General Data Protection
Regulation at Lucca

At Lucca, we did not wait for the GDPR to ensure the confidentiality and security of your data. This being said, the GDPR has heightened some of our obligations. We have thus taken the necessary compliance measures, as outlined below.

Our solutions manage information (on employee leave, expense reports, HR files, etc.) that qualifies as “personal data” pursuant to the definition given by the General Data Protection Regulation (GDPR), in effect since 25 May 2018.

Accordingly, if you are one of our clients, you are subject to the provisions of the GDPR in two contexts:

  • in the context of your relationship with us, inasmuch as we are acting as your processor (GDPR, Article 28)
  • in the context of your relationship with your members of staff, inasmuch as you are acting as the controller of their personal data by using our solutions.

We also manage personal data to communicate, in particular through email, with the administrators of our solutions and with our prospects. When acting in this capacity, we are the controller.

We are your processor

You are controller

Definitions of main concepts

The GDPR is a dense and challenging piece of legislation (99 articles), which is sometimes abstract when laying down guidelines, thereby leaving quite a bit of leeway in terms of interpretation. This being said, it is important for you to be familiar with the following 4 definitions.


The natural or legal person who or which determines the purposes and the means of the processing of personal data. The controller is responsible for compliance with the GDPR within his, her or its organisation, and in particular compliance with the rights of members of staff (right of access, right to erasure, etc.)

All clients of our solutions accordingly qualify as controllers.

Personal data

Any information relating to an identified or identifiable natural person [...].

At Lucca, an email, a request for leave of absence, or a performance review will thus qualify as personal data, as does virtually all of the information you manage using our solutions.


The natural or legal person who or which processes personal data on behalf of the controller.

Lucca acts as a processor as regards all of its clients.

Special categories of personal data

Personal data revealing racial or ethnic origin, political opinion, religion, trade union membership, sexual orientation, genetic data and biometric data are considered “sensitive” by the GDPR and their processing is prohibited, subject to a few exceptions, including when processing is based on the explicit consent of the data subjects.

By default, Lucca solutions do not process these types of data. However, they can be provided you have the right to process such data, to outsource such processing and you previously inform us in writing. Please note that Lucca is not a certified “health data host” and, accordingly, that you should not process this type of data using Lucca solutions.


Lucca’s commitments as a processor

If you are a Lucca client, then we are your processor. In this respect, we agree to comply with our obligations as defined in Article 28 of the GDPR. We have come into compliance with the requirements under the GDPR, in particular by appointing a Data Protection Officer (DPO), whom you can contact by writing to

We also make the following commitments:

Only to process the personal data of your members of staff in the course of the performance and implementation of the online Lucca services to which you have subscribed. We will never sell or use data concerning your members of staff for marketing purposes.

Not to transfer your data outside the EU, unless you opt for the hosting service dedicated to our Swiss clients

To inform you of any change in the processors we use to store or process some of your personal data, and to ensure that any such processors are also in compliance with the GDPR.

To restrict access to your personal data to only those members of our staff who are duly authorised to provide you with assistance as part of our support functions

To assure you of a high level of security and protection of your data.

To ensure our members of staff are aware of the confidential nature of personal data and, as necessary, provide them with training on applicable data protection legislation.

To notify you within 24 hours in case of any data breach.


I subscribed to Lucca services before 25 May 2018. Does my company need to enter into a new agreement with you?

No, a new agreement is not necessary. Our Terms and Conditions have been modified so that our agreements now cover all of the requirements under the GDPR relating to the liability of the processor as regards the controller.

If such modifications do not meet with your approval, you have the possibility of terminating your subscription, at no cost to you, by giving notice of 30 days. Unless we receive notice of termination from you on or before 31 August 2018, you will be deemed to have accepted them “as is”.

Our General Terms and Conditions are enforceable against us, except in case of Specific Terms of Conditions, if any, which prevail over the General Terms and Conditions.

They express all of our commitments in relation to personal data. This is why it is not necessary to execute an amendment covering personal data.

Is Lucca’s security and confidentiality policy in line with the GDPR?

