The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and is the most significant piece of European privacy legislation in the last twenty years. GDPR strengthens the rights that EU individuals have over their personal data, unifies data protection laws across Europe and places more responsibility on customers of HR software (as data controllers) and on providers of HR enterprise software (as data processors).
For many organisations, holding your data centralized in a secure system like HubbubHR can help you meet your GDPR requirements as a data controller.
HubbubHR is committed to providing the controls needed to assist our clients to meet their obligations as a data controller under GDPR, and our own as a data processor, to ensure compliance with the GDPR, which took effect on May 25th 2018. Our customers can leverage HubbubHR services with confidence, understanding the robust data protection capabilities built into our services.
We’ve been making important updates to our services and have introduced new contractual commitments including a Data Processing Agreement that directly address GDPR requirements.
DISCLAIMER: This information summarises our position with respect to GDPR and actions you can take as you prepare for GDPR. You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this overview is intended to provide you with, or should be used as a substitute for, legal advice. This overview does not form part of the contractual agreement between you, your company and HubbubHR (Ode Systems Incorporated). For full information refer to our Data Processing Agreement: http://www.hubbubhr.com/trust/gdpr/dataprocessingagreement.
Here is where we stand
Data Processing Agreement
HubbubHR provides a Data Processing Agreement which amends our Terms and Conditions from before May 25th 2018 and is incorporated in our Terms and Conditions after that date (http://www.hubbubhr.com/terms-and-conditions). This includes contractual commitments for GDPR and clearly articulates our privacy terms for our customers. The Data Processing Agreement can be found here: http://www.hubbubhr.com/trust/gdpr/dataprocessingagreement. A representative of your company should accept these terms.
Processing of Data
HubbubHR commits to processing Customer Personal Data submitted, stored, sent or received by our customers (as controller) and their end-users for the purposes of providing the Services and related technical support only. The services themselves have comprehensive configuration and security controls built in, which give you as the customer the ability to directly configure the instructions on how this data is processed.
HubbubHR provides an “Employee Deletion During Term” feature which will allow your HR Managers to mark Archived Employees for permanent deletion when you choose. The user will then be moved to an “Employee Deletion Pending” status and remains in archived view for 7 days (in case of inadvertent deletion). After 7 days, the formerly Archived Employee is automatically deleted and moved to a “Deleted Employees” view, retaining only basic information for audit purposes but removing all other Personal Data related to that employee. All customer personal data that you have selected for deletion will be fully purged from our backups within 180 days (which is our contractual commitment to you in our Data Processing Amendment).
HubbubHR automatically deletes all customer personal data from our production services 60 days after trial expiry or contract expiry. Furthermore, upon trial expiry or contract expiry, all customer personal data will be fully purged from our backups within 180 days (which is our contractual commitment to you in our Data Processing Agreement).
Security Measures, Controls and Assistance
HubbubHR incorporates security by design. Amongst the core features of the service are that it is built on the state-of-the-art Microsoft Platform and is hosted in Microsoft Azure Cloud’s own European data-centres certified under ISO 27017 for cloud security and ISO 27018 for protection of personally identifiable information in public clouds. For further information please see: https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27017 and https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27018. All data held in HubbubHR is encrypted both at rest and in transit between our service and your browser and is fully backed up. Our service is protected by Microsoft’s advanced intrusion detection services. HubbubHR supports advanced authentication including the use of Active Directory account authentication and integration (if configured by our customers).
Security Certifications, Audits and Reports
HubbubHR’s data hosting provider Microsoft Azure Cloud maintains certifications including ISO 27001 and ISO 27018. For further information please see: https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001, https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27018 and https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. We also contractually agree to meet the rights of audit required under GDPR.
Customer Additional Security Controls
HubbubHR provides additional security controls within the admin sections of the service to allow our customers to take steps to secure Customer Data to help meet their obligations as data controllers. These include: multiple security roles (including Employee, Manager, HR and Admin) which can be combined with the ability to configure different access rights (including read, edit, no access, hidden) for individual types of personal data held in the service. The service also includes comprehensive auditing to allow our customers to track data updates, deletions and modifications. These combine to give our customers maximum flexibility to meet their obligations as a data controller under GDPR.
HubbubHR will notify customers promptly following any data incidents and take reasonable steps to minimize harm and secure customer data. Notifications will be made to the administrators as configured in the admin section of our service.
HubbubHR provides assistance in the form of the additional security controls and our data processing agreement to help customers with their impact assessments.
Data Subject Rights
Access; Rectification; Restricted Processing; Portability
HubbubHR is highly configurable, allowing data subjects and/or their HR managers (as configured by the customer) to have full control and self-service to access, rectify and restrict processing of Customer Data, including deletion. HubbubHR provides an Employee Data Export feature to allow export by the customer of all data and files relating to a specific employee to support portability.
Data Subject Requests
If HubbubHR receives a data subject request from your employees in relation to Customer Personal Data, we will advise the data subject to submit his/her request to the customer, and the customer will be responsible for responding to any such request by using the functionality of the services.
For customers with GDPR requirements, data in HubbubHR is held solely within the EEA and in Microsoft Azure Cloud’s European data centres. Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-U.S. Privacy Shield and EU Model Clauses. For further information please see: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx and for further information as of July 16, 2020 please see: https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/
Information about our subprocessors, including their functions and locations, is available at http://www.hubbubhr.com/trust/gdpr/subprocessors
Where do you stand?
Independent Legal Advice
You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.
Assessment and Configuration of HubbubHR’s Security Measures and Controls
As a customer, you are responsible for reviewing the Security Documentation and evaluating whether the Services, our security measures and the additional security controls available to your administrators and HR Managers will meet your needs, including with respect to any security obligations of Customer under the European Data Protection Legislation (GDPR) and/or Non-European Data Protection Legislation, as applicable.
In order to achieve compliance with GDPR, customers of HubbubHR should familiarise themselves with their obligations under the regulations as a data controller. In particular, you should consider creating an updated and precise inventory of the personal data that you process and control in our services; you should review the lawful basis on which you process that data; and you should review how your organisation configures its advanced security roles and access settings in our services.
Acceptance of Data Processing Agreement and Notification of Customer Data Protection Officers
Our HubbubHR Data Processing Agreement (http://www.hubbubhr.com/trust/gdpr/dataprocessingagreement) amends our existing Terms and Conditions and meets the statutory requirements for an agreement between you as a controller and us as a processor of your personal data under GDPR. A representative of your company should agree to these terms. You can also notify us of your Data Protection Officer by providing this information to HubbubHR. The HubbubHR Data Protection Team can be contacted by Customer’s Administrators or Customer’s Data Protection Officer by raising a case by email to firstname.lastname@example.org
If you have specific questions about GDPR compliance we’d like to hear from you by email at:
Daniel Mayer, Chief Customer Advocate and Chief Compliance Officer
604-831-0579 or 1-866-610-0365