2. How long do we keep the log files for? Also if an unmanaged customer stops the service and asks for deletion of all data and the vps ( I guess we are obliged to delete everything but if that customers was dealing in unlawful activities and the police asks for information we won’t have any to give. (hoe does this work?)
3. If a customer complains about a bridge on their website that is handled by them on a shared hosting platform are we required to have tools that will identify such bridge and from where it came from? Now we use tools to prevent this from happening such as brute force attacks, sql injection etc…
4. Just to add further the data we ask and keep for Billing purposes for the customers is as follows:
Company Name, Contact Name, Address, V.A.T number, Email address
We use the above only for billing and email them for maintenance and invoices. Are the above considered Personal data as all this c an be found on their website? We don’t provide this info to 3rd parties.
1. All documents except for the ones in folder 4 “Managing Data Subject Rights” can be used by both processors and controllers so we strongly suggest you go through all of them. Also, there is a document called List of Documents EU GDPR Toolkit where you can find out which documents are mandatory according to the EU GDPR.
2. Regarding the retention period the EU GDPR in article 5 - Principles relating to processing of personal data (https://advisera.com/eugdpracademy/gdpr/principles-relating-to-processing-of-personal-data/) states that personal data shall not be kept for “ longer than is necessary for the purposes for which the personal data are processed” this means that controllers have to delete the data once is no longer needed for processing unless there is a specific legal requirement that allows them to keep them for longer ( e.g regulatory compliance). As far as your activity as a processor goes the retention periods should be defined by the controllers and communicated to you. If a manages services customer asks you to delete the data you need first to assess if you can comply with the request or not by assessing the local legislation and if there is no reason to hold on to the data for longer you can delete it.
3. Your platform should be designed to prevent and detect data breaches. However, if the data breach originates from a customer is the duty of the customer to detect an report the breach when necessary (EU GDPR article 33 - Notification of a personal data breach to the supervisory authority - https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/; EU GDPR article - Communication of a personal data breach to the data subject - https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/) . If the customer has a breach on their website is their duty to deal with that and notify the appropriate entities, you however, if acting as a processor might be required to assist.
4. The contact name and email address (provided it belong to an individual) on invoices are personal data. Usually invoices have to be kept by companies for regulatory compliance for periods up to 15 years. You should check your local legislation (usually the Tax Code) to see which is the retention period for invoices .