Privacy statement HRlab
Last update: September 2020
a. Personal data
Personal data is all information that refers to an identified or identifiable natural person; a natural person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, to an identification number, to location data, to an online identifier or to one or more special characteristics, which are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
b. Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller.
Processing is any process or series of operations related to personal data, such as collection, recording, organisation, ordering, storage, adaptation or modification, reading, querying, application, with or without the aid of automated procedures; disclosure by submission, dissemination or other form of provision, matching or linking, restriction, erasure or destruction.
d. Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.
Pseudonymisation is the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without additional data, provided that such additional data is kept separate and is subject to technical and organisational measures to ensure that the personal data is not assigned to an identified or identifiable natural person.
Controller refers to a natural or legal person, public authority, body or institution that, alone or together with others, decides on the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for their designation may be provided for under Union or national law.
g. Third party
A third party is a natural or legal person, public authority, body or institution other than the data subject, the controller, the processor and the persons authorised under the direct responsibility of the controller or the processor to process the personal data.
Consent is any expression of will voluntarily and unequivocally made by the data subject in the form of a statement or other unambiguous confirmatory act by which the data subject expresses their agreement to the processing of their personal data.
2. Legal basis for the processing of personal data
The legal basis for our company’s processing is Article 6 I (a) GDPR, whereby we obtain consent for specific processing purposes in advance.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Article 6 I (b) GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, for example in the event of inquiries regarding our products or services.
If the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 (1)(c) GDPR is the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6 (1) (d) GDPR.
Lastly, processing operations could be based on Art. 6 I (f) GDPR. Processing operations that are not covered by any of the above legal bases shall be based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the data subject prevail.
3. Responsible bodies
HRlab includes the following functions in this regard:
Administrative functions that enable employers to enter and manage information about on their respective employees centrally and to plan and manage operations and processes in the area of HR management.
Analytical functions that enable the user to evaluate, prepare and visualise the data entered in the service for various purposes and on the basis of various parameters. Among other things, this includes the creation of overviews, statistics, graphs, structures and other values and indicators in connection with the personnel management on the basis of the data entered in the service.
Interfaces/APIs that enable the integration of service offers of other providers (hereinafter “third-party provider software” or third-party providers”).
We collect, process and use data on behalf of our contractual partners during use of the service. Since protecting the privacy of our users when using the service is important to us, we would like use the following information to inform you of which personal data we collect while providing this service and how we handle this data.
Responsible body for data processing on its own responsiblity is:
Tel.: +49 (0) 30 398 2196 00
Commercial register number: HRB 182015 B
Register court: Amtsgericht Charlottenburg
Data protection officer: Stephan Frank
Cookies do not damage your computer’s hard drive nor do they contain viruses, trojans or other malware. Data is transmitted to us through the placement of cookies.
Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or that information always appears when you receive a new cookie. Disabling cookies may mean that you cannot use all features of our website.
b. Borlabs Cookie
This website uses Borlabs Cookie which sets a technically required cookie (borlabs-cookie) to save your cookie consent. Borlabs Cookie does not process personal data.
The Cookie borlabs-cookie saves your consent which you have given when you accessed the website. If you want to revoke your consent, please delete the cookie in your browser. If you reload/reenter the website, you will again be asked for your cookie consent.
c. Adjusting individual settings
If you want to adjust your individual settings, please click on this link:Customize Cookie Preferences
5. Collection and use of your data
To be specific, we process and store data as follows:
a. Registration / creation of a user account
Employers must register with HRlab GmbH and create a user account in order to be able to use the service.
In order to register, employers must state their company or business name, their first and last name or the first and last name of the person in charge of use of the service (hereinafter “person in charge”) as well as their e-mail address or the e-mail address of the person in charge (collectively referred to as “profile content”).
Furthermore, employers must designate one or more personnel managers for their respective user account.
We save all of this information in the respective user account.
