GDPR Compliance - OsaBox HR

Last Updated: April 21, 2025

This document outlines how OsaBox HR complies with the General Data Protection Regulation (GDPR) and protects the privacy rights of data subjects in the European Economic Area (EEA), United Kingdom, and Switzerland.

1. Introduction to GDPR
2. Our Commitment to GDPR Compliance
3. Data Controller and Processor Roles
4. Legal Basis for Processing
5. Data Subject Rights
6. Data Protection Measures
7. International Data Transfers
8. Data Breach Management
9. Data Protection Officer
10. Data Protection Impact Assessments
11. Records of Processing Activities
12. Third-Party Vendors and Subprocessors
13. Data Processing Agreements
14. Contact Information

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations operating within the European Union (EU) and European Economic Area (EEA), as well as non-EU organizations that offer goods or services to EU residents or monitor the behavior of EU residents.

The GDPR strengthens individuals' rights regarding their personal data and imposes strict requirements on how organizations must handle and protect this data. Key principles include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

2. Our Commitment to GDPR Compliance

At OsaBox HR, we are committed to protecting the privacy and security of personal data. We have implemented comprehensive measures to ensure compliance with the GDPR and other applicable data protection laws. Our commitment includes:

Privacy by Design

We incorporate data protection principles into our products and services from the earliest stages of development.

Data Security

We implement robust technical and organizational measures to protect personal data against unauthorized access or disclosure.

Transparency

We provide clear information about how personal data is collected, used, and shared through our Privacy Policy and other notices.

User Rights

We respect and facilitate the exercise of data subject rights under the GDPR, including access, rectification, erasure, and portability.

3. Data Controller and Processor Roles

Under the GDPR, organizations are classified as either data controllers or data processors, each with specific responsibilities:

3.1 OsaBox as a Data Controller

We act as a data controller for the personal data we collect directly from our clients, potential clients, and website visitors. This includes account information, business information, payment data, and usage data that we collect to provide and improve our Services.

As a data controller, we determine the purposes and means of processing this personal data and are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate compliance with the GDPR.

3.2 OsaBox as a Data Processor

We act as a data processor for the employee data that our clients upload or create within our platform. Our clients (typically employers or HR departments) are the data controllers for this information.

As a data processor, we process this personal data only on documented instructions from the data controller (our client) and have implemented appropriate technical and organizational measures to ensure the security of processing.

4. Legal Basis for Processing

Under the GDPR, organizations must have a valid legal basis for processing personal data. The legal bases we rely on include:

4.1 For Client Data (where we are the data controller)

Legal Basis	Examples
Contractual Necessity	Processing necessary to perform our contract with you, such as creating your account, processing payments, and providing our Services.
Legitimate Interests	Processing necessary for our legitimate interests, such as improving our Services, preventing fraud, ensuring network and information security, and direct marketing to business contacts.
Consent	Processing based on your specific consent, such as sending marketing communications to individuals where required by law.
Legal Obligation	Processing necessary to comply with a legal obligation, such as keeping records for tax purposes.

4.2 For Employee Data (where we are a data processor)

Our clients, as data controllers, are responsible for establishing and documenting the legal basis for processing their employees' personal data. We process this data solely on their instructions as outlined in our Data Processing Agreement.

5. Data Subject Rights

The GDPR provides individuals (data subjects) with several rights regarding their personal data. We respect these rights and have implemented procedures to facilitate their exercise:

Rights of Data Subjects under GDPR

Right to be informed: You have the right to be informed about the collection and use of your personal data.
Right of access: You have the right to request a copy of your personal data that we hold.
Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
Right to erasure: You have the right to request the deletion of your personal data under certain circumstances.
Right to restrict processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
Right to data portability: You have the right to request that we transfer your personal data to another organization or directly to you.
Right to object: You have the right to object to the processing of your personal data under certain circumstances.
Rights related to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

5.1 How to Exercise Your Rights

If you wish to exercise any of these rights regarding personal data for which we are the data controller, please contact us using the information provided in the "Contact Information" section below.

If you are an employee of one of our clients and wish to exercise your rights regarding personal data processed through our platform, please contact your employer (our client) directly. As a data processor, we will assist our clients in fulfilling these requests as required by our Data Processing Agreement.

6. Data Protection Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

6.1 Technical Measures

Encryption: We use industry-standard encryption for data in transit (TLS/SSL) and at rest.
Access Controls: We implement strict access controls, including strong authentication, role-based permissions, and least privilege principles.
Network Security: Our infrastructure is protected by firewalls, intrusion detection systems, and regular security monitoring.
Regular Backups: We perform regular backups of data to prevent loss in case of technical failures.
Security Testing: We conduct regular security assessments, including vulnerability scanning and penetration testing.

