Compliance with the GDPR ruling
What is GDPR?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
Is GDPR relevant to me?
If you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. Here is a helpful article on the GDPR if your company is outside of the EU.
How can TimeMoto help you stay GDPR Compliant?
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject. All data is shared with both the employer and employee. The employee can individually access all their data from the TimeMoto Cloud application or through any Time Clock.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it. Use the TimeMoto Cloud features to collect the relevant information to stay compliant with your local labour law.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified. Check out your local labour laws to understand what that means for you.
Accuracy — You must keep personal data accurate and up to date. Employees can review and change their personal data at any time on any Time Clock or on their TimeMoto Cloud account.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose. All data is stored on the Cloud. With the Cloud Essential Plan or Plus Plan we can hold unlimited data history. Even with a Free Plan we will hold up to 3 months of data history.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption). All our Time Clocks are integrated with the latest encryption technology to protect the identification method of their users. See the Time Clocks page for more information.
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Terminology used in Article 5.1-2:
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
Data subject — The person whose data is processed. These are your customers or site visitors or, in TimeMoto’s case, employees and the employer.
Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. This refers to cloud servers like TimeMoto.