General Data Protection Regulation

Last Updated: November 2020

What is the General Data Protection Regulation? 

The General Data Protection Regulation (GDPR) is a new set of rules designed to improve data privacy and create consistent privacy laws across the European Union. Effective May 25, 2018, the GDPR was created to replace the 1995 EU Directive as well as fragmented national data privacy laws. The Regulation makes companies and subcontractors more responsible for protecting individuals’ personal data.

Data Protection Commitments

As a French-born company, PeopleDoc is fully committed to GDPR compliance across PeopleDoc services. We have updated our data protection policies and practices and we are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts.

Data Processing Agreements

PeopleDoc is considered a Data Processor and shall help and cooperate with Data Controllers (Customers) in their obligations regarding data protection laws and regulations. The only exception to this is the PeopleDoc Service MyPeopleDoc (“MyPeopleDoc”), where PeopleDoc acts as a Data Controller. 

PeopleDoc has made available for its Customers a Data Processing Agreement. For additional information, please contact privacy@people-doc.com.

Processing According to Instructions

PeopleDoc processes customer data only at the express instruction of Customers (Data Controllers) and does not profile or use our clients’ personal data for advertising purposes.

Personnel Confidentiality Commitments 

All PeopleDoc employees are required to sign a confidentiality agreement and complete mandatory security and privacy trainings that specifically address responsibilities and expected behaviour with respect to the protection of information.

 ____________________

Use of Sub-Processors

PeopleDoc directly conducts the majority of data processing activities required to provide the PeopleDoc Services. However, we do engage some third-party vendors to assist in supporting specific parts of these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver at least the same level of security and privacy that PeopleDoc offers its Customers.

We make information available about PeopleDoc sub-processors here and we include commitments relating to sub-processors in our agreements.

 ____________________

Security Standards and Certifications

PeopleDoc operates an infrastructure designed to provide security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with privacy safeguards and secure communications between PeopleDoc Services.

Our customers and regulators expect independent verification of security, privacy, and compliance controls. PeopleDoc undergoes independent third-party audits on a regular basis to provide this assurance.

ISO/IEC 27001:2013 (Cloud Security)

ISO 27001 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. PeopleDoc has been certified compliant with ISO:IEC 27001:2013 for PeopleDoc Services.

SSAE16 / ISAE 3402 (SOC 2)

The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. PeopleDoc has the SOC 2 report for the PeopleDoc Services.

 ____________________

Cooperation with the Customers (Data Controllers)

Data Subject's Rights

Customers can use the PeopleDoc Services functionalities to help access, rectify, restrict the processing of, or delete any data on our systems. Furthermore, PeopleDoc is fully available to assist Customers fulfilling data subjects rights and requests.

Data Protection Team

PeopleDoc customers have a dedicated team where data protection related enquiries can be directed at privacy@people-doc.com.

Incident Notifications

PeopleDoc will promptly inform Customer and Data Subjects, when applicable, of incidents involving personal data.

 ____________________

Data Return and Deletion 

Administrators can export data, via the functionalities available in PeopleDoc Services, at any time during the term of the agreement. 

When PeopleDoc receives a complete deletion instruction from Customer (such as when a deleted document can no longer be recovered from the “trash”), the relevant data will be deleted from all systems unless retention obligations apply.

 ____________________

International Data Transfers 

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Appropriate safeguards can be provided for by standard contractual clauses; An adequate level of protection can be confirmed by adequacy decisions such as the ones that supports the EU-U.S.and Swiss Privacy Shields. 

PeopleDoc contractually commits  to maintain a mechanism that facilitates transfers of personal data outside of the EU, as required by the GDPR.

 ____________________

HR Service Delivery GDPR Fact Sheets

• UKG HR Service Delivery’s Workflow Manager (Process Automation), incl. Robotic Process Automation
  
  
• UKG People Assist (Employee Case Management), incl. Knowledge Portal
  
  
• UKG Document Manager (Employee File Management), incl. Smart Document Generation and eSignature

 ____________________