Instructions for preparing a privacy policy - Product Data Management software Vertex

With the entry into force and application of the General Data Protection Regulation (GDPR), special attention must be paid to the processing of personal data. The purpose of the regulation is to protect individuals and afford them rights. For different organizations, the regulation provides an opportunity to inventory existing data repositories and develop a sustainable approach to storing accurate, up-to-date, and crucial business information. As data storage capacity multiplies, the accuracy of information becomes critically important. Moreover, various systems storing data may overlap, leading to potential inconsistencies.

The following text describes what should be considered when preparing documentation for Vertex Flow, a product data management tool, in compliance with the GDPR. A centralized product data management system provides the opportunity to build inherent and default data protection measures for safeguarding personal data and other sensitive information, such as copyrighted material.

For detailed descriptions of registry and privacy policies, please visit the Data Protection Ombudsman's website at http://tietosuoja.fi

Data Controller

The data controller for the product data management software is the organization (company or entity) that owns the usage rights. Vertex Systems Oy acts as the technical administrator of the software under a separate maintenance agreement but does not act as the data controller.

Company Name, Business ID

Address

Contact Person for Registry Matters

The designated person responsible for inquiries related to the personnel registry of the product data management product within the organization is:

Name

Contact Information (including email, phone number)

Registry Name

The name of the registry, which identifies the system and describes its purpose as accurately as possible, is Vertex Flow Product Data Management Software.

Purpose of Processing Personal Data

User Data The purpose of processing personal data in Product Data Management Software is the management of user information within the software. Personal user accounts are required for using the software. The data controller creates user accounts and assigns them to the user(s) for the performance of their service relationship or work duties.

Other Personal Data

Personal data may also be stored in the information management system for purposes other than user management. The system can be used similar to a CRM system for managing customer information through project, product, or customer objects. This customer information may include names and contact details of individuals that have arisen from customer relationships or other activities. The information management system can also serve as a separate repository for registries containing personal data (e.g., Excel-based tables containing personal information). The information management software may be connected through technical interfaces to other information systems. These include Vertex CAD integration, LDAP user management, ERP enterprise resource planning integration, or a separate general information management interface. Through these interfaces, personal data related to users or other personal data (e.g., CRM usage) can be transmitted. The purpose of processing this personal data may include managing, maintaining, developing partner or customer relationships, or providing various types of services.

Register Data Content

Regarding user data within the system:

• User information: username, name, email address, and possibly other information related to user groups and organization.

• Product data management software archival information (e.g., document creator or modifier): name, date, and time.

• Historical data of actions performed by users in the product data management software (e.g., user log, example actions: viewing a document, editing a document, creating a new document): username, date, time, IP address.

• Application server log data: IP address, date, and time.

The content of other personal data may vary depending on the implementation method. Typically, project or customer records include a designated contact person as well as email, phone, or address details. Information stored about individuals should be specified (e.g., name, address, phone number). Use cases for personal data may include buyer personal data recorded for Flow's product unit or information about individuals involved in a project. It is in the data controller's interest to store only necessary information in the system that is not otherwise available. This minimizes the existence of duplicate or conflicting information.

The data content does not involve automated profiling or further processing of personal data by the information system.

Regular Data Sources

Data in the Vertex information management system is collected as a result of the data controller's operations, such as establishing a work or customer relationship. The information may be obtained directly from the data subject or from other systems. If the company's other systems are integrated into the Vertex information management system and data is transferred automatically between them, this is considered data disclosure (data obtained from elsewhere). If such integrations are implemented, the details of these integrations should be described in this section.

Regular Data Disclosures

Data Disclosure to Partners

If your company grants access to the Vertex information management system to subcontractors or other partners, describe how data is disclosed to them. We recommend establishing terms of use agreements with partners before granting access to the system or updating existing agreements with current partners to clarify liability issues. By default, data from the Vertex information management system is automatically disclosed only to Vertex CAD systems. Such data includes designer and customer information transferred to project cards, for example.

System Integrations

If your company has integrated other systems into the Vertex information management system, regular data disclosures may occur in this context. If such integrations are implemented, details of these integrations should be described here.

Transfer of Data Outside the EU or EEA

Are personal data transferred outside the European Union or the European Economic Area? If Vertex information management system users are located outside the EU, data transfers to outside the European Union or the European Economic Area may occur as described in this section.

Principles of Register Protection

The Vertex information management system is installed on a server designated by the organization that owns the usage rights. In this context, it is ensured that access to user data is restricted to system administrators only. Users must log into the system with personal credentials, and their usage can be monitored through various means, including user log data. User log data records actions performed by users at specific times, such as viewing or editing specific documents. Ensure proper backup of the system and retention of backups in an appropriate manner. If the system is accessed from outside the local network, connections should be secure (e.g., using HTTPS or VPN) and users' passwords should be sufficiently strong.

The system may store information or documents that may contain personal data subject to data protection regulations. In the case of such documents, system users should consider the necessity and appropriateness of the information. However, if a document is stored in the system, users must restrict access rights appropriately using the system's access control features. These actions help prevent unintended or deliberate illegal modification or destruction of information.

Describe the principles of system protection at a level that ensures security without compromising it, avoiding overly detailed descriptions.

Right of Access and Right to Request Data Correction, Rectification, or Deletion

Under the GDPR, the data subject has the right, with certain exceptions, to request correction of their data and the right to request deletion, also known as the right to be forgotten. Vertex information management software may retain personal data on a case-by-case basis for archiving purposes in the public interest. This data may include personal user information within the system, even if the person's employment has already ended. Specify here how requests should be made and where they should be addressed. For example, requests can be submitted in writing to the data controller.

Other Rights Related to the Processing of Personal Data

According to the GDPR, explicit consent from the data subject is required for storing data in the registry. If the system is used similar to a CRM system, explicit consent must be obtained from individuals whose data is to be stored in the system. This consent must be verifiable - when and how the consent was obtained. Consent can be requested, for example, via email, which will be saved and linked to the personal data.

Children's Privacy

Children under 16 years of age have special privacy considerations that must be addressed in the privacy notice. This situation may arise, for example, if your organization hires summer workers and/or trainees with access to the system.