
GDPR Compliance

Last updated: May 8, 2026

Note: This is not legal advice. GDPR obligations vary by jurisdiction, company size, and use case. We recommend consulting a qualified data protection officer or legal counsel for your specific situation.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that governs the collection, storage, and processing of personal data of individuals in the EEA (European Economic Area). It came into force on May 25, 2018. If your organisation is based in the EU, or if you monitor employees who are EU residents, GDPR applies to your use of Tracknesty.

2. Our Roles Under GDPR

Under GDPR, there are two key roles:

• Data Controller — the entity that determines the purposes and means of processing personal data. This is YOU — the employer using Tracknesty.
• Data Processor — the entity that processes personal data on behalf of the controller. This is Tracknesty.

As your data processor, Tracknesty processes employee monitoring data strictly on your instructions and in accordance with our Data Processing Agreement (DPA). You, as the employer, remain the data controller and are responsible for establishing a lawful basis for monitoring.

3. Lawful Basis for Monitoring

GDPR requires you to have a valid lawful basis before monitoring employees. Common lawful bases applicable to employee monitoring include:

• Legitimate Interests — monitoring for productivity, security, or fraud prevention, balanced against employee privacy rights.
• Contractual Necessity — where monitoring is necessary to fulfil an employment contract.
• Legal Obligation — where monitoring is required by law (e.g., financial sector regulations).
• Consent — where employees have freely and explicitly consented. Note: consent in an employment context is generally not considered freely given and is the weakest basis.

We strongly recommend consulting with a data protection officer (DPO) or legal counsel to determine the appropriate lawful basis for your specific situation.

4. Employee Transparency & Notice

GDPR requires that you inform employees about the monitoring you perform. Your employee privacy notice should include:

• What data is collected (screenshots, app usage, URLs, attendance)
• Why it is collected and the lawful basis
• Who has access to it
• How long it is retained
• Their rights as data subjects

Tracknesty is designed with transparency in mind — the desktop agent is always visible in the system tray and is never hidden. However, you are responsible for ensuring employees receive adequate written notice before monitoring begins.

5. Data Subject Rights

Under GDPR, your employees (as data subjects) have the following rights, which you as the data controller must uphold:

• Right of Access (Article 15) — employees can request a copy of their personal data.
• Right to Rectification (Article 16) — employees can request correction of inaccurate data. Tracknesty's correction-request workflow supports this.
• Right to Erasure (Article 17) — employees can request deletion of their data in certain circumstances.
• Right to Restriction of Processing (Article 18) — employees can request that processing be limited.
• Right to Data Portability (Article 20) — employees can request their data in a machine-readable format.
• Right to Object (Article 21) — employees can object to processing based on legitimate interests.

Requests should be directed to your HR or IT department. You have 30 days to respond.

6. Data Minimisation

GDPR requires that you collect only the minimum data necessary for your stated purpose. Tracknesty gives you full control over what is monitored:

• Screenshot intervals are configurable — use longer intervals if your purpose doesn't require frequent captures.
• Browser and app tracking can be configured per-team or per-member.
• Live screen streaming should only be used for documented operational purposes.

We recommend reviewing your configuration to ensure it aligns with your stated monitoring purpose and doesn't collect more data than necessary.

7. Data Retention

GDPR requires you to retain personal data only for as long as necessary. You should define and document a data retention schedule for monitoring data. Tracknesty allows you to delete screenshots, activity logs, and attendance records at any time through the admin dashboard. When your account is cancelled, all data is permanently deleted after 30 days. We recommend setting a clear retention period (e.g., 90 days for screenshots, 1 year for attendance records) and communicating this in your employee privacy notice.

8. International Data Transfers

If your employees are in the EEA and your Tracknesty instance is hosted outside the EEA, you must ensure an appropriate transfer mechanism is in place, such as:

• Standard Contractual Clauses (SCCs)
• An adequacy decision by the European Commission

Tracknesty is a self-hosted platform — your monitoring data is stored on your own server or VPS. You choose the hosting location. Ensure your hosting is in an EEA-adequate jurisdiction if your employees are EU residents.

9. Data Processing Agreement (DPA)

GDPR Article 28 requires a written Data Processing Agreement between a data controller and any data processor. As your processor, Tracknesty provides a DPA upon request. To obtain a DPA for your organisation, email support@tracknesty.com with the subject line "DPA Request". We will provide a signed agreement within 5 business days.

10. Contact

For GDPR-related queries, DPA requests, or data subject rights assistance:

Email: support@tracknesty.com
Response time: within 3 business days
