OpusCapita GDPR compliance support for customers

The introduction of the EU General Data Protection Regulation (GDPR) has been the most significant change in data privacy regulation in 20 years. For those to whom the GDPR is still new, we recommend becoming familiar with its general contents and purpose, especially the roles and responsibilities of the data controller (GDPR Article 24) and the data processor (GDPR Article 28).

Here you will find documents and updates intended for supporting GDPR compliance in cooperation with our customers. These pages will be periodically updated to reflect the latest changes and developments in OpusCapita GDPR information and are provided as a free service to OpusCapita customers to help them to maintain their respective GDPR compliance records.

Compliance with GDPR

OpusCapita acknowledges that customers have entrusted us with the processing of their personal data and seeks to ensure that the legal obligations that apply to our customers (as data controllers) and to OpusCapita and its sub-contractors (as data processors) can be complied with.

To ensure this, OpusCapita as a processor has taken the following measures and is continuously optimizing them:

  • OpusCapita services have been compliant with the EU member state legislations that implemented Directive 95/46/EC.
  • OpusCapita pursues a group-wide program to comply with the regulations required by the EU Data Protection Regulation (679/2016).
  • OpusCapita carries out necessary GDPR compliance training, including compulsory training for all personnel on the code of conduct, data protection and data security.
  • OpusCapita has been making the necessary changes to internal processes (e.g. relating to record keeping on processing activities and data lifecycle management), and has undertaken detailed data mapping activities and, where necessary, Data Privacy Impact Assessments.
  • Because certain underlying service elements are outsourced to partners, OpusCapita has updated the supplier agreements – where necessary – and verified subcontractors’ security controls and GDPR compliance.
  • In addition, updates have already been made to OpusCapita general terms of agreement, supplier agreement processes and data processing agreements, and other internal and external legal and compliance materials.
  • OpusCapita aims to help its business partners to capture the personal data process end-to-end by providing a Data Processing Agreement designed for OpusCapita services, to ensure both the customer and OpusCapita and its sub-processors fulfil their legal requirement to document and agree in writing the necessary details concerning the data processing of personal data.
  • OpusCapita has appointed local Data Protection Officers where required by applicable regulations.

What kind of data is processed by OpusCapita?

The subject matter and purpose of the processing towards the customer’s own clients, and for customer internal purposes such as personnel and suppliers, should be defined by the customer when they enter into a services agreement with OpusCapita. OpusCapita will process the data as a part of the predefined services in accordance with the services agreement and the DPA.

Typically, the personal data is end user identification data used to administer the access and operation of OpusCapita’s services purchased by the customer. The second layer of personal data is related to the data used by the customer’s finance and procurement functions, namely Source-to-Pay or Order-to-Cash processes. In many cases the data can be embedded in such a way that it cannot be directly and electronically identified as personal data. One example could be when personal data is incorporated in the scanned image of incoming purchase invoices that we process and forward for you. Such data may also be included in other electronic messages that we process between our customers and their business partners in our messaging platforms, and in the eProcurement and Portal solutions we provide for our customers’ use as a service (SaaS or cloud services).

Data subjects and categories of data

As the subject matter of the processing is Business-to-Business invoices, electronic messages and related payment data, in the vast majority of the cases the personal data is of a basic, non-sensitive nature and does not contain any specific categories of personal data in the meaning of the GDPR. The types of persons concerned (data subjects) are mainly employees or contractors of the customer or those of the customer’s client or supplier.

Typically, the personal data that is processed is related to the user rights administration and monitoring in a cloud service, such as customer’s employees’ or contractors’ name, title, user-ID, email address, telephone number or other such basic identification data that is needed to establish and maintain the customer relationship, the user accounts and logs, and to provide a secure end user access to the cloud service. Name and title may also appear as contact person on the invoices that are being processed and as inspectors and approvers of the invoices in the invoice workflow solutions. Such information originates from customers, is necessary to operate the solution and needed for the fulfilment of the purpose of the services agreement and is in most cases entered into the process and solutions by the customer’s personnel.

The duration of the processing is equal to the length of the term of the services agreement. In the majority of cases the agreements are entered into for an indefinite period and can be terminated by either party, unless the procurement rules have dictated a fixed contract term.

Unless the customer has purchased archiving services, a longer data retention is an element of the service according to the service description, or a different process is separately agreed, the customer data is deleted from OpusCapita platforms and facilities after the processing and the service quality assurance and monitoring tasks regarding the relevant batch of customer data have been successfully completed.

List of subcontractors (subprocessors)

Below, you find the general list of the third parties that participate in data processing activities with most of the services provided by OpusCapita. The listed subcontractors (subprocessors) are processing personal data as a part of the services provided to OpusCapita’s customers. These are typically data center providers and data infrastructure providers. Product-specific lists of subcontractors will be made available upon request regarding providers of specific technical services such as digitizing in a specific country within or outside the EU. Processing of data outside the EU or EEA is governed by EU standard contractual clauses (2010/87/EU) that the partner is required to sign and adhere to. The list of subcontractors will be updated in the event of a change or update. Therefore, customers are advised to visit these pages periodically if they wish to review the current information. In case of major changes, we will also invite you to visit these GDPR pages or you will receive a separate notice in our service portal.

Customer-specific exceptions

Due to the nature of the subcontractors’ services, it may not be possible to design customer-specific exceptions, or it may carry a cost that renders such an alternative not feasible to either party. Therefore, OpusCapita seeks to establish and maintain such technology and service partners that have sufficient security and service levels to be able to serve the whole customer base. Eventual customer non-acceptance of a subcontractor, or any security issue that stems from a customer’s company-wide technology or infrastructure choice or that otherwise cannot reasonably be adapted to by OpusCapita, will therefore need to be resolved by such customer discontinuing the use of the particular service in question, as stipulated in the DPA.

Product Statements

Further details on how OpusCapita products and services support customers’ GDPR compliance

Here you will find detailed summaries per OpusCapita product and service addressing the key issues that are relevant from a GDPR compliance point of view. Depending on which product or service your company is using, you can focus on the ones that are relevant for you. The product-specific information supplements the general descriptions found on this page.

FURTHER INFORMATION

If you are not able to complete and sign the Data Processing Agreement (DPA) found on these pages without additional assistance, please send us an email at DPA@opuscapita.com with your contact details and specific request, so that we can assist you.

(OpusCapita needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.)