Appogee HR and our commitment to GDPR
The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and is the most significant piece of European privacy legislation in the last twenty years. GDPR strengthens the rights that EU individuals have over their personal data, unifies data protection law across Europe, and places more responsibility both on customers of HR software (as data controllers) and on providers of HR SaaS software (as data processors).
For many organisations, holding personal data centrally in a secure system such as Appogee HR can help meet their GDPR obligations as a data controller.
Appogee HR is committed to providing the controls our clients need to meet their obligations as a data controller under GDPR, and to meeting our own obligations as a data processor, when GDPR takes effect on 25 May 2018. Our users can use Appogee HR services with confidence, knowing the data protection capabilities built into the service.
We have made important updates to our services and have introduced new contractual commitments, including a Data Processing Agreement that directly addresses GDPR requirements.
DISCLAIMER: This webpage summarises our position with respect to GDPR and actions you can take as you prepare for GDPR. You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice. This webpage does not form part of the contractual agreement between you, your company and Appogee HR. For full information you should refer to our Data Processing Agreement.
Where do we stand?
Data Processing Agreement
Appogee HR has issued a Data Processing Agreement which amends our Terms of Service prior to 25 May 2018 and is incorporated into our Terms of Service from that date. It sets out our contractual commitments under GDPR and clearly articulates our privacy terms for our customers. The agreement can be found here: https://www.appogeehr.com/data-processing-agreement/ . All customer administrators should accept these terms under the Legal and Compliance section within the Administration/Licensing section of our services.
Processing of Data
Appogee HR commits to processing Customer Personal Data submitted, stored, sent or received by our customers (as controller) and their end users only for the purposes of providing the Services and related technical support. The services themselves have comprehensive configuration and security controls built in, which give you as the customer the ability to configure directly the instructions on how this data is processed.
Appogee HR is releasing (planned for May 2018) a new “Employee Deletion During Term” feature, which will allow your HR Managers to mark Archived Employees for permanent deletion when you choose. The employee is then moved to an “Employee Deletion Pending” status and remains in the archived view for 7 days, in case of inadvertent deletion. After 7 days, the formerly Archived Employee is automatically deleted and moved to a “Deleted Employees” view, retaining only basic information for audit purposes and removing all other Personal Data relating to that employee. All customer personal data that you have selected for deletion will be fully purged from our backups within 180 days, which is our contractual commitment to you in our Data Processing Agreement.
Shortly after contract expiry, Appogee HR will delete all customer personal data from our production services, and all customer personal data will be fully purged from our backups within 180 days, which is our contractual commitment to you in our Data Processing Agreement.
Security Measures, Controls and Assistance
Appogee HR incorporates security by design. The service is built on the Google Cloud Platform (GCP) and is hosted in Google’s own European data centres, which are certified under ISO 27017 for cloud security and ISO 27018 for the protection of personally identifiable information in public clouds. All data held in Appogee HR is encrypted at rest and in transit between our service and your browser, and is fully backed up. Our service is subject to penetration tests and is protected by Google’s intrusion detection services. Appogee HR supports authentication and integration with G Suite and Office 365 accounts, if configured by our customers.
Security Certifications, Audits and Reports
Appogee HR maintains the UK Government’s Cyber Essentials Plus certification, and our data hosting providers maintain certifications including ISO 27001 and ISO 27018. We also contractually agree to support the audit rights required under GDPR.
Customer Additional Security Controls
Appogee HR provides additional security controls within the admin sections of the service so that our customers can take steps to secure Customer Data and meet their obligations as data controllers. These include multiple security roles (Employee, Manager, HR and Admin), which can be combined with configurable access rights (read, edit, no access, masked) for each type of personal data held in the service. The service also includes comprehensive auditing, allowing our customers to track data updates and modifications. Together these give our customers the flexibility to meet their obligations as a data controller under GDPR.
Appogee HR will notify customers promptly following any data incident and take reasonable steps to minimise harm and secure customer data. Notifications will be made to the administrators or the customer’s Data Protection Officer, as configured in the admin section of our service.
Appogee HR provides assistance, in the form of the additional security controls and our Data Processing Agreement, to help customers with their data protection impact assessments.
Data Subject Rights
Access; Rectification; Restriction of Processing; Portability.
Appogee HR is highly configurable, allowing data subjects and/or their HR Managers (as configured by the customer) full self-service control to access, rectify and restrict the processing of Customer Data, including deletion. To support portability, Appogee HR is releasing a new Employee Export feature (planned for May 2018) that allows the customer to export all data and files relating to a specific employee.
Data Subject Requests.
If Appogee HR receives a data subject request from one of your employees in relation to Customer Personal Data, we will advise the data subject to submit the request to the customer, and the customer will be responsible for responding to the request using the functionality of the services.
Data in Appogee HR is held solely within the EEA, in Google’s European data centres. Our hosting contract with Google is also subject to the EU Model Contract Clauses, which European Data Protection Authorities have confirmed as compliant, affirming that GCP’s contractual commitments meet the requirements for legally framing transfers of data from the EU to the rest of the world under the Data Protection Directive. This would apply only if such a transfer were required by Appogee HR for exceptional operational, availability or security reasons in order to perform the contract and provide the Services.
Information about our subprocessors, including their functions and locations, is available at https://www.appogeehr.com/terms/subprocessors
Where do you stand?
Independent Legal Advice
You should seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.
Assessment and configuration of Appogee HR’s Security Measures and Controls
As a customer, you are responsible for reviewing the Security Documentation and evaluating whether the Services, our security measures and the additional security controls available to your administrators and HR Managers will meet your needs, including with respect to any of your security obligations under European Data Protection Legislation (GDPR) and/or Non-European Data Protection Legislation, as applicable.
To achieve compliance with GDPR, customers of Appogee HR should familiarise themselves with their obligations under the regulation as a data controller. In particular, you should consider creating an updated and precise inventory of the personal data that you process and control in our services, review the lawful basis on which you process that data, and review how your organisation configures its security roles and access settings in our services.
Acceptance of Data Processing Agreement and notification of customer Data Protection Officers
Our Appogee HR Data Processing Agreement (https://www.appogeehr.com/data-processing-agreement/ ) amends our existing Terms of Service and meets the statutory requirements for an agreement between you as a controller and us as a processor of your personal data under GDPR. A representative of your company should agree to these terms under the new Legal and Compliance section in the Licensing section of the service ( https://hr.appogeehr.com/config/licensing ).
You can also notify us of your Data Protection Officer by entering their details in the same Legal and Compliance section.
If you have specific questions about GDPR compliance, we would like to hear from you by email at: firstname.lastname@example.org