Nexus

Nexus strives to make it as easy as possible for our customers to comply with the requirements of GDPR, which was introduced on May 25, 2018. We will continuously review the functionality of Nexus GO Cards in terms of GDPR. 

Implemented functionality

The following functionality is implemented in Nexus GO Cards, to help you to be compliant with GDPR:

Traceability

In Nexus GO Cards, we log customers' successful and failed logins, as well as successful logins of administrative staff. Creation and modification of data is logged at user level, but not specifically the searches each user has done.

Availability

In Nexus GO Cards, everyone has their own login, and access . Unless their is a federation, the login is based on Nexus MFA mechanism using Smart ID Mobile. Access to personal data is restricted.

To gain access to the Nexus order portal, you and your company need to Card Management Portal, your organization must be a Nexus GO customer. Then we together define the right people and right permissions to be linked to each client account with a secure authentication methodOnce the first users have been added to the organization, users with admin privileges can add or remove users in Nexus Card Management Portal.

Users with the right privileges have access to previous orders (, as long as they do not delete the personal data). Users with the right permissions have access to administering other users' tasks.

Correction

To correct order data you place a new order and then erase the personal data from the old order. The user with user-administration rights can edit user information.

Security

All Nexus' handling of personal data and card data is strictly confidential and with high data security. We collect Nexus only collects the information that our customers that you request.

Nexus has implemented a range of technical and organizational measures, such as establishing internal controls and information security practices to protect the data we handle handled on behalf of the customer. The purpose is to protect our customers' information from accidental or temporary loss, damage or change, unauthorized disclosure or access, or unauthorized destruction.

Removal

The customer has the option to decide whether , by default, personal order data is deleted immediately should be deleted a certain time after a card has been produced and delivered, or if the data is stored for some time for re-ordering . The customer can also manually remove personal data on their order history in Nexus’ order portal. The text will then disappear from the web page and will be erased in the system when that order is produced and invoicedpurposes. 

Traceability

Traffic to and from the service is logged. All logs are automatically removed after 90 days.

Important notice

A major part of GDPR is about internal routines. Organizations are responsible for personal data, regardless of whether it is a HR system, CRM system, security system, PACS system, real estate system or other. Each organization must ensure that staff handle personal data properly. This includes, among other things, having a legal basis for processing personal data, keeping track of the personal data being processed and the context in which to handle only the information necessary for the purpose expressed, deleting data when no longer required, and to inform and, where necessary, obtain consent from registered persons.

Please also observe Observe that the GDPR acknowledges that data protection rights are not absolute and must be balanced proportionately with other rights – including the “freedom to conduct a business”. For more information on the ability of EU member states to introduce exemptions, see the section on derogations and special conditions. EU: General Data Protection Regulation. 

As a regulation, the GDPR will be directly effective in EU member states without the need for implementing legislation. However, on numerous occasions, the GDPR does allow member states to legislate on data protection matters. This includes occasions where the processing of personal data is required to comply with a legal obligation, relates to a public interest task or is carried out by a body with official authority. Numerous articles also state that their provisions may be further specified or restricted by member state law. Processing of employee data is another significant area where member states may take divergent approaches. Organizations working in sectors where special rules often apply, for example health and financial services, should: (1) consider if they would benefit from such special rules, which would particularize or liberalize the GDPR; and (2) advocate these accordingly. They should also watch for member states seeking to introduce special rules, which may prove restrictive or inconsistent across member states.