T:Buddy - Privacy Policy (English Global)

Privacy Policy (T:Buddy Web Version)

In this privacy policy, we inform you about the processing of personal data and about the access and storage of information on your end device when you use T:Buddy: https://tbuddy.transcom.com/.

T:Buddy is designed as a communication and one-stop HR solution platform accessible using a downloadable mobile application and a web-based interface. T:Buddy is designed with several features that are individually deployable depending on the country’s preference.

The General Data Protection Regulation (hereinafter abbreviated as the GDPR) aims to ensure that every person affected by data processing (i.e. including employees in the employment relationship) is aware of the extent to which their personal data is processed.

Personal data is information that relates to an identified or identifiable person. This primarily includes information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or email address. However, personal data also includes certain identifiers such as your IP address or the device ID of the end device you are using.

Usage data is information collected automatically (or third-party services), which can include: the IP addresses or domain names of the computers utilized by the users of our, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the user, the various time details per visit (e.g., the time spent on each page) and the details about the path followed with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.

User is an individual using our app, who, unless otherwise specified, coincides with the Data Subject.

Data subject is a natural person to whom the Personal Data refers.

Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of our app. The Data Controller, unless otherwise specified, is the TRANSCOM.

Cookies are small sets of data stored in a user’s device.

1. Contact details of the Controller and the Data Protection Officer (DPO)

The contact person and so-called Controller for the processing of your personal data when you visit our web-based T:Buddy within the meaning of the General Data Protection Regulation (GDPR) is (depending on where you are located):

Transcom WorldWide AB
Hälsingegatan 40
PO Box 45033
SE – 104 30 Stockholm
Sweden
Email: buddy@transcom.com

Transcom WorldWide Philippines, Inc.
Silver City 5, Office Lane,
Ortigas East, Brgy. Ugong
Pasig City
Email: buddy@transcom.com

You have the option to contact us via email. In this context, we process your data exclusively for the purpose of communicating with you.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as your details are required to answer your enquiry, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in you contacting us and us being able to answer your enquiry.

The data collected by us when you contact us will be automatically deleted after your enquiry has been fully processed, unless we still need your enquiry to fulfil contractual or legal obligations (see Section 6 “Storage duration”).

If you have any questions about data protection in connection with our app and the data processing related to T:Buddy, you can also contact our data protection officer at any time. The data protection officer can be contacted at the above postal address and at the e-mail address dpo@transcom.com (keyword: “Attn. data protection officer”). We expressly point out that when using this e-mail address, the contents are not exclusively taken note of by our data protection officer. If you wish to contact solely our data protection officer and/ or if you wish to send confidential information, please refer in your email to the data protection officer and please ask for contacting you.

2. Data processing on T:Buddy web version
2.1 Accessing the T:Buddy web version / connection data

Each time you use our web-based version of T:Buddy, we process technical data that your browser automatically transmits to enable you to visit the website. This connection data comprises the so-called HTTP header information, including the user agent, and includes in particular:

Date and time of use
Browser name
Device system language
IP Address

The data processing of this connection data is necessary to enable the visit to the website, to ensure the permanent functionality and security of our systems and to maintain our website in general for administrative purposes. The connection data is also stored in internal log files for the purposes described above, temporarily and limited in content to what is necessary, in order to find the cause and take action in the event of repeated or criminal calls that jeopardise the stability and security of our website.

The log files are generally stored for six months and then anonymised. In exceptional cases, individual log files and IP addresses are stored for longer in order to prevent further attacks from this IP address in the event of cyber-attacks and/or to take action against the attackers by way of criminal prosecution.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in enabling website access and the permanent functionality and security of our systems. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states.

2.2 Hosting of content related files

This website uses storage services of Google Cloud Platform, which is provided by Google Ireland Limited, Gordon House, 4 Barrow Street, D04 E5W5 Dublin, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“GCP”).

We use GCP to store all content related files such as images you upload or documents contained in T:Buddy as well as to ensure reliable performance, secure data storage, and scalable infrastructure for our T:Buddy web version. GCP helps us maintain a secure and efficient web environment.

The legal basis is Art. 6 para. 1 lit. b GDPR, and otherwise Art. 6 para 1 lit. f GDPR, based on our legitimate interest in providing a reliable and secure website for our users.

