Personio’s Privacy Notice

1.

Your data is in good hands with us... - this is why

2.

We store and process your personal data

3.

Trusted third parties who process your data

4.

International Data Transfers

5.

How we use cookies

6.

Be informed about your privacy rights

Your data is in good hands with us... - this is why

Here you can find out how we handle personal data. The explanations are intended for everyone who visits our website, contacts us or participates in our various offers of events whether in person or online. This privacy policy does not apply to our recruiting activities or the processing of personal data in Personio by our subscribers.

Data protection law, in particular the General Data Protection Regulation (GDPR), which is valid in the EU, is a daily instrument for us. As specialists in human resources, the protection of personal data is a key requirement for us.

We are:

Personio SE & Co. KG

Seidlstrasse 3

80335 Munich

Phone number: +49 (89) 1250 1005

And we are responsible for this website, its content and any processing of personal data that happens on it.

You can reach our data protection team at our postal address and by email at privacy@personio.com.

Our data protection principles:

  • We disclose our cards (transparent data processing)

  • We only process the data that we need for our work and our business (minimized data processing)

  • We only process data if we have a purpose and a legal basis for doing so (purpose-related and legitimate)

  • We secure our systems against intrusion and cyber-crime (secure and with integrity)

  • We work with reliable service providers (responsible)

  • We process data only as long as necessary (limited in time)

  • We do not process sensitive data like racial or ethnic origin, political opinions, religious or philosophical beliefs and the like.

  • We do not process any data from children as the use of our website and our offers is not intended for people under the age of 16.

  • We do not profile you or make decisions based on automated processes such as artificial intelligence.

  • Your provision of personal data is neither legally nor contractually required. Without your data, however, we cannot provide you with any information or offer you any services, or conclude a contract.

We store and process your personal data:

1.

You visit our websites

2.

You use our contact form, call us or send us an email

3.

We provide you with knowledge and information

4.

You are interested in Personio’s services

5.

You join the Personio Community

6.

You exercise your data subject rights

When contacting us or visiting our website whether because you are curious about us and what we do or because you are looking for something specific or perhaps because you are browsing the internet and our paths crossed, so it happens that we collect and process some of your data. And because of this, please let us tell you what we do, how we do it and why we do it.

This happens when:

You visit our websites

When you visit our websites, we process data about your browser, your operating system, location, IP address and a few others to ensure the functionality of the website, the safety of the connection and an excellent surfing experience. We also process data for marketing partly with the support of service providers. For this processing we specifically ask for your consent.

  • What data: IP address, login information, browser type and version, time zone setting, browser plug-in types, geolocation, operating system and version, clicking behavior, recurring visits, transaction data, use of third-party services

  • Purposes: Statistic, optimization, security, marketing

  • Legal basis: Legitimate interests, consent

  • Retention: session and up to 30 days (for detailed information please check our cookie information)

You use our contact form, call us or send us an email

We always welcome you to contact us, whether by web form, email or by phone call. In doing so, we process some of the data that belongs to you such as your name, surname, email address to meet your request and stay in touch. We will only share your data with third parties if this is necessary to process your request.

  • What data: Name and surname, company information, telephone number, email address, your request

  • Purposes: You getting in contact with us, answering questions, getting feedback

  • Legal basis: Contract

  • Retention: Until the purpose is fulfilled

We provide you with knowledge and information

When we provide you with free information and knowledge content, whether online or through our events, or when you participate in our raffles events or webinars, we request your consent to use your data for marketing purposes in return. When you subscribe to our newsletter, we only do so upon your explicit consent. You can revoke your consent at any point of time for the future.

  • What data: Name and surname, company information, telephone number, email address

  • Purposes: Explaining Personio, relationship maintenance, marketing

  • Legal basis: Contract for providing free content, consent for marketing

  • Retention: 2 years or until consent is revoked

You are interested in Personio’s services

If you are interested in our products and services in more detail, we offer you an expert appointment or a web demo. You can also test Personio for free. For this purposes, we will of course process your contact data (e.g. email address, name, surname etc). If you then order and use Personio, i.e. become our customer, we transfer the data to our customer base.

  • What data: Name and surname, company information, telephone number, email address, calendar items, bank account details for customers only

  • Purposes: Explaining Personio, marketing, customer relationship

  • Legal basis: Pre-contract negotiations and contract

  • Retention: 2 years for interested parties, duration of customer relationship plus legal storage period for customers

You join the Personio Community

The Personio Community offers information and the possibility to interact with other members. You create an account and can actively participate in the forum. For this purpose, we process your name, surname, email address and a few others. Of course, you are not obliged to register for the community, but then you would not be able to use all the available features.

  • What data: Name and surname, address, telephone numbers or email addresses, posts, comments, likes

  • Purposes: Providing you information, support and the possibility for networking

  • Legal basis: Contract

  • Retention: Until you unsubscribe from the service, you deleting your posts

You exercise your data subject rights

The privacy law gives you a number of data protection rights. We present these briefly further below. You can find more details in Art. 13 - 22 of the GDPR. If you want to exercise your data protection rights, please contact us. To ensure that you can exercise your rights we must process some of your data, such as name, surname, email address and some others, for example, to verify your identity and to reply to your request. This will generate further data about your person, which we will also process.

  • What data: Name and surname, address, telephone numbers or email addresses, content of the request

  • Purposes: Fulfilling your requests and legal requirements

  • Legal basis: Legal obligation

  • Retention: Two years

Trusted third parties who process your data

As part of our business operations and to provide certain services, we use service providers. This happens in marketing and customer support, for online surveys, chat and map services, display of videos, operating the website (cookie banner, security and provision), search in community posts and more. Do not worry though, we have concluded data processing agreements (DPA) with the service providers and when we transfer your data to third countries, we ensure that it is adequately safeguarded. This is achieved through either countries approved by the EU as safe (adequacy decision), specific approved contracts (standard contractual clauses), or by seeking your explicit consent when necessary.

