This article provides a quick summary of how One Model adheres to GDPR as a data processor and supports customers in their obligations as data controllers. Topics are called out under headings below with reference to specific articles of the General Data Protection Regulation (GDPR) were appropriate. An easy to navigate text of the GDPR can be found here: https://gdpr-info.eu/
Processor and Controller (Articles 24 and 28)
One Model is a data processor. Our customers are data controllers. One Model does not process data except on instructions from customers. One Model will process data according to a mutually agreeable Data Processing Agreement (DPA).
Data Collection (Articles 13 and 14))
One Model processes data collected through other systems and thus does not play a role in obtaining or recording the consent of the data subject.
Geographic Hosting (Articles 44 to 49)
One Model uses Amazon Web Services (AWS) for hosting. We can host the solution in an AWS region that aligns with your company’s GDRP compliance programs. For example, hosting in the EU if desired.
Data Subjects and Nature of the Data to be Processed (Articles 5 and 6)
One Model only processes data that is provided by our customers and which our customers permit One Model to process. The specific sources of data integrated within One Model varies by customer. Typically, however, the data subjects affected by processing include employees, applicants, and contractors. Other data subjects may be included depending on the project.
The data processed typically includes personally identifiable information like name and email, along with employment data such as recruiting, performance, training, work location, job changes, etc. Again, the exact nature of the data to be processed will vary by customer.
Security of Processing (Article 32)
As a processor of data, One Model takes appropriate measures to ensure the security of data processing.
Customer data is encrypted at rest and in transit.
One Model restricts customer data access to those employees who are required to have access in order to support the customer.
One Model provides advanced role based security features within the solution, giving customers fine-grained control over who can access specific categories of data (columns), specific records (rows) and at what level of detail.
One Model maintains backup and data validation processes in order to ensure the availability and integrity of data, as well as disaster recovery processes to ensure that availability can be restored in the event of a significant incident.
One Model employees are required to participate in data security training and adhere to data security policies.
One Model maintains separate databases per customer (single tenant) and has appropriate policies in place regarding identification and handling of customer confidential data.
Supporting Data Controllers in their Responsibilities (Articles 12 - 24, 32 - 36)
One Model supports its customers in their responsibilities as data controllers. This includes timely notification to the controller in the event of a data breach and prior consultation regarding data processing techniques which may result in a high risk of non compliance.
This also includes supporting controllers in responding to data subjects who choose to exercise their rights to data access, rectification, and erasure (right to be forgotten).
One Model will act promptly in the event that a customer informs us that a data subject requires a copy of their data, a modification to their data, or to have their data erased. Oftentimes, these data modifications will occur naturally in One Model, provided the requested changes have been made in the source data system. However, One Model will provide additional assurance or take additional actions as needed.
Data Protection Officer (Article 37)