Updated as at 18th August 2020
1. Our approach to privacy
1.2. BrioHR operates a cloud-based human resources management solution available via our website https://www.briohr.com/ (our “Website”), our application software (our “Platform”), and our mobile application software for digital tablets and mobile phones (our “App”) as well as other products and services that we make available (together, the “BrioHR Services”).
1.6. The Customer shall be the Controller of the personal information and BrioHR shall be the Processor of the personal information (as such terms are defined in the General Data Protection Regulation 2016/679 (“GDPR”)).
2. Personal information we collect about End Users and how we use it
2.1. Information given to us. We collect personal information about End Users when End Users or the Customer voluntarily submit information directly to us by filling in forms on our Website, Platform, or App, or by corresponding with us by phone, email or other means. This includes information End Users or the Customer provide when they register to use our Website, Platform, or App, subscribe to the BrioHR Services, participate in any discussion boards, forums or other social media functions on our site or enter a competition, promotion or survey and when End Users or the Customer report a problem with our Website, Platform, or App or use some other feature of the BrioHR Services as available from time to time.
2.2. If End Users or the Customer choose not to provide personal information, we may not be able to provide the BrioHR Services or respond to other requests.
2.3. Information we receive from other sources. We may work closely with third parties (including, for example, subcontractors in technical and payment services, and analytics providers) and may receive information about End Users directly from them, subject to the End Users’ agreements with them.
2.4. The table at Annex 1 sets out the categories of personal information End Users provide to us and that we receive from other sources and how we use that information. The table also lists the legal basis which we rely on to process the personal information.
2.5. We also automatically and indirectly collect personal information about how End Users access and use the BrioHR Services, and information about the device End Users use to access the BrioHR Services.
2.6. The table at Annex 2 sets out the categories of personal information we collect about End Users automatically and how we use that information. The table also lists the legal basis which we rely on to process the personal information and information as to how we determine applicable retention periods.
2.8. We may link or combine the personal information we collect and/or receive about End Users and the information we collect automatically. This allows us to provide End Users and the Customer with a personalized experience regardless of how they interact with us.
2.9. We may anonymize and aggregate any of the personal information we collect (so that it does not identify End Users). We may use anonymized information for purposes that include testing our IT systems, research, data analysis, improving the BrioHR Services and developing new products and features. We may also share such anonymized information with others.
2.10. End Users’ personal information collected via the Platform and/or the App will not be used for marketing purposes. Only personal information willingly provided to us via our Website may be used for marketing purposes.
3. Disclosure of End Users’ personal information
3.2. Usage and personal information to: business partners, vendors, suppliers, and subcontractors who perform services on our behalf (these companies are authorized to use End Users’ personal information only as necessary to provide these services to us); and
3.3. Anonymous usage information to: analytics and search engine providers that assist us in the improvement and optimization of our Website.
3.4. BrioHR shall notify Customer and End Users from time to time of the identity of any sub-processors engaged. If Customer or End Users (acting reasonably) object to a new sub-processor on grounds related to the protection of the personal information only, then Customer or End Users may request that BrioHR moves the personal information to another sub-processor and BrioHR shall, within a reasonable time following receipt of such request, use reasonable endeavours to ensure that the original sub-processor does not process any of the personal information. If it is not reasonably possible to use another sub-processor, and Customer or End Users continue to object for a legitimate reason, either party may terminate the BrioHR Services on thirty (30) days written notice. If Customer or End Users do not object within thirty (30) days of receipt of the notice, they will be deemed to have accepted the new sub-processor.
3.5. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet law enforcement requirements.
3.6. Publicly accessible blogs. Our Website includes publicly accessible blogs or community forums. Any information provided in these areas may be read, collected and used by others who access them. This includes information posted on our public social media accounts. To request removal of End Users’ personal information from our blog or community forum, contact us at email@example.com.
3.7. Testimonials. With consent, we may display personal testimonials of satisfied customers on our site, along with other endorsements. If you wish to update or delete your testimonial, you can contact us at firstname.lastname@example.org.
3.8. We may disclose personal information to third parties in connection with a business transaction. Personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business. If we are involved in a merger, acquisition, or sale of all or a portion of our assets, Customer and End Users will be notified via email and/or a prominent notice on our Website of any change in ownership that impacts the use of End Users’ personal information, as well as any choices they may have regarding End Users’ personal information.
4. Storing and transferring personal information
4.1. Security. BrioHR has implemented administrative, technical, organisational and physical safeguards and security measures to protect its and its customers’ information and ensure a level of security appropriate to the risk, including as appropriate, the measures referred to in article 32(1) of the GDPR. Where we have given Customer or End Users (or where Customer or End Users have chosen) a password which enables them to access certain parts of our BrioHR Services, they are responsible for keeping this password confidential. They should not share their password with anyone.
