Note: While we can provide tools to assist, Tommy is not able to provide legal advice concerning GDPR compliance for your business/team. You will need to seek independent legal advice tailored to your business’ specific needs.
We’ve also created the following FAQ’s to help customers stay informed about the GDPR and what Tommy is doing to be compliant of this regulation.
Is Tommy complaint with GDPR?
Tommy is complaint with the GDPR, and continues to regularly audit for compliance. Tommy is committed to maintaining the security of your data. Tommy understands the responsibility that comes with looking after your data and we use best-practice systems to ensure it is safety stored, securely managed, and that we have Privacy by Design principles in our product development process.
What is Personal Data?
Any information related to a natural person (individual) that can be used to directly or indirectly identify a person. It can be anything from a name, a photo, an email address, bank details, or a computer IP address.
Who does it affect?
The GDPR applies to any organisation that processes Personal Data of EU individuals, regardless of whether the organisation has a physical presence in the EU. For Tommy customers, that’s any organisation with one or more Team Members or Contacts in the EU.
What are the main rights of Data Subjects?
How data is used: EU individuals should have access to know how Personal Data concerning them is being processed, where and for what purpose.
- Right of access: Entitles individuals to obtain from the Data Controller confirmation as to whether or not Personal Data concerning them exists. Furthermore, the Data Controller shall provide a copy of the Personal Data, free of charge, in an electronic format if requested.
- Right to be forgotten: Entitles EU individuals to have the Data Controller delete their Personal Data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data portability: EU Individuals have the right to obtain and reuse their Personal Data for their own purposes across different services. On request, Data Controllers must give individuals their data in an easy to read format or pass it directly to the new provider.
- Data breach notifications: Data breaches that may pose a risk to EU individuals must be notified to the relevant Data Protection Agency (DPA) within 72 hours and to affected individuals without undue delay.
- Privacy by design: It is a legal requirement to design products and services with data protection measures in mind. Privacy settings must also be set at a high level by default, and Personal Data is not processed unless necessary for specific purposes.
What is the difference between a Data Processor and a Data Controller? How do I know what my business is?
A “Data Controller” is an organisation that collects Personal Data from EU residents. A “Data Processor” is an organisation that processes EU resident Personal Data on behalf of a Data Controller.
In the case of Tommy, our customers are “Data Controllers” as they collect information from their Team Members (name, contact details, email, time clocking photos). Because we hold and process this data in the Tommy Application under instruction, we (Tommy) are the “Data Processor”.
Where is my personal data stored?
All personal data collected from EU residents is stored in the United States of America.
As an employee, how do I request that Tommy delete my data?
Because your data is held by both Tommy (your Tommy account) and your current or previous Teams (your company employee account for example), the process to delete your data in Tommy requires two steps.
1.Delete your Tommy account
To delete your account in Tommy, please follow the instructions provided in our Help Docs. You’ll need to log in to Tommy to delete your account. If you can’t remember your log-in details please follow our reset password link.
Following these steps will delete your Tommy personal account, however, it won’t delete the information your current or previous Teams hold about you in their Tommy accounts (personal information, timesheets, shifts, tasks, journals, employment terms).
2.Delete your Team account
To delete the information your current or previous Teams holds about you, you need to send a request directly to this Team owner asking them to delete your Team account. They can then delete your Team account in Tommy.
If you have joined multiple Teams, you will need to contact each Team owner individually.
As a Team Owner, how do I delete a Team Member account?
Tommy has introduced the ability to delete a Team Member’s personal information contained within a Team Account. To delete a Team Member account and its associated Personal Data the Team Member account must first be disabled. For specific instructions on how to delete a Team Member account please see our Help Docs.
Who can delete a Team Member account?
Only Team Owner / Administrator can delete accounts.
When I delete an account, how much data is deleted?
All data associated with that account including contact details, previous timesheets, previous time clocking events, all data directly associated with the Team Member account.
In the case of some data which is not Personal Data nor directly associated to the Team Member, partial records may remain in a non-identified manner. Specifically, a Shift/Booking whereby a Team Member may have been associated with a Shift/Booking, that Shift/Booking may remain, though its association with the deleted Team Member is removed and replaced with a “Deleted Team Member” association to maintain operational data integrity where possible.
Can I recover a deleted account?
No, once an account is deleted it cannot be recovered.
If you have more detailed questions about how Tommy is GDPR compliant or what it means for your, please contact firstname.lastname@example.org
For extensive information about the GDPR please visit