Data Privacy for Enboarder

_{Information on data processing}

The responsible party is the respective BASF company with which you have concluded an employment contract (or, in the case of pre-boarding, the company with which you intend to conclude an employment contract).

Questions regarding data protection can be directed to: onboarding@basf.com

Enboarder acts only as a service provider of BASF and in this respect processes data only on behalf of BASF and only in accordance with the specifications and instructions of a data processing agreement (Art. 28 para. 3 GDPR).

Below BASF provides you with an overview of the transmission and processing of your personal data and your rights in accordance with the EU General Data Protection Regulation (GDPR). Further information on how the service provider processes data in general can be found here: https://enboarder.com/privacy/.

BASF has commissioned Enboarder Limited (UK), 10 John Street, London, WC1N 2EB, United Kingdom, to set up an onboarding and engagement platform for future and current employees. BASF uses this platform to use digital workflows to develop motivating and supportive experiences for employees along their employee lifecycle at BASF.  The use cases used include in particular:

• Pre-boarding/onboarding: For future or current employees (e.g., position change within the BASF Group, return from parental leave) who are being introduced to the BASF world either before or from the employment contract start date and are involved in the preparation of the employment relationship. This includes, for example:
  • sharing information about BASF as an employer,
  • about the location,
  • about the team and
  • the retrieval of contract-relevant information (e.g., by initiating an order for IT devices or work clothes).
• Mentoring & Learning: For current employees who are being supported in their further development at BASF with helpful information and instructions (e.g., learning materials). In addition, the tool can be used to enable knowledge transfer and networking among employees (e.g., through mentoring programs).
• Transition & Change Management: For current employees who are being supported in their change process (e.g., through process changes at BASF or projects that affect the employee's area of responsibility) with helpful information and guidance (e.g., learning materials). In addition, the tool can be used for networking with other employees (e.g., internal exchange).
• Offboarding: For current employees who are being supported with helpful information, guidance (e.g., for the return of company property) and networking opportunities (e.g., alumni networks) directly prior to leaving BASF.

You will be contacted by e-mail or SMS at the start of the Enboarder workflow to participate in the process via the platform. You can then decide which communication channel you would like to use to receive information (e-mail or SMS). The first time you access the platform, you will be asked to request a PIN code for access. This will be sent to you by e-mail or SMS, depending on the communication channel you have chosen. You will then receive automated messages at irregular intervals, alerting you to new information and tasks in the platform. To use the platform, you need an Internet-capable device with a browser (Chrome, Firefox, Edge, Safari), such as a computer or smartphone. For current BASF employees, communication may be technically limited to the BASF email address.

The following data are processed:
 

1. Communication data

In order to be able to contact you via the platform, the following data is transmitted to Enboarder and used for the online service:

• Master data (first name, last name, prefix (Mr, Ms etc.), academic title)
• Communication data (private e-mail, private mobile number, communication language)
• Data on the employment relationship (date of entry, start date, personnel number, org unit (department), company code (company), place of work, employee subgroup, time limits, shift/working time model, job title or, in the case of trainees, also training occupation)
• Usage data (information regarding whether and when you have viewed which content)
   

2. Other information

Depending on the use case of Enboarder, further information may be requested from you and stored in the platform. Possible examples:

The data provided by you will be used exclusively

a) to communicate with you to provide or request information from you

b) to carry out the measures necessary for the respective use case (e.g., ordering work clothes for onboarding, returning IT equipment for offboarding)

c) for the implementation of other internal processes for employee development (e.g., mentoring and learning)

d) to further improve BASF's online service for our new and current employees by asking you about your experience with the process.
 

The data will not be used to assess your performance. The data will only be viewed by those persons who are responsible for the Enboarder workflow at BASF, in particular the Human Resources department and your future manager or departments of the company who provide you with your work equipment or allow you access to the BASF site. This may also involve data transfers within the Group.

BASF processes your personal data in compliance with the provisions of the General EU Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) as well as all other relevant laws (e.g. BetrVG, ArbZG, etc.). Your personal data is treated confidentially and processed based on the following legal bases.
 

1. Processing for the fulfilment of pre-contractual and contractual obligations (§26 section 1 sentence 1 BDSG, Art. 6 section 1 sentence 1 lit. b) GDPR)

The processing of your personal data on the basis of E a) and E b) is carried out for the purpose of onboarding / offboarding and thus the execution of the employment relationship. The legal basis for this is § 26 section 1 sentence 1 BDSG, Art. 6 section 1 sentence 1 lit. b) GDPR.
 

2. Processing based on legitimate interests (Art. 6 section 1 sentence 1 lit. f) GDPR)

The processing of your personal data on the basis of E c) or E d) takes place in order to further improve our online service in the context of the Enboarder processes. The legal basis in this respect is Art. 6 section sentence 1 lit f) GDPR. The legitimate interests of BASF are to improve the design of the Enboarder process in order to ensure the most valuable support possible for employees.
 

3. Further Permissions

Where necessary, we also process your data to help solving crimes. The legal basis is § 26 section 1 sentence 2 BDSG.

