The General Data Protection Regulation (GDPR) (EU Regulation 2016/679) becomes enforceable from 25 May 2018, after a two-year transition period. Compared to the old Data Protection Directive (Directive 95/46/EC) from 1995, the new regulation strengthens consumer rights, increases penalty payments significantly and, being a regulation, applies directly without having to be transposed into national law by the member states.
How is data protection handled at VAT4U?
“The protection of natural persons in relation to the processing of personal data is a fundamental right.” (Art. 8 (1) of the Charter of Fundamental Rights of the EU)
At VAT4U, we take this very seriously and fully support the new Data Protection Regulation.
Together with our internal data protection officer, we made sure that we are fully compliant with the new GDPR. We have implemented a wide range of measures to ensure that your and your clients' personal data, as well as other confidential data, is properly protected in VAT4U.
Whenever you transfer your data to VAT4U, this is done over protected connections. Your data is saved on secured servers and continuously backed up. The VAT4U network is penetration-tested quarterly to identify and close any vulnerabilities. Moreover, we have extensive internal policies and perform regular data protection trainings for our teams. We always keep your data confidential and do not share it with third parties (with the exception of tax administrations or fiscal representatives, if required). Our facilities are protected with alarm systems, and all confidential documents are kept locked away and appropriately destroyed when no longer needed.
In the following, we would like to give you a short overview of what exactly we do to protect your data:
Which personal data is collected at VAT4U?
VAT4U only collects personal data which is needed for the submission of VAT refund claims. This personal data mainly includes:
- Contact details of the client (name, e-mail address, telephone number etc.)
- Traveller details: We store invoices/invoice scans and travel expense reports that might include the name, address and contact details of the traveller. However, this data is not actively collected or used.
VAT4U also collects non-personal data, such as general company information (name, address, tax number/VAT number, country) of the supplier and client, invoice number, invoice date, net amount, VAT amount, description of the goods/services, internal travel expense number (barcode) and cost centre.
More information may be collected if needed for the VAT claim.
VAT4U does not collect any sensitive personal data such as information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health, etc., as named in Art. 9 (1) of the GDPR.
VAT4U never shares data with third parties unless it is mandatory to execute our service, e.g. to submit data to tax administrations or consult local fiscal representatives. Local partners are carefully selected and legally obliged by VAT4U to comply with the GDPR via data processing contracts.
VAT4U does not sell any personal data.
How is your data technically protected?
The connection to the VAT4U application is secured via HTTPS. This means that data is transferred to and from VAT4U encrypted and authenticated, so that no “man-in-the-middle” can read or tamper with the data in transit.
Your data is then stored on ISO/IEC 27001 certified servers in the European Union (Germany and France).
Only authorized VAT4U users can access the data, using a username and a password that meets our minimum complexity requirements.
The data is also secured against sudden loss or destruction by continuous backups on physically separate servers and by mirroring of hard drives in a RAID 5 configuration.
Access to the internal VAT4U network is only possible for users authorized by the network administrator. A connection to the network from outside the offices is only possible via VPN. A username and password must be entered for every login. A user is automatically logged out after a short period of inactivity.
The security of the VAT4U network is checked by penetration tests on a quarterly basis. If these disclose any vulnerabilities, immediate action is taken to eliminate them.
In addition, all devices used in the VAT4U network are protected against malware and unauthorized access with anti-virus applications, firewalls, passwords and encrypted hard drives.
What are the internal data protection and security policies at VAT4U?
VAT4U has assigned an internal data protection officer, who has, in close cooperation with the management, set up internal policies that help to protect personal and other confidential data. These internal policies comprise among others:
- Clean desk policy
- Use of secure passwords
- No private use of emails and internet
- No opening of links or attachments in emails of unknown senders
- Use of document shredders
- Locking of personal computers when leaving the workplace
- Turning on the office alarm system before leaving
The data protection officer makes sure that these policies are followed in practice. He also informs employees about these rules in half-yearly data protection trainings and whenever a new employee joins the company.
In addition to the actions already outlined, we have implemented many more measures. These range from building security (alarm system, surveillance cameras, safety locks, etc.) to the professional destruction of documents that are no longer needed, in accordance with BDSG/DIN 66399.
We hope this gives you confidence that your data is in a safe place at VAT4U.