Data Protection Impact Assessment (summary)
Summary DPIA per GDPR Article 35 for the Dopusto leave management service.
Processing activities
- Employee records (name, EMŠO, tax ID, address, IBAN) for payroll and ZDR-1/ZEPDSV compliance.
- Leave data (types, dates, balances, documents such as sick notes).
- Identity data of operators and employees for system use.
- Technical data (IP, user agent) for security and audit trail.
Lawful basis
Processing is based on performance of the employment contract (art. 6(1)(b)), legal obligations (art. 6(1)(c); ZDR-1, ZEPDSV, ZVOP-2), and legitimate interest (art. 6(1)(f)).
Data subjects
Customer employees, HR operators, and Konsepto super admin staff.
Retention periods
Employment records: 10 years post-termination (ZEPDSV). After that, personal fields are auto-anonymised; only aggregate statistics remain.
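The auto-anonymisation step described above, as an added example that is not Dopusto's own code. The employees table, its column names, the anonymised_on marker and the leave_days_total aggregate are assumptions, and all rows are constructed; the job leaves current employees alone and handles a run date of 29 February.

```python
import sqlite3
from datetime import date

RETENTION_YEARS = 10  # retention period stated above
# Assumed column names for the personal fields this DPIA lists.
PERSONAL_FIELDS = ("name", "emso", "tax_id", "address", "iban")

def retention_cutoff(today: date) -> date:
    """Records terminated strictly before this date are past retention."""
    try:
        return today.replace(year=today.year - RETENTION_YEARS)
    except ValueError:
        # today is 29 Feb and the target year has none: use 1 March, so that
        # nothing terminated less than ten full years ago is touched.
        return date(today.year - RETENTION_YEARS, 3, 1)

def anonymise_expired(conn: sqlite3.Connection, today: date) -> int:
    """Null personal fields of expired records; return rows changed."""
    # Column names are module constants, never user input.
    assignments = ", ".join(f"{col} = NULL" for col in PERSONAL_FIELDS)
    cur = conn.execute(
        f"UPDATE employees SET {assignments}, anonymised_on = ? "
        "WHERE terminated_on IS NOT NULL "  # current employees are never touched
        "AND terminated_on < ? AND anonymised_on IS NULL",
        (today.isoformat(), retention_cutoff(today).isoformat()),
    )
    conn.commit()
    return cur.rowcount

def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (no real personal data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, tenant_id INTEGER, "
        "name TEXT, emso TEXT, tax_id TEXT, address TEXT, iban TEXT, "
        "terminated_on TEXT, anonymised_on TEXT, leave_days_total INTEGER)"
    )
    rows = [
        (1, 1, "Constructed A", "EMSO-A", "TAX-A", "Addr A", "IBAN-A", "2014-02-28", None, 212),
        (2, 1, "Constructed B", "EMSO-B", "TAX-B", "Addr B", "IBAN-B", "2014-03-01", None, 180),
        (3, 2, "Constructed C", "EMSO-C", "TAX-C", "Addr C", "IBAN-C", None, None, 35),
    ]
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print(anonymise_expired(db, date(2024, 2, 29)))
```

Dates are stored as ISO 8601 text, so the string comparison in the WHERE clause orders them correctly.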
Security measures
- TLS 1.3 in transit, AES-256-GCM for sensitive fields at rest (EMŠO, IBAN, 2FA secrets).
- Argon2id password hashing.
- TOTP 2FA mandatory for super admin and operators.
- Strict multi-tenant isolation via tenant_id filter on every query.
- Full audit log of critical operations (logins, decisions, exports, deletes).
Sub-processors
- Hetzner Online GmbH: EU hosting (Germany).
- Paddle.com Market Ltd.: Merchant of Record for payments (Ireland).
- Google LLC: Calendar sync (only with explicit employee consent).
Data subject rights
Access, rectification, deletion, restriction, portability and objection via /my/data or privacy@dopusto.si.
Full DPIA document available on request.