The General Data Protection Regulation (GDPR) confers statutory rights to individuals and responsibilities/obligations to organisations. The sections below describe the key areas and highlight how myhrtoolkit fulfil our responsibilities.
Any references to the GDPR below are by necessity summarised and cannot be relied upon as legal advice. We would recommend referring to the Regulation and obtaining appropriate legal advice.
Individual customers act as Data Controllers and are responsible for all data input, modification and deletion from the system. They are also responsible for ensuring that they have a suitable policy in place, which sets out the data which is processed and the lawful basis for that processing. This is not myhrtoolkit’s responsibility.
The myhrtoolkit online HR system is provided by Myhrtoolkit Limited, who act as the Data Processor.
Some elements of the GDPR apply to both parties, others just to one.
Our agreement with end customers is contained primarily within a licence agreement. This is available within the myhrtoolkit system.
Individual users of the system can read our User Guidance.
Each data processor shall maintain a record of all categories of processing activities carried out on behalf of a data controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
(b) the categories of processing carried out on behalf of each controller
(c) any transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
(d) a general description of the technical and organisational security measures.
Myhrtoolkit maintains appropriate documentation regarding our processing activities.
The GDPR will introduce a duty on Data Controllers to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. There is an obligation on us to inform you of a data breach. This is also set out in our new GDPR compliant terms and conditions (licence agreement).
This says: “The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
Whilst we do not believe Myhrtoolkit is required by law to appoint a DPO, we have made the decision to appoint one nonetheless. Myhrtoolkit have appointed a data protection officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about data protection, including any requests to exercise your legal rights, please contact your employer first. If you are not able to resolve the issue, please contact myhrtoolkit’s DPO using the details set out below.
| Full name of legal entity: | Myhrtoolkit Limited |
| Name or title of DPO: | Managing Director |
| Telephone number: | 0345 225 0414 |
| Postal address: | Edmund House, 233 Edmund Road, Sheffield S2 4EL |
There are restrictions on the transfer of personal data outside the European Union to third countries or international organisations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Our servers are located wholly within the EEA. Our hosting partner is Google Cloud Platform (GCP), with additional backup storage on Amazon S3.
Most of the obligations concerning individuals’ rights fall on the Data Controller directly. However, we will be happy to assist as and when required.
Where personal data is processed, the Data Controller is required to provide the data subject with specified information.
We provide our users with ‘fair processing information’ through privacy policies, to provide transparency in how personal data is used. We have a number of different privacy policies, dependent on your relationship with myhrtoolkit.
The act ensures that individuals have the right to obtain:
An individual user can make a Subject Access request to see what information is held about them. In most cases and in the first instance, this request will be made to the Data Controller. Details of our process can be found on our page about GDPR and Subject Access Requests.
Article 16 states that the Data Subject shall have the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning him or her.
The myhrtoolkit system provides controllers with full editable access to all data subjects and their data as standard.
This provides the right to erasure, also known as ‘the right to be forgotten’. For users of myhrtoolkit this is likely to occur where either
Myhrtoolkit provides tools for controllers that control how leaver data is managed via policy settings. There are also options to amend some user data manually, such as file notes and audit data. A full delete is also provided. [user guide coming soon]
This part of the act says “The data subject shall have the right to obtain from the controller restriction of processing” under a number of circumstances.
When processing is restricted, you are permitted to store the personal data, but not to process it further. You can retain just enough information about the individual to ensure that the restriction is respected in future.
The scope of this right is limited by the circumstances and will depend on the situation.
This sets out how Data Controllers must communicate any rectification to or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17 and 18. This must be to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Myhrtoolkit provides portability, primarily via .csv format spreadsheets; for guidance see our support guide on exporting employee data.
Individuals have the right to object to processing that falls into a number of different categories:
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Myhrtoolkit does not undertake any processing that falls into this category.