General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world

The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs). GDPR covers the European Economic Area (EEA).

Roles in GDPR

The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:

• Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.
• Data subject — The person whose data is processed. These are your member, customers or site visitors.
• Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles subscription data, this is you.
• Data processor — A third party that processes personal data on behalf of a data controller. This is Us (Upodi red.).
• Data processing — Any action performed on data, whether automated or manual. This is what Upodi does as a data processor on your behalf, as the data controller.

Transfer of personal data outside EEA

The GDPR does not require that data processing activities are limited to the EU, but regulates the transfer of personal data outside of the European Economic Area (EEA). In order to do that, the GDPR provides for different transfer mechanisms.

Upodi ensures the protection of our customers' data from end to end through the implementation of strong technical and organizational measures including, our data retention periods, data storage and transfers, and encryption protocols. All of which are publicly available under the principles of accountability and transparency we prioritize as part of the Visma group.

We also have in place EU Model standard contractual clauses in our Data Processing Addendum, and in place with all our vendors to ensure any data transfers are done properly and securely.

Requirement of data processing agreement

If you are a data controller, the GDPR requires that you enter into an agreement with your data processors. This agreement is referred to as “Data Processing Agreement" and sets out how a controller and a processor meet the requirements of the GDPR.

You can enter a Data Processing Agreement agreement with Upodi here.

We leverage third-parties in the processing of personal data. These entities are commonly referred to as “sub-processors". We use cloud infrastructure provider Microsoft to host Upodi. As required under the GDPR, we have put in place appropriate measures with our sub-processors that will allow us to secure the personal data we process on your behalf.

If you are one of our customers, use the above form to get a DPA, and we will include an exhaustive list of the sub-processors we use.

Should I avoid storing any data then?

The simple answer is NO. GDPR is about explaining the use of the data, not prohibit the storing the data. In addition, there are several country specific laws that might require that you store data. Examples of these are the Act of Bookkeeping ("bogføringsloven") in Denmark, similar used in the Nordics.

Any subscription business store various data on its members, users and/or tenants. Most of these data are not subject to the scope of Personal Data.

Safe data to store

To allow proper invoicing and payment processing, storing the following information is a minimum requirement:

• Name and/or company name.
• Address, zip, postal and city.
• Country.
• Email address and/or phone number.
• Customer number, id or identification.

Unsafe to store

Though Upodi provide the ability to store any type of data, we suggest to avoid storing the following Personal Data:

• CPR, citizen, personal number
• Biometrics information such as shoe-sizes, clothes-sizes, food and allergies preference
• Medical information
• Any health oriented information

Should you require to store some of these data due to the nature of your subscription business, allow us to help you with a data termination service as part of Upodi, which cleanses data from dormant and cancelled members, users and/or subscriptions.

Acting on request

Moreover you must document, explain and act on the data subjects’ privacy rights:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

Our API allow you to retrieve the full dataset of any member, enabling you to provide the full data overview on request.

Data residency

When creating a Upodi tenant, you specify a geography (not a data center). All tenant data stored by Upodi at rest are retained in that geography. Data may transit or be processed in other geographies subject to your configuration (typically application integrations and payment providers), however core components will be retained in the region for processing subject to our DPA.

The list of geographies you can choose from includes:

• EU (primary Ireland, secondary Netherlands). This is our default location.
• US (primary east cost, secondary west cost)

Communication to your customers

By default, no communication will be processed to your customers. However, you may configured to setup email templates and/or assign domains. This will trigger email communication from our service to your customers.

Email communication is ephemerally processed using our sub processor, Mailgun by Sinch. Email communication will be processed in the resource's Data Location specified by you during tenant provisioning (EU or US).

Email communication delivery logs are available in Upodi. Domain sender identification (from data) are stored in the resource's Data Location until explicitly deleted. Recipient's email addresses that result in hard bounced messages will be temporarily retained for spam and abuse prevention and detection.

👍

You are not obligated to use our email communication infrastructure

You can void setting up any email templates in the platform. This will result in no email communication from Upodi to your customers on your behalf.

Communication to you

Our service provide email communication to you from type to type. Examples include password reset, invitation for users etc. System email communication is processed by Mailgun by Sinch in our EU geography, regardless of your choice of data location of your tenant. There is no opt out.

We work committed to reduce the data included in system emails, and limit the scope to full name of user and tenant.

Payment processing

Upodi integrate with many payment providers. Residency of payment provider data, follow the data processing requirements of said payment provider. We certify each payment provider annually, and will only process the minimum required data to fulfill the payment request (typically a token only).

No customer details are transferred onto the payment provider. Please consult the data processing agreement of your payment provider before engaging Upodi.