6.2 Organizational Measures

Staff Training: All staff members receive regular training on data protection and security practices.
Policies and Procedures: We have implemented comprehensive policies and procedures for data protection, including a Data Protection Policy, Security Policy, and Incident Response Plan.
Data Protection Impact Assessments: We conduct DPIAs for high-risk processing activities.
Vendor Management: We assess the data protection practices of our vendors and have appropriate contractual safeguards in place.
Documentation: We maintain records of processing activities and other documentation required by the GDPR.

7. International Data Transfers

We may transfer personal data to countries outside the EEA, UK, or Switzerland. When we transfer personal data to countries that have not received an adequacy decision from the European Commission, we implement appropriate safeguards to ensure that your personal data receives an adequate level of protection.

7.1 Transfer Mechanisms

We use one or more of the following mechanisms for international data transfers:

Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs when transferring personal data outside the EEA.
Binding Corporate Rules (BCRs): Where applicable, we may rely on approved BCRs for intra-group transfers.
Adequacy Decisions: Where available, we transfer data to countries that have received an adequacy decision from the European Commission.
Derogations: In limited circumstances, we may rely on GDPR derogations such as explicit consent or contractual necessity.

7.2 Supplementary Measures

Following the Schrems II decision by the Court of Justice of the European Union, we also implement supplementary measures as necessary to ensure an essentially equivalent level of protection for transferred data, including technical measures (e.g., encryption), contractual measures, and organizational measures.

8. Data Breach Management

We have implemented a comprehensive Data Breach Response Plan to detect, respond to, and manage personal data breaches in accordance with the GDPR.

8.1 As a Data Controller

If we become aware of a personal data breach that may pose a risk to the rights and freedoms of individuals, we will:

Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Document the facts relating to the breach, its effects, and the remedial action taken.

8.2 As a Data Processor

If we become aware of a personal data breach involving data we process on behalf of our clients, we will:

Notify the data controller (our client) without undue delay.
Provide the data controller with information about the breach to assist them in fulfilling their notification obligations.
Cooperate with the data controller to investigate and remediate the breach.

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our compliance with the GDPR and other data protection laws. Our DPO is responsible for:

Informing and advising us and our employees about our obligations under data protection laws
Monitoring compliance with data protection laws and our internal policies
Providing advice on Data Protection Impact Assessments
Cooperating with supervisory authorities
Acting as a contact point for data subjects and supervisory authorities

You can contact our DPO using the information provided in the "Contact Information" section below.

10. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. Our DPIA process includes:

Systematically describing the processing operations and purposes
Assessing the necessity and proportionality of the processing
Identifying and assessing risks to data subjects
Identifying measures to address those risks
Consulting with the supervisory authority where high risks remain after mitigation

We maintain records of all DPIAs conducted and their outcomes.

11. Records of Processing Activities

We maintain records of our processing activities as required by Article 30 of the GDPR. These records include:

11.1 As a Data Controller

Our name and contact details, and where applicable, those of our representative and DPO
The purposes of the processing
A description of the categories of data subjects and personal data
The categories of recipients to whom the personal data has been or will be disclosed
Transfers of personal data to third countries or international organizations
The envisaged time limits for erasure of the different categories of data
A general description of the technical and organizational security measures

11.2 As a Data Processor

Our name and contact details, and where applicable, those of our representative and DPO
The categories of processing carried out on behalf of each controller
Transfers of personal data to third countries or international organizations
A general description of the technical and organizational security measures

12. Third-Party Vendors and Subprocessors

We carefully select and manage vendors and subprocessors who may access or process personal data. Our vendor management process includes:

Conducting due diligence on vendors' data protection practices
Entering into appropriate contractual arrangements that include data protection provisions
Regularly monitoring and reviewing vendor compliance
Maintaining a list of approved subprocessors

We provide our clients with information about our subprocessors and notify them of any intended changes to our subprocessor list as required by our Data Processing Agreement.

13. Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with:

Our Clients: When we act as a data processor for personal data they control.
Our Vendors: When they act as subprocessors for personal data we process on behalf of our clients or for personal data we control.

Our DPAs include all the elements required by Article 28 of the GDPR, including:

The subject matter and duration of the processing
The nature and purpose of the processing
The type of personal data and categories of data subjects
The obligations and rights of the data controller
Processing only on documented instructions from the controller
Confidentiality commitments from personnel
Security measures
Subprocessor engagement requirements
Assistance with data subject rights
Assistance with breach notification, DPIAs, and consultations
Deletion or return of data at the end of the processing
Audit and inspection rights

14. Contact Information

If you have any questions about our GDPR compliance or wish to exercise your rights under the GDPR, you can contact us at:

OsaBox Limited
74A, Sichizya Road
Lusaka, Zambia

Data Protection Officer
Email: dpo@osabox.co

EU Representative
Email: eu-rep@osabox.co

Table of Contents