Standards and compliance

Role-based access controls (RBAC) are implemented to restrict access to personal data based on the principle of least privilege. Access to personal data is limited to authorized personnel only, and authentication mechanisms are in place to verify users' identities.

The platform by itself follows the principle of data minimization. Hovewer forms and data modeling capabilities are fully owned by developers of registry regulations. Thus, developers should carefully select the type and amount of information requested and collected. By doing so, they aim to limit the data collection process to the bare essentials, thereby reducing the potential risks associated with excessive data exposure. This not only safeguards user privacy but also aligns with prevailing data protection regulations that emphasize the importance of minimizing personal data processing.

Personal data is retained only for as long as required to fulfill the intended purposes, since Registries Platform has been developed to meet a legal obligation under national legislation for government organizations, the prolonged storage of user data is utilized.

The Registry Platform doesn’t utilize pseudonymization techniques to replace identifiable information with reversible identifiers in order to reduce the risk of unauthorized access in favour of other more critical security controls.

The Registries Platform limits the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes. It means that platform limits the amount of PII that the organization (platform owner) collects indirectly (e.g. through web logs, system logs, etc.).

The organization (platform owner) should limit the collection of PII to what is adequate, relevant and necessary in relation to the identified purposes throught the registry regulations modeling. There is only one place where personal data leave the footprint beyond the business process scope is a historical data which is gathered as non-repudiation control.

The Registries Platform limits the processing of PII to that, which is adequate, relevant and necessary for the identified purposes. All the personal data collected through the modeled business processes handled to fulfill the objectives of user-initiated request only. Default settings prioritize data protection, minimizing the processing of personal data by disabling external system integrations. All the data related to business processes are transparently available for the data principal in user portal.

The Registries Platform ensures that PII is as accurate and complete as is necessary for the purposes for which it is processed. In order to achieve its ambedded data validation control on business process modeling stage, digital documents validation and registry regulations' changes as well.

Temporary files and data which are produced as intermediaries of bussiness processes execution are automatically deleted once appropriate process is finished.

The Registry Platform currently does not implement any specific data disposal approach.

Transmission of PII is controlled by ensuring that only authorized systems have access to transmission systems, and by following the appropriate processes to ensure that PII is transmitted without a compromise to the correct recipients.

The Registries Platform utilizes secure data exchange gateway. Its a modern organizational and technical solution that allows state bodies and local self-government bodies to use secure information interdepartmental interactions via the Internet by exchanging electronic messages between their information systems.

The Registry Platform is designed to satisfy almost all requirements of organization in terms of data processing due to extensive registry regulation development capabilities.

Registry regulation modeler can create a business processes which will let the data principal to access provided information in order to satisfy the right to access.

Another business process can be created and designed in a way to satisfy the right for rectification. It can utilize different approaches such as data re-upload for actualization or correction purposes.

The Registry Platform has been developed to meet legal obligation under national legislation for government organizations, thus the prolonged storage of user data is utilized.

The platform is still subject to data protection laws and regulations, which may include provisions regarding the right to erasure. These laws outline the circumstances under which individuals can request the deletion of their personal data.

User is able to submit written erasure requests in order to trigger a data erasure process. Upon receiving a valid erasure request, the organization (platform owner) assesses whether the conditions for erasure are met based on legal requirements and the specific context of the data processing.

If the erasure request is approved, the platform administrator takes steps to delete the personal data in accordance with the applicable laws.

There is only one place where personal data leaves the footprint so far is a historical data which is gathered as non-repudiation control.

Certain exceptions may apply, such as legal obligations or public interest considerations that override the right to erasure. Organization (platform owner) must carefully balance individual rights with other legal obligations.

The General Data Protection Regulation (GDPR) is a crucial legal framework dictating the principles and obligations for processing personal data in the European Union. Compliance with GDPR is imperative for any organization handling personal data, especially at the registry level. As a systematic data collection, a registry often contains sensitive personal information, necessitating strict adherence to GDPR guidelines.

To align with GDPR, the registry owner should:

Complying with GDPR at the registry level is a legal and ethical obligation for registry owners. It involves adhering to the regulation’s requirements and proactively developing data structures and business processes that ensure proper data management and privacy protection.