We process this data in order to establish and implement the contractual relationship on the use of the service between employers and ourselves and to ensure the proper use of the service by the employers.
The data is processed on the basis of the statutory regulations that permit data processing because it is necessary for fulfilment of the agreement on the use of the service or because we have a legitimate interest in ensuring the proper use of the service, without this being in conflict with an overriding interest of the data subjects.
b. Creation of employee profiles
Employers can create personalised profiles for their employees as part of their user accounts (hereinafter “employee profiles”). The creation of employee profiles and the entry of employee data is the responsibility of the employers under data protection law. Employers must in particular ensure that they are entitled under data protection law to enter employee data in the service or have it entered by their employees.
Admission occurs when the respective employer creates an employee profile, stating the first and last name and a valid business e-mail address of the respective employee. As a result, the respective employee is sent a corresponding request to the e-mail address provided and the employee in question accepts this request. If employees do not have a business e-mail address, the request is sent to the employee in another form.
Additional information about the respective employee can be entered in the employee profile either by the employer or the respective employee (hereinafter referred to as “employee data” together with the information provided when creating the employee profile).
The employee data may include the following information:
- master data (first and last name, birth name, form of address, academic title, personnel number, gender, date of birth, country of birth, city of birth, nationality, existence and duration of a work and residence permit, ID);
- contact details (address, e-mail addresses, telephone numbers, Facebook link, LinkedIn link);
- payroll accounting data (salary, bonuses, account data, tax numbers, tax bracket, marital status, children’s allowances, proof of parenthood, religious affiliation, religious affiliation of partner, uniform flat-rate tax, main or secondary employment, tax allowances, maternity, parental leave, social insurance number, membership and scope of health and pension insurance, unemployment insurance, nursing care insurance, occupational pension scheme);
- health data, (illness-related absences, disability);
- organisational and personnel planning data (qualifications of the employees, organigrams, work schedules, time recording, business travel planning, leave planning, workflows, responsibilities, equipment, documents);
- contractual data (position/job title, employment agreements, date of retirement, foreign deployments, leave entitlement, organisational assignment, confidentiality obligation declarations, non-disclosure agreements, application documents, curriculum vita, etc.);
- access authorisation to HRlab (classification in the authorisation group such as administrator, human resources, user, etc.).
We save the employee data in the respective employee profile and provide it as part of the service for the respective employer (and) its person in charge as service provider subject to directives.
c. Login and general use of the service
To use the service, users must log in with the data they provided or received during registration. You must enter the following data to log-in:
- username (e-mail address provided during registration for the service or creation of the employee profile);
We communicate a generated password to users by e-mail to the e-mail address provided, which the user needs to log in to the service. Users can always change this password in their user account or employee profile. Under certain circumstances, we may have to specify the username and password, for example, when using interfaces/APIs.
We save the username and password for each user account or employee profile.
In addition, we automatically save certain data as part of the use of the service by the user. This includes: the IP address or device ID assigned to the respective terminal, which we need in order to transmit the requested content (e.g. in particular content, texts, pictures, product information and files provided for download, etc.), user behaviour as part of the service, the type of the respective terminal, the browser type used and date and time of use.
This data processing occurs to fulfil the agreement between the employers and HRlab GmbH regarding the use of the service and the services owed under it.
In addition, we preserve this information for a maximum of seven days in order to detect and track abuse. Our legitimate interest in the data processing consists in ensuring proper functioning of our website and the service.
For the rest, we delete or anonymise the usage data including the IP addresses immediately as soon as it is no longer needed for the aforementioned purpose.
