Commitment to GDPR

Maintaining the security, integrity, and confidentiality of your data is our top priority.

Bizimply’s GDPR Commitment

1.0 Introduction

The General Data Protection Regulation (GDPR) is a comprehensive data protection law designed to harmonise and strengthen the privacy and data protection rights of individuals within the European Union (EU). GDPR sets out strict requirements for any organisation that collects, stores, or processes personal data belonging to EU residents, ensuring personal data is handled securely, lawfully, and transparently.

GDPR is retained in domestic law as the UK GDPR, although the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The key principles, rights and obligations remain the same.

1.1 Who Does GDPR Apply To?

GDPR applies to all organisations operating within the EU and UK, as well as any organisations outside of the EU/UK that process the personal data of EU/UK residents. “Personal data” refers to any information relating to an identified or identifiable individual, such as employees, customers, or other stakeholders.

Under GDPR, organisations must demonstrate robust technical and organisational measures to ensure the security and lawful processing of personal data. Compliance requires ongoing efforts, including maintaining up-to-date policies, conducting regular assessments, fulfilling data subject requests (such as access or deletion requests), and reporting any data breaches within mandated timeframes.

Bizimply is fully committed to GDPR compliance. Our dedicated privacy and security teams continuously evaluate and update our practices, product features, and internal policies to meet GDPR requirements and help our customers uphold their compliance obligations.

Under GDPR, Bizimply acts as a Data Processor on behalf of our customers, who act as Data Controllers. While Bizimply provides a secure platform and implements data protection measures, the responsibility for obtaining the necessary consents, determining the relevance of stored data, and responding to data subject requests ultimately lies with the Data Controller. A Data Processing Agreement (DPA), typically embedded within our Terms of Service or License Agreement, formalises this relationship. The definitions of Data Controller and Data Processor can be found here.

2.1 Data Subject Consent

Controllers must ensure that individuals (e.g., employees) have given valid consent, where required, for their personal data to be collected and processed. We recommend outlining consent requirements in employment contracts or policy documents.

Controllers should only store data that is necessary, relevant, and proportionate to the legitimate purpose for which it was collected. Avoid retaining data that is not needed.

It is the Controller’s responsibility to configure user roles and permissions to limit access to personal data. This ensures that only authorised personnel can view or process sensitive information.

It is the Controller’s responsibility to delete personal data when it is no longer needed or after legal retention periods have expired. Bizimply’s systems maintain high data integrity; data will remain as entered until you take action to delete it. You must determine and uphold the appropriate retention period and ensure timely removal of unnecessary data.

3.1 Data Access Requests

As a Data Processor, Bizimply will assist Controllers in responding to Data Subject Access Requests (DSARs) to correct, amend, or delete personal data. Customers can delete employee data directly in many cases, and if additional support is needed, our customer support team can assist.

In the event of a data breach, Bizimply will notify the appropriate supervisory authorities and affected customers without undue delay, and in accordance with GDPR requirements (within 72 hours where feasible).

Before implementing any high-risk data processing activities, Bizimply will carry out Privacy Impact Assessments to identify, assess, and mitigate risks to data subjects’ rights and freedoms.

We maintain documentation, policies, and security measures that allow our customers to demonstrate GDPR compliance in relation to the services provided by Bizimply.

“Privacy by Design” under the GDPR requires data processors to implement privacy-enhancing measures from the outset of any data processing activity and to maintain these practices continuously to ensure compliance. This is described in more detail in our Secure Development Policy.

