General Data Protection Regulation (GDPR)

At absence.io we have worked hard to ensure that our app and our processes are GDPR-compliant. The GDPR is serious business, but that doesn’t mean we can’t make it a little fun and exciting; after all, data protection is in everyone’s interest.

So, what is the GDPR all about? Firstly, GDPR stands for General Data Protection Regulation. It replaces and builds on the Data Protection Directive (DPD) of 1995. A directive has to be transposed into national law by each member state, so under the DPD the rules differed from country to country; the GDPR is a regulation, which applies directly and uniformly across the EU without member states having to pass laws of their own.

Secondly, the GDPR applies not only to EU-based businesses but to any business that offers services to, or monitors the behaviour of, people in the EU and processes their personal data. Whether you’re at the North Pole or down under, if you handle the personal data of people in the EU, you too have to be GDPR-compliant.

From 25 May 2018, when the GDPR becomes applicable, absence.io as a ‘data processor’ has to not only take specific security measures to protect the personal data of people in the EU, but also set up transparent and secure ways of handling personal data.

Therefore, our team is fully dedicated to meeting all the GDPR mandates, so that absence.io is not only compliant but also a better experience for those who trust us with their personal data.

Meet Alan, the CEO of Deer Ltd., a company in Spain, an EU member state. Deer Ltd. and its employees are all subscribers of absence.io. We at absence.io are a ‘data processor’, since we handle the personal data of data subjects (e.g. the employees of Deer Ltd.) on behalf of a data controller (Deer Ltd.). Deer Ltd., as controller, is responsible for the personal data of its data subjects, i.e. its employees. Since we use third-party services to handle some user data, we also have to consider the obligations that apply to our ‘sub-processors’.

Alan has recently learned about the GDPR mandates and would like to know what we’ve done at absence.io to meet the 25 May deadline.

Below you’ll find a detailed list of what we’ve changed or added to become GDPR-compliant.

Each entry below names the mandate, explains what it means for Alan and his employees, and describes what we’ve done.

Lawful basis of processing

What does it mean? Before we may use the personal data of the employees at Deer Ltd., there has to be a lawful basis for the processing: their informed consent, where they know exactly what they are consenting to; the necessity of the processing for a contract (sending invoices, negotiation); or a ‘legitimate interest’ of ours that is not overridden by their rights. For the employee data that Deer Ltd. entrusts to us, Deer Ltd. as controller is responsible for establishing that basis, and we process the data only on its instructions.

What we’ve done: At absence.io, all personal data we collect is used only in relation to the user’s absence.io account. Phone calls, emails and other communication that involve personal data relate directly to our software or to activity within it (for example, notification emails).

Consent

What does it mean? For consent from Alan and his employees at Deer Ltd. to be valid, we need to ensure that they:

a) know what they are opting into;

b) actively opt in (no pre-ticked boxes, no consent inferred from silence), and that opting in to one purpose is not treated as consent to everything;

c) receive a detailed, informative consent notice that states exactly how we process their data and what we use it for.

What we’ve done: We are adding a step during registration that asks every user to consent to the processing and use of their data for marketing, support and contractual purposes, with each purpose stated separately. Users can also re-confirm their consent later. Our systems record what each user consented to and when, so that users who have not explicitly consented to marketing receive no marketing emails from us.

Withdrawal of consent (or opt-out)

What does it mean? Alan and his employees must be able to withdraw consent at any time, as easily as they gave it.

What we’ve done: Users who receive emails from absence.io can opt out from within the email itself. They can also opt out at any time in their account settings.

Cookies

What does it mean? Alan and his employees need to be told that cookies are used, which cookies and for what purpose, and asked for consent where it is required.

What we’ve done: absence.io tells you not only that we use cookies, but which types of cookies we use and for what, and asks whether you consent to them.

More on cookies here.

Deletion (or ‘the right to be forgotten’)

What does it mean? Alan and his employees have the right to request that absence.io permanently delete all personal data pertaining to them, including email and phone call exchanges and other submissions. The right is not unlimited: data that we are legally required to retain (accounting records, for example) is kept for the mandated period and deleted once it expires.

What we’ve done: At absence.io we’re making it easier for you to have your data deleted on request. We are building a deletion workflow organised by data category, so that we keep only the data needed to deliver absence.io as a service to you and automatically and permanently delete data sets that are no longer needed, in line with legal retention requirements.

Since we use sub-processors, we also make sure that your data is deleted from their systems.

Access / Portability

What does it mean? Alongside deletion, Alan and his employees can request access to the personal data we hold about them. On request we must provide it, and for portability we must do so in a structured, commonly used and machine-readable format.

What we’ve done: absence.io will provide your data on request in an easily readable form and, if needed, also an export of your data held by our sub-processors.

Modification (rectification)

What does it mean? If personal data about Alan or his employees is incorrect or incomplete, they can have it corrected at any time.

What we’ve done: absence.io lets you edit personal data. We restrict this with roles and permissions so that not everyone with access to a company’s absence.io account can edit information.

Admins, HR and owners have the right to change user and account information.

Other users contact their company’s HR or an admin, who can open their profile and make the change.

Security Measures

What does it mean? Under the GDPR, data processors (e.g. absence.io) and sub-processors (third-party organisations that handle personal data on behalf of a processor) must implement appropriate technical and organisational measures to protect personal data. The regulation names pseudonymisation and encryption of personal data among these measures, alongside controls that limit who can access it. Fully anonymised data, from which no individual can be identified, falls outside the GDPR altogether.

What we’ve done: At absence.io we are committed to strengthening our security to keep your data safe. On top of existing practices such as encryption in transit and at rest and regular penetration testing, we are adding tighter security controls that meet the GDPR’s requirements.