PeopleSpheres and the GDPR

We guarantee industry-standard compliance

PeopleSpheres is committed to information security

We hold ourselves to the highest standards

  • Records of processing: continuous monitoring and updating of the register of processing activities
  • Internal control and awareness: operational procedures, policies and ongoing awareness-raising
  • Revision of contractual terms and conditions: review of all partnership and subcontracting T&Cs, plus operational advice for PeopleSpheres customers
  • Data Protection Officer: an appointed DPO with allocated budget, time and resources, who oversees internal and external communication on data protection
Organizational Compliance

A solution built to secure your data

  • Access control: create and manage roles, with access mapped to each individual's rights, including separate view, edit and delete permissions.
  • Encryption: sensitive data, databases and customer passwords are encrypted; data transfers are secured.
  • Partitioning: a dedicated database for every customer, with internal visibility restrictions managed through role-based permissions.
  • Exercising rights: PeopleSpheres is designed to facilitate the exercise of the rights over personal data granted by the GDPR, including the rights to access, delete and export data, among others.
Technical Compliance

End-to-end security controls

At PeopleSpheres, we strive to be your trusted partner by becoming a leading example of security, reliability and transparency. Our comprehensive approach to data security and compliance includes:

  • Certified infrastructure
  • Audited by Sysdream: penetration tests, DDoS testing, etc.
  • Recurring customer audits
  • Internal auditing by our DPO
  • Data hosted in France
  • Disk encryption and end-to-end encryption of remote backups
  • High granularity of data deletion rules (PSO monitoring)

Learn about our security and GDPR compliance in more detail

Is PeopleSpheres compliant with the GDPR?

Yes, PeopleSpheres and its solutions comply with the GDPR.

If you would like to know more about PeopleSpheres’ GDPR obligations, you can read the rest of this article or the explanatory material provided by our teams. For any additional questions, do not hesitate to contact our Data Protection Officer (DPO) at the following e-mail address: dpo@peoplespheres.com 

Does PeopleSpheres have GDPR compliance certification?

Yes, PeopleSpheres currently holds the AFAQ Data Protection certification.

How does PeopleSpheres handle GDPR compliance?

The GDPR is the logical successor to the French Data Protection Act (loi Informatique et Libertés). The new regulation added principles and obligations, and we have deployed the resources needed to implement and apply these new rules properly. Today, a DPO manages the various topics related to this issue.

What method is used to comply?

First, we started by reading the legislation. After reading and understanding it, we identified the important points and possible improvements to our daily practices. 

The aim was to build on the evaluation already carried out. PeopleSpheres used the CNIL Governance label as a reference, since it incorporates the principles of the GDPR. Together, these two phases gave us a clear and precise action plan.

The rest of the methodology was based on the fundamentals of risk management: assessment, prioritization, correction and prevention. 

Where is data stored?

We have access to several storage locations through our partners. Most of the data is stored in France; the rest is stored in England. Note that storage in England is storage outside the European Union, so it falls under the transfer rules described in the next question.

Are we required to store data exclusively locally?

No. The legislation requires that data be stored securely and that any transfer outside the EU take place within an approved framework.

If you want to transfer data outside the European Union, you first need to check whether transfers to that country are authorized; the CNIL publishes guidance on this.

The link below gives you access to a world map that lets you estimate the level of data protection a given country offers.

https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde 

Does PeopleSpheres have explanatory material available?

We are aware of the apprehension and the effect that this law might have on HR managers. This is why all of our clients will find explanatory material for the GDPR in the PeopleSpheres Support Center. 

If you wish to consult this material, type “GDPR” in Search. 

You will have access to the following documents: 

– GDPR: Rights of the persons concerned 

– GDPR: Inform my employees 

– GDPR: NeoSpheres Compliance Action Plan 

– GDPR: Write your internal policy regarding data protection 

– GDPR: Legal bases and legitimate interests* 

– GDPR: Enter MonPortailRH in my register of processing operations 

What GDPR rules must consultants adhere to?

Consultants are subject to very strict internal rules that they must respect: 

– Confidentiality 

– Rules for limiting the retention of data 

– Rules for securing the transfer of files 

– Acting on written instructions 

Keep in mind that the team of consultants is not expected to answer every question on the protection of your data. For such questions you will be directed to the Data Protection Officer, who will answer them.

Can we receive encrypted files?

No. We have tightened our procedures so that files containing personal data can no longer be sent to us: consultants can no longer accept such documents.

For more information, you can request our explanatory guide of this new operation. 

Randomization and generalization are the two main approaches to anonymizing data. Most software vendors use one of these two methods.

Regarding deletion, we erase data from the active database; it is removed from the backup databases when they are next synchronized.
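To make the two anonymization families named above concrete, here is an added illustration that is not PeopleSpheres' code: generalization coarsens the quasi-identifiers (age band, postcode prefix) and randomization perturbs the sensitive attribute. The HR records, the 5% noise level and the k-anonymity threshold are constructed assumptions for the example; the point it adds is that you must measure re-identifiability (here, k-anonymity over the quasi-identifiers) after generalizing, because a first pass can still leave a single person in a group of one.

```python
"""Generalization vs. randomization on constructed HR records (example only)."""
import random
from collections import Counter

# Constructed sample records; not real data.
RECORDS = [
    {"name": "Alice", "age": 34, "postcode": "75011", "salary": 52000},
    {"name": "Bob",   "age": 37, "postcode": "75012", "salary": 48000},
    {"name": "Chloe", "age": 52, "postcode": "69003", "salary": 71000},
    {"name": "David", "age": 58, "postcode": "69007", "salary": 66000},
    {"name": "Emma",  "age": 29, "postcode": "75020", "salary": 41000},
    {"name": "Farid", "age": 31, "postcode": "75018", "salary": 45000},
]

# Attributes that, combined, could single a person out (assumed for the example).
QUASI_IDENTIFIERS = ("age", "postcode")


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one combination of quasi-identifier
    values. k == 1 means at least one person is uniquely re-identifiable."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return min(groups.values())


def generalize(record, age_band=10):
    """Generalization: keep the attribute but coarsen it. Age becomes a band,
    the postcode keeps only its 2-digit prefix, and the name is dropped."""
    low = (record["age"] // age_band) * age_band
    return {
        "age": f"{low}-{low + age_band - 1}",
        "postcode": record["postcode"][:2] + "xxx",
        "salary": record["salary"],
    }


def randomize(record, rng, noise=0.05):
    """Randomization: perturb the sensitive attribute with bounded noise
    (here +/-5%, rounded to 100) so an exact value cannot be matched back."""
    factor = 1 + rng.uniform(-noise, noise)
    out = dict(record)
    out["salary"] = int(round(record["salary"] * factor, -2))
    return out


def anonymize(records, k_min=2, seed=0):
    """Widen the age band until every quasi-identifier combination appears at
    least k_min times, then add noise. Returns (rows, age_band_used)."""
    rng = random.Random(seed)
    for age_band in (10, 20, 50):
        rows = [generalize(r, age_band) for r in records]
        if k_anonymity(rows) >= k_min:
            return [randomize(r, rng) for r in rows], age_band
    raise ValueError(f"cannot reach {k_min}-anonymity with these bands")


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))                         # 1
    print("10-year bands k =", k_anonymity([generalize(r) for r in RECORDS]))  # 1
    rows, band = anonymize(RECORDS)
    print(f"{band}-year bands k =", k_anonymity(rows))              # 2
    for row in rows:
        print(row)
```

With 10-year bands the 29-year-old remains alone in her group, so the output is still re-identifiable; only the 20-year band reaches k = 2 on this sample. The noise step is applied afterwards so that a salary leaked elsewhere cannot be matched exactly to a row.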

Which rules and terms must be respected in terms of anonymization?

The GDPR frames the rules on deletion and anonymization through two provisions:

– Article 5(1)(e) (Chapter II): personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”

– Article 17 (Chapter III, Section 3): right to erasure (“right to be forgotten”).

Both articles must therefore be taken into account.

The first principle is limited retention: data is kept only as long as necessary. The retention period varies according to the needs of the activity and the applicable legal obligations.

The second principle is the right to be forgotten. Once the mandatory retention period has expired, the data can be deleted at the person’s request.

Please consult this article for more information: https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre3#Article17 

What is the legal deadline to manage requests to exercise rights regarding personal data?

If you wish to exercise one of your rights, a reply must be provided within one month of the company receiving your request.

If the request is complex or the company receives many requests, it can extend the response time by a further two months (a maximum of three months in total).

However, the company must inform you of the extension, and the reasons for it, within one month of receiving your request.