GDPR Management

Overview

Since the update to version 1.8.0 of 27 April 2018, the attendance system has fully implemented the tools required for personal data protection — GDPR.

GDPR (General Data Protection Regulation) is the EU regulation on the protection of personal data, which took effect uniformly across the EU on 25 May 2018.

It is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council and, in the Czech Republic, replaces the existing personal data protection framework based on Directive 95/46/EC and the related Act No. 101/2000 Coll., on the protection of personal data.

The Regulation clearly defines the following terms:

Data controller:

a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Data processor:

a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller

The data controller is always the user of the attendance system; the processor may be, for example, an external accounting firm.

As the controller, you always designate, within the company’s organizational structure, the list of authorized persons of the data controller. To grant this permission to yourself or to another company administrator, please contact your iTA system provider.

Handling of Personal Data

In the attendance system, we consider every employee’s data to be private. This applies in particular to their name, personnel numbers, date of birth, and similar information. In addition to these, employee attendance records can also be considered private.

In general, the following requirements must be met:

Protect the Data We Store From Access by Third Parties

All employees’ personal data, including their backups, is stored at the highest possible security standard on Microsoft Azure servers in Germany, the country with the strictest personal data protection laws in the world.

The database is protected with a very strong password and can only be accessed from specifically allowed IP addresses.

Personal data is transferred between the cloud server and the user exclusively over an encrypted connection using the https:// protocol, with website authenticity verified by a certificate.

Manage Access to Personal Data for System Users

Our software lets you manage access permissions and configure access for each user according to the employer’s individual requirements.

In the role of the distributor, we can request access to the system via remote management. To obtain this permission, we ask the customer for access via a link in the Support > Contact Us section:

[Screenshots: contact-us-1.png, contact-us-2.png]

A PIN code is then generated; once it is shared with the administrator and access is approved, the support technician gains remote access. The administrator approves the access and thereby grants rights for a fixed period of 1 hour. All these events are recorded in the personal data disclosure log (who requested access, who approved it, etc.).

Provide Records of Access to Each Employee’s Personal Data on the Employee’s Request

Every employee has the right and option to request a log showing when and by whom their personal data was viewed, as well as a list of the data recorded about them.

We collect records of every access to an employee’s personal data.

Only the authorized person of the data controller — designated directly by the data controller, as described in the introduction to the GDPR chapter — has access to these options.

Maintain Database Consistency When Restoring From a Backup

As mentioned, backups are stored on dedicated servers located in Germany.

When restoring from these backups, an employee may have been anonymized or deleted in the meantime. At the moment of restoration, the data must therefore not contain personal data of deleted employees. To meet these requirements, all data is compared with the current database during restoration and evaluated to determine which data should be restored.
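A sketch of the comparison step described above, added here as an illustration; it is not the attendance system's own code. The field names, the `anonymized` flag, and the rule that an employee missing from the current database counts as deleted are assumptions.

```python
# Added example: schema and field names are assumptions, not the product's.
PERSONAL_FIELDS = ("name", "personnel_number", "date_of_birth")


def plan_restore(backup_employees, backup_attendance, current_employees):
    """Decide which backup rows may be written back.

    current_employees maps employee id -> {"anonymized": bool}, read from the
    live database just before the restore. The backup predates any erasure,
    so the live state is the only authority on who was removed.
    """
    restore_emp, skipped = [], []
    for row in backup_employees:
        live = current_employees.get(row["id"])
        if live is None:
            # Absent from the live database: deleted since the backup was taken.
            skipped.append(row["id"])
            continue
        if live["anonymized"]:
            # Keep the record, but never bring the personal fields back.
            row = {k: (None if k in PERSONAL_FIELDS else v) for k, v in row.items()}
        restore_emp.append(row)

    allowed = {r["id"] for r in restore_emp}
    # Attendance is personal data too: drop rows whose owner is not restored.
    restore_att = [a for a in backup_attendance if a["employee_id"] in allowed]
    return restore_emp, restore_att, skipped


# Constructed sample data: 1 is unchanged, 2 was anonymized, 3 was deleted.
BACKUP_EMPLOYEES = [
    {"id": 1, "name": "Alice Example", "personnel_number": "P-001",
     "date_of_birth": "1980-01-01", "department": "HR"},
    {"id": 2, "name": "Bob Example", "personnel_number": "P-002",
     "date_of_birth": "1975-05-05", "department": "Sales"},
    {"id": 3, "name": "Carol Example", "personnel_number": "P-003",
     "date_of_birth": "1990-09-09", "department": "IT"},
]
BACKUP_ATTENDANCE = [
    {"employee_id": 1, "day": "2018-05-02", "hours": 8},
    {"employee_id": 2, "day": "2018-05-02", "hours": 6},
    {"employee_id": 3, "day": "2018-05-02", "hours": 7},
]
CURRENT_EMPLOYEES = {1: {"anonymized": False}, 2: {"anonymized": True}}

if __name__ == "__main__":
    emps, att, skipped = plan_restore(
        BACKUP_EMPLOYEES, BACKUP_ATTENDANCE, CURRENT_EMPLOYEES)
    print("restore:", emps, att, "skipped ids:", skipped)
```

The check fails closed: an employee the live database does not know is never restored, so a restore cannot reintroduce erased personal data.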