PeopleSpheres and the GDPR

Is PeopleSpheres compliant with the GDPR?

Yes, PeopleSpheres and its solutions respect the GDPR.

If you would like to know more about PeopleSpheres’ GDPR obligations, you can read the rest of this article or the explanatory material provided by our teams. For any additional questions, do not hesitate to contact our Data Protection Officer (DPO) at the following e-mail address: [email protected]

Does PeopleSpheres have a GDPR Compliant certification?

Our goal is to obtain certification in 2019. PeopleSpheres is currently studying possible certifications in France. One of the certifications that has caught our attention is the AFAQ Data Protection certification.

We will keep you informed of all changes.

How does PeopleSpheres handle the treatment of GDPR?

The GDPR is the logical successor to the Data Protection Act, so we already had a foundation to build on. The new regulation added principles and obligations, and we have deployed the resources needed to implement and apply these new rules properly. Today, a DPO manages the various topics related to this issue.

What method was used to comply?

First, we started by reading the legislation. After reading and understanding it, we identified the important points and possible improvements to our daily practices.

The aim was to further develop the evaluation already done. PeopleSpheres consulted the CNIL Governance label, which incorporates the principles of the GDPR. Finally, these two phases gave us a clear and precise plan of action.

The rest of the methodology was based on the fundamentals of risk management: assessment, prioritization, correction and prevention.

What are the data storage locations at PeopleSpheres?

We have several storage locations thanks to our partners. Most of the data is stored in France; the rest is stored in England.

Are we required to store data exclusively locally?

No, the legislation imposes an obligation on the safe storage of data and requires a framework for non-EU data transfers.

If you want to transfer data outside the European Union, you will need to check whether the CNIL authorizes data transfers to that country.

The link below gives you access to a world map that lets you estimate the level of security that the country can offer you.

https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde

Which rules and terms must be respected in terms of anonymization?

The GDPR modifies the rules concerning deletion/anonymization through two elements:

– Chapter II, Article 5, paragraph (e): “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”

– Chapter III, Section 3, Article 17: Right to erasure (“right to be forgotten”).

These two articles must therefore be taken into account.

The first principle is retention: data should be kept only as long as necessary. The retention period varies according to the needs of the activity and the applicable legal obligations.

Please consult this article to find out more: https://www.service-public.fr/professionnels-entreprises/vosdroits/F10029.

The second principle is the right to be forgotten. Once the mandatory retention period has elapsed, the data can be deleted at the person’s request.

Please consult this article for more information: https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre3#Article17

Does PeopleSpheres make explanatory material available?

We are aware of the apprehension and the effect that this law might have on HR managers. This is why all of our clients will find explanatory material for the GDPR in the PeopleSpheres Support Center.

If you wish to consult this material, type “GDPR” in Search.

You will have access to the following documents:

– GDPR: Rights of the persons concerned

– GDPR: Inform my employees

– GDPR: NeoSpheres Compliance Action Plan

– GDPR: Write your internal policy regarding data protection

– GDPR: Legal bases and legitimate interests*

– GDPR: Enter MonPortailRH in my register of processing operations

What GDPR rules and principles must consultants adhere to?

Consultants are subject to very strict internal rules that they must respect:

– Confidentiality

– Rules for limiting the retention of data

– Rules for securing the transfer of files

– Acting on written instructions

Keep in mind that the team of consultants is not required to answer all your questions on the protection of your data. You will be directed to the Data Protection Officer who will answer all your questions.

Can we receive unencrypted files?

No. Our company has strengthened its procedures so that sending unencrypted files containing personal data is no longer possible: consultants can no longer accept such documents.

For more information, you can request our explanatory guide on this new procedure.

Randomization and generalization are the two main approaches to anonymizing data. Most publishers use one of these two methods.
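The two approaches named above, shown on constructed HR records. This is an added example and not PeopleSpheres code; the record fields, the age-band width, the postal-code truncation and the 5% salary noise are assumptions chosen for illustration. It also includes a small group-size check, because generalization only protects people when several records share each generalized value.

```python
"""Generalization vs. randomization on constructed HR records (added example).

- generalization: replace a precise value with a coarser one (age -> band,
  postal code -> department prefix) so that several people share each value;
- randomization: perturb a value with noise so the exact original cannot be
  read back, while aggregates stay approximately correct.

Direct identifiers (employee id, name) are dropped outright.
"""
import random

# Constructed sample records, not real employee data (assumption: field names).
EMPLOYEES = [
    {"employee_id": "E1001", "name": "A. Dupont", "age": 34, "postal_code": "75011", "salary": 42000},
    {"employee_id": "E1002", "name": "B. Martin", "age": 29, "postal_code": "69003", "salary": 38500},
    {"employee_id": "E1003", "name": "C. Bernard", "age": 57, "postal_code": "75015", "salary": 61000},
    {"employee_id": "E1004", "name": "D. Petit", "age": 41, "postal_code": "33000", "salary": 47250},
]

DIRECT_IDENTIFIERS = ("employee_id", "name")


def generalize_age(age: int, band: int = 10) -> str:
    """Map an exact age to a band such as '30-39' (generalization)."""
    lo = (age // band) * band
    return f"{lo}-{lo + band - 1}"


def generalize_postal_code(code: str) -> str:
    """Keep only the two-digit prefix (the department in metropolitan France)."""
    return code[:2] + "***"


def randomize_salary(salary: int, rng: random.Random, spread: float = 0.05) -> int:
    """Apply multiplicative noise in [-spread, +spread] (randomization)."""
    return round(salary * (1 + rng.uniform(-spread, spread)))


def anonymize(records, seed=None, age_band: int = 10):
    """Return records with direct identifiers removed, quasi-identifiers
    generalized and the salary randomized. A fixed seed makes the output
    reproducible for tests; in production the seed must not be derivable."""
    rng = random.Random(seed)
    return [
        {
            "age_band": generalize_age(r["age"], age_band),
            "department": generalize_postal_code(r["postal_code"]),
            "salary": randomize_salary(r["salary"], rng),
        }
        for r in records
    ]


def contains_direct_identifiers(records) -> bool:
    """True if any record still carries a direct identifier field."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


def smallest_group(records, keys) -> int:
    """Size of the smallest set of records sharing the same values for `keys`.
    A value of 1 means someone is still unique on those quasi-identifiers."""
    counts = {}
    for r in records:
        combo = tuple(r[k] for k in keys)
        counts[combo] = counts.get(combo, 0) + 1
    return min(counts.values())


if __name__ == "__main__":
    out = anonymize(EMPLOYEES, seed=1)
    for row in out:
        print(row)
    print("direct identifiers left:", contains_direct_identifiers(out))
    print("smallest group on (age_band, department):",
          smallest_group(out, ("age_band", "department")))
```

On these four records, 10-year age bands combined with the department leave every person unique, so the output is not anonymous in any meaningful sense; widening the band to 20 years and dropping the department from the quasi-identifier set gives groups of at least two. The check is what a practitioner should run before calling a data set "anonymized".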

Regarding the deletion of data, we are able to erase data from the active database; it is then removed from the backup databases when they are next synchronized.

With regards to exercise of a right concerning the processing of personal data, what is the legal deadline to manage the request?

If you wish to exercise one of your rights, a reply must be provided within one month of the company receiving your request.

If the company receives a large number of requests, it can extend the response time by a further two months (three months in total).

However, the company must inform you of this extension within one month of receiving your request. The company is not required to specify deadlines.