GDPR compliance
What is the GDPR?
The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and standardizes data protection laws across EU countries. The GDPR provides EU citizens with greater data rights, and requires businesses to be more accountable and transparent with how they collect and process that data. There are seven key principles:
Process data lawfully, fairly, and in a transparent manner.
Identify a purpose for the processing of that data.
Limit the data collected to what is necessary.
Ensure the accuracy of personal data.
Don't store personal data longer than needed.
Put security measures in place to protect personal data.
Take responsibility for what you do with personal data.
Data controller or processor?
Under the GDPR, there are different obligations for data controllers and data processors. Controllers are organizations that determine the purpose of processing personal data. Processors are typically third parties that process data on behalf of the controller.
Quinto is considered a data processor because we do not control or change the purpose of information provided by clients, and we don't transfer that information to third parties without authorization from the client. Each client controls the data on their own Quinto site.
How does Quinto comply with the GDPR?
As a data processor, we are committed to protecting personal data. We provide features that support the rights of EU citizens under the GDPR and help our clients meet their obligations as data controllers. We also implement a variety of proactive tools and processes to find vulnerabilities, protect against data leaks, prevent injection attacks, and ensure system stability and security.
Information we collect as a processor
Account information
Account login information consisting of first and last name, a company business email address, and a company name (“Account Information”). The client might also choose to include the employee ID, city, country, hire date, and job history.
Electronic identification data
IP addresses are collected in the Quinto audit log. This log stores all user actions and lists the user’s first and last name, email address, IP address, date, time, and subject of the action. Clients use the log to confirm past actions. Quinto customer support uses the log to investigate technical issues at the client’s request.
Survey and job description data
Clients can collect comments from users in the selection of competencies or in the review of job descriptions. Clients can provide the employee’s job title, summary, level, type, location, pay, and any other properties the client might choose to define. Clients can also include competency/proficiency, responsibilities, education, professional certifications, skills, experience, working conditions, additional information, and languages. The employee’s name and a sign-off history may or may not be associated with the job description.
How Quinto supports controllers
Right to be informed
Users are presented with a link to our Terms and Privacy Policy on the login page.
Right of access and data portability
We offer an export of each user’s personal data.
Right to rectification
Clients can edit user account info and associated job data.
Right to erasure
Clients can anonymize deleted users. This process is irreversible. Comments made by the user on surveys and jobs still appear, but the user’s name is cleared. Activities performed by the user still appear in the audit log, but the user’s name is cleared.
Right to restriction of processing
Clients can delete any user. The deleted user is no longer available to select as a participant for any Quinto activities. Comments made by the user on surveys and jobs still appear.
Right to object
Employees can contact their administrator with questions about how their data is being used, requests for corrections, or objections to the processing of their information.
Right to avoid automated decision making
Quinto does not support automated decision making. Emails sent from Quinto always involve human intervention. Quinto does generate lists based on calculations, but decisions made based on this information are not automated. HR uses this information to inform their decisions.
Data retention and deletion
Sites are shut down 14 days after a contract ends. The backups exist in our cold storage for 20 days from the shutdown date. The site is no longer included in new backups 20 days from termination.
Data breaches
In the case of a confirmed data breach, our Data Protection Officer will contact your designated site administrator by email without undue delay. We will send the site administrator regular updates about our investigation and remediation efforts.
Data transfers
Quinto services are managed in Canada. The European Commission has recognized commercial organizations in Canada as having adequate protection, meaning that personal data may be transferred from the EU to Canada. Quinto also uses third-party service providers (“subprocessors”), which are listed on our website. These providers may process personal data outside of Canada, including in the United States. Where data is sent to the US, we rely on standard contractual clauses to safeguard personal data.