XTRF system compliance with GDPR
What is GDPR, and why should I care?
GDPR stands for General Data Protection Regulation. It is a regulation adopted by the European Parliament and the Council of the European Union that aims to improve data protection for all individuals within the European Union by making the rules well-defined and uniform across all EU member states. Its goal is to give people back control over their personal data.
GDPR has been legally binding since May 25th, 2018.
If you process the personal data of individuals in the EU, for example because you cooperate with clients, vendors, or employees based there, you must consider GDPR when running your business.
Is the XTRF system GDPR ready?
XTRF provides functionality that helps your company meet the requirements of the regulation. The following functions support its provisions:
Accessing and correcting personal data by clients and vendors via the Client Portal and the Vendor Portal.
Erasing personal data from the XTRF system upon request by the data owner (client, vendor, or employee).
Tracking consents from clients and vendors for processing of their personal data (by means of Custom Fields or Categories).
Exporting personal data to a structured, commonly used, and machine-readable format (CSV).
How does XTRF follow the Privacy by Design principle?
GDPR encourages organizations to take a ‘privacy by design’ approach, which means that privacy and data protection should be a key consideration of any project, both in its early stages and throughout its lifecycle. In XTRF, the design process plays a crucial role in system development and ensures high quality. Providing privacy and data protection to our clients and their partners has always been a key priority for us. For this reason, we have included a special phase in the design process to investigate how changes in system behavior may affect the privacy and security of personal data.
We have also defined three design principles strictly focused on GDPR:
The XTRF system must allow GDPR requirements to be fulfilled, but must not impose a particular way of fulfilling them.
The XTRF system may simplify the fulfillment of GDPR requirements by delivering functions that facilitate or automate GDPR-related operations, but these functions should be enabled only when specifically requested by the user.
The XTRF system may suggest and recommend to the user how to configure the system to meet GDPR requirements.
How is personal information protected within the XTRF system and infrastructure?
XTRF company acts as the data controller of the personal data of XTRF system owners (including your organization). When you use the XTRF onCloud service, XTRF company is also a data processor of the personal data of your partners. The XTRF system owner (your organization) is the data controller of its partners' personal data.
XTRF implements security procedures that help protect all data stored in the XTRF system against unauthorized access and other attacks. This applies to both services, XTRF onCloud and XTRF on-premises. Security mechanisms used by XTRF include:
Database access restricted by password authentication.
A file system with permission-based access restrictions.
Secure communication between a web browser and server via HTTPS protocol using a certificate signed by a trusted authority.
Regular off-site backups.
If you use XTRF on-premises, the security of the system also depends in part on the configuration of your own infrastructure, for example who can reach the database and file system, which certificate is used for HTTPS, and where the backups are stored.
What types of personal data can I store in the XTRF system?
The XTRF system can store personal data of your clients (client contact persons), vendors (vendor contact persons), and users (i.e., your employees). Depending on a person's role, different types of personal data can be provided and stored in their profile in XTRF.
Personal data types that can be stored in the XTRF system:
Name.
Gender.
Billing address.
Mailing address.
Phone/fax numbers.
E-mail addresses.
Department.
Position.
Contact languages, Native languages.
Social media identifiers.
Photos.
Payment methods (bank account data or other payment method identifiers).
Tax numbers.
Contract number.
HR Data.
Certificates, CVs, education, work experience, etc.
Username in other systems.
Languages, specializations, and rates.
IT Tools.
Vendor Holidays.
We advise against storing other types of personal data (e.g., credit card numbers) in the XTRF system.
Where can I store personal data in the XTRF system?
To simplify personal data administration (in accordance with GDPR), personal data should be stored only in specific areas and fields in the system. When stored properly, the data are secure and easy to track, export, or erase when necessary. We advise against storing personal data in any other place (e.g. free-text Custom Fields), because data stored elsewhere is not covered by the tracking, erasure, and export functions described on this page.
XTRF system areas where personal data can be safely stored:
Client and client contact person profiles.
Vendor and vendor contact person profiles.
Home Portal user profiles.
Project, quote, and opportunity displays.
Invoices.
CRM module.
Erasing personal data from the XTRF system upon the data owner’s request
According to GDPR, a person (data owner) can request to erase their personal data from a data controller's system. Being an XTRF user, you may be requested by your client, vendor, or employee to do so. XTRF allows you to erase the personal data of a client (client contact person), vendor (vendor contact person), or employee from the system, including:
Client, vendor, or employee profile.
Client or vendor contact person profile.
Projects, quotes, and opportunities.
CRM items.
History entries.
Additionally, it is possible to archive projects and quotes and move all associated files (including those containing personal data) to an external location, where they can be safely deleted. For details, see the Archive projects and quotes guide.
Invoices present a different case. Legal regulations (e.g. tax and accounting law) often require invoices to be retained for a longer period of time. For this reason, XTRF does not remove invoices together with the rest of a person's data; they can be erased separately, upon request by the data owner, once the retention obligation no longer applies.
The XTRF system can also temporarily hold some data (including personal data) internally for technical reasons (caches, logs, etc.). These files are short-lived and cleaned up regularly, so any personal data they contain is removed as part of that cleanup rather than persisting after an erasure request.
Tracking consent from clients and vendors for processing their personal data
Consent is one of the lawful bases on which a data controller may process personal data under GDPR. Where you rely on consent, every consent needs to be:
Unbundled.
Active opt-in.
Granular.
Named.
Easy to withdraw.
The XTRF system allows you to track consents from your clients and vendors via Custom Fields. You can name the Custom Field after the consent in question and introduce it as a checkbox or a simple 'Yes / No' dropdown scoped to clients, vendors, or contact persons. Alternatively, you can use Categories to mark clients and vendors who have given you their data processing consent. Note that a checkbox or Category records only the current state of the consent; since GDPR requires the controller to be able to demonstrate that consent was given, you may also want to record when it was given and to which version of your consent text, for example in an additional date or text Custom Field.
Exporting personal data to a structured, commonly used, and machine-readable format (CSV)
According to GDPR, personal data needs to be portable. This means it should be possible to export it to a structured, commonly used, and machine-readable format upon request by the data owner.
XTRF Smart Views (which, among other things, are used to display lists of vendors, clients, and their contact persons) offer an export function that can be used to satisfy the GDPR requirements. You can select one or more profiles and export their data into the CSV file format. For details, see the Data import and export guide.