OpusCapita GDPR compliance support for customers
The EU General Data Protection Regulation (GDPR) is the most significant change in data privacy regulation in 20 years. For those who are new to the GDPR, we recommend getting familiar with its general contents and purpose, especially the roles and responsibilities of the data controller (GDPR Article 24) and the data processor (GDPR Article 28).
Here you will find documents and updates intended to support GDPR compliance in cooperation with our customers. These pages will be updated periodically to reflect the latest changes and developments in OpusCapita GDPR information, and are provided as a free service to OpusCapita customers to help them maintain their respective GDPR compliance records.
The key instrument for structuring and managing GDPR compliance between customers (data controllers) and their suppliers (data processors) is the data processing agreement. Here OpusCapita customers can take care of the contractual documentation required for GDPR compliance by executing the data processing agreement (DPA). The primary responsibility for defining the scope, content and purpose of processing in the DPA lies with the data controller (OpusCapita’s customer). With the help of the DPA and its standard attachments, customers can define the necessary details, print them out, sign them and return them to the dedicated email address.
OpusCapita acknowledges that customers have entrusted us with the processing of their personal data, and seeks to ensure that the legal obligations that apply to our customers (as data controllers) and to OpusCapita and its sub-contractors (as data processors) can be complied with.
To ensure this, OpusCapita as a processor has taken the following measures:
- OpusCapita services have been compliant with the EU member state legislations that implemented Directive 95/46/EC.
- OpusCapita has pursued a group wide program to implement the changes required by the EU Data Protection Regulation (679/2016) to reach compliance with GDPR before the regulation becomes effective.
- OpusCapita carries out the necessary GDPR compliance training, including compulsory training for all personnel on the code of conduct, data protection and data security.
- OpusCapita has been making the necessary changes to internal processes (e.g. relating to record keeping on processing activities and data lifecycle management), has undertaken detailed data mapping activities and, where necessary, has also carried out Data Privacy Impact Assessments.
- Because certain underlying service elements are outsourced to partners, OpusCapita is updating the supplier agreements and verifying subcontractors’ security controls and GDPR readiness.
- In addition, updates have already been made to OpusCapita general terms of agreement, supplier agreement processes and data processing agreements, and other internal and external legal and compliance materials.
- OpusCapita aims to help its business partners to capture the personal data process end-to-end by providing a Data Processing Agreement designed for OpusCapita services, to ensure both the customer and OpusCapita and its sub-processors fulfil their legal requirement to document and agree in writing the necessary details concerning the data processing of personal data.
- OpusCapita is governed by the parent Group’s Data Protection Officer (DPO) and has appointed local Data Protection Officers where required by applicable regulations.
OpusCapita processes personal data on behalf of its customers based on the services agreements that we have signed with the customers. Most customer agreements already contain high-level data protection provisions setting out the roles and responsibilities of the customer as the data controller and OpusCapita as the data processor, and the mutual obligation to comply with data protection legislation. The data processing agreement you find on this page supplements the services agreement and includes the additional details required by the GDPR.
OpusCapita standard terms of agreement have also been amended to enable OpusCapita and its customers to comply with the GDPR requirements (see section 9). If you have purchased services from OpusCapita based on the above referred standard terms during 2017 or thereafter, you are already covered by the GDPR contractual framework, and your contractual documentation can be completed simply by supplementing it with the additional customer-specific information concerning the data processing, using the templates found on these pages. In other cases, you can sign the full DPA.
It is the customer’s responsibility to analyze what kind of personal data and documents they provide and process with OpusCapita systems and services, and to ensure that they are entitled to provide such data for processing by OpusCapita.
Accordingly, the customer should, as part of the services agreement with OpusCapita or by a subsequent DPA, ensure that the agreement sets out
- the subject matter and duration of the processing,
- the nature and purpose of the processing,
- the type of personal data and categories of data subjects, and
- the obligations and rights of the customer as the controller,
together with the related data processing instructions, in accordance with the requirements of the GDPR and other applicable data protection legislation.
This site is designed to help you with this analysis by providing the DPA and related documentation.
The subject matter and purpose of the processing, both towards the customer’s own clients and for the customer’s internal purposes such as personnel and suppliers, should be defined by the customer before entering into a services agreement with OpusCapita. OpusCapita will process the data as part of the predefined services in accordance with the services agreement and the DPA.
