The Nuxeo Platform offers all the necessary capabilities to build an application that ensures the maximum level of compliance with user privacy and security regulations.
The Nuxeo Platform, by itself, cannot ensure GDPR compliance as the GDPR is not about certifying any technical solution; it is about ensuring that the management of personally identifiable information (PII) are satisfying individual rights requirements per GDPR mandates, such as the right to access, the right to erasure, portability, etc.
Indeed, the main concerns are focused on the way personal data is used and stored, the ability to quickly respond to Subject Access Requests, the security controls in place to protect personal data integrity and confidentiality, etc.
Individuals are free to either store the data for personal use or to transmit it to another data controller. The data must be received “in a structured, commonly used and machine-readable format.”
The Nuxeo Platform offers several features that allow you to export documents natively. The export component should be chosen depending on your requirements.
|Export Components||Implementation||Needs Configuration||Adapted for Folder Structure Export||Document Type and Property Value Export|
|ZIP XML Export||Native||No||Yes||No|
|PDF Concatenation||Studio feature||Yes||No||No|
|Nuxeo FS Exporter||Addon||No||Yes||No|
Individuals should obtain from the confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
- All the actions (download, search, edit, etc.) that were executed on a document
- The exact date of an action
- The version of the document in which an action was executed
The audit entries can be read from a document-context or from the Nuxeo Web UI Administration menu. New events can be created from Nuxeo Studio and therefore be tracked in the platform.
The individuals should have the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her.
Nuxeo allows you to bulk edit any document property by either building a custom form and operation with Nuxeo Studio or by creating your custom component based on Nuxeo Stream for huge volumes.
The individuals should have the right to obtain the erasure of personal data concerning him or her without undue delay and the controller should have the obligation to erase personal data without undue delay.
With the proper permissions, it is possible to delete a document unitary or several documents (from a folder view or a query). The deletion can be triggered by any other Nuxeo interface such as the REST API, CMIS or any Nuxeo SDK Client.
As described in Trash Service page, documents are first moved to the trash before being permanently deleted. The Nuxeo Platform removes the personal information references from the binary storage as well as from within the database.
The individuals should have the right to object at any time to processing of personal data concerning him or her, including profiling based on those provisions.
You can create specific document properties to identify whether a document being used for a particular processing activity is following the best practice for this type of workflow. In addition to triggering automatic processes with listeners and scheduling jobs, you can alternatively use custom security policies to instantly restrict a specific user or group from accessing a document to.
The term "Privacy by Design" refers to the data protection through technology design, in other words: apply privacy by design principles to applications, services and products when designing, developing, and testing.
Privacy by design concepts, applied to a Nuxeo-based application, require an understanding of the capabilities offered by the Nuxeo Platform. The following sections are particularly interesting to read: