Many companies are currently sending their employees to work from home. To ensure that collaboration with colleagues works optimally even from home, cloudplan offers emergency packages that can be rolled out extremely quickly in order to be able to ensure the ability to work.
If you want to keep your business going, you have to think about full digitization to avoid buying scanners and other items for many home offices.
Before Corona, you could personally interview a colleague or even send him paper documents for approval. Scanners were also available in the office to digitize documents and contracts to send them via email.
Now, many work from home offices and the printers, scanners or workbooks are no longer available.
eSigning does not require a scanner
Documents and contracts are mostly digital e.g. available as an office document. These files can be used directly as a template for an electronic signature. I.e. the signature is generated directly with the mouse or on the smartphone.
cloudplan offers various options here:
- Sign with the mouse on the screen.
- Choose a suitable font and let the computer do the writing.
- Sign with your finger on your mobile phone or tablet.
- A qualified electronic signature (QES) is available as an option for a few selected use cases. The user is identified using a certified process.
Regulated by law
The starting point for local legislation on electronic signatures was an EU regulation that was published in 2014 with effect from July 1, 2016. Here the equation of a qualified electronic signature (QES) with a handwritten signature was described and that simple electronic signatures can be used as evidence in court.
- Employment contracts
- application forms
- Confidentiality agreement
Qualified electronic signature (QES)
- Fixed-term employment contract
- Temporary employment contract
- Credit agreement
Competitive factor Workflow
There are usually defined processes that must be followed before sending a document to be signed. For example, permits have to be obtained or people have to be informed before documents are sent.
These processes can be executed in cloudplan with a quick and easy to create workflow.
Any number of steps can be defined for a workflow and an unlimited number of participants can be selected for each workflow step.
A purchase order should be released.
- The department starts a purchase order as a workflow.
- The responsible manager checks and releases the purchase order.
- Two persons who are authorized to sign, receive the workflow for signature.
- After both have signed, the order in the role “must see” is sent to the recipient of the order.
- The department receives a confirmation that the order has been triggered.
- From this step, the workflow can optionally be continued by the partner and e.g. a confirmation will be sent upon dispatch etc.
Store the content in the cloudplan document management system with extensive search functions
Sign your contracts and agreements electronically and save up to 75% in time!
Our day-to-day work is largely determined by business processes. These define the necessary steps and participants as well as the sequence of actions to achieve a goal.
Digital workflows map these processes, i.e. they have a trigger and consist of several parallel or sequential work steps and have a defined end.
New functions for document management in cloudplan will soon be available to you. This includes document workflows, electronic signatures, global search and contract management functions.
You can map the entire life cycle of a file with a number of new functions and find and analyze data across all of your company data with a powerful search.
Categorizing and adding attributes
Attributes can be added to each file manually or automatically so that individual or combined attributes can then be found using a search function.
Adding attributes manually
Automatically assigned attributes
For each folder, you can either assign certain previously defined attributes such as “confidential”, “internal” etc. to the newly created documents, or attributes are added by the system when the workflow is terminated.
You have the choice between a workflow in which all signatures are made on a single document, or one document is created for each signer.
The form and signature fields can be freely placed in the document.
Users can sign on their smartphone, desktop, by scan or text.
Various use cases such as company, purchase or guarantee contracts can be covered as well as e.g. the confirmation of a new DSVGO agreement with employees.
Create forms based on existing documents that can be used as templates, or create new workflow forms with your own fields. These can contain input fields, the contents of which you can search for after completing the workflow.
For example, information requested by a user in a form during a workflow can be stored in individual “tags” which can be searched for later.
Special attributes are offered for managing contracts, which make it extremely easy to find and process. For example, you can search for expiring contracts in the near future or have automatic reminders sent to you.
You can combine as many contract attributes as you like in a search, such as department, closing date, outgoing / incoming amounts, cost centers, etc.
Store on your own infrastructure with 100% data sovereignty.
Diverse options for mapping internal processes
All new features will be available shortly.
Full integration through integrated eSigning without the need for additional products
Millions of documents are searched globally in a very short time.
In May 2016, the new EU General Data Protection Regulation (EU-GDPR) took effect. Within two years, affected companies and in particular providers of storage solutions must ensure that their services conform to the new laws. For example, there is a requirement that the location of the server is no longer definitive for the application of the data protection directive, but rather the location of the user. This has wide-ranging consequences for the field of data forwarding, management, and potential necessity for future deletion. Violations can lead to fines in the millions. We explain the essential changes and potential consequences for your company so that you can take timely action.
Overview of the most important changes to the EU-GDPR
After years of discussion across Europe, the new EU General Data Protection Regulation was approved in May 2016. While it has the goal of strengthening the rights of EU citizens and protecting them against data abuse and security risks, some companies need to take substantial efforts to comply with the regulation. One of the essential changes is that when the data protection laws are applied, the location of the server is no longer definitive, but rather the permanent residence of the user. This means that EU citizens have some rights that can be more extensive than those of other users of the same services. Also important is that potential violations of the regulation threaten significant fines of up to 4% of annual sales or 20 million euro, whichever is greater. The fine can thus easily reach hundreds of millions of euros for large companies. This is because it applies to the annual sales of the entire company, not just an individual legal person or sub-corporation.
The new regulation of the data protection law does provide for individual national regulations in some cases. Overall, however, the regulation that took force on 25/05/2016 applies uniformly across Europe, with an initial grace period of 2 years, through May 2018.
Check early whether your data is affected
Does your company keep sensitive customer data? Do you have plans to upload it to a public cloud, or have you already done so? This can be a security risk. Even if you delete it later, it is possible that the cloud provider will not cooperate fully and the data will not really be deleted. According to a study performed by IDG Research Services in 2016 about cloud security1, data loss and stolen data, in addition to other issues, are near the top of the list of potential security risks in cloud computing. Most of these risks primarily affect external cloud providers located outside of Germany, but overall it is clear that it is better to leave your data right where it belongs: within your company!
Other important changes within the new regulation that affect both your business customers and potential end customers are:
- Consent & right to information: Customers of your company must explicitly consent to the storage of their data and can request information at any time about what information you have stored about them.
- Data transferability: Customers should have the principle ability to transfer their data, exactly as they are, to another provider. How exactly this is to be done has not yet been clarified.
- Right to be forgotten: Customers of your company must have the ability at any time “to be forgotten”. This means that all data that relates to the customer and is not needed (anymore) to execute the business relationship must be deleted by you upon request. This applies not only to the master data, but also ordering histories, complaint records, and sales numbers. If you have already transmitted the data to third parties, you must also actively see to it being deleted for the affected party and must confirm the same to the affected party.
- Minimum age: Depending on the member state, your customers must have reached a minimum age of 13 or 16 when registering, and this must be proven by suitable means.
- Local complaints: Customers can report incidents to their local data protection office in their own language, and do not need to address you directly.
- Discovered security gaps and successful hacker attacks: These must be reported to the responsible authorities immediately, and not just in critical cases, if customer data is affected.
- Operational data protection officer: It is mandatory to assign one, if you pursue activities that can involve data protection risk (for example, if you collect bank and bank account data).
- EU representative: Foreign companies without a location or headquarters in the EU must assign an EU representative in most cases.
Differences between data protection law in the US and Germany
While the essential laws about data protection in Germany and Europe are derived from the fundamental right to informational self-determination, data protection in the USA is more a result of consumer protection laws. The converse argument implies that on the other side of the Atlantic, data protection is viewed more pragmatically and companies are subjected more to negotiated agreements than to strictly regimented laws.
The main differences between the two continents look like this:
|Germany / Europe||US (+ some other countries)|
|Federal Data Protection Law (BDSG), EU-GDPR||Data protection has no legislative foundation|
|Subject to EU rules and regulations||US government has wide-ranging freedom of action to monitor data traffic thanks to the “Patriot Act”|
|Data secrecy is largely ensured||Data secrecy as such is pretty much unknown|
|Right to informational self-determination||Self-regulation of market participants|
|Federal Office for Information Security||No (independent) agency has responsibility for data protection|
|Data typically remains within the data protection boundaries of a country||Data is transmitted worldwide with no limitations and stored “somewhere” as needed|
|Penalties and orders, regulatory approach||“Blame and shame” process (virtual pillory in case of violations), pragmatic approach|
|Agencies must be informed immediately when sensitive data is at risk||Internal attempts to fix data leaks first, before an agency needs to be involved|
|Laws are applied regardless of any possible encryption||Unencrypted data is rarely considered worthy of protection|
In the USA, the interests of companies and security agencies are protected above all, and data protection is treated relatively carelessly in practice. The EU, and Germany in particular, focus on the rights of individuals and data protection is considered a fundamental human right.
Data protection and security
So what do you need to consider in order to be on the right side of the law?
First of all, you need to decide precisely which provider you will trust to work with you to protect your internal company data. To do so, you should ask the following questions when selecting your cloud provider:
- Is the provider located in the EU, or even better, in Germany? The laws that apply in this country are often simply not familiar (enough) to providers in other countries. Nevertheless, as a company owner you are responsible for compliance when it comes to your customers’ data.
- Can the intended solution also function without an active Internet connection?
- Is the data encrypted for transmission? What standard is it based on?
- Is the transmission of data limited to only what is absolutely necessary?
- Is the data encrypted whenever it is saved by the provider? What security standard is used?
- Does the provider have an interest in keeping your data secure, or might it benefit from the data that you upload (for advertising, tracking, selling data, spying?)
- Can it guarantee that it works to the new EU-GDPR (2018) and will help you with compliance?
If you have made user data accessible in a public cloud, and it has potentially been transmitted to other countries outside the EU, you will most probably be in violation of the law no later than the middle of 2018. If the provider there is not able, or refuses, to work to the EU standard, then you might even be required to request that the data be deleted and enforce that request. This cannot only take a lot of time in some cases, but it can also become very expensive.
What to do if relocation is necessary?
If you have already saved your data on servers whose operators may not work to applicable EU law, we recommend taking the following steps:
- Clarify which data has already been transmitted where, and to what extent you can replace the current solution with a cloud located in Germany.
- Identify the prerequisites for an appropriate level of data protection under the new EU regulation.
- If you decide to use cloudplan: have one of our consultants present a customised solution for you and install it at your location if desired.
- Test the solution(s) with real data.
- Transfer back the data stored elsewhere out of the clouds and onto your own systems.
- Load particular, non-sensitive data to a public cloud, if desired.
- Request that your previous provider deletes the existing data, referencing applicable EU data protection law (so-called revocation of consent).
- Also request that the provider deletes the data completely from third-party systems, or confirms that your data has not fallen into the hands of any third parties.
- Have all deletion procedures confirmed in writing once they are complete and search for parts of the data on Google, for example, in order to check.
Cloudplan is happy to help you with the execution of such deletion and transfer procedures and will provide individual advice on what procedure makes the most sense in your case.
The handling of data and the cloud is similar to your company’s vehicle fleet. You make it available to your employees and engage third parties to performance maintenance and service. It would be more than aggravating if employees of the maintenance company were to take and copy confidential documents from the vehicles, or if the vehicles were used off-road, outside of their specified use. If you and your service provider not only speak the same language when it comes to data protection, but also are in the same boat with regard to potential liability questions, then your risk remains minimal. So, put your trust only in those cloud solutions that meet the latest EU standard and contact us today.