GDPR Compliance Policy

HR-Tek System

Last Updated: November 2025

This GDPR Compliance Policy describes how HR-Tek System, operated as a standalone platform (“Company”, “we”, “us”), complies with the EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 when processing personal data of individuals located in the European Economic Area (EEA).

This Policy supplements our Privacy Policy, Terms & Conditions, and Internal Data Security Protocols.

1. Purpose & Scope

The purpose of this Policy is to:

  • Define our approach to lawful, fair, and transparent data processing
  • Explain how personal data is collected, used, protected, and retained
  • Outline the rights of data subjects under GDPR
  • Demonstrate compliance with GDPR Articles 5, 6, 24, 25, 30, and 32

This Policy applies to:

  • All personal data processed through HR-Tek System
  • All employees, contractors, interns, and third parties
  • All EU/EEA data subjects whose data is processed through our platform

2. Definitions (GDPR-Aligned)

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Subject: An individual whose personal data is processed
  • Controller: Entity that determines the purpose and means of processing
  • Processor: Entity that processes data on behalf of the Controller
  • Processing: Any operation performed on personal data
  • PII: Personally Identifiable Information

3. Role Under GDPR

Depending on the service context:

  • Clients are typically the Data Controllers
  • HR-Tek System acts as a Data Processor
  • In limited operational cases (e.g., website inquiries), HR-Tek System may act as a Data Controller

All processing is governed by contractual agreements and documented instructions.

4. Lawful Basis for Processing (Article 6)

We process personal data only when a lawful basis exists:

  • Consent – freely given, informed, and revocable
  • Contractual Necessity – to deliver subscribed services
  • Legal Obligation – regulatory or statutory compliance
  • Legitimate Interest – platform security, analytics, improvement (without overriding rights)

Sensitive data is processed only where explicitly permitted by law.

5. GDPR Principles We Follow (Article 5)

We adhere to the following principles:

  • Lawfulness, Fairness & Transparency
  • Purpose Limitation – data used only for defined purposes
  • Data Minimization – only necessary data collected
  • Accuracy – reasonable steps to keep data updated
  • Storage Limitation – retained only as long as required
  • Integrity & Confidentiality – secured against unauthorized access

6. Categories of Personal Data Processed

Depending on usage, we may process:

  • Identification data (name, email, phone number)
  • Professional data (designation, company details)
  • Login and authentication data
  • HR assessment inputs linked to users
  • Communication records (support tickets, emails)
  • Technical data (IP address, logs, device info)

We do not intentionally process special category data unless contractually required and legally permitted.

7. Data Protection by Design & by Default (Article 25)

We implement privacy controls at every stage:

  • Secure default settings
  • Role-based access controls (RBAC)
  • Encrypted storage and transmission
  • Minimal data exposure
  • Controlled AI model usage with anonymization

Privacy considerations are embedded into system architecture.

8. Data Security Measures (Article 32)

We apply appropriate technical and organizational measures, including:

  • AES-256 encryption (data at rest)
  • TLS/HTTPS encryption (data in transit)
  • MFA and strong authentication
  • Continuous monitoring and audit logs
  • Secure cloud infrastructure
  • Incident response and breach management procedures

9. Data Subject Rights (Articles 12–23)

EEA data subjects have the right to:

  • Access to their personal data
  • Rectification of inaccurate data
  • Erasure (“Right to be Forgotten”)
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Withdrawal of consent at any time

Requests are handled within 30 days, unless extended lawfully.

10. Data Subject Request (DSR) Process

To submit a GDPR request, data subjects may contact us with:

  • Proof of identity
  • Description of the request

Requests can be sent to:

support@hrteksystem.com (recommended GDPR mailbox)

11. Data Retention & Deletion

  • Data is retained only for contractual, legal, or operational necessity
  • Upon contract termination, data is deleted or anonymized
  • Secure deletion and archival procedures are followed
  • Retention schedules are documented internally

12. Sub-Processors & Third Parties

We may engage vetted sub-processors such as:

  • Cloud infrastructure providers
  • Analytics tools
  • Communication services

All sub-processors:

  • Are GDPR-compliant
  • Are bound by Data Processing Agreements
  • Follow equivalent security standards

A list of sub-processors is available upon request.

13. International Data Transfers (Chapter V)

If personal data is transferred outside the EEA:

  • Standard Contractual Clauses (SCCs) are applied
  • Transfers are encrypted and access-controlled
  • Equivalent data protection safeguards are ensured

14. Personal Data Breach Management (Articles 33 & 34)

In case of a personal data breach, we:

  • Assess the impact immediately
  • Notify the Data Controller without undue delay
  • Support regulatory notification within 72 hours (if required)
  • Maintain breach registers and corrective actions

15. AI, Analytics & Automated Processing

  • No automated decisions with legal or significant effect are made without human oversight
  • AI models use anonymized and aggregated datasets
  • No client data is reused across organizations
  • AI outputs are advisory, not deterministic

16. Training & Awareness

All employees and contractors receive:

  • GDPR awareness training
  • Data protection and confidentiality training
  • Secure handling guidelines

Compliance is mandatory and monitored.

17. Policy Review & Accountability

  • GDPR compliance is reviewed annually
  • Internal audits are conducted periodically
  • Documentation is maintained as per Article 30 (Records of Processing Activities, RoPA)

18. Supervisory Authority & Complaints

Data subjects have the right to lodge a complaint with their local Data Protection Authority (DPA) if they believe their rights have been violated.

19. Contact Details (GDPR & Privacy)

HR-Tek System

Email: support@hrteksystem.com

Phone: +91-9335870619 / 0522-3195392