1. GDPR Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into force on 25 May 2018 across the European Union and the European Economic Area. It sets strict requirements on how organizations collect, process, store, and protect the personal data of EU residents.
What is personal data?
Under the GDPR, personal data is any information relating to an identified or identifiable natural person. This includes:
- Basic identity: Name, address, email address, phone number
- Employment information: Employee ID, job title, department, salary
- Technical data: IP addresses, device IDs, browser fingerprints
- Location data: Geographic location of smart locks
- Biometric data: Fingerprints used for smart-lock authentication
- Behavioral data: Working hours, attendance patterns, time records
Key GDPR Principles
WorkTime One adheres to all seven GDPR principles:
1. Lawfulness, fairness and transparency
Data is processed lawfully, fairly and transparently, with clear privacy notices
2. Purpose limitation
Data is collected only for specified, legitimate purposes
3. Data minimisation
Only the data necessary for the stated purpose is collected
4. Accuracy
Personal data is kept accurate and up to date
5. Storage limitation
Data is retained only for as long as necessary
6. Integrity and confidentiality
Data is protected with appropriate security measures
7. Accountability
Compliance is demonstrated through documentation and policies
2. Our Role Under GDPR
Data Controller vs. Data Processor
WorkTime One acts in different capacities depending on the context:
WorkTime One as Data Controller
For your organization's account data (company name, billing information, admin users), we are the data controller. We determine how and why this data is processed.
Examples: Account registration, billing, customer support, service communications
WorkTime One as Data Processor
For employee time tracking data that you upload and manage, we are the data processor. You (the customer) are the data controller and determine the purposes and means of processing.
Examples: Employee names, work hours, attendance records, biometric data, location data
Your Responsibilities as Data Controller
When using WorkTime One to track employee time, you are the data controller and are responsible for:
- Obtaining lawful basis for processing employee data (e.g., consent, contract, legitimate interest)
- Providing employees with privacy notices explaining data collection and use
- Obtaining explicit consent for biometric data collection (fingerprints)
- Responding to employee data subject rights requests
- Implementing appropriate technical and organizational measures
- Complying with local labor laws and employee monitoring regulations
- Conducting Data Protection Impact Assessments (DPIAs) where required
3. Lawful Basis for Processing
GDPR requires a lawful basis for processing personal data. WorkTime One relies on the following legal bases:
Contract (Article 6(1)(b))
Processing necessary to provide our services under our Terms of Service. This applies to account management, billing, and core service functionality.
Legitimate Interest (Article 6(1)(f))
Processing for security, fraud prevention, and service improvement. We balance our interests against your rights and freedoms.
Consent (Article 6(1)(a))
Marketing communications and optional features require your explicit consent. You can withdraw consent at any time.
Legal Obligation (Article 6(1)(c))
Processing required by law, such as tax records, financial compliance, and responding to legal requests.
Special Category Data (Biometrics)
Biometric data (fingerprints) is considered "special category" data under GDPR Article 9 and requires additional protection. Processing relies on the following legal bases and safeguards:
- Explicit Consent (Article 9(2)(a)): You must obtain explicit, informed consent from employees for fingerprint collection
- Employment Context (Article 9(2)(b)): Processing may be necessary for employment obligations under national law
- Security Measures: Biometric data is hashed, encrypted, and stored separately from other personal data
- Right to Withdraw: Employees can withdraw consent and request deletion of biometric data at any time
4. Your Data Subject Rights
Under GDPR, you have comprehensive rights regarding your personal data:
Right to Access (Article 15)
You have the right to obtain confirmation whether we process your personal data and to access that data.
How to Exercise:
- Log into your account and navigate to Settings → Data Export
- Export your data in CSV, JSON, or Excel format
- Email [email protected] for comprehensive data access requests
- We will respond within 30 days (free of charge)
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected or completed.
How to Exercise:
- Update your account information directly in Settings
- Admins can update employee information in the Employee Management section
- For corrections requiring our assistance, contact [email protected]
- We will correct inaccuracies within 30 days
Right to Erasure / Right to be Forgotten (Article 17)
You have the right to request deletion of your personal data in certain circumstances.
