From discussions with Baloise data protection advisors, we can identify the following action items:
1) Baloise Cloud Approval:
Needed, because we use Baloise cloud infrastructure hosted by Microsoft Azure.
Fill in a short summary and file it to cloud advisory board.
2) Data Policy: Needed as we process Data from users, It should cover the following aspects:
a) What data is how processed and why.
What data do we actually collect? (IP, Images, name of survey)
How is the data processed? (technical processing step, transfer steps), where is it stored, for how log is it stored
Why is the data collected? How does it serve the functionality and what do we do with the data on top of that (e.g. processing accumulated data for statistical purposes).
b) Disclaimer: "By using this service the user is responsible to be compliant with any data protection policy and law regulation that applies in his/hers country or company"
3) Define AGB section:
Terms of usage (Free for use & no warranty etc.)
Needs counseling with law department
4) Automatic data-removal mechanism
a) Implement data remove after x Days inside server component
b) Implement option for users to delete data on demand.
have to be evaluate with legal