LicenceOne's browser extension and German data protection law (Bundesdatenschutzgesetz / BDSG)

This article provides guidance to employers on the sections of the Bundesdatenschutzgesetz (BDSG) that might apply when deploying LicenceOne's browser extension in their company. In the interest of simplicity, we have excluded sections that apply equally to all data processors that an employer engages. For example, we have not mentioned that you must notify employees of breaches of their personal data.

This article is for informational purposes only and should not be seen as legal advice. We encourage you to consult a qualified lawyer in your locality to ensure you're fully in line with all labour, regional, and federal laws. Our guidance isn't a substitute for legal expertise, and we're not liable for any inaccuracies or omissions.

Overview of LicenceOne’s Browser Extension


LicenceOne's browser extension is a tool designed to help companies detect what online business applications are being used by their employees. More precisely, it helps companies detect unused licences and seats on their software subscriptions, links employees to the software they have access to, and helps companies ensure logins are removed for employees if and when they leave the company.

Employer responsibilities under BDSG


Before getting into regulations, let's set out a few terms we'll be using and what they refer to:

Employee is a Data Subject / Betroffene Person
Employer or Company is a Data Controller / Verantwortlicher
LicenceOne or We, Our is a Data Processor / Auftragsverarbeiter

1. Lawful Processing


Employers should only request that LicenceOne process employees' personal data if they have a lawful reason for doing so. Given that different employers might have different cultures and needs, we are unable to provide the one reason that might work for every company. However, please find below a list of the lawful reasons accepted by BDSG § 36 and GDPR Art. 6, alongside how they could reasonably apply to an employer implementing LicenceOne's browser extension:

Consent - The extension is only installed on a browser when the employee has consented to it; it is not installed if the employee refuses. ⚠️ § 26 (2) of the BDSG highlights that consent isn't automatically acceptable in an employee-employer relationship, as employees may give consent under duress of career consequences. We therefore suggest that consent is not the only lawful reason that employers choose when deploying the extension.
Processing for employment-related purposes - It could be considered reasonable that the employer monitors the business applications that their employees have accessed in a professional context, especially if the employer manages particularly sensitive data. This should, however, come with the caveat that the extension is only ever installed on work devices and never installed on personal devices of the employee.
Necessary for compliance with a legal obligation to which the employer is subject - It could be considered reasonable, if the employer is subject to robust data protection laws, that the employer also needs to track all the business software that an employee accesses in case the employee has unwittingly stored confidential/personal information with unauthorized providers. For example, an employee has signed up for a free Trello account to use as their CRM without the employer's knowledge, clients' personal data is being stored there, and the employer is subject to GDPR regulations.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Security) - If the employee leaves the company, the employer most likely has a legitimate interest in knowing what software the employee had access to so that the (now-ex)employee is removed immediately, ensuring they no longer have access to company secrets.

2. Respect Employees' Rights



Access rights (BDSG § 57)
Employees, upon request, have the right to be informed of any personal data processing by their employer, as well as the right to view what data has been processed. In the context of using LicenceOne's browser extension, you should inform employees of the following information:

Data processor: LicenceOne S.A.S.
Data hosting location: Paris, France with CleverCloud
Types of Personal Data Processed: Professional email, Full name, Language, IP Address, URLs visited on the browser(s) where the LicenceOne extension is installed¹, Timestamps of aforementioned visited URLs, Company name, Company country
Legal basis for processing: Fill in according to the lawful reasons that you decided upon in the previous section
Data storage period: Duration of employee's employment contract -OR- until the end of the employer's sales contract with LicenceOne + 6 months from the contract end date; whichever comes first

¹ See the Data minimization section to read about how we only collect the minimum data required

To respect employees' right to view the data that has been processed, you may choose from the following solutions:
Invite employees to your LicenceOne workspace via the users section. You may invite employees with the Employee access role, which has been specifically created for this purpose
Employees will always see the applications that have recently been attributed to their employee profile by opening the extension
Employees and employers may contact LicenceOne and request a full export of the personal data processed

Right to rectification, erasure and to restriction of processing (BDSG § 58)
Employees have the right to rectify any inaccurate personal data that is processed. This can be accomplished through the following methods:
Employees can update the data on their user profile themselves
If there are any inaccurately linked business applications, employers and employees may contact LicenceOne

Employees also have the right to request that their data is deleted in circumstances where processing such data is unlawful, knowledge of the data is no longer necessary for the performance of tasks, or the data must be erased to comply with a legal obligation. They may do so by contacting their employer, who can then contact LicenceOne to carry out the deletion request.

Under certain conditions outlined in § 58 of BDSG, the employer may also request that instead of erasure, the processing of the employees' data is restricted. This can also be done by contacting us.

3. Naming a Data Protection Officer


Your company, as data controller, may not have named a data protection officer (DPO) previously because you did not meet the requirements under § 38 of BDSG or Art. 37 of GDPR. If this is the case, we strongly recommend assigning a DPO upon implementing the LicenceOne browser extension, as you will then be systematically monitoring employees, which fits the mandatory requirements to name a DPO under Art. 37 of GDPR.

4. Data minimization (§ 71 BDSG & Art. 5(1)(c) GDPR)


When an employee visits a website, the URL is sent to LicenceOne's servers to check if that URL exists in our database of online business software. If it does, we link that application with the employee profile and show the employer that the employee accessed that app.

If, however, the URL does not exist in our database of online business software, we do not make it viewable to the employer. Consequently, since it has no use being stored for LicenceOne to fulfil its contractual obligations with the employer, we will do nothing else with that visit record, and it will be deleted from all of our systems after seven days. This delay is to allow a reasonable time for LicenceOne to provide support to users that report that their online business software has not been tracked. In such instances, we may need to consult these logs to identify the issue. Additionally, these logs are technically locked-off, and are only viewable by 2 employees at LicenceOne.

In brief: personal browsing data and non-business-related activities are not tracked or displayed to employers, and are deleted as soon as reasonably possible, ensuring privacy and adherence to the principle of data minimization.

5. Contacting LicenceOne in relation to BDSG


For all questions related to data protection, please don't hesitate to reach out to us via help@licenceone.com or through our live chat tool when logged into your LicenceOne workspace.

Updated on: 16/02/2024
