GDPR Compliancy

Compliancy

1. Introduction
   1. The purpose of the data processing is to provide a service for Lost and Found that assists the Controller in processing lost property according to the local legislation.
   2. The Controller submits personal data into the Faundit platform (https://db.faundit.com) manually or via an API connection to PMS systems (optional).
   3. After receiving the data from the Controller, the Processor uses the personal data only as a means to return the lost property to the owner (data subjects), as agreed in Terms and Conditions.
   4. Definitions
      1. The Processor: Faundit ApS (VAT no.: DK-40990062), Nørre Allé 70A, 1., 8000 Aarhus.
      2. The Controller: The organisation who has entered into an agreement with the Processor.
      3. Data subjects: The customers of the Controller (usually guests or visitors), who have lost an item at the Controller's property.
2. Description of the processing
   1. The Processor processes personal data while the data subjects have an open case with the Controller.
   2. Any information handed over by the Controller will only be used with the purpose of returning Lost and Found items.
   3. Personal data include information of low privacy levels such as names, e-mail addresses, addresses, phone numbers, periods of the visit to the Controller, and descriptions of lost property.
   4. Responsible for the data protection at the Processor: Casper Hofmann Larsen, CEO.
3. Access to Data
   1. The personal data is stored using a sub-processor on servers located in Europe. As our sub-processor handles all hosting, no data will be stored with the Processor. The Processor ensures that the sub-processor is compliant with the data. Certificate of compliance with sub-processor can be obtained here:https://www-static.cdn.prismic.io/www-static/558313d0-83f9-47d3-a227-6f9a8a86e526_SOC2-Report-IX-Germany-2021.pdf
   2. Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   3. Any access to personal data is password protected and monitored by the Processor.
   4. The data subjects can at all times revisit their interaction site with the Processor to see what personal data is stored about the data subject.
   5. Additionally, the data subjects have the right to rectify, be forgotten, restrict processing, and object. The data subjects have the right to obtain and reuse their data (GDPR Article 40). By contacting hi@faundit.com these rights will be met.
   6. Any personal data will be anonymized 3 months after its use is terminated (GDPR Article 32), meaning when the lost property is expected to have left the Controller. By law, the Controller needs to get rid of the data subjects' items' within a country-specific timespan. When the Controller no longer is handling the data subjects' items, the Processor ends the processing of data (GDPR Article 25).
   7. Should the Controller fail to terminate the handling of the data subjects' items, the Processor will as a failsafe anonymise the personal data after one year.
   8. The processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (GDPR Article 46).
4. Security protocols
   1. The personal data is stored securely and backed up every week at a minimum with the Processor’s hosting sub-processor. No data will be stored locally at the Processor’s physical location (GDPR Article 32).
   2. Selected team members will have granted access to the data by the responsible at the Processor if required for their work. Every 3 months, all passwords will be updated and the data access requirements will be evaluated.
   3. Every month, a data assessment report is generated that validates the internal protocols are functional as intended (GDPR Article 24). The report shows anonymised data and a list of data subjects with more than a year's history. This should be empty.
   4. Every January, the Processor will make an impact assessment to identify and minimise data protection risks. The Controller will be informed of any high risks that are not fixed within 30 days of discovery.
   5. In the unlikely event of a data breach, the Processor will notify the Danish Data Protection Agency (Datatilsynet) within 72 hours. Any Controller and data subject (with Controllers approval) will also be notified immediately after the data breach (GDPR Article 34).
   6. Any liability and disputes will be handled in accordance with the signed DPA.
5. Sub-processors
   1. The Processor will inform the Controller at least 30 days in advance of any changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes (GDPR Article 28).
   2. List of sub-processors as follows