Privacy and GDPR Home

Below are the answers to many of the common questions we get asked.


General Information

Who we are

Based in Sheffield, Myhrtoolkit Ltd was founded in 2005 and has traded continuously since then. We have a current establishment of 13 people, delivering the myhrtoolkit online hr system – which is specifically designed for small and medium sized businesses. You can read more about the company and the business by visiting


Who controls the data?

All personal user data collected remains under the control of our individual customers who act as the data controller. Through the tools provided by the myhrtoolkit system, data controllers have sole control of all data which is added to the system and which individual functions of the system are used or not. The responsibility for establishing the lawful bases for processing rests with the data controller. There is a useful whitepaper here. In relation to our customer facing business, myhrtoolkit act as data processor and do control data added or removed from the system.


What data is held?

GDPR relates only to personal information, and it is highly likely that not all data added will be personal information. As the data controller, each individual customer is responsible for the personal (and all other) data added to the Toolkit.

Users can add and change personal information about themselves. There is a corresponding notifications to alert management to such changes. Access controls are provided to allow customer control of who has access to what. We recommend using these and being aware of who can add what.

It is the responsibility of data controllers to establish the appropriate lawful bases for processing of any personal information which they choose to input into myhrtoolkit.


Where is our data held?

All customer data is hosted wholly within the EEA within a data centre certified to ISO 27001.


Are you regulated?

Yes, by the Information Commissioner’s Office (ICO) as Data Processors.


Do you have a Data Protection Policy?

Please follow the link in our Privacy and GDPR portal /privacy/.


Do you have a Privacy Policy?

A copy of our Privacy Statement can be found on our website – /privacy/privacy-users/.


Do you share my data with anyone?

We do not routinely disclose personal information to third parties outside of myhrtoolkit. The only circumstances in which we will disclose such information to third parties would be where either:

  • Myhrtoolkit Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • Myhrtoolkit was under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use.


How can I get information about me corrected?

In relation to access or requests for corrections, given the nature of our system and its integrated tools, we provide data controllers with the ability to rectify the data under their control. Should any questions arise about usage, our service desk is always happy to help.


How do I raise a data security or privacy issue?

All enquiries and complaints in relation to data protection or privacy matters should be addressed to Data Protection, myhrtoolkit, 233 Edmund Road, Sheffield, S2 4EL, or by email via [email protected]


Data Access

Who has access to our data?

Customer user data is held in a highly secure system, hosted by our hosting partner Google Cloud Platform You may like to read our Security Statement here Beyond the customer, and anyone they may grant access to, myhrtoolkit will only access identifiable personal information after obtaining the permission of the customer.


Do you sub-contract any services to 3rd parties?

We work with several trusted partners:

Google Cloud Platform, who are our hosting partner, including disaster recovery back-ups (
Mail Gun, who provide a secure in-app main service (
Amazon S3 (AWS), who support our disaster recovery back-up (


How do you control who at Myhrtoolkit has access to my data?

Myhrtoolkit employees are not required to access customer data to complete their day-to-day responsibilities. Each instance of access is separately authorised in line with our Customer Data Access Policy,



Do you have a dedicated Data Protection and/or Information Security Officer?

Name or title of DPO Managing Director
email [email protected]
Address Data Protection, myhrtoolkit, 233 Edmund Road, Sheffield, S2 4EL
Telephone 0345 225 0414


What measures do you have in place to keep my data safe?

Security measures are outlined in our Security Statement, see


How would security incidents affecting our data be formally reported to us?

To view our data breach process, see


Back-up and Disaster Recovery

What about Backups?

We understand the importance of regular reliable backups to ensure system availability and continuity; as such, we operate 2 entirely separate backup routines for the purposes of disaster recovery. The first is managed by our hosting partner, Google Cloud Platform, who make a daily back up of all changes and take a full back up once a week. These are stored in their secure data centre over a 2 week rolling period. Additionally, myhrtoolkit take a full daily back up which is stored for 30 days off-site with a different PCI DSS Level 1 service provider. Before this leaves our servers, the back-up is encrypted, transmitted over a secure connection and remains encrypted whilst it is outside our network. Both facilities are based entirely in the EEA. Please note that individual data, records or documents cannot be extracted from this back up.


Do you encrypt my data?

Our certificates are encrypted with 256-bit encryption, and all data thtat passes between you and our servers is encrypted with industry standard 128-bit encryption.
For further details on how we keep your data secure, please review our Security Statement,


For how long do you retain my data?

In regular use, information is held as long as the Data Controller allows it to be. Tools to edit or delete fields or remove whole user records are provided. Leavers are managed through a secure process allowing different levels of sanitisation or anonymisation.
Following a customer serving notice to terminate their use of myhrtoolkit, an account operates normally until the final day of contract, usually the day before the next monthly invoice would have been issued. During this period we are happy to assist in data extraction.
Customer data is then archived for a further 30 days before all data is deleted rendering it non-recoverable.
Following the archive period, account data then resides in the disaster recovery back up for a further 30 days.
After this point, the only data retained is company level data appropriate for recording the previous existence of our commercial relationship. No personal data is stored.

Stage Period Access
Normal usage Until final day of contract Full
Archive 30 days Can be reinstated on request (fees apply)
Data Recovery back up 30 days No


Do you have a business continuity and disaster recovery plan?

Should the occasion arise, we have plans in place which would allow us to continue providing service to you, these are fully documented and regularly tested.