GDPR (General Data Protection Regulation) became effective as of May 25, 2018. The GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.
Our commitment to the GDPR
Our policy is to respect all laws that apply to our business and this includes the GDPR. We are committed to helping our customers stay in compliance with GDPR and/or their local requirements.
- In addition, here are a few things that our group is committed to doing to ensure our compliance with GDPR and that of our customers:
Where we are transferring data outside of the EU, we commit to having the appropriate data transfer mechanisms in place as required by GDPR.
- Commitment to follow the appropriate security measures and precautions in accordance with GDPR and other privacy laws outside of the EU.
- Notification to regulators of breaches and promptly communicating any breaches to customers and users.
- We will ensure that employees authorised to process personal data have committed to confidentiality.
- Annual risk assessments on all vendors, processors and sub-processors to ensure the highest level of security and data processing frameworks including GDPR compliancy.
- Where appropriate, we will offer contractual language documenting our commitments to our customers to support their GDPR obligations.
- You have a direct contact for data protection and GDPR, the Data Protection Officer. For any questions, please contact: firstname.lastname@example.org
Our role under the GDPR
We act as a data controller for your company data. We’ve mapped out everywhere your data exists and how it moves throughout our systems.
- Privacy. We’ve taken a very deliberate approach to respecting our clients’ privacy. We only collect the data we need at any point to provide the promised services. We have implemented privacy by design to ensure the collection and retention of data is minimized to only what is critically needed.
- Data Categories. We categorize the data we collect and receive in the following ways: Client Company Data and Worker Data.
- Client Company Data. This category of data relates to information specific to the account-holding company that is using the services of our entities within the group. We only collect the minimum required data to provision and operate your account. In addition to provided data, we also collect application-specific information such as your IP address(es). This information is used to provide diagnostics for support and to protect the system from unauthorised use.
- Employee Data. Any employee data collected is to provide the contractual services to the client company. The standard set of data collected is derived from the minimum requirements to perform the services that which have been contracted to do. Employee data is, if configured as such using an API, be used for facilitating payroll processing and HR services. Application-specific information, such as your IP address(es), is collected and used to provide diagnostics for support and to protect the system from unauthorised use.
Frequently Asked Questions
We have implemented many systems and security measures to ensure data remains safe in transit and at rest, this always being encrypted. The infrastructure has been architected and designed with security and privacy at the forefront. All data resides on “private” networks and are not directly attached to the internet. A layered security model is in place and is configured as per industry best practice. The group engages third party penetration testing consultants that regularly review and test the environment.
- The right to be informed – The data subject has the right to be informed about what personal data has and is processing about him/her.
- The right of access – The data subject has the right to full and instant access to all personal data relating to him or her.
- The right to rectification – The data subject has the right to the rectification of any inaccurate data concerning him or her.
- The right to erasure – The data subject has the right to erase any or all data the controller has of the subject without any undue delay.
- The right to restrict processing – The data subject has the right to restrict/inform the controller how, what and when their personal data is processed for.
- The right to data portability – The data subject shall have the right to receive personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transit those data to another controller without hindrance from the controller to which the personal data have been provided.
- The right to object – The data subject shall have the right to object, on grounds relating to his or her situation, at any time to processing of personal data concerning him or her.
- The right in relation to automated profiling – The data subject has the right to decline controllers to use their personal data for automated decision making and profiling. The controller must offer an option to the data subjects if they wish to use personal data for this.
*Please note that not all rights can be exercised if the following applies:
- There is a legal obligation to process the data in question through the EU or member state law to which the controller is subject to or it is a risk that needs to be carried out in the public interest or in the exercise of official authority vested in the controllers.
- There is a public interest in the area of public health.
- In case of archiving in the public interest, for scientific, historical research or statistical purposes insofar as the deletion of the requested data might seriously impair the achievement of the objectives of that processing.
- The data is needed to establish, exercise or defend legal claims.
To exercise any of your rights above please contact: email@example.com
To place a data subject request or any other questions relating to the use of your data please email: firstname.lastname@example.org