GDPR at PeopleForce

Last updated: June 01, 2025

At PeopleForce, we are fully committed to complying with the General Data Protection Regulation (GDPR) and supporting our customers and users in the European Union (EU) with transparency, control, and accountability. This page explains how we protect your personal data, what rights you have, and how our platform helps your organization stay compliant.

Our Commitment to GDPR Compliance

We align our data handling practices with the core principles of the GDPR:

Lawfulness, Fairness & Transparency

  • We process personal data only when there is a valid legal basis, such as performance of a contract, compliance with legal obligations, or explicit consent.
  • PeopleForce acts as a Data Processor; our customers are the Data Controllers. We process data solely based on their documented instructions under our Data Processing Agreement (DPA).

Purpose Limitation & Minimisation

  • Data is collected and used only for specified and legitimate purposes as outlined in our Privacy Policy and Terms of Service.
  • We collect only the minimum necessary data required to deliver our services.

Accuracy & Storage Limitation

  • Data Controllers are responsible for keeping data accurate and up to date. The PeopleForce platform provides tools for easy access, review, and correction.
  • Personal data is retained only as long as needed to fulfil its purpose or comply with legal requirements.

Integrity & Confidentiality

We implement a comprehensive set of technical and organizational measures to safeguard data, including:

  • Encryption in transit and at rest
  • Role-based access controls (RBAC)
  • Regular internal audits and third-party penetration testing
  • ISO 27001:2022-aligned security practices

GDPR Certification & External Audits

PeopleForce has successfully undergone an external GDPR compliance audit and was issued a formal GDPR compliance certificate by an independent third-party assessor.

This certification confirms that:

  • Our internal processes and controls align with GDPR requirements;
  • Data subject rights and consent mechanisms are respected and implemented;
  • Security risks are assessed and managed proactively.

A summary of our certification is available to customers under NDA upon request.

Data Residency & Transfers

All PeopleForce data is stored and processed exclusively within the European Union, using secure infrastructure located in Frankfurt, Germany.

We do not transfer personal data outside the EU under normal operations. If international transfers become necessary (e.g., for customer-authorized integrations or support), they will be executed strictly in line with Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Supplementary technical and organizational safeguards

More details are available on our Trust Hub.

Your Rights Under GDPR

As a data subject, you have the right to:

  • Access your personal data
  • Rectify inaccurate or outdated information
  • Erase your data (“right to be forgotten”)
  • Restrict or object to certain types of processing
  • Receive a copy of your data in a portable format
  • Lodge a complaint with a supervisory authority

How to Exercise Your Rights

Since PeopleForce is a Data Processor, we act on behalf of the Data Controller (typically your employer). You can:

  • Contact the Data Controller directly, or
  • Email us at security@peopleforce.io — we will promptly notify the Data Controller and help facilitate your request.

Frequently Asked Questions

How long does PeopleForce retain personal data?

We retain data only for as long as necessary to fulfill its original purpose or comply with legal and contractual obligations. Retention periods may vary by data type.

Is my data transferred outside the EU?

No. PeopleForce hosts all customer data in Frankfurt, Germany. If a cross-border transfer becomes necessary, we apply SCCs or other lawful safeguards.

What is PeopleForce’s role in data processing?

We are a Data Processor. Our customers define the purpose and means of processing as Data Controllers.

How is my data protected?

We apply industry-standard security measures, including encryption, RBAC, and continuous monitoring. For full details, visit our Trust Hub.

What if I suspect a data breach?

Report it to security@peopleforce.io. We will investigate and notify the Data Controller in accordance with our incident response process.

Contact & Support

For any GDPR-related inquiries or to submit a request:

We are transparent. We are secure. We are GDPR-compliant.