GDPR - CollSoft Secure Support

At CollSoft we have always viewed Data Protection as vitally important to both ourselves and our customers.

With the introduction of the General Data Protection Regulation (known as GDPR) on 25th May 2018, we at CollSoft have been reviewing how we can provide technical support to our customers and meet the various requirements of the GDPR and so we are introducing "CollSoft Secure Support".

Generally speaking, CollSoft is simply a supplier of Payroll Software. We do not have access to your Payroll data, and as such we are not generally considered to be a data processor.

However, in order to provide technical support to our customers, it is sometimes necessary for us to view a copy of your Payroll data to help diagnose a particular issue. At this point, we may be considered as a data processor, or as a sub processor if you yourself are acting as a processor for somebody else (e.g. providing a Payroll Bureau service).

With GDPR this would require that we enter into a Data Processing Agreement with you. GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data and any particular special categories of data and the obligations and rights of both parties.

Failure to have in place a suitable Data Processing Agreement is a breach of the law under GDPR and therefore Controllers should be carrying out an audit of their existing contracts with Processors to establish if those contracts already comply with GDPR and in addition putting in place due diligence and procurement requirements in respects of contracts that are going to be entered into to which GDPR will apply.

With this in mind, we will be launching our "CollSoft Secure Support" platform after 25th May 2018.

So What does this mean for you?

1) From 25th of May 2018 CollSoft will no longer accept any Payroll backups by email. Any backups sent to us by email will be deleted straight away from our servers and the customer will be notified by email that the file has been deleted.

2) Secure Support Backups will be sent directly from your copy of Payroll to our support servers using SSL.

3) Secure Support Backups will be encrypted using a private key that is only available to CollSoft. This will mean that the backup can only be decrypted by CollSoft and not by any other third parties. Indeed you will not be able to decrypt/restore the backup on your own PC.

4) Secure Support backups will only contain the minimum amount of data necessary in order to investigate the query. The user will be able to select the exact employees who are included in the Secure Support Backup. For example, imagine that you have 20 employees but you want us to check the calculations for one specific employee. Using this method you will be able to send us a Secure Support Backup that only contains the data relating to that one employee.

5) By default Secure Support Backups will have all employee identifiable data irreversibly anonymised before it is transmitted to CollSoft. This will essentially make the data "non personal" and as such completely outside the scope of GDPR.

6) For cases where it is not feasible to have the data irreversibly anonymised Payroll will create a unique Data Processing Agreement covering the transfer and processing of the data. You will be able to specify exactly what processing we are to perform on your behalf, it will have a specified termination date and data retention period along with all other GDPR requirments.

7) All such support queries will be tracked using our Helpdesk ticketing system. Any Data Processing Agreements will be tagged to the relevant support ticket and a full log will be kept of all interactions by CollSoft employees with that ticket and or any associated data.

8) CollSoft undertakes to delete all Secure Support Backups from our live systems within 72 Hours of the support ticket being closed. In cases where there is a data processing agreement covering the support ticket, data will be deleted according to the retention period specified in the agreement. It should be noted that it will take a further 14 days before all traces of that data is removed from our backup systems. This is because we retain backups of our live systems for a period of 14 days to allow for disaster recovery.

9) Upon deletion of data the user will receive an email confirming the fact that the data has been deleted. Our ticketing system will keep a log of when such deletions have occurred.

10) All Secure Support Backup data will be stored on servers wholly owned by CollSoft - we will not use any third parties to host, store or process your Secure Support Data. CollSoft has full control over who has physical or system access to your Secure Support Data.

11) All of our serves hosting Secure Support Data are located in Ireland. Secure Support Data will not be moved or processed outside this jurisdiction.

12) All of our own system backups are retained on systems wholly owned by CollSoft. We do not use any third party services for backup purposes, and all "off-site" backups are retained at other CollSoft installations.

Creation date: 16/04/2018 16:40     Updated: 01/11/2019 14:28