The data is processed on the basis of the statutory regulations that permit data processing because it is necessary for fulfilment of the agreement on the use of the service or because we have a legitimate interest in ensuring the security and functionality of the service and its proper use, without this being in conflict with a predominant interest of the data subjects.
d. Provision of administration functions
In order to fulfil and execute the agreement on the use of the service between HRlab GmbH and the respective employer as well as to provide the administrative functions due under it, we process profile content and employee data on the instructions of the respective employer as follows:
- import and saving profile content and employee data in the HRlab Software;
- provision of profile content and employee data to the employer, its person in charge or otherwise authorised persons in order to perform planning and administrative tasks.
e. Provision of analytical functions
In order to fulfil and execute the agreement on the use of the service between HRlab GmbH and the respective employer as well as to provide the analytical functions due under it, we process profile content and employee data on the instructions of the respective employer as follows:
- merge, prepare and visualise profile content and employee data;
- create overviews, statistics, graphs, structures and other values and indicators on the basis of the profile content and employee data;
- anonymise or aggregate profile content and employee data to establish comparative and average values for the individual user as well as across all users;
- evaluate profile content and employee data of individual users as well as across all users;
- comparison of the profile content and employee data with the pseudonymised or aggregated comparative and average values identified.
f. Termination of the use relationship
g. Consent to receipt of advertising
If you consented to receiving advertising from us, we use the information you provided to send you advertising by electronic post (e-mail, SMS, MMS, instant message).
We verify your consent to the receipt of advertising by e-mail using the so-called double opt-in procedure. This means that we first request active confirmation of your consent to the receipt of advertising by e-mail to the e-mail address you provided when subscribing before we start to send it. We use the information on confirmation to document and if necessary prove your consent.
You can revoke your consent at any time with effect for the future by sending us an e-mail to firstname.lastname@example.org. Revoking the consent does not affect the lawfulness of the processing performed on the basis of the consent.
6. Use of third party providers
In order to provide and continuously improve our services, we rely on the services of the following third-party providers, who may process personal data. Please note that unless otherwise explained, the third-party providers are located in the USA and that the USA are no safe third country according to the EU data protection. US-companies are obliged to submit personal data to security authorities without individual remedies against such actions. Thus, it cannot be excluded that US authorities (e.g. intelligence agencies) process, analyze and save your data which are managed on US servers. We have no influence in this regard.
Unless otherwise specified in this privacy statement, provider of all Google services mentioned here is Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“).
a. Google Maps
The Google Maps service is integrated into this website via API to display geographical information. The integration of Google Maps enables Google to collect, process and use data about your use of the service.
However, so-called IP anonymisation is activated on our website. As a result, the IP address transmitted is previously abbreviated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area.
You find additional information on processing of your data by Google in the Google privacy statement.
b. Google Tag Manager
The Google Tag Manager service is used on this website. The Tag Manager is a tool for managing tags that are used for tracking in online marketing. The Tag Manager itself does not process any personal data, as it is used exclusively to manage other services – e.g. Google Analytics, etc.. You find additional information on the Google Tag Manager here:
c. Google Analytics
We use Google Analytics, a web analysis service provided by Google Inc (“Google”), to design our website www.hrlab.de in line with requirements and to continuously optimise it. Web analysis is the collection, storage and analysis of data regarding the behaviour of visitors to websites. A web analysis service collects data that, among other things, shows the website from which a visitor has come to this website (referrer), which of the website’s sub-pages they visit or how often and for how long they access them or how often and for how long they look at a sub-page. This type of web analysis is mainly used for website optimisation and for cost-benefit analysis of internet advertising.
Operating company of this Google-Analytics-component is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
Under no circumstances will the IP address be linked to other data relating to the user. HRlab GmbH uses the “_gat._anonymizeIp” function for web analytics via Google Analytics. This function ensures that the IP address of the internet access will be shortened and anonymised by Google if our site is accessed from a Member State of the European Union or from another state party to the Agreement on the European Economic Area.
As a user, you can prevent cookies from being installed by setting browser software accordingly; however, we would like to point out that the functions of this website may not be fully usable in this case.
