Under the terms of the GDPR, LeaveWizard is a data processor and our customers are the data controllers. We collect the data of customers and their staff members to enable us to perform services that we have been contracted to provide. This is our lawful basis for processing under Article 6 of the GDPR. As the data controller, the customer determines what purposes the data held will be used for.
We only ever process personal data for the purposes for which it is collected and we only collect the data that we need to enable us to carry out our contract with the customer. We have systems in place to ensure that data is kept up to date as much as possible. Data subjects have the ability to update their data directly to ensure this is the case.
We have a data retention policy that sets out our procedures for the retention and disposal of the data that we hold to ensure that personal data is not stored for longer than is necessary. This is detailed in our Terms and Conditions clause 14.5 and our full policy is available on request.
The LeaveWizard app enables users to directly manage, rectify and update their data as required, depending on the settings their administrator as the data controller has configured. We also have processes in place to permanently cease processing personal data where required to do so and to delete specific data from servers and databases, backups and applications.
Under the GDPR, everyone has the right to obtain confirmation that their data is being processed and to have access to that data. Such a request is a Subject Access Request (SAR). As a data processor, LeaveWizard does not have direct responsibility for responding to a SAR. This responsibility lies with the data controller, which is the company or organisation with which LeaveWizard has a contract. However, we recognise the importance of providing full support to our customers as data controllers to enable them to respond to SARs in the required time. We have a documented procedure in place to ensure that we can support SARs quickly and efficiently. More information is available on request.
We have a comprehensive Information Security Management System which provides technical, administrative and physical safeguards for the personal information we process and store. This includes specific policies regarding Information Security, Data Retention and other areas. Our work is also governed by a Data Protection Policy which describes how data must be collected, handled and stored to meet the company’s data protection standards and to comply with the requirements set out by the GDPR. More information is available on request.
When your data is moving between you and us, everything is encrypted and sent securely using HTTPS. We also encrypt your data at rest using Transparent Data Encryption.
Personal data is stored in the Microsoft Azure Public cloud hosted in their Northern and West Europe data centres.
Microsoft’s computers are housed in secure data centres with heavily restricted access and numerous levels of security, including firewalls and passwords, to prevent unauthorised access to those servers. Microsoft provide comprehensive details on Azure Security and Privacy.
Customer data is retained for the duration of the customer's contract with LeaveWizard. If the contract is terminated, we retain the data for a further 30 days to allow the customer to extract any data they may wish to keep and to allow for the account to be closed. After that the data is anonymised, unless the customer requests deletion in a shorter time frame. A backup of customer data is retained for 180 days after the end of a contract, after which time it is deleted. See clause 14.5 of our Terms & Conditions.
All data is stored in a secure, encrypted, remote backup system. All data is backed up frequently, and those backups are tested regularly, to ensure that we can respond quickly and restore data quickly in the event of an incident.
We have a plan in place which sets out the initial steps that must be followed in the event of a data breach to investigate and contain the breach, as well as a recovery plan including damage limitation if necessary. To date we have never had a security breach.
Our documented breach management plan ensures that the data controller will be immediately notified in the event of a breach. The plan gives our employees clear guidance about when notification is required and what information needs to be reported.
As detailed in our Terms & Conditions clause 7.8, all data transfers to countries that are outside of the EEA or that are not recognised as offering adequate levels of protection have been undertaken through one of the following mechanisms: (a) in accordance with the Swiss-US and EU-US Privacy Shield Framework and Principles issued by the US Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (the Privacy Shield Principles) or (b) the Standard Contractual Clauses.
As detailed in our Terms & Conditions clause 8.4, we work with a number of authorised subcontractors to enable us to deliver the LeaveWizard service. A list of our current authorised subcontractors is available on our website. At least 10 days before enabling a new subcontractor to access or process personal data, we will add the subcontractor to the list, to which customers can subscribe for updates via email. Any customer can object to the engagement of the new subcontractor in writing within ten days, after which time the new subcontractor will be deemed as approved.
We have ensured that all the approved subcontractors we currently work with are GDPR compliant and we have ensured through our contracts with them that they are subject to the same obligations regarding privacy and security of personal data as we are.
Rich Allen is responsible for data protection matters and GDPR compliance. You can contact him by emailing [email protected]