Privacy Notice for Personio App

This privacy notice is intended for Personio users. It explains what data we process on the system side when you use the Personio Mobile App. We call this data "Usage Data".

This privacy statement is not about the data you work with and store in Personio, i.e., it is not about your employee data (HR Data) that is managed within Personio. Your company using Personio is the controller for that data.

If you have questions about the processing of personal data in Personio, please contact your account owner.

Data Controller

The controller in the sense of data protection law for this Usage Data is:

Personio SE & Co. KG

Seidlstr. 3

80335 Munich

If you have questions regarding this data privacy statement, please contact us via this form.

Access and activity logs ("server logs")

Every time you work with our software, log data (so-called server logs and events) is automatically collected. This is general data such as:

  • User ID

  • Device Information: Model, manufacturer, operating system and version.

  • App Version: The version of the app being used.

  • Usage Data: Interactions with the app, such as pages viewed and features used.

  • Location Data: Approximate location based on IP address.

  • Timestamp: Date and time of access and interactions within the app.

By default, your data is pseudonymised. This data is collected to help us improve the functionality, security, and overall experience of our app. The information may also be used in an aggregated and anonymized form for statistical purposes and to optimize our offerings and technology. If there is a suspicion of illegal use of the software, the log files are subsequently reviewed and analyzed. The legal basis for this data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

The access and activity logs are stored for 30 days and deleted thereafter.

Error logs

In order to detect and correct errors, so-called error logs are created. This is necessary in order to be able to react promptly to any problems with the presentation and implementation of the content. The legal basis for this data processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

When error messages occur, general data is collected, such as:

  • Device Information: Model, manufacturer, operating system and version.

  • Error Details: Information about the error, including error codes and messages.

  • App Version: The version of the app being used when the error occurred.

  • Timestamp: Date and time when the error occurred.

These error logs are stored for 90 days.

Login Information

When you access our app, we collect certain login information to facilitate secure access and improve your user experience. This includes:

  • Email address: Used to authenticate and grant access to your account.

  • Login Timestamps: The date and time of each login attempt.

  • IP Address: The IP address from which the login attempt was made, used for security monitoring and fraud detection.

  • Device Information: Details such as model, operating system and version to ensure compatibility and enhance security.

This login information is collected to safeguard your account, monitor for unauthorized access, and continuously improve our security protocols.

The legal basis for processing this data is our legitimate interest in securing our services and protecting user accounts, pursuant to Art. 6 (1) (f) GDPR. All login information is retained for a period of 30 days and deleted thereafter.

Use of service providers

In order to provide our services and to be able to continuously improve them, we rely on the services of service providers and their tools. In certain cases, the service providers also process the contract data or the Usage Data and the personal data contained therein. We have selected these companies carefully as service providers and agreed terms in accordance with Article 28 of the GDPR.

Amplitude

Used to ensure the provision of the service and for product analytics to understand user behavior.

Datadog

Used for application performance monitoring.

Sentry

Used for error tracking and monitoring.

In particular, these service providers have no direct access to personal data of employees processed by our customers within Personio.

We may disclose data collected within the scope of this privacy policy to third parties that are located in countries outside the UK/EEA/Switzerland, including our affiliates. Our customer data is exclusively stored in the European Union.

Some of those countries may not have the same data protection laws as the UK/EEA/Switzerland. In particular, those countries may not provide the same degree of protection for your personal data, may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data. However, when transferring your personal data outside the UK/EEA/Switzerland, we will comply with our legal and regulatory obligations in relation to your personal data, including (as necessary) having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will also take appropriate steps to ensure the security of your personal data in accordance with applicable data protection laws.

When transferring your personal data outside the UK/EEA/Switzerland, we will, where required by applicable data protection laws, ensure that at least one of the following safeguards is implemented: (1) we will only transfer your personal data to countries or organizations that have been deemed to provide an adequate level of protection for personal data by the UK and/or Swiss Government or the European Commission, as applicable; or (2) we will use specific contracts approved by the UK and/or Swiss Government or the European Commission, as applicable, commonly known as the "Standard Contractual Clauses" or "SCCs", which give personal data the same protection it has in the UK/Switzerland and the EEA. Please contact us if you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK/EEA/Switzerland.

In addition, where we disclose personal data that we process in connection with any of our affiliates’ participation in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework, we remain liable under those frameworks in relation to our onward transfer of personal data to those entities, unless we can show that we are not responsible for the event giving rise to the damage.

Personio Corp. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Personio Corp. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Personio Corp. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (“DPF Principles”), the DPF Principles shall prevail. To learn more about the Data Privacy Framework (DPF) program, and to view our certification(s), please visit https://www.dataprivacyframework.gov/.

Rights of data subjects

First, you have the right to be informed. This is the purpose of this privacy notice, but it is not all there is. You can also exercise your right of access to the data we process about you, as well as the right to rectification, erasure or restriction of processing. To do so, contact us or our data protection officer using the contact options mentioned below.

If you wish, you can obtain a copy of the data, and you can also withdraw a given consent (if stated as the legal basis) at any time with effect for the future. Under certain circumstances, you can also object to the processing of your data, in particular in the case of direct marketing or when we process data for our legitimate interests.

Lastly, you have the right to lodge a complaint.

EU, UK or Swiss individuals can report concerns to the organizations listed below. We prefer that you file your complaint with us, as we will make every effort to reach a resolution. Alternatively, you always have the option to lodge a complaint with a data protection supervisory authority at any time. Our competent authority is the Bavarian State Office for Data Protection Supervision, Promenade 18, D-91522 Ansbach, phone: +49 (0) 981 180093-0, email: poststelle@lda.bayern.de.

EEA - You can find a list of supervisory authorities and their contact details for the EEA at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

United Kingdom - The Information Commissioner’s Office ("ICO") is the supervisory authority in the United Kingdom. Contact details for the ICO can be found at https://ico.org.uk.

Switzerland - The Federal Data Protection and Information Commissioner ("FDPIC") is the supervisory authority in Switzerland. Contact details for the FDPIC can be found at https://www.edoeb.admin.ch/.

United States of America - In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Personio commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Following the dispute resolution process, JAMS or you may refer the matter to the U.S. Federal Trade Commission, which has investigatory and enforcement powers over us. Under certain circumstances, you also may be able to invoke binding arbitration to address complaints about our compliance with DPF Principles.

Data protection officer

Our DPO is:

Bitkom Servicegesellschaft mbH

Albrechtstraße 10

10117 Berlin

E-Mail: datenschutz@bitkom-consult.de

Published: 28 April 2025.