# Welcome to the World of # GDPR 🎉 “The thrilling adventure where data has rights, and lawyers have fun.” We’ll explore GDPR and how QFieldCloud’s DPA makes sure your data behaves like a polite Swiss tourist — tidy, on time, and respectful of local laws. --- # Warm-up: Let’s Talk Data 🤔 Before we dive into GDPR and DPAs, a few quick questions. --- # What is a data breach? 🕵️‍♂️ - ❤️ A hacker steals data - 👍 My password is on a Post-it stuck to my monitor - 🎉 Someone loses a USB stick on the train --- # What does DPA stand for? 🧩 - ❤️ Data Protection Alliance - 👍 Data Processing Agreement - 🎉 Double Pizza Agreement --- # What do you do when a data breach happens? ⚡ - ❤️ Report it immediately - 👍 Take a deep breath first - 🎉 Say nothing, maybe no one will notice --- # When 💩 Hits the Fan 🤯 - Data breach is detected - Systems might be compromised - Customers may be affected - Clock starts ticking — GDPR gives you 72h to act --- # The user perspective 📷 ### Imagine you upload personal photos for a photo book - 🗑️ Concern 1: Data loss → all photos are gone 😱 - 👀 Concern 2: Unauthorized access → someone sees very personal photos 🙈 --- # What do I want as a user? 🎯 - 🛡️ Protection against loss and misuse - 📍 Information on where my data is stored - ✅ Certainty that my data is completely deleted if I request it --- # What is a DPA? 🤓 ### A Data Processing Agreement defines - 👤 Who can do what with the data - ⏳ How long the data is stored - 🔄 What happens to the data when the contract ends - 🔐 Which security measures are mandatory --- # Origin of the DPA 📜 ### The Mailman and the “Postal Secret” <img src="./assets/postal.jpg"> --- # Legal Basis for the DPA? 📜 ### Based on government regulations - 🇪🇺 EU: GDPR - 🇨🇭 Switzerland: revDSG (revised Swiss Data Protection Act) - 🎯 Goal: unified rules and clear responsibilities --- # GDPR in One Sentence 📝 ### Don’t be creepy with people’s data. --- # Personal Data: It’s Not Just Names 🧑‍💻 Sure, names and emails count. But so do GPS tracks, selfies, device IDs… If it can point to you, GDPR wants a word. --- # Personal vs. Non-Personal Data? 🔍 - 🌳 Tree height measurements? - 📋 Tree height + “collected by Bob”? - 🏠 Tree height + “collected by Bob at his house”? --- # Assume It’s Personal Data Anyway 🫂 It’s safer. Like always bringing a rain jacket in the Alps — you might not need it, but when you do, you really do. Our DPA is built on this assumption: we process everything under GDPR-grade protections. --- # Retention: Not Forever 🕰️ GDPR says: Keep it only as long as needed. Our DPA says: When the party’s over, we delete your data unless Swiss or EU law says otherwise. Plus: we certify that deletion to you — pinky swear. --- # Notification Requirements for Data Breaches 📢 - 🇪🇺 EU GDPR: Notify supervisory authority within 72h (Art. 33 GDPR) - 🇨🇭 Switzerland (revFADP): No fixed limit — report “as soon as possible” - 🇺🇸 USA: Depends on state, often 30 days or less - 📝 Organization-dependent: Internal policies or DPAs can set shorter deadlines than the law 💡 Key takeaway: Law = minimum standard, but a DPA or internal policy can require stricter timelines. --- # OPENGIS.ch / QFieldCloud’s DPA Promise 🤝 - 🇨🇭 Swiss hosting in ISO 27001 datacenters - 🔒 Access is controlled by roles & permissions - 🔍 Subprocessors vetted & listed transparently - 🗑️ Delete data at contract end - 🛠️ Assist with GDPR rights and DPIAs - 🚨 Notify you of data breaches within 48h --- # 3 Takeaways 💡 - 🛡️ We take data protection at QFC very seriously → we can confidently show this to customers, especially for OnPrem requests - 👍 React quickly if a breach is found → we have deadlines (48h) - 😌 Don’t panic → take a breath, then contact the QFC team --- # Closing 🚀 GDPR and a DPA are not just paperwork. They’re our safety net, our customer guarantee, and our trust promise. With QFieldCloud, you’re on the safe side of data protection.