I just read the Data Processing Agreement (DPA). It leaves me confused. On the one hand KoBo claims to be GDPR compliant. On the other hand in clause 11.3., users (Controllers) seem to have to encrypt data to be GDPR compliant. Quote: “11.3 Controller acknowledges that, in addition to entering into the EU Standard Contractual Clauses as attached hereto as Attachment 3, it may, depending on the circumstances of the case, need to take supplementary measures to ensure that the use of the Services is compliant with Chapter 5 of the GDPR. One of these measures would be to store Personal Data on the KoBoToolbox Server only in an encrypted form.”
Encryption is only possible when collecting data with KoBoCollect. We want to use KoBo to collect membership data for our NGO. This means we want to use the web-forms. How can we be GDPR compliant then? Is there a difference between the Humanitarian Organizations Server and the “Open Server” (kf.kobotoolbox.org)?
Unfortunately, your message does not answer my question.
Hence, I will ask in simpler terms. If I collect personal data through the forms/surveys created by me and want to be GDPR compliant, what do I have to do? Can I use the kf.kobotoolbox.org server or the humanitarian server (hosted by UNOCHA)? Do I have to use encryption additionally?
I understand that encryption only works if data is collected using KoBoCollect. Is this correct?