GDPR Timesheet Compliance
General Data Protection Regulation
ClickTime & GDPR
At ClickTime, we provide high-quality time and expense management applications for businesses. We’re happy to announce that we are in compliance with the General Data Protection Regulation (GDPR).
What is GDPR?
The EU Regulation 2016/679, also referred to as the General Data Protection Regulation (GDPR), intends to strengthen and consolidate data protection for all European Union (EU) residents and addresses the export of personally identifiable information (PII) outside the European Economic Area (EEA).
Who needs to be GDPR-compliant?
All organizations operating in the EU and/or processing personal data of EU residents. Personal data is any information relating to an identified or identifiable natural person.
Definitions
Terms are to be interpreted as intended in the original regulation:
- ‘personal data’ means any information relating to an identified or identifiable natural person. (End-users)
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (Our customers)
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (ClickTime)
- ‘sub-processor’ means a natural or legal person, public authority, agency or body other than the data subject, controller, and processor who, under the direct authority of the controller or processor, is authorized to process personal data.
GDPR Overview
How we use, store, and protect customer data.
Data use
The information stored or transmitted via ClickTime is used for operational and improvement purposes, to help our customers use and access our services, respond to their inquiries, and send service-related communications.
Data ownership and control
When our Customers trust ClickTime with their data, they remain the sole owners of such information. Therefore, the customer is the controller of such data and ClickTime is the processor.
ClickTime’s sub-processors
We maintain an updated list with the names of sub-processors and the locations used for hosting or other processing of data. For more information please visit our sub-processors list found here.
Data Processing Addendum
ClickTime’s Data Processing Addendum (DPA) provides our customers with the contractual commitments to be GDPR-compliant. This agreement outlines our guarantee that customers can:
- Respond to requests from data subjects to access, rectify or delete personal data.
- Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects according to GDPR guidelines.
To receive our DPA, please complete our DPA Request Form.
Security
At ClickTime, security is a top priority. We secure your data by assuring that physical and network protection is monitored around the clock. For example, ClickTime servers are hosted at a Tier 1 colocation facility with SOC 2 certification, the databases reside in RAID arrays, and sensitive data is encrypted with AES. For more information you can see our security page or contact privacy@clicktime.com.
Privacy Policy
We take privacy very seriously. ClickTime does not disclose our customers’ data except as necessary to provide the services to the customer and to comply with law. For more information please visit our Privacy Policy.
Model Clauses
Standard Contractual Clauses (Model Clauses) are a set of standard provisions approved by the European Commission to enable European entities to legally transfer personal data outside the EU. Through these clauses, ClickTime agrees to process an individual’s personal data on behalf of the customer and in compliance with the customer’s instructions. Please email gdpr@clicktime.com to obtain our Data Processing Addendum and Model Clauses.
Data Subject Requests
How we evaluate, respond, and authorize access, rectification and erasure.
Data subject right of access, rectification, and erasure for EU residents
As indicated previously and outlined in ClickTime’s DPA, if a data subject exercises their right to access, rectification and/or erasure, we will contact our customer in order to receive the authorization to make the changes. If our customer doesn’t reply within a reasonable time, ClickTime will evaluate, respond, and inform the data subject of the decision and schedule for the action within 30 days (of receipt of the request). As stated in the GDPR, if our customer or ClickTime decides not to take action on the request, the data subject will be informed of the reasons for the decision and the possibility of lodging a complaint with a supervisory authority. For more information please contact gdpr@clicktime.com.