Data protection
Last updated: 10 April 2024
Definitions
“Customer” or “you” means a company using the Service.
“DPA” means a data processing agreement in accordance with Article 28 of the GDPR.
“Service” means Aboard HR.
“Service Personal Data” means personal data of Users that is processed as part of the Customer’s use of the Service.
“Teamtailor”, “we” or “us” means Teamtailor AB.
“Third country” means a country outside the EU/EEA.
“User” means an employee, consultant or other party related to the Customer, who is using the Service.
1. Teamtailor’s and the Customer’s roles and responsibilities
1.1 What role does Teamtailor and the Customer have under the GDPR?
When a Customer uses the Service, the Customer is in control of whose personal data is added to the Service, what the personal data will be used for, for how long Service Personal Data will remain in the Service, etc.
Since the Customer controls the purposes and the means of the processing, the Customer acts as the data controller.
When Teamtailor processes Service Personal Data to provide the Service to a Customer, Teamtailor acts as the Customer’s data processor.
For a very limited number of processing operations (such as sending newsletters and other marketing materials to the Customer’s business representatives), Teamtailor acts as the data controller, as described here.
1.2 Will a DPA be entered into between Teamtailor and the Customer?
Yes, as part of our standard agreement, we offer a DPA governing our processing of the Service Personal Data on your behalf, for your review and agreement. You can find it here.
2. Personal data processed
2.1 What personal data is processed in the Service?
The Service is designed to process the personal data that is relevant for managing HR-related matters. This usually includes:
User account information - such as email address and password.
Contact information - such as name, phone number, address, birthday, social security number, photo, employee ID, gender.
Information about individuals’ emergency contacts.
Information related to individuals’ position in the organization - such as title, start- and end date, salary, manager, department and location.
Financial information - such as individuals’ salary and benefits.
Information related to individuals’ availability at work, health and family situation - such as planning and documentation of vacation, sick leave and parental leave.
Information related to individuals’ performance and challenges at work - such as notes and evaluations created by the individual’s manager.
Information created through interaction between employees - such as invitations to events, pictures and messages.
Additional types of personal data will be processed if you choose to activate an optional feature, such as the whistleblowing functionality.
2.2 Will special categories of personal data be processed in the Service?
Some of the offered functionality can involve processing of special categories of personal data, such as data concerning individuals’ health or sexual orientation.
If special categories of personal data are added to the Service, we will apply the same high level of security and protection to it as to other types of Service Personal Data. For example, and as far as practically possible, information in the Service will be encrypted on application level before it is stored in the database.
3. Purposes of processing
3.1 What are the purposes of processing Service Personal Data in the Service?
The Service is intended to be used for managing HR-related matters. Depending on which features and functionalities you and your Users decide to use from time to time, more granular purposes of processing personal data will be relevant for your use of the Service - such as employee onboarding, offboarding, absence tracking, documenting meetings, and other HR-related administrative tasks.
We will also process the Service Personal Data for purposes that are necessary to enable and support your use of the Service, such as logging, troubleshooting and investigating and managing incidents.
For an overview of the different features we offer, see our website.
4. Access and security
4.1 Who in Teamtailor’s organization has access to the Service Personal Data?
Access to operational applications, platforms and data is limited according to a Teamtailor employee’s role. Teamtailor operates a general rule of least privilege, meaning that employees only receive the access they need to perform their role, and nothing more.
Manual access reviews are done at least every 6 months, where access levels are approved and reviewed by designated system owners. Access will be revoked immediately in cases where access is no longer appropriate for the role.
Those accessing Service Personal Data will only do so in an authorised manner and are subject to confidentiality undertakings.
4.2 Can you control who within your own organization has access to the Service Personal Data?
Yes, you control who has access to which Users' information according to the permissions you assign your Users. For more information about access roles, see here.
4.3 What technical and organizational measures does Teamtailor take to protect the Service Personal Data?
This is described in Appendix 2 to our DPA, see here.
5. Users’ control over their personal data
5.1 Who will inform the Users about the processing in the Service, and how?
As the data controller, the Customer is responsible for informing the Users about how their personal data will be processed in the Service. Many of our Customers do this in an employee privacy notice.
5.2 Will Teamtailor support you if a User requests to access or delete their personal data?
Yes, once you have verified that the request is legitimate, and have decided what data should be provided respectively deleted, you can contact help@aboardhr.com for assistance in executing the request.
6. Data locations and subprocessors
6.1 Where is the Service Personal Data stored?
The Service Personal Data is stored in the EU/EEA, in the countries reflected in our List of Subprocessors.
6.2 Which subprocessors does Teamtailor use in providing the Service, and what personal data does each subprocessor access?
This is reflected in our List of Subprocessors.
6.3 Can the Service Personal Data be processed outside of the countries of storage?
Some of our subprocessors are based in a third country, or are the subsidiary of a company based in a third country. In these cases, the risk of a potential transfer to a third country needs to be assessed.
To support our Customers in this risk assessment, we have created a Transfer Impact Assessment. Among other things, the Transfer Impact Assessment describes what transfer mechanisms and technical and organisational measures we have put in place with these subprocessors.
Contact our sales representatives, your CSM or help@aboardhr.com to access the Transfer Impact Assessment.
7. Personal Data Breaches
7.1 Will Teamtailor inform the affected Customer(s) if there’s a personal data breach?
Yes, our DPA contains a detailed description of our process for informing a Customer of a personal data breach affecting the Customer. We commit to notifying our Customers without undue delay, and at least within 48 hours, after becoming aware of a personal data breach affecting the Customer.
8. Blocking access and deletion
8.1 Is it possible to block access to Service Personal Data?
Yes, you can block the access to particular Service Personal Data, and thereby exempt it from being processed for any other purpose than storage. This is done by using the archived mode in the Service.
8.2 Is it possible to delete Service Personal Data?
Yes, if you want to delete Service Personal Data, please contact help@aboardhr.com.
8.3 What is the deletion process after termination of the Service?
When the Agreement is terminated, you can instruct us to return and/or delete all Service Personal Data from the Service. We will comply with this instruction as soon as we can, and at least within sixty (60) days after termination of the Agreement.
If you haven’t requested erasure or return within thirty (30) days of termination, we will delete all Service Personal Data as soon as reasonably practicable, and at least within sixty (60) days of termination.
Disclaimer
This information is not legal advice, and it’s not part of our agreement with our Customers.
The views expressed in this FAQ are in good faith. While we’ve taken every care in preparing it, we make no representations and give no warranties regarding its content.
Ultimately, you are responsible for ensuring that your use of the Service complies with applicable laws and regulations. We recommend that you consult with your legal counsel to make sure this will be the case.