Purpose of Processing
Scello processes personal data to provide a high-integrity proof-of-work platform for the construction industry. The platform enables workers to generate court-admissible evidence of their labour, thereby protecting against wage theft and ensuring fair compensation.
The primary data processing activities include:
- Work session tracking — recording start and end times, GPS location, and device telemetry during active work sessions to establish an immutable record of attendance and location.
- Biometric data — collecting heart rate data from wearable devices as a liveness signal to verify that a real person was present during the recorded session.
- Device information — storing device identifiers, OS version, and sensor metadata to detect anomalies and prevent fraud.
- Certificate generation — producing tamper-proof work certificates anchored to the OpenTimestamps blockchain for long-term verification.
- Employer portal — enabling enterprise administrators to manage their workforce, view aggregated reports, and respond to compliance requirements.
This assessment is conducted in accordance with Article 35 of the UK GDPR and the EU General Data Protection Regulation (Regulation (EU) 2016/679), as the processing involves systematic monitoring of individuals on a large scale and the processing of special categories of data (biometric information).
Necessity & Proportionality
The processing carried out by Scello is necessary and proportionate for the following reasons:
Legal Basis for Processing
- Legitimate interest (Article 6(1)(f)) — Scello has a legitimate interest in providing reliable proof-of-work services that protect workers from wage theft and employers from fraudulent claims. This interest is balanced against the rights and freedoms of data subjects through robust technical and organisational safeguards.
- Contractual necessity (Article 6(1)(b)) — Processing is necessary for the performance of the contract between Scello and its users (both workers and employers), which explicitly includes the generation of verifiable work records.
- Explicit consent (Article 9(2)(a)) — For the processing of special category data (biometric heart rate data), explicit consent is obtained from each worker prior to the start of any tracked session. Workers may opt out of biometric collection while still using the core session tracking features.
Proportionality Assessment
The data collected is limited to what is strictly necessary to achieve the stated purposes. GPS coordinates are recorded only during active work sessions and are not tracked outside of working hours. Heart rate data is sampled at intervals sufficient to establish liveness without creating a detailed health profile. Device information is limited to identifiers needed for fraud prevention and is not used for cross-device tracking or advertising.
Retention periods are set to the minimum required for regulatory compliance. Construction industry regulations in the UK and EU require that employment records be retained for a minimum of 7 years. Scello aligns with this requirement and does not retain data beyond the statutory obligation period unless explicitly requested by the data subject.
Risks Identified
The following risks to the rights and freedoms of data subjects have been identified in relation to the processing activities:
- Unauthorised access to personal data, including GPS traces, biometric data, and employment records, could expose sensitive information about workers' locations, health indicators, and work patterns.
- Internal or external actors could gain access to worker data beyond their authorised scope, potentially leading to surveillance, discrimination, or identity theft.
- Data retained longer than necessary increases the attack surface and the potential impact of any breach. Failure to enforce retention policies could result in regulatory penalties.
- Data transferred between EU and US jurisdictions may be subject to differing legal frameworks, creating compliance risks if appropriate safeguards are not maintained.
- Although work certificates contain limited information, aggregation of public verification data could potentially enable re-identification of individual workers.
- The rich dataset collected for proof-of-work purposes could be repurposed for surveillance or performance monitoring beyond the original intent.
Mitigations
The following technical and organisational measures are in place to mitigate the identified risks:
Encryption
- All data at rest is encrypted using AES-256 at the application layer, with separate encryption keys per tenant.
- Data in transit is protected by TLS 1.3 for all communications between clients and servers.
- PII fields (names, addresses, contact details) are encrypted at the application level before database storage.
Access Controls
- Role-based access control (RBAC) with the principle of least privilege. Workers can only access their own data; employers can only access data for workers in their organisation.
- Multi-factor authentication is required for all employer portal accounts.
- API endpoints enforce row-level security (RLS) to prevent cross-tenant data access.
- Service accounts use scoped tokens with automatic rotation.
Audit Logging
- All access to personal data is logged in an immutable audit trail, including who accessed what data and when.
- Audit logs are retained for the lifetime of the associated data and are available to data subjects upon request.
- Automated alerts are triggered for anomalous access patterns (e.g., bulk data exports, access outside business hours).
Row-Level Security (RLS)
- PostgreSQL Row-Level Security policies enforce data isolation at the database level, ensuring that even application-level bugs cannot expose cross-tenant data.
- All queries are scoped to the authenticated user's organisation context.
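The following is an added illustration of the isolation described above; it is example SQL written for this page, not Scello's own schema or policies. It assumes a simplified `work_sessions` table, two application roles (`app_worker`, `app_employer`), and that the application sets per-transaction settings named `app.current_org` and `app.current_user_id` after authenticating the caller. All of those names are assumptions.

```sql
-- Added example (not Scello's schema): tenant isolation with PostgreSQL Row-Level Security.
-- Assumed table; the real platform stores far more telemetry per session.
CREATE TABLE work_sessions (
    id              bigserial PRIMARY KEY,
    organisation_id uuid NOT NULL,
    worker_id       uuid NOT NULL,
    started_at      timestamptz NOT NULL,
    ended_at        timestamptz
);

-- Enable RLS and force it for the table owner as well, so an application bug
-- that runs a query as the owning role still cannot read across tenants.
ALTER TABLE work_sessions ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_sessions FORCE ROW LEVEL SECURITY;

-- Assumed application roles; the API connects as one of these per request.
CREATE ROLE app_worker NOLOGIN;
CREATE ROLE app_employer NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON work_sessions TO app_worker;
GRANT SELECT ON work_sessions TO app_employer;

-- Read the authenticated context. current_setting(..., true) returns NULL when the
-- setting is absent, so a request that forgot to set its context matches no rows
-- instead of every row.
CREATE FUNCTION app_current_org() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.current_org', true), '')::uuid
$$;
CREATE FUNCTION app_current_user_id() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.current_user_id', true), '')::uuid
$$;

-- Workers: only their own sessions, and only inside their own organisation.
-- WITH CHECK applies the same rule to INSERT/UPDATE so a worker cannot write
-- a row into another tenant.
CREATE POLICY worker_own_sessions ON work_sessions
    FOR ALL TO app_worker
    USING (organisation_id = app_current_org() AND worker_id = app_current_user_id())
    WITH CHECK (organisation_id = app_current_org() AND worker_id = app_current_user_id());

-- Employers: every session in their organisation, nothing outside it.
CREATE POLICY employer_org_sessions ON work_sessions
    FOR SELECT TO app_employer
    USING (organisation_id = app_current_org());

-- Per request the application scopes one transaction; SET LOCAL is discarded at
-- COMMIT/ROLLBACK, so context cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_employer;
SET LOCAL app.current_org = '00000000-0000-0000-0000-000000000001';  -- constructed placeholder id
SELECT count(*) FROM work_sessions;  -- counts rows of that organisation only
COMMIT;
```

A useful check when deploying policies like these is to run the same `SELECT` inside a transaction that sets the role but never sets `app.current_org`: with the NULL-returning helper above it returns zero rows, which is the fail-closed behaviour the mitigation relies on. Superusers and roles created with `BYPASSRLS` are not subject to any policy, so operational access by such roles should be separately restricted and audited.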
Retention Policies
- Work records and associated telemetry are retained for 7 years from the date of creation, in line with UK and EU construction industry regulatory requirements.
- Biometric heart rate data is deleted after 90 days unless the worker explicitly opts in to longer retention.
- GPS location data is aggregated and anonymised after 12 months; raw coordinates are deleted.
- Data subjects can request early deletion of their data, subject to regulatory retention obligations.
Cross-Border Safeguards
- Data is stored in EU (Frankfurt) and US (Virginia) data centres with Standard Contractual Clauses (SCCs) governing transfers.
- The UK International Data Transfer Agreement (IDTA) is in place for UK-EU transfers.
- Supplementary measures include encryption in transit and at rest, access controls, and audit logging on both sides of the transfer.
Review Schedule
This DPIA is subject to regular review to ensure it remains accurate and effective:
- Annual review — A full review of this assessment is conducted at least once per year by the Data Protection Officer in consultation with the engineering and product teams.
- Triggered review — A review is triggered whenever there is a significant change to the processing activities, including new data types, new third-party processors, or changes to the technical infrastructure.
- Post-incident review — Following any data breach or security incident, this DPIA is reviewed and updated to reflect lessons learned and additional mitigations implemented.
Next Scheduled Review
30 April 2027
Data Protection Officer
For questions or concerns about this assessment, contact the DPO at privacy@scello.co