GDPR - Policy

Myhrtoolkit GDPR policy

The General Data Protection Regulation (GDPR) confers statutory rights on individuals and places responsibilities and obligations on organisations. The sections below describe the key areas and highlight how myhrtoolkit fulfils its responsibilities.
Any references to the GDPR below are by necessity summarised and cannot be relied upon as legal advice. We would recommend referring to the Regulation and obtaining appropriate legal advice.

Data Controllers and Data Processors


Data Controller

Individual customers act as Data Controllers and are responsible for all data input, modification and deletion from the system. They are also responsible for ensuring that they have a suitable policy in place, which sets out the data which is processed and the lawful basis for that processing. This is not myhrtoolkit’s responsibility.

Data Processor

The myhrtoolkit online HR system is provided by Myhrtoolkit Limited, who act as the Data Processor.

Some elements of the GDPR apply to both parties, others to just one.

Our Agreement

End Customers

Our agreement with end customers is contained primarily within a licence agreement. This is available within the myhrtoolkit system.

Individual Users

Individual users of the system can read our User Guidance.
Both the licence agreement and user guidance should be read in conjunction with our Privacy Policy for Users.

Obligations on us as a Data Processor


Article 30: Documentation

Each data processor shall maintain a record of all categories of processing activities carried out on behalf of a data controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
(b) the categories of processing carried out on behalf of each controller
(c) any transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
(d) a general description of the technical and organisational security measures.
Myhrtoolkit maintains appropriate documentation regarding our processing activities.

Article 33 / 34: Breach notification

The GDPR will introduce a duty on Data Controllers to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. There is an obligation on us to inform you of a data breach. This is also set out in our new GDPR compliant terms and conditions (licence agreement).

Article 37: Data Protection Officer (DPO)

This says: “The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
Whilst we do not believe Myhrtoolkit is required by law to appoint a DPO, we have made the decision to appoint one nonetheless. Myhrtoolkit have appointed a data protection officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about data protection, including any requests to exercise your legal rights, please contact your employer first. If you are not able to resolve the issue, please contact myhrtoolkit’s DPO using the details set out below.

Full name of legal entity: Myhrtoolkit Limited
Name or title of DPO: Managing Director
Email address:
Telephone number: 0345 225 0414


Article 44: Transfers of personal data to third countries or international organisations

There are restrictions on the transfer of personal data outside the European Union to third countries or international organisations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Our servers are located wholly within the EEA. Our hosting partner is Google Cloud Platform (GCP), with additional backup storage with Amazon S3.

Rights of Individuals under GDPR

Most of the obligations concerning individuals’ rights fall on the Data Controller directly. However, we will be happy to assist as and when required.

Article 13: Right to be informed

Where personal data is processed, the Data Controller is required to provide the data subject with specified information.
We provide our users with ‘fair processing information’ through privacy policies, to provide transparency in how personal data is used. We have a number of different privacy policies, dependent on your relationship with myhrtoolkit.
You can view our privacy policy for users to find out more.

Article 15: Right of access

The act ensures that individuals have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information such as a Privacy Policy

An individual user can make a Subject Access request to see what information is held about them. In most cases and in the first instance, this request will be made to the Data Controller. Details of our process can be found on our page about GDPR and Subject Access Requests.

Article 16: Right to rectification

Article 16 states that the Data Subject shall have the right to obtain from their Data Controller, without undue delay, the rectification of inaccurate personal data concerning him or her.
The myhrtoolkit system provides controllers with full editable access to all data subjects and their data as standard.

Article 17: Right to erasure (the right to be forgotten)

The right to erasure is also known as ‘the right to be forgotten’. For users of myhrtoolkit this is likely to occur where either:

  • they leave their current organisation – we provide organisations with configurable deletion tools to manage this (Leavers Support Guide)
  • their organisation ceases to use the myhrtoolkit system – There is a robust process in place to delete all Personal Data

Myhrtoolkit provides controllers with tools to control, via policy settings, how leaver data is managed. There are also options to amend some user data manually, such as file note and audit data. A full delete is also provided. [user guide coming soon].

Article 18: Right to restrict processing

This part of the act says “The data subject shall have the right to obtain from the controller restriction of processing” under a number of circumstances.
“When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.”
The scope of this right is limited by the circumstances and will depend on the situation.

Article 19: Right to Notification regarding any rectification or erasure of personal data or restriction of processing

This sets out how Data Controllers must communicate any rectification or erasure of personal data, or restriction of processing, carried out in accordance with Articles 16, 17 and 18. This must be communicated to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

Article 20: The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Myhrtoolkit provides portability, primarily via .csv format spreadsheets; for guidance see our support guide on exporting employee data.

Article 21: Right to object

Individuals have the right to object to processing that falls into a number of different categories:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.


Article 22: Rights related to automated decision making and profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Myhrtoolkit does not undertake any processing that falls into this category.

