WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is a cornerstone of EU privacy law, which aims to protect the personal data of individuals being used by organisations. The Regulation took effect from 25 May 2018, binding enterprises to compliance if they wish to operate within the European Union. The objective of the Regulation is to:
“Protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
In GDPR terms, personal data means any information relating to a person or any information which can be used to identify a person. Resultantly, any collection, use and storage of personal data by a company is subject to the rules within the GDPR.
In summary, the rights given to Data Subjects under GDPR, gives them the powers to hold both Controllers and Processors accountable for the lawful processing of that Data Subject’s personal information.
CONTROLLERS, PROCESSORS AND DATA SUBJECTS
In GDPR terms, a Controller is the natural or legal person who, alone or jointly, determines the means of the processing of personal data.
A Processor is any natural or legal person who processes personal data on the behalf of the controller.
A Data Subject is the natural person to whom the personal data being processed relates.
Putting this into context, you, the Client are the Controller for your Employees’ or Data Subjects’ personal data. SimplePay is acting as a Processor for your benefit, processing your employees’ personal data in order to assist you in your payroll obligations. The relevance of this is that a party’s role determines their rights, obligations and liabilities.
SIMPLEPAY AND GDPR: OVERVIEW
As a processor in terms of Article 4, SimplePay processes data on behalf of other organisations (Controllers). In exercising our responsibilities as a processor, we also aim to ensure that you remain compliant with the same ease to which you’ve become accustomed.
That’s why, although we always have and always will take our privacy obligations seriously, in 2018 we embarked on a thorough and multi-faceted programme to identify and rectify any shortcomings in our policies and / or processes. Luckily, as privacy and confidentiality are cornerstones of our system and culture, we found we were already largely compliant. Below are some of the projects we’ve undertaken since the GDPR’s enactment to ensure any compliance gaps were closed:
DATA PROTECTION OFFICER
Pursuant to Article 37 GDPR, SimplePay has designated the role of a Data Protection Officer (DPO) within the company. Our DPO’s role, amongst other duties, includes advising SimplePay and its employees on their obligations under the GDPR, monitoring compliance and liaising with the Data Protection Commission (DPC).
Should you need to contact SimplePay’s Data Protection Officer, you can do so at [email protected].
EXERCISE OF DATA SUBJECTS’ RIGHTS
Under GDPR, individuals have enhanced rights in respect of the data they share with processors and controllers:
Further detail on these rights can be found in Chapter 3 GDPR. In light of these rights, we have implemented internal policies and workflows to allow us to respond to requests within the required timeframe.
SimplePay implemented additional functionality to ensure full compliance with the GDPR in the following scenarios:
Requests in terms of the above will need to be made by full access users. Any employee queries will be directed to the relevant full access administrator on the account for actioning in their capacity as a Controller. If a situation arises where such a request cannot be complied with by the administrator (Controller), SimplePay will assess the situation and assist to the best of our ability, in alignment with the GDPR.
As we are based outside of the EU, Article 27 required that we appoint an EU representative to handle certain data subject requests and queries. In compliance with this, we have appointed DataRep to act as our representative. Any queries requiring the input of our representative, should please be directed to them as follows:
Data Protection Representative Limited
(Company number: 616588)
12 Northbrook Road
Republic of Ireland
Please note that if you choose to mail your enquiry, it is essential that you mark your letters for “DataRep” and not “SimplePay”, or your enquiry may not reach them. Please refer clearly to SimplePay in your correspondence.
We will gladly provide a copy of the written confirmation of appointment if necessary.
THIRD PARTY APPS, SUPPLIERS AND INTEGRATIONS
We have researched and confirmed that all apps and suppliers we use as well as those with which we integrate are fully GDPR compliant. Below you will find links to the GDPR pages of our partners, integrated apps and internal tools: