What is the GDPR?
Organizations established in the EU and processing personal data of EU-based individuals have, in almost all cases, been required to comply with the GDPR since May 25, 2018.
The GDPR updates and harmonizes the framework for processing personal data in the European Union, and brings with it new obligations for organizations and new rights for individuals.
We have been fully committed to complying with the requirements of the GDPR. We have taken these new requirements to heart and made changes to our products, contracts and policies to ensure that we were fully in compliance with the GDPR.
Have we nominated a Data Protection Officer?
Yes. His identity has been communicated to the CNIL, the independent French administrative regulatory body whose mission is to ensure that data privacy law is applied.
How can I get in touch with the DPO?
Do we ensure that our third party providers are or will be compliant in time?
Yes. We have been reviewing all of our third party providers’ policies regarding GDPR, notably including:
What is a Personal Data Breach?
A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Do we have a notification procedure in case of a Personal Data Breach?
We have specific data breach notification procedures in place, respecting the deadlines of the GDPR in communicating any breach.
What are the Rights employees can exercise?
The Rights employees can exercise are:
Right of Access: Employees may request to access their Personal Information and obtain a copy of the Personal Information which is being processed by RandomCoffee. In the event that employees request to know what Personal Information is being processed by us, we will provide employees with the following information free of charge: purposes of processing; categories of Personal Information processed; recipient(s) of Personal Information; length of time during which the Personal Information will be stored; employees’ privacy rights; and information on data transfers.
Right of Rectification: Employees may request to change, update or complete any missing data we process about them.
Right of Erasure: Employees may at any time withdraw their consent to our processing of their Personal Information. In this case, if there is no overriding legitimate interest for continuing the processing of their Personal Information (e.g. to comply with our legal obligations, resolve disputes, enforce our agreements, etc.) and the Personal Information is no longer necessary in relation to the purpose for which it was originally collected, we will erase the data.
Right of Restriction of Processing: Employees may request us to restrict processing of their Personal Information if one of the following applies: (i) the accuracy of the Personal Information is contested by the employee; (ii) the processing is unlawful; or (iii) if we no longer need the Personal Information.
Right to Data Portability: Employees have the right to receive their Personal Information in a structured, commonly used and machine-readable format.
How can employees exercise their Rights?
Employees can exercise their Rights by sending an email to firstname.lastname@example.org
What type of Personal Data do we collect?
Following the Privacy by Design principle, we only collect the data that we need, which in our case is at minimum the First Name, the Last Name & the Professional Email.
Then, upon customer request, we may collect other personal data such as the employee’s department, or any other relevant data to deliver the service.
How do we collect the Personal Data?
It depends on each customer, but the main way to collect Personal Data is through a registration form that Employees must fill in themselves, therefore ensuring consent.
We are also integrated with SAP SuccessFactors & may integrate with other HRIS.
Where do we store the Personal Data we collect?
The data is stored on an RDS database on AWS (Amazon Web Services) in Frankfurt, Germany. The data is never replicated or copied outside the region.
How long do we store the Personal Data?
We keep the data for 18 months. After that, our system automatically deletes the Personal Data.