GDPR Challenge 7: Control the usage of documents by external parties.

Posted by Daniela Di Noi on 2/21/18 9:19 AM

Find me on:

In this series, with Bart Van Bouwel and Jean-Luc Goedermans, from CDI-Partners, we set out 7 challenges to handle documents in a GDPR compliant way.

As we have seen documents, spreadsheets and other files are easily copied and shared across devices. This can be unwanted behavior, an employee copying customer data on a USB key before leaving the company, but mostly this is wanted behavior, working on a document with colleagues, sharing information within a department, sending out a work order to an external partner. And our seventh challenge is about the last example. How do you control information you shared with an external party?

Why would this be necessary? The most important article covering this situation is Article 19 “Notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.”

When you share personal data with third parties, you should be able to notify them after a request for deletion or rectification. When you share structured data, this will almost always be done under a formal contract, transferring files or granting access to your databases through web services. Contracts should address the procedure to comply with Article 19.

Sharing word or PDF documents and spreadsheets, will often be done in an informal way: by sending out emails or using file sharing utilities like Dropbox.

So, when a data subject asks to be forgotten, can you inform all parties that have received information?


Once again, the solution lies in using a content management system. You stop sending out emails with documents, you share links to documents in your system. And not only can you keep track of who you shared the information with, you know if and when this party has read the document and if and when the information was downloaded. With this knowledge, you could even automate notifications after a request for deletion. If someone asks to be forgotten and the information was not downloaded, just revoke access rights. When the information was downloaded, send out a mail with the notification.

With Alfred GDPR we try, first, to minimize copies of documents, creating a single source of (document) truth which is easier to protect. Instead of email attachments to third parties, linking and sharing of documents are promoted and facilitated. With linking and sharing, full audit and access control are at your disposal. Tooling-wise, Alfred Desktop and Alfred Finder make it really easy to send links to documents and sharing them with a restricted audience. Downloads can be disabled, such that we only offer a service to consult the document, not to download a copy.


Alfred GDPR Xenit


Alfresco allows to share a folder or a document with partners and people you assign. Using Alfred Edge’s cloud authentication, these documents can even be shared outside your company walls with strong authentication for your external partners and customers. Links can entail strong authentication of the person accessing your document; we can make them secure, valid for a limited time and inside a specific geographic zone.

When employees, for good reasons, download a document for internal purposes, full audit information is available. Every consultation is logged. Even sending a document attached in an email can be added to the audit log if the operations is executed out of the safe harbor of Alfred GDPR.

Some previewers operate by downloading a document locally before displaying it. With streaming technology, a document never has to be downloaded, you can consult the content without a local copy. Alfred GDPR optionally offers such a streaming viewer if you need the additional protection. Last but not least, it is possible to watermark (PDF) documents such that there private or sensitive character is explicit and awareness about their private nature is increased. Water-marking is possible in preview and in the creation of a “GDPR protected PDF copy”. 

Through the seven challenges, we have listed what you need to comply with the GDPR. Combined with unique GDPR functionalities of Alfred GDPR, Alfresco is the most appropriate environment to store, modify, archive, and delete your files. Long story, short, Alfresco is your chance to manage unstructured data under the regulation.

You can contact us for any specific request and we will glad to help you and provide our support.


The series is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. 


Topics: Alfresco, Metadata, GDPR, Compliance, personal data, Security, sensitive data, governance, breaches, Alfred Desktop, Alfred, document, Storing data, securing of processing, third parties

About Xenit 


Xenit is a Belgium-based IT company, focusing  on content services solutions, and covering all document-related business processes, from data migration to digital archive to hybrid/cloud hosting solution, to help organizations get control of their information. Premier Partner and System Integrator of Alfresco Digital Business Platform, Xenit has more than 10 years of experience in Alfresco Content and Process Services.


Subscribe to Email Updates

Recent Posts

Posts by Topic

see all