GDPR - frequently asked questions

> >

Frequently asked questions

Below are the answers to many of the common questions we get asked.

General information

Who we are

Based in Sheffield, Myhrtoolkit Ltd was founded in 2005 and has traded continuously since then, delivering the myhrtoolkit online hr system – which is specifically designed for small and medium sized businesses. In April 2021, myhrtoolkit was acquired by Agilio Software. This means that we are part of the Agilio Group and have extended our product offering, so not only do we have myhrtoolkit, we also have iLearn SME, an online training platform for small and medium sized businesses.

You can read more about the company and the business by visiting www.myhrtoolkit.com

Who controls the data?

All personal user data collected remains under the control of our individual customers who act as the data controller. Through the tools provided by the myhrtoolkit system, data controllers have sole control of all data which is added to the system and which individual functions of the system are used or not. The responsibility for establishing the lawful bases for processing rests with the data controller. We have created a useful whitepaper on GDPR and HR software. In relation to our customer facing business, myhrtoolkit act as data processor and do control data added or removed from the system.

What data is held?

UK GDPR relates only to personal information, and it is highly likely that not all data added will be personal information. As the data controller, each individual customer is responsible for the personal (and all other) data added to a myhrtoolkit account.

Users can add and change personal information about themselves. There is a corresponding notifications to alert management to such changes. Access controls are provided to allow customer control of who has access to what. We recommend using these and being aware of who can add what.

It is the responsibility of data controllers to establish the appropriate lawful bases for processing of any personal information which they choose to input into myhrtoolkit.

Where is our data held?

All customer data is hosted wholly within the EEA within a data centre certified to ISO 27001.

Are you registered with the Information Commissioner's Office?

Yes, we are registered with the Information Commissioner’s Office (ICO) as Data Processors.

Do you have a Data Protection Policy?

Please follow the link in our Privacy and UK GDPR portal /privacy/.

Do you have a Privacy Policy?

A copy of our Privacy Statement can be found on our website – /privacy/privacy-users/.

Do you share my data with anyone?

We do not routinely disclose personal information to third parties outside of myhrtoolkit. The only circumstances in which we will disclose such information to third parties would be where either:

Myhrtoolkit Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets. As previously mentioned, we were acquired by the Agilio Group in 2021.
Myhrtoolkit was under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use.

How can I get information about me corrected?

In relation to access or requests for corrections, given the nature of our system and its integrated tools, we provide data controllers with the ability to rectify the data under their control. Should any questions arise about usage, our service desk is always happy to help.

How do I raise a data security or privacy issue?

All enquiries and complaints in relation to data protection or privacy matters should be addressed to Data Protection, myhrtoolkit Limited, Unit 18 Jessops Riverside, 800 Brightside Lane, Sheffield, S9 2RX. via privacy@agiliosoftware.com

Data access

Who has access to our data?

Customer user data is held in a highly secure system, hosted by our hosting partner Google Cloud Platform (for more information see their page Why Google Cloud?) You may also like to read our Security Statement to find out more. Beyond the customer, and anyone they may grant access to, myhrtoolkit will only access identifiable personal information after obtaining the permission of the customer.

Do you sub-contract any services to 3rd parties?

We work with several trusted partners, and you can see the list of them all here: https://www.myhrtoolkit.com/privacy/licence/

How do you control who at myhrtoolkit has access to my data?

Myhrtoolkit employees are not required to access customer data to complete their day-to-day responsibilities. Each instance of access is separately authorised in line with our Customer Data Access Policy.

Security

Do you have a dedicated Data Protection and/or Information Security Officer?

Name or title of DPO	Kit Barker, Chief Information Security Officer at Agilio
email	privacy@agiliosoftware.com
Address	Data Protection, myhrtoolkit Limited, Unit 18 Jessops Riverside, 800 Brightside Lane, Sheffield, S9 2RX.

What measures do you have in place to keep my data safe?

Security measures are outlined in our Security Statement.

How would security incidents affecting our data be formally reported to us?

Please view our data breach process information page.

Back-up and disaster recovery

What about Backups?

We understand the importance of regular reliable backups to ensure system availability and continuity; as such, we operate 2 entirely separate backup routines for the purposes of disaster recovery. The first is managed by our hosting partner, Google Cloud Platform, who make a daily back up of all changes and take a full back up once a week. These are stored in their secure data centre over a 2 week rolling period. Additionally, myhrtoolkit take a full daily back up which is stored for 30 days off-site with a different PCI DSS Level 1 service provider. Before this leaves our servers, the back-up is encrypted, transmitted over a secure connection and remains encrypted whilst it is outside our network. Both facilities are based entirely in the EEA. Please note that individual data, records or documents cannot be extracted from this back up.

Do you encrypt my data?

Our certificates are encrypted with 256-bit encryption, and all data that passes between you and our servers is encrypted with industry standard 128-bit encryption.
For further details on how we keep your data secure, please review our Security Statement.

For how long do you retain my data?

In regular use, information is held as long as the Data Controller allows it to be. Tools to edit or delete fields or remove whole user records are provided. Leavers are managed through a secure process allowing different levels of sanitisation or anonymisation.

Following a customer serving notice to terminate their use of myhrtoolkit, an account operates normally until the final day of contract, usually the day before the next monthly invoice would have been issued. During this period we are happy to assist in data extraction.

Customer data is then archived for a further 30 days before all data is deleted rendering it non-recoverable.

Following the archive period, account data then resides in the disaster recovery back up for a further 30 days.

After this point, the only data retained is company level data appropriate for recording the previous existence of our commercial relationship. No personal data is stored.

Stage	Period	Access
Normal usage	Until final day of contract	Full
Archive	30 days	Can be reinstated on request (fees apply)
Data Recovery back up	30 days	No

Do you have a business continuity and disaster recovery plan?

Should the occasion arise, we have plans in place which would allow us to continue providing service to you, these are fully documented and regularly tested.

Call 0330 236 8399 for more information