The General Data Protection Regulation (GDPR) is an EU regulation that has applied since 25 May 2018. GDPR restricts how businesses handle personal data, that is, any data that can be used to identify an individual. It does not govern data that cannot identify a person, such as purely company-level business information.
The GDPR uses some specific terminology. Data processing refers to almost any operation performed on personal data. A data processor carries out the processing on behalf of a controller. A data controller determines the purposes and means of the processing. A data subject is a person who can be identified from personal data. Personal data must be processed in accordance with the principles set out in Article 5 of the GDPR: six processing principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality) and the overarching principle of accountability.
PurelyHR takes data privacy and the security of our customers seriously. We are committed to maintaining high standards of data security, and our team works to ensure that all of our services comply with GDPR.
You are the data controller when you decide the "purposes" and "means" of any processing of personal data. In PurelyHR, the Account Administrator is the individual responsible for the employee data entered into and stored in the system.
Data controllers must adopt compliance measures covering how data is collected, what it is used for, and how long it is retained, and must ensure that individuals can exercise their right to access the data held about them.
Individual employees of our clients who wish to access their data, or to correct, amend or delete inaccurate data, should direct their requests to their Account Administrator (the PurelyHR customer). Account Administrators can update and remove all personal information and data without the involvement of PurelyHR.
While PurelyHR operates the majority of its services as a data processor, there are some instances in which we act as a data controller when working with Account Administrators and other third-party businesses. When PurelyHR processes data as a data processor acting on your behalf, your business must have its own lawful basis for processing the data and sharing it with us.
Our mission is to make data processing and controller compliance as painless as possible for PurelyHR customers. PurelyHR provides the following features to support GDPR compliance:
In the rare event of a data breach, our systems are set up to detect incidents and alert us. Once a breach has been detected, we will notify affected customers without undue delay, consistent with a processor's obligation under GDPR Article 33(2), so that they can take appropriate protective steps and meet their own notification obligations as controllers.
All PurelyHR users can view the personal data held about them in the system, unless an Account Administrator has manually set "Profile Information View" to MINIMAL in the Staff module's account settings. In that case, users can view only basic profile information (their name, email address, job title, hire date, department and office). To ensure that users can access all of their personal information, Account Administrators should verify that "Profile Information View" is set to ALL, which is the default.
Personal information stored in PurelyHR is self-editable by Data Subjects when the corresponding setting is enabled for employees. Account Administrators control this setting in the Staff module's account settings. Where a Data Controller chooses to restrict profile editing, Data Subjects must request changes from their Account Administrator, who can edit the information on their behalf.
The Data Controller retains control over each user's information. PurelyHR gives Account Administrators the ability to permanently delete disabled users from their account at any time, for example in response to an erasure request from the Data Subject. Note that this deletion is permanent and cannot be reversed.
The PurelyHR Marketing team understands the importance of privacy. We have therefore implemented an email preference setting on PurelyHR's Account Preferences page that lets users accept or refuse the processing of their information for direct marketing and other types of communication. These email subscription settings can also be reached from the emails themselves.
Data Controllers can download the employee data stored in PurelyHR directly from the employee's User Profile in the Staff module. The data is exported in a standardized, machine-readable format so that it can easily be exported and imported, supporting the right to data portability.
We have account policy consent measures, compliant with GDPR, to obtain and record explicit consent from Data Controllers at account creation.