ERP chain Privacy Policy
Last Updated: 01-Oct-2025
1. Introduction and Scope
ERP chain (“the App”) is developed by ERP and may be integrated by authorized partners. This Privacy Policy applies to all Customers and their Users who access or use ERP chain.
This Policy governs the processing of Personal Data carried out in connection with the provision of ERP chain's human resources management features, including:
- Leave management
- Attendance tracking (with GPS localization at declared times only)
- Overtime management
- Performance reviews
- Online training (PDF and video)
- HR news and internal communications
This Policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the French Data Protection Law (“Loi Informatique et Libertés”), and equivalent applicable data protection laws worldwide.
2. Definitions
For purposes of this Policy:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
- Controller: The Customer organization using ERP chain that determines the purposes of processing.
- Processor: ERP and, where relevant, its authorized integrators.
- Sub-Processor: Any subcontractor engaged by ERP to support processing.
- Sensitive Data: Special categories of data as defined under GDPR, including but not limited to health information, union membership, biometrics, performance reviews, salaries, advantages and GPS location data.
3. Categories of Personal Data Processed
Depending on the configuration selected by the Customer, ERP chain may process:
- Identification Data: name, employee ID, contact information.
- Employment Data: job title, department, manager, employment details, payslips.
- Attendance Data: working hours, overtime, leave records.
- Location Data: GPS data collected only at check-in/check-out events.
- Performance Data: appraisals, feedback, evaluation records.
- Training Data: training history, course completions, materials accessed.
- Communication Data: internal HR news and updates.
Sensitive Data will only be processed when strictly necessary, with enhanced safeguards.
4. Purposes and Legal Bases of Processing
Processing is undertaken solely for defined purposes and under lawful bases, including:
- Performance of contract: delivering HR services (attendance, leave, overtime, training).
- Legal obligations: compliance with labor, tax, or employment regulations.
- Legitimate interests: ensuring system security and improving services, provided such interests do not override User rights.
- Explicit consent: required for GPS localization and any optional features.
5. Principles of Processing
ERP chain ensures that Personal Data is processed in accordance with the following principles:
- Lawful, fair, and transparent processing.
- Collected for explicit and legitimate purposes.
- Limited to what is strictly necessary (data minimization).
- Accurate and kept up to date.
- Retained only as long as necessary (storage limitation).
- Protected by appropriate security measures.
6. Data Retention
Retention periods are defined as follows, unless applicable law requires longer storage:
- Attendance, leave, and overtime records: up to 5 years.
- Performance reviews: up to 3 years after the end of employment.
- Training history: up to 7 years.
- GPS location logs: up to 1 year.
- HR news communications: for the duration of employment.
7. Rights of Data Subjects
Users of ERP chain may exercise the following rights:
- Access, rectification, and erasure of their data.
- Restriction of, or objection to, processing.
- Portability of Personal Data.
- Withdrawal of consent at any time (without affecting prior lawful processing).
- The right not to be subject to decisions based solely on automated processing.
Requests will be answered within 30 days. Users should direct requests through their employer (the Customer), who may escalate to ERP where necessary.
8. Security Measures
ERP implements industry-standard technical and organizational measures, including:
- Encryption of data in transit and at rest.
- Role-based and least-privilege access controls.
- Audit logs and monitoring.
- Pseudonymization for analytics.
- Regular audits and employee data protection training.
The Customer reserves the right to audit ERP’s compliance with these obligations.
9. Data Breach Notification
In the event of a personal data breach, ERP shall notify the Customer without undue delay and in any case within 24 hours of becoming aware of the breach.
The notification shall include:
- The nature of the breach.
- Categories and number of data subjects affected.
- Likely consequences.
- Measures taken or proposed to mitigate adverse effects.
ERP shall fully cooperate with the Customer in fulfilling regulatory and communication obligations.
10. Subcontracting and Third Parties
ERP shall not engage Sub-Processors without prior notification to the Customer and, where required by law or contract, the Customer’s prior written approval.
All Sub-Processors will be bound by obligations equivalent to those in this Policy, and ERP remains fully liable for their compliance.
11. International Data Transfers
Transfers of Personal Data outside the European Economic Area (EEA) will only occur subject to adequate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission or other recognized legal mechanisms.
12. Automated Processing and Profiling
ERP chain does not take employment-related decisions based solely on automated processing. Where algorithms are used (e.g., training recommendations or evaluation tools), final decisions remain subject to human review.
13. Accountability and Governance
ERP undertakes to:
- Appoint a Data Protection Officer (DPO).
- Conduct Data Protection Impact Assessments (DPIAs) where required.
- Maintain records of processing activities.
- Provide documentation to supervisory authorities upon request.
14. Contact and Complaints
For questions or to exercise rights, Users may contact their employer (the Customer) or ERP’s DPO directly:
Users also retain the right to lodge a complaint with their local data protection authority.
15. Updates to this Policy
ERP may update this Policy to reflect changes in law, regulation, or ERP chain functionality. The Customer will be notified of material changes in advance, and the updated Policy will include a new “Last Updated” date.