GDPR - Data Protection Guide

Everything you need to know

Updated over a week ago

Edition: All

User-level: All


What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation which will come into effect on the 25th May 2018. The GDPR aims to protect the personal information of all EU citizens. The regulation gives individuals control over how their personal data is collected, stored and used. Personal data is any piece of data that could identify a person, when used alone or along with other details. This regulation does not apply to business-related data, only to personal data.

Total Synergy is committed to being transparent with users about where personal data is stored in Synergy. In this help topic we explain how Total Synergy processes personal data, and what tools are available for people to view / control what personal data is stored by Total Synergy.

Total Synergy is committed to protecting our customers' data and follows the GDPR requirements and industry standards to protect customers' data. The data collected by Total Synergy is stored in the Microsoft Azure cloud. For information about Azure compliance with GDPR see Microsoft Azure GDPR guide.

Tips:

  • This document has been written by Synergy staff (who are not lawyers). The details below are only a guide on how to manage the GDPR regulations for personal data saved within Synergy.

  • Total Synergy offers tools and information as a resource, but we don’t offer legal advice. We recommend you contact your legal counsel to find out how the GDPR affects you.

  • View the full details of the GDPR regulations here.



What personal data does Synergy store?

Synergy stores three types of data that could contain personal details. Synergy personal data types are:

  1. Profile data

    • Synergy stores basic personal data as part of the Synergy profile as provided by users upon sign-up.

    • Anyone that has a login to Synergy has a user profile with optional personal data and a profile picture for use in Synergy available to be configured.

    • Learn more about the Synergy profile.

  2. Staff data

    • Each organisation in Synergy stores business data about its staff members.

    • Some personal data could also be stored as part of setting up this business data.

    • This data is stored as part of the staff record.

    • The organisation might store a combination of personal and business data in these records.

    • Learn more about Synergy staff records.

  3. Contact data - all contact types (Company, Personnel, Individual)

    • Each organisation in Synergy stores business data about its external contacts.

    • Some personal data might be stored as part of this business data.

    • This data is stored as part of the contact record.

    • The organisation might store a combination of personal and business data in these records.

    • Learn more about Synergy contact records.

Which of these personal data types applies to you depends on what type of user you are in Synergy, e.g. if you are a staff member at the organisation, you are unlikely to also have details about you in a contact record.

Details about the exact data we collect and the purposes for which we use personal information are available in the Total Synergy privacy policy. Synergy users agree to this privacy policy when they create a login profile.


Controller or processor in the Synergy application?

The GDPR refers to the terms Controller and Processor. Here we will look at what these terms mean, and if Synergy is a Controller or a Processor for each of the personal data stored.

  • Controller - This is an organisation or business that is collecting data from EU residents.

  • Processor - This is an organisation that processes the personal data on behalf of a data controller.

Synergy plays a different role for handling your personal data based on the data type:

  1. Profile data

    • For your Synergy user profile data, Synergy is the controller and processor of the data.

    • Synergy requests some fields in your user profile as mandatory when you sign up for a Synergy account, such as name and email address. Additional profile details that are optional (such as additional email addresses or phone numbers) can be entered later as required.

  2. Staff data

    • For the staff record data in your Synergy organisation, Synergy is the processor and your organisation which contains the staff record is considered the controller.

    • The organisation (owner/users) that entered your staff record in Synergy will complete the mandatory fields of name and work email address. Other details about a staff member can be entered as optional fields. Only people that work for that organisation can view the staff record or update the data, making the organisation the controller of the data.

  3. Contact data - all contact types (Company, Personnel, Individual)

    • For a contact record, Synergy is the processor and the organisation in Synergy which contains the contact record is considered the controller.

    • The organisation (owner or users) can enter a contact record in Synergy, and the only mandatory field for a contact is the name. Other details about the contact can be entered as optional fields. Only people that work for that organisation can update the staff record details, making that organisation the controller of the data.


