Revolo HR GDPR Policy
1. Introduction
Revolo HR ("we," "us," or "our") is committed to safeguarding the personal data entrusted to us by our clients, employees, contractors, and any other individuals whose personal data we handle. This GDPR Policy outlines how we collect, process, store, and protect personal data, ensuring compliance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- Other applicable data protection laws and regulations
This policy is based on best practices and aligns with industry standards. It is intended to provide clear guidelines to all stakeholders regarding their rights and obligations under the GDPR.
2. Scope and Purpose
2.1 Scope
This policy applies to all processing activities involving personal data carried out by Revolo HR, including those performed by employees, contractors, and third-party service providers acting on our behalf.
2.2 Purpose
- To comply with obligations under the UK GDPR and other applicable data protection laws.
- To implement appropriate technical and organisational measures to protect personal data.
- To provide guidance on how we collect, use, store, share, and delete personal data.
- To inform data subjects (employees, clients, users) of their rights and how to exercise them.
3. Roles and Responsibilities
3.1 Data Controller vs. Data Processor
Data Controller: Revolo HR acts as a Data Controller when determining the purposes and means of processing personal data for our own business operations (e.g., user account data for customer support or billing).
Data Processor: Revolo HR acts as a Data Processor when our clients (employers using the Revolo HR platform) determine the purposes and means of processing personal data (e.g., employee data in the platform).
3.2 Data Protection Officer (DPO) or Responsible Person
We oversee our data protection strategy and compliance efforts regularly. For any questions or concerns about this Policy or our data handling practices, please contact: info@revolohr.com
3.3 All Employees and Contractors
All individuals working for or on behalf of Revolo HR are responsible for following this Policy and related procedures. They must complete data protection training and understand their obligations under the GDPR.
4. Lawful Basis for Processing
Revolo HR processes personal data lawfully, fairly, and in a transparent manner. We rely on one or more of the following lawful bases under the UK GDPR:
- Consent: Where data subjects have explicitly provided consent for specific purposes (e.g., marketing communications).
- Contractual Necessity: Where processing is necessary for the performance of a contract (e.g., providing HR management services to our clients).
- Legal Obligation: Where processing is necessary to comply with a legal requirement (e.g., responding to lawful requests from public authorities).
- Legitimate Interests: Where processing is necessary for legitimate interests pursued by Revolo HR or a third party, provided these interests are not overridden by the rights and freedoms of the data subject (e.g., fraud prevention, improving software functionality).
5. Personal Data We Collect
5.1 Client and User Data
- Account Registration: Names, email addresses, phone numbers, login credentials, and identifiers.
- Business Contact Details: Job title, company name, and professional contact information.
5.2 Employee Data (When Acting as a Data Processor)
- Employment details: job title, salary, performance data, and related HR information.
- Personal identifiers: name, contact information, national insurance number (or equivalent).
- Other data required for HR management (e.g., right-to-work documentation).
5.3 Technical Data
- IP addresses, device identifiers, browser type, usage logs (collected automatically when users interact with our software).
5.4 Other Data
- Additional personal data provided through communications, support requests, or integrations (e.g., background checks, payroll systems).
6. Data Collection and Processing Principles
- Purpose Limitation: We collect and process personal data only for specified, explicit, and legitimate purposes and do not use it in ways incompatible with those purposes.
- Data Minimisation: We ensure data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure personal data is accurate, kept up to date, and rectified when inaccuracies are identified.
- Transparency: We provide clear and concise information about our processing activities via this policy and any supplemental notices.
7. Data Retention
7.1 Retention Period
- Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal and contractual obligations.
- Where Revolo HR acts as a Data Processor, retention periods may be determined by the client (Data Controller).
7.2 Deletion or Anonymisation
- Once personal data is no longer needed, we securely delete or anonymise it unless a longer retention period is required or permitted by law (e.g., tax regulations, legal claims).
8. Data Sharing and Disclosure
- Service Providers: We engage trusted third parties (e.g., cloud hosting, analytics, email delivery) that process personal data on our behalf under written Data Processing Agreements. These providers must follow strict data protection requirements.
- Business Transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity. We will provide notice of any significant change in data handling or ownership.
- Legal Compliance: We may disclose personal data when required by law or to protect our rights, property, or safety, or to comply with lawful requests by public authorities.
9. International Data Transfers
Where personal data is transferred outside the UK, we implement appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA)
- Adequacy decisions where the destination country is deemed to provide an adequate level of protection
- Binding Corporate Rules (BCRs) for certain internal group data transfers
These measures ensure personal data receives a level of protection consistent with UK GDPR requirements.
10. Security Measures
Revolo HR employs technical and organisational measures to protect personal data against unauthorised access, accidental loss, or destruction, including:
- Encryption of data in transit (SSL/TLS) and, where feasible, at rest
- Access controls and role-based permissions, ensuring only authorised personnel can access sensitive data
- Regular security assessments such as penetration testing and system monitoring
- Up-to-date firewalls, antivirus, and intrusion detection systems
- Staff training and clear internal policies on data handling
11. Data Subject Rights
Under the GDPR, data subjects have the following rights:
- Right of Access: Obtain confirmation of whether and how we process their personal data, and request a copy of it.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): Request deletion of personal data in certain circumstances (e.g., no longer necessary for the collected purpose).
- Right to Restrict Processing: Request limited use of personal data under specific conditions (e.g., contesting accuracy).
- Right to Data Portability: Receive personal data in a structured, commonly used, and machine-readable format, and request its transfer to another controller.
- Right to Object: Object to the processing of personal data, including for direct marketing or when based on legitimate interests.
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint: Lodge a complaint with the UK Information Commissioner’s Office (ICO) or another competent data protection authority.
Exercising Your Rights
- Where Revolo HR acts as Data Controller, please contact us at info@revolohr.com.
- Where Revolo HR acts as a Data Processor, data subjects should direct their requests to the Data Controller (the employer/client).
12. Training and Awareness
All Revolo HR employees and contractors handling personal data receive regular training on:
- GDPR principles and obligations
- Internal policies and procedures
- Best practices for safeguarding personal data
This training ensures everyone understands their responsibilities and follows appropriate data handling procedures.
13. Breach Notification
13.1 Reporting Data Breaches
- In the event of a personal data breach (accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data), Revolo HR will promptly assess the risk to individuals’ rights and freedoms.
- If a breach is notifiable, we will inform the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
13.2 Notifying Data Subjects
- Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also communicate the breach to the affected data subjects without undue delay.
14. Third-Party Relationships
14.1 Due Diligence
- Before engaging a third party to process personal data on our behalf, we conduct appropriate due diligence to ensure they maintain suitable data protection and security standards.
14.2 Data Processing Agreements (DPAs)
- We enter into written agreements with third-party processors that include GDPR-compliant clauses, ensuring personal data is processed solely per our instructions and protected by sufficient security measures.
15. Review and Updates
We periodically review this GDPR Policy to reflect changes in:
- Technology and security practices
- Legal requirements and regulations
- Operational processes or data handling activities
Any significant updates will be communicated via email or a prominent notice on our website or platform, and the "Effective Date" will be revised accordingly.
16. Contact Us
If you have any questions, concerns, or requests about this GDPR Policy or our data protection practices, please contact:
Revolo HR
Email: info@revolohr.com
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data protection rights have been infringed. For more information, visit ico.org.uk.