GDPR: Frequently asked questions

Are you a data controller or processor?

Under the terms of the GDPR, LeaveWizard is a data processor and our customers are the data controllers. We collect the data of customers and their staff members to enable us to perform services that we have been contracted to provide. This is our lawful basis for processing under Article 6 of the GDPR. As the data controller, the customer determines what purposes the data held will be used for.


Data Protection Principles


Do you process data in accordance with the data protection principles of accuracy and minimisation?

We only ever process personal data for the purposes for which it is collected and we only collect the data that we need to enable us to carry out our contract with the customer. We have systems in place to ensure that data is kept up to date as much as possible. Data subjects have the ability to update their data directly to ensure this is the case.


Do you have a data retention policy?

We have a data retention policy that sets out our procedures for the retention and disposal of the data that we hold to ensure that personal data is not stored for longer than is necessary. This is detailed in our Terms and Conditions clause 14.5 and our full policy is available on request.


Rights of data subjects


Are individuals able to have their data erased or rectified on request?

The LeaveWizard app enables users to directly manage, rectify and update their data as required, depending on the settings their administrator as the data controller has configured. We also have processes in place to permanently cease processing personal data where required to do so and to delete specific data from servers and databases, backups and applications.


Are individuals informed of their rights regarding the processing of their data?

Our Privacy Policy clearly sets out information for individuals about the way we collect and use their personal information and their rights in relation to this.


Access to personal data


Do you have a documented policy or procedure for handling Subject Access Requests (SARs)?

Under the GDPR, everyone has the right to obtain confirmation that their data is being processed and to have access to that data. A request of this kind is a Subject Access Request (SAR). As a data processor, LeaveWizard does not have direct responsibility for responding to a SAR. This responsibility lies with the data controller, which is the company or organisation with which LeaveWizard has a contract. However, we recognise the importance of providing full support to our customers as data controllers to enable them to respond to SARs in the required time. We have a documented procedure in place to ensure that we can support SARs quickly and efficiently. More information is available on request.


Information security


Do you have a documented programme that specifies the technical, administrative and physical safeguards for personal data?

We have a comprehensive Information Security Management System which provides technical, administrative and physical safeguards for the personal information we process and store. This includes specific policies regarding Information Security, Data Retention and other areas. Our work is also governed by a Data Protection Policy which describes how data must be collected, handled and stored to meet the company’s data protection standards and to comply with the requirements set out by the GDPR. More information is available on request.


Are industry standard encryption algorithms and technologies employed for transferring, storing, and receiving individuals' personal information?

When your data is moving between you and us, everything is encrypted and sent securely using HTTPS. We also encrypt your data at rest using Transparent Data Encryption.


Where do you host or store personal data?

Personal data is stored in the Microsoft Azure Public cloud hosted in their Northern and West Europe data centres.

Microsoft’s computers are housed in secure data centres with heavily restricted access and numerous levels of security, including firewalls and passwords, to prevent unauthorised access to those servers. Microsoft provide comprehensive details on Azure Security and Privacy.


How long do you hold data for? And how do you dispose of it when no longer needed?

Customer data is retained for the duration of the customer's contract with LeaveWizard. If the contract is terminated, we retain the data for a further 30 days to allow the customer to extract any data they may wish to keep and to allow for the account to be closed. After that the data is anonymised, unless the customer requests deletion in a shorter time frame. A backup of customer data is retained for 180 days after the end of a contract, after which time it is deleted. See clause 14.5 of our Terms & Conditions.


Can personal data be restored quickly in the event of a physical or technical incident?

All data is stored in a secure, encrypted, remote backup system. All data is backed up frequently, and those backups are tested regularly, to ensure that we can respond quickly and restore data quickly in the event of an incident.


Data breach response obligations


Do you have a documented plan for dealing with security breaches? Have you ever had a security breach?

We have a plan in place which sets out the initial steps that must be followed in the event of a data breach to investigate and contain the breach, as well as a recovery plan including damage limitation if necessary. To date we have never had a security breach.


Are procedures in place to notify data controllers in the event of a breach?

Our documented breach management plan ensures that the data controller will be immediately notified in the event of a breach. The plan gives our employees clear guidance about when notification is required and what information needs to be reported.


International data transfers


What is the legal transfer adequacy mechanism for transfers outside of the EEA?

As detailed in our Terms & Conditions clause 7.8, all data transfers to countries that are outside of the EEA or that are not recognised as offering adequate levels of protection have been undertaken through one of the following mechanisms: (a) in accordance with the Swiss-US and EU-US Privacy Shield Framework and Principles issued by the US Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (the Privacy Shield Principles) or (b) the Standard Contractual Clauses.


Use of sub-processors


What are your arrangements for using sub-processors?

As detailed in our Terms & Conditions clause 8.4, we work with a number of authorised subcontractors to enable us to deliver the LeaveWizard service. A list of our current authorised subcontractors is available on our website. At least 10 days before enabling a new subcontractor to access or process personal data, we will add the subcontractor to the list, to which customers can subscribe for updates via email. Any customer can object to the engagement of the new subcontractor in writing within ten days, after which time the new subcontractor will be deemed as approved.


Will your approved subcontractors be GDPR compliant?

We have ensured that all the approved subcontractors we currently work with are GDPR compliant and we have ensured through our contracts with them that they are subject to the same obligations regarding privacy and security of personal data as we are.


Do you have a data protection officer?

Rich Allen is responsible for data protection matters and GDPR compliance. You can contact him by emailing [email protected]