Last Updated: May 2018
The General Data Protection Regulation (GDPR) is a new set of rules designed to improve data privacy and create consistent privacy laws across the European Union. Effective May 25, 2018, the GDPR was created to replace the 1995 EU Directive as well as fragmented national data privacy laws. The Regulation makes companies and subcontractors more responsible for protecting individuals’ personal data.
As a French-born company, PeopleDoc is fully committed to GDPR compliance across PeopleDoc services. We have updated our data protection policies and practices and we are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts.
Data Processing Agreements
PeopleDoc is considered a Data Processor and shall help and cooperate with Data Controllers (Customers) in their obligations regarding data protection laws and regulations. The only exception to this is the PeopleDoc Service MyPeopleDoc (“MyPeopleDoc”), where PeopleDoc acts as a Data Controller.
PeopleDoc has made available for its Customers a Data Processing Agreement. For additional information, please contact firstname.lastname@example.org.
Processing According to Instructions
PeopleDoc processes customer data only at the express instruction of Customers (Data Controllers) and does not profile or use our clients’ personal data for advertising purposes.
Personnel Confidentiality Commitments
All PeopleDoc employees are required to sign a confidentiality agreement and complete mandatory security and privacy trainings that specifically address responsibilities and expected behaviour with respect to the protection of information.
PeopleDoc directly conducts the majority of data processing activities required to provide the PeopleDoc Services. However, we do engage some third-party vendors to assist in supporting specific parts of these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver at least the same level of security and privacy that PeopleDoc offers its Customers.
We make information available about PeopleDoc sub-processors here and we include commitments relating to sub-processors in our agreements.
PeopleDoc operates an infrastructure designed to provide security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with privacy safeguards and secure communications between PeopleDoc Services.
A more detailed discussion of our Infrastructure Security can be found in our Security e-book.
Our customers and regulators expect independent verification of security, privacy, and compliance controls. PeopleDoc undergoes independent third-party audits on a regular basis to provide this assurance.
ISO/IEC 27001:2013 (Cloud Security)
ISO 27001 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. PeopleDoc has been certified compliant with ISO
SSAE16 / ISAE 3402 (SOC 2)
The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. PeopleDoc has the SOC 2 report for the PeopleDoc Services.
Data Subject's Rights
Customers can use the PeopleDoc Services functionalities to help access, rectify, restrict the processing of, or delete any data on our systems. Furthermore, PeopleDoc is fully available to assist Customers fulfilling data subjects rights and requests.
Data Protection Team
PeopleDoc customers have a dedicated team where data protection related
PeopleDoc will promptly inform Customer and Data Subjects, when applicable, of incidents involving personal data.
Administrators can export data, via the functionalities available in PeopleDoc Services, at any time during the term of the agreement.
When PeopleDoc receives a complete deletion instruction from Customer (such as when a deleted document can no longer be recovered from the “trash”), the relevant data will be deleted from all systems unless retention obligations apply.
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
Appropriate safeguards can be provided for by standard contractual clauses; An adequate level of protection can be confirmed by adequacy decisions such as the ones that
PeopleDoc contractually commits to maintain a mechanism that facilitates transfers of personal data outside of the EU, as required by the GDPR.