Federal Act on Data Protection / General Data Protection Regulation

At Lucca, we didn’t wait for the FADP and GDPR to come into effect to ensure the confidentiality and security of your data. However, these laws do increase some of our obligations. Therefore, we have taken the necessary steps to ensure compliance. The details can be found below.

Lucca solutions manage information (leave, expense reports, pay slips, personnel files…) that is “personal data” in the sense of the Swiss Federal Data Protection Act (“FDPA”) and the General Data Protection Regulation of the European Parliament and the Council (“GDPR”).

Therefore, if you are a customer of ours, you are subject to the provisions of the FDPA in two respects:

  • Through your relationship with us, as we act as your processor (Articles 5(k), 9 and 19 et seq. FADP and Article 28 GDPR),
  • through your relationships with your employees, as you are the controller for the processing of your employees’ personal data via the Lucca solutions (Articles 5(j), 7 and 19 et seq. of the FADP and Article 24 of the GDPR).

In addition, we manage personal information to communicate, in particular by email, with the administrators of our solutions as well as with our leads. As such, we act as a data controller.

Definitions of the most important terms

The FDPA and the GDPR are dense and complex texts whose provisions can sometimes leave room for interpretation or seem abstract. Nevertheless, it is important to know the following four definitions in order to better understand them.

Personal data

Personal data, as defined by the GDPR, is any information relating to an identified or identifiable natural person. 

At Lucca, almost all information that you manage with our Lucca solutions, be it an employee record, a leave request or an assessment, is therefore personal data.

Processing of personal data

Processing means any handling of personal data, irrespective of the means and procedures used, in particular the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data.

Lucca processes the personal data of its clients. For example, Lucca stores the personal data of its employees for the entire duration of the contract with its customers and deletes them within 30 days after the termination of the contract. 

Person in charge for processing (controller)

The controller is the (natural or legal) person or federal body that, alone or jointly with others, determines on the purposes and means of the processing of personal data. The controller is responsible for compliance with the FADP and the GDPR within its organization, in particular for compliance with the rights of employees (right of access, etc.).

All customers of our Lucca solutions are therefore to be considered as responsible for the processing.

Processor

The processor is the private (natural or legal) person or federal body that processes personal data on behalf of the controller.

Lucca has the status of a processor in relation to all its customers.

Lucca’s obligations as a processor

If you are a customer of Lucca, we are your data processor. In this capacity, we undertake to comply with our obligations under article 9 and chapter 3 of the FADP and article 28 of the GDPR. In particular, we have appointed a Data Protection Officer (DPO) whom you can contact at rgpd@lucca.fr.

As a processor, we also commit to the following obligations:

  • We process the personal data of your employees only in connection with the implementation and processing of the Lucca online services to which you have subscribed. We will never sell or use your employee data for marketing purposes.
  • We do not transfer your data outside the European Union.

Hosts

For customers located in Switzerland, we use two processors to host our applications, including the personal data of our employees:

  • Microsoft Azure on servers located in Switzerland ;
  • GCP on servers in Switzerland, which are only used for encrypted backups.

For customers located in the European Union:

  • OVH on servers located in France and Germany;
  • Scaleway Azure on servers located in France and in the Netherlands and used only for encrypted backups.
  • We will inform you of any changes to the processors we appoint to process some of your personal data and ensure that they, as processors, comply with the FADP and the GDPR.
  • We will restrict access to your personal data only to duly authorized to Lucca employees, in particular to assist you with support functions.
  • We guarantee you a high level of security and protection of your data.
  • We sensitize our employees to the confidentiality of personal data, the challenges of data security and the applicable regulations for protecting this data.
  • We will notify you within 48 hours of becoming aware of a data breach.

Question

What measures has Lucca taken regarding data security and data privacy?

Lucca has taken security measures to ensure the integrity and confidentiality of the personal data you entrust to us. To this end, Lucca obtained the ISO 27001 certification in July 2022, which demonstrates our commitment to information security.

In particular:

  • Systematic encryption of data that is transmitted over the public network.
  • Replication of production data at a geographically remote location.
  • Hourly encrypted (AES 256) offsite backups at GCP Storage (Zurich) or at Scaleway Paris (PRA) for our customers who have chosen to be hosted in the European Union.
  • Deletion of personal data as it leaves the production environment.
  • Regular security audits and penetration tests.
  • A secure development policy with lockdown controls.

Finally, we regularly assess the risks and adjust the level of our security measures accordingly.

Your obligations as controller

Our solutions allow you to manage your employees’ personal information.

Accordingly, your employees have rights regarding this data. It is your responsibility to enable them to exercise these rights. Our solutions help you do that.

Access right (Article 25 FADP and Article 15 GDPR)

Any person may request information from the controller as to whether personal data concerning them is being processed. In particular, if such data is being processed, the individual has the right to obtain the personal data being processed.

Depending on the solution settings, employees may have access to information about themselves (or may request such access from their administrator). Only you, as the controller, can grant or deny this option to your employees.

Legal claims (Article 32 FADP and Article 16 GDPR)

The data subject may request the controller to rectify inaccurate personal data.

The Poplee Core HR (Employee Self Service) solution allows employees to change all or part of their personal data themselves.

Right to erasure (Article 32 FADP) / Right to be forgotten (Article 17 GDPR)

With regard to actions for the protection of personality pursuant to Art. 28 et seq. of the Civil Code, the FADP provides, among other things, that the plaintiff may request the erasure or destruction of personal data. 

The GDPR, for its part, provides that the data subject has the right to request the controller to erase the personal data concerning him or her as soon as possible.

We provide our customers with a module to manage the right of erasure. This module is reserved for administrators of our solutions and allows them to delete personal data, in particular of employees who no longer work for the company.

Further information on this module

Questions

Do I need the consent of the employees before I use Lucca solutions?*

Due to the unequal relationship between employer and employee, employees are rarely free to give their consent unless their acceptance or refusal has no negative impact on their status as an employee.

If the data subject’s consent is required, it is only legally valid if the data subject has freely expressed his or her will in relation to one or more specific treatments and after having been duly informed. Article 6 of the FADP recalls that consent must be given explicitly in three cases:

  • If it concerns the processing of sensitive personal data
  • In the case of high-risk profiling by a private person
  • If the profiling is carried out by a federal body

Consent is only one of the justifications listed in Art. 31 FADP and Art. 6 GDPR to ensure the lawful processing of personal data. Therefore, depending on the purposes that you have previously determined for your processing, it is up to you to determine the legal basis that will be adapted.

Lucca’s obligations as controller

We collect and process personal data in order to manage our customers, suppliers and potential customers and to fulfill our contracts with our customers.

In particular, we use certain personal data of the administrators of our solutions (first and last name, business e-mail address, job title) in order to communicate with them and provide them with maintenance and support services, as well as information about developments and innovations in our solutions. 

We have provided the option for administrators to opt out of receiving this information, but in this case there is a risk that they will not be fully informed about all functions and/or developments of the Lucca solutions.

  • We limit the collection of data to what is absolutely necessary.
  • We do not use the data collected for purposes other than those for which it was collected.
  • We provide the administrators of our solutions with the right to access, correct, or delete their personal data.
  • We implement appropriate technical and organizational measures to ensure a high level of security.

These answers do not constitute legal advice. We recommend that you consult your legal counsel on these matters.