup of the hosting for a period of up to two weeks can be restored. To make this possible, a backup server saves the backups on an external medium that is stored separately from the hosting service. The physical server is located in a certified computing center in Austria.
  - Azure-Cloud: Public access for management of the hosting system is protected with a specific user name and password. In the event of disruption, the database can be restored from backups covering the previous 30 days. These backups are stored on an external storage device in Azure. The physical server is located in a Microsoft computing center as close to the customer’s premises as possible.
SCHUHFRIED is contractually committed to availability of 99.9%. The availability of the Vienna Test System services is checked automatically every ten minutes; this ensures that any problems are detected promptly. SCHUHFRIED is notified immediately of any breakdown of the service.
Using a Microsoft SQL Server for data storage ensures a high level of availability.
The Vienna Test System also provides the option to back up the database periodically. The database backup can be used to restore the original data in the Vienna Test System.
3. Testing in the Vienna Test System conducted via the SCHUHFRIED webshop
Testing in the Vienna Test System via the SCHUHFRIED webshop meets the GDPR requirements as outlined in Section 2 (hosting by SCHUHFRIED). In addition, the following measures have been put in place by SCHUHFRIED:
- Access to the webshop is secured by means of a user name and password.
- Test results saved in the webshop can be secured by means of a password and deleted.
- Any email addresses that are entered because they are necessary for test invitations or test results must always be confirmed.
- Automatically generated emails containing test results are secured by a password.