BitaBIZ needs to collect and use certain information about individuals to carry out our business activities. These can include customers, suppliers, business contacts, employees, and other people we have a relationship with or may need to contact.
BitaBIZ is committed to protecting the personal data of our employees, users of our services, contractors, and website visitors. This policy is applicable in situations where we act as a data controller or data processor with respect to this personal data.
This policy describes how this personal data must be collected, handled and stored to meet our data protection standards and to comply with the Regulation (EU) 2016/679 (General Data Protection Regulation) referred to as “the GDPR”.
In this document, “we”, “us”, and “our” refer to BitaBIZ.
The purpose of this policy is to protect and promote data protection rights by informing everyone working for BitaBIZ, and any third party to whom this policy applies, of their data protection obligations and of the BitaBIZ procedures that must be followed to ensure compliance with the GDPR.
All BitaBIZ employees, contractors, consultants, freelancers, and any other person who works under the authority of BitaBIZ must comply with this policy, including all personnel affiliated with third parties who may have access to any BitaBIZ network or resource.
This policy applies to BitaBIZ processing of personal data, whether by electronic or manual means.
The following sets out the principles that underlie our practices for collecting, using, disclosing, storing, securing, accessing, transferring, or otherwise processing personal data.
Fairness. BitaBIZ shall process personal data in a lawful, legitimate, and transparent manner.
Purpose Limitation. BitaBIZ shall only collect personal data for specific, explicit, and legitimate purposes.
Proportionality. BitaBIZ shall only process personal data that is adequate, relevant, and not excessive for the purposes for which it is processed.
Data Integrity. BitaBIZ shall keep personal data that is accurate, complete, and up to date, as is reasonably necessary to accomplish the purpose for which it is processed.
Data Retention. BitaBIZ shall keep personal data in a form that is personally identifiable for no longer than necessary to accomplish the purpose for which the personal data was obtained unless required by law to retain some information for a period of time.
Data Security. BitaBIZ shall implement appropriate and reasonable technical and organizational measures to safeguard personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, use, and access.
Individual Rights. BitaBIZ shall process personal data in a manner that respects individuals’ rights as required by the GDPR.
Accountability. BitaBIZ shall implement appropriate governance, policies, processes, controls, and other measures necessary to demonstrate that it processes personal data following this policy and the GDPR.
Legal Basis for Processing Customer and Partner Data
Data processing for contractual relationship. Personal data of the customer or partner can be processed to establish, perform, and terminate a contract.
Consent to data processing. Personal data can also be processed following the consent by the data subject. Before giving consent, the data subject must be informed. The declaration of consent must be obtained in writing or electronically for the purposes of documentation.
Legal authorization or obligation. The processing of personal data is permitted if national legislation requests, requires, or permits this. The type and extent of processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions.
Legitimate Interest. Personal data can also be processed if necessary for legitimate interests (e.g., avoiding breaches of contract). Before data is processed, it must be determined whether the data subjects’ interests worthy of protection outweigh the legitimate interests.
Employment relationship. Personal data can be processed if needed to establish, perform, and terminate the employment relationship. In the existing employment relationship, data processing must always relate to the purpose of the employment. Personal data of candidates can be processed to help decide whether to enter into an employment relationship. If the candidate is rejected, their data must be deleted, unless the candidate has agreed to remain on file for a future selection process.
Personal Data We Collect and Receive
BitaBIZ collects and receives customer data. Below are the kinds of data we collect and reasons for doing so. We do not use this data for other purposes.
1. When a BitaBIZ account is created, the following information may be collected:
- User data. Users (employees) or individuals granted access to a BitaBIZ account by a customer (“Setup Admin user”) routinely submit customer data to BitaBIZ when using the Services. This includes data like vacation requests, time registrations, sick leave registrations, etc.
- Customer data. BitaBIZ is also used to collect other customer data. To create or update a BitaBIZ account, you or your employer supply BitaBIZ with an email address, phone number and other staff/ HR/ payroll related information.
- Billing information. Customers that purchase a paid version of the BitaBIZ Services provide BitaBIZ (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
Our Data Collect Policy describes in detail what data may be collected using the BitaBIZ service. Click here to read our Data Collect Policy.
2. BitaBIZ also collects, generates, and/or receives other information:
- Device information. BitaBIZ collects information about devices accessing the services, including the type of device and what operating system is used.
- Logs. Our servers automatically collect information when you access or use our services and record it in log files. This log data may include the Internet protocol (IP) address.
How We Use Information
The information added to BitaBIZ will be used in accordance with the Customer’s instructions. BitaBIZ is a processor of Customer Data and the Customer is the controller. The Data Processor Agreement (DPA) governs how BitaBIZ shall act as the data processor. Click here to read the DPA.
Where We Store and Process Personal Data
BitaBIZ is hosted in a cloud and data we collect is stored in the Microsoft Azure platform. Microsoft enterprise cloud services are independently validated through certifications and attestations, as well as third-party audits. In-scope services within the Microsoft Cloud meet key international and industry-specific compliance standards, such as ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2. They also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses, UK G-Cloud, Singapore MTCS, and Australia CCSL (IRAP). In addition, rigorous third-party audits, such as by the British Standards Institution and Deloitte, validate the adherence of their cloud services to the strict requirements these standards mandate.
Microsoft has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. Microsoft has stated that it and its controlled U.S. subsidiaries (collectively “Microsoft”) will continue to comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
Data Subject’s Rights
A data subject has the following rights vis-à-vis the controller:
- The right to be informed of the circumstances in the processing of their personal data (Right of transparent communication and information).
- The right to obtain information about how their data is processed and what rights they are entitled to in this respect (Right of access).
- The right to correct or supplement personal data if data are incorrect or incomplete (Right to rectification).
- The right to delete their personal data if the legal bases have ceased to apply. Existing retention periods and interests worthy of protection that prohibit deletion must be observed (Right to erasure).
- The right to restriction of processing if they dispute the accuracy of processing or the controller no longer needs the data while the data subject needs the data for their legal claims (Right to restriction of processing).
- The right to receive, in a commonly used digital format, their personal data which they have provided on the basis of consent or in the context of an agreement initiated by them. The data subject also has the right to transfer this data to a third party (Right to data portability).
- The right to object to direct marketing at any time (Right to object).
- Right not to be subject to automated decision-making.
- The right to lodge a complaint.
Access to Your Data
All individuals who are the subject of personal data held by BitaBIZ are entitled to:
- Ask what information BitaBIZ holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up-to-date.
- Be informed how the company is meeting its data protection obligations.
- Request removal.
Our Information Security Policy describes our:
- Hosting security
- Product security
- Internal security
Click here to read our Information Security Policy
International Data Transfers
BitaBIZ may transfer personal data added to the BitaBIZ services to countries other than the one in which you live.
BitaBIZ has an EU GDPR compliant data transfer setup:
- Data storage inside the EU
- Engages only selected sub-processors that may process personal data submitted to BitaBIZ services.
Click here to read our Sub-processor Policy.
BitaBIZ customers have statutory rights in relation to data stored on the BitaBIZ service.
BitaBIZ provides data management tools to manage and delete personal data according to local law. If you cannot use the settings and tools, contact BitaBIZ online support for assistance.
Your rights to your data stored on the BitaBIZ service are described in our Terms & Conditions.
If you want to lodge a complaint about our processing of your personal data, please contact us directly. If we cannot help you, you can lodge a complaint to the national Data Protection Authority.