General Data Protection Regulation
The Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data “(hereinafter” the ” Regulation “), which came into force on May 25, 2018, reinforces some of the obligations of companies that process personal data. This Regulation nevertheless reinforces some of our obligations. We have therefore taken all the necessary steps to be compliant.
If you are one of our clients, you are subject to the provisions of the GDPR in two ways:
- Your relationship with LUMAPPS
> we act as your Subcontractor – we are a Data Processor (article 28 of the Regulation)
- Your relationships with your employees, users of the Lumapps solution
> you are the Data Controller of their personal data.
Personal data: means any information relating to a natural person identified directly or indirectly, or identifiable (eg name, phone number, date of birth, etc.).
Data Controller: means any legal or natural person who determines the purposes and means of a personal data processing. The Data Controller is in charge of the respect of the GDPR within his organization, including the rights of employees (right of access, right to modify, right to erasure, etc.).
Data Processor: means any natural or legal person who processes personal data on behalf of the Data Controller on the basis of the instructions he has given.
Data Subject: means any person whose personal data is being collected, held or processed. Personal Data can refer to anything from his/her name, home address or his/her posts on social media.
2. The commitments of LumApps as Data Processor
- Only process personal data of employees, users in connection with the execution of Lumapps online services to which you have subscribed. We will never sell or use employees, user data for marketing or commercial purposes..
> Within the services which we offer our customers, we identified the data we need:
– Authentication Data: email address. Password (for precise purposes such as the authentication)
– Directory Data: first name, last name, title, position (if need for organization chart). Location (if necessary). An ID interns.
> All this data is collected for specific purposes and is only kept for the duration of the service. We only process the data entrusted to us for specific and defined purposes
– We act on instruction of our customers
– We guarantee the confidentiality and the integrity of the data
– Our subcontractors are required to respect the obligations and instructions of our customers.
– We collaborate with our customers so that they can answer their obligations in particular in term of exercising the rights of concerned people or carrying out impact analysis
– We ensure the security of entrusted Data
– We are committed to implementing the reversibility of entrusted data
– We formalize and give to our customers all the necessary documentation to demonstrate the respect for our obligations
– We give you a right of access, rectification, right to be forgotten via the address email@example.com
An answer will be sent to you within a maximum of one month from the receipt of your request.
- Training and sensitization of our staff on the issues of data protection and security: we have at your disposal the register of training for our staff.
- Do not transfer your data outside the European Union unless you give us your written consent.
- You guarantee a high level of security and protection of your personal data.
– Google Cloud infrastructure compliant with GDPR requirements (Google Infrastructure Security Design and Google Cloud Platform)
– Encryption of our databases: we use Google Encryption.
– Audits of our subcontractors
– Surveillance and detection of possible weaknesses
– Deletion of personal data in accordance with European regulations
– Secure development taking into account good security practices and the protection of personal data (anonymous or fictitious test data)
– Implementation of processes with our customers for escalation or incidents
– Security certification process
- Notify the customer in writing within 24 hours of becoming aware to LumApps a breach of Personal Data
3. Your commitments as Data Controller
> Your are responsible for controlling the personal data you communicate to LumApps as part of their use of the services. Data controller defines the purpose of personal data and its processing.
> Your are responsible for controlling the data. You are responsible for putting in place appropriate technical and organizational measures to ensure and prove that the data is processed in accordance with the Regulation. The obligations concern the principles of legality, fairness, transparency, limitation of purpose, minimization and accuracy of data, as well as respect for the rights of data subjects.
> You manage, through our solutions, the personal data of your employees. As a result, your employees have rights to this data. It is your responsibility to allow them to exercise them. Lumapps helps you fulfill this obligation via the address firstname.lastname@example.org
- Right of access (Article 15 of the Regulation): The Data Subject has the right to obtain from the Data Controller access to his / her Personal Data. Depending on the configuration of the solution, employees have access to information that concerns them (or may request access to it). You alone, as a controller, should or should not give this opportunity to your employees.
- Right of rectification (Article 16 of the Regulation): The Data Subject has the right to obtain from the Data Controller, as soon as possible, the rectification of the Personal Data concerning him which are inaccurate.
- Right to be forgotten (Article 17 of the Regulation): The Data Subject has the right to obtain from the Data Controller the erasure, as soon as possible, of personal data concerning him/her.