GDPR
About the GDPR
The General Data Protection Regulation (GDPR) came into force on May 25, 2018 introducing a risk-based approach to data protection, enabling innovation in the global digital economy while respecting an individual’s right to privacy.
Overview
The General Data Protection Regulation (GDPR) came into force on May 25, 2018 to bring consistency to the data protection landscape across Europe, to enhance data protection compliance obligations that apply to both data controllers and data processors, and to safeguard the privacy of EU data subjects. It embodies the principles of transparency, fairness and accountability and offers strengthened rights for individuals to control their data. The GDPR introduced a risk-based approach to data protection with the intent to encourage and enable innovation in the global digital economy while respecting an individual’s right to privacy.
Our Commitment
Visier placed a high priority on the GDPR readiness and proactively engaged a highly accredited privacy compliance solutions provider, TrustArc (formerly known as TRUSTe) to conduct a thorough assessment of Visier’s data privacy practices. While Visier already maintained a robust Privacy and Data Protection Program, we took steps to further mature this program and to prepare for the GDPR’s increased accountability obligations. This included appointing a Data Protection Officer, updating privacy policies and notices, adopting privacy-by-design in how we design, build and govern our solutions, enhancing contract language, refreshing employee privacy training, managing vendor relations, and preparing records of processing activities to ensure that we know what data we collect, where it resides and the purposes for processing.
Visier understands that demonstrating compliance with the GDPR is an ongoing journey. Our commitment includes continuously monitoring emerging developments, regulator guidance, and lessons learned as the effects of the GDPR take hold. We will continue to refine our privacy practices and Privacy and Data Protection Program to reflect this shifting landscape while supporting our customer’s goals and expectations.
In addition to the GDPR, Visier also complies with other applicable data protection laws and aligns with industry standards, frameworks and privacy best practices.
To learn more about our privacy commitments, please read our Privacy Overview.
Your Data and Using the Visier Solution
Visier strives to create a trusted environment and is committed to practicing transparency in how we handle our customers’ data. Our customers are, and remain, the data controller for the personal data being processed in the Visier solution. As the data processor, Visier shares responsibilities for data protection with our customers. We have implemented processes to ensure personal data is handled appropriately and securely throughout the data lifecycle.
To help customers understand how Visier has implemented measures to ensure personal data is handled in accordance with the General Data Protection Regulation (GDPR), we have highlighted some of the main GDPR requirements and how Visier helps to address them. Customers may also find this high level summary useful in supporting its compliance efforts with Article 35 Data Protection Impact Assessments (DPIAs) for high risk processing activities.
While Visier and its customers each have responsibilities when it comes to GDPR compliance, Visier also assists its customers when instructed to do so and as reasonably necessary, to comply with their respective privacy obligations.
*The requirements below highlight only a subset of the GDPR and are not intended as legal advice. Customers must seek their own legal advice to ensure their compliance with the applicable requirements under the GDPR.
GDPR Requirement | Responsibility | How Visier helps address the requirement |
Accuracy (Article 5) | Shared | Customers have an obligation to keep personal data accurate and up to date. Visier assists its customers in keeping personal data accurate and up to date. When instructed to do so from a customer, as required under the terms of the Subscription Agreement, Visier will correct or update personal data. |
Retention (Article 5) | Shared | Customers must ensure personal data is not kept longer than is necessary for the purposes for which it is processed and considering any legal obligations. As set out in the Visier Subscription Agreement, Visier will retain Customer Data for the duration of the customers’ use of the Visier solution and until all Customer Data is deleted or returned in accordance with the customers’ instructions or the terms of the Subscription Agreement. Upon termination or expiration of a customer’s Subscription Agreement, Customer Data is securely destroyed in all formats and from all media within 30 days. |
Purpose of processing (Article 6) | Customer | The purpose(s) of processing personal data is determined by the customer that implements, configures, and uses the Visier solution. As specified in Visier’s Subscription Agreement and Data Privacy Addendum, Visier, as a data processor, processes Customer Data to provide our customers the services in accordance with our customer’s documented instructions. Customers decide what personal data is collected from their employees and candidates; determine the lawful basis for processing; what personal data is transmitted to the Visier solution to help make business decisions about employees and candidates; and how this data is to be processed by Visier. Visier only processes personal data for its customers’ use within the Visier solution in accordance with the customers’ instructions and to the extent reasonably necessary for the provision of the contracted services. |
Consent (Article 7) | Customer | Customers, as data controllers, determine whether consent, or other legal basis, is required for processing personal data of employees and candidates in the Visier solution. |
Special categories of data (Article 9) | Customer | There are certain types of personal data that come under the ‘special categories of data’. This includes data that reveals an individual’s religious or philosophical beliefs, genetic data, or sexual orientation. Customers are solely responsible for determining the types and categories of personal data, including any special categories of data, that are transferred to Visier for processing in the Visier solution. |
Transparency (Article 12) | Shared | Visier provides its customers with transparency around how personal data is managed. The Visier Privacy Statement is presented upon initial user login and is easily accessible at all times within the Visier solution. The Privacy Statement describes Visier’s data handling practices and communicates the ways personal information is protected. Customers are responsible for providing an appropriate level of transparency regarding the personal data they manage in the Visier solution. |
