OpusCapita GDPR compliance support for customers
The introduction of the EU General Data Protection Regulation (GDPR) has been the most significant change in data privacy regulation in 20 years. For those for whom the GDPR is still new, we recommend getting familiar with its general contents and purpose, especially the roles and responsibilities of the data controller (GDPR Article 24) and the data processor (GDPR Article 28).
Here you will find documents and updates intended to support GDPR compliance in cooperation with our customers. These pages will be updated periodically to reflect the latest changes and developments in OpusCapita GDPR information and are provided as a free service to OpusCapita customers to help them maintain their respective GDPR compliance records.
The key instrument for structuring and managing GDPR compliance between customers (data controllers) and their suppliers (data processors) is the data processing agreement. Here OpusCapita customers can take care of the contractual documentation required for GDPR compliance by executing the data processing agreement (DPA). The primary responsibility for defining the scope, content and purpose of processing in the DPA lies with the data controller (OpusCapita’s customer). OpusCapita’s DPA has been designed for our products and services so that customers do not need to add any further details, but can simply print it out, sign it and return it to the dedicated email address.
OpusCapita acknowledges that customers have entrusted us with the processing of their personal data and seeks to ensure that the legal obligations that apply to our customers (as data controllers) and to OpusCapita and its sub-contractors (as data processors) can be complied with.
To ensure this, OpusCapita as a processor had already taken the following measures before the GDPR came into force and is continuously optimizing them:
- OpusCapita services have been compliant with the EU member state legislation that implemented Directive 95/46/EC.
- OpusCapita pursues a group-wide program to comply with the requirements of the EU Data Protection Regulation (679/2016).
- OpusCapita carries out the necessary GDPR compliance training, including compulsory training for all personnel on the code of conduct, data protection and data security.
- OpusCapita has been making the necessary changes to internal processes (e.g. relating to record keeping on processing activities and data lifecycle management), and has undertaken detailed data mapping activities and, where necessary, Data Privacy Impact Assessments.
- Because certain underlying service elements are outsourced to partners, OpusCapita has updated the supplier agreements where necessary and verified the subcontractors’ security controls and GDPR compliance.
- In addition, updates have already been made to OpusCapita’s general terms of agreement, supplier agreement processes and data processing agreements, and to other internal and external legal and compliance materials.
- OpusCapita aims to help its business partners document the processing of personal data end-to-end by providing a Data Processing Agreement designed for OpusCapita services, to ensure that the customer, OpusCapita and its sub-processors all fulfil their legal requirement to document and agree in writing the necessary details concerning the processing of personal data.
- OpusCapita has appointed a Group Data Protection Officer (DPO) and local Data Protection Officers where required by applicable regulations.
OpusCapita processes personal data on behalf of its customers based on the services agreements that we have signed with the customers. Most customer agreements already contain high-level data protection provisions setting out the roles and responsibilities of the customer as the data controller and OpusCapita as the data processor, and the mutual obligation to comply with data protection legislation. The data processing agreement you find on this page supplements the services agreement and includes the additional details required by the GDPR.
OpusCapita’s standard terms of agreement contain specific data protection terms that enable OpusCapita and its customers to comply with the GDPR requirements. If you have purchased services from OpusCapita based on the above-referred standard terms during 2017 or thereafter, you are already covered by the GDPR contractual framework, and your contractual documentation can be completed simply by supplementing it with the additional information using the templates found on these pages. Alternatively, you can download and sign our DPA.
It is the customer’s responsibility to analyze what kind of personal data and documents they provide and process with OpusCapita systems and services, and to ensure that they are entitled to provide such data for processing by OpusCapita.
Accordingly, the customer should, as part of the services agreement with OpusCapita or by a subsequent DPA, ensure that the agreement sets out
- the subject matter and duration of the processing,
- the nature and purpose of the processing,
- the type of personal data and categories of data subjects, and
- the obligations and rights of the customer as the controller,
- together with the related data processing instructions, in accordance with the requirements of the GDPR and other applicable data protection legislation.
This site is designed to help you with this analysis by providing the DPA and related documentation.
The subject matter and purpose of the processing, towards the customer’s own clients and for the customer’s internal purposes such as personnel and suppliers, should be defined by the customer when they enter into a services agreement with OpusCapita. OpusCapita will process the data as part of the predefined services in accordance with the services agreement and the DPA.
Typically, the personal data is end user identification data used to administer access to and operation of the OpusCapita services purchased by the customer. The second layer of personal data relates to the data used by the customer’s finance and procurement functions, namely Source-to-Pay or Order-to-Cash processes. In many cases the data is embedded in such a way that it cannot be directly and electronically identified as personal data. One example is personal data incorporated in the scanned image of incoming purchase invoices that we process and forward for you. Such data may also be included in other electronic messages that we process between our customers and their business partners in our messaging platforms, and in the eProcurement and Cash Management solutions that we provide to our customers as a service (SaaS or cloud services).
As the subject matter of the processing is Business-to-Business invoices, electronic messages and related payment data, in the vast majority of cases the personal data is of a basic, non-sensitive nature and does not contain any special categories of personal data within the meaning of the GDPR. The persons concerned (data subjects) are mainly employees or contractors of the customer, or those of the customer’s client or supplier.
Typically, the personal data that is processed relates to user rights administration and monitoring in a cloud service, such as the name, title, user ID, email address, telephone number or other such basic identification data of the customer’s employees or contractors that is needed to establish and maintain the customer relationship, the user accounts and logs, and to provide secure end user access to the cloud service. Name and title may also appear as the contact person on the invoices being processed, and as inspectors and approvers of invoices in the invoice workflow solutions. Such information originates from customers, is necessary to operate the solution and to fulfil the purpose of the services agreement, and is in most cases entered into the process and solutions by the customer’s personnel.
The duration of the processing is equal to the term of the services agreement. In the majority of cases the agreements are entered into for an indefinite period and can be terminated by either party, unless procurement rules have required a fixed contract term.
Unless the customer has purchased archiving services, a longer data retention period is an element of the service according to the service description, or a different process has been separately agreed, the customer data is deleted from OpusCapita platforms and facilities after the processing and the service quality assurance and monitoring tasks regarding the relevant batch of customer data have been successfully completed.
Here you find the GDPR-compliant data processing agreement designed for OpusCapita customers. It also contains the information required by the GDPR as pre-configured generic information, which you are requested to check. Please note that due to our limited resources we are not able to review and comment on customer-specific data processing agreements, and we strongly recommend the use of our DPA, which is available in several languages.
Please fill in your company details, print and sign the DPA, and send a PDF copy of the completed DPA with its annexes, together with your return address, to this email address: DPA@opuscapita.com, so that we can countersign it and send it back to you.
You can supplement the DPA with the following attachments, which contain additional information necessary for your DPA compliance records (subprocessors, and TOM, the technical and organizational information security measures):
Here you find the general list of the third parties that participate in data processing activities for most of the services provided by OpusCapita. The listed subcontractors (subprocessors) process personal data as part of the services provided to OpusCapita’s customers. These are typically data center providers and data infrastructure providers. Product-specific lists of subcontractors will be made available upon request regarding providers of specific technical services, such as digitizing in a specific country within or outside the EU. Processing of data outside the EU or EEA is governed by the EU standard contractual clauses (2010/87/EU), which the partner is required to sign and adhere to. The list of subcontractors will be updated in the event of a change or update. Therefore, customers are advised to visit these pages periodically if they wish to review the current information. In case of major changes, we will also invite you to visit these GDPR pages or send you a separate notice in our service portal.
Due to the nature of the subcontractors’ services, it may not be possible to design customer-specific exceptions, or doing so may carry a cost that makes such an alternative infeasible for either party. Therefore OpusCapita seeks to establish and maintain technology and service partners that have sufficient security and service levels to serve the whole customer base. Any customer non-acceptance of a subcontractor, or any security issue stemming from a customer’s company-wide technology or infrastructure choice or that otherwise cannot reasonably be accommodated by OpusCapita, will therefore need to be resolved by the customer discontinuing the use of the particular service in question, as stipulated in the DPA.
Here you find the current general descriptions of the technical and organizational measures that OpusCapita is taking to ensure data privacy and data security. OpusCapita is constantly developing its platforms and processes to respond to the evolving information security and regulatory requirements.
Here you will find detailed summaries per OpusCapita product and service addressing the key issues that are relevant from a GDPR compliance point of view. Depending on which product or service your company is using, you can focus on the ones that are relevant for you. The product-specific information supplements the general descriptions found on this main page.
- Cash Management Product Statement
- eProcurement Product Statement
- Invoice Receiving Product Statement
- Invoice Sending Product Statement
- Business Network Portal Product Statement
- Invoice Automation Product Statement
- OC Archive Product Statement
- B2B Integration Service Product Statement
If you are not able to complete and sign the Data Processing Agreement (DPA) found on these pages without additional assistance, please send an email to DPA@opuscapita.com with your contact details and your specific request, so that we can assist you.