Consent and transparency have long inherited the margins of organizations' pursuit of customer information. And the EU's General Data Protection Regulation (GDPR) is a much-needed push to bring them to the center.

With the regulations coming into force by May 2018, it hands EU customers the power to control their personal information that businesses store and handle, without tradeoffs.

Our GDPR Commitment

The core of Brennpunkt OG internal operations underpins protecting the personal data of our customers. We only collect and store information that is necessary to offer our service, and we do this with the consent of our customers. Adding to this, our approach towards privacy, security, and data protection aligns with the goals of GDPR.

Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent unauthorized access and processing of personal data. 

We are committed to being fully GDPR-compliant by 25th May 2018. To accomplish this, we've set up an internal compliance team (with functional heads) that has been working with an external specialist, to assess our requirements and roll out the required changes.

Brennpunkt OG as a Data Controller

Brennpunkt OG recognizes its responsibilities as a data controller towards its customers. Detailed out below are all the steps we are taking towards fulfilling all legal obligations under GDPR, as a data controller.

Data Categorization and Analysis

• We have carried out a detailed data mapping exercise to track the flow of personal data through our systems.
• We have established and are maintaining a clean data repository that is constantly updated. This gives us control over the data flowing through our systems, with clear processes for handling, securing, and storing this data.

Data Retention

• The next step we took was to establish an automated data retention mechanism. This is how our data retention process works, when a customer closes their account with us:

1. a) We will clear the customer’s Personally Identifiable Information (PII), and all end-user data from our databases, within a period of 120 days.
2. b) The only data retained by us will be that which is needed from a compliance and legal standpoint, like invoices, subscription information, audit logs, etc.

This is a conscious effort on our part to avoid storing and processing any customer data beyond the necessary period.

We have a data processing addendum for our customers, that incorporates our GDPR principles. Please reach out to our compliance team (service@brennpunktcoffee.at) if you require a signed copy of the same.

Consent Mechanism

• We will actively start collecting consent from our customers from May 25th, wherever it’s applicable - especially in the case of any marketing communication sent to them.
• To give our customers the option to withdraw their consent at any given time, an easy process is being placed for our customers to provide consent during sign up, and actively manage their consent settings within the app. We want our customers to have complete control over whether they want to receive any communication from us, and what they want to receive.

Feature Development and GDPR Principles

• We have an active process in place that will guarantee all our features meet the standards of GDPR. Our product and engineering teams will take into account Privacy by Design and Privacy by Default while designing features and pushing them to production.

Contact Details

This is only the first step towards our commitment to help you handle the requirements of data privacy and protection. We encourage you to reach out to us at service@brennpunktcoffee.at if you have any questions regarding privacy, data security, data protection and compliance.