Most of the security controls are managed and integrated with our ISO 27001 processes, whilst others have been governed through policies, agreements and new processes being communicated and implemented. We have also made several changes to our portal to support the portals data controllers, so they can easier carry out their GDPR obligations.

Mercell has implemented the appropriate security controls to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Furthermore are there implemented processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures, for ensuring the overall security of the processing.

All principles have been included into existing ISO 27001 processes, to assure relevant compliance within our existing processes.

All relevant user rights are the responsibility of the data controllers, and all users must therefore approach their user administrator, or their local DPO – Data Protection Officer, to request registration and fulfillment of their user rights. Mercell has improved several of these processes, making it easier for the data controllers to comply with their obligations.

Our Privacy policy follows the guidelines from the EU GDPR and explains how the personal information is being used in the portal.

For protocols, there are implemented logs that log all incoming privacy requests, the processing events, and the privacy breach notifications. Mercell has developed their own standard data processing agreement together with some larger customers, whilst still securing that it can be appropriate for almost all of our portal customers.