GDPR new individual rights for personal data and how they affect Synergy

A. Right of access

Right of access in the GDPR means that individuals have the right to know what data about them is being processed and how.

In Synergy we can provide the individual their personal data using the extract or using 'on-screen' methods below. Synergy personal data options and how to obtain these details:

  1. Profile data

    1. To see a Synergy profile you need to be logged into the application at app.totalsynergy.com

      1. Select the 'edit profile' option from the top right 'profile toolbar menu'.

      2. The profile data stored is viewable in the edit profile page only by the logged in user. Learn more about the difference between a Staff file and User profile.

    2. Export an extract of the profile data, by:

      1. Opening the edit profile page.

      2. Select the '...' button > and choose the 'Export profile to Excel' option.

      3. An Excel file with all the Synergy profile details will be downloaded.

    3. The profile picture is not exported to the Excel file. If required save a copy of the profile image to your local folder.

  2. Staff data

    1. Staff details can be seen after logging into Synergy and using the organisation drop down menu > selecting the 'Staff' option > selecting to open the specific staff member from the list of all staff.

    2. Based on your staff access level in Synergy, different details will be available on a staff record. If you are a Director or System Administrator then you can view all the details on the staff record. If you are set at any other access level then you can only view the general details for the staff record.

    3. The personal data for a staff record is available in these staff sub menu options:

      • Staff > Details

      • Staff > Documents

      • Staff > Notes

    4. Exporting the staff details to Excel can be done by a Director level staff member at the organisation (the organisation is the controller of those details). Export the details to Excel by:

      1. Open the staff record to the details page.

      2. Select the '...' button > choose the 'Export staff to excel' option.

      3. An excel file with the staff general details is downloaded by your browser.

Tip:

  • The Staff notes and Staff documents are not exported to the excel file. If these details have been entered / uploaded, then a manual extract of these details would need to be completed by the System Administrator at that organisation.

  • If a profile picture is shown for a contact record in Synergy, the user has set up that picture in their own personal profile. They control what image is shown for themselves within Synergy. If they have not uploaded a profile picture then we use a letter image that is created by default using the initials entered in their name.

  3. Contact data

    1. Contact details can be seen after logging into Synergy in:

      • Contacts area - Use the organisation drop down menu and select the contacts option. Select a contact from the list to view the details.

      • List views - When a contact is shown as a column in the list in Synergy you can click the name if it is shown in green / teal color to open a pop-up page with the contact details listed. e.g. Project list page, Invoices list page and more have the column contact included in the default view.

    2. Contacts can be added and updated by any staff members that work at that Synergy organisation.

    3. The contacts can have personal data stored under these sub menu options:

      • Contact > Details

      • Contact > Documents

      • Contact > Notes

    4. To receive an extract of this data, please contact your controlling organisation which can extract the data for you (using the export to excel)

    5. Exporting the contact details to Excel can be done by a Director level staff member at the organisation (the organisation is the controller of those details). Export the details to Excel by:

      • Open the contact record to the details page.

      • Select the '...' button > choose the 'Export contact to excel' option.

      • An excel file with the contact general details is downloaded by your browser.

      • Repeat this for each contact record for which you need the details exported to Excel.

Tips:

  • Synergy has three types of contacts: Companies, personnel, and individuals. Each of these contact types can have the same personal / business details stored within the record.

  • If a profile picture is shown for a contact record in Synergy, the user has set up that picture in their own personal profile. They control what image is shown for themselves within Synergy. If they have not uploaded a profile picture then we use a letter image that is created by default using the initials entered in their name.

  • The Contact notes and Contact documents are not exported to the excel file. If these details have been entered / uploaded, then a manual extract of these details would need to be completed by the System Administrator at that organisation.

B. Right to rectification

Right to rectification in the GDPR means that the individual may request that incomplete data be completed, or that incorrect data be corrected.

