Kelio and GDPR
Speed up your GDPR compliance with Kelio software!
Introducing a workforce management and access control software solution means using and processing personal data. Organisations in the European Union must therefore comply with the requirements of the GDPR – the General Data Protection Regulation.
The GDPR regulation for HR and Access Control software
Any organisation in the European Union that processes its staff personal data is subject to the provisions of the GDPR, stipulating:
- security of personal data collected
- compliance with personal data legislation
- implementation of a responsible management approach towards this data (including a data breach alert procedure)
- appointment of a single contact person
Kelio software and compliance with the GDPR
Using workforce or access control software does not in itself guarantee GDPR compliance but is valuable in managing personal data correctly. With this software you can:
- redefine a framework for personal data processing
- centralise hosting and protect data better (secure system, access rights, etc.)
- respond more quickly and easily to requests to exercise rights
Kelio Time and Attendance, HR management and Access Control have been designed to assist organisations in complying with GDPR, by defining a framework for processing and protecting staff personal data.
"Privacy by design" in Kelio
Article 25.1: Privacy by Design consists of taking into account rights and obligations concerning personal data from the moment a processing activity is created or modified, and taking proactive measures to prevent any incidents relating to breach of privacy.
Mandatory data input fields restricted to the fields essential for the processing of an employee's contract. To comply with the right to consent (opt-in), and to avoid optional data being input without the consent of data subjects, configuration of Kelio user profiles can disallow the input of optional data.
Ultra-precise management of user rights, enabling the assignment of highly customised rights and the communication of relevant data to authorised persons only (assignment of rights by profile, by individual, by reason, by data field, etc.). By default, the software offers restricted access rights. Kelio allows you to give individual employees read-only or edit access to their HR file, for example.
"Privacy by default" in Kelio
Article 25.2: All personal data, in whatever format (paper, digital), whether sensitive or not, must be kept secure. An organisation must ensure that access to such data is protected (access control by badge, cabinets locked by key) but also preserve paper records against deterioration (protection from fire, water, etc.).
High data security in Kelio software: whether in licence mode (data encryption, regular security audits, required authentication, etc.) or in SaaS mode (highly secure hosting with ISAE3402 and ISO27001 certification, highly secure firewalls, backup redundancy, etc.).
Physical security of your buildings with Kelio Access Control, promoting personal data protection: lost access badges deactivated, authorised access rights aligned with staff attendance planning, monitoring of access events in the event of an incident, etc.
Exercising of rights relating to personal data
Article 12: Data subjects who have communicated their data (employees, customers) have certain rights in respect of their data. They are able to access, rectify, request erasure of their data, etc. The organisation must ensure that it is able to respect these rights at any time and for all processing activities and this within a maximum period of one month.
Right of access (Article 15) / rectification (Article 16): with Kelio, you can assign rights to employees allowing them to freely access their personal data and/or the right to modify their employee file with complete autonomy.
Right to be forgotten (Article 17): the deletion of data and all technical traces can be performed in Kelio software. This can be carried out by a Kelio administrator, on request from an individual with proof of identity. In HR, this right is restricted by the statutory obligations regarding retention and deletion of documents. Kelio includes a customisable automatic clearing function, to trigger the deletion of data once the relevant retention period has expired.
Data portability (Article 20): the reporting and export of data in standard formats (PDF, Excel, CSV) is offered by Kelio, enabling data extraction by software administrators.
Assistance in producing the minimum documentation requirement
The GDPR introduces the notion of the organisation's accountability. It has a duty to be proactive about data protection and to demonstrate this through the minimum documentation requirements.
Provision of a pre-completed template of the data processing register for Kelio, to facilitate completion of the minimum documentation requirement set out in the GDPR (Article 30).
The company's response to the GDPR
Companies and organisations (the "Data Controller") retain full responsibility for the management and protection of personal data, whether the processing activity is performed in-house or subcontracted to a third party.
The company is a "Data Processor" for its customers within the context of the services it provides in respect of hosting in SaaS mode, software integration and support/maintenance. Beyond the existing security measures already in place (software security, surveillance of premises, backups, regular security audits, etc.), we have implemented additional measures with a view to increasing its adherence to the requirements expressed by the GDPR
- Appointment of a Data Protection Officer (DPO), as per Article 37, and a data protection steering committee. Our DPO is the point of contact specialising in personal data protection responsible for maintaining privacy and correct application of the rules set out in the GDPR. This person establishes and oversees the Personnal Data Management Policy in the organisation. For all information:
- Raising staff awareness in its design team, consultants/technicians and support advisers regarding the requirements for confidentiality and management of personal data
- Contractual undertakings in respect of its customers as "Data Controllers" as per Article 28: (commitment to notification, etc.).
Specific details for professionals who process staff HR data
In addition to data management in Kelio, other technical and organisational measures must not be overlooked:
- Awareness-raising: members of your staff working with HR or access control software on a regular basis and who process personal data must be made aware of the requirements of the GDPR and be familiar with the mechanisms in place concerning personal data security. This is especially relevant where personal data relating to staff is sensitive, such as biometric controls (digital fingerprints), trade union affiliations or medical data (Article 9).
- Lock out: an organisation cannot retain irrelevant or unnecessary data and must therefore delete the rights of any employee who leaves the organisation so that they do not retain the same access rights. This also applies to an employee who changes department or job title: their former rights need to be deleted and new rights created relevant to their position.
- Automatic clearing: each type of data and document has a retention expiry date. The organisation must ensure that automatic clearing is set up on expiry of each retention period for different information types. This reduces the risk of breach.
- Appointment of a DPO: this is recommended in all cases, but is only mandatory in certain cases as detailed in Article 37, particularly for public authorities organisations that manage sensitive data or where the core activity requires regular and systematic monitoring of data subjects on a large scale (e.g. hospitals, etc.).
- Notification of data breaches: in the event of a data breach (data is leaked, altered, unintentionally destroyed or lost), the organisation must assess the significance of this breach and its impact before notifying its supervisory authority, where relevant.