Typically, the personal data is related to the customer’s finance and procurement functions, namely Source-to-Pay or Order-to-Cash processes. In many cases the data is embedded in such a way that it cannot be directly and electronically identified as personal data. One example is personal data incorporated in the scanned image of incoming purchase invoices, or of outgoing invoices to your business customers, that we process and forward for you. Such customer data may also be included in other electronic messages that we process between our customers and their business partners on our messaging platforms, and in the eProcurement and Cash Management solutions we provide for our customers’ use as a service (SaaS or cloud services).
As the subject matter of the processing is Business-to-Business invoices, electronic messages and related payment data, in the vast majority of the cases the personal data is of a basic, non-sensitive nature and does not contain any specific categories of personal data in the meaning of the GDPR. The types of persons concerned (data subjects) are mainly employees or contractors of the customer or those of the customer’s customer or supplier.
Typically, the personal data that is processed is related to user rights administration and monitoring in a cloud service, such as the customer’s employees’ or contractors’ name, title, user ID, email address, telephone number or other such basic identification data that is needed to establish and maintain the customer relationship, the user accounts and logs, and to provide secure end-user access to the cloud service. Name and title may also appear as the contact person on the invoices being processed, and as inspectors and approvers of the invoices in the invoice workflow solutions. Such information originates from customers, is necessary to operate the solution and to fulfil the purpose of the services agreement, and is in most cases entered into the process and solutions by the customer.
The duration of the processing is equal to the term of the services agreement. In the majority of cases the agreements are entered into for an indefinite period and can be terminated by either party, unless procurement rules require a fixed contract term.
Unless the customer has purchased archiving services, a longer data retention period is an element of the service according to the service description, or a different process is separately agreed, the customer data is deleted from OpusCapita platforms and facilities after the processing and the service quality assurance and monitoring tasks regarding the relevant batch of customer data have been successfully completed.
Here you find the current data processing agreement designed for OpusCapita customers. It also contains the necessary annexes, which include in a pre-configured format the generic information that the GDPR requires. You need to review and supplement this information by specifying in more detail the purpose of processing, the data subjects and the categories of data.
Please fill in, print and sign the completed DPA with its annexes, and send a PDF copy together with your return address to this email address: DPA@opuscapita.com, so that we can countersign it and send it back to you.
You can supplement the DPA with the following attachments containing additional information necessary for your DPA compliance records (subprocessors and TOM - information security measures):
Here you find the current list of the third parties that participate in data processing activities for most of the services provided by OpusCapita. The listed subcontractors (subprocessors) process personal data as part of the services provided to OpusCapita’s customers. These are typically data center providers and data infrastructure providers. Product-specific lists of subcontractors will be made available for providers of specific technical services such as digitizing and specific cloud services. The subcontractors generally process personal data within the EU or EEA. Processing of data outside the EU or EEA is governed by the EU standard contractual clauses (2010/87/EU), which the partner is required to sign and adhere to. The list of subcontractors will be updated in the event of a change or update. Therefore, customers are advised to visit these pages periodically if they wish to review the current information. In case of major changes, we will also separately invite you to visit these GDPR pages.
Due to the nature of the subcontractors’ services, it may not be possible to design customer-specific exceptions, or doing so may carry a cost that renders such an alternative not feasible for either party. Therefore OpusCapita seeks to establish and maintain technology and service partners with sufficient security and service levels to serve the whole customer base. Any customer non-acceptance of a sub-contractor, or any security issue that stems from a company-wide technology or infrastructure choice or that otherwise cannot reasonably be adapted to by OpusCapita, will therefore need to be resolved by the customer discontinuing the use of the particular service in question.
Here you find the current general descriptions of the technical and organizational measures that OpusCapita is taking to ensure data privacy and data security. OpusCapita is constantly developing its platforms and processes to respond to the evolving information security and regulatory requirements.
In the future you will find here more detailed summaries per OpusCapita product and service, addressing the key issues that are relevant from a GDPR compliance point of view. Depending on which product or service your company is using, you can focus on the ones that are relevant for you. The product-specific information supplements the general descriptions found on this main page.
Cash Management Product Statement
Product Information Management Product Statement
eProcurement Product Statement
Invoice Receiving Product Statement
Invoice Sending Product Statement
Business Network Portal Product Statement
Invoice Automation Product Statement
OC Archive Product Statement
B2B Integration Service Product Statement
Please review the information below and then check the appropriate box/boxes as a sign of your review and approval. This information helps us to serve you better and contact you if you need help.