GDPR Compliance

Disclaimer: The following information does not constitute legal advice, and we assume no legal liability. We have sought legal counsel ourselves, and this page reflects our own interpretation of the legal situation. If you have concerns regarding GDPR compliance, please forward this page to your legal professionals.

The GDPR, the General Data Protection Regulation (EU) 2016/679, is a European Union regulation that has caused a stir worldwide. You probably still remember when it first came into force and there was great uncertainty in the business world regarding compliance. Some consider it an overreaching law, while others were very grateful that legislators took measures to protect digital privacy.

We've been dealing with GDPR (and its compliance) since we founded our company. And yes, it requires considerable effort to implement everything correctly, but it's remarkably fair legislation. When you look closer, you quickly realize that legislators deliberately left room for businesses while keeping the digital privacy of data subjects at the center.

Is bchic analytics GDPR compliant?

Our GDPR compliance is relevant from two perspectives:

  • When we process personal data for our own purposes, acting as a controller (for example, when processing data of our customers, employees, etc.).
  • When we process personal data of our customers' website visitors and thus act as a processor.

The following information focuses on how bchic acts in a GDPR-compliant manner in the latter case, as a processor.

How we ensure GDPR compliance:

  • We align ourselves with the fundamental intention of GDPR. The central goal of the regulation is to protect the privacy and personal data of people in the EU. In everything we do, we ask ourselves whether it could create a risk for our customers' website visitors.
  • We believe in the principle of data minimization. Collecting less data is one of the most effective ways to reduce risks for data subjects.
  • We have a lawful basis for every data processing activity we perform. Additionally, we conduct Data Protection Impact Assessments whenever a significant change is planned (e.g., when we had to activate heavily anonymized IP access logs after a DDoS attack).
  • We recommend our customers conduct a Legitimate Interest Assessment, which can be easily created based on the information provided on our website.
  • We provide our customers with a Data Processing Agreement (DPA) in accordance with Article 28(3) GDPR.

Our role as a processor

According to GDPR, you as our customer are the controller for the processing of personal data on your website. Regarding the personal data processed as part of your use of bchic analytics, we are the processor, meaning we process this data exclusively on your behalf.

As a processor, we are subject to various GDPR requirements, including:

  • Conclusion of a Data Processing Agreement (DPA) with you as the controller, which also includes audit and inspection rights (Article 28(3)). More information on this can be found below.
  • Ensuring confidentiality and instruction-bound processing by all persons who process data under our responsibility (Article 29, Article 28, Article 32(4)).
  • Maintaining records of all processing activities we carry out on your behalf (Article 30(2)).
  • Cooperation with supervisory authorities (Article 31).
  • Risk assessment and implementation of technical and organizational measures to ensure an appropriate level of security (Article 32).
  • Immediate notification in the event of a personal data breach (Article 33).

Personal data we process (as a processor)

Detailed information can be found on our data processing page. In brief:

  • We process personal data on your behalf, specifically IP addresses and user agent data, as long as you are our customer. After termination of the business relationship, this data is completely deleted.
  • We retain pseudonymized data for approximately 48 hours. After that, the so-called hash salts (a more detailed explanation can be found on our site) are removed from our system. From this point on, there is effectively no way to restore the data via brute-force attack.
  • The hashes used are based on the SHA256 algorithm. A successful brute-force attack on these hashes would, according to calculations, require approximately 10⁴⁴ times the global gross world product (GWP). For comparison: GWP in 2019 was approximately 88.08 trillion US dollars. Although the data is initially pseudonymized, reverse calculation is practically impossible after removal of the hash salts, as the number of possible combinations is simply too large.
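
To illustrate the pseudonymization and salt-removal scheme described in the two points above, here is an added example (not bchic's own code): it keys a SHA-256 hash with a random salt, destroys the salt after 48 hours, and shows that once the salt is gone a stored pseudonym can no longer be checked against any candidate IP address or user agent. The HMAC construction, the 32-byte salt size and the sample IP/user agent are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention window after which the salt is destroyed ("approximately 48 hours" on the page).
SALT_LIFETIME = timedelta(hours=48)


class SaltStore:
    """Keeps one random hash salt and destroys it once SALT_LIFETIME has passed."""

    def __init__(self, created_at: datetime, salt: Optional[bytes] = None) -> None:
        self.created_at = created_at
        self.salt = salt if salt is not None else secrets.token_bytes(32)  # 32 bytes: assumption

    def current(self, now: datetime) -> Optional[bytes]:
        """Return the salt, or None once it has expired (the salt is wiped at that point)."""
        if self.salt is not None and now - self.created_at >= SALT_LIFETIME:
            self.salt = None
        return self.salt


def pseudonymize(ip: str, user_agent: str, salt: bytes) -> str:
    """SHA-256 pseudonym of (IP, user agent), keyed with the salt via HMAC (this example's choice)."""
    return hmac.new(salt, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()


def matches(pseudonym: str, ip: str, user_agent: str, salt: Optional[bytes]) -> Optional[bool]:
    """Test whether a stored pseudonym belongs to (ip, user_agent).

    Returns None once the salt is gone: no candidate can be tested without it,
    which is what makes the retained hashes unlinkable after the window.
    """
    if salt is None:
        return None
    return hmac.compare_digest(pseudonym, pseudonymize(ip, user_agent, salt))


def demo() -> dict:
    """Walk one visitor through the 48-hour window (all values constructed)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = SaltStore(t0)
    ip, ua = "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"  # constructed, documentation-range IP
    first = pseudonymize(ip, ua, store.current(t0))
    later = pseudonymize(ip, ua, store.current(t0 + timedelta(hours=1)))
    gone = store.current(t0 + SALT_LIFETIME)  # 48 h later: the salt is destroyed
    return {"linkable_within_window": first == later,
            "salt_deleted_after_window": gone is None,
            "relinkable_after_deletion": matches(first, ip, ua, gone)}
```

Within the window the same visitor maps to the same pseudonym, so sessions can be counted; after the salt is deleted there is no key with which to recompute or verify that mapping.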

The Data Processing Agreement (DPA) including audits/reviews

The Data Processing Agreement (DPA) is the central document that governs our processing of personal data on your behalf.

The DPA is already part of our contractual relationship as soon as you become a customer. You don't need to request a signed version for the contract to be valid (if you still want a signed version, simply follow the instructions on the linked page!).

Your obligations as a controller

As a controller, you are not only required to conclude a binding contract with all processors, you must also regularly review (audit) them. GDPR doesn't specify exactly what these audits should look like, but fortunately there are practical guidelines from data protection authorities.