General Data Protection Regulation (일반개인정보보호법, GDPR)

개요

새로운 개인정보법 및 Odoo에서의 모범 사례 소개

2018년 5월 25일 이후, General Data Protection Regulation (일반개인정보보호법, GDPR) 이 발효되어, 모두를 위한 정보보호 및 개인정보보호의 새로운 시대가 열리게 되었습니다. GDPR에 대해서 많은 내용을 듣거나 읽으셨겠지만 실제로 비즈니스에 어떤 의미인지 및 새로운 규정을 준수하기 위해 무엇을 해야 하는지는 정확히 이해하기 어려울 수 있습니다.

Odoo는 보안 및 개인정보보호 관련하여 모범 사례를 따르기 위해 최선을 다하고 있습니다. 당사는 모든 사용자 및 고객들에게 동일한 수준의 보호 조치를 제공하고 있으며, 고객 위치나 시민권에 따라 차별하지 않습니다. 그리고 개인정보 뿐 아니라 모든 정보에 대하여 이러한 모범 사례를 적용합니다.

이에 따라 Odoo SA와 관련 자회사는 GDPR를 준수합니다.

GDPR에 대해 알아야 할 사항

EU 규정에서는, EU 개인정보 보호지침과 같은 기존 개인정보 보호와 관련된 법률을 조화시키고 현대화하는 것을 목표로 하고 있습니다. 유럽 내에서 개인정보 처리 및 개인정보의 자유로운 흐름과 관련하여 일반 자연인을 보호하기 위한 규정을 제정합니다.

이것은 지침이 아니라 규정인 관계로, 각 국가에서 국내법으로 전환할 필요없이 모든 EU 회원국에서 즉시 적용할 수 있습니다. EU 국가에서 세부 사항에 대한 해석의 여지는 제한되어 있으나, 기본적인 규칙은 모든 사람에게 동일하게, 모든 EU 지역에서 동일하게 적용됩니다.

GDPR은 또한 소셜미디어, 클라우드 컴퓨팅, 사이버 범죄 및 개인정보 보호 및 보안 측면에서 야기되는 주요 문제점들을 고려하여 이 규정을 다음 천년으로 상정합니다.

In a nutshell: Don't panic!

GDPR is not a world-breaking new legislation, and it is fundamentally a good thing for citizens and businesses.

긍정적인 방향으로 이끕니다!

We want to emphasize that GDPR can be great for you and your customers. Complying to the GDPR may initially represent a lot of work, but there are upsides to the new rules:

• Increased trust from your customers and users
• Simplification: same rules are applied in all countries across EU
• Rationalization and centralization of your organizational processes

The purpose of GDPR is to give individuals more oversight on their personal data. If your company puts in place the correct strategies and systems, it will be easier to manage, more secure and safer for the years to come.

What are the risks if you aren't compliant?

The maximum penalty for non-compliance is an administrative fine of 20 million euros, or 4% of your global annual turnover, whichever is higher. A smaller maximum of 10 million euros or 2% of your global annual turnover is applicable for lesser infringements.

These maximums are meant to be dissuasive for businesses of all sizes, but GDPR also requires the fines to be kept proportionate.

Supervisory authorities (also known as Data Protection Authorities: DPAs) must take into account the circumstances of each case, including the nature, gravity, and duration of the infringement. These DPAs are also granted powers to investigate and impose corrective actions, which include the limitation of the infringing activities, without necessarily imposing a fine.

Another risk if you do not comply is the loss of trust from your customers and prospects, who care about the way you process their data!

Finally, many DPAs have hinted that they won't impose fines in 2018 yet, but they expect businesses to demonstrate that they are working towards compliance.

Key principles of GDPR

범위

The regulation applies to any processing of personal data by any organization:

1. If the controlling or processing organization is located in the EU
2. If the organization is not located in the EU, but the processing involves personal data of data subjects located in the EU, and is related to commercial offerings or behavior monitoring.

The scope therefore includes non-EU companies, which was not the case with older legislation.

역할

The regulation distinguishes two main types of entities:

• Data controller: any entity who determines the purposes and means of the processing of personal data, alone or jointly. As a general rule, every organization is a controller for its own data.
• Data processor: any entity who processes data on behalf of a data controller.

For example, if your company owns a database hosted on the Odoo Cloud, you are the controller for that database, and Odoo SA is only a data processor. If you instead use Odoo on premise, you are both controller and processor of the data.

