GDPR Compliance Statement
Updated: October 26, 2022
MOCA System (hereinafter “we”) is committed to ensuring the security and protection of the personal data we process and to a data protection approach that is consistent and compliant with regulations.
The purpose of this GDPR Compliance Statement is to describe our approach to GDPR compliance. It explains the roles, policies, procedures, controls, and measures we implement for data protection in order to ensure continued compliance with the GDPR.
What is the GDPR?
The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) took effect on May 25, 2018 to strengthen individuals' rights over their personal data and to harmonize data protection law across Europe. The GDPR applies to any organization established in the EU, as well as to organizations outside the EU that offer goods or services to individuals or businesses in the EU.
The GDPR Principles
We consider the privacy and security of individuals and their data as vitally important.
Our principles for processing personal data are as follows:
- We process personal data lawfully, fairly and in a transparent manner.
- We collect personal data only for specified, explicit and legitimate purposes.
- We collect and keep personal data only to the extent necessary for the purposes for which it is processed.
- We ensure that the personal data we store is up-to-date and accurate.
- We comply with the GDPR as a controller for the data of users who sign up for Airfob Portal & Airfob Pro, our mobile access control system, and as a processor for the personal data we store on behalf of those users, who register and manage that data directly. Airfob Portal & Airfob Pro users must in turn comply with the GDPR as controllers of the data they register.
- We apply these principles across our services and help our users comply with the GDPR as well.
Rights of the data subject under the GDPR
With regard to the personal data we store and manage, Airfob Portal & Airfob Pro users may request the following information from us.
- Personal data we hold about individuals
- The categories of personal data we collect from individuals
- The purpose of collecting and processing personal data
- Data retention periods
- Procedures for the rectification or completion of inaccurate or incomplete personal data
- Where applicable, procedures for requesting the erasure of personal data, or for restricting the processing of personal data and objecting to direct marketing in accordance with data protection laws
- Information concerning all our automated decision-making processes
The above applies only to Airfob Portal & Airfob Pro users, not to the individuals whom those users register and manage. Requests from such individuals are handled under the users' own policies.
Plans for GDPR compliance
We have taken, and will take, the following steps to comply with GDPR:
- We have analyzed the personal data collected through our service.
- We have established procedures and policies to restrict the processing of personal data.
- We have updated our response procedures to personal data breaches and incidents.
- We have updated our policies on data protection, data retention, information security, cookies, and privacy.
- We have reviewed all processing activities to identify the legal ground for each and to confirm that each ground is appropriate for the activity concerned.
Protection measures under the GDPR
We take the privacy and security of individuals and their data very seriously and take all reasonable precautionary measures in order to protect the personal data we process.
To protect personal data from unauthorized access, alteration, disclosure, or destruction, we have the following information security policies and procedures in place along with multiple levels of security measures:
- Risk management: We evaluate and manage service-related risks as part of our risk management process, which is set out in our internal regulations.
- Information security management: We operate an information security management system (ISMS) aligned with industry standards such as ISO/IEC 27001 and ISO/IEC 27701. It covers the security policies, organization, processes, and controls needed to meet the compliance standards and security requirements we have identified.
- Personnel security: We have security processes for the hiring, retention, and contract termination of employees. We carry out background checks, maintain security awareness, and implement physical and logical access controls. Within the limits of applicable law, we also identify and resolve personnel-related risks and apply additional security measures according to role and position.
- Asset management: We process customer data in accordance with contracts, terms and conditions, privacy policies, or other relevant service documents. We manage the IT resources used in our services in accordance with our in-house standards and processes.
Where data or assets are to be erased and destroyed, we follow our established processes to properly decommission equipment and storage media before physical destruction.
- Access control: Our Airfob Portal & Airfob Pro services are protected by network and logical security controls. Personal data that users register and manage after signing up, making inquiries, or creating their sites is processed through a web-based system hosted on industry-standard cloud services. Only authorized personnel can access this data processing system.
- Development security: Our Airfob Portal & Airfob Pro services are developed according to our R&D procedures. Each step of the development process, including analysis, design, implementation, testing, and deployment, is covered by security requirements and procedures.
- Physical security: Our Airfob Portal & Airfob Pro services use industry-standard cloud services.
- Operations security: We follow industry standards and best practices, including automation wherever possible and the recommendations of our cloud service provider, to securely configure the cloud environment used by our Airfob Portal & Airfob Pro services. We keep the software we use up to date and resolve reported vulnerabilities through automated and manual measures.
- Vulnerability management: We identify potential vulnerabilities through multiple methods, including scanning, security testing, source code analysis, and cyber threat intelligence. Reported vulnerabilities are evaluated and resolved through established processes and measures. We also provide a public responsible-disclosure channel through which issues can be reported to our security manager.
- Security testing and inspection: We work with a third-party security service provider to carry out regular penetration tests. Test results are kept confidential and handled through our vulnerability management processes and measures.
- Security event management: We monitor the state of our data processing systems to identify events and incidents that may affect our services and data. Events that may pose a security risk are handled through the operational processes of our management and security departments.
- Business continuity and backup: We back up customer data and regularly test restoration so that the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) set in our in-house regulations can be met.
- Endpoint security: We run anti-malware monitoring to detect malicious programs and files in our employees' work environments. We also filter and block spam and phishing emails.
International data transfer
As we store, on behalf of our users, the personal data they register and manage directly, we inform them of the relevant details, scope, and obligations of any international transfer through our Data Processing Agreement and obtain their consent before doing so.
For questions about the GDPR, this Compliance Statement, or our data protection policies, please contact us: firstname.lastname@example.org
GDPR Compliance – Questions & Answers
1. What is the GDPR?
The EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") took effect on May 25, 2018 to strengthen individuals' rights over their personal data and to harmonize data protection law across Europe. The GDPR applies to any organization established in the EU, as well as to organizations outside the EU that offer goods or services to individuals or businesses in the EU.
2. Does MOCA System comply with the GDPR?
Yes, MOCA System complies with Regulation (EU) 2016/679 (“GDPR”).
3. What role does MOCA System play according to the GDPR?
MOCA System acts as a controller for the data of users who sign up for Airfob Portal & Airfob Pro, a mobile access control system.
In addition, MOCA System acts as a processor for the personal data it stores on behalf of those users, who register and manage the data directly.
As both a controller and a processor under the GDPR, MOCA System ensures the secure management of personal data through informed consent, lawful contracts, and appropriate protective measures.
4. What is the role of MOCA System's Airfob Portal & Airfob Pro Applications users?
Users of our Airfob Portal & Airfob Pro Applications act as controllers for the data subjects they register and manage directly.
These users have authority over, and responsibility for, all the data they process directly, including the responsibility to implement the necessary safeguards.
Users who register and manage data subjects must evaluate carefully and satisfy themselves that they have a lawful basis under the GDPR for processing each data subject's personal data for the purposes they seek to achieve. They must also be able to demonstrate that they implement appropriate data security measures. This follows from the GDPR principles of lawfulness, fairness and transparency, accuracy, purpose limitation, data minimization, storage limitation, integrity, and confidentiality, and from the rights of individuals over their personal data.
Users must determine whether the Airfob Portal & Airfob Pro Applications can process their personal data securely (for example through a data protection impact assessment) and must use the services we provide in a safe manner.
5. Does MOCA System access or manage the data of Airfob Portal & Airfob Pro users?
MOCA System does not access personal data that Airfob Portal & Airfob Pro users have registered and manage themselves. We are not responsible for any information, including personal data, processed by those users; they are responsible for complying with the relevant laws and for handling and processing the data appropriately.
6. What personal data is processed by MOCA System's Airfob Portal & Airfob Pro Applications?
MOCA System's Airfob Portal & Airfob Pro Applications can store email addresses, nicknames, passwords, company names, names, phone numbers, nationality, and more. The personal data actually stored depends on the information users register.
7. What sensitive information is processed by MOCA System's Airfob Portal & Airfob Pro Applications?
MOCA System's Airfob Portal & Airfob Pro Applications use mobile credentials. Biometric data such as face or fingerprint information is not used.
8. What personal data is processed by MOCA System's Airfob Pass & Airfob Space Application?
MOCA System's Airfob Pass & Airfob Space Applications are mobile applications that let your smartphone be used as an access card. They store your name and mobile card information and let you register additional information, such as your department or company name.
9. What measures does MOCA System have in place for protecting personal data?
MOCA System's Airfob Portal & Airfob Pro Applications encrypt all personal data before storage and use encrypted connections (HTTPS) when transferring data. We use verified algorithms: SHA-256 as a one-way hash function, AES-256 for two-way (symmetric) encryption, and TLS 1.2 for transport security.
In addition, we implement other protective measures, such as audit logs, data backups, and systems for detecting and blocking web-based attacks.
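The following is an added illustration, written for this page and not MOCA System's own code, of what the three measures named in this answer look like in practice: a record is sealed with AES-256-GCM before storage (the key length is checked so that a shorter key cannot silently select AES-128), a SHA-256 fingerprint is computed for integrity checks, and a TLS configuration pins the floor at TLS 1.2. The record, record identifier, and key are constructed for the example; in production the key would come from a key management service. A plain SHA-256 digest is appropriate for fingerprints, not for stored passwords, which call for a salted, deliberately slow password hash; the statement does not say which function protects passwords.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// aes256KeyLen is the key length AES-256 requires. aes.NewCipher would accept
// 16- or 24-byte keys (AES-128/192), so the length is enforced explicitly.
const aes256KeyLen = 32

// Seal encrypts a personal-data record with AES-256-GCM before it is stored.
// aad (for example the record or tenant id) is authenticated but not encrypted,
// binding the ciphertext to its context. A random 12-byte nonce is prepended to
// the output; it must never repeat under the same key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != aes256KeyLen {
		return nil, errors.New("Seal: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag after the nonce so both are stored together.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag, or aad makes
// the GCM tag check fail, so the caller gets an error rather than garbage.
func Open(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != aes256KeyLen {
		return nil, errors.New("Open: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("Open: ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// FingerprintSHA256 returns the hex SHA-256 digest of data, a one-way
// fingerprint for audit logs or backup verification. It is not a password hash.
func FingerprintSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// TransportConfig returns a TLS configuration that refuses anything below
// TLS 1.2. Setting MinVersion explicitly pins the floor regardless of the
// default of the Go release in use.
func TransportConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	// Constructed demo key; a real key comes from a KMS, never from source code.
	key := make([]byte, aes256KeyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed record of the kind of data listed in Q6 (hypothetical values).
	record := []byte(`{"name":"Jane Doe","email":"jane@example.org","phone":"+31 6 0000 0000"}`)
	recordID := []byte("site-42/user-7") // hypothetical id used as AAD

	sealed, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, fingerprint %s\n", len(sealed), FingerprintSHA256(sealed))

	// Reading the record under a different id fails the tag check.
	if _, err := Open(key, sealed, []byte("site-42/user-8")); err != nil {
		fmt.Println("wrong record id rejected:", err)
	}
	plain, err := Open(key, sealed, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(plain))
	fmt.Println("TLS floor is 1.2:", TransportConfig().MinVersion == tls.VersionTLS12)
}
```

The id passed as AAD is what makes a sealed record unusable if it is copied under another user's identifier, which is the property an access-control backend storing tenant data on shared infrastructure most needs from encryption at rest.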