Introduction to Sympa data protection
Sympa’s HR Service offers a solution for organisations to manage their human resource management (HRM), human resource development (HRD) and recruitment processes in a secure and efficient way. We pursue the highest standards and best practices for the protection of personal data and offer our customers a fully GDPR compliant service to which their data can be entrusted.
As a service provider, Sympa acts in the role of data processor and processes personal data only on behalf of and based on instructions provided by the customer. This means that Sympa’s customer acts as the data controller when processing personal data in Sympa's HR Service. In certain cases, Sympa may process personal data received from the customer as a controller, for example concerning the Customer’s contact persons (support services, invoicing matters, etc.).
Categories of processing activities are dependent on the Customer’s configuration. Categories include gathering data from end-users and via APIs, storing data in the service and backup systems, distributing data to end-users (reporting) and via APIs, organising and changing data according to the Customer’s instructions.
Data protection and privacy principles are built into Sympa's HR Service by default, and the technical and organisational measures to secure personal data follow the best practices recognised by data protection professionals.
Sympa has yearly data security audits performed by third-party security professionals to ensure that the level and depth of its data security measures meet industry standards.
Sympa's HR Service is built, amongst other features, to support customers in complying with the following GDPR principles:
- Lawfulness, fairness and transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and confidentiality
- Accountability
It is important to acknowledge that the customer as a data controller is responsible for the lawfulness and accuracy of the data it processes in Sympa's HR Service.
Privacy by Design
Data Protection principles, requirements, and best practices are built into Sympa’s processes and day-to-day operations by default and are applied throughout the whole lifecycle of personal data processing. This approach adheres to the concept of Privacy by Design and by Default, as defined by GDPR. It is based on the concept that data protection cannot be “sprinkled on top later,” and should already be taken into account during the planning and development phase of information services.
Sympa's HR Service is built in a way that provides all necessary functionality needed to meet the requirements of GDPR, including:
- Sympa has implemented a strong encryption policy. All personal data in transit and at rest are encrypted, and all encryption keys to customers' personal data are created, held, and controlled by Sympa under the BYOK (Bring Your Own Key) model.
- In Sympa’s development work, all new features that involve the processing of personal data are reviewed by Legal and DPO before they are implemented in Sympa.
- Sympa has tools and processes, both to prevent data protection related risks from occurring and to mitigate any identified issues. Sympa’s security and customer data is monitored and protected 24/7. Sympa has an incident response policy document which describes the data breach handling process.
- Sympa’s ISO27001 and ISO9001 certified ISMS is built to protect customers’ personal data. Advanced ISMS and third-party information security controls, audits and certifications are the key methods of protection and GDPR compliance. Sympa has also carried out a Data Protection Impact Assessment (DPIA) of Sympa's HR Service from the perspective of Sympa’s role as a data processor.
- Sympa's HR Service includes options and controls with which the customer, as a controller, can meet its obligations and responsibilities. In Sympa's HR Service, the customer can define data removal processes to meet legal requirements or the data retention practices of its own organisation. The Service supports customers in applying best practices to their user rights and access management.
Sympa’s customers can rest assured that we are committed to following the applicable legislation and will apply Privacy by Design and by Default to all our operations and practices. Sympa's HR Service is designed to ensure secure processing of personal data and to offer optimal support to our customers, as data controllers, in their personal data processing activities.
Cross-border data transfers
Sympa has taken the necessary steps to ensure secure personal data processing and cross-border data transfers following the CJEU’s Schrems II decision. The Schrems II decision does not definitively prohibit personal data transfers between the European Union (EU) and third countries, such as the United States, but it requires Sympa to take extra measures to secure any such transfers. For example, companies can still use the EU’s standard contractual clauses for transferring personal data outside of the EU or the European Economic Area (EEA), provided that additional safeguards are implemented as required by the Schrems II decision and the European Data Protection Board’s (EDPB) guidance.