We have concluded a data processing agreement with Google. Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 para. 2 lit. c GDPR.

For more information please refer to Google’s Privacy Policy: https://policies.google.com/privacy.

2.3 Registration and authentication

For our web version of T:Buddy, you must login to the website using Google Sign-in (provided by Transcom).

For the purpose of simplifying user authentication by allowing users to log into multiple applications and services with a single Google account, enhancing security through centralized and robust authentication processes we use the Google Single Sign-On (SSO) service, which is is provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

The legal basis for processing the data required for registration is Art. 6 para. 1 lit. b GDPR. For all other data, the legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to enable you to customise, adapt and change your account, or your consent pursuant to Art. 6 para. 1 lit. a GDPR, insofar as you have given us this.

2.3.1 Personal data already provided to TRANSCOM

In order to complete the registration process, we need to compare and, if necessary, supplement the data you have provided with the information stored in our SAP system. Please note that SAP does not receive any additional data through this process and does not act as an active service provider for this purpose. For more information, please see the Employee Privacy Notice.

2.3.2 Google OAuth

Our website uses the OAuth 2.0 service offered by Google Ireland Limited, Gordon House, 4 Barrow Street, D04 E5W5 Dublin, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”).

OAuth enables API authorisation without us receiving your access data. By logging in via the OAuth procedure and then confirming access in the OAuth consent screen, personal data can be sent from Google to us and from us to Google. This refers to information such as IP address, browser used, etc. and not data such as your real name or address.

The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states.

Information on what data Google collects and how Google uses this data can be found in Google’s privacy policy: https://policies.google.com/privacy.

2.4 PeopleHub

For our service “PeopleHub” that includes an HR ticketing feature as well as a knowledge base in the T:Buddy application we use the cloud-based platform ServiceNow. ServiceNow is a service provided by ServiceNow Inc., located at 2225 Lawson Lane, Santa Clara, CA 95054, USA (“ServiceNow”).

Our HR ticketing feature enables you to raise tickets about any HR-related topic (including payroll disputes) and our HR knowledge base enables you to find answers to HR-related questions from various subjects such as benefits, compensations, HR policies etc.

As part of HR ticketing, we process your name and your SAP ID, the selection of ticket types and (sub)categories, files attached by you and the respective conversation history.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, and otherwise is Art. 6 para 1 lit. f GDPR, based on our legitimate interest, to provide high-quality services for our employees.

We concluded a data processing agreement with ServiceNow. Since ServiceNow is located in the USA, your personal data may be transferred in the USA. ServiceNow has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

For more information on, please refer to the Privacy Policy of ServiceNow: https://www.servicenow.com/service-privacy.html

2.5 Surveys

You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service.

For providing surveys we use Google Forms, a service which is provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

The data processed in each case is derived from the respective survey. The legal basis for processing of your personal data when participating in the survey is your consent in accordance with Art. 6 para. 1 lit. a GDPR.

Information on what data Google collects and how Google uses this data can be found in Google’s privacy policy: https://policies.google.com/privacy.

2.6 Mood Checker (for AAPAC only)

For the purpose of providing the user-based optional Mood-Checker and ensuring that the mood is being actioned upon, one can select their sentiment for the day from a set of emoticons (happy, neutral, sad, worried, angry and sick). For this purpose we collect sentiment data.

For the purpose of providing the subsequent questionnaire from Daily Mood Checker, we collect the following data regarding to the given answer for the Daily Mood Checker:

If your mood is work related (yes/no)
If you receive adequate support (yes/no)
If you soon leave the company (yes/no)
Additional comments about your mood

The legal basis for this processing is in each case your consent in accordance with Art. 6 para. 1 lit. a GDPR

2.7 Further T:Buddy features

The legal basis for the processing described below is Art. 6 para. 1 lit. b GDPR, and otherwise is
Art. 6 para 1 lit. f GDPR, based on our legitimate interest, to provide high-quality services for our employees.

The optional sharing of your sentiment is in each case based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.