4.2. While no transmission of information via the internet is completely secure, we take reasonable measures to protect End Users’ personal information. We cannot guarantee the security of End Users’ personal information transmitted to our Website; any transmission is at End Users’ own risk. Once we have received End Users’ information, we will use strict procedures and security features to try to prevent unauthorized access.
4.3. International Transfers of personal information. The personal information we collect may be transferred to and stored in countries outside of the jurisdiction Customer and/or End Users are in where we and our third party service providers have operations. If End Users are located in the European Economic Area (“EEA”), their personal information may be processed outside of the EEA; these international transfers of their personal information are made pursuant to appropriate safeguards, and we will take suitable steps to ensure that their personal information is treated just as safely and securely as it would be within the EEA and under the GDPR. Such transfers shall be:
- to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects (as such term is defined in the GDPR) as determined by the European Commission; or
- to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
- governed by the standard contractual clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply) (the “Standard Contractual Clauses”) between the Customer or End Users as exporter and such third party as importer. For this purpose, the Customer and End Users appoint BrioHR as their agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Customer and End Users on their behalf.
4.5. Security Incident Notification. If BrioHR becomes aware of a security incident, BrioHR will (a) notify Customer and End Users of the security incident within 72 hours, and (b) investigate the security incident and provide Customer and End Users (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the security incident.
5. Retaining personal information
5.1. We will only retain End Users’ personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of our legitimate business interests and satisfying any legal or reporting requirements.
5.2. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of End Users’ personal information, the purposes for which we process End Users’ personal information and the applicable legal requirements.
5.3. If Customer wishes to unsubscribe from the BrioHR Services, Customer will receive an email confirming its un-registration from the BrioHR Services. Customer will not receive further email from BrioHR and End Users’ personal information will be deleted upon Customer’s last day of subscription.
6. Rights of End Users in respect of their personal information
6.1. In accordance with applicable data protection law, End Users have the following rights in respect of their personal information that we hold:
- Right of access and portability. The right to obtain access to their personal information along with certain information, and to receive that personal information in a commonly used format and to have it ported to another data controller.
- Right to rectification. The right to obtain rectification of their personal information without undue delay where that personal information is inaccurate or incomplete.
- Right to erasure. The right to obtain the erasure of their personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed.
- Right to restriction. The right to obtain the restriction of the processing undertaken by us on their personal information in certain circumstances, such as where the accuracy of the personal information is contested by the End Users.
- Right to object. The right to object, on grounds relating to their particular situation, to the processing of their personal information.
- Right to non-discrimination. The right to non-discrimination for exercising their rights as outlined in this policy. Discrimination includes, but is not limited to, denying them goods or services, charging different prices for similar services, or providing a different level or quality of service.
6.2. If End Users wish to exercise one of these rights, they should contact the Customer (or any authorised representative of the Customer) to address their requests. The Customer will have authority to ask us to access, correct or request deletion of the End Users’ personal information on their behalf by contacting us at email@example.com. We will respond to the Customer’s request within 10 days.
6.3. BrioHR does not sell personal information shared by End Users and Customer. All use of personal information is done for the delivery, use, and improvement of the BrioHR Services.
6.4. If an End User resides in the EEA, he/she has the right to lodge a complaint to his/her local data protection authority. Information about how to contact his/her local data protection authority is available at europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
7. Cookies and similar technologies
7.2. We use the following types of cookies:
- Strictly necessary cookies. These cookies may be required for the essential operation of our BrioHR Services such as to authenticate End Users and prevent fraudulent use.
- Analytical/performance cookies. These cookies allow us to recognize and count the number of visitors and to see how visitors move around our BrioHR Services when they are using them. This helps us to improve the way our BrioHR Services work, for example, by ensuring that End Users can find information easily.
- Functionality cookies. These cookies are used to recognize End Users when they return to our BrioHR Services. This enables us to personalize our content for End Users, greet them by name and remember their preferences (for example, their choice of language or region).
- Targeting cookies. These cookies record the pages visited and the links followed by the visitors of our Website. We will use this information to make our BrioHR Services more relevant to their interests.
7.4. End Users can block cookies by activating the setting on their browser that allows them to refuse the setting of all or some cookies. However, if they use their browser settings to block all cookies (including strictly necessary cookies) they may not be able to access all or parts of our Website.
8. Links to third party sites
8.1. The BrioHR Services may, from time to time, contain links to and from third party websites. These websites have their own privacy terms and we do not accept any responsibility or liability for their terms. End Users should check these terms before submitting any information to those websites.
8.2. Some of the pages on our Website may utilize framing techniques to serve content to/from our partners while preserving the look and feel of our Website. End Users should be aware that they are providing their personal information to these third parties and not to BrioHR.
9. Changes to this policy
10.1. If we need to provide End Users or Customers with information about something, whether for legal or other business related purposes, we will select what we believe is the best way to get in contact with them. We will usually do this through email or by placing a notice on our Platform, App or Website.
11. Contacting us
BrioHR Pte. Ltd.
160 Robinson Road, #14-04