Data Processing & GDPR Compliance

1. Data Processing Agreement (DPA)

For customers in the EU/EEA, Peoplova acts as a Data Processor on behalf of your company (the Data Controller). We have in place a comprehensive Data Processing Agreement that complies with GDPR requirements.

EU Standard Contractual Clauses (SCCs): Our DPA incorporates EU SCCs for any data transfers outside the EEA.

To request a copy of our full DPA, please contact [email protected].

2. Your Role as Data Controller

Your company is the Data Controller of employee personal data. You are responsible for:

• Obtaining lawful basis for processing (usually employment contract)
• Providing privacy notices to employees
• Responding to data subject requests (access, deletion, portability, etc.)
• Reporting data breaches to supervisory authorities if required
• Maintaining records of processing activities

3. Peoplova as Data Processor

Peoplova is a Data Processor. We:

• Process data only on your documented instructions
• Process data only for the duration and scope you specify
• Implement appropriate technical and organizational security measures
• Ensure any sub-processors are also GDPR-compliant
• Assist you with fulfilling data subject requests
• Delete or return data upon contract termination

4. Legal Basis for Processing

Our processing of employee data is lawful under GDPR Article 6 because it is:

• Contract Necessity: Necessary to provide HR management services you've contracted for
• Legal Obligation: Some processing is required to comply with employment and tax laws
• Legitimate Interests: We have a legitimate interest in maintaining service security and preventing fraud

5. Data Retention Schedule

Data Type	Retention Period	Legal Basis
Active Employee Data	Duration of employment + 7 years	Tax/Legal obligation
Salary & Payroll Data	7 years	Tax authority retention requirements
Leave/Absence Records	3 years	Employment law requirements
Performance Reviews	3 years	Employment/dispute resolution
Audit Logs	1 year	Security/compliance monitoring
Support/Contact Records	2 years	Service improvement

6. Data Subject Rights

6.1 Right to Access (Article 15)

Employees can request access to their personal data held by Peoplova. Submit requests to your company's HR administrator or contact [email protected].

6.2 Right to Rectification (Article 16)

Employees can request correction of inaccurate personal data. Updates can be made through the app or submitted to HR.

6.3 Right to Erasure (Article 17)

Employees can request deletion of personal data, subject to legal retention requirements. Data may be anonymized instead of deleted if retention is legally required.

6.4 Right to Restrict Processing (Article 18)

Employees can request restrictions on how their data is used. We will honor valid requests and pause processing accordingly.

6.5 Right to Data Portability (Article 20)

Employees can request their data in a structured, commonly used, machine-readable format (e.g., CSV, JSON). We will provide within 30 days.

6.6 Right to Object (Article 21)

Employees can object to certain types of processing, except where we have a compelling legal basis (e.g., employment contract).

6.7 Rights Related to Automated Decision-Making (Article 22)

Peoplova does not make automated decisions with legal or significant effects without human oversight.

7. Sub-Processors

We use the following sub-processors for data processing:

• Stripe — Payment processing (PCI DSS Level 1)
• Mailjet — Transactional email delivery (SOC 2 Type II)
• Google Analytics — Usage analytics (anonymized data)
• DigitalOcean — Cloud hosting and infrastructure (SOC 2 certified)

We have Data Processing Agreements in place with all sub-processors. We maintain a current list of sub-processors; if we change sub-processors, we will notify affected customers.

8. International Data Transfers

Data Location: Employee data is stored primarily in the United States (DigitalOcean data centers).

Standard Contractual Clauses: For EU/EEA customers, we rely on EU SCCs to authorize international transfers. Our DPA incorporates the approved SCCs.

Adequacy Decision: If transfers are to non-adequate countries, SCCs provide appropriate safeguards.

9. Data Breach Notification

In the event of a personal data breach:

1. We will investigate the breach immediately
2. We will notify your company within 24 hours of confirmation
3. We will provide details: scope, individuals affected, likely consequences, and remediation steps
4. You (as Data Controller) are responsible for notifying supervisory authorities and affected individuals as required by GDPR Article 33-34
5. We will cooperate fully with any investigation by authorities

10. DPIA & Risk Management

Data Protection Impact Assessment (DPIA): For high-risk processing, we conduct DPIAs and can provide copies upon request.

Risk Management: We maintain a Risk Register and review security measures annually. Critical vulnerabilities are addressed within 48 hours.

11. Data Protection Officer (DPO)

Peoplova designates a Data Protection Officer to oversee GDPR compliance:

Email: [email protected]

You can contact our DPO with any privacy or data protection concerns.

12. Assistance with Compliance

We assist you in fulfilling your obligations as Data Controller:

• Providing documentation for Privacy Impact Assessments
• Generating reports for data subject access requests
• Exporting employee data in portable formats
• Securely deleting data upon contract termination
• Responding to supervisory authority inquiries

13. Your Compliance Responsibilities

Your company (as Data Controller) is responsible for:

• Obtaining lawful basis for processing before storing employee data
• Providing privacy notices to employees (fair processing information)
• Processing only the minimum necessary data for your HR purposes
• Reporting certain breaches to authorities and individuals as required
• Maintaining records of processing activities (Records of Processing)
• Drafting and maintaining privacy policies for your employees

14. Contact Us

For questions about GDPR compliance or our Data Processing Agreement:

• Data Protection Officer: [email protected]
• Support: [email protected]
• Submit a support ticket