Data, sessions and interactions are captured across multiple devices and are used to analyse your activities across devices. In addition, we use demographic characteristics of Google Analytics reports, which include and use data from Google’s interest-based advertising as well as visitor data concerning third parties (e.g. age, gender and interests). This data cannot be traced back to a specific person and can be deactivated at any time via the ad settings.
We also use Google Analytics to analyse data from Double-Click-Cookies and Google Ads for statistical reasons. If this is undesired, you can request a deactivation through the ad setting manager (http://www.google.com/settings/ads/onweb/?hl=en).
You find further information and the data protection clause of Google under https://www.google.de/intl/en/policies/privacy/ and http://www.google.com/analytics/terms/de.html. Google Analytics is explained in detail under the following link https://www.google.com/intl/en_us/analytics/.
d. Google AdWords
We have integrated Google Ads into this website. Google Ads is an internet advertising service that allows us to place adverts on both Google search engine results and in the Google Network. The use of Google Ads allows you to specify certain keywords. If the user retrieves a keyword-relevant search result with the search engine, the corresponding ad will be displayed in the Google’s search engine results. In the Google Network, ads are distributed on web pages relevant to the theme using an automated algorithm and according to pre-defined keywords.
Operating company of the Google Ads services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The use of Google AdWords serves to promote our website by displaying interest-based advertising on third-party websites, in the search engine results of Google’s search engine and on our website.
After 30 days, this cookie loses its validity and is no longer used to identify the user.
As already stated above, you can prevent our website from placing cookies at any time using the relevant setting of the used internet browser and thus permanently opt out of the setting of cookies. Changing such a setting of the used internet browser in this manner would also prevent Google from placing a conversion cookie on the user’s IT system. Cookies already placed by Google Ads can also be deleted at any time via an internet browser or other software programs.
Furthermore, you can revoke interest-related advertising from Google.Therefore, adjust the desired settings via https://adssettings.google.com/authenticated for all browsers which you use..
You find further information and the data protection clause of Google under https://policies.google.com/privacy?hl=en&gl=en.
You find further information and the data protection clause of YouTube under : https://policies.google.com/privacy?hl=en
To send newsletters, we use MailChimp, a newsletter dispatch platform belonging to the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave #5000, Atlanta, GA 30308, USA. The use is based on Art. 6 (1) (1) (a) GDPR.
Our newsletter recipients’ e-mail addresses and other data are stored on the MailChimp servers in the USA. Mailchimp uses the data to dispatch and evaluate the newsletters on our behalf. In addition, MailChimp may use the data to improve its own services, e.g. to technically optimise the dispatch and newsletter presentation or for commercial purposes, by tracking the recipient’s countries of origin. However, MailChimp will not use newsletter recipients’ data to contact you or pass this on to third parties.
The operator of MailChimp, the Rocket Science Group LLC, is certified according to the Privacy Shield. In light of this, the conditions for the processing of personal data by Mailchimp can be regarded as fulfilled.
You find the data protection clause of MailChimp here.
g. LinkedIn Insight Tag
The LinkedIn Insight tag enables information to be collected about visits to this website, including URL, referrer URL, IP address, device and browser characteristics, timestamps and page views. This data is encrypted, anonymised within seven days and the anonymised data is deleted within 90 days. LinkedIn does not share any personally identifiable information with us, but only provides aggregate reports about the site’s audience and ad performance. LinkedIn also provides retargeting for website visitors, which enables us to use this information to display targeted advertising outside of our website without identifying the member. LinkedIn members can manage the use of their personal data for promotional purposes in their account settings.
Purpose of the data processing
The LinkedIn Insight tag is used to provide detailed campaign reporting and information about both visitors to our website and our advertising and marketing interests. As a LinkedIn marketing solutions customer, we use the LinkedIn Insight tag to retarget our site visitors and gather additional information about the LinkedIn members who view our ads.
Legal basis of the data processing
The legal basis for processing personal data is Art. 6 (1) (f) GDPR, in other words a legitimate interest on our part. Our legitimate interest in this regard lies in the aforementioned purposes.
