Articles on: Login data sources

LicenceOne's bowser extension and German data protection law (Bundesdatenschutzgesetz / BDSG)

This article provides guidance to employers on the sections of the Bundesdatenschutzgesetz (BDSG) that might apply when deploying LicenceOne's browser extension in their company. In the interest of simplicity, we have excluded sections that apply equally to all data processors that an employer engages. For example, we have not mentioned that you must notify employees of breaches of their personal data.

This article is for informational purposes only and should not be seen as legal advice. We encourage you to consult a qualified lawyer in your locality to ensure you're fully in line with all labour, regional, and federal laws. Our guidance isn't a substitute for legal expertise, and we're not liable for any inaccuracies or omissions.

Overview of LicenceOne’s Browser Extension

LicenceOne's browser extension is a tool designed to help companies detect what online business applications are being used by their employees. More precisely, it helps companies detect unused licences and seats on their software subscriptions, links employees to the software they have access to, and helps companies ensure logins are removed for employees if and when they leave the company.

Employer responsibilities under BDSG

Before getting into regulations, let's set out a few terms we'll be using and what they refer to:

Employee is a Data Subject / Betroffene Person
Employer or Company is a Data Controller / Verantwortlicher
LicenceOne or We, Our is a Data Processor / Auftragsverarbeiter

1. Lawful Processing

Employers should only request that LicenceOne process employees' personal data if they have a lawful reason for doing so. Given that different employers might have different cultures and needs, we are unable to provide the one reason that might work for every company. However, please find below a list of the lawful reasons accepted by BDSG § 36 and GDPR Art. 6, alongside how they could reasonably apply to an employer implementing LicenceOne's browser extension:

Consent - The extension is only installed on browsers when the employee has consented to do so, but it is not installed if employees refuse. ⚠️ § 26 (2) of the BDSG highlights that consent isn't automatically acceptable in an employee-employer relationship, as employees may give consent under duress of career consequences. We therefore suggest that consent is not the only lawful reason that employers choose when deploying the extension
Processing for employment-related purposes - It could be considered reasonable that the employer monitors the business applications that their employees have accessed in a professional context; especially if the employer manages particularly sensitive data. This should, however, come with the caveat that the extension is only ever installed on work devices and never installed on personal devices of the employee
Necessary for compliance with a legal obligation to which the employer is subject - It could be considered reasonable, if the employer is subject to robust data protection laws, that the employer also needs to track all the business software that an employee accesses in case the employee has unwittingly stored confidential/personal information with unauthorized providers. For example, an employee has taken a free Trello account to use as their CRM, but their employer isn't aware, yet the personal data of clients is being stored there, and the employer is subject to GDPR regulations
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Security) - If the employee leaves the company, the employer most likely has a legitimate interest to know what software the employee had access to so that the (now-ex)employee is removed immediately, ensuring they no longer have access to company secrets.

2. Respect Employees Rights

Access rights (BDSG § 57)
Employees, upon request, have the right to be informed of any personal data processing by their employer, as well as the right to view what data has been processed. In the context of using LicenceOne's browser extension, you should inform employees of the following information:

Data processorData hosting locationTypes of Personal Data ProcessedLegal basis for processingData storage period
LicenceOne S.A.S.Paris, France with CleverCloudProfessional email, Full name, Language, IP Address, URLs visited on the browser(s) where the LicenceOne extension is installed¹, Timestamps of aforementioned visited URLs, Company name, Company countryFill in according to the lawful reasons that you decided upon in the previous sectionDuration of employee's employment contract -OR- until the end of the employer's sales contract with LicenceOne + 6 months from the contract end date ; whichever comes first

¹ See the Data minimization section to read about how we only collect the minimum data required

To respect employee's rights to view the data that has been processed, you may choose from the following solutions:
Invite employees to your LicenceOne workspace via the users section. You may invite employees with the Employee access role, which has been specifically created for this purpose
Employees will always see the applications that have recently been attributed to their employee profile by opening the extension
Employees and employers may contact LicenceOne and request a full export of the personal data processed

Right to rectification, erasure and to restriction of processing (BDSG § 58)
Employees have the right to rectify any inaccurate personal data that is processed. This can be accomplished through the following methods:
Employees can update the data on their user profile themselves
If there are any inaccurately linked business applications, employers and employees may contact LicenceOne

Employees also have the right to request that their data is deleted in circumstances where processing such data is unlawful, knowledge of the data is no longer necessary for the performance of tasks, or the data must be erased to comply with a legal obligation. They may do so by contacting their employer, who can then contact LicenceOne on to carry out the deletion request.

Under certain conditions outlined in § 58 of BDSG, the employer may also request that instead of erasure, the processing of the employees' data is restricted. This can also be done by contacting us.

3. Naming a Data Protection Officer

Your company, as data controller, may not have named a data protection officer (DPO) previously since you did not meet the requirements under § 38 of BDSG nor Art. 37 of GDPR. If this is the case, we strongly recommend assigning a DPO upon implementing the LicenceOne browser extension as you will therefore be systematically monitoring of employees, fitting the mandatory requirements to name a DPO under Art. 37 of GDPR.

4. Data minimization (§ 71 BDSG & Art. 5(1)(c) GDPR)

When an employee visits a website, the URL is sent to LicenceOne's servers to check if that URL exists in our database of online business software. If it does, we link that application with the employee profile and show the employer that the employee accessed that app.

If, however, the URL does not exist in our database of online business software, we do not make it viewable to the employer. Consequently, since it has no use being stored for LicenceOne to fulfil its contractual obligations with the employer, we will do nothing else with that visit record, and it will be deleted from all of our systems after seven days. This delay is to allow a reasonable time for LicenceOne to provide support to users that report that their online business software has not been tracked. In such instances, we may need to consult these logs to identify the issue. Additionally, these logs are technically locked-off, and are only viewable by 2 employees at LicenceOne.

In brief: personal browsing data or non-business-related activities are not tracked or displayed to employers, and deleted as soon as reasonably possible, ensuring privacy and adherence to the principle of data minimization.

5. Contacting LicenceOne in relation to BDSG

For all questions related to data protection, please don't hesitate to reach out to us via or through our live chat tool when logged into your LicenceOne workspace

Updated on: 16/02/2024

Was this article helpful?

Share your feedback


Thank you!