At Lucca, we did not wait for the GDPR to ensure the privacy and security of your data. However, this regulation does reinforce some of our obligations. We have therefore taken the necessary steps to comply. You will find the details below.
Lucca's solutions manage information (vacations, expense reports, payslips, personnel files, etc.) which is "personal data" as defined by the General Data Protection Regulation (GDPR) in force since May 25, 2018.
Consequently, if you are one of our clients, you are subject to the provisions of the GDPR, on two levels:
In addition, we manage personal information to communicate, in particular by email, with the administrators of our solutions as well as with our leads. As such, we act as a data controller.
The GDPR is a dense and complex document whose provisions sometimes leave room for interpretation or may seem abstract. It is nevertheless important to know these 4 definitions to better understand it.
Any information relating to an identified or identifiable natural person. The term “personal data” is frequently encountered.
In Lucca, an employee record, an absence request or an evaluation is therefore personal data, as is almost all of the information you manage in our solutions.
This is any operation or set of operations carried out on personal data, such as collection, recording, retention, modification, access, deletion, etc.
Lucca carries out several processing operations on personal data on behalf of its clients. For example, throughout the duration of the contract with its clients, Lucca retains the personal data of employees and deletes them within 30 days of the end of the contract.
Any legal or natural person who determines the purposes and means of processing personal data. The data controller is responsible for compliance with the GDPR within their organization, and in particular for respecting the rights of employees (right of access, right to erasure, etc.).
All our clients are therefore data controllers.
Any legal or natural person who processes personal data on behalf of the data controller.
Lucca has the status of data processor with respect to all its clients.
If you are a Lucca client, then we are your data processor. As such, we undertake to comply with our obligations as defined in Article 28 of the GDPR. As a result, we have appointed a Data Protection Officer (DPO) who may be contacted via firstname.lastname@example.org.
As a data processor, we also make the following commitments:
Only process the personal data of your employees in the context of the performance and execution of Lucca online services to which you have subscribed. Never sell or use your employee data for marketing purposes.
Our online service includes the sending of emails addressed exclusively to the administrators of our clients' solutions and intended to inform them of the news on and developments of Lucca products. As such, we act as data controller for the processing of these data (see here).
Not transfer your data outside the EU, unless you opt for data hosting in Switzerland.
We use four data processors to host our solutions and, therefore, the hosting of employees’ personal data:
for customers residing in Switzerland:
Notify you of changes to the data processors we use to process some of your personal data, and ensure that these data processors are GDPR-compliant.
Restrict access to your personal data to duly authorized Lucca employees only, in particular to assist you in the context of support functions.
Guarantee a high level of data security and protection.
Make our employees aware of the confidential nature of personal data, the issues of data security and the regulations applicable to the protection of this data.
Notify you of data breaches within 48 hours of becoming aware of them.
I subscribed to Lucca services before May 25, 2018. Does my company need to enter into a new contract with Lucca?
No, it is not necessary. The GDPR applies to relationships with our clients regardless of the signing of specific clauses to this effect. However, you can contact our DPO (email@example.com) should you wish to sign a Data Processing Agreement (DPA) in order to frame the processing carried out by Lucca. In addition, our general terms and conditions have been updated so that our contracts now include all the provisions of the GDPR relating to the responsibilities of the data processor with respect to the data controller. For clients who signed a contract before May 25, 2018, should you not agree to such changes, you have the option of terminating your subscription free of charge with 30 days' notice. In the absence of termination before August 31, 2018, you will be deemed to have accepted them as such.
What measures have been introduced by Lucca in terms of data security and privacy?
Lucca has implemented security measures to ensure the integrity and confidentiality of the personal data entrusted to it. As such, Lucca obtained ISO 27001 certification in July 2022, which reflects our commitment to information security.
Finally, we regularly assess the risks and adapt the level of our security appropriately.
You manage, through our solutions, the personal data of your employees.
As a result, your employees have rights over this data. It is your responsibility to allow them to exercise them. Lucca solutions help you fulfill this obligation.
The data subject shall have the right to obtain from the data controller access to his or her personal data.
Depending on the settings of the solution, employees have access to the information that concerns them (or can request access to it from their administrator). It is up to you alone, as the data controller, to decide whether or not to give your employees this possibility.
The data subject shall have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her.
The Poplee Core HR solution by its nature (employee self service) allows employees to edit all or part of their personal data themselves.
The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay.
We provide our clients with a module dedicated to the management of the right to be forgotten. Reserved for administrators of our solutions, it allows them to delete personal data, especially for former employees. To learn more about this module
Do I need to obtain the consent of employees before using Lucca solutions?
Given the unequal nature of the employer-employee relationship, it is rare for employees to be able to freely give their consent, unless the acceptance or refusal has no negative impact on their employee status.
Consent is only one of the 6 legal bases provided by Article 6 of the GDPR to ensure the lawfulness of the processing of personal data. Therefore, depending on the purposes that you have previously determined for your processing, it is up to you to determine the appropriate legal basis.
We may collect and process personal data for the purposes of managing our clients, suppliers and leads, but also for the purposes of executing our contracts with our clients.
In particular, we use certain personal data of the administrators of our solutions (surname, first name, professional email, role) to communicate with them and provide them with maintenance and functional support services, as well as information on developments and news of our solutions.
Administrators can disable the receipt of this information, but in that case they may not be fully informed of all functions and/or developments of the Lucca solutions.
Under no circumstances can these responses constitute legal advice. We invite you to consult your counsel on these matters.