Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected or processed. This makes sense: EU laws apply in the EU.
The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" -- EU-speak for what we in the U.S. call personally identifiable information (PII) -- as part of a marketing survey, then the data would have to be protected GDPR-style.
We encourage you to seek legal counsel if you are concerned about your organization’s compliance with GDPR.
Optimum GDPR Compliance: How does Optimum fit in with all this?
GDPR compliance goes well beyond your payroll/HR software vendor. However, your payroll/HR software vendor is one piece in the larger puzzle that makes up each entity’s GDPR compliance. As defined in the GDPR, the rights of the user/client (referred to as the “data subject” in the regulation itself) are:
1. The right to erasure
- This is the most well-known part of the GDPR. It is sometimes also known as the “right to be forgotten.”
Optimum provides the ability to delete user information from its system.
2. The right to restriction of processing
- You still keep the data but mark it as “restricted” and don’t touch it without further consent by the user.
Optimum provides the ability to define user-to-employee access security.
3. The right to data portability
- The ability to export one’s data in a machine-readable format, e.g. CSV, XML, JSON, Excel.
Optimum provides the ability to export all employee-related data into multiple file formats, e.g. exporting employee reports to Excel or CSV.
4. The right to rectification
- The ability to get personal data corrected.
Optimum provides the ability to maintain employee data. The employer would need to define and implement a procedure for allowing the employee to request corrections.
5. The right to be informed
- The right to get human-readable information.
The employer would need to define its policy for the use of employee data and provide this policy to the employees.
6. The right of access
- The user should be able to see all the data you have about them.
Optimum provides the ability to run/export reports from the system to display information stored about employees.