OpusCapita GDPR compliance support for customers

The introduction of the EU General Data Protection Regulation (GDPR) has been the most significant change in data privacy regulation in 20 years. For those to whom the GDPR is still new, we recommend getting familiar with its general contents and purpose, especially the roles and responsibilities of the data controller (GDPR Article 24) and the data processor (GDPR Article 28).

Here you will find documents and updates intended to support GDPR compliance in cooperation with our customers. These pages will be updated periodically to reflect the latest changes and developments in OpusCapita GDPR information and are provided as a free service to OpusCapita customers to help them maintain their respective GDPR compliance records.

Compliance with GDPR

OpusCapita acknowledges that customers have entrusted us with the processing of their personal data and seeks to ensure that the legal obligations that apply to our customers (as data controllers) and to OpusCapita and its sub-contractors (as data processors) can be complied with.

To ensure this, OpusCapita as a processor has taken the following measures and is continuously optimizing them:

  • OpusCapita services have been compliant with the EU member state legislation that implemented Directive 95/46/EC. 
  • OpusCapita pursues a group-wide program to comply with the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679). 
  • OpusCapita carries out the necessary GDPR compliance training, including compulsory training for all personnel on the code of conduct, data protection and data security. 
  • OpusCapita has been making the necessary changes to internal processes (e.g. relating to record keeping on processing activities and data lifecycle management), and has undertaken detailed data mapping activities and, where necessary, Data Protection Impact Assessments. 
  • Because certain underlying service elements are outsourced to partners, OpusCapita has updated the supplier agreements where necessary and verified the subcontractors’ security controls and GDPR compliance.
  • In addition, updates have already been made to the OpusCapita general terms of agreement, supplier agreement processes and data processing agreements, and to other internal and external legal and compliance materials.
  • OpusCapita aims to help its business partners document the personal data processing end-to-end by providing a Data Processing Agreement designed for OpusCapita services, so that the customer, OpusCapita and its sub-processors can fulfil their legal requirement to document and agree in writing the necessary details concerning the processing of personal data.
  • OpusCapita has appointed local Data Protection Officers where required by applicable regulations.

The key instrument to structure and manage GDPR compliance between customers (data controllers) and their suppliers (data processors) is the data processing agreement. OpusCapita customers can take care of the contractual documentation required for GDPR compliance by executing the data processing agreement (DPA). The primary responsibility to define the scope, content and purpose of processing in the DPA is on the data controller (OpusCapita’s customer). OpusCapita’s DPA has been designed for our products and services so that customers do not need to add any further details, but can just print it out, sign and return to the dedicated email address.

How to submit your Data Processing Agreement

Below, you find the GDPR-compliant data processing agreement designed for OpusCapita customers. It also contains the information required by the GDPR as pre-configured generic information, which you are requested to check. Please note that due to our limited resources we are not able to review and comment on customer-specific data processing agreements, and we strongly recommend the use of our DPA, which is available in several languages.

Please fill in your company details, print, sign and send a PDF copy of the completed DPA with annexes, together with your return address, to this email address: DPA@opuscapita.com, so that we can countersign it and send it back to you.

You can supplement the DPA with attachments containing additional information necessary for your DPA compliance records (the list of subprocessors and the TOM, i.e. the description of technical and organisational information security measures).

Purpose and elements of Data Processing Agreement

OpusCapita processes personal data on behalf of its customers based on the services agreements that we have signed with the customers. Most customer agreements already contain high-level data protection provisions setting out the roles and responsibilities of the customer as the data controller and OpusCapita as the data processor, and the mutual obligation to comply with data protection legislation. The data processing agreement you find on this page supplements the services agreement and includes the additional details required by the GDPR.

OpusCapita standard terms of agreement contain specific data protection terms that enable OpusCapita and its customers to comply with the GDPR requirements. If you have purchased services from OpusCapita based on the above-referred OpusCapita standard terms during 2017 or thereafter, you are already covered by the GDPR contractual framework, and your contractual documentation can be completed simply by supplementing it with the additional information using the templates found on these pages. Alternatively, you can download and sign our DPA.

It is the customer’s responsibility to analyze what kind of personal data and documents they provide to and process with OpusCapita systems and services, and to ensure that they are entitled to provide such data for processing by OpusCapita.

Accordingly, the customer should, as part of the services agreement with OpusCapita or by a subsequent DPA, ensure that the agreement sets out

  • the subject matter and duration of the processing,
  • the nature and purpose of the processing,
  • the type of personal data and categories of data subjects, and
  • the obligations and rights of the customer as the controller, together with the related data processing instructions, in accordance with the requirements of the GDPR and other applicable data protection legislation.

This site is designed to help you with this analysis by providing the DPA and related documentation.

