General Data Protection Regulation
At Lucca, we did not wait for the GDPR to ensure the privacy and security of your data. However, this regulation does reinforce some of our obligations. We have therefore taken the necessary steps to comply. You will find the details below.
Lucca's solutions manage information (vacations, expense reports, payslips, personnel files, etc.) which is "personal data" as defined by the General Data Protection Regulation (GDPR) in force since May 25, 2018.
Consequently, if you are one of our clients, you are subject to the provisions of the GDPR, on two levels:
- your relationship with us, as we act as your data processor (Article 28 of the GDPR),
- your relationship with your employees, as you act as the data controller of their personal data processed through our solutions (Article 24 of the GDPR).
In addition, we manage personal information to communicate, in particular by email, with the administrators of our solutions as well as with our leads. As such, we act as a data controller.
Definitions of the major concepts
The GDPR is a dense and complex document whose provisions sometimes leave room for interpretation or may seem abstract. It is nevertheless important to know these four definitions to understand it better.
Personal data
Any information relating to an identified or identifiable natural person. The term “personal data” is frequently encountered.
In Lucca, an employee record, an absence request or an evaluation is therefore personal data, like almost all of the information you manage in our solutions.
Processing of personal data
This is any operation or set of operations carried out on personal data, such as collection, recording, retention, modification, access, deletion, etc.
Lucca carries out several processing operations on personal data on behalf of its clients. For example, Lucca retains the personal data of employees throughout the duration of the contract with its client and deletes it within 30 days of the end of the contract.
Data controller
Any legal or natural person who determines the purposes and means of processing personal data. The data controller is responsible for compliance with the GDPR within their organization, and in particular for respecting the rights of employees (right of access, right to erasure, etc.).
All our clients are therefore data controllers.
Data processor
Any legal or natural person who processes personal data on behalf of the data controller.
Lucca has the status of data processor with respect to all its clients.
Lucca's commitments as a data processor
If you are a Lucca client, then we are your data processor. As such, we undertake to comply with our obligations as defined in Article 28 of the GDPR. As a result, we have appointed a Data Protection Officer (DPO) who may be contacted via rgpd@lucca.fr.
As a data processor, we also make the following commitments:
- Only process the personal data of your employees in the context of the performance and execution of the Lucca online services to which you have subscribed. We will never sell your employee data or use it for marketing purposes.
- Not transfer your data outside the EU, unless you opt for data hosting in Switzerland.
Hosts
We use four data processors to host our solutions and, therefore, the personal data of your employees:
- OVH, on servers located in France and Germany,
- Scaleway, on servers located in France and the Netherlands, used exclusively for encrypted backups,
and, for clients residing in Switzerland:
- Microsoft Azure, on servers located in Switzerland,
- Google Cloud Platform (GCP), on servers located in Switzerland, used only for encrypted backups.
- Notify you of changes to the data processors we use to process some of your personal data, and ensure that these data processors are GDPR-compliant.
- Restrict access to your personal data to duly authorized Lucca employees only, in particular to assist you in the context of support functions.
- Guarantee a high level of data security and protection.
- Make our employees aware of the confidential nature of personal data, the issues of data security and the regulations applicable to the protection of this data.
- Notify you of data breaches within 48 hours of becoming aware of them.
Your obligations as a data controller
You manage, through our solutions, the personal data of your employees.
As a result, your employees have rights over this data, and it is your responsibility to allow them to exercise those rights. Lucca's solutions help you fulfill this obligation.
Right of access (Article 15 of the GDPR)
The data subject shall have the right to obtain from the data controller access to his or her personal data.
Depending on the settings of the solution, employees have access to the information that concerns them (or can request access to it from their administrator). Whether or not to give your employees this possibility is your decision alone, as the data controller.
Right to rectification (Article 16 of the GDPR)
The data subject shall have the right to obtain from the data controller, without undue delay, the rectification of inaccurate personal data concerning him or her.
The Poplee Core HR solution, by its nature (employee self-service), allows employees to edit all or part of their personal data themselves.
Right to be forgotten (Article 17 of the GDPR)
The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay.
We provide our clients with a module dedicated to the management of the right to be forgotten. Reserved for administrators of our solutions, it allows them to delete personal data, in particular that of former employees. To learn more about this module
Lucca's commitments as a data controller
We may collect and process personal data for the purposes of managing our clients, suppliers and leads, but also for the purposes of executing our contracts with our clients.
In particular, we use certain personal data of the administrators of our solutions (surname, first name, professional email, role) to communicate with them and provide them with maintenance and functional support services, as well as information on developments and news of our solutions.
We give administrators the possibility of opting out of receiving this information, but in that case they may not be fully informed of all functions and/or developments of the Lucca solutions.
In this capacity, we also undertake to:
- Limit data collection to what is strictly useful.
- Not use the data collected for purposes other than those for which it was collected.
- Give the administrators of our solutions rights of access, rectification and erasure of their personal data.
- Implement appropriate technical and organizational measures to guarantee a high level of security.
Under no circumstances can these responses constitute legal advice. We invite you to consult your counsel on these matters.