GDPR and Staffcloud
On 25 May 2018, the new EU General Data Protection Regulation (GDPR) came into effect. We have received questions from our clients concerning this topic, wanting to know what exactly GDPR is, and why Staffcloud is GDPR compliant despite the company being located in Switzerland.
In order to answer some of these questions and to highlight the effects of GDPR, we have compiled some information to clarify what exactly GDPR is. The data contained here was collected for informational purposes only and is not designed to act as legal advice. We recommend that you work with a data protection expert to find out exactly how GDPR might affect you.
What is GDPR?
GDPR is short for the new European General Data Protection Regulation, which describes how personal data is to be handled. It replaces the 1995 Data Protection Directive with adjusted and updated content, and it came into effect on 25 May 2018.
Why are companies outside the EU, e.g. in Switzerland, still affected by GDPR?
Although it is an EU law, this regulation does not only affect companies within the EU. All service and goods providers who handle EU residents' data or who work with companies in the EU must be GDPR compliant. It is thus applicable to almost all companies, regardless of location. Any organisation found to violate GDPR may be fined up to 20 million euros or 4% of their yearly global sales revenue (whichever amount is higher.)
Staffcloud is affected by GDPR because we work with clients in several EU countries, and because of our subsidiary, which is located in Romania.
What is personal data?
Personal data may include, for example: names, birthdates, e-mail addresses, bank data, social security numbers or even gender and clothing sizes. In short, all data that gives an indication of who the users might be.
What are Staffcloud's contact details regarding GDPR?
Data Protection Officer: Thomas Ungricht, CMO of Staffcloud
What happens to personal employee data in Staffcloud?
Staffcloud processes personal data on behalf of the client. This includes actions defined in the main contract between the two parties or in the general terms and conditions. The client retains all responsibility for data protection and solely decides on the purpose and the measures taken for the processing of such personal data that is handed over to Smartbridge. Within the scope of our general terms and conditions, the client is solely responsible for complying with the legal regulations of data protection laws, particularly for the legality of transferring data to Smartbridge and the legality of data processing (“Controller” as defined by Art. 4 No. 7 GDPR).
Can personal data be deleted in Staffcloud?
Yes. Staffcloud has developed a distinct process for irrevocably deleting all personal data for individual employees. Only the employer can carry out this deletion. It requires that the employer has been handed a request by the respective employee for the deletion of their personal data beforehand.
Where is personal data stored?
The Staffcloud servers are located in Frankfurt, Germany.
Which technologies are employed by Staffcloud in order to secure personal data?
- We record every process, error or data alteration within the software. This ensures that we can reconstruct any incident in detail.
- Every client is given a dedicated database and dedicated file system storage which runs completely independently from those of other clients.
- Our software's data security is regularly monitored through so-called penetration tests and with audits.
- We employ the cryptographic protocol TLS 1.2
- Our data centre, where all data is stored, is compliant with, among others, C5, ISO 9001, 27001, 27017 and 27018.
What are the rules concerning Staffcloud employees and their access to personal data?
All access to personal data is secured through the distribution of roles and permissions within Staffcloud systems. Staffcloud employees can only access data on a "need to know" basis - the principle being that they are awarded the least privilege, which means that they only have the minimum access level required to fulfil their tasks.
We also help our clients in becoming GDPR compliant by ensuring that the roles defined and awarded by the system cannot endanger data security by accident.
Why has data security been important for Staffcloud since before GDPR?
The arrival of GDPR could be discerned as early as 2016, and this is when Staffcloud started implementing processes in preparation for its coming into effect.
Everyone at Staffcloud - from the leaders to the developers - takes the security of our products and the protection of our clients' and employees' personal data very seriously. Our clients trust us with their data; the protection of this data is therefore of utmost importance to our business.
We think that data protection is made up of internal processes as well as technical measures. We do everything in our power to ensure that we have the right people, processes and qualifications in place to protect our clients' data, while also ensuring that our product is bulletproof from a technical perspective.