General Data Protection Regulation (GDPR)

This documentation is intended to shed light on the rules within Second. Please keep in mind that it is your contract that governs the limitation of liability between you and Second and not this docum

Why

The GDPR (General Data Protection Regulation) is the set of rules governing how companies process the personal data of data subjects within the European Union.

The GDPR defines the responsibilities of organizations to ensure the confidentiality and protection of personal data, and it grants data subjects certain rights.

It also gives regulators the power to require organizations to demonstrate their accountability, and even to impose fines, where an organization does not comply with GDPR requirements.

The GDPR puts companies based in the European Union and those based outside Europe on an equal footing and puts an end to unfair competition.

For which services

For all marketplace services.

Second natively uses Cookiebot on every platform.

How GDPR applies to Second

Limited purpose

Definition: Personal data can only be collected and processed for specific, explicit and legitimate purposes.

  • At Second, we collect data for:

    • User accounts

    • Listing creation and publication

    • Booking creation

    • Payments

    • KPIs

Lawful legal basis

Definition: The processing must correspond to one of the legal bases provided for by the GDPR (legal obligation, contract, legitimate interest, consent...). When the processing is based on consent, it is important to ensure that it has been validly collected.

  • Second's processing is “in accordance with Article 6-1-b of the General Data Protection Regulation, the processing is necessary for the performance of the contract to which the customer has subscribed.”

Information of the persons concerned

Definition: They must be informed in a precise and transparent manner before the processing is implemented. Various information must be communicated to them: purposes, legal basis, retention period, rights of access, rectification, etc.

  • Second informs employees, customers, and users through contracts and through general pages on the platform, such as the cookie page, the general terms, and the conditions of sale.

Data security

Technical and organizational measures must be put in place to guarantee a level of security adapted to the risk (pseudonymization, encryption, confidentiality clauses, authorizations, backups, logging, audits, etc.). The risks to be taken into account include destruction, alteration, disclosure, or unauthorized access.

  • At Second, we run security checks on the platform every week; we also have security procedures in the office, covering computer access and more.

Transfer of data outside the EU

This must be supported by specific tools or solutions if the third country does not offer an adequate level of protection.

  • None of our data leaves the European Union.

Internal procedures

Procedures for handling complaints and requests from data subjects (right of access, rectification, opposition, portability, etc.)

To illustrate this point, here is a part of our charter on data protection:

  • “Second is not a data company. We do not exploit our customers’ data nor their users’ data, and therefore we have no economic interest in any data processing activities.

    • The right to be informed

    • The right of access

    • The right to rectification

    • The right to erasure

    • The right to restrict processing

    • The right to data portability

    • The right to object

    • Rights related to automated decision making and profiling”

  • Data security: data breach notification management procedures, etc.

    • Email notification about the security level of the password

    • Weekly security check (Detectify)

  • Relations with subcontractors (service providers, suppliers, etc.): procedures for contracting, auditing, etc.

    • The contracts define the limits

  • Awareness and training of company personnel on the regulations and on personal-data issues

    • Security documentation is accessible to all company personnel on Confluence; during each onboarding and once a year, personnel must pass a test to stay up to date.

  • Taking into account data protection by design and by default: when designing an application, new processing…

    • At each step of the development process, security is taken into account.

Password Management Policy

Second's password management policy follows several rules in order to be compliant.

When creating a new password, make sure it satisfies all of the following:

  • Minimum password length: 10 characters (this can be increased)

  • It must contain at least:

    • 1 uppercase character (A-Z)

    • 1 lowercase character (a-z)

    • 1 digit (0-9)

    • 1 special character

  • The new password must be different from the previous one

  • The password must not use the first part of the user's email address

There is no expiration date for passwords.

Users do not have to change their password at first login, because passwords are chosen by the users themselves rather than generated by the application.

Users are locked out for 10 minutes after 10 unsuccessful login attempts.

Second does not allow reuse of any of the last 8 passwords created on the application.

Passwords are not known to Second's employees or its subcontractors.

Stored passwords are protected with Symfony's default password hasher: in practice, with the libraries installed by the default script, this is sodium (Argon2), or more rarely PBKDF2. The cryptographic salt is built into these algorithms. In short, Symfony best practices are followed.
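The password rules, the reuse check against the last 8 passwords, the 10-attempt/10-minute lockout and the salted hashing described above, as an added example that is not Second's code. It is written in Python rather than in Symfony/PHP, and it hashes with PBKDF2-HMAC-SHA256 from the Python standard library (the fallback algorithm mentioned above) because Argon2 is not in the standard library. The 600,000 iteration count, the reading of "first part of the email address" as the local part before the @, the ordering of the history list (most recent first), and every sample password and address are assumptions or constructed values.

```python
"""Constructed example of the password policy described above (not Second's code)."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 10              # minimum length stated in the policy
HISTORY_SIZE = 8             # the last 8 passwords may not be reused
MAX_FAILED_ATTEMPTS = 10     # attempts allowed before lockout
LOCKOUT_DURATION = timedelta(minutes=10)
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256

# Character-class rules from the policy (lowercase is a-z, as intended)
_RULES = [
    (re.compile(r"[A-Z]"), "at least one uppercase character (A-Z)"),
    (re.compile(r"[a-z]"), "at least one lowercase character (a-z)"),
    (re.compile(r"[0-9]"), "at least one digit (0-9)"),
    (re.compile(r"[^A-Za-z0-9]"), "at least one special character"),
]


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is stored alongside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def policy_violations(password: str, email: str, previous_hashes: List[str]) -> List[str]:
    """Return every policy rule the candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, description in _RULES:
        if not pattern.search(password):
            problems.append(f"missing {description}")
    # Assumption: "first part of the email address" means the local part before '@'.
    local_part = email.split("@", 1)[0]
    if local_part and local_part.lower() in password.lower():
        problems.append("contains the local part of the email address")
    # previous_hashes is assumed ordered most recent first; the previous password
    # is entry 0, and none of the last HISTORY_SIZE may be reused.
    for stored in previous_hashes[:HISTORY_SIZE]:
        if verify_password(password, stored):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
            break
    return problems


class LoginThrottle:
    """Per-account failure counter: 10 failures lock the account for 10 minutes."""

    def __init__(self) -> None:
        self.failures = 0
        self.locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_until is None:
            return False
        if now >= self.locked_until:
            # Lockout window has passed: clear the lock and the counter.
            self.locked_until = None
            self.failures = 0
            return False
        return True

    def record_failure(self, now: datetime) -> None:
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_DURATION

    def record_success(self) -> None:
        self.failures = 0
        self.locked_until = None


def attempt_login(throttle: LoginThrottle, stored: str, password: str, now: datetime) -> str:
    """One login attempt: returns 'locked', 'ok' or 'denied'."""
    if throttle.is_locked(now):
        return "locked"          # rejected before the hash is even checked
    if verify_password(password, stored):
        throttle.record_success()
        return "ok"
    throttle.record_failure(now)
    return "denied"


if __name__ == "__main__":
    history = [hash_password("Old-Passw0rd!1")]   # constructed previous password
    print(policy_violations("alice2024", "alice@example.com", history))
    print(policy_violations("Tr0ub4dor&3xyz", "alice@example.com", history))
```

The history check has to verify the candidate against each stored hash rather than compare plaintexts, because the plaintexts are never retained; this is also why the check is bounded to the last 8 entries, since each verification costs a full PBKDF2 run. Lockout is evaluated before the hash is computed, so a locked account does not spend hashing time on attacker-supplied input.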

With the Audit bundle enabled, every change in an entity's state is stored and logged, together with the account responsible for the change, including its login address. This applies to users, managers, and administrators. All interventions by technical operators are traced via the VCS (Bitbucket).

There is no expiration date on the above-mentioned logs.
