Complying with the General Data Protection Regulation

StepAhead is a data processor, and as such, we meet all the applicable GDPR requirements. As data controllers, each of our customers still needs to have a separate GDPR-compliant process in place.

We process the personal data of our customer’s employees “for the purposes of the legitimate interests pursued by the controller”, under Article 6(1)(f). As we participate in research in the field of Organizational Network Analysis (ONA), we may process personal data as part of such research, implementing appropriate safeguards, including pseudonymization, in accordance with Articles 5(1)(b), 6(4), and 89(1). We are committed to protecting our customers and their employees’ privacy. We will process our customers’ data in a manner that is adequate, relevant and limited to what is necessary in relation to the purpose of processing. We practice principles of data minimization and pseudonymization in order to protect our customers’ data. All data is stored according to GDPR requirements. The main facility we use for storage is Amazon AWS, located in Hamburg, Germany.

StepAhead provides services under a contract executed between StepAhead and each of our customers, stipulating our obligations to our customers in accordance with Article 28.

We implement data subjects’ rights, providing our customers with the means to grant their employees with:

• Copy of the personal data undergoing processing in a commonly used electronic form, as well as the purpose of processing, the categories of personal data concerned, and to whom the processed data will be disclosed, in accordance with the Right of Access (Article 15)
• Ratification of an inaccurate data concerning an employee, in accordance with the Right to rectification (Article 16)
• Erasure of personal data concerning an employee, in accordance with the Right to Erasure (“the right to be forgotten”) (Article 17)
• Postponement of processing of data in accordance with the Right to Restriction of Processing (Article 18)
• Prevention of personal data of an employee from being processed, in accordance with the Right to Object (Article 21)