Note: While we can provide tools to assist, Tommy is not able to provide legal advice concerning GDPR compliance for your business/team. You will need to seek independent legal advice tailored to your business’ specific needs. We’ve also created the following FAQs to help customers stay informed about the GDPR and what Tommy is doing to be compliant with this regulation.
Is Tommy compliant with GDPR?
What is Personal Data?
Who does it affect?
What are the main rights of Data Subjects?
- How data is used: EU individuals should have access to know how Personal Data concerning them is being processed, where and for what purpose.
- Right of access: Entitles individuals to obtain from the Data Controller confirmation as to whether or not Personal Data concerning them exists. Furthermore, the Data Controller shall provide a copy of the Personal Data, free of charge, in an electronic format if requested.
- Right to be forgotten: Entitles EU individuals to have the Data Controller delete their Personal Data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data portability: EU individuals have the right to obtain and reuse their Personal Data for their own purposes across different services. On request, Data Controllers must give individuals their data in an easy-to-read format or pass it directly to the new provider.
- Data breach notifications: Data breaches that may pose a risk to EU individuals must be notified to the relevant Data Protection Agency (DPA) within 72 hours and to affected individuals without undue delay.
- Privacy by design: It is a legal requirement to design products and services with data protection measures in mind. Privacy settings must also be set at a high level by default, and Personal Data is not processed unless necessary for specific purposes.
What is the difference between a Data Processor and a Data Controller? How do I know what my business is?
A “Data Controller” is an organisation that collects Personal Data from EU residents. A “Data Processor” is an organisation that processes EU resident Personal Data on behalf of a Data Controller.
In the case of Tommy, our customers are “Data Controllers” as they collect information from their Team Members (name, contact details, email, time clocking photos). Because we hold and process this data in the Tommy Application under instruction, we (Tommy) are the “Data Processor”.
Where is my personal data stored?
As an employee, how do I request that Tommy delete my data?
1. Delete your Tommy account
To delete your account in Tommy, please follow the instructions provided in our Help Docs. You’ll need to log in to Tommy to delete your account. If you can’t remember your log-in details, please follow our reset password link.
Following these steps will delete your Tommy personal account; however, it won’t delete the information your current or previous Teams hold about you in their Tommy accounts (personal information, timesheets, shifts, tasks, journals, employment terms).
2. Delete your Team account
To delete the information your current or previous Teams hold about you, you need to send a request directly to the Team owner asking them to delete your Team account. They can then delete your Team account in Tommy.
If you have joined multiple Teams, you will need to contact each Team owner individually.
As a Team Owner, how do I delete a Team Member account?
Who can delete a Team Member account?
When I delete an account, how much data is deleted?
All data associated with that account is deleted, including contact details, previous timesheets, previous time clocking events, and all data directly associated with the Team Member account.
Some data that is neither Personal Data nor directly associated with the Team Member may remain as partial records in a non-identified manner. Specifically, where a Team Member may have been associated with a Shift/Booking, that Shift/Booking may remain, though its association with the deleted Team Member is removed and replaced with a “Deleted Team Member” association to maintain operational data integrity where possible.
Can I recover a deleted account?
Further questions?
If you have more detailed questions about how Tommy is GDPR compliant or what it means for your, please contact [email protected]
For extensive information about the GDPR, please visit https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en