GDPR implementation part 3: Mapping our “world”

This is the third post in our series on Runbox’ GDPR implementation.

After structuring our GDPR project, the next piece of necessary groundwork was to map out the status of the relevant facts about important areas of our business. The reason is that it is impossible to establish and maintain good security and privacy – or to determine GDPR compliance – if the “territory” is not clearly described.

The “territory”

The “territory” in question was first and foremost:

  • The email service delivery system, that is the Webmail and backend systems and files – the development platform that is used, the components from which the system is built, the dependencies between the components, a description of access points, etc. – while being well aware that GDPR compliance also includes Privacy by Design requirements.

Other realms that needed to be described included, for example:

  • The economic system in which the company operates, i.e. mapping out the network of organizations with which our company is involved – including partners, associates, suppliers, financial institutions, government agencies, and so on – in order to serve our customers.
  • Server infrastructure with all physical links and channels, and not least all software components.
  • Data networks, including how and where our servers are connected to the Internet, but also the Local Area Network at our premises.
  • Data catalogue, including of course all personal data, that is, what kind of data is registered about customers, and also about employees and partners/associates.
  • Applications of all sorts necessary to run the company – applications that are managerial in nature.

Level of description

One problem we encountered was deciding how detailed the descriptions should be. Too many details make the job unnecessarily big in the first place, and then require a lot of maintenance to keep the documentation current.

We chose to start with a “helicopter view”, to obtain an overview of the different realms, with the intention of fine-graining the documentation depending on the requirements of the ultimate goal: to identify areas where privacy and security are of concern, ticking off issues that are already well taken care of in light of the GDPR, or following them up with measures to improve the situation and achieve GDPR compliance.

Of course, the GDPR Implementation Project is not a sequential one, as development projects seldom are. Therefore, from time to time we had to go back and adjust our planning tools when needs arose.

The next blog post in this series will concern our Information Security Policy.

GDPR implementation part 2: Structuring our GDPR project

As mentioned in our previous blog post about our GDPR project plan, we structured our implementation plan in 14 sub-projects.

In this blog post we’ll take a look at the first of these sub-projects.

Mapping status compared to the Regulation

The foundation for the sub-projects was (of course) the requirements in the GDPR Regulation, which we had mapped in sub-project #1: Compliancy Status Tables mapping Runbox’ status compared to the regulations.

In order to prepare ourselves, we did that before the final regulation was decided. We also did this for the requirements from the Norwegian Personal Data Regulation at that point in time.

Of course, the mapping had to be made compliant with the final version of the GDPR after the EU decision in 2016 – and so we did.

Controller and processor

At that point in time, we had our project nicely structured in the 14 sub-projects mentioned above. That was pretty easy because of the mapping we had done. An important fact in this context is that Runbox is both a controller and a processor, depending on the circumstances, according to the GDPR definitions. It was important to be exact about where and when each role applied.

Sub-project definitions and delimitations

In the GDPR we found some important points that we had to consider:

  • Our agreement with our main processor, Copyleft Solutions – and what about the agreements with our affiliates, partners and the like? Are the confidentiality clauses regarding protection of personal data still adequate?
  • Do our Terms of Service and Privacy Policy correspond to the new requirements?
  • What changes have to be made in our systems to fulfill the GDPR’s requirements regarding customers’ rights?
  • Do we have systematic documentation of our systems, and what about access control?
  • Does our information security policy cover the necessary elements, and is our risk analysis up to date?
  • What about the personal data we process for internal purposes? Obviously it was necessary to take a look at the agreements we have with internal and external personnel.
  • What about the internal control mechanisms we have – do they comply?

Those points (and some more) made the foundation for establishing delimitations between each sub-project, which we will continue blogging about in the weeks to come.

Runbox’ road to GDPR compliance

How we did it and what we learned on the way

In our blog post of May 25, 2018 we described the main areas of Runbox’ GDPR implementation.

On this Data Privacy Day we’d like to update you on our GDPR implementation, how we did it, and what we learned on the way.

There is an enormous amount of information out there describing GDPR content, simple copies of the regulation, some templates of varying quality – and a lot of warnings.

So first of all, let’s recap what the GDPR is.

What is the GDPR, and why did it come about?

In 2012, the European Union (EU) first proposed a set of rules for protection of data inside and outside the EU. An important reason for this decision was a desire to improve the ability for individuals to control data registered about themselves.

