BackWPup, Backups and GDPR

Dear BackWPup user, you surely also already heard something about the EU General Data Protection Regulation (GDPR) and you somehow have to deal with this topic – so do we. In this documentation we want to give you some information about what we already did to comply with the new data protection regulations, and we want to answer your questions about BackWPup, backups and GDPR.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a new law which regulates data protection for the whole EU. It’s the law’s aim to standardise processes where personal data are used. Furthermore, the law focuses on the protection of the rights natural persons have regarding their personal data. It’s going to be in force on May 25th, 2018, after two years of transition period.

All companies using personal data of EU citizens, no matter the size, are affected by this new law. Website owners not being totally private are affected, too. Maybe you’re one of the affected?

Companies being affected by the GDPR now have extensive documentation obligations about the handling process of personal data. The GDPR grants affected persons – those whose data are processed – the following rights:

The right to

• information
• deletion
• correction
• contradiction
• migration

of stored personal data.

In case you want to know more about it, we collected some useful links.

Related Links

https://gdpr-info.eu/

https://www.codeinwp.com/blog/complete-wordpress-gdpr-guide/

What We do to Protect Your Data

Since the beginning of this year, we work in the background to make our services and products GDPR compliant. We already dealt intensely with this complex topic where a lot has been unclear in the beginning.

Now we implemented quite some things in our shops and in our support. For example, we made an audit of personal data for all plugins we use, we modified our contact forms and updated our privacy policy.

Of course, we will work continuously to fulfil the data protection regulations, as the topic data protection and the rights of our users are very important to us.

What you should take care of as BackWPup user

Does BackWPup handle with personal data?

BackWPup doesn’t send any personal data to us. However, BackWPup stores the personal data on your website in a backup. Make the backup GDPR compliant is the responsibility of the website owner. Further below you can read how BackWPup supports to make your backup GDPR compliant.

In this way BackWPup helps to create a GDPR compliant backup

On blog.ebertlang.com und datenschutz-praxis.de (german) you find interesting blog posts with an overview what a GDPR compliant backup is about and how a backup tool does support the GDPR compliance of your website. We also summarized it here for you:

• The backup functionality is automatable and can run in the background – you can set this both with BackWPup FREE and PRO
• Fast restore of data – since BackWPup PRO version 3.5 we implemented the brand new restore feature which allows you to restore backups in an emergency case.
• Selection of data to be backed up is possible – With BackWPup you can decide which data you want to store in your backup and which not. You can choose both database tables and data.
• User administration with privilege system available – BackWPup provides a special user role “BackWPup admin”. A user with this role only has access to the BackWPup setting pages – in case you need support and need to give access to your website or in case an employee shall only be responsible for that.
• The backup tool creates logs about the backups – possible both with BackWPup PRO and FREE
• The website owner is informed when there are backup problems – possible both with BackWPup PRO and FREE
• Encryption of backups – server-side encryption available for Amazon S3 in FREE and PRO version of BackWPup. Symmetric (AES-256) or asymmetric (RSA) encryption for backups in BackWPup Pro starting with version 3.6.
• Changes of data to be backed up need to be confirmed – Confirmation happens by clicking the save button on BackWPup settings page.

Do you need an Data Processing Agreement (DPA) with us?

As BackWPup user you don’t need a DPA with us, because we don’t handle any of your data. BackWPup only creates backups of your website, the plugin doesn’t send any personal data to us.

However, if you upload a backup to a cloud provider (GDrive, Dropbox, etc.) with BackWPup, you transmit personal data to that provider. Therefore you need a Data Processing Agreement with that provider. In the following we provide the links to GDPR information and Data Processing Agreements of all BackWPup backup destination providers:

• Google Drive
  • For GSuite: https://support.google.com/a/answer/2888485?hl=en
• Dropbox
  • https://www.dropbox.com/security/GDPR
  • https://assets.dropbox.com/documents/en/legal/data-processing-agreement-dfb-013118.pdf
• Amazon Glacier and Amazon S3
  • https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls
  • https://eu-west-1.console.aws.amazon.com/console/dpa/document
• Microsoft Azure
  • https://www.microsoft.com/en-us/trustcenter/default.aspx
  • http://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=8532
• Rackspace Cloud Files
  • https://www.rackspace.com/sites/default/files/legal/rackspace_dpa.pdf
• Sugarsync – We will add this link soon
  

What do you have to consider in a support case?

As BackWPup FREE user, please ask your questions on wordpress.org. We offer personal support only to our PRO users. Although we answered support tickets of FREE users in the past, we will, with GDPR in force, only deal with support requests of PRO users in our support system. Please understand that the implementation of GDPR in support tickets requires a great deal of time and effort.

In case you need to give us access to your website to solve a support problem:

• please set up a new user for our support team and delete the user when your support ticket is solved. We will also delete the access data you gave us.
• please ensure we do not get access to personal data of your customers or users. Best practice is to set up a user with BackWPup Admin role when we need to access your site. In this case we do not get acces to the whole site but only to the BackWPup settings pages. Please also ensure we do not get access to backups containing personal data of your customers or users.

Do you have further questions we didn’t answer yet? Please use our contact form.

We will inform you as soon as there are any news about GDPR being in relation to BackWPup.

Please understand that this article isn’t a legal advice. We cannot take responsibility on the accuracy of the statements.