How to revoke the data processing
If you are a LinkedIn member and do not want LinkedIn to collect information about you visit to our website and link it to your membership information held by LinkedIn, you must sign out of LinkedIn before visiting our website.
We use Forms.
We inform interested parties at regular intervals about new features of our product as well as about company events in a newsletter. You can receive the newsletter if you have a valid email address and you have registered for the newsletter. A confirmation email will first be sent to the email address you entered for the newsletter mailing list using the double-opt-in procedure. This procedure is used to check whether the owner of the email address authorised the receipt of the newsletter.
When subscribing to the newsletter, we also store the IP address of the computer system used by the data subject as assigned by the internet service provider (ISP) at the time of registration as well as the date and time of registration. The legal basis for the saving the data is Art. 6 (1) (a) GDPR. The collection of this data is necessary to trace the possible misuse of a data subject’s email address at a later date and therefore serves as a legal safeguard for us.
You can cancel your subscription to our newsletter at any time. The consent to the storage of personal data that you grant us for newsletter dispatch can be revoked at any time. At the end of each newsletter, you will find a link that allows you to unsubscribe from the newsletter at any time.
Our newsletters contain tracking pixels. A tracking pixel is a miniature graphic embedded in emails that are sent in HTML format, to enable log file recording and log file analysis. They allow statistical evaluation of the success or failure of online marketing campaigns. On the basis of the embedded tracking pixel, we can detect whether and when an email was opened and which links in the email were clicked on. We store and evaluate such personal data collected via the tracking pixels contained in the newsletters in order to optimise the delivery of newsletters and to better adapt the content of future newsletters to your interests. The legal basis for the temporary storage of data is Art. 6 (1) (f) GDPR. This personal data will not be transmitted to third parties. You may revoke the separate declaration of consent given via the double-opt-in procedure at any time. Alternatively, you can unsubscribe from the newsletter at any time by sending an email to email@example.com. Following revocation, HRlab GmbH will delete this personal data. We automatically interpret a cancellation of the receipt of the newsletter as a revocation.
b. Test version
If you register for a test account, we will use your data to send you required information and present the test account and software features:
- Processed data: E-Mail address, last name, first name, phone number, company, job title, department;
- Purpose: Provisioning of the requested test account and explaning software features;
- Storage period: Data will be only stored as long as necessary, e.g. to prepare, perform and follow up software demonstration meetings;
- Legal basis: Art. 6 I b GDPR.
8. Your rights as data subject
You are entitled to receive information about the data stored about you at any time. Upon submission of the respective requirements, you may also be entitled to the following rights:
- the right to rectification of inaccurate personal data relating to you;
- the right to erasure of data relating to you;
- the right to block or restrict the processing of your data;
- the right to object to the processing of data relating to you and
- the right to data portability.
Should you desire information on the data relating to you saved by HRlab GmbH on its own responsibility, wish to enforce other rights or have questions on data protection, you can either contact us by post (HRlab GmbH, Wattstraße 11, D-13355 Berlin) or by e-mail at firstname.lastname@example.org. Please contact your employer if you have any concerns regarding the contract data processing perform by us.
9. Right to lodge a complaint with a responsible supervisory authority
You are entitled to lodge a complaint at any time with a supervisory authority, in particular with a supervisory authority in the member state of your place of residence, your workplace or the location of the probable breach if you consider that the processing of personal data relating to you breaches the data protection laws.
The following data protection authority is responsible for HRlab GmbH:
The Berlin Commissioner for Data Protection and Freedom of Information
Visitors’ entrance: Puttkamerstr. 16 – 18 (5th floor)
We use approriate technical and organisational security measures to protect your data against coincidential or intentional manipulations, partial or total loss, destruction or unauthorized access of third parties. Our security measures are continously improved in line with the technological development.
11. Final provisions