Sales: 91 Wimpole Street, London, W1G 0EF
+44 020 35147594
Click here to contact us
On the 25th of May 2018, a European privacy law, known as the General Data Protection Regulation (GDPR) went into effect. The law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents. The GDPR applies no matter where you are located.
The GDPR strengthens the rights that individuals have, regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
"Controller” – means the natural or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…". From the point of view of Exelsys HCM this is the customer who is using Exelsys.
"Processor” - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.". From the point of view of Exelsys this is Exelsys.
The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.
Exelsys customers will typically act as the Data Controller for any personal data they provide to the Exelsys platform with regard to their use of the Exelsys HCM Online Service. The Data Controller determines the purposes and means of processing personal data, while the Data Processor processes data on behalf of the Data Controller. In this context of the GDPR terminology Exelsys is a Data Processor and processes personal data on behalf of the Data Controller.
Through self-service, Exelsys provides access to personal data and each data subject is able to view the data maintained by the Data Controller. Also the functionality exists which allows the data Controller to erase the data of data subjects completely or to anonymise it, removing any personal identification which can link the data to the person who requested "to be forgotten".
Exelsys uses the Microsoft Azure Platform, which is a very secure cloud platform managed by Microsoft. Azure helps to provide highly secure, available and scalable applications. Microsoft has achieved security compliance audit certifications for Windows Azure services from various compliance regulators (ISO 27001, SSAE 16, ISAE 3402, ISO 22301:2012, EU Model Clauses and HIPAA BAA).
Exelsys allows the Data Controller if requested by a data subject to export the data subject’s data to an XML file. This may be required for moving personal data from one employer to another. Data administrators have at their disposal a variety of tools for exporting data.
Exelsys is committed to maintain a high level of security, to meet all GDPR expectations which apply to Data Processors. By using the Exelsys HCM online service, we can be assured that Exelsys has the technical infrastructure in place which goes above and beyond regulation requirements.
Data Controllers in addition to other requirements, are required to only use Data Processors that provide adequate guarantees to implement appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR.
Here is how Exelsys is addressing various aspects of the GDPR regulation:
Exelsys Limited, Reg. No. 6807312
Registered Office: 21 Aylmer Parade, Aylmer Road, London N2 0AT, United Kingdom
Sales Office: Office: 12 Burleigh Street, London WC2E 7PX, United Kingdom