In 2016, the GDPR (General Data Protection Regulation) was formally adopted by the European Parliament and the Council of the European Union to take effect for all individuals within the EU and the European Economic Area (EEA).

Runbox’ approach to the GDPR

At Runbox, which is located in the privacy bastion Norway and within the EEA, we started the GDPR planning and implementation process as early as 2014.

At that point in time, we had followed the process in the EU about a comprehensive reform of the EU’s 1995 data protection rules. In the spring of 2014, the European Parliament demonstrated strong support for the GDPR proposal set forward by the Article 29 Working Party. (You can find more information about the history of the GDPR in the article The History of the General Data Protection Regulation.) Shortly thereafter, in September 2014, our GDPR Compliancy Project was launched.

We didn’t know at that time when the GDPR would take effect, but we knew the direction: based on Article 29 Working Party documents, the GDPR was expected to move in the direction of existing Norwegian privacy regulations.

Our GDPR project plan

We structured our implementation project in 14 partly parallel sub-projects, and after the decision by the European Parliament and the Council on April 27, 2016, we updated our project plan towards the target date of May 25, 2018.

We started out by mapping our exact position compared to the Article 29 proposal, which in 2015 was replaced by the European Data Protection Board, and then we went ahead to work out our main planning document, Rules and Regulations for Information Security Management.

With the groundwork done, we proceeded with the project towards fulfillment of our obligations regarding privacy under the new legislation, implemented in Norwegian law by July 20, 2018.

We will share more information in forthcoming blog posts, so stay tuned!

GDPR and Updates to our Terms and Policies

On May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) takes effect in all countries in the European Economic Area (EEA).

Norway, where Runbox is located, is part of the EEA and is implementing these regulations through its own legislation.

We welcome these new regulations as they greatly strengthen the rights of the individual to digital privacy and security, which we always have promoted and supported.

What is the GDPR?

The GDPR is a set of regulations declaring that the individual should have control over their personal data by specifying how such data may be collected, processed, and stored.

The regulations require that businesses and organizations integrate this right into their business practices through policies, procedures, and technologies that safeguard the users’ privacy.

Important principles are that personal data are processed lawfully, for legitimate purposes, and with explicit consent from the user. This means that your personal data can only be collected with your permission.

The regulation also sets forth a number of rights on the part of users of digital services:

  • The right to transparency about how data is processed.
  • The right to access and information about collected data.
  • The right to rectify stored data.
  • The right to erase data (“right to be forgotten”).
  • The right to restriction of processing.
  • The right to data portability.

GDPR also recognizes the term “privacy by design”, which means that privacy shall be considered in all circumstances when personal data is processed or stored. By also introducing “privacy by default”, GDPR states that appropriate measures must be implemented to ensure that personal data collected is only used for the specific purpose for which the consent is given.

How does Runbox implement the GDPR?

At Runbox we believe that the privacy and security of your data is essential, and that it’s important for you to be aware of your rights and your options when it comes to your personal data.

Runbox has therefore been working on the implementation of the GDPR throughout our organization and our services over the past three years.

The activities that implement the GDPR in Runbox can be divided into 3 main areas:

  • Internal policies and procedures
  • Partners and contractors
  • Protection of users’ rights

The first two areas include documentation of information security management and internal policies and procedures, as well as data processing and confidentiality agreements with our partners, contractors, and staff.

The third area relates directly to you as a Runbox user, and includes the terms and policies that govern your use of our services, how we aim to inform and educate our users about privacy, and how we are implementing tools and utilities that safeguard your privacy rights.

Runbox’ main areas of GDPR implementation

Revised Terms of Service and Privacy Policy

As part of our GDPR implementation, the Runbox Terms of Service and Privacy Policy have been revised.

While the Terms of Service has only been updated with minor changes, the Privacy Policy has been restructured and amended. It provides a comprehensive overview of the policies that govern your privacy as a Runbox user, and describes in an accessible way the types of data Runbox collects in order to responsibly and reliably operate an email service.

It also lays out how user data are processed and stored, how they are being protected, and what rights you have as a user of our services.

It’s important to us that you are informed about your rights and your options with regards to your privacy. We ask that you review the revised terms and policies by May 25, 2018 when they take effect, and invite you to contact us with any questions or concerns.

Our path to GDPR compliance — and how it will strengthen the protection of your personal data

Runbox has been focusing on privacy and information security from day one, and has paid attention to the strict Norwegian legislation concerning the processing of personal data ever since.

