GDRP Compliance Analysis

Last Updated: September 27, 2021

Under the GDPR, Uptomic is a Data Processor, and our customers are Data Controllers.

Service Statement

CV and Job Parsing and Formatting

Uptomic SaaS service does not store documents sent to it for parsing or formatting, nor does it store the results from such processing. All processing takes place in memory. Neither documents nor results are ever written to disk or any other persistent storage unless directed so by customers, in which case the storage is owned and controlled by the customer and not Uptomic. Typically processing time is less than 3 seconds, after which the memory is reclaimed.

GDRP Applicable Articles

The following sections identify articles from GDRP relevant to Uptomic Data Processor responsibilities.

Chapter 2 - Principles

Article 9 - Processing of special categories of personal data

Our software only processes data contained in the resume or CV and does not use any other data source or processing. Although resumes/ CVs may contain data that is referred to in paragraph 1, paragraph 2e exempts us from Article 9.

Chapter 3 – Rights of the data subject

Article 13 - Information to be provided where personal data are collected from the data subject

Uptomic’s formatting services provides data specified in the formatting template and available from the CV. This allows the data controller to output the provided data to exactly meet the formatting requirements.

Article 15 - Right of access by the data subject

Since Uptomic stores no data sent to its SaaS CV formatting Services, and retains no PII ever, the data controller never needs contact Uptomic to accomplish its duties under this Article, as only the data controller, not Uptomic, has any such data.

Article 16 - Right to rectification

Since Uptomic stores no data sent to its SaaS parsing and formatting Services, and retains no PII ever, the data controller never needs to contact Uptomic to accomplish its duties under this Article, as only the data controller, not Uptomic, has any such data.

Article 20 - Right to data portability

Uptomic CV formatting service provides output in the customer specified format. This makes the information documented and portable, helping data controllers meet the obligations of 20.1

Chapter 4 – Controller and processor

Article 28 - Processor

Uptomic does use other processors and provides their GDRP compliances statements on request.

Article 29 – Processing under the authority of the controller or processor

Uptomic provides no batch processing directly. Each transaction is initiated and directed solely by the data controller and processed by Uptomic only as instructed.

Article 30 - Records of processing activities

Article 30.5 exempts Uptomic from this article. All records are fully maintainable and reportable by the data controller.

Article 31 - Cooperation with the supervisory authority

Uptomic will cooperate with supervisory authority if requested.

Article 32 - Security of processing

Uptomic encrypts all traffic between servers and subprocessors.

Article 33 - Notification of a personal data breach to the supervisory authority

See Uptomic DPA.

Article 34 - Communication of a personal data breach to the data subject

See Uptomic DPA.

Article 37 - Designation of the data protection officer

Uptomic is exempt from needing this position but elected to appoint one anyway.

Uptomic’s Data Protection Officer  - Michael Galkovsky (michael@uptomic.co)