Subject access requests (Article 15) | Shared | Visier provides the capability for customers to self-export the requested personal data available from the Visier solution into a machine readable format. Visier promptly forwards to its customers any data subject access request where a customer’s data subject has directly applied to Visier to exercise their rights, and does not respond to such a request unless authorized to do so or required to by law. |
Right to erasure (Article 17) | Shared | Customers may choose to delete or de-identify personal data in response to a right to erasure request. When instructed to do so by a customer, as required under the terms of the subscription agreement, Visier assists a customer in deleting or de-identifying personal data of an employee or candidate that has previously been transferred to Visier for processing. Visier promptly forwards to its customers any right to erasure requests where a customer’s data subject has directly applied to Visier to exercise their rights, and does not respond to such a request unless authorized to do so or required by law. |
Automated decision-making (Article 22) | Customer | The Visier solution provides data-driven insights to executives and human resources professionals to help them make effective business decisions related to their employees and candidates. Depending on the customer’s configuration, the Visier solution may perform certain automated processing of data such as the analysis performed to derive insights on how people collaborate within an organization. |
Sub-processor (Article 28) | Visier | Visier shares data with third parties acting as our sub-processors to support functions such as infrastructure-as-a-service and security. Visier informs its customers where processing undertaken is conducted by a sub-processor and complies with the particular requirements of a customer with regard to the appointment of sub-processor as set out under the terms of the Subscription Agreement. Any sub-processors to which Visier transfers Customer Data will have entered into written agreements with Visier that are no less protective than the terms in the customer’s agreement. All Visier sub-processors to which Customer Data is shared are included in the Visier Sub-processor list. |
Records of processing activities (Article 30) | Shared | Customers, as data controllers, are responsible for maintaining records of processing activities associated with personal data. Visier maintains internal records of processing activities relevant to its role as a data processor. |
Data protection by design (Article 35) | Shared | Visier considers Privacy by Design principles in the design and development of solutions and services. Privacy assessments and reviews are integrated into the development lifecycle of new functions, features and content. Visier’s Head of Privacy and Data Protection is a stakeholder in the go no-go decisions for all new releases and before they become generally available. Read more about Privacy by Design at Visier. Customers are responsible for how personal data is managed within the Visier solution. Customers should periodically review their use and configuration to validate that data protection has been taken into account by design. |
Data Protection Officer (Article 37) | Customer | Customers may need to appoint a Data Protection Officer under the GDPR. Visier does not offer Data Protection Officer services. |
Security (Article 32) | Shared | Visier is committed to protecting personal data and has implemented appropriate technical and organizational measures to safeguard personal data. This includes internal policies and processes, contractual commitments, third party audits, encryption, and certifications. Visier undergoes an annual SOC2 Type II audit using an internationally recognized accounting firm. For more information about our security practices and vulnerability management program, read our Security Overview. Visier adopts access controls based on the principle of ‘least privilege’ and ‘need to know’ to ensure that only authorized individuals utilized in the operation and provision of the contracted services are permitted to process customers’ data. Visier strictly adheres to its obligations of confidentiality and does not distribute or disclose customer data to any other party. The Visier security model empowers customers to manage their user’s access and provides controls for defining roles and permissions. Customers should periodically review their security configuration settings and permissions to ensure only authorized users have access to relevant features, functions, and content. |
Personal data breach (Article 33) | Shared | Visier maintains an internal security incident and data breach response plan to ensure that customers’ designated Security Contact(s) are notified of a security incident in accordance with the Visier Customer Data Safeguards Policy. As the data controller, customers are responsible for determining and meeting personal data breach notification obligations for their impacted employees and candidates. |
Pseudonymisation (Article 4(5)) | Customer | Customers are responsible for any pseudonymisation, anonymization, or de-identification of personal data transmitted to and processed in the Visier solution. |
Location and cross border data flows (Article 44, 46) | Visier | For personal data from the European Economic Area (EEA), Switzerland, and the United Kingdom (UK), Visier ensures that transfers of personal data to a third country or international organization are subject to appropriate safeguards. When Visier transfers personal information from the EEA, the UK, or Switzerland to another country such as the United States (US), appropriate data transfer solutions such as Standard Contractual Clauses (SCCs) are used. Visier also relies on the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as a legal basis for transfers of personal information from the EU to the US. Visier will rely on the UK extension to the EU-U.S. DPF and the Swiss-U.S. DPF when applicable local authorities approve the adequacy decisions. In the meantime, Visier continues, and will continue to offer a DPA which includes the SCCs as a transfer mechanism with every customer who needs one, in addition to reliance on the EU-U.S. DPF. Visier offers its customers a choice for storing their data at rest within a specific geographic area. See data center locations on the Visier Trust site. |