GreenSignature Workplace Wellness Index™ – GDPR Statement Addendum

This GDPR Statement Addendum explains how the GreenSignature Workplace Wellness Index™ is architected as a privacy-by-design, zero-data-retention workplace wellbeing tool compliant with EU GDPR principles.

Issued by: GreenSignature™
Website: https://greensignature.org/
Contact: hello@greensignature.org
Regulatory Framework: EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679

This addendum should be read together with the Legal Usage Policy & HR Deployment Manual when deploying the Workplace Wellness Index™ in organisations within or aligned to EU GDPR jurisdictions.

1. Purpose of This GDPR Addendum

The purpose of this GDPR Statement Addendum is to clarify how the GreenSignature Workplace Wellness Index™ aligns with the requirements, principles and spirit of the EU General Data Protection Regulation (GDPR), particularly in relation to:

Data minimisation and purpose limitation
Privacy by design and default
Storage limitation and data security
Data subject rights and organisational responsibilities

2. Data Controller & Data Processor Status

In the context of the GreenSignature Workplace Wellness Index™ as implemented on the official GreenSignature website:

GreenSignature™ acts solely as a technology publisher.
GreenSignature™ does not act as a Data Controller for assessment responses.
GreenSignature™ does not act as a Data Processor for assessment responses.

All scoring and report generation occur locally in the user’s browser. No assessment responses are sent to or stored on GreenSignature servers.

3. Nature of Data Processed

The Workplace Wellness Index™ is engineered such that GreenSignature™ does not collect, store or process any of the following:

Personally Identifiable Information (PII)
Psychological or health data on servers
Employee identifiers or HR system IDs
Behavioural profiles, tracking or analytics linked to responses

Optional fields such as name, age or nature of work are used purely for local PDF labelling and are not transmitted or centrally stored.

4. Lawful Basis for Processing (GDPR Article 6)

As GreenSignature™ does not receive or retain assessment data, Article 6 lawful basis conditions are not directly triggered at the GreenSignature level.

If an organisation chooses to collect or store reports externally (e.g. employees email their PDF reports to HR), the organisation becomes the Data Controller and must independently ensure a lawful basis for processing under GDPR, typically:

Article 6(1)(a): Explicit, informed consent, or
Article 6(1)(f): Legitimate interest, with full safeguards and transparency.

5. Special Category Data (Article 9)

If stored centrally, wellbeing-related information can fall under special category data (health-related) in GDPR terms. However:

GreenSignature™ does not store any such data.
No centralised health or psychological record is created by GreenSignature™.

Any organisation downloading, storing or linking reports to identifiable individuals bears full responsibility for meeting Article 9 conditions (e.g. explicit consent, DPIA, restricted access).

6. Data Minimisation, Purpose Limitation & Storage Limitation

The Workplace Wellness Index™ aligns with GDPR principles of data minimisation, purpose limitation and storage limitation by design:

No assessment responses are collected or stored by GreenSignature™.
The tool is strictly limited to self-reflective wellbeing awareness.
No automated cross-session profiling or long-term behavioural tracking is performed.

7. Integrity & Confidentiality (Article 5(1)(f))

Integrity and confidentiality are protected through:

Local-only scoring and PDF generation.
No server-side storage of responses.
No integration with HRIS, CRM or ERP by default.
Anti-copy and domain-protection mechanisms (best-effort) for test integrity.

8. Data Subject Rights (Articles 12–22)

Because GreenSignature™ does not store personal data from the assessment, the usual data subject rights (access, rectification, erasure, restriction, portability, objection) apply primarily to any organisation that chooses to store assessment results.

GreenSignature™ does not perform:

Automated decision-making for employment.
Profiling linked to stored user identities.

9. International Data Transfers (Chapter V)

As no personal data related to wellness responses is sent to GreenSignature servers, no international data transfers occur in the operation of this tool.

If an organisation chooses to export or store data across borders independently, it must ensure appropriate transfer safeguards (e.g. SCCs, adequacy decisions) under GDPR.

10. Data Breach Notification

Since GreenSignature™ does not store any assessment data:

The risk of a reportable data breach relating to assessment responses is structurally minimised.
GDPR breach notification obligations relating to assessment storage fall upon organisations that independently store reports.

11. Employer Compliance Obligations

Organisations that collect, store or analyse employee reports from the Workplace Wellness Index™:

Act as independent Data Controllers for such data.
Must implement access controls, encryption and limited retention policies.
May be required to conduct a Data Protection Impact Assessment (DPIA).
Must communicate clearly with employees about how their data will be used and stored.