The General Data Protection Regulation (GDPR)

On the 25th of May 2018, a European privacy law, known as the General Data Protection Regulation (GDPR), will go into effect. The law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents. The GDPR applies no matter where you are located.

The GDPR strengthens the rights that individuals have regarding personal data relating to them, and seeks to unify data protection laws across Europe, regardless of where that data is processed.


  • Individuals will have greater control of who has their data, and how it will be used
  • Organizations must report on data breaches within 72 hours
  • Organizations will be bound by more stringent rules for obtaining consent from individuals on how their data can be used

What are the requirements?

"Controller" – "means the natural or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…". From the point of view of Exelsys HCM this is the customer who is using Exelsys.

"Processor" – "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." From the point of view of Exelsys this is Exelsys.


The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.

Exelsys customers will typically act as the Data Controller for any personal data they provide to the Exelsys platform with regard to their use of the Exelsys HCM Online Service. The Data Controller determines the purposes and means of processing personal data, while the Data Processor processes data on behalf of the Data Controller. In GDPR terminology, Exelsys is a Data Processor and processes personal data on behalf of the Data Controller.

The right to access and be forgotten

Through self-service, Exelsys provides access to personal data, and each data subject is able to view the data maintained by the Data Controller. Functionality also exists which allows the Data Controller to erase the data of data subjects completely or to anonymise it, removing any personal identification which can link the data to the person who requested "to be forgotten".


Secure Infrastructure

Exelsys uses the Microsoft Azure Platform, which is a very secure cloud platform managed by Microsoft. Azure helps to provide highly secure, available and scalable applications. Microsoft has achieved security compliance audit certifications for Windows Azure services from various compliance regulators (ISO 27001, SSAE 16, ISAE 3402, ISO 22301:2012, EU Model Clauses and HIPAA BAA).



Data Portability

Exelsys allows the Data Controller, if requested by a data subject, to export the data subject's data to an XML file. This may be required for moving personal data from one employer to another. Data administrators have at their disposal a variety of tools for exporting data.


How is Exelsys addressing the GDPR requirements?

Exelsys is committed to maintaining a high level of security, to meet all GDPR expectations which apply to Data Processors. Customers using the Exelsys HCM online service can be assured that Exelsys has the technical infrastructure in place which goes above and beyond regulation requirements.


Data Controllers, in addition to other requirements, are required to only use Data Processors that provide adequate guarantees to implement appropriate technical and organisational measures, so that data processing will meet the requirements of the GDPR.


Here is how Exelsys is addressing various aspects of the GDPR regulation:


FAQ
The Exelsys Privacy Statement as well as the Terms of Service are readily available from within the platform and can be viewed by any individual who has a right to access the Exelsys Online Service. The Exelsys Policies have been updated to be GDPR compliant.
Exelsys employees are required to sign a confidentiality agreement and commit to abide by the Exelsys Information Security Policy, as well as to attend relevant training. The Exelsys Information Security Policy outlines expected behaviour with respect to the protection of information.
Exelsys is based on Windows Azure PaaS, an infrastructure from Microsoft that provides the security, performance, and reliability normally found in only the most sophisticated IT departments. The cloud model allows companies of all shapes and sizes to leverage this infrastructure, which would otherwise be out of reach for most. Azure is a secure, rock solid, open and flexible cloud platform managed by Microsoft. Azure helps us to provide highly secure, available, scalable applications and deliver great SaaS solutions to customers anywhere around the world.
The Exelsys Terms of Service have been updated to commit Exelsys to notifying the Data Controller within 72 hours of any data breach.
According to the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Exelsys operates global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication, and safe operation by administrators.
Exelsys is committed to maintaining a high level of security, to meet all GDPR expectations which apply to Data Processors. Exelsys utilises the Microsoft Azure platform and uses the Azure PaaS model. It therefore takes full advantage of the security features available in Windows Azure Cloud Services. Microsoft has achieved security compliance audit certifications for Windows Azure services from various compliance regulators (ISO 27001, SSAE 16, ISAE 3402, ISO 22301:2012, EU Model Clauses and HIPAA BAA). Exelsys customers can be confident that their data is safely guarded during transmission, storage and processing in the cloud.
In addition to the above features and functionality, Azure SQL Database also participates in regular audits and has been certified against a number of compliance standards. For more information, see the Microsoft Azure Trust Center, where you can find the most current list of SQL Database compliance certifications. Exelsys uses encryption to protect data in transit and at rest. Data in transit to Exelsys is protected using HTTPS, which is activated by default for all users. Exelsys HCM encrypts content stored at rest, without any action required from customers, using one or more encryption mechanisms.
Exelsys HCM is a multi-tier application in which information travels through different layers. In an N-tier architecture, "n" is the number of distinct tiers that the application is broken into. By deconstructing the main building blocks into tiers, each tier can be separated, distributing the processing load and increasing the security and scalability of the application. Windows Azure runs in geographically dispersed data centres managed and operated by Microsoft, delivering a 99.95% service-level agreement for high availability. Microsoft operations staff have years of experience in delivering the world's largest online services with 24/7 continuity.
Users access the Exelsys application by providing a user code and password. Password complexity and other password attributes are controlled by the security profile associated with the user account. Each company administrator can create a number of security profiles and associate them with user accounts. Passwords are protected twice: the application stores them only as hashes, and the SSL/TLS transmission protocol encrypts them in transit.
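The two mechanisms described above, a per-account complexity profile and hashed storage, are illustrated below with an added example. This is not Exelsys code and nothing here is taken from the Exelsys platform; the `SecurityProfile` fields, the rule names and the storage format are assumptions constructed for the example. It uses salted PBKDF2-HMAC-SHA256 (Python's standard library) and a constant-time comparison for verification, so that the stored record never contains the password and two users with the same password get different records.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecurityProfile:
    """Hypothetical password rules attached to a user account (constructed for this example)."""
    min_length: int = 12
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True


def check_complexity(password: str, profile: SecurityProfile) -> List[str]:
    """Return the list of profile rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < profile.min_length:
        problems.append(f"shorter than {profile.min_length} characters")
    if profile.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if profile.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if profile.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


# Iteration count from the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest (format is an assumption)."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    profile = SecurityProfile()
    for candidate in ("password", "Tr0ub4dor&3x1Long"):
        print(candidate, "->", check_complexity(candidate, profile) or "ok")
    record = hash_password("Tr0ub4dor&3x1Long")
    print(record)
    print("login ok:", verify_password("Tr0ub4dor&3x1Long", record))
    print("wrong password ok:", verify_password("Tr0ub4dor&3x1Wrong", record))
```

The point of the constant-time comparison and the random salt is defensive: a leaked table of records reveals neither the passwords nor which accounts share one, and the verify step leaks no timing information about how many digest bytes matched.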
Exelsys maintains detailed audit logs of any data changes recording the user, the data changed and the date and time that the change occurred. In addition, Exelsys keeps a detailed log of all the data processing operations, showing the function used to access or process data, the user who executed it and the date and time it occurred.
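The paragraph above describes two logs: a change log (who changed which data, and when) and a processing log (which function was executed, by whom, and when). The following added example, which is not Exelsys code and makes no claim about how the Exelsys platform stores its logs, shows one way to build both from a before/after snapshot of a record. The field names, the `SENSITIVE_FIELDS` set and the sample employee record are constructed assumptions; the masking of sensitive values keeps the audit trail itself from becoming a second copy of the personal data it is meant to protect.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed for this example: fields whose values are masked in the log rather than stored in clear.
SENSITIVE_FIELDS = {"national_id", "bank_account"}


def mask(value: Any) -> Any:
    """Keep only the last four characters so an auditor can confirm a change without seeing the value."""
    if value is None:
        return None
    text = str(value)
    return "***" + text[-4:]


@dataclass(frozen=True)
class ChangeEntry:
    user: str
    timestamp: str
    record_id: str
    field_name: str
    old_value: Any
    new_value: Any


@dataclass(frozen=True)
class ProcessingEntry:
    user: str
    timestamp: str
    function_name: str
    record_id: Optional[str]


class AuditLog:
    def __init__(self) -> None:
        self.changes: List[ChangeEntry] = []
        self.processing: List[ProcessingEntry] = []

    @staticmethod
    def _stamp(now: Optional[datetime]) -> str:
        # Always log in UTC so entries from different regions order correctly.
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_change(self, user: str, record_id: str, before: Dict[str, Any],
                      after: Dict[str, Any], now: Optional[datetime] = None) -> List[ChangeEntry]:
        """Diff two snapshots of a record and append one entry per changed field."""
        ts = self._stamp(now)
        new_entries = []
        for key in sorted(set(before) | set(after)):
            old, new = before.get(key), after.get(key)
            if old == new:
                continue  # unchanged fields produce no entry
            if key in SENSITIVE_FIELDS:
                old, new = mask(old), mask(new)
            new_entries.append(ChangeEntry(user, ts, record_id, key, old, new))
        self.changes.extend(new_entries)
        return new_entries

    def record_processing(self, user: str, function_name: str, record_id: Optional[str] = None,
                          now: Optional[datetime] = None) -> ProcessingEntry:
        """Log that a user executed a data-processing function, whether or not data changed."""
        entry = ProcessingEntry(user, self._stamp(now), function_name, record_id)
        self.processing.append(entry)
        return entry

    def changes_by(self, user: str) -> List[ChangeEntry]:
        """Answer the common audit question: what did this user change?"""
        return [e for e in self.changes if e.user == user]


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample record before and after an HR administrator edits it.
    before = {"name": "A. Example", "salary": 40000, "bank_account": "GB00TEST1234"}
    after = {"name": "A. Example", "salary": 42000, "bank_account": "GB00TEST9999"}
    log.record_processing("hr_admin", "update_employee", "emp-001")
    for entry in log.record_change("hr_admin", "emp-001", before, after):
        print(entry)
```

Storing the diff rather than the whole record keeps the log small and, combined with masking, means a "right to be forgotten" erasure of the employee record does not leave full copies of the personal data behind in the audit trail.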
Exelsys HCM processes data according to the instructions of Data Controller Administrators. Data Controller Administrators execute functions of the system to process data. For any other processing required by the customer (Data Controller) that cannot be done by the Data Controller Administrators using the Exelsys HCM Platform functionality, customers are required to submit clear instructions to Exelsys in writing.
Exelsys backs up the encrypted data daily, retaining 30 days of history using the Azure point-in-time restore mechanism. In addition, Exelsys uses Active Geo-Replication: a separate readable secondary database is maintained in a different region from the primary data centre, and can be switched over in case of a disaster in the primary data centre.
Our customers and regulators expect independent verification of security, privacy, and compliance controls. Exelsys does regular vulnerability and penetration tests at least once a year, conducted by companies who are Qualified Security Assessors (QSA).
Exelsys uses Microsoft as a sub-processor as described above to provide the data centre infrastructure and database services. No other sub-processors are being used.
Data Controller Administrators can export customer data, via the functionality of Exelsys HCM, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force, and working to enhance the robustness of the data export capabilities. Data Controller Administrators can also delete customer data, via the functionality of Exelsys HCM Online Service, at any time. When Exelsys receives a complete deletion instruction from a customer who terminates the service, Exelsys will delete the relevant customer data from all its systems within a maximum period of 45 days. Data Controller Administrators have at their disposal several functions allowing them to delete data that is no longer necessary to the company, such as old job applicants.
Exelsys is designed to provide for 99.95% availability with very fast transaction times. When customers sign up they have the option to select to have their data located in the Microsoft Azure Data Centre in the UK or the Netherlands. In addition to the main data centre selected, the data, as part of the disaster recovery policy, is also stored in another Microsoft Azure Data Centre within the European Union, usually in Ireland. In the case of a technical or physical incident that prevents access to the data in the main data centre, access can be restored using the backup site in a timely manner.