My Profile: This feature allows you to view your profile data and customize your profile photo.
News feed: This feature allows you to view local and global organizational content. You can also share your sentiment depending on your reaction to the respective content or post a comment.
Careers: This feature allows you to view external and internal job postings and referral programs. You can also share your sentiment depending on your reaction to the respective job posting.
Company Policies: This feature allows you to view company’s global and local policies.
Discounts: This feature allows you to view discount affiliations. You can also share your sentiment depending on your reaction to the respective discount.
Information: This feature allows you to view other informational content. You can also share your sentiment depending on your reaction to the respective content.
My Tools: This feature allows you to view Transcom tools and links.
Calendar: This feature allows you to view upcoming events and holidays.
Awards: This feature allows you to view certain employee recognitions.
Newsletter: This feature allows you to view campaign or organizational newsletters.
Org-Chart: This feature allows you to view our Org-Chart or rather our organizational hierarchy, which includes employee names, individual corporate email addresses, individual country and site assignment.
My Team (for local People Managers): This feature allows People Managers to view their team’s mood and the completion status for mandatory courses of their team members.
My Space (for Philippines only): This feature allows you to view your available Personal Time Off (leave credits) and the amount of as well as transactions and eligibility in the context of Perfect Attendance Rewards. Furthermore, you can view your eligibility for Work-at-home.
Shuttle (for Philippines only): This feature allows you to view shuttle schedules.

3. Use of tools on the website
3.1 Technologies used

The web version of T:Buddy uses services and applications (collectively “tools”) that are offered either by us or by third parties. These include, in particular, tools that use technologies to store or access information in the end device:

Cookies: Information stored on the end device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
Web storage (local storage / session storage): Information stored on the end device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with a time entry). Information in local and session storage can also be deleted manually.
JavaScript: Programming codes (scripts) embedded or called up in the website that, for example, set cookies and web storage or actively collect information from the end device or about the user behaviour of visitors. JavaScript may be used for “active fingerprinting” and the creation of user profiles. JavaScript can be blocked by a setting in the browser, although most services will then no longer work.

With the help of these technologies and also by simply establishing a connection on a page, it may be possible to create so-called “fingerprints“, i.e. user profiles that do not require the use of cookies or web storage but can still recognise visitors. Fingerprints based on the connection setup cannot be completely prevented manually.

Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you can usually adjust your browser settings so that all or certain cookies are rejected, or scripts and graphics are blocked. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services will probably not function or not function without disruption.

In the following, the tools we use are listed by category, whereby we inform you in particular about the providers of the tools, the storage duration of cookies or information in local storage and session storage as well as the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can revoke this consent.

If – even despite the greatest care – the information in the consent banner contradicts the information in this privacy policy, the information in this privacy policy shall take precedence.

3.2 Legal bases and revocation
3.2.1 Legal bases

We use tools necessary for website operation on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in order to provide the basic functions of the web version of T:Buddy. In certain cases, these tools may also be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states.

We use all other non-essential (optional) tools that provide additional functions on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states. Data processing using these tools only takes place if we have received your consent for this in advance.

If personal data is transferred to third countries, we refer, also with regard to any associated risks, to Section 5 (“Data transfer to third countries”). We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools and the associated transfer of your personal data to third countries, we will (also) transfer the data processed when using the tools to third countries on the basis of this consent in accordance with Art. 49 para. 1 lit. a GDPR.

3.2.2 Obtaining and withdrawing your consent

You agree to the processing of your personal data in the context of using T:Buddy by clicking the
“I confirm” button on the welcome page of T:Buddy after you have read the Privacy Policy. The fact that you agreed is stored directly in the T:Buddy database and is only requested once when you first log in via a web-based browser.

Your consent or withdrawal, your IP address, information about your device and the time of your visit will be transmitted to T:Buddy database and Google Analytics.

To withdraw your consent, you can click on this link and send your request. Please note that withdrawing your consent will result in the deletion of your T:Buddy account.

3.3 Analysis tools

In order to improve T:Buddy, we use optional tools to recognise visitors and to statistically record and analyse general user behaviour based on access data (“analysis tools”). We also use analysis services to evaluate the use of our various marketing channels. The usage information collected is processed in aggregated form and enables us to track the usage habits of our visitors. This helps us to adapt and optimise the design of our website and make the user experience more pleasant.

The legal basis for the analysis tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states.

In the event that personal data is transferred to third countries, in addition to the information provided below, we refer to Section 5 (“Data transfer to third countries”).