Sympa primarily processes the personal data of Sympa’s customers solely within the European Union and European Economic Area. All of our sub-processors and business partners are contractually obliged to only process personal data in accordance with Sympa’s instructions.
How about cloud services?
Sympa has a service agreement with Microsoft concerning Azure cloud services. Based on the agreement, all personal data of Sympa’s customers is stored within EEA-based geo locations (Netherlands and Ireland), and the contractual party is Microsoft Ireland. Microsoft has implemented a series of contractual and technical measures to ensure that Sympa’s customers' personal data is located and processed within the EEA. Microsoft has updated its Data Processing Agreements with addendums in order to comply with the Schrems II decision. All personal data in transit and at rest are encrypted. All encryption keys to customers' personal data are created, held, and controlled by Sympa under the BYOK (Bring Your Own Key) model. Neither the hosting provider (Microsoft) nor governmental authorities can access the personal data or the encryption keys. Furthermore, personal data stored in Microsoft Azure is configured to remain within Microsoft’s Data Boundary, meaning all processing is conducted within the EU/EEA.
Sympa has contractual clauses with its other sub-processors restricting the processing of personal data to the EEA only.
Sympa’s sub-processors
We use trusted service providers and subcontractors to operate our business efficiently and to provide you with a high-quality and secure service. These service providers are, for example, data security services and cloud services that host and maintain personal data on our behalf; they act as Sympa’s sub-processors when we provide our service to our customers. All of Sympa’s sub-processors are contractually obliged to process personal data only as instructed by Sympa.
Who can access personal data at Sympa?
Sympa does not view personal data stored in the Service more than necessary to provide and maintain Sympa's HR Service and related services. Only authorised team members in Sympa’s service delivery, maintenance, security, and service teams have access to data stored in Sympa's HR Service. Access is based on personal credentials provided by Sympa and the access rights are reviewed regularly. All Sympa employees with access to customer data have signed a Non-Disclosure Agreement or equivalent commitment to confidentiality (e.g. confidentiality clauses in employment contracts) before joining Sympa.
Sympa has elevated its cybersecurity by partnering with Elisa Cyber Security Center, as of July 1st, 2024. Elisa Oyj (PLC), the leading telecommunications and digital services provider in Finland, is known for its cutting-edge rapid detection and response technology and comprehensive cybersecurity approach. Through this partnership, we have significantly enhanced the protection we offer our clients. This upgrade reflects our dedication to superior cybersecurity standards and resilience.
Elisa provides 24/7 cyber security governance, including advanced SOC and SIEM services tailored for Sympa SaaS and other operations. The end result is continuous, comprehensive security monitoring and management.
For additional information, please reach out to our Chief Information Security Officer (CISO).
Sympa is considered the data controller, within the meaning of the General Data Protection Regulation (679/2016), for certain specific processing purposes when processing personal data of its customers’ employees. This processing is subject to the Sympa Privacy Policy and concerns mainly project management and support services.
Please note that this processing does not concern personal data included in the content of the Sympa HR SaaS Service. Sympa processes such personal data in the Sympa HR SaaS Service only on behalf of its customers and is thus in the role of data processor. This processing, carried out by Sympa in the role of data processor, is governed by the Sympa data processing agreement that Sympa and its customer have in place.
Sympa’s processors when Sympa acts as the data controller
Sympa employs only trusted service providers that are contractually obliged to process personal data as instructed by Sympa. Personal data is hosted in the EU/EEA.
For more information about these processors’ data processing, see the following websites:
Project management
- Asana: Privacy statement; Data processing terms; Sub processors
- Surveypal: Data processing agreement; Sub processors / GDPR
Support services
- Hubspot: Data protection agreement; Sub processors
Video training sessions
- Livestorm:
Can’t find the information you were looking for?
Find out more detailed information about Sympa’s data protection and information security practices by taking a look at our list of Frequently asked questions. You can also contact Sympa’s CISO or Data Protection Officer by email.