  • GDPR Program: We have an established GDPR program to ensure continuous alignment with regulatory requirements, updating our policies, procedures, and controls as needed.
  • Updated Terms: Our Terms of Service and Data Processing Agreements are regularly reviewed and updated to align with evolving data protection standards and to support our customers’ compliance efforts.
  • Data Storage in the EU: All customer data is securely stored within the EU using Amazon Web Services (AWS). For more information on AWS security, please refer to the AWS Security documentation.
  • Data Protection Officer (DPO): We have appointed a DPO who oversees our data protection strategy, ensuring that our processes and procedures remain in compliance with GDPR and other relevant data protection laws.
  • Data Flow Documentation: Bizimply documents data flows within our products and internal operations to ensure personal data remains secure and properly managed at all times.
  • ISO 27001 Certification: We are ISO 27001:2022 certified to reinforce our commitment to industry-best information security standards and practices.
  • Links to Policies and Agreements: Bizimply Privacy & Cookies Policy, Security & Data Privacy, Terms and Conditions of Business

Encryption and Security Controls: All data within Bizimply is encrypted. We implement and maintain an Information Security Management System (ISMS) certified to ISO 27001:2022, involving rigorous staff training, risk management, and adherence to industry best practices.

6.1 How are Subject Access Requests (SARs) handled?

As a Data Processor, Bizimply cannot independently fulfill SARs from employees. If we receive a SAR directly, we will forward it to you, the Data Controller, to address. You can then use the Bizimply platform or support services to respond appropriately.

In many cases, processing employee data is in the “legitimate interests” of the employer or required to fulfill a contractual obligation (e.g., payroll). However, transparency is key. Clearly communicate what data is being captured, why it is needed, how it is stored, and who has access. Ensure that any data collected is for a legitimate business purpose.

No. Bizimply will not automatically delete data. It is the Data Controller’s responsibility to determine and enforce appropriate data retention schedules. Upon request, Bizimply can support data deletion if needed. However, Bizimply will delete all data on the customer’s account 30 days after the customer has churned.

As the Data Controller, you are responsible for ensuring that the data collected is limited to what is necessary and proportionate to the stated purpose. Avoid collecting or retaining data that is not relevant to legitimate business needs.

If you have any questions or need assistance with your GDPR compliance efforts related to Bizimply’s services, please contact our support team at [email protected]. Our team is available to guide you through best practices and assist with any data protection inquiries.

Bizimply & The General Data Protection Regulations (GDPR)

What is GDPR?

Bizimply has created this page to provide a detailed overview of the steps Bizimply’s SaaS application offers your organisation to help it operate within the requirements of the GDPR. However, Bizimply still recommends that you engage with your Data Protection Officer and/or legal counsel to fully verify compliance.

The GDPR came into effect on the 25th of May 2018. It sets out a series of EU laws concerning how data of EU citizens is processed and used. The objective of the regulation is to strengthen and standardise data protection laws for all EU citizens.

What is the DPA 2018?

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018.

It sits alongside and supplements the UK GDPR, for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers. The ‘applied GDPR’ provisions, enacted in 2018, were removed with effect from 1 January 2021 and are no longer relevant. The processing of manual unstructured data and processing for national security purposes now fall under the scope of the UK GDPR regime.

The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned.

At Bizimply, the protection of our customers’ data is our top priority. We know that many organisations have questions about how we comply with the regulations to ensure that we are protecting your data.

GDPR and obligations as a Controller and Data Processor

Under European data protection law, organisations processing personal data are divided into “Controllers”, the entities which control the personal data, and “Processors”, the entities that process personal data only on the instructions of the Controllers. The GDPR applies to both Controllers and Processors.

Bizimply provides a SaaS Workforce Management platform for our customers. Whilst we actively develop and support this system, we are effectively both a data controller and a data processor to our customers, who are the data controllers. Our customers’ employees are data subjects. When Bizimply processes data on a customer’s behalf, the customer must have an appropriate legal basis for Bizimply to process this data.

How has the GDPR changed the EU data protection laws?

The GDPR enhances and improves the EU data protection laws in several ways.

