Privacy Statement Research

Here you can find out how we handle personal data in the context of research activities. The explanations are intended for everyone who signs up and participates in our activities listed hereafter. Data protection law, in particular the General Data Protection Regulation (GDPR), which is valid in the EU, is a daily instrument for us. 

We are:

Personio SE & Co. KG

Seidlstrasse 3

80335 Munich

Phone number: +49 (89) 1250 1005

And we are responsible for the research program you are signing up to, its content and any processing of personal data that happens on it.

You can reach our data protection team at our postal address and by email at privacy@personio.com.

1. When you take part

Your feedback and insights will help us improve the features and functionalities of our products and services. You will, for example, partake in either interview(s) with a Researcher, an unmoderated session using an internet browser, or a focus group/workshop alongside other participants. The way information is collected may depend on the actual study conducted. If participating in a focus group and/or workshop, you will be able to see, hear and interact with the other participants as well as the Researcher. Typically, only your first name will be used during each session.

2. Information we want to collect

In a study conducted in the course of our activities, we will normally ask you questions about your daily work and your experience using software tools as part of it. When discussing usability, we may ask you to show us how you use these software tool(s). We might watch how you do various tasks and ask you some questions about your thought process. We are never testing you; we just want to learn if our product fits your needs. We will record the session and we will take notes to record your comments and actions.

3. Research activities you might be invited to participate in

Your Personio Contact will confirm what your session(s) will entail and how they will be conducted in advance of your participation but here is a list of possible activities. 

  • Moderated Usability study

  • Unmoderated Usability study

  • Interview for generative study

  • Survey

  • Diary Study

  • Focus Group

  • Co-creation program/workshop(s)

Personal data and categories of data in our outputs

  • Video recording and audiovisual content

  • Documented findings/report and statements

  • Analytics report on task completion or other metrics and feedback captured by usability testing tool 

  • Answers to questionnaires/surveys 

  • Artifacts created as part of focus groups or co-creation sessions

All outputs created contain personal data respectively. The data is stored for 5 years.

Legal basis for processing is Article 6(1)(b) GDPR. 

The statements from the Participants are only reproduced as released by the Participants and are not changed. 

The right to use any output generated is given without any limitation in time, place and content to the processing and use of the data/recordings, both by Personio and by third parties acting under the control of Personio, regardless of the transmission, carrier, and storage technology. 

The Participant expressly agrees to the editing of the photographs or videos in relation to the purpose specified above, be it by retouching, be it by digital editing by means of appropriate software, or a use in the context of montages of any kind (for example, for a short video with the key learnings from the workshop that will be shared internally at Personio). 

The Participant agrees on the mention of his/her name or a pseudonym and the professional title in connection with the unedited or altered recordings made of his/her person. 

By signing this document the Participant confirms that he/she has been fully informed by Personio about all circumstances of the making, processing and use of the recordings and that he/she makes his/her declaration of intent to participate voluntarily. 

4. How we ensure your privacy

Any output generated during the studies will be treated as confidential and will not be shared outside our company.

5. Use of service providers

In order to conduct research we rely on the services of service providers and their tools. In certain cases, the service providers also process the personal data contained therein. We have selected these companies carefully as service providers and agreed terms in accordance with Article 28 of the GDPR. If you wish to receive more detailed information about which service providers we use please reach out to us.

We may disclose data collected within the scope of this privacy policy to third parties that are located in countries outside the UK/EEA/Switzerland, including our affiliates. Our customer data is exclusively stored in the European Union.

Some of those countries may not have the same data protection laws as the UK/EEA/Switzerland. In particular, those countries may not provide the same degree of protection for your personal data, may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data. However, when transferring your personal data outside the UK/EEA/Switzerland, we will comply with our legal and regulatory obligations in relation to your personal data, including (as necessary) having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will also take appropriate steps to ensure the security of your personal data in accordance with applicable data protection laws.

When transferring your personal data outside the UK/EEA/Switzerland, we will, where required by applicable data protection laws, ensure that at least one of the following safeguards is implemented: (1) we will only transfer your personal data to countries or organizations that have been deemed to provide an adequate level of protection for personal data by the UK and/or Swiss Government or the European Commission, as applicable; or (2) we will use specific contracts approved by the UK and/or Swiss Government or the European Commission, as applicable, commonly known as the "Standard Contractual Clauses" or "SCCs", which give personal data the same protection it has in the UK/Switzerland and the EEA. Please contact us if you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK/EEA/Switzerland.

In addition, where we disclose personal data that we process in connection with any of our affiliates’ participation in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework, we remain liable under those frameworks in relation to our onward transfer of personal data to those entities, unless we can show that we are not responsible for the event giving rise to the damage.

Personio Corp. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Personio Corp. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Personio Corp. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms of this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (“DPF Principles”), the DPF Principles shall prevail. To learn more about the Data Privacy Framework (DPF) program, and to view our certification(s), please visit https://www.dataprivacyframework.gov/.

6. Rights of data subjects

First, you have the right to be informed. This is the purpose of this privacy notice, but this is not all there is. You can exercise your right to information about the very data we process from you, the right to rectification, erasure or restriction of processing. To do so, contact us or our data protection officer. Use the contact options mentioned below.

If you wish, you can obtain a copy of the data and you can also withdraw a given consent (if stated as legal basis) at any time for the future. Under certain circumstances, you can object to the processing of your data too. In particular, in the case of direct marketing or when we process data for our legitimate interests.

Lastly, you have the right to lodge a complaint.

EU, UK or Swiss individuals can report concerns to the following organizations: We prefer that you file your complaint with us, as we will make every effort to reach a resolution. Alternatively, you always have the option to lodge a complaint with a data protection supervisory authority at any time: Our competent authority is the Bavarian State Office for Data Protection Supervision, Promenade 18, D-91522 Ansbach, phone: +49 (0) 981 180093-0, email: poststelle@lda.bayern.de.

EEA - You can find a list of supervisory authorities and their contact details for the EEA at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

United Kingdom - The Information Commissioner’s Office ("ICO") is the supervisory authority in the United Kingdom. Contact details for the ICO can be found at https://ico.org.uk.

Switzerland - The Federal Data Protection and Information Commissioner ("FDPIC") is the supervisory authority in Switzerland. Contact details for the FDPIC can be found at https://www.edoeb.admin.ch/.

United States of America - In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Personio commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Following the dispute resolution process, JAMS or you may refer the matter to the U.S. Federal Trade Commission, which has investigatory and enforcement powers over us. Under certain circumstances, you also may be able to invoke binding arbitration to address complaints about our compliance with DPF Principles.

Our DPO is:

Bitkom Servicegesellschaft mbH

Albrechtstraße 10

10117 Berlin

E-Mail: datenschutz@bitkom-consult.de