The General Data Protection Regulation (GDPR) is a data protection and privacy law that came into effect on 25th May 2018. It is enforced in the European Union (EU) and European Economic Area (EEA). This regulation is applicable to all establishments in the EEA, organizations offering goods/services to EU/EEA citizens, Public International Organizations and organizations monitoring the behavior of individuals in the EU/EEA. The main aim of GDPR is to impose a set of data protection laws to ensure that no individual's personal data is exploited. It mandates that personal data remains protected against unauthorized and unlawful processing. This legislation revolutionized data processing by imposing necessary restrictions on the exposure of an individual's personal data.
Definitions
The Data Controller is the one who determines the purpose of data usage and the means by which personal data of individuals should be processed. Following are the responsibilities of the Data Controller:
Matrix ComSec is a provider of a People Mobility Management Solution, “Matrix Cosec” (CENTRA & VYOM), for its customers to manage their employees and staff. The Customer updates the information about their employees (“Customer data”) in the Matrix COSEC Software. Customers can update, access, use, process and manage the information of their employees and staff. The customers will be the “Data controller” for employee information updated on Matrix COSEC (CENTRA & VYOM).
Matrix Comsec has anticipated this regulation by complying with necessary restrictions in the software solution in order to protect personal data of users. Matrix firmly believes that only authorized persons shall have the right to access required information of individuals.
We act in the capacity of “Data Processor” for the personal information updated by the customer on Matrix COSEC VYOM. We do not own, control, or direct the use of Customer data that is stored in COSEC. In the case of COSEC CENTRA, customers act in the capacity of both "Data Controller" and "Data Processor".
Personal information of users which is being collected and processed on Matrix ComSec People Mobility Management Solution consists of details provided knowingly and voluntarily by End Users, Customers (Employer), or Customer’s Administrators. This may include your full name, Date of Birth, Blood group, Height, Weight, Gender, Medical History, Marital Status, Father/Spouse name, Nationality, Phone/Mobile number, E-mail ID, Address, Pin code, PAN (applicable to Indian citizens only), PF Number, ESI Number, Driving License Number, License Expiry, Visa, Visa Expiry, Passport Number, Passport Expiry, Aadhaar Number (applicable to Indian citizens only), Voter ID, Mobile Identification Number, UAN, Qualification and Experience. The customer (employer) updates the customer data on Matrix COSEC (CENTRA & VYOM) and is solely responsible for the accuracy of the information.
Matrix provides assistance for customers to define custom fields in order to fetch their desired details from users. These custom field details can be stored in encrypted form based on the choice of Customers. However, the selection of personal details to be gathered from users is completely optional and entirely the decision of Customers (Employers). Retaining, maintaining or deleting personal data of users is completely the choice as well as the responsibility of the Employers based on their requirements.
Matrix strongly suggests that there is no need to gather users’ personal data for any of the add-on modules such as the Time Attendance or Access Control solution.
Our mobile application is capable of capturing location, but we do not ask you for your location details. However, your employer may enable location tagging technology for timekeeping purposes. In this case, your consent to providing your location details is the legal basis for processing the data within the terms of GDPR.
Being a Time Attendance and Access Control Solution provider, we need unique identification of users for certain operational and authentication purposes. These unique identifiers are fingerprint, face and palm templates of users. However, gathering and utilizing users’ biometric data is completely optional and your employer may collect, utilize or delete it based on their requirements.
If our customers choose any of the optional People Mobility Management add-on modules offered by Matrix Comsec, then we shall keep users’ details and their event logs in order to carry out the necessary calculations and management as per Customer-set configurations. All the corresponding event logs will get removed from the software on deletion of a particular user. This consists of employee details such as User ID and name, and events along with timestamps. Activities done by authorized users possessing suitable roles and permission to update/add in the software will be logged in the system.
While using our Mobile Apps, we may ask for access to your Mobile device camera or gallery in order to capture or upload face images for enrollment and approval purposes. We may also ask you to enable Bluetooth in order to fetch your mobile identification number. We do not access your device’s camera, photo storage or Bluetooth settings without your permission. Once the mobile application is installed on your device, we may use your device hardware model, operating system version and unique device identifier to give you a better experience as per the configuration of your device. We may associate your device identifier number with your basic account information stored on the server.
Who is responsible for User’s Data
The Customer (Employer) using our software solution owns all the data of employees. Customers are fully responsible for maintaining or deleting the information of employees as per their requirements. Which user details are to be processed is also the decision of the Customer. Once the user details are deleted or updated by the Customer (Employer), the changes will be reflected in the database.
Who has the access to the Data
We store Users’ personal information in encrypted form in the database. Data exchange between devices and servers is likewise secured, using standardized protocols.
Employee data is completely handled by Customers (Employers). It is Customer’s or their Administrator’s sole responsibility to delete the Employee data which is no longer useful. Along with deletion of employee data, event logs associated with that particular employee in the past will also get permanently deleted from the database. Customers terminating the utilization of our services may raise a request for their data deletion, on which the Matrix team will permanently delete all their data from the database. User’s information which is deleted cannot be regained and is permanently removed from the database.
Matrix does not sell, share, transfer, rent or otherwise disclose the customer data to third parties except in certain circumstances:
From the perspective of GDPR compliance, if you are an employee from the European Economic Area (EEA), we process the information collected on Matrix Cosec Vyom on behalf of the customer (“Data Controller” from GDPR perspective), who has a legitimate interest in maintaining his employee information and the purpose of managing his business and adhering to his statutory compliance requirements.
The ownership of fulfilling all consent requirements for procurement and processing of personal information lies with the Customer (data controller). Matrix, being a technology partner for its customers, is not responsible for procuring or withdrawing consent from the data subject whose personal information is being captured.
We only handle customer data upon request from the customer. We are the processor of the customer data rather than the controller in terms of GDPR. Prior to or while the customer’s data is being stored in the service, the customer is responsible for complying with any applicable regulations or laws.
We process customer data on behalf of our customers, and as such, we adhere to their requests with regard to that data to the extent that it is practical for our service's performance.
As a data subject from the European Economic Area (EEA), you are entitled to the following rights under GDPR -
Our employee self-service portal and app provide full visibility to users of their entire personal data. Users can change the information that relates to them through our employee self-service portal and app. Inaccurate or outdated data may be rectified anytime. Users will be able to delete any of their personal information from our provided solution through our employee self-service portal or app if required. An authorized person having sufficient user rights can delete the data.
We may, if required, assist our customers in informing their employees and staff of the purpose of processing the personal information. We offer a wide range of capabilities to our customers, allowing them to access, edit and delete their personal data.
Any subject access request for access, rectification, modification, deletion or restriction of processing made to us will be directed to the customer, and we will support the customer in meeting any obligations to do so. As we have previously mentioned, our customers have the access to carry out these subject access requests independently. Matrix will intervene only upon customer request for assistance.
Our biometric devices and our people mobility management solution Matrix COSEC Vyom are meant to collect data related to biological aspects of the subject exposed to the same, which may also include children below the age of 13 years and for those children such Biometric data would be received/ collected and stored with the consent of guardians of the children.
Contact us
If you have any inquiries or grievances regarding this privacy statement or how we collect or process your personal information, you may contact us at:
vyomdpo@matrixcomsec.com
We review our privacy policy and practices at regular intervals and we reserve the right to change or update this privacy policy at any time. We will notify you of any changes by posting the revised policy and by updating the effective date of this policy. It is recommended to periodically visit the privacy policy to be acquainted with our privacy practices.