Our Compliance with the GDPR

Effective Date: August 6, 2021

1. Our Commitment

By setting high data protection standards, the General Data Protection Regulation (EU) 2016/679 (GDPR) is designed to protect the fundamental human right to privacy. When offering you our software solutions under the brand ‘Passwork’, including, without limitation, the on-premises version of Passwork, we strive to ensure that any personal data processed through Passwork is processed in a lawful, fair, and transparent manner. We are also committed to helping our clients to understand how we comply with the GDPR.
To comply with our obligations under the GDPR, we have updated our policies and procedures and made them available for your consultation at any time.

2. Our Compliance with the GDPR

The GDPR’s updated requirements are significant and our team has adapted our services, operations, policies, and contractual commitments to help us and our clients to comply with the requirements set by the GDPR. The measures that we have implemented include, but are not limited to:
  • Investments in our security infrastructure;
  • Updates to relevant contractual terms;
  • Support for international data transfers by means of our data processing agreements offered to our clients (the “DPA”) and data processing agreements concluded with our data processors; and
  • Offering data portability and data management tools, including: data import, export, amendment, and deletion tools whereby our clients may access, import, export, update, and delete their data through their interface.
We also monitor the guidance around GDPR compliance from privacy-related regulatory bodies and update the features of Passwork and our contractual commitments accordingly.
We will provide you with regular updates regarding our data protection practices, so that you stay up-to-date with them.

3. Our Role under the GDPR

As a provider of Passwork, we act both as a data controller and data processor. Our role depends on the specific situation that involves the processing of personal data:
  • We act as a data controller when we ask our clients to submit their personal data for account registration purposes, payment processing purposes, or if they contact us directly. As a data controller, we comply with our obligations and remain solely responsible for the personal data obtained directly from our clients.
  • We act as a data processor in situations where our clients conclude a service contract with us and certain personal data is submitted, uploaded, generated, or otherwise processed by our clients through Passwork. In such cases, the obligations applicable to data processors under the GDPR will apply to us. To ensure that we process personal data on behalf of our clients in compliance with the GDPR, we offer our DPA for conclusion, a copy of which is available by contacting us at [email protected].

4. Our Security Infrastructure

Protecting personal data belonging to our clients and processed on behalf of them is of utmost importance to us. Therefore, we have set high standards for security and take administrative, organisational and technical security measures to protect personal data submitted through Passwork from loss, misuse, unauthorised access, and disclosure. The security measures implemented by us include:
  • Maintaining adequate access control mechanisms (e.g., two-factor authentication, password protection, and limited access) covering any systems, servers, or files in which personal data is stored;
  • DDoS mitigation;
  • Using SSL encryption for any transmission of personal data electronically;
  • Limiting access to personal data by our officers, directors, employees, consultants, and representatives only for specific purposes; and
  • Adhering to the highest information security standards and conducting regular information security audits.
We also make use of technology partners and third-party service providers who are carefully selected as complying with the highest data protection and information security standards.

5. International Data Transfers: Standard Contractual Clauses

The GDPR sets strict requirements for the transfer of personal data outside the EU. To ensure that EU residents’ personal data remains safe and secure, the GDPR allows such international transfers only if certain safeguards are implemented, such as (the list is not exhaustive):
  • The third country is deemed by the EU as ensuring an adequate level of protection (check here for more information);
  • Standard Contractual Clauses govern such transfers;
  • Approved certification mechanisms are used; or
  • Approval from data protection supervisory authorities is received.
To comply with the GDPR requirements and ensure that the personal data processed through Passwork by our clients remains secure, we offer our DPA based on Standard Contractual Clauses to meet adequacy and security requirements for our clients who operate in the EU or submit EU residents’ personal data through Passwork. The DPA is available by contacting us at [email protected].

6. Contact

Fulfilling our data protection commitments is important to us. If you have any questions about our GDPR compliance or would like to know more about how we can help you with compliance, please contact us.
  • Email: [email protected]
  • Postal address: Passwork Oy, Pasilankatu 2, 00240 Helsinki, Finland