In Synergy we can provide the individual with their personal data by following the extract options listed in part A above (right of access). Synergy personal data can then be corrected or updated by:

  1. Profile data

    1. To rectify your profile data login to Synergy and use the toolbar menu in the top right of the page and select > edit profile.

    2. Use the Synergy Profile page to update the details as required.

  2. Staff data

    1. To rectify the data in your staff record, please contact the System Administrator or Owner of the Synergy organisation (controller).

    2. The controller of the data can login to Synergy and use the Staff feature and sub menus as required to update the details on your staff record in that Synergy organisation.

  3. Contact data

    1. To rectify the data in a contact record, please contact a Staff member or Owner of the Synergy organisation (controller).

    2. The controller of the data can login to Synergy and use the Contacts feature and related sub menus to update the details as required on the staff record.

Tips:

  • In your Synergy profile you must always have at least one email address listed, and you cannot edit the username set up when you created the account initially.

  • Staff records allow you to edit all the general details saved for the record, and the saved record must always have a name and an email address.

  • Contact records allow you to edit all the general details saved for the record, and the saved record must always have a name.

C. Right to object

Right to object in the GDPR means that an individual may prohibit certain data from being used.

In Synergy we can provide the requesting individual with their personal data by following the options in part A above (right of access). Synergy personal data can then be updated or removed from Synergy by:

  1. Profile data

    1. Most of the personal data in the profile page is optional. Update the fields to be blank to remove the data from Synergy.

    2. Profiles are required to have a first and last name, and a primary work email address. All other data can be removed as required.

  2. Staff data

    1. The personal data in the staff record is optional. Staff can contact the System Administrator or Owner at their organisation (the data controller) and request that they remove any of the optional personal data stored in their contact record.

    2. Staff records require that a name and email address is entered on each record.

  3. Contact data

    1. The personal data in the contact record is optional. Contacts can talk to the System Administrator or Owner at their organisation (the data controller) and request that they remove any of the optional personal data stored in the contact record.

    2. Contacts require that a name is entered on each record.

Tips:

  • In your Synergy profile you must always have at least one email address listed, and you cannot edit the username set up when you created the account initially.

  • Staff records allow you to edit all the general details saved for the record, and the saved record must always have a name and an email address.

  • Contact records allow you to edit all the general details saved for the record, and the saved record must always have a name.

D. Right to be forgotten

Right to be forgotten in the GDPR means that the individual may request that an organisation delete all data on that individual as quickly as possible.

In Synergy we can provide the requesting individual with their personal data by following the options in part A above (right of access). Synergy personal data can then be deleted by:

  1. Profile data

    1. Synergy users can use the edit profile page and remove any personal data as required.

    2. Synergy users can delete their profile by:

      1. Select the profile menu by selecting your profile picture in the toolbar top right corner, then select edit profile.

      2. Select the '...' button in the top right of the edit profile page > delete.

      3. Click 'delete' on the confirmation pop-up.

      4. You will now be logged out of Synergy, as you no longer have a valid account.

    3. Important note: Deleting a profile doesn't delete any Synergy organisations or project portals. Any content you added into an organisation or portal will remain. The content already in the Synergy organisation / portal is business related data, and is retained for legal reasons.

  2. Staff data

    1. Staff members in an organisation can contact their employer organisation (data controller) to delete their personal data.

    2. The employing organisation (data controller) can change the staff record details in Synergy if they have System Administrator or Director access levels.

      1. Select the Organisation menu and select the staff option.

      2. Locate the staff member that wants their details updated in the list and click the record to open it.

      3. Review the record, and click the edit button to remove any personal (non-business related) information in the staff record.

      4. Delete any notes or documents from the relevant tabs that contain personal information about the staff member as well.

    3. The employing organisation needs to retain business-related data as required by law.

    4. The staff record cannot be deleted. It can be set as inactive if the staff member has now left the organisation. The organisation needs to keep the staff record with at least the employee's name and work email address in Synergy, as data has been created in the system linked to that record.