What kind of data is processed by OpusCapita?

The subject matter and purpose of the processing, both towards the customer’s own clients and for the customer’s internal purposes such as personnel and suppliers, should be defined by the customer when they enter into the services agreement with OpusCapita. OpusCapita will process the data as part of the predefined services in accordance with the services agreement and the DPA.

Typically, the personal data is end user identification data used to administer access to and operation of the OpusCapita services purchased by the customer. The second layer of personal data relates to the data used by the customer’s finance and procurement functions, namely the Source-to-Pay or Order-to-Cash processes. In many cases this data is embedded in such a way that it cannot be directly and electronically identified as personal data. One example is personal data incorporated in the scanned image of incoming purchase invoices that we process and forward for you. Such data may also be included in other electronic messages that we process between our customers and their business partners in our messaging platforms, and in the eProcurement and Portal solutions we provide for our customers’ use as a service (SaaS or cloud services).

Data subjects and categories of data

As the subject matter of the processing is Business-to-Business invoices, electronic messages and related payment data, in the vast majority of cases the personal data is of a basic, non-sensitive nature and does not contain any special categories of personal data in the meaning of the GDPR. The persons concerned (data subjects) are mainly employees or contractors of the customer, or those of the customer’s client or supplier.

Typically, the personal data that is processed relates to user rights administration and monitoring in a cloud service, such as the customer’s employees’ or contractors’ name, title, user ID, email address, telephone number or other such basic identification data that is needed to establish and maintain the customer relationship, the user accounts and logs, and to provide secure end user access to the cloud service. Name and title may also appear as the contact person on the invoices being processed, and as inspectors and approvers of the invoices in the invoice workflow solutions. Such information originates from customers, is necessary to operate the solution and to fulfil the purpose of the services agreement, and is in most cases entered into the process and solutions by the customer’s own personnel.

The duration of the processing is equal to the term of the services agreement. In the majority of cases the agreements are entered into for an indefinite period and can be terminated by either party, unless procurement rules have required a fixed contract term.

Unless the customer has purchased archiving services, or a longer data retention period is an element of the service according to the service description, or a different process is separately agreed, the customer data is deleted from OpusCapita platforms and facilities after the processing and the service quality assurance and monitoring tasks regarding the relevant batch of customer data have been successfully completed.

List of subcontractors (subprocessors)

Below, you find the general list of the third parties that participate in data processing activities for most of the services provided by OpusCapita. The listed subcontractors (subprocessors) process personal data as part of the services provided to OpusCapita’s customers. These are typically data center providers and data infrastructure providers. Product-specific lists of subcontractors will be made available upon request regarding providers of specific technical services, such as digitizing in a specific country within or outside the EU. Processing of data outside the EU or EEA is governed by the EU standard contractual clauses (Commission Decision 2010/87/EU), which the partner is required to sign and adhere to. The list of subcontractors will be updated in the event of a change or update. Customers are therefore advised to visit these pages periodically if they wish to review the current information. In case of major changes, we will also invite you to visit these GDPR pages, or you will receive a separate notice in our service portal.

Customer-specific exceptions

Due to the nature of the subcontractors’ services, it may not be possible to design customer-specific exceptions, or doing so may carry a cost that renders such an alternative infeasible for either party. OpusCapita therefore seeks to establish and maintain technology and service partners with sufficient security and service levels to serve the whole customer base. A customer’s non-acceptance of a subcontractor, or any security issue stemming from a customer’s company-wide technology or infrastructure choice or that otherwise cannot reasonably be adapted to by OpusCapita, will therefore need to be resolved by that customer discontinuing the use of the particular service in question, as stipulated in the DPA.

Important documents

Technical and Organisational Measures (TOM)

General descriptions of the technical and organisational measures that OpusCapita takes to ensure data privacy and data security.

Go to TOM

List of subprocessors

Third parties that participate in activities on processing personal data as a part of the services provided to OpusCapita’s customers.

Open list

Data Processing Agreement

GDPR-compliant data processing agreement designed for OpusCapita customers, with the information required by the GDPR pre-configured for you to check.

Download

Product Statements

Further details on how OpusCapita products and services support customers’ GDPR compliance.

Here you will find detailed summaries per OpusCapita product and service addressing the key issues that are relevant from a GDPR compliance point of view. Depending on which products or services your company uses, you can focus on the ones that are relevant to you. The product-specific information supplements the general descriptions found on this page.

FURTHER INFORMATION

If you are not able to complete and sign the Data Processing Agreement (DPA) found on these pages without additional assistance, please send an email to DPA@opuscapita.com with your contact details and specific request, so that we can assist you.

(OpusCapita needs the contact information you provide to us in order to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, see our Privacy Policy.)