The General Data Protection Regulation (GDPR) provides consistent standards across the EU to protect the rights of its citizens over how their personal data is used. It went into effect on May 25, 2018 and applies to all companies that use personal data from EU citizens.
We fully support the GDPR and think it’s a good thing to treat customers and their data with care and respect. Our mission is to help companies like yours manage their time off more efficiently and that requires a fair and secure use of personal data that was given with full consent and transparency.
In this article, we’ll provide a quick overview of GDPR and the ways in which Leave Dates is complying.
An overview of GDPR
GDPR replaced the existing EU privacy directive 95/46/EC, which was in place for over 20 years. The GDPR strengthens and expands the privacy rights of individuals and impacts any company that processes the personal data of EU citizens.
For example, if you have employees based in the EU then the GDPR applies to you.
The Data Protection Principles set forth in the GDPR include requirements such as:
- Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
- Personal data should only be collected to fulfil a specific purpose and it should only be used for that purpose. Organizations must specify why they need personal data when they collect it.
- Personal data should be held no longer than necessary to fulfil its purpose.
- People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.
We’d encourage you to consult with your legal counsel for the most complete understanding of the GDPR.
Your rights under the GDPR
Under the GDPR you have a number of rights. Here we have described how Leave Dates satisfies those rights.
Right to be informed
This document, alongside our Privacy Policy, Cookie Policy and Terms, gives you complete visibility of how we use your personal data in Leave Dates.
Right of access and data portability
Please get in contact if you would like to receive a report of the data we hold on you.
Right of rectification
Leave Dates gives both the admin user and the employee themselves the ability to rectify any inaccurate or incomplete personal data. Individuals can manage their own personal data via their profile page.
Right to be forgotten
We make it easy for you to delete your account, which removes all personal data from our database. This action is non-recoverable. See: How to delete my account.
Right to restrict processing
As a user of Leave Dates, you have control over how your data is used.
- You may request 'private' leave which means that others in your company cannot see the type of leave you are taking. Read more about Private leave.
- By default birthdays (day and month only) are shared with your team but you can restrict this in your profile page.
- If you wish not to receive emails from us, you can turn them off using the following methods:
  - Emails relating to new requests, approvals and the daily summary report can be turned off in your profile page.
  - Other emails (not directly related to booking or approving leave) can be turned off by clicking the unsubscribe button at the bottom of the email.
As an admin user of Leave Dates, you have control over who can see each other in the Wall Chart.
Leave Dates uses role-based permissions to ensure that all users can only perform the actions they need to perform and to restrict the amount of data that each individual has access to.
Right to object
If you would like to object to how your personal data is being used, please get in contact with us.
Rights of automated decision making and profiling
Leave Dates does not perform any automated decision making or profiling of our users.
Security and Data Management
We take considerable efforts to protect your data and have outlined our security practices in a separate article: Data Security.
We do not perform any archiving or removal of data beyond the user-initiated actions. After a leave year has passed, the admin user can choose whether to delete (or hide) that calendar (via the settings->calendars screen) or retain the data for a retention period.
All users have the option to delete their account at any time, at which point all personal data is removed. You can find more information about this here.
Sub-processors
Under the GDPR, a sub-processor is any business that may process your data as a side effect of using the Leave Dates service.
Here is the list of our current sub-processors:
| Sub-processor | Purpose | Further information |
| --- | --- | --- |
| Interxion Nederlands B.V. | Cloud hosting | All servers and databases are hosted in the Interxion data centre, located in Amsterdam. The data centre is ISO 27001 compliant. |
| Amazon Web Services | Sending system-generated emails | We use region eu-west-1 (Ireland) |
| Stripe Payments Europe, Limited | Payment processing | https://stripe.com/gb/guides/general-data-protection-regulation |
| Pusher | Web push notifications | |
| OneLogin | Mobile app push notifications | |
| Cloudflare | Security and firewall services | |
| Sentry | Error tracking | |
| Zendesk | Customer support | https://www.zendesk.co.uk/company/privacy-and-data-protection/#gdpr-sub |
| Mailchimp | Email distribution | |

If you have any questions or concerns regarding GDPR and Leave Dates, please get in contact.