How to Exercise:
- Close your account via Settings → Account → Delete Account
- Employees can request deletion by contacting their employer (data controller)
- Email [email protected] for deletion requests
- Data deleted within 30 days (excluding legal retention requirements)
- Backups purged within 90 days
Note: We may retain certain data where required by law (e.g., tax records for 7 years)
Right to Restriction of Processing (Article 18)
You can request that we limit how we process your data in certain situations.
When Available:
- You contest the accuracy of the data (during verification)
- Processing is unlawful but you don't want deletion
- We no longer need the data but you need it for legal claims
- You've objected to processing (pending verification of legitimate grounds)
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, machine-readable format and transmit it to another controller.
Supported Formats:
- CSV (Comma-Separated Values)
- JSON (JavaScript Object Notation)
- Excel (.xlsx)
- Direct API transfer to another service (contact us for assistance)
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing.
How to Exercise:
- Object to marketing: Unsubscribe link in emails or Settings → Notifications
- Object to profiling: Contact [email protected]
- Object to legitimate interest processing: We will cease unless we demonstrate compelling legitimate grounds
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affects you.
WorkTime One Position: We do not make automated decisions that produce legal effects or similarly significantly affect you. Payroll calculations and penalty assessments are based on transparent rules defined by you (the employer) and can be manually reviewed and adjusted.
5. Data Protection Measures
We implement comprehensive technical and organizational measures to ensure appropriate security:
Technical Measures
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Pseudonymization: Where possible, we pseudonymize data to reduce privacy risks
- Access Controls: Role-based access control (RBAC) with principle of least privilege
- Two-Factor Authentication: Mandatory 2FA available for all users
- Automated Backups: Regular encrypted backups with geographic redundancy
- Intrusion Detection: 24/7 monitoring for security threats
- Vulnerability Management: Regular security testing and patch management
Organizational Measures
- Data Protection Policies: Comprehensive internal policies and procedures
- Employee Training: Regular privacy and security training for all staff
- Confidentiality Agreements: All employees sign NDAs and confidentiality agreements
- Access Reviews: Quarterly reviews of employee access permissions
- Incident Response Plan: Documented procedures for data breach response
- Data Protection Impact Assessments: DPIAs conducted for high-risk processing
- Vendor Management: Due diligence on all sub-processors
Privacy by Design and Default
- Privacy considerations integrated into product development from the start
- Default settings prioritize privacy protection
- Data minimization built into system design
- Regular privacy reviews throughout product lifecycle
6. International Data Transfers
WorkTime One may transfer your personal data outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
Data Storage Locations
- Primary Storage: EU-based data centers (Germany, Belgium, Netherlands) via Google Cloud Platform
- Backups: Replicated across multiple EU regions
- Option for EU-only Storage: Enterprise customers can request EU-only data residency
Transfer Mechanisms
Standard Contractual Clauses (SCCs)
We use EU-approved Standard Contractual Clauses (SCCs) for data transfers to countries without adequacy decisions. Our SCCs incorporate the requirements from the Schrems II judgment.
Adequacy Decisions
Where possible, we transfer data to countries with EU adequacy decisions (e.g., UK, Switzerland, Canada under certain conditions).
Supplementary Measures
We implement supplementary technical measures (encryption, pseudonymization) to protect data transferred outside the EU.
Sub-Processors
We use the following sub-processors who may process EU personal data:
| Sub-Processor | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| Google Cloud Platform | Hosting, Database | EU (primary) | SCCs, ISO 27001 |
| Firebase (Google) | Authentication, Database | EU (primary) | SCCs, ISO 27001 |
| SendGrid | Email Delivery | USA | SCCs, PCI DSS |
| TTLock API | Smart Lock Integration | China | SCCs, Encryption |
7. Data Processing Agreement (DPA)
As required by GDPR Article 28, we provide a Data Processing Agreement to all customers who use WorkTime One to process employee data.
What is a DPA?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller (you) and a data processor (us) that governs how personal data is processed. It ensures we comply with GDPR when processing your data.
