Is eBoss compliant? What measures are in place?
Q: I am completing a compliance report. What steps can I say eBoss has put in place to ensure compliance with GDPR?
A: We have ensured that each of the following steps will either be in place before May 25th, or is already a standard part of eBoss company policy:
1. All data subject data is stored on servers located within the EU only;
2. All data subject data is encrypted;
3. Data subject data is also pseudonymised;
4. Data subject data is backed up and easily recovered or restored to prevent permanent loss;
5. No data subject data is ever transferred to a location which is not protected by the GDPR or regulation that has been recognised as equivalent to the GDPR;
6. We have updated the terms of service and privacy policies for web users, customers, and clients;
7. We have informed web users, customers, and clients of their new rights and obligations under the GDPR;
8. We have established new service agreements for data controllers which limit the services provided by eBoss and our subprocessors to those that remain within GDPR best practices at all times;
9. We have selected subprocessors only if they are able to demonstrate GDPR compliance prior to May 25th;
10. We have undertaken orientation and staff training on best practices under the GDPR;
11. We have undertaken preliminary risk assessments on the processing of data subjects’ personal data;
12. We have mapped a thorough and ongoing risk assessment process which will continue to update our understanding of the GDPR and create a knowledge base of risks and threats to the personal data that we process.
- Article 28, GDPR
- Article 32, GDPR
eBoss as a Data Processor
Q: We use eBoss as a data processor for our recruitment agency. But now we need to assure compliance across all of our service providers. Does eBoss have any GDPR certification for its services?
A: At the time of writing, there is no official accreditation or certificate to prove GDPR compliance. Compliance can be demonstrated with self-assessment and reporting. Additionally, you may wish to read the eBoss Statement on GDPR.
All eBoss products are compliant to the highest standards under the GDPR. We introduced elements of Privacy By Design to our development workflows some time ago, so every eBoss product is GDPR compliant.
- Article 43, GDPR
What is a Controller–Processor Agreement?
Q: What is a Data Controller – Processor Agreement? How can I obtain one? Will it affect my eBoss service?
A: A Data Controller – Processor Agreement is a legal document which sets out the legal rights, duties, and obligations of the data controller and a service provider acting as a processor.
As part of our GDPR readiness programme, eBoss has put together a standard controller – processor agreement, which is ready for our customers.
In some cases, we may be issuing these agreements to customers with specific processing needs. Otherwise, you can request a controller-processor agreement for your business to help speed up compliance. Contact our GDPR representatives to obtain a personalised copy of the agreement.
The eBoss controller – processor agreement is supplementary to your ongoing terms of service. The products and support that you receive from eBoss will not be in any way impacted by the agreement.
- Article 28(1), GDPR
- Article 30, GDPR
- Recital 81, GDPR
What security measures has eBoss taken?
Q: What specific security steps has eBoss taken to protect its software and hardware, and my data?
A: All eBoss processes have been developed with Privacy By Design. They meet the highest standards of data security as set out by the GDPR, and our team is trained to ensure best practice when handling your data.
To keep this level of privacy in place, we do not share specific technical information about our software systems.
- Article 40, GDPR
Where are the eBoss servers located?
Q: The GDPR controls the transmission of personal data to unregulated destinations. Can you tell me whether eBoss servers are located in a location which complies with the law?
A: Yes. The eBoss servers are all situated within the European Union.
Additionally, we will not be able to alter the location of our servers without your prior written consent, as per our processing agreement.
- Article 4(23), GDPR
- Article 44, GDPR
- Recital 101, GDPR
Does eBoss have a Data Protection Officer?
Q: Who do I speak to when I want to discuss data security matters with eBoss? I understand that the details of the Data Protection Officer should be made public – why can I not find information about the eBoss DPO?
A: eBoss acts as the data controller for a very limited set of personal data, none of which falls into the category of “special types of sensitive personal data”. Following specific legal guidance, we have assessed that it would not be necessary to hire a DPO for the oversight of these processes. However, our team is fully updated on GDPR issues, and we do have dedicated Data Protection Representatives in our support team. You can contact our support staff through the usual channels. Alternatively, you may ask questions relating to the GDPR directly to our data protection representatives.
- Article 35, GDPR
- Article 37, GDPR
- Article 38, GDPR
Do I have the Right To Access My Data?
Q: GDPR allows me to obtain a copy of my data as part of my Right To Access. Can I retrieve a copy of all my company data stored with eBoss? And, if so – how?
A: As an eBoss customer, you are of course welcome to receive a copy of all of the company data that you have secured using our software. This is part of our basic service to our customers, however, and is unrelated to the GDPR.
Due to the valuable, and often sensitive, nature of the data you have stored on eBoss servers, some additional security steps may be required before we release your data to you.
Data will usually be sent in .csv format.