Personio may disclose personal data collected in the scope of this privacy policy to members of its corporate group (“Affiliates”) – where this involves a transfer of your data to third countries outside the UK/European Economic Area (“EEA”)/Switzerland , we will ensure that it is adequately safeguarded (see the International Data Transfers section below for more information). Personio may also disclose relevant personal data if it is required to do so by law or legal process or in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. 

Detailed Information on the services can be found in the settings options of the cookie banner, via the link "Cookie Settings" at the bottom of each page of the website or via this link: Cookie Settings

International Data Transfers

We may disclose data collected within the scope of this privacy policy to third parties that are located in countries outside the UK/EEA/Switzerland, including our Affiliates. Our customer data is exclusively stored in the European Union.

Some of those countries may not have the same data protection laws as the UK/EEA/Switzerland. In particular, those countries may not provide the same degree of protection for your personal data, may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data. However, when transferring your personal data outside the UK/EEA/Switzerland, we will comply with our legal and regulatory obligations in relation to your personal data, including (as necessary) having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will also take appropriate steps to ensure the security of your personal data in accordance with applicable data protection laws.

When transferring your personal data outside the UK/EEA/Switzerland, we will, where required by applicable data protection laws, ensure that at least one of the following safeguards is implemented: (1) we will only transfer your personal data to countries or organisations that have been deemed to provide an adequate level of protection for personal data by the UK and/or Swiss Government or the European Commission, as applicable; or (2) we will use specific contracts approved by the UK and/or Swiss Government or the European Commission, as applicable, commonly known as the “Standard Contractual Clauses” or “SSCs”, which give personal data the same protection it has in the UK/Switzerland and the EEA. Please contact us if you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK/EEA/Switzerland.

In addition, where we disclose personal data that we process in connection with any of our affiliates’ participation in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework, we remain liable under those frameworks in relation to our onward transfer of personal data to those entities, unless we can show that we are not responsible for the event giving rise to the damage. 

Personio Corp. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)  as set forth by the U.S. Department of Commerce.  Personio Personio Corp. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Personio Personio Corp. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. 

If there is any conflict between the terms of this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (“DPF Principles”), the DPF Principles shall prevail.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification(s), please visit https://www.dataprivacyframework.gov/.

How we use cookies

Cookies are text information that is stored on your device via the internet browser. Cookies have distinct functions:

Essential cookies are necessary to ensure the functioning of the website. Without them the website would not work. For these we do not need consent. For all other cookies, functional cookies, marketing cookies and those to display maps or videos, we ask for your consent.

Detailed information on cookies can be found again in the same place as indicated above and via this link: Cookie Settings.

Be informed about your privacy rights

First, you have the right to be informed. This is the purpose of this privacy notice, but this is not all there is. You can exercise your right to information about the very data we process from you, the right to rectification, erasure or restriction of processing.

To do so, contact us or our data protection officer. Use the contact options mentioned below.

If you wish, you can obtain a copy of the data and you can also withdraw a given consent at any time for the future. Under certain circumstances, you can object to the processing of your data too. In particular, in the case of direct marketing or when we process data for our legitimate interests.

Lastly, you have the right to lodge a complaint.

EU, UK or Swiss individuals can report concerns to the following organisations: 

We prefer that you file your complaint with us, as we will make every effort to reach a resolution. Alternatively, you always have the option to lodge a complaint with a data protection supervisory authority at any time: Our competent authority is the Bavarian State Office for Data Protection Supervision, Promenade 18, D-91522 Ansbach, phone: +49 (0) 981 180093-0, email: poststelle@lda.bayern.de.

EEA -  You can find a list of supervisory authorities and their contact details for the EEA at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm 

United Kingdom - The Information Commissioner’s Office (“ICO”) is the supervisory authority in the United Kingdom. Contact details for the ICO can be found at https://ico.org.uk.  

Switzerland - The Federal Data Protection and Information Commissioner (“FDPIC”) is the supervisory authority in Switzerland. Contact details for the FDPIC can be found at https://www.edoeb.admin.ch/

United States of America - In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Personio commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States.   If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework  for more information or to file a complaint.  The services of JAMS are provided at no cost to you.  Following the dispute resolution process, JAMS or you may refer the matter to the U.S. Federal Trade Commission, which has investigatory and enforcement powers over us. Under certain circumstances, you also may be able to invoke binding arbitration to address complaints about our compliance with DPF Principles.

Date of this privacy notice: 10-2023

Data Protection Officer

Personio has appointed Bitkom Servicegesellschaft mbH as external data protection officer for advice on data protection issues and to provide support as the company data protection officer.

Bitkom Servicegesellschaft mbH

Albrechtstraße 10

10117 Berlin

Email: datenschutz@bitkom-consult.de

Data Subject Rights

You have the right to be informed. This is the purpose of this privacy notice, but this is not all there is. You can exercise your right to information about the very data we process from you, the right to rectification, erasure or restriction of processing.

If you wish, you can obtain a copy of the data and you can also withdraw a given consent at any time for the future. Under certain circumstances, you can object to the processing of your data too. In particular, in the case of direct marketing or when we process data for our legitimate interests.

Lastly, you have the right to lodge a complaint.

To exercise your rights please use this form

Here you can find further information on Personio's General Terms and Conditions and our Data Processing Addendum (DPA).