Yes. Lucca has implemented the necessary security measures to ensure the integrity and the confidentiality of the personal data entrusted to it.

More specifically, we:

  • systematically encrypt data transiting over the public network,
  • synchronise production data on an hourly basis at a remote location (Business Continuity Plan),
  • make an encrypted daily back-up on Azure (Disaster Recovery Plan),
  • erase personal data when such data leave the production area,
  • manage infrastructure access using two levels of security: VPN + individual account, and periodically review accounts,
  • conduct security audits and penetration testing on a regular basis,
  • implement a systematic code review to ensure secure deployments.

In addition, Lucca has chosen OVH and Azure as hosts as the certification level of these companies (ISO 27001, PCI-DSS) ensures optimal infrastructure security.

Lastly, we carry out regular risk assessments and adapt our security level accordingly.


Your obligations as the controller

You manage, via our solutions, the personal data of your members of staff.

As a result, your members of staff have rights in relation to such data. It is your responsibility to permit them to exercise such rights. Our solutions can help you meet your obligations.

Right of access (GDPR, Article 15)

The data subject has the right to obtain from the controller access to personal data concerning him or her…

Depending on the configuration settings of the solution, members of staff will have access to personal data concerning them (or can request access thereto). As the controller, only you can provide this possibility (or not) to your members of staff.

Right to rectification (GDPR, Article 16)

The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her…

By its nature (employee self-service), the Poplee solution allows your members of staff to themselves modify all or some of the personal data concerning them.

Right to be forgotten (GDPR, Article 17)

The data subject has the right to obtain from the controller, without undue delay, the erasure of personal data concerning him or her…

We provide our clients with a module dedicated to management of the right to be forgotten. Reserved to the administrators of our solutions, this module allows them to mass delete personal data, in particular for staff having left the company or else, to pseudonymise data. Pseudonymisation consists in modifying the identification data (surname, name) in such a manner that the data can no longer be attributed to a specific data subject.


Do I need to obtain the consent of my members of staff before I can start using Lucca solutions? *

No, you don’t, especially as if you were to, such consent would not be a valid legal ground (it would not be “freely given”, considering the imbalance in the relationship between the employer and the employee.

Consent is only one of the 6 conditions laid down by Article 6 of the GDPR to ensure the lawfulness of the processing of personal data.

The lawfulness of your use of Lucca solutions to manage the personal data of your members of staff is based on Article 6.1.(b) of the GDPR (processing necessary for the performance of a contract).

* Under no circumstances should these answers be interpreted as constituting legal advice or legal guidance. We therefore invite you to consult your legal adviser on these topics.

Are Lucca solutions concerned by the requirements under Article 9 of the GDPR in relation to the management of special categories of data (political opinions, religious beliefs, trade union membership, sexual orientation, etc.)?*

In their default configuration, Lucca solutions do not process any of the special data mentioned in Article 9 of the GDPR (sensitive data)…

However, the Poplee application, which by its nature is similar to a database, allows a company so wishing to collect and process data of any nature and, therefore, possibly sensitive data.

If this is your case, our Terms and Conditions require you to previously notify us.

We draw your attention to the fact that Lucca does not have “health data” certification and that health data should in no event be processed in the context of the services.

We remind you that if you decide to process sensitive data, you are subject to the strict requirement (barring the exceptions provided by the GDPR) of obtaining the consent of your members of staff and ensuring that such consent is freely given.


Lucca’s commitments as a controller

We may collect and process personal data for client, supplier, and prospect management purposes, and for the purposes of performance of our contracts with our clients.

In particular, we use certain personal data of the administrators of our solutions (name, professional email, role) to communicate with them and to provide them with maintenance and support (hotline) services, as well as information on upgrades to and news about our solutions.

We have provided for the possibility for administrators to unsubscribe from such information but, in such case, they risk not being fully informed of all of the features of the Lucca solution.

Limiting the collection of data to what is strictly useful.

Not to use the data collected for any other purposes other than those for which they were collected.

Providing administrators of our solutions with an effective way to exercise their right of access, to rectification or erasure of their personal data.

Implementing appropriate technical and organisational measures to guarantee a high level of security.