We are committed to maintaining the accuracy, confidentiality, and security of your personal data. Our privacy policy outlines how we collect, use, and protect your information in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. We adhere to the core principles of transparency, accountability, and data minimization to ensure that your privacy rights are fully respected.

1. Introduction

We are committed to ensuring the accuracy, confidentiality, and security of the personal data we process. As part of this commitment, we comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, which governs the collection, use, disclosure, and protection of personal data within the European Union. We have designated a Data Protection Officer (DPO) who is responsible for overseeing compliance with this privacy policy and addressing any inquiries related to data protection.

2. Identifying Purposes
In accordance with Article 5(1)(b) of GDPR (Purpose Limitation), we collect, use, and disclose only the data necessary to provide our services, including employee stress and burnout analysis. The purposes for data collection will be clearly identified before or at the time of collection.

We do not process personal data for any purpose beyond the one explicitly stated, unless further processing is compatible with the original purpose or the data subject has provided explicit consent in accordance with Article 6(1)(a) and Article 9(2)(a) of GDPR.

3. Lawful Basis for Processing & Consent

Under Article 6 of GDPR, we ensure that all data processing activities have a lawful basis. Given that stress and burnout data may involve sensitive health-related information, we process such data only under Article 9(2)(a) (Explicit Consent).

Providing personal data is voluntary, but refusal may impact the availability of certain services. We never condition the supply of a product or service on excessive data collection, in accordance with Article 7(4) of GDPR. Employees may withdraw their consent at any time by contacting our DPO. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

4. Data Minimization & Limiting Collection

As per Article 5(1)(c) (Data Minimization), we collect only the minimum amount of data required for conducting employee stress analysis. We do not collect unnecessary personal details such as private addresses, unrelated medical records, or data that does not directly contribute to workplace well-being assessment.

Data is collected only through legitimate channels, such as:

• Direct input by employees (e.g., self-reported surveys)

• Company-approved assessments

• Voluntary participation in research

Employees are informed about the voluntary nature of data collection and can choose not to participate without penalty.

5. Data Use, Disclosure & Retention

5.1 Data Use

Personal data is used strictly for workplace stress assessment and burnout prevention strategies. In compliance with Article 5(1)(b) (Purpose Limitation), data is not repurposed for marketing or non-health-related analytics without additional explicit consent.

5.2 Data Sharing & Disclosure

We do not sell or share employee personal data with third parties unless:

• There is a legal obligation (Article 6(1)(c) of GDPR)

• The employee has given explicit consent (Article 6(1)(a))

• The data is fully anonymized and aggregated

In cases where external partners (e.g., third-party analytics tools) are involved, Data Processing Agreements (DPAs) are in place, ensuring that external processors comply with GDPR standards (Article 28).

5.3 Data Retention Policy

In compliance with Article 5(1)(e) (Storage Limitation), personal data is retained only for as long as necessary. Data is securely deleted when:

• It is no longer required for the stated purpose

• An employee withdraws consent (Article 17 - Right to Erasure)

• The retention period mandated by law expires

We maintain a data retention schedule, ensuring compliance with GDPR’s strict data storage principles.

6. Accuracy of Personal Data

Under Article 5(1)(d) (Accuracy Principle), we ensure that personal data remains accurate, complete, and up to date. Employees have the right to review and request corrections (Article 16 – Right to Rectification). Employees can review and update their data by submitting a request to the DPO or through our employee portal, where applicable.

7. Security Measures & Data Protection

As per Article 32 (Security of Processing), we implement strong encryption, pseudonymization, and access controls to prevent unauthorized access to personal data. Our security measures include:

• Data Encryption (both in transit and at rest)

• Role-Based Access Control (RBAC) to limit internal access

• Secure cloud storage with GDPR-compliant providers

• Regular security audits to identify and mitigate risks

In the event of a data breach, we adhere to Article 33 (Notification of a Personal Data Breach) and notify the relevant supervisory authority within 72 hours, as well as affected individuals if there is a high risk to their rights and freedoms (Article 34).

8. Employee Rights & Data Access

Under Articles 12-23 of GDPR, employees have the right to:

• Access their personal data (Article 15 - Right of Access)

• Correct inaccurate data (Article 16 - Right to Rectification)

• Request data deletion (Article 17 - Right to Erasure / Right to be Forgotten)

• Restrict processing (Article 18 - Right to Restriction of Processing)

• Object to certain processing activities (Article 21 - Right to Object)

• Receive their data in a portable format (Article 20 - Right to Data Portability)

• 
  

9. True Anonymization vs. Pseudonymization

Under Recital 26 of GDPR, if data is fully anonymized, GDPR no longer applies. However, to ensure compliance:

• Anonymized Data – Data is irreversibly stripped of identifiers (e.g., name, ID, email). Indirect identifiers (e.g., location, job title) are also handled carefully.

• Pseudonymized Data – Data is replaced with codes, but it can still be re-linked to an individual. GDPR still applies in this case (Article 4(5)).

• Aggregated Data for Analytics – If only statistical summaries are retained (e.g., "average stress levels per department"), with no possibility of re-identification, GDPR restrictions do not apply.

  
  

10. Cookies & Online Tracking

Our website uses cookies to improve functionality and user experience. Cookies may collect technical data, but they do not store personal information without consent (in compliance with Article 6(1)(a)). Users may:

• Disable cookies via browser settings

• Opt-in/opt-out of tracking cookies where required

  
  

11. Third-Party Links & External Websites
Our website may contain links to third-party sites. These sites are not covered by this privacy policy, and we are not responsible for their data practices. We recommend reviewing their privacy policies before sharing any personal data.

12. Handling Privacy Complaints & Questions
For any concerns regarding data privacy or GDPR compliance, employees may contact us through our Contact Us page.

Conclusion

We are fully committed to GDPR compliance and ensure that all employee stress and burnout data is handled with the highest level of security, transparency, and individual rights protection.