GDPR roles and definitions relating to Ultria:
GDPR applies to both Controllers and Processors that are established in the EU and also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU (irrespective of whether a payment is required) or the monitoring of the behavior of individuals as far as such behavior takes place within the EU.
GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, and the obligations and rights of both parties.
Article 4 of the EU GDPR defines data controllers and data processors as follows:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
In other words, the data controller determines the purposes for which, and the means by which, personal data is processed, while the data processor processes personal data only on behalf of, and on the documented instructions of, the controller. The data processor is usually a third party external to the controller's organization.
In general, the controller assumes responsibility for all personal data collected and must ensure that rights of the data subject and the controller’s own legal obligations are also covered by the processor.
The Data Processing Agreement is important so that both parties understand their responsibilities and liabilities. In Ultria's case, our customers are the data controllers when they use Ultria applications (the Source to Pay suite of procurement performance solutions), and Ultria acts as a data processor on behalf of the customer under the terms of a Data Processing Addendum.
ULTRIA'S DATA PROCESSING AGREEMENT (DPA)
Ultria's Data Processing Agreement terms are designed to ensure that the processing carried out by Ultria as a processor meets all the requirements of the GDPR, not only those related to keeping personal data secure. Having a DPA in place that contains the terms required by Article 28 is how we evidence our compliance with the GDPR to our customers.
PREPARING FOR EUROPE'S BIGGEST EVER CHANGE TO DATA REGULATIONS – How Ultria is getting ready for GDPR
At Ultria we maintain a security program designed to protect the data of our prospects and customers against compromise. We know that security is crucial to you; it is therefore our top priority and fundamental to the successful operation of Ultria. We devote significant resources to continually improving our security infrastructure so that our customers' information remains secure and private.
Standards and Specifications:
Ultria relies on SOC 2 Type I and Type II audits and reports to build trust and confidence. A SOC 2 Type I report gives an independent auditor's opinion that, at a point in time, Ultria's controls are suitably designed to meet the AICPA Trust Services Criteria in scope (security, availability and confidentiality). A SOC 2 Type II report covers the same controls over a review period and, in addition, tests and reports on their operating effectiveness during that period, which makes it the more comprehensive of the two. With our SOC 2 audit reports we can demonstrate to our customers that we meet demanding requirements for the security, availability and confidentiality of their information.
Ultria also follows the ISO/IEC 27001:2013 ISMS standard, and our policies and procedures are based on that framework. Ultria is in the process of incorporating a GDPR compliance management structure into our current ISMF, which is cross-functional and represents all key areas of the business. The current ISMS risk management process is also under review so that privacy risk management is incorporated alongside information security risk.
Key pointers surrounding GDPR pertaining to Ultria
Access to Data
- Personal data can be accessed only by a user who has been authorized through Ultria's authorization mechanisms.
Right to Rectification
- Personal data held in a user profile can be edited or corrected during the contract period, so that the customer, as controller, can act on a data subject's request for rectification.
Erasure of Data
- Ultria deletes all customer data upon termination or expiry of the contract.
Authorization and Disclosure control
- Customers can manage authorization, authentication and role-based access control within Ultria's solution.
Privacy by Design and by Default
- GDPR requirements and standard security guidelines are taken into account in the design and development of every feature.
Data Breach Notification
- Ultria, as processor, is obligated to notify the affected customer of any personal data breach without undue delay, and within 72 hours of becoming aware of it, so that the customer can meet its own notification obligations as controller.
Subprocessors, Records and Accountability
- Ultria ensures ongoing subprocessor compliance through its corporate standard purchasing processes, which include subprocessor contract vetting and assessment of security risks, in accordance with the DPA.
- Ultria keeps records of processing activities as required of data processors under the GDPR, to help customers fulfil their own obligations.
- Ultria maintains ongoing accountability activities: regular risk assessments and security assessments of applications, network and IT infrastructure; documented security programs and policies; and regular security training.
Data Subject Rights
- Ultria assists customers with privacy-related questions and with queries about the security of personal information, including those that arise from data subject requests.
Personal Data Processing
As a cloud solution provider, Ultria implements the appropriate accountability measures and technical controls. These include maintaining records of processing activities and carrying out assessments of the privacy impact of processing.
Ultria abides by the Data Processing Addendum (DPA) as an integral part of the customer contract. The DPA provides data protection assurances to the customer, including the standard contractual clauses incorporated into the contract.
Ultria employees are required to complete data protection and privacy/security awareness training annually; this training covers privacy principles and security topics.
Ultria solutions protect the confidentiality, integrity and availability of customer data, and the accountability activities described above are maintained on an ongoing basis.