  3. Contact data

    1. Contacts can get in touch with the organisation who has them included as a contact record (company / personnel / individual types) (data controller) to delete their personal data.

    2. The organisation (data controller) can get a Synergy staff member to:

      1. Use the Organisation menu and select the Contacts option.

      2. Locate the contact record in the list to open the record.

      3. Edit the contact record and review and delete all personal information by making the fields blank. The contact records must remain with at least the 'name' details completed.

      4. If required also remove any notes or contact documents that contain personal details.

    3. The contact record can only be deleted if it is not linked to any other Synergy records: Personnel, Projects, Invoices etc. Set the contact as inactive if the contact should no longer be used in Synergy. The organisation needs to keep the contact record with at least the name in Synergy, as data has been created in the system linked to that record.

Tips:

  • Your Synergy profile can only be deleted if you are not listed as the 'Owner' of any Synergy subscriptions. If you have any active Synergy subscriptions paid or trial where you are the owner then the record cannot be deleted.

  • Staff records cannot be deleted. Mark the staff member as terminated / inactive if they have left the organisation. Edit the staff record to remove the personal information. A name and work email address is required to remain on the record.

  • Contact records can only be deleted if they are not linked to any personnel, projects, or invoices. Mark the contact as terminated / inactive if they should no longer be part of projects. Edit the contact record to remove the personal information. A name is required to remain on the record.

E. Data portability

Right to data portability in the GDPR means that the individual may request that personal data held by one organisation be transported to another organisation.

In Synergy we can provide the requesting individual with their personal data by following the options in part A above (right of access). Synergy personal data can then be exported by:

  1. Profile data

    1. Export an extract of the profile data, by:

      1. Opening the edit profile page.

      2. Select the '...' button > and choose the 'Export profile to Excel' option.

      3. An Excel file with all the Synergy profile details will be downloaded.

  2. Staff data

    1. To receive an extract of your staff record data, please contact your employer. The organisation that has the Synergy subscription can export these details to Excel.

    2. Exporting the staff details to Excel can be done by a Director level staff member at the organisation (the organisation is the controller of those details). Export the details to Excel by:

      1. Open the staff record to the details page.

      2. Select the '...' button > choose the 'Export staff to excel' option.

      3. An excel file with the staff general details is downloaded by your browser.

  3. Contact data

    1. To receive an extract of the contact data, please contact the Synergy organisation. A staff member at that organisation can then export these details to Excel.

    2. Exporting the contact details to Excel can be done by a Director level staff member at the organisation (the organisation is the controller of those details). Export the details to Excel by:

      1. Open the contact record to the details page.

      2. Select the '...' button > choose the 'Export contact to excel' option.

      3. An excel file with the contact general details is downloaded by your browser.

      4. Repeat this for each contact record for which you need the details exported to Excel.

F. Data sovereignty

The data collected by Total Synergy is stored in the Microsoft Azure Cloud. This data is stored in the USA. As changes in laws and data privacy frameworks happen, including recent changes to the EU-US Data Privacy Framework, Total Synergy is committed to compliance once all requirements are clarified.

Regarding Protecting privacy in Microsoft Azure and GDPR, Microsoft says:

“Microsoft has an enduring commitment to protect data privacy, not as an afterthought, but built into Microsoft Azure from the ground up. Microsoft designed Azure with industry-leading security controls, compliance tools, and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. These also help you comply with other important global and regional privacy standards such as ISO/IEC 27018, EU-U.S. Privacy Shield, EU Model Clauses, HIPAA/HITECH, and HITRUST.”

Synergy add-on partners and the GDPR

Synergy can export or send contact and staff details to third-party products e.g. accounting interfaces, or other API integrations. If you are using an interface to export Synergy data, then please review the other software company / product website for more details on how they are managing the GDPR requirements.

