What happens to my data?
This article is intended for employees who use the Hrmony meal subsidy or other benefits and want to know how Hrmony handles their personal data.
Who is responsible for my data?
Hrmony processes personal data of employees on behalf of the respective employer. The employer is the controller within the meaning of the GDPR β Hrmony acts as a processor. Hrmony concludes a data processing agreement (DPA) with each corporate customer in accordance with the GDPR, which bindingly regulates the type, purpose, and scope of data processing.
For what purpose is my data processed?
Hrmony processes personal data exclusively for the following purpose:
Calculation and provision of reimbursement amounts for the employer β with the goal of increasing the net salary of the employees.
Data or receipt images are not passed on to third parties for other purposes.
What data is processed?
| Data category | Examples |
|---|---|
| Personal master data | First name, last name, email address, personnel number |
| Account data | Email address, password |
| Receipt data | Issuer, date, item positions, amounts |
Hrmony follows the principle of data minimization β only the data that is actually necessary for the respective purpose is processed. If receipts contain additional information (e.g., private addresses, IBAN), these are not specifically extracted or used for own purposes.
What happens to submitted receipts?
When a receipt is submitted via the Hrmony app or by email, it goes through the following steps:
- Recording β The receipt is assigned to the user account
- Review β Automatic check for eligibility for reimbursement according to applicable guidelines
- Archiving β The receipt is electronically archived
The archiving period is at least the duration of the contract term between Hrmony and the employer β tax-relevant documents can be retained for up to 10 years. After the contract ends, the data will be returned upon the employer's request or deleted within 90 days.
Where is my data stored?
All Hrmony applications and services are hosted exclusively in data centers within the European Union β specifically in Frankfurt am Main (Germany) and Dublin (Ireland). The operator is Amazon Web Services EMEA SARL (AWS).
All data is transmitted encrypted (TLS 1.2 or higher) and stored encrypted (AES-256).
Who has access to my data?
- Hrmony employees receive only purpose-bound access β and only as far as absolutely necessary for contract fulfillment
- The least privilege principle applies: access is restricted to the necessary minimum
- All access is audit-proof logged
My rights as a data subject
As an employee, you have the following rights under the GDPR towards your employer as the controller:
- β Right of access β which data about you is stored
- β Right to rectification β in case of incorrect data
- β Right to erasure β under the legal conditions
- β Right to restriction of processing
- β Right to data portability
Data protection officer
The data protection officer at Hrmony is appointed in writing as:
Simpliant GmbH, Boris Arendt Fasanenstr. 12, 10623 Berlin π§ datenschutz@hrmony.de
Further information
- π How is data protection ensured at Hrmony?
- π How long are my employees' receipts retained?
- π What happens to archived receipts in the event of termination?
Questions about data protection? Please contact directly: π§ datenschutz@hrmony.de