About the GDPR
The General Data Protection Regulation (GDPR) came into force on May 25, 2018 to bring consistency to the data protection landscape across Europe, to enhance data protection compliance obligations that apply to both data controllers and data processors, and to safeguard the privacy of EU data subjects. It embodies the principles of transparency, fairness and accountability and offers strengthened rights for individuals to control their data. The GDPR introduced a risk-based approach to data protection with the intent to encourage and enable innovation in the global digital economy while respecting an individual’s right to privacy.
Visier placed a high priority on GDPR readiness and proactively engaged a highly accredited privacy compliance solutions provider, TrustArc (formerly known as TRUSTe), to conduct a thorough assessment of Visier’s data privacy practices. While Visier already maintained a robust Privacy and Data Protection Program, we took steps to further mature this program and to prepare for the GDPR’s increased accountability obligations. This included appointing a Data Protection Officer, updating privacy policies and notices, adopting privacy-by-design in how we design, build and govern our solutions, enhancing contract language, refreshing employee privacy training, managing vendor relations, and preparing records of processing activities to ensure that we know what data we collect, where it resides and the purposes for processing.
Visier understands that demonstrating compliance with the GDPR is an ongoing journey. Our commitment includes continuously monitoring emerging developments, regulator guidance, and lessons learned as the effects of the GDPR take hold. We will continue to refine our privacy practices and Privacy and Data Protection Program to reflect this shifting landscape while supporting our customers’ goals and expectations.
In addition to the GDPR, Visier also complies with other applicable data protection laws and aligns with industry standards, frameworks and privacy best practices.
To learn more about our privacy commitments, please read our Privacy Overview.
Your Data and Using the Visier Solution
Visier strives to create a trusted environment and is committed to practicing transparency in how we handle our customers’ data. Our customers are, and remain, the data controller for the personal data being processed in the Visier solution. As the data processor, Visier shares responsibilities for data protection with our customers. We have implemented processes to ensure personal data is handled appropriately and securely throughout the data lifecycle.
To help customers understand how Visier has implemented measures to ensure personal data is handled in accordance with the GDPR, we have highlighted some of the main GDPR requirements and how Visier helps to address them. Customers may also find this high-level summary useful in supporting their compliance efforts with Article 35 Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
While Visier and its customers each have responsibilities when it comes to GDPR compliance, Visier also assists its customers when instructed to do so and as reasonably necessary, to comply with their respective privacy obligations.
*The requirements below highlight only a subset of the GDPR and are not intended as legal advice. Customers must seek their own legal advice to ensure their compliance with the applicable requirements under the GDPR.
| GDPR Requirement | Responsibility | How Visier helps address the requirement |
|---|---|---|
| | Shared | Customers have an obligation to keep personal data accurate and up to date. Visier assists its customers in keeping personal data accurate and up to date. When instructed to do so by a customer, as required under the terms of the subscription agreement, Visier will correct or update personal data. |
| | Shared | Customers must ensure personal data is not kept longer than is necessary for the purposes for which it is processed, taking into account any legal obligations. Visier will retain personal data for the duration of the customers’ use of the Visier solution and services and until personal data is deleted or returned in accordance with the customers’ instructions or the terms of the subscription agreement. Upon termination or expiration of a customer’s subscription agreement, customer data is securely destroyed in all formats and from all media within 30 days. |
| Purpose of processing | Customer | The purpose(s) of processing personal data are determined by the customer that implements, configures, and uses the Visier solution. Customers decide what personal data is collected from employees and candidates; the lawful basis for collection; how much personal data is transmitted to the Visier solution to help make business decisions about employees and candidates; and how this data is to be processed by Visier. Visier only processes personal data for its customers’ use within the Visier solution in accordance with the customers’ instructions and to the extent reasonably necessary for the provision of the contracted services. |
| | Customer | Customers are able to upload, control and manage only the personal data they want processed in the Visier solution. Customers are responsible for selecting the types and categories of personal data they submit to Visier for processing in the Visier solution and must ensure they have provided sufficient notice to and obtained applicable consents from data subjects. |
| Special categories of data | Customer | Certain types of personal data fall under the ‘special categories of data’. This includes data that reveals an individual’s religious or philosophical beliefs, genetic data, or sexual orientation. Customers are solely responsible for determining the types and categories of personal data, including any special categories of data, that are transferred to Visier for processing in the Visier solution. |
