The GDPR regulation for HR and access control software
Any organisation that processes the personal data of its staff within the European Union is subject to the provisions of the GDPR, which requires:
• security of personal data collected
• adherence to legislation relating to personal data
• implementation of a responsible management approach in respect of such data (including an alert procedure in the event of data breach)
• appointment of a contact person – a single point of contact.
Kelio software and compliance with the GDPR
As a software publisher, responsible for its design, hosting and maintenance, Kelio SAS acts as a Sub-contractor, within the meaning of GDPR. This sub-contracted processing takes place within the framework of a contractual relationship with its clients, who remain responsible for the data processing that takes place and its controls.
Aware of the inherently sensitive nature of data managed through its software products, the company KELIO SAS has always been especially attentive in implementing measures to protect and manage this information. In addition to observing the relevant texts, for several years the company KELIO SAS has taken proactive measures that reflect the requirements now regulated by GDPR (ISO 27001-certified SaaS offering, annual security audits, etc.).
As a sub-contractor, we have also taken the following measures:
• Appointment of a DPO (Data Protection Officer) in charge of managing private data for the company KELIO SAS and a single point of contact for its clients. For further information: dpo@kelio.com
• Building awareness of staff in its design team, its consultants/technicians and support advisors regarding the requirements for confidentiality and management of personal data
• Contractual commitments including specific clauses dedicated to respect for personal data
• The "Privacy by Design" and "Privacy by Default" principles are applied right from the design stage in order to guarantee the highest possible level of protection for personal data:
  o Raising staff awareness,
  o Mandatory data input fields restricted to those fields essential for the processing of an employee's contract. To comply with the right to consent (opt-in), and to avoid optional data being input without the consent of data subjects, the configuration of Kelio user profiles can disallow the input of optional data.
  o Ultra-precise management of user rights, allowing for the assignment of hyper-customised rights and the communication of relevant data to authorised persons only (assignment of rights by profile, by individual, by reason type, by data field, etc.). By default, the software proposes restricted access rights. Kelio allows you to give individual employees read-only or edit access to their HR file, for example.
• Exercising of rights relating to personal data
  o Right of access / rectification: with Kelio, you can assign rights to employees allowing them to freely access their personal data and/or the right to modify their employee file with complete autonomy.
  o Right to be forgotten: the deletion of data and all technical traces can be performed in Kelio software. This can be carried out by a Kelio administrator, at the request of an individual with proof of identity. In HR, this right is restricted by the statutory obligations regarding retention and deletion of documents. Kelio includes a customisable automatic clearing function, to trigger the deletion of data once the relevant retention period has expired.
  o Data portability: the reporting and export of data in standard formats (PDF, Excel, CSV) is provided in Kelio, allowing the extraction of data by software administrators.
• Assistance with producing the minimum documentation requirement: Provision of a pre-completed template of the data processing register for Kelio, to help with completing the minimum documentation requirement as specified in the GDPR.