Norway is a member of the European Economic Area (EEA) and as such has to implement certain EU regulations, even though Norway is not a member of the European Union (EU). When the European Parliament and the Council adopted new legislation for the protection of personal data, that legislation also applied in Norway and has to be implemented by May 25, 2018.

The legislation, titled General Data Protection Regulation (GDPR), contains rules for how personal data should be processed. Using the terms of GDPR, this includes how, when, and under which conditions, personal data

  • can be collected, processed and stored, which requires explicit consent and an explicitly stated purpose;
  • shall be rectified;
  • shall be deleted (right to be forgotten);
  • shall be released to the person that owns the data (right to portability);
  • could be transferred to third parties for processing, where a Data Processing Agreement (DPA) is mandatory;
  • could be transferred to processors outside EEA.

At Runbox we have followed the development of this new EU legislation from the very beginning, and as early as 2014 we initiated a project in order to become GDPR compliant.

As a first step we started developing a planning document which includes detailed plans for making our information security management complete and consistent. The document laid out a number of activities which are now outlined in 15 sub-projects, some of which are completed, while others are in the process of being completed.

However, information security is a continuous effort and the sub-projects will give rise to additional activities far beyond the GDPR framework.

We will keep you updated.

Protecting Your Privacy – The Runbox Commitment

We’ve said it before, and we’ll say it again. The need for data privacy and the ability to communicate freely has never been more critical. Both individuals and businesses rely on secure online communication to safeguard sensitive information, especially as surveillance technologies continue to monitor and exploit digital interactions. At Runbox, we believe that privacy is more than just a feature; it is the core value that guides our service and our operations. Located in Norway, we are deeply committed to user privacy, which is supported by the country’s strong legal framework. Here, we explore why our location is vital for your privacy protection and how it aligns with the General Data Protection Regulation (GDPR).

The Right to Privacy

Privacy is not just a fundamental human right; it’s a cornerstone of our online lives, particularly when it comes to email communication. At Runbox, we understand the significance of protecting our users’ privacy. We view data privacy as an essential aspect of our operations and are committed to safeguarding it through stringent practices.

Norway’s Strong Privacy Laws

Norway’s privacy laws are among the most comprehensive in the world, and the robust privacy legislation provides a solid framework for protecting user data. As a Norwegian company, Runbox is subject to The Personal Data Act, which prioritizes user privacy over commercial interests. Stringent privacy regulations require transparent data collection and processing based on user consent. This legal framework creates a protective barrier for your data, and it holds companies like ours accountable for our actions. It means that we only collect minimally necessary data in order to provide services to you.

The Norwegian privacy laws are enforced by the Norwegian Data Protection Authority, which oversees compliance and provides independent oversight. This authority enforces strict regulations and ensures that organizations uphold their privacy obligations. This gives you peace of mind that your personal information is secure.

Compliance with GDPR

Runbox is compliant with the General Data Protection Regulation (GDPR), because Norway is a part of the European Economic Area (EEA). The GDPR is one of the strictest data protection frameworks globally. GDPR emphasizes principles such as user consent, data minimization, and individuals’ rights to control their personal data. This alignment with GDPR means that we collect only the essential information needed to provide our services, always with your explicit consent. We have clear policies on how we collect, store, and handle information. This ensures that our users have control over their personal data.

GDPR also grants you various rights, such as the right to access your data, the right to rectification, and the right to erase your data. At Runbox, we respect and uphold these rights, ensuring that your control over your information is never compromised.

User Empowerment

User empowerment is a fundamental principle at Runbox. We focus on giving individuals control over their personal data and online privacy. We strive to make our policies clear and accessible, because we believe that every user deserves to understand how their data is handled. Our Privacy Policy outlines exactly what information we collect, how it’s used, and the measures we take to protect it. We don’t hide behind complicated jargon or obscure language. Instead, we present the information in straightforward terms so that users can make informed decisions about their data.

Runbox Privacy Commitment

We explicitly state our commitment to user privacy in our Terms of Service and Privacy Policy. Runbox does not scan your emails for advertising purposes, nor do we share your data with third parties without your explicit consent. We actively protect you from external tracking and data misuse. Our servers, housed in secure facilities in Norway, ensure your email and account data remain safe from unauthorized access.