Personal Data

GDPR gives a broad definition of personal data: any information relating to an identified or identifiable natural person. An identifiable person is one that can be identified, directly or indirectly, by means of their names, emails, phone numbers, biometric information, location data, financial data, etc. Online identifiers (IP addresses, device IDs, …) are also in scope.

This applies in business contexts too: info@odoo.com is not considered personal, but john.smith@odoo.com is, because it can be used to identify a physical person within a company.

GDPR also requires a higher level of protection for sensitive data, which includes specific categories of personal data such as health, genetic, racial or religion information.

Data Processing Principles

In order to be compliant, processing activities must observe the following rules:
(as listed in Article 5 of GDPR)

1. Lawfulness, fairness and transparency: to collect data, you must have a legal basis, a clear purpose, and you must inform the subject about it.

   • Have a simple and clear Privacy Policy, and refer to it everywhere you collect data
   • Verify the legal basis for each of your data processing activities

2. Purpose limitation: once collected for a purpose, request permission if you want to use it for a different purpose.

   e.g. - You can't decide to sell your customer data if it was not collected for that purpose.

3. Minimisation: you must only collect the data necessary for your purpose

4. Accuracy: reasonable steps should be taken to make sure that data is kept updated, with regard to the purpose

   예시 - 반송 메일을 확인하시기를 부탁드리며, 주소를 수정 또는 삭제하시기 바랍니다.

5. Storage limitation: personal data should only be kept for the duration needed to fulfill its primary purpose.

   Define time limits for erasure or review of the personal data you process, depending on their purpose.

6. Integrity and Confidentiality: data processors must implement appropriate access control, security and data loss prevention measures, in accordance with the types and extents of data being processed.

   e.g. - Make sure your backup system is working, have proper security controls in place, use encryption to protect sensitive data such as passwords, ...

7. Accountability: data controllers are responsible for, and must be able to demonstrate compliance with all above processing principles.

   • Establish and maintain a data mapping reference for your organization, describing the compliance of your processing activities
   • Inform your customers via a clear Privacy Policy

Legal Basis

In order to be lawful under GDPR (first principle), processing of personal data must be based on one of six possible legal bases, as listed in Article 6 (1):

1. Consent. Valid when the data subject has explicitly and freely given consent after being properly informed, including a clearly stated and specific purpose. The burden of proof for all of this lies on the controller.
2. Necessary for the performance of a contract, or to fulfill requests from the data subject, in preparation for a contract.
3. Compliance with a legal obligation that is imposed on the controller.
4. Protecting a vital interest. When the processing is necessary to save a life.
5. Public interest or official authority.
6. Legitimate interest. Applicable when the controller has a legitimate interest that is not overridden by the interests and fundamental rights of the data subject.

One major change brought by GDPR over previous data privacy regulation is the stricter requirements for obtaining valid consent.

Data Subject Rights

Existing data privacy rights for individuals are further expanded by the GDPR. Organizations must be prepared to handle requests from data subjects in a timely manner (within 1 month), free of charge:

1. Right to Access - Individuals have the right to know what and how their personal data is being processed, in full transparency;
2. Right to Rectification - Individuals have the right to obtain correction or completion of their personal data;
3. Right to Erasure - Individuals have the right to obtain deletion of their personal data for legitimate reasons (consent withdrawn, no longer necessary for the purpose, etc.);
4. Right to Restriction - Individuals can request that the controller stops processingtheir personal data, if they do not want or cannot request full deletion;
5. Right to Object - Individuals have the right to object to certain processing of their personal data at any time, for example for direct marketing purposes;
6. Data Portability - Individuals have the right to request that personal data held by a controller be provided to them, or to another controller.

How you should prepare for GDPR

Here are the key steps we suggest for a GDPR compliance roadmap:

1. 회사에서 시행하는 데이터 처리 작업에 대한 데이터 매핑을 설정하여 현재 진행 상황를 명확하게 파악할 수 있습니다. 정보보호 담당 부서에서는 스프레드시트 서식을 사용하여 업무에 활용합니다. 각각의 프로세스에 대한 개인정보 유형과 수집 방법, 업무 목적과 법적 근거 및 삭제 방침, 구현과 관련된 기술적 및 조직적 보안 조치, 그리고 관련된 하청업체(진행업체) 와 같은 내용을 문서화합니다.

   You will need to maintain this data mapping regularly, as your processes evolve.
2. Based on step 1, choose a Remediation Strategy for any processing where you do not have a legal basis (e.g. missing consent) or where you do not have appropriate security measures in place. Adapt your processes, your internal procedures, your access control rules, backups, monitoring, etc.
3. Update and publish a clear Privacy Policy on your website. Explain what personal data you process, how you do it, and what are the rights of individuals with regard to their data.
4. Review your Contracts with a legal counsel, and adapt them to GDPR.
5. Decide how you will answer the various kinds of Data Subject Requests.
6. Prepare your Incident Response Procedure in case of data breach.

Depending on your situation, other elements could be added to the list, such as the appointment of a Data Protection Officer. Consult your internal processing experts and your legal counsels to determine any other relevant measure.

How is Odoo compliant with GDPR

At Odoo, implementing privacy and security best practices is not a new idea. As a Cloud hosting company, we're constantly revising and improving our systems, tools and processes, in order to maintain a great and secure platform.

Our GDPR Roles

Our responsibilities in terms of personal data protection depend on our various data processing activities:

Our Roles	데이터 처리	Kind of data
Data Controller & Processor	On Odoo.com	Personal data provided to us by our direct customers and prospects, our partners and all direct users of Odoo.com (names, emails, addresses, passwords ...)
Data Processor	On Odoo Cloud (Odoo Online, Odoo.sh and other Odoo Enterprise Services)	Any personal data stored in the databases of our customers, hosted in the Odoo Cloud or transferred to us for the purpose of using one of our services. The owner of the database is the data controller.
No role	온프레미스	Any data located in Odoo databases hosted on-premise or in any hosting not operated by us.

Our GDPR documents

As a Data Controller, our activities are covered in our 개인정보 처리방침, which has been updated for GDPR. This policy explains as clearly as possible what data we process, why we process it, and how we do it. Closely related to this, our 보안 방침 explains the security best practices we implemented at Odoo, at all levels (technical and organizational) in order to guarantee that your data is processed in a safe and secure manner.

In addition to those policies, our activities as a Data Processor are subject to the acceptation of our Odoo 엔터프라이즈 가입 계약. This agreement has been updated in order to add the necessary Data Protection Clauses (often referred to as a "Data Processing Agreement"), as required by the GDPR.
As a Customer of Odoo S.A. you don't have anything to do to accept these changes, you already benefit from the new guarantees, and we will consider that you agree if we don't hear anything from you!

In addition to these documents, we have also updated our website to insert privacy notices in all relevant places, in order to keep our users informed at all times.

How does Odoo help you implement GDPR best practices

Using Odoo to manage your business cannot be sufficient for GDPR compliance, because the regulation applies to your whole organization. However, because Odoo centralizes your data, reduces data redundancy, and implements granular access rights and security controls, it can be a great help to comply with the GDPR.

Here are some ways we think Odoo can help you in the context of GDPR, for both on-premise and Cloud-hosted Odoo databases.

Right to Access (Art. 15) and Right to Data Portability (Art. 20)

• Odoo provides some tools for the data subjects to access and update their personal information in self-service mode:
  • The customer portal allows users to browse contractual documents: address and contacts, invoices, quotations, orders, tasks, helpdesk tickets, purchases, subscriptions, delivery orders, payments as well as communications around these documents.
  • The mailing lists page, allows users to review and manage their subscriptions (Example for odoo.com: https://www.odoo.com/groups)
  • The forum profile allows your forum users to review all their activities at a glance
• If you need to export all data, or to communicate private data that is not accessible through the portal, some manual steps are needed.
  Usually you can reach all relevant documents directly from top bar on the contact form of the users, where they are linked. You can then export all information with the “Print as PDF” feature of your browser, or with the Action>Export menu, from the list of contacts or the list of their documents.
  Both options provide GDPR compliant electronic formats.
• In addition to that, you might have information not linked to the contact form, that the data subject might have entered in a separate context. You should also review those, searching by name or email address, for example
  • 행사 구독
  • Leads & Opportunities in your CRM

Right to be forgotten (Art. 17)

GDPR grants data subjects the right to request erasure of their personal data, under specific conditions, such as:

• The data is not necessary anymore according to the purpose;
• They withdraw consent for a processing that was based on consent only;
• The processing is otherwise unlawful.

If you determine that the request is legitimate, and you have confirmed the identity of the subject,  you can attempt to delete the corresponding contact in Odoo. This is safe: the system will block the operation if a business document still refers to the contact (invoice, contact, delivery order, forum post, etc.). In that case, you should decide whether you have other obligations to keep these documents, and must decline the erasure request.

