GDPR, Hrvey and you
This guide tells you everything you need to know about the GDPR, Hrvey and you. In short, Hrvey is GDPR compliant, and we help you to be too.
What is the GDPR?
The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law coming into effect on May 25, 2018. It replaces previous EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual to know which personal data a company stores about them, and to have this extracted or deleted.
Does it affect my company?
Yes, most likely. If you hold or process the data of an any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not. Even if you are not subject to the GDPR then you still get to enjoy the benefits of the additional data rights that the GDPR grants you, since Hrvey treats all our customers the same.
In the context of GDPR, Hrvey is what is called a Data Processor, while our customers are Data Controllers, since we only process their personal information at their instruction and when they provide us with it. (We consider you to have instructed us to gather data on your behalf when you accept our terms of service and create an organization in our system)
What do I need to do to be GDPR compliant?
- Consent: It is the data controller’s duty to ensure that they have consent from the individuals (employees) whose information is collected and stored - you would typically do this through your employment contracts. Note that in some jurisdictions there is an implied consent implicit in a job contract to collect HR related data and there is also in many jurisdictions an obligation for employers to collect records of leave, so that this collection does not require explicit consent from the employees. Note that this does not constitute legal advice, and you should still contact a lawyer to ensure your employment contracts are GDPR-compliant.
- Security: You are required to store all personal data securely
- Right to be forgotten: In case an employee requests it, you are required to tell them all the personal information you store about them. And if they withdraw their consent (e.g. by quitting their job) and request deletion of all these personal data you must do so, except in cases where your jurisdiction requires you to keep records for a certain amount of time.
- Data Processing Agreement: As a data controller you must have a contract - called a Data Processing Agreement or DPA - in place with all data processors that you send personal information to. This contract reaffirms both parties’ commitment to upholding the GDPR, formalizes which personal data you are authorizing the collection of, and obligates the data processor to assist you with the extraction or deletion of personal data, when you receive requests to do so.
How does Hrvey help me be GDPR compliant?
Hrvey is GDPR compliant and helps you be too!
- Security: Hrvey follows all security best practices. All data is stored securely on our servers, all communication between your browser and our site is encrypted, user passwords are hashed and salted and our system is constantly kept up-to-date with the latest security patches. We are committed to keeping your data safe.
- Right to be forgotten: We have automated tools in place to extract or delete all personal data about an employee. If you receive a request for this, simply contact us via the support chat or send an email to email@example.com and we will assist you in this.
- Data Processing Agreement: We wanted to make this easy for you, so we have created a self-service portal where organization owners can accept and download a Data Processing Agreement between your organization and Hrvey. If you are the owner, you do so now on the Data Processing Agreement self-service page. You can see an example DPA here
We are here for you
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and gearing up for GDPR. If you have any questions, please don’t hesitate to contact us at firstname.lastname@example.org.