General Data Protection Regulation
At Lucca, we did not wait for the GDPR to ensure the privacy and security of your data. However, this regulation does reinforce some of our obligations. We have therefore taken the necessary steps to comply. You will find the details below.
Lucca’s solutions manage information (vacations, expense reports, payslips, personnel files, etc.) which is “personal data” as defined by the General Data Protection Regulation (GDPR) in force since May 25, 2018.
Consequently, if you are one of our clients, you are subject to the provisions of the GDPR, on two levels:
- your relationship with us, as we act as your data processor (article 28 of the GDPR),
- your relationship with your employees, as you are acting as a data controller of their personal data through our solutions (Article 24 of the GDPR).
In addition, we manage personal information to communicate, in particular by email, with the administrators of our solutions as well as with our leads. As such, we act as a data controller.
Definitions of the major concepts
The GDPR is a dense and complex document whose provisions sometimes leave room for interpretation or may seem abstract. It is nevertheless important to know these 4 definitions to better understand it.
Personal data
Any information relating to an identified or identifiable natural person. The term “personal data” is the one you will encounter most often.
In Lucca’s solutions, an employee record, an absence request or a performance review are therefore personal data, as is almost all of the information you manage in our solutions.
Processing of personal data
This is any operation or set of operations carried out on personal data, such as collection, recording, retention, modification, access, deletion etc.
Lucca carries out several processing operations on personal data on behalf of its clients. For example, throughout the duration of the contract with its clients, Lucca retains the personal data of employees and deletes them within 30 days of the end of the contract.
Data controller
Any legal or natural person who determines the purposes and means of the processing of personal data. The data controller is responsible for compliance with the GDPR within their organization, and in particular for respecting the rights of employees (right of access, right to erasure, etc.).
All our clients are therefore data controllers.
Data processor
Any legal or natural person who processes personal data on behalf of the data controller.
Lucca has the status of data processor with respect to all its clients.
Lucca’s commitments as a data processor
If you are a Lucca client, then we are your data processor. As such, we undertake to comply with our obligations as defined in Article 28 of the GDPR. We have also appointed a Data Protection Officer (DPO), who may be contacted via email@example.com.
As a data processor, we also make the following commitments:
- Only process the personal data of your employees in the context of the performance and execution of Lucca online services to which you have subscribed. Never sell or use your employee data for marketing purposes.
- Information emails for administrators: our online service includes the sending of emails addressed exclusively to the administrators of our clients’ solutions, intended to inform them of news and developments concerning Lucca products. For this processing, we act as data controller.
- Not transfer your data outside the EU, unless you opt for data hosting in Switzerland.
For clients residing in Switzerland, we use two sub-processors to host our solutions and, therefore, the personal data of your employees:
- Microsoft Azure, on servers located in Switzerland,
- Google Cloud Platform (GCP), on servers located in Switzerland, used only for encrypted backups.
- Notify you of any change to the sub-processors we use to process some of your personal data, and ensure that these sub-processors are GDPR-compliant.
- Restrict access to your personal data to duly authorized Lucca employees only, in particular when assisting you through our support service.
- Guarantee a high level of data security and protection.
- Make our employees aware of the confidential nature of personal data, the issues of data security and the regulations applicable to the protection of this data.
- Notify you of personal data breaches within 48 hours of becoming aware of them, which leaves you time to meet your own obligation as data controller to notify the supervisory authority within 72 hours (Article 33 of the GDPR).
What measures have been introduced by Lucca in terms of data security and privacy?
Lucca has implemented security measures to ensure the integrity and confidentiality of the personal data entrusted to it. Lucca obtained ISO 27001 certification in July 2022, which reflects our commitment to information security. These measures include:
- Systematic encryption of data in transit on the public network,
- Replication of production data on a geographically remote site,
- Encrypted off-site backups (AES-256) in GCP Storage (Zurich),
- Deletion of personal data once it leaves the production environment,
- Regular security audits and penetration tests,
- Secure development policy with blocking controls, i.e. checks that must pass before a change is released.
Finally, we regularly assess the risks and adapt the level of our security appropriately.
Your obligations as a data controller
You manage, through our solutions, the personal data of your employees.
As a result, your employees have rights over this data. It is your responsibility to allow them to exercise them. Lucca solutions help you fulfill this obligation.
Right of access (Article 15 of the GDPR)
The data subject shall have the right to obtain from the data controller access to his or her personal data.
Depending on how the solution is configured, employees have access to the information that concerns them (or can request it from their administrator). It is up to you, as the data controller, to decide whether to give your employees this possibility.
Right to rectification (Article 16 of the GDPR)
The data subject shall have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her.
The Poplee Core HR solution by its nature (employee self service) allows employees to edit all or part of their personal data themselves.
Right to erasure, or “right to be forgotten” (Article 17 of the GDPR)
The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay.
We provide our clients with a module dedicated to the management of the right to be forgotten. Reserved for administrators of our solutions, it allows them to delete personal data, especially for former employees. To learn more about this module
Do I need to obtain the consent of employees before using Lucca solutions?
Given the unequal nature of the employer-employee relationship, it is rare for employees to be able to freely give their consent, unless the acceptance or refusal has no negative impact on their employee status.
Consent is only one of the six legal bases provided by Article 6 of the GDPR for the lawful processing of personal data. It is therefore up to you, depending on the purposes you have previously determined for your processing, to identify the appropriate legal basis. For HR processing such as payroll or leave management, that basis is typically performance of the employment contract (Article 6(1)(b)) or compliance with a legal obligation (Article 6(1)(c)) rather than consent.
Lucca’s commitments as a data controller
We may collect and process personal data for the purposes of managing our clients, suppliers and leads, but also for the purposes of executing our contracts with our clients.
In particular, we use certain personal data of the administrators of our solutions (surname, first name, professional email, role) to communicate with them and provide them with maintenance and functional support services, as well as information on developments and news of our solutions.
We have provided the possibility for administrators to disable the receipt of this information, but in such a case they may not be fully informed of all functions and/or developments of the Lucca solutions.
As a data controller, we undertake to:
- Limit data collection to what is strictly necessary.
- Not use the data collected for purposes other than those for which it was collected.
- Give the administrators of our solutions rights of access, rectification and erasure over their personal data.
- Implement appropriate technical and organizational measures to guarantee a high level of security.