If you have no legal reason to keep the personal info, but cannot, or do not want to delete a document or contact, consider anonymizing it instead. You can rename the contact and change its recognizable data (email, address, etc.), or you can re-assign documents to a generic Anonymous contact. Once properly anonymized, this data will not be personal data anymore.

Restriction of Processing (Art. 18) and Consent Withdrawal (Art. 7)

사용자가 상업적 목적의 이메일에 대해서 수신 거부 요청을 해오는 경우도 자주 있습니다. 우편물이 Odoo를 통해 전송된 경우, 사용자는 하단에 있는 구독 취소 링크를 통해 직접 취소도 가능합니다. 아니면 귀하가 연락처나 영업제안/영업기회 메뉴에서 "거부" 필드를 수동으로 선택할 수도 있습니다. “거부”로 표시된 레코드는 대량 메일 발송시 자동으로 제외되지만, 사용자가 직접 보내는 메시지는 여전히 확인이 가능합니다 (예: 견적서나 청구서).

Right to Rectification (Art. 16) and Data Accuracy (Art. 5 (1) d)

Invalid/changing email addresses are a common source of data error. When email integration is properly configured (by default on Odoo Cloud), Odoo handles email bounces in your mass-mailings, and increments a Bounce field with the number of bounced messages. You can periodically review your contacts or prospects with a custom search on "Bounce greater than 0" and cleanup/delete them.

Followers of Odoo Discuss channels are automatically unsubscribed after 10 bounces.

In terms of rectification, users and customers can also correct their own personal data (name, email, address) through the Odoo portal.

Consent (Art. 7)

When you collect personal data via Odoo’s default mechanisms (e.g. contact form, mailing-list subscription, event subscriptions), you have to establish a purpose and legal basis for the processing. This greatly depends on how you will use the data.

If the purpose is specific and obvious (e.g. store registered event participants to keep them informed about the tenure of the event ; subscribe someone to the mailing list they chose), you do not need to ask for their explicit consent (the personal data is necessary for a contract - Art. 6 (1) b). However you still need to make the purpose clear to the user, and refer to your Privacy Policy page where you give more information. You can use Odoo's website builder to edit the forms and add the required mentions.

However, if you plan to use the collected data for other purposes, you need to obtain explicit consent for each purpose from the user. The recommended way is to add checkboxes to your form to get the consent for each specific purpose (e.g. "Please send me discounts and promotions on similar products via email"). To do this with Odoo, you can:

1. Use Odoo Studio to add a checkbox (boolean) field on the document collecting personal data (e.g. Leads/Opportunity), to represent consent for this purpose
2. Add the checkbox in your website form via Odoo's website builder
3. Use this field when processing data for this purpose, for example in your marketing campaigns segment filters

Privacy by Design (Art. 25)

Security by Design is at the heart of our R&D work at Odoo, and we apply security best practices to make our software Safe, robust and resilient for everyone.

Access Control - The default group-based access control mechanism of Odoo allows you to restrict access to personal data according to each user's role and needs. (e.g: a project manager might not need access to Job Applications). If you review the user groups assignations and maintain them properly when roles change in your organization, you have a strong privacy basis. You can easily add or modify user groups to tailor them to your organization.

Record Rules - To fine tune access to personal data, you can use the concept of Record Rules, which let you restrict access to documents according to any criterion based on field values. Record Rules can block read and/or write operations, and they work on a per-document basis. For more information, please refer to 참고 문서.

Passwords - Odoo stores user passwords with industry-standard secure hashing. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords at all.

Employee Data - One area where Odoo databases are likely to include sensitive personal data is the Private Information tab of the employee form and their contracts. This part of the Employees Directory is only visible to HR personnel ("HR Officer" group), who need it for their job. We've recently extended this protection to the personal address of employees, which are stored as Contacts, by adding a new address type ("Private") that is visible only to HR personnel. This is Odoo 12.0의 미리보기 버전 (및 saas-11.4 기준 Odoo 온라인)에서 이미 사용 가능,and we're working on adding it to older versions.

Security of Processing (Art. 25 & 32)

If you use Odoo Online or Odoo.sh services, we implement security and privacy best practices at all levels. You can find our more about it in our 보안 방침.
If you use Odoo on-premise, you are responsible for following security best practices. You can start with the 보안 권장 사항 of our deployment documentation.