1. Data Subject Requests

The GDPR provides expanded rights for EU data subjects such as:

  • Deletion: This right is sometimes referred to as the “right to be forgotten”. The data subject has the right to require that the Controller erase personal data about him/her in certain conditions. These include if the personal data is no longer necessary for the original purpose of the processing or if the data subject withdraws consent for the processing. This right has been extended to the online world as a means to require internet service providers to delete out-of-date publicly available information, in particular that information which appears in search results.
  • Restriction: Under the GDPR, a data subject has the right to obtain from a Controller a restriction on the processing of personal data in a number of circumstances, including if the accuracy of the personal data is contested by the data subject for a certain period of time. A restriction on processing means that the organisation holding the data is entitled to continue to store it but cannot process it any further.
  • Portability of personal data: Data subjects also now have the right, in some circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format.

As a Bizimply customer, you (the Controller) control how your users’ (data subjects’) data may be processed by Bizimply (Processor) or a third-party company (Sub-Processor).

If a data subject requests information on their data from us or any Sub-Processor, we will notify the Controller. We provide the Controller with the ability to access, rectify, delete, or export personal data at any time by emailing us at [email protected].

2. Data Protection by Design and by Default

a. Information Security Management Systems

The GDPR requires Controllers and Processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented. At Bizimply we have a robust Information Security Management System which takes into account the risks and security requirements when processing confidential client data.

b. Data Protection Impact Assessments

Where certain processing is likely to be classified as “high risk” to data subjects, the Controller may be required to carry out a data protection impact assessment identifying the impact of the proposed processing operations on the personal data. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals so that potential privacy issues can be identified before they arise, giving the organisation time to come up with a way to mitigate them before the project is underway.

3. Breach notification

The GDPR requires organisations to report certain personal data breaches to the relevant data protection authority, and in some circumstances, to the affected data subjects. Controllers must notify the relevant data protection authority “without undue delay” (and where feasible, within 72 hours of having become aware of it), unless the breach is not likely to present any risk to the rights and freedoms of the data subjects concerned. If circumstances require it, Controllers may also be required to communicate the data breach to data subjects e.g. identity theft or breach of confidentiality. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach.

4. Consent

Consent is subject to additional requirements under the GDPR. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes through a statement or clear affirmative action”. The concept of consent is used throughout the GDPR to legitimize certain processing activities from a legal perspective.

5. Transparency

The GDPR requires that Controllers provide data subjects with information about their processing operations at the time when the personal data are collected. This information includes the identity and contact details of the Controller, the contact details of the data protection officer (if relevant), the purposes and the legal bases for the processing of the personal data, the recipients of the data and a number of other fields to ensure that the personal data is being processed in a fair and transparent manner.

6. Data Protection Officer

On the security side, the GDPR requires many businesses to have a Data Protection Officer (DPO) to help oversee their compliance efforts. Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations that process sensitive personal data on a large scale. You can contact our Data Protection Officer at [email protected] or by writing to them at Data Protection Officer, Bizimply, The Digital Depot, Thomas St, Dublin 8, D08TCV4.

7. Data Retention

Bizimply’s data retention period is 12 months after a customer churns. When the data controller requests for personal data to be deleted for a data subject, the request will be completed within 30 days. Churned customer data is deleted 12 months after the churn date.

8. Records of Consent

As a processor, we rely on our customers to ensure that personal data are collected on the basis of one of the GDPR lawful grounds for processing. It is the obligation of the controller to obtain consent from your employees to process their data.

You, as a controller, can collect personal data based on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) you need to protect the vital interests of the data subject or of another person; (v) you (or another third party) have a legitimate interest in processing personal data and this is not overridden by the interests, rights and freedoms of the data subject.

9. Security of Processing

Our Data Processing Addendum has been added to our Terms of Service.

Our Privacy Policy is available here for reference.

More information on our security protocols can be found here.

GDPR and obligations as a Controller and Data Processor

Under the General Data Protection Regulation, you have the right to portability, rectification, access, and consent removal of your data. All requests will be responded to within 72 hours.

If you require any assistance in the enforcement of your rights as a data controller or data subject, please send your request in writing to [email protected].

Bizimply fully complies with the GDPR and DPA 2018.