Our DPA Includes
- Subject Matter and Duration: Time tracking and attendance management for the duration of your subscription
- Nature and Purpose: Processing employee time tracking data to provide our services
- Types of Personal Data: Names, employee IDs, work hours, biometric data, location data
- Categories of Data Subjects: Your employees and contractors
- Your Obligations: Your responsibilities as data controller
- Our Obligations: Our responsibilities as data processor
- Security Measures: Technical and organizational measures we implement
- Sub-Processing: List of authorized sub-processors
- Data Subject Rights: Our assistance with data subject requests
- Audits and Inspections: Your right to audit our compliance
- Data Breach Notification: Our obligation to notify you of breaches
- International Transfers: SCCs and transfer mechanisms
- Deletion and Return: Data handling upon contract termination
How to Access: Our standard DPA is incorporated into our Terms of Service. Enterprise customers can request a customized DPA by contacting [email protected]
8. Data Breach Notification
Under GDPR Articles 33 and 34, we have strict obligations regarding data breach notification:
Our Obligations
- Supervisory Authority Notification: We notify the relevant supervisory authority within 72 hours of becoming aware of a breach affecting EU residents
- Customer Notification: We notify affected customers (data controllers) without undue delay, typically within 24-48 hours
- Data Subject Notification: If the breach poses high risk to individuals, we assist you in notifying affected individuals
- Breach Documentation: We maintain records of all breaches, including facts, effects, and remedial actions
What We Will Tell You
- Nature of the breach (what happened)
- Categories and approximate number of affected individuals and records
- Potential consequences of the breach
- Measures we have taken or propose to take to address the breach
- Measures to mitigate potential adverse effects
- Contact information for further inquiries
Your Obligations as Data Controller
If we notify you of a breach affecting your employees' data, you may need to:
- Assess whether the breach poses high risk to your employees
- Notify your national supervisory authority (if required)
- Notify affected employees (if the breach poses high risk to their rights and freedoms)
- Document your breach response and decisions
9. Data Protection Officer (DPO)
Under GDPR Article 37, we have appointed a Data Protection Officer to oversee our data protection strategy and ensure compliance.
DPO Responsibilities
- Monitoring compliance with GDPR and other data protection laws
- Advising on Data Protection Impact Assessments (DPIAs)
- Cooperating with supervisory authorities
- Acting as contact point for data subjects and supervisory authorities
- Training staff on data protection obligations
- Conducting internal audits and assessments
Contact Our DPO
You can contact our Data Protection Officer directly for any GDPR-related questions or concerns:
Email: [email protected]
Mail: Data Protection Officer, WorkTime One, Inc.
Response Time: We will respond to DPO inquiries within 5 business days
10. Employee Privacy Rights
Special considerations apply when processing employee data through WorkTime One:
Employer Obligations
Important: As the employer (data controller), you have legal obligations to your employees regarding their privacy.
- Transparency: Inform employees about time tracking, data collected, and how it will be used
- Lawful Basis: Ensure you have a lawful basis (usually contract or legitimate interest) for time tracking
- Biometric Consent: Obtain explicit consent before collecting fingerprints or other biometric data
- Data Minimization: Only track data necessary for legitimate business purposes
- Employee Rights: Facilitate employee data subject rights requests (access, deletion, etc.)
- Works Council Consultation: In some EU countries, consult with works councils before implementing employee monitoring
- National Laws: Comply with national labor laws and employee monitoring regulations
Employee Privacy Notice Template
We provide a template employee privacy notice that you can customize for your organization. This helps you comply with GDPR transparency requirements.
11. Supervisory Authority Complaints
Under GDPR Article 77, you have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
How to File a Complaint
You can file a complaint with the supervisory authority in:
- The EU member state of your habitual residence
- The EU member state of your place of work
- The EU member state where the alleged infringement occurred
EU Supervisory Authorities
Find your local data protection authority:
Contact Us First
We encourage you to contact us first if you have concerns about our data processing. We are committed to resolving issues directly and will work with you to address your concerns.
GDPR Resources
Learn more about your data protection rights and our compliance