HR-ON Personal Data Policy
1. Information Obligation
In this Personal Data Policy, HR-ON describes how we comply with data protection law and fulfil our information obligation under the EU General Data Protection Regulation (GDPR).
Like all companies in the EU, HR-ON is obliged to inform you how we process the personal data we collect for various purposes. HR-ON complies with current data protection law, and the sections below explain how.
For more information about your rights, visit www.datatilsynet.dk.
1.1 Contact Details
HR-ON ApS
Østre Stationsvej 27, 3rd floor
5000 Odense C, Denmark
CVR: 34474540
Phone: +45 71 99 07 66
Email: support@hr-on.com
Enquiries regarding your personal data can be directed to the contact details above or directly to gdpr@hr-on.com.
2. Your Personal Data in HR-ON Recruit and HR-ON Staff
This section applies to you if you are a job candidate applying to an organisation that uses HR-ON Recruit, or an employee whose employer uses HR-ON Staff for HR administration and onboarding.
2.1 HR-ON's Role
When an organisation uses HR-ON Recruit or HR-ON Staff, that organisation is the data controller, meaning it decides what personal data is collected about you, why, and for how long. HR-ON acts solely as a data processor, processing your data on behalf of and under instruction from that organisation.
If you have questions about how your personal data is used, or wish to exercise your rights, you should contact the organisation (your prospective or current employer) directly. HR-ON will assist the data controller in responding to your request.
2.2 HR-ON Recruit: Candidates
When you apply for a job at an organisation that uses HR-ON Recruit as its applicant tracking system, your personal data is processed to manage the recruitment process.
Typical data collected: name, address, contact details, date of birth, education, work history, application, CV, attachments such as transcripts and references, and optionally a photo.
We ask that you do not include your national identity number (CPR) or sensitive information such as ethnic background, religion, political views, trade union membership, sexuality, or health, unless the organisation has explicitly requested it and has a lawful basis to do so. HR-ON's system will only process such data if the data controller has enabled that processing and has legal authority for it.
Retention: Your prospective employer decides how long your data is stored in HR-ON. Typically, data is kept for the duration of the recruitment process and deleted once the position is filled, unless you have consented to being kept in a talent pool for future opportunities.
2.3 HR-ON Staff: Employees and HR Operations
When your employer uses HR-ON Staff for HR administration, onboarding, and employee lifecycle management, your personal data is processed to support those operations.
Typical data processed: name, contact details, job title, department, employment dates, salary and payroll information, absence and leave records, onboarding documents, and any other HR data the employer chooses to maintain in the system.
Retention: Your employer decides how long your data is stored in HR-ON. HR-ON Staff allows employers to configure automatic deletion intervals, in line with their legal obligations and internal policies.
2.4 Your Rights as a Data Subject
As a candidate or employee whose data is processed through HR-ON's products, your GDPR rights, including access, rectification, erasure, restriction, portability, and objection, are exercisable against the data controller, that is, the organisation using HR-ON. Please contact them directly.
HR-ON will promptly assist the data controller in fulfilling any rights request you submit. A full description of your rights is in Section 9.
3. Processing of Personal Data in HR-ON Staff and Recruit
3.1 HR-ON's Role as Data Processor
When HR-ON delivers HR-ON Staff and HR-ON Recruit to a company or organisation, the customer is the data controller and HR-ON acts as the data processor. This means we process personal data exclusively on behalf of and under documented instruction from the customer. This relationship is governed by a Data Processing Agreement (DPA) entered into with the customer in accordance with GDPR Article 28.
HR-ON does not sell, share, or use customer data for its own purposes. All processing decisions, including the data collected, the purposes, and the retention periods, are made by the customer as data controller.
3.2 Types of Personal Data Processed
As a data processor on behalf of our customers, HR-ON processes personal data in connection with recruitment, onboarding, HR administration, and employee lifecycle management.
Depending on the customer's use of HR-ON Recruit and HR-ON Staff, this may include:
- General personal data, such as contact information, employment-related information, and recruitment data.
- National identity numbers (CPR), where the customer has a lawful basis and enables the relevant functionality.
- Special categories of personal data under GDPR Article 9, such as health information, where the customer has a lawful basis and enables the relevant functionality.
The specific categories of personal data processed, the purposes of processing, and the retention periods are determined by the customer acting as data controller.