3.3.1 Google Analytics 4

Our web version of T:Buddy uses the Google Analytics 4 service (“Google Analytics”), which is provided by Google Ireland Limited, Gordon House, 4 Barrow Street, D04 E5W5 Dublin, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”).

We have made the following data protection settings for Google Analytics:

IP anonymisation (shortening of the IP address before evaluation);
Automatic deletion of old visit logs by limiting the storage period to 2 months;
No resetting of the retention period for new activity;
Deactivation of the recording of precise location and position data;
Deactivation of the recording of precise device data;
Deactivated advertising function (including target group remarketing by GA Audience);
Deactivated remarketing;
Deactivated cross-device and cross-page tracking (Google Signals);
Deactivated data sharing with other Google products and services, benchmarking, technical support, account manager.

This service processes the following data:

Device information;
Operating system;
Cookies (Cookie Browser Session UID, Google Analytics Cookies);
Usage data;
Number of sessions;
Duration of session;
Number of users;
Geography/ region.

Google Analytics sets the following cookies for the specified purpose with the respective storage duration:

“_ga” (2 years), “_gid” (24 hours): Recognising and distinguishing visitors by a user ID;
“_ga_(G-5HFGPB667J)” (2 years): Retention of the information of the current session;
“_gac_gb_(G-5HFGPB667J)” (90 days): Storage of campaign-related information.

Further information can be found in Google’s privacy policy: https://policies.google.com/privacy.

4. Disclosure of data

In certain cases, we may disclose some of your data that we process in the context of your use of T:Buddy to entities and individuals outside of our company. These third parties are called “recipients of personal data” by law.

The data collected by us will only be disclosed if there is a legal basis for this under data protection law in the specific case, in particular if:

you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR,
the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
we are legally obliged to disclose data in accordance with Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to official enquiries, court orders and legal proceedings, or
this is legally permissible and required in accordance with Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that are carried out at your request.

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include, in particular, data centres that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.

5. Transfers to a third country

The recipients of your personal data may in some cases be located in so-called third countries, i.e., countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include, among others, the Standard Contractual Clauses (“SCC”) of the European Union or binding corporate rules. Where this is not possible, we base the data transfer on exceptions of Art. 49 GDPR, in particular your consent or the necessity of the transfer for the performance of the contract.

EU standard contractual clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en

6. Duration of storage

We store the data for as long as it is required for the above-mentioned purposes. Data that is relevant, for example, for the tax office or the social insurance agency, is subject to statutory retention periods. We must comply with these retention obligations (in particular e. g. in Germany: according to Section 257 Commercial Code (HGB), Section 147 Tax Code (AO)). When the obligation to retain the data no longer applies, the data in question is deleted or destroyed.

In particular we store your master data, contact data and employee data for 60 days from resign (automated) or immediately upon request.

7. Your rights, in particular revocation and objection

You are entitled to the data subject rights formulated in Art. 7 Para. 3, Art. 15 – 21 at any time if the respective legal requirements are met:

Right to withdraw your consent (Art. 7 (3) GDPR);
Right to object to the processing of your personal data (Art. 21 GDPR);
Right to information about your personal data processed by us (Art. 15 GDPR);
Right to rectification of your incorrect personal data stored by us (Art. 16 GDPR);
Right to erasure of your personal data (Art. 17 GDPR);
Right to restriction of processing of your personal data (Art. 18 GDPR);
Right to data portability of your personal data (Art. 20 GDPR).

You have the right to withdraw your consent at any time. As a result, we will no longer continue the data processing that was based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Please note that the revocation of your consent leads to the deletion of your T:Buddy account.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it concerns an objection to data processing for direct marketing purposes, you have a general right to object, which we will also implement without you having to give reasons.

If you would like to exercise your right to erasure or objection, simply use the link provided above under Section 3.2.2.

Finally, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR at. You can assert this right, for example, with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement.

We at TRANSCOM take your data protection rights seriously. Therefore, please do not hesitate to contact us at the following e-mail address dpo@transcom.com.

8. Changes to the privacy policy

We occasionally update this privacy policy, for example when we customise T:Buddy or when legal or regulatory requirements change.

Version: 1.1 / Status September 2024