We are committed to our customers’ success, including compliance with the GDPR and EU Data Protection laws in general. Similar to existing privacy laws, compliance with the GDPR requires a partnership between Timekeepr and our customers in their use of our services. Timekeepr affirms its commitment to comply with the provisions of the GDPR in the delivery of our service to our customers when the GDPR comes into effect. We have closely analyzed the requirements of the GDPR, and are working to make enhancements to our products and processes to support compliance with this regulation.
What is GDPR?
Who does it apply to?
The GDPR applies to organisations established in the EU that process personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Personal data is any information relating to an identified or identifiable natural person.
What implications does GDPR have for organisations processing the personal data of individuals in the EU?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organisations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.
How has Timekeepr been preparing for the GDPR?
Timekeepr will be compliant with the GDPR when it becomes enforceable on 25 May 2018. We are working with customers around the world to answer their questions and to help them prepare for using Timekeepr’s Services after the GDPR becomes effective. Additionally, our privacy team is reviewing Timekeepr’s current product features and practices to ensure we support our customers with their GDPR compliance requirements.
Under GDPR, Timekeepr is a Data Processor and we process personal information on behalf of our customers, who are Data Controllers. It is the Data Controller’s responsibility to establish a lawful basis for any personal data they collect about their employees (for HR data this is usually performance of the employment contract or the employer’s legitimate interest rather than consent; see the FAQ below) and to inform employees of that processing. The customer then grants Timekeepr permission to process this information under a Data Processing Agreement (DPA) or End User License Agreement.
- Lawful Basis and Transparency
As a controller you must have a lawful basis for storing data about your employees or any other subject whose data is entered into your Timekeepr account, and you must tell those subjects what is processed and why. Consent bundled into an employment contract is generally not “freely given” under the GDPR, so we recommend that employment contracts or a staff privacy notice set out what data is held in Timekeepr, for what purpose, and on which lawful basis.
- Only Required Data
As a customer of Timekeepr you are responsible for ensuring that the data you hold about your employees is limited to what is needed, adequate and relevant for the specific purpose.
- Data Access
You must ensure that you have configured system access roles so that each user can see and change only the data their role requires, and review those roles when people change jobs or leave.
- Data Removal
It is your responsibility to ensure that personal data is removed from all systems when it is no longer needed. Our systems are designed to preserve integrity, meaning that your data remains as entered until you change or delete it. It is up to you to comply with any legal obligation you have to retain data in each system you use and to determine how long it is stored for.
Our Obligations as Processors
If a company collects, transmits, hosts or analyses personal data of individuals in the EU, the GDPR requires it, as controller, to use only third-party data processors (like Timekeepr) that provide sufficient guarantees of implementing the technical and organisational measures the GDPR requires. While the existing product today can comply with the GDPR, doing so may not be as simple as it could be. Our goal is to make this as easy as possible.
- Data Access Requests
Our customers can respond to requests from data subjects (employees) to correct, amend or delete personal data. Currently, deletion of employee data from Timekeepr must be requested by contacting firstname.lastname@example.org, but we will be releasing feature updates to give customers complete control.
- Reporting Data Breaches
Under the GDPR, a personal data breach must be reported by the controller to the relevant supervisory authority within 72 hours of becoming aware of it. As a processor, Timekeepr is required to notify the affected customer (the controller) without undue delay after becoming aware of a breach, so that the customer can meet that 72-hour deadline. As part of our information security incident management procedure, appropriate communications will be made, including notifications to all affected parties.
- Conduct Privacy Impact Assessments (PIA)
A PIA, called a Data Protection Impact Assessment (DPIA) in the GDPR, is essentially a risk assessment of proposed processing of personal data. If we are making any changes to how we process personal data that are likely to result in a high risk to data subjects’ rights, a PIA must be carried out before that processing begins.
- Demonstrate Compliance
Customers using Timekeepr will be able to demonstrate GDPR compliance pertaining to Timekeepr's services.
Frequently Asked Questions
How will we handle Subject Access Requests? (SAR)
Timekeepr acts as a Data Processor on behalf of its customers, so we are not able to process SARs on your behalf. If we receive a SAR from one of your employees we will forward the request to you.
Do employees now need to give consent?
The processing of HR data is in the legitimate interest of the employer and required to fulfil a contractual obligation, so consent is not normally the lawful basis. In order to ensure that the rights of employees are not unfairly compromised, there must be full and transparent disclosure of what data processing is taking place and for what purposes. We recommend that our customers make it clear to their employees what data is captured, where it is being stored (you may use something other than Timekeepr to store employee data) and ensure that data captured is for a legitimate business reason.
By law we are required to keep employee data for 7 years, will Timekeepr automatically delete the data after the 7 years?
No. Timekeepr as the processor will not auto delete data but at the data controller’s (Customers) request employee data can be removed from Timekeepr. It is up to the controller to determine the length of time to keep data in Timekeepr.
Is the current data we gather on employees all valid in terms of the new GDPR guidelines?
It is up to the controller (customer) to determine what data is required. The GDPR (Article 5(1)(c)) states that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” In other words, the information you keep in Timekeepr should only be what is required for legitimate business purposes.
Are there any privacy concerns regarding tracking employee location data?
Timekeepr has the functionality to track employee location in the background only while they are clocked in. This is a legitimate interest of the employer to know the whereabouts and safeguard the health and safety of their staff while on company time. For this feature to be activated, the user must explicitly grant the background-location permission, and the permission request states the purpose for which the background location will be used. If a user decides not to grant this permission, we do not track that employee’s location in the background when clocked in. When the employee clocks out, we stop any existing background location tracking.
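The following Python is an added example, not Timekeepr’s own code, that models the collection rule described above: a location sample is stored only while the employee is both clocked in and has granted a purpose-specific permission, clock-out closes the window so late-arriving samples are discarded, and every drop is written to an audit trail. The class and method names, the purpose wording, and the walk-through data in run_scenario() are assumptions made for the illustration.

```python
"""Consent- and shift-gated background location collection (illustrative; not Timekeepr's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Purpose text shown to the employee when the permission is requested (assumed wording).
BACKGROUND_LOCATION_PURPOSE = (
    "Record your location in the background only while you are clocked in, "
    "for whereabouts and health-and-safety purposes."
)


@dataclass(frozen=True)
class Consent:
    employee_id: str
    purpose: str
    granted_at: datetime


@dataclass(frozen=True)
class LocationSample:
    lat: float
    lon: float
    taken_at: datetime


class LocationTracker:
    """Stores a sample only if (a) the employee is clocked in and (b) a consent for
    the background-location purpose is on file. Clock-out ends the shift window, so
    a sample arriving after clock-out is dropped rather than stored."""

    def __init__(self) -> None:
        self._consent: Dict[str, Consent] = {}
        self._shift_start: Dict[str, datetime] = {}
        self._samples: Dict[str, List[LocationSample]] = {}
        self.audit: List[str] = []

    def grant_consent(self, employee_id: str, purpose: str, at: datetime) -> None:
        # Consent is tied to the exact purpose it was requested for; reject anything else.
        if purpose != BACKGROUND_LOCATION_PURPOSE:
            raise ValueError("consent must name the background-location purpose")
        self._consent[employee_id] = Consent(employee_id, purpose, at)
        self.audit.append(f"{employee_id}: background-location consent granted")

    def withdraw_consent(self, employee_id: str) -> None:
        self._consent.pop(employee_id, None)
        self.audit.append(f"{employee_id}: consent withdrawn; tracking stopped")

    def clock_in(self, employee_id: str, at: datetime) -> None:
        self._shift_start[employee_id] = at
        self.audit.append(f"{employee_id}: clocked in")

    def clock_out(self, employee_id: str, at: datetime) -> None:
        self._shift_start.pop(employee_id, None)
        self.audit.append(f"{employee_id}: clocked out at {at.isoformat()}; tracking stopped")

    def is_tracking(self, employee_id: str) -> bool:
        return employee_id in self._shift_start and employee_id in self._consent

    def submit_sample(self, employee_id: str, sample: LocationSample) -> bool:
        """Return True if the sample was stored, False if the policy dropped it."""
        start = self._shift_start.get(employee_id)
        if start is None:
            self.audit.append(f"{employee_id}: sample dropped (not clocked in)")
            return False
        if employee_id not in self._consent:
            self.audit.append(f"{employee_id}: sample dropped (no consent on file)")
            return False
        if sample.taken_at < start:
            # A device-buffered fix from before clock-in is outside the shift window.
            self.audit.append(f"{employee_id}: sample dropped (taken before clock-in)")
            return False
        self._samples.setdefault(employee_id, []).append(sample)
        return True

    def samples(self, employee_id: str) -> List[LocationSample]:
        return list(self._samples.get(employee_id, []))


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through of the policy; returns what was stored or dropped."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    tracker, emp = LocationTracker(), "emp-42"
    results: Dict[str, object] = {}
    # 1. Clocked in but permission never granted: nothing is collected.
    tracker.clock_in(emp, t0)
    results["no_consent"] = tracker.submit_sample(
        emp, LocationSample(53.35, -6.26, t0 + timedelta(minutes=5)))
    # 2. Permission granted for the stated purpose: samples during the shift are stored.
    tracker.grant_consent(emp, BACKGROUND_LOCATION_PURPOSE, t0 + timedelta(minutes=6))
    results["during_shift"] = tracker.submit_sample(
        emp, LocationSample(53.35, -6.26, t0 + timedelta(minutes=10)))
    # 3. Clock-out ends the window; a sample that arrives afterwards is dropped.
    tracker.clock_out(emp, t0 + timedelta(hours=8))
    results["after_clock_out"] = tracker.submit_sample(
        emp, LocationSample(53.36, -6.27, t0 + timedelta(hours=8, minutes=1)))
    results["stored"] = len(tracker.samples(emp))
    results["audit"] = list(tracker.audit)
    return results


if __name__ == "__main__":
    for line in run_scenario()["audit"]:
        print(line)
```

The design point is that the gate is enforced where samples are ingested, not only in the mobile client: even if a client keeps sending fixes after clock-out or after permission is withdrawn, nothing is stored, and the audit trail records each drop with its reason.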