We will not publish your personal data. Within our company only persons and bodies (e.g. HR department, Works Council, Severely Disabled Representatives) who need your personal data for fulfillment of their contractual and statutory duties will receive your data.

Within the BASF group, your data is provided to specific companies within the group if they centrally perform key tasks for affiliates within the company group (such as payroll or company pension) or perform cross-company functions on the basis of the organizational structure (such as HR development).

In addition, in order to fulfill our contractual and statutory obligations we in part employ different service providers (e.g. travel service, collection service provider, IT service provider, consulting companies).

We may also disclose your personal data to other recipients outside of the company if necessary for fulfillment of our contractual and statutory duties as an employer. These may be, for example:

• Official bodies (pension insurance provider, occupational pension schemes, Social Security providers, tax authorities, courts, professional associations)
• The employee’s bank (SEPA-payment medium)
• Receiving offices of healthcare providers
• Official bodies in order to guarantee claims from the company pension scheme
   

Our cloud provider and HR service provider are bound by contract to observe strict regulations regarding data protection. They are committed to handling your personal data with care. They are prohibited from using your personal data for their own purposes or from passing the personal data on to third parties.

It may be possible that an IT service provider from a third country would, in rare circumstances, receive limited access to your personal data during remote maintenance of IT services. We’ll inform you about exact details, if we are obliged by law.

In the event we disclose personal data to service providers or companies within the BASF group outside of the European Economic Area (EEA), the personal data will only be disclosed if the EU Commission confirmed an adequate data protection level for the third country or other data protection guarantees (such as binding corporate rules or EU standard contractual clauses) apply. You may request the information from the above service providers and companies.

Our processor stores your personal data in an extremely protected computer center in Frankfurt on the Main in Germany (or according to the regulations of your BASF company outside the EU, e.g., in Australia or the USA). The transfer of personal data is encrypted. Our processor uses technical and organizational safety measures to protect your personal data against accidental or willful manipulation, loss, destruction, or access by unauthorized persons. All the security measures and the compliance with data protection regulations are regularly audited by an independent entity.

The data required for the Enboarder service, including personal data, will be stored in the platform and deleted after the purpose has been achieved, no later than 6 months after completion of the Enboarder process.

1. Cookies

Enboarder uses the following cookies:

2.     Embedded YouTube videos
 

a. Data processing

We have integrated YouTube videos into our digital offer, which are stored on the YouTube platform and can be played directly from our website. YouTube is a service of Google LLC, D/B/A YouTube. 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter as ‘Google’). The videos are all embedded in the so-called ‘2-click-mode’, which means that no data about you as a user is being transferred to Google if you do not activate the video function. Before the video function’s activation, only a preview image loaded from our own web server is being displayed.

Data will only be transferred to Google if you activate such video functions. Once activated, we have no influence on this data transfer. The data transfer is carried out regardless of whether Google provides a user account through which you are logged in or no user account exists. If you are logged in to Google, your data will be assigned directly to your account. 

b. Purposes and legal basis

We use YouTube videos on Enboarder to easily present those videos to you. The legal basis for the processing of your personal data is your consent according to Art. 6 para. 1 sentence 1 lit. a GDPR. You grant this consent by activating the video function. If activated, your personal data will be transferred to Google as described above.

In the course of the data transfer to Google, your personal data will be transferred to servers of Google, which might also be located in the USA. The USA is a country that does not have a level of data protection which is adequate to that of the EU. This means that personal data can be accessed by US authorities in a simplified manner and that there are only limited rights to such measures. If you activate the YouTube video function, you expressly consent to the transfer of data to Google and to the transfer of your personal data to servers located in the USA.

If you have given your consent, you have the right to revoke it at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

You can revoke you consent at any time for the future by deactivating the “YouTube” video function in the respective Enboarder sequence.

c. Further information

Further information on data processing, in particular on the legal basis and storage period by Google, can be found in the provider's privacy policy (https://policies.google.com/privacy) and in the privacy banner on the YouTube platform. There you will also find further information on your rights and setting options to protect your privacy.

As a user of the platform you have the following rights:
 

1. Right of access (Art. 15 GDPR)

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to request access to the personal data and the information of the purposes of the processing.
 

2. Right to rectification (Art. 16 GDPR)

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you.
 

3. Right to erasure (Art. 17 GDPR)

You have the right to obtain form the controller the erasure of personal data concerning you without undue delay.
 

4. Right to restriction of procession (Art. 18 GDPR)

You have the right to obtain from the controller restriction of procession where the conditions of Art. 18 GDPR apply.
 

5. Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format.
 

6. Right to object (Art. 21 GDPR)

If we process your data to protect legitimate interests, you may object to this processing in accordance with Art. 21 GDPR for reasons arising from your particular situation. We will then no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this regulation (GDPR).

The supervisory authority with which the complaint has been lodged shall inform you on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 (GDPR).

Furthermore, you can file a complaint with the Data Protection Representative specified above or contact the Data Protection Authority, having jurisdiction for us:

Der Landesbeauftragte für den Datenschutz und
die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34
55116 Mainz