What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection and privacy law that came into effect on 25th May 2018. It is enforced in the European Union (EU) and European Economic Area (EEA). This regulation is applicable to all establishments in the EEA, organizations offering goods/services to EU/EEA citizens, Public International Organizations and organizations monitoring the behavior of individuals in the EU/EEA. The main aim of GDPR is to impose a set of data protection laws to ensure no personal data of any individual shall get exploited. It mandates that personal data remains protected against unauthorized and unlawful processing. This legislation revolutionized data processing by imposing necessary restrictions to exposure of an individual’s personal data.
- Data Controller is the one who determines the purpose of data usage and the means by which personal data of individuals should be processed. Following are the responsibilities of Data Controller:
  - To control and oversee the utilization of an individual’s personal data, done by a data processor.
  - To define the procedure and purpose of data usage.
  - To define the personal details that are to be collected from data subjects.
  - To notify the data subjects regarding their information utilization.
  - To take consent from individuals regarding their data collection.
  - To determine whether to share data with a third party.
- Data Processor is usually a third party who processes personal data on behalf of the data controller. Data being processed by a data processor is fully resourced by the data controller and how it will be utilized is totally the decision of the data controller and not of the data processor.
- Data subjects are identified or identifiable living individuals to whom personal data relates. Basically, data subjects are the human beings from whom or about whom, data controllers collect the information.
This GDPR Policy is applicable to Matrix’s People Mobility Management Solution “COSEC”.
Matrix’s GDPR Compliance Statement
Matrix ComSec is a provider of a People Mobility Management Solution, “Matrix Cosec” (CENTRA & VYOM), for their customers to manage their employees and staff. The Customer updates the information about their employees (“Customer data”) in Matrix COSEC Software. Customers can update, access, use, process and manage the information of their employees and staff. The customers will be the “Data controller” for employee information updated on Matrix COSEC (CENTRA & VYOM).
Matrix Comsec has anticipated this regulation by complying with necessary restrictions in the software solution in order to protect personal data of users. Matrix firmly believes that only authorized persons shall have the right to access required information of individuals.
We act in the capacity of “Data Processor” for the personal information updated by the customer on the Matrix COSEC VYOM. We do not own, control, or direct the use of Customer data that is stored in COSEC. In the case of COSEC CENTRA, customers act in the capacity of both “Data Controller” and “Data Processor”.
How Our People Mobility Solution is GDPR Compliant? What Information do we collect and how do we utilize:
- Personal Information:
- Personal information of users which is being collected and processed on Matrix ComSec People Mobility Management Solution consists of details provided knowingly and voluntarily by End Users, Customers (Employer), or Customer’s Administrators. This may include your full name, Date of Birth, Blood group, Height, Weight, Gender, Medical History, Marital Status, Father/Spouse name, Nationality, Phone/Mobile number, E-mail ID, Address, Pin code, PAN (applicable to Indian citizens only), PF Number, ESI Number, Driving License Number, License Expiry, Visa, Visa Expiry, Passport Number, Passport Expiry, Aadhaar Number (applicable to Indian citizens only), Voter ID, Mobile Identification Number, UAN, Qualification and Experience. The customer (employer) updates the customer data on Matrix COSEC(CENTRA & VYOM) and is solely responsible for the accuracy of the information.
- Matrix provides the assistance for customers to define custom fields in order to fetch their desired details from users. These custom field details can be stored in encrypted form based on the choice of Customers. However, selection of personal details that is to be gathered from users is completely optional and totally the decision of Customers (Employers). Retaining, maintaining or deleting personal data of users is completely the choice as well as the responsibility of the Employers based on their requirements.
- Matrix strongly suggests that there is no need to gather user’s personal data for any of the add-on modules such as Time Attendance or Access Control solution.
- Location Information: Our mobile application is served with the capability of location capturing. But we do not ask you for your location details. However, your employer may enable location tagging technology for timekeeping purposes. In this case, your consent of providing your location details is the legal basis for processing the data within the terms of GDPR.
- Biometric Data: Being a Time Attendance and Access Control Solution provider, we need unique identification of users for certain operational and authentication purposes. These unique identifiers are fingerprint, face and palm templates of users. However, gathering and utilizing user’s biometric data is completely optional and your employer may collect, utilize or delete it based on their requirements.
- Log Management: If our customers choose any of the optional People Mobility Management add-on modules offered by Matrix Comsec, then we shall retain users’ details and their event logs in order to carry out the necessary calculations and management as per Customer-set configurations. All the corresponding event logs will be removed from the software on deletion of a particular user. This consists of employee details such as User ID and name, and events along with timestamps. Activities done by authorized users possessing suitable roles and permissions to update/add in the software will be logged in the system.
- Device Information: While using our Mobile Apps, we may ask for access to your Mobile device camera or gallery in order to capture or upload face images for enrollment and approval purposes. We may also ask you to enable Bluetooth in order to fetch your mobile identification number. We do not access your device’s camera, photo storage or Bluetooth settings without your permission. Once the mobile application is installed on your device, we may use your device hardware model, operating system version and unique device identifier to give you a better experience as per the configuration of your device. We may associate your device identifier number with your basic account information stored on the server.