Protection against Surveillance

Runbox ensures that your data cannot be used for purposes other than what it was originally collected for, except with your consent. If a legal request is made for your data, it must first go through a complex process involving Norwegian authorities, and a court order is required before any information can be disclosed. Requests from foreign authorities, including those from the U.S., must follow a diplomatic process that ensures adherence to Norwegian law. Additionally, Norwegian law prohibits surveillance of your communications unless authorized by a valid court order, and independent oversight bodies ensure that any surveillance is lawful and minimal. This commitment to privacy means that your data is shielded from unnecessary access, government surveillance, and unauthorized use.

Transparency

Runbox believes in transparency. We are committed to ensuring that any requests for user data from national or foreign authorities are met with rigorous scrutiny, and we will only disclose information under strict legal requirements. Our Transparency Report is a testament to our commitment to keeping users informed and empowered regarding their privacy rights.

Key Highlights of Runbox’s Privacy Practices

  1. Norwegian Jurisdiction: Runbox operates under Norwegian privacy laws, ensuring high standards of data protection.
  2. Data Storage: All email and account data is stored in Norway, on our own secure servers.
  3. Strict Disclosure Policies: We do not disclose account information or email data unless strict legal requirements are met.
  4. No Data Mining: We do not scan your emails for advertisement purposes or share your data with third parties.
  5. Limited data retention: We are not obligated to maintain extensive traffic logs, which enables us to delete your data promptly upon request.
  6. Enhanced Security: We utilize SSL encryption for all server connections, ensuring that your data remains secure during transmission.
  7. No External Tracking: Our hosting provider does not log any traffic to or from our servers, further protecting your privacy.
  8. You Retain Control: You control your own data and may change, export, or delete it at any time.
  9. Perfect Forward Secrecy: We enforce Perfect Forward Secrecy on all web connections, ensuring that transmitted data cannot be decrypted retroactively.

In Summary

Choosing Runbox means choosing a secure email provider that prioritizes your privacy and peace of mind. By trusting Runbox, you can communicate freely, knowing that your privacy is safeguarded by some of the world’s most stringent regulations. In these uncertain political times, where privacy is increasingly under threat, Runbox’s compliance with Norwegian privacy laws and GDPR offers a crucial safeguard for users. With its strong legal protections and oversight, we ensure that your data remains shielded from government surveillance and unauthorized access, providing a rare level of security and peace of mind in an era of global data vulnerabilities.

For more information about our privacy commitments, visit the Runbox Privacy Policy page. Your privacy matters, and at Runbox, we are dedicated to protecting it.

You can find more information about how we deal with requests for access to data here.

We have written extensively on this subject. Check out our series on GDPR here.

What’s your privacy worth?

The Hidden World of Privacy Policies

Our personal information is a valuable commodity, and privacy policies have become an essential part of the online landscape. But for most users, privacy policies are a maze of legal jargon, dense paragraphs, and complex terms. These policies often obscure how our data is being used. Instead of clarifying the truth, they make it hard for consumers to fully understand what they’re agreeing to.

Runbox: The Sustainable Choice for Secure Email Services

At Runbox, we believe in a world where our digital communications can have a positive impact on the environment. Our mission is to reduce energy consumption and minimize our ecological footprint, both as an organization and as individuals. We believe that every action, including sending an email, should contribute to a sustainable future. By choosing Runbox, you’re not just using a secure email service – you’re making a conscious choice to support sustainable practices and contribute to the protection of the planet.

The FTC’s Report on Big Tech’s Personal Data Overreach: What You Need to Know

The Federal Trade Commission (FTC) has released a report exposing how Big Tech companies are overstepping privacy boundaries in their quest for user data. The report reveals the massive amount of personal information these companies collect, store, and profit from. Often, this is done without clear user consent or transparency. As concerns over data privacy grow, the report highlights the urgent need for stronger regulation and more responsible data practices.

In this blog post, we’ll break down the key findings of the FTC’s report and discuss how this overreach affects your privacy, along with what actions you can take to protect your data.

Key Findings of the FTC’s Report on Big Tech’s Data Practices

The FTC’s report, titled “A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services” offers an in-depth look at how major technology companies, including Facebook (Meta), Google, Amazon, and others, are handling your personal data. Below are some of the major findings:

Runbox is not on Meta or X (Twitter) – Because Privacy Matters

Social media platforms like Meta (Facebook, Instagram) and X (Twitter) are huge parts of our online lives. They’re where we catch up with friends, get our news, and share ideas. But while these platforms bring us together in a lot of ways, they also come with big problems—especially when it comes to privacy and misinformation. For a company like Runbox, being part of these platforms just doesn’t make sense. Here’s why.