| | Shared | Visier provides its customers with transparency around how personal data is managed. The Visier Privacy Statement is presented upon initial user login and is easily accessible at all times within the Visier solution. The Privacy Statement describes Visier’s data handling practices and communicates the ways personal information is protected. Customers are responsible for providing an appropriate level of transparency regarding the personal data they manage in the Visier solution. |
| Subject access requests | Shared | The Visier solution leverages the source data that customers transmit to Visier. Therefore, if an individual requests access to their data, this can be fulfilled by exporting the data from the customer’s internal human resources management system or candidate tracking system, as these systems contain the original and complete data. Visier also provides the capability for customers to self-export the requested personal data available from the Visier solution into a machine-readable format. Visier promptly forwards to its customers any data subject access request where a customer’s data subject has directly applied to Visier to exercise their rights, and does not respond to such a request unless authorized to do so or required to by law. |
| Right to erasure | Shared | Customers may choose to delete or de-identify personal data in response to a right to erasure request. When instructed to do so by a customer, as required under the terms of the subscription agreement, Visier assists the customer in deleting or de-identifying personal data of an employee or candidate that has previously been transferred to Visier for processing. Visier promptly forwards to its customers any right to erasure request where a customer’s data subject has directly applied to Visier to exercise their rights, and does not respond to such a request unless authorized to do so or required to by law. |
| | Customer | The Visier solution provides data-driven insights to executives and human resources professionals to help them make effective business decisions related to their employees and candidates. |
| | Visier | Visier informs its customers where processing is conducted by a sub-processor and complies with the particular requirements of a customer with regard to the appointment of sub-processors, as set out under the terms of the subscription agreement with that customer. Visier ensures that sub-processors comply with provisions consistent with the terms in its customer agreements and, in particular, that the sub-processor adopts appropriate and equivalent security measures. See Visier’s Sub-Processor list. |
| Records of processing activities | Shared | Customers, as data controllers, are responsible for maintaining records of processing activities associated with personal data. Visier maintains internal records of processing activities relevant to its role as a data processor. |
| Data protection by design | Shared | Visier considers Privacy by Design principles in the design and development of solutions and services. Privacy assessments and reviews are integrated into the development lifecycle of new functions, features and content. Visier’s head of Privacy and Data Protection is a stakeholder in the go/no-go decisions for all new releases before they become generally available. Read more about Privacy by Design at Visier. Customers are responsible for how personal data is managed within the Visier solution. Customers should periodically review their use and configuration to validate that data protection has been taken into account by design. |
| Data Protection Officer | Customer | Customers may need to appoint a Data Protection Officer under the GDPR. Visier does not offer Data Protection Officer services. |
| | Shared | Visier is committed to protecting personal data and has implemented appropriate technical and organizational measures to safeguard personal data. This includes internal policies and processes, contractual commitments, third-party audits, encryption, and certifications. Visier undergoes an annual SOC 2 Type II audit by an internationally recognized accounting firm. For a summary of the SOC 2 report, see our SOC 3 report. For more information about our security practices and vulnerability management program, read our Security Overview. Visier adopts access controls based on the principles of ‘least privilege’ and ‘need to know’ to ensure that only authorized individuals involved in the operation and provision of the contracted services are permitted to process customers’ data. Visier strictly adheres to its obligations of confidentiality and does not distribute or disclose customer data to any other party. The Visier security model empowers customers to manage their users’ access and provides controls for defining appropriate permissions. Customers should periodically review their security configuration settings and permissions to ensure only authorized users have access to features, functions, and content. |
| Personal data breach | Shared | Visier maintains an internal security incident and data breach response plan to ensure that customers’ designated Security Contact(s) are notified of a security incident in accordance with the Visier Customer Data Safeguards Policy. As data controllers, customers are responsible for determining and meeting personal data breach notification obligations for their impacted employees and candidates. |
| | Customer | Customers are responsible for any pseudonymisation, anonymization, or de-identification of personal data transmitted to and processed in the Visier solution. |
| Location and cross-border data flows (Articles 44, 46) | Visier | Customers have a choice of GDPR-compliant data transfer mechanisms for personal data transfers to Visier from outside the European Economic Area (EEA), the United Kingdom (U.K.) or Switzerland. Visier continues to maintain its certifications with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. Customers may also choose to sign Standard Contractual Clauses (SCCs). While the GDPR does not have data localization or data residency requirements, Visier offers its customers a choice for storing their data at rest within a specific geographic area. See data center locations on the Visier Trust site. |