- Who is responsible for User’s Data
- Customer (Employer) using our software solution owns all the data of employees. Customers are fully responsible for maintaining or deleting the information of employees as per their requirements. Which user details are to be processed is also the decision of the Customer. Once the user details are deleted or updated by Customer (Employer), the changes will be reflected in the database.
- Who has the access to the Data
  - Employees to their own Data
  - Customer’s authorized personnel having access to their personal data and all other User’s Data
  - Matrix’s internal team to the entire database. However, Matrix will step in only when a support request is raised by the Customer and data access becomes necessary to assist them.
- How do we store data?
- We store User’s personal information in encrypted form in the database. Data exchange between devices and servers is also secured, using standardized protocols.
- For how long does the data remain stored?
- Employee data is completely handled by Customers (Employers). It is Customer’s or their Administrator’s sole responsibility to delete the Employee data which is no longer useful. Along with deletion of employee data, event logs associated with that particular employee in the past will also get permanently deleted from the database. Customers terminating the utilization of our services may raise a request for their data deletion, on which the Matrix team will permanently delete all their data from the database. User’s information which is deleted cannot be regained and is permanently removed from the database.
Matrix does not sell, share, transfer, rent or otherwise disclose the customer data to third parties except in certain circumstances:
- Related entities
In accordance with this privacy statement, we may disclose such information to our subsidiaries and connected businesses.
- Third Party Services
We provide the facility for seamless integration with third party software for various applications and services. During integration, user’s data may get exchanged between the software. Data to be defined or used for transfer is the responsibility of the customer. However, third party integration is completely optional and the choice of customers. This case is totally out of scope of Matrix ComSec.
- Information shared with our sub-processors
We host our cloud solution using other entities which manage our cloud on our behalf. Our sub-processors are completely under our control and function based on operational configurations done by our customers (Employers). We share all data with them which is necessary to assist us and to provide services to you. We have ensured that our sub-processors are Data Protection certified.
- Legal Requirements
We may divulge this information if we reasonably believe that doing so is necessary to conform to any applicable law, regulation, legal process or enforceable governmental request, or to enforce applicable terms of service, including looking into potential violation of such terms. We may also provide this information to detect, prevent or otherwise address fraud, security or technical issues, as well as to protect against imminent harm to the rights, property or safety of Matrix, its customers or their employees as required or permitted by law.
Legal basis for processing the Information
From the perspective of GDPR compliance, if you are an employee from European economic area (EEA), we process the information collected on Matrix Cosec Vyom on behalf of the customers (“Data Controller” from GDPR perspective), who has a legitimate interest in maintaining his employee information and the purpose of managing his business and adhering to his statutory compliance requirements.
The ownership of fulfilling all consent requirements for procurement and processing of personal information lies with the Customer (data controller). Matrix being a technology partner for their customer, is not responsible to procure or withdraw consent from the data subject, whose personal information is being captured.
Matrix’s Efforts to achieve GDPR compliance
We only handle customer data upon request from the customer. We are the processor of the customer data rather than the controller in terms of GDPR. Prior to or while the customer’s data is being stored in the service, the customer is responsible for complying with any applicable regulations or laws.
We process customer data on behalf of our customers, and as such, we adhere to their requests with regard to that data to the extent that it is practical for our service’s performance.
- Data Subject Rights
As a data subject from the European Economic Area (EEA), you are entitled to the following rights under GDPR:
- Right to access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right against automated decision making
Our employee self-service portal and app provide full visibility to users of their entire personal data. Users can change the information that relates to them through our employee self-service portal and app. Inaccurate or outdated data may be rectified anytime. Users will be able to delete any of their personal information from our provided solution through our employee self-service portal or app if required. An authorized person having sufficient rights of user can delete the data.
We may, if required, assist our customers in informing their employees and staff of the purpose of processing the personal information. We offer a wide range of capabilities to our customers, allowing them to access, edit and delete their personal data.
Any subject access request for access, rectification, modification, deletion, restriction of processing made to us will be directed to the customer, and we will support the customer in meeting any obligations to do so. As we have previously mentioned our customers have the access to carry out these subject access requests independently. Matrix will intervene only upon customer request for assistance.
Fulfillment Of GDPR Principles
- Lawfulness, Fairness and Transparency
User’s data are processed without any exploitation of law and users have complete knowledge regarding the utilization of their data.
- Purpose Limitation
Data is collected only for specified, explicit and legitimate purposes and will not be used for reasons beyond its original purpose.
- Data Minimization
Only data necessary for the purpose is intended to be collected, and not more.
- Storage Limitation
Data will remain stored only for as long as is necessary.
Data captured will be accurate and kept up to date.
- Protection against Data breach
The communication between devices and the central software is secured with the TLS protocol. Biometric templates are stored in the database in encrypted form.
Children’s Privacy Protection
Our biometric devices and our people mobility management solution Matrix COSEC Vyom are meant to collect data related to biological aspects of the subject exposed to the same, which may also include children below the age of 13 years and for those children such Biometric data would be received/ collected and stored with the consent of guardians of the children.
If you have any inquiries or grievances regarding this privacy statement or how we collect or process your personal information, you may contact us at:
Amendments to the policy