At Oomnitza, we understand the value of data and the importance of protecting it.
As of May 25, 2018, the new General Data Protection Regulation (GDPR) protects the rights of Europeans to access and control their personal data. At Oomnitza we’re working across our organization to ensure compliance with the GDPR and other privacy laws like the California Consumer Privacy Act (CCPA), and understand that our customers will want to know how they can configure Oomnitza products and services in a way that will help them with their own compliance efforts.
This guide describes how certain features and functionality in Oomnitza products can assist with your obligations under privacy law, for example, as a data controller under the General Data Protection Regulation (GDPR), or as a business under the California Consumer Privacy Act (CCPA). Oomnitza is considered a third-party data processor under the GDPR, and a service provider under the CCPA, because it handles the personal data or personal information of its customers' end-users on behalf of its customers (or subscribers).
Data controllers and businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law.
When reviewing the compliance of data within Oomnitza, keep in mind that much of the data stored in Oomnitza is derived from underlying systems such as your HR system, Single Sign-On system or client management tool. It is therefore essential to verify which system of record each data element originates from, and to update or delete the information in that originating system rather than in Oomnitza, because Oomnitza only displays a copy of such data. Furthermore, Oomnitza is typically a company-internal tool that stores information about employees and possibly contractors. You should therefore also review your employment contracts and your statements of work with contractors regarding the ability to store any such information.
What PII data is stored within Oomnitza?
The data stored within Oomnitza depends on how the system is configured. Customers may extend the default data model by adding fields, for example to the user object, that may store PII data. It is therefore highly advisable to review your specific configuration for any PII data that may have been added to your instance of Oomnitza. For that reason, we can only outline the PII data that is part of the default implementation of Oomnitza and how it is used in that default.
The minimum information needed to fulfill the business purpose of the Oomnitza system is the user's name and email:
- The user’s name is part of the user information and exists in Oomnitza for asset association/assignment.
- The user’s email is part of the user information and is used for workflow and saved-search notifications that must be sent to a given mailbox.
You may have additional PII data as follows:
- User’s Phone: This field is completely optional, and may be used for a holistic overview.
- User’s Address: This field is completely optional, and may be used for a holistic overview.
- User’s Location: This field is completely optional, and may be used for a holistic overview.
Meeting an access obligation
Individuals from certain regions have a right of access. On request, you may have an obligation to inform an end-user or agent where their personal data is being held and for what purposes.
If a data subject requests a copy of their personal data, you can either grant that user access to the Oomnitza web application or export the user’s data from the People tab in Oomnitza.
Meeting a correction obligation
Individuals from certain regions have a right to rectification, or the right to have inaccuracies in their personal data corrected. On request, you may have an obligation to provide the individual with their personal data and fix inaccuracies or add missing information.
Both help desk users/agents and administrators can access and update user data in Oomnitza. End users can also access and update some of their personal data.
If an end-user or agent requests their personal data, you can export the data from the People tab in Oomnitza.
Meeting an erasure or deletion obligation
Individuals from certain regions have a right to erasure, or the right to be forgotten or deleted. On request, you may have an obligation to delete the personal data of an individual.
The workflow for deleting the personal data of an end-user or agent is as follows:
- Delete personal data from the originating system.
- Sync the updated data into Oomnitza.
- Delete the end-user or agent from Oomnitza.
Meeting a data portability obligation
Individuals from certain regions have a right to data portability. On request, you may have an obligation to provide an individual with their personal data or to transmit the data to another organization.
To accommodate this, you can export a user’s data from within the People tab in Oomnitza.
Meeting the objection obligation
Individuals from certain regions have a right of objection, or the right to object to direct marketing. You may have an obligation to stop processing personal data for direct marketing purposes when you receive an objection from an individual.
If you get an objection from an individual about the notifications sent by Oomnitza, you can stop all notifications by removing the user’s email subscription within Oomnitza. The user can also control this themselves by following the unsubscribe link from within the notification he or she received.
This document is for informational purposes only and does not constitute legal advice. Readers should always seek legal advice before taking any action with respect to the matters discussed herein.