GDPR AT BIZIMPLY
Commitment to GDPR
Maintaining the security, integrity, and confidentiality of your data is our top priority.
Bizimply & The General Data Protection Regulation (GDPR)
What is GDPR?
Bizimply has created this page to provide a detailed overview of the steps Bizimply’s SaaS application offers to your organisation to help it operate within the requirements of the GDPR. However, Bizimply still recommends that you engage with your Data Protection Officer and/or legal counsel to fully verify compliance.
The GDPR came into effect on the 25th of May 2018. It sets out a series of EU laws concerning how data of EU citizens is processed and used. The objective of the regulation is to strengthen and standardise data protection laws for all EU citizens.
The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned.
At Bizimply the protection of our customers’ data is our top priority. We know that many organisations have questions about how we comply with the regulation to ensure that we are protecting your data.
GDPR and obligations as a Controller and Data Processor
Under European data protection law, organisations processing personal data are divided into “Controllers”, or the entities which control the personal data, and “Processors”, the entities that process personal data only on the instructions of the Controllers. The GDPR applies to both Controllers and Processors.
Bizimply provides a SaaS Workforce Management platform for our customers. Whilst we actively develop and support this system, we act as both a data controller and a data processor in relation to our customers, who are the data controllers. Our customers’ employees are data subjects. When Bizimply processes data on a customer’s behalf, the customer must have an appropriate legal basis for Bizimply to process this data.
How has the GDPR changed the EU data protection laws?
The GDPR enhances and improves the EU data protection laws in several ways.
1. Data Subject Requests
The GDPR provides expanded rights for EU data subjects such as:
- Deletion: This right is sometimes referred to as the “right to be forgotten”. The data subject has the right to require that the Controller erase personal data about him/her in certain conditions. These include cases where the personal data is no longer necessary for the original purpose of the processing, or where the data subject withdraws consent for the processing. This right has been extended to the online world as a means to require internet service providers to delete out-of-date publicly available information, in particular information which appears in search results.
- Restriction: Under the GDPR, a data subject has the right to obtain from a Controller a restriction on the processing of personal data in a number of circumstances, including if the accuracy of the personal data is contested by the data subject for a certain period of time. A restriction on processing means that the organisation holding the data is entitled to continue to store it but cannot process it any further.
- Portability of personal data: Data subjects also now have the right, in some circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format.
As a Bizimply customer, you (the Controller) control how your users’ (data subjects’) data may be processed by Bizimply (Processor) or a third-party company (Sub-Processor).
If a Data Subject requests information on their data from us or any Sub-Processor, we will notify the Controller. We provide the Controller with the ability to access, rectify, delete, and export personal data at any time by emailing us at firstname.lastname@example.org.
2. Data Protection by Design and by Default
a. Information Security Management Systems
The GDPR requires Controllers and Processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented. At Bizimply we have a robust Information Security Management System which takes into account the risks and security requirements when processing confidential client data.
b. Data Protection Impact Assessments
Where certain processing is likely to be classified as “high risk” to data subjects, the Controller may be required to carry out a data protection impact assessment (DPIA) identifying the impact of the proposed processing operations on the personal data. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals, so that potential privacy issues can be identified before they arise. This gives the organisation time to decide how to mitigate them before the project is underway.
3. Breach notification
The GDPR requires organisations to report certain personal data breaches to the relevant data protection authority and, in some circumstances, to the affected data subjects. Controllers must notify the relevant data protection authority “without undue delay” (and where feasible, within 72 hours of having become aware of it), unless the breach is not likely to present any risk to the rights and freedoms of the data subjects concerned. If circumstances require it, for example where there is a risk of identity theft or a breach of confidentiality, Controllers may also be required to communicate the data breach to data subjects. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach.
4. Consent
Consent is subject to additional requirements under the GDPR. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes through a statement or clear affirmative action”. The concept of consent is used throughout the GDPR to legitimise certain processing activities from a legal perspective.
5. Information Provided to Data Subjects
The GDPR requires that Controllers provide data subjects with information about their processing operations at the time when the personal data are collected. This information includes the identity and contact details of the Controller, the contact details of the data protection officer (if relevant), the purposes and the legal bases for the processing of the personal data, the recipients of the data, and a number of other fields to ensure that the personal data is being processed in a fair and transparent manner.
6. Data Protection Officer
On the security side, the GDPR requires many businesses to have a Data Protection Officer (DPO) to help oversee their compliance efforts. Organisations requiring a DPO include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations which process sensitive personal data on a large scale. You can contact our Data Protection Officer at email@example.com or by writing to them at Data Protection Officer, Bizimply, The Digital Depot, Thomas St, Dublin 8, D08TCV4.
7. Data Retention
Bizimply’s data retention period is 12 months after a customer churns: churned customer data is deleted 12 months after the churn date. When the data controller requests that a data subject’s personal data be deleted, the request will be completed within 30 days.
8. Records of Consent
As a processor, we rely on our customers to ensure that personal data are collected on the basis of one of the GDPR’s lawful grounds for processing. It is the obligation of the controller to obtain consent from your employees to process their data.
You, as a controller, can collect personal data on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) you need to protect the vital interests of the data subject or of another person; (v) you (or another third party) have a legitimate interest in processing the personal data and this is not overridden by the interests, rights and freedoms of the data subject.
9. Security of Processing
Under the General Data Protection Regulation, you have the right to portability, rectification, and access in respect of your data, and the right to withdraw consent. All requests will be responded to within 72 hours.
If you require any assistance in exercising your rights as a data controller or data subject, please send your request in writing to firstname.lastname@example.org.