3.3 Technical Security and Data Location
All personal data in HR-ON products is processed and stored exclusively within the EU/EEA:
- Encryption at rest: AES-256 via AWS Key Management Service (KMS). Encryption keys are owned and controlled by HR-ON and stored in the EU. AWS KMS uses FIPS 140-2 validated Hardware Security Modules (HSMs), and plaintext keys never leave the HSM.
- Encryption in transit: TLS 1.2 or higher for all communications, including API calls, database connections, and client-server traffic.
- Data location: Primary: Frankfurt, EU (eu-central-1). Secondary backup: Ireland, EU (eu-west-1). Personal data processed within HR-ON Recruit and HR-ON Staff remains within the EU/EEA.
- Backups: Daily automated backups with 14-day retention.
- Logging: Access to personal data is logged at both application and system level. Logs are retained for 90 days.
3.4 Sub-Processors
HR-ON uses the following approved sub-processors to deliver its services. Customers are notified at least 30 days in advance of any planned changes to the sub-processor list and retain the right to object to changes:
| Sub-Processor | Processing Purpose |
|---|---|
| Amazon Web Services (AWS) | Server hosting, networking, and infrastructure |
| Penneo A/S | Digital signing via MitID |
| Signicat AS | Digital identity verification and e-signature |
| GatewayAPI | SMS message delivery |
| Bunny.net | Content Delivery Network (CDN) |
| ClickUp LLC | Project management and customer support |
| Cronofy | Calendar integration |
4. How HR-ON Handles Your Data at Our Events
4.1 Personal Data
When HR-ON invites participants to events where we manage registration ourselves, we collect information about you as an attendee. This includes: name, title, employer, mobile number, and email address.
Legal basis: GDPR Article 6(1)(b); processing is necessary to perform the agreement to attend the event.
4.2 Purpose
The purpose is to manage registrations for the event and to send you relevant information before, during, and after the event. In some cases, we may follow up with a participant list where relevant.
4.3 Photos and Video
If you attend an event hosted by HR-ON, please be aware that we often take photographs and in some cases make video recordings. These are used on our website and social media profiles to share knowledge and promote HR-ON's events.
Legal basis: GDPR Article 6(1)(f); legitimate interest in marketing HR-ON's events. You will be informed of this at the start of the event.
If you do not wish to appear in photographs or video recordings, please let us know at the start of the event.
4.4 Retention
Once the event has concluded and all follow-up information has been sent, we delete all your event registration data, as it is no longer relevant for us to retain.
For online webinars and live events, your data is retained in our mailing system for as long as you remain subscribed to our newsletter list. See Section 6 for more details.
4.5 Sharing with Co-organisers
HR-ON frequently organises events in collaboration with other companies. In such cases, data may be shared with co-organisers. The event description will clearly state who the co-organiser is.
The data shared in such cases is: name, email address, and company.
5. Contact Form and Sales Enquiries
When you complete our contact form on the website, we collect information such as name, email address, phone number, and the company or organisation you work for. The purpose is to be able to respond to your enquiry.
Legal basis: GDPR Article 6(1)(f); legitimate interest in responding to incoming enquiries.
We store your data in an internal CRM system. Data is reviewed regularly and deleted when it is no longer relevant. Active customer relationships are retained for 5 years after the end of the agreement in accordance with the Danish Bookkeeping Act.
8. Security Measures
HR-ON implements appropriate technical and organisational security measures to protect the personal data we process:
- Encryption: All data encrypted at rest (AES-256/AWS KMS) and in transit (TLS 1.2+).
- Access control: Role-based access control (RBAC) and the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access.
- Secure development: Mandatory peer code review, automated SAST and DAST scanning in the CI/CD pipeline, and continuous CVE scanning of all dependencies.
- Monitoring: Real-time monitoring via AWS CloudWatch and APM. System logs retained for 90 days. Live status at status.hr-on.xyz.
- Audit and certification: Annual ISAE 3000 Type I assurance engagement by an independent audit firm. NIS2 core obligations implemented.
- Disaster recovery: Daily backups, multi-AZ architecture, and a tested DR plan. Most recent DR test: December 2025 with no remarks.
9. Your Rights
Your rights as a data subject are established by the GDPR. As a data processor, HR-ON assists customers in fulfilling requests relating to these rights in accordance with the Data Processing Agreement (DPA) in place between HR-ON and your organisation.
To exercise your rights: contact your organisation (your employer or prospective employer) directly, as they are the data controller and responsible for responding. HR-ON will assist them under the terms of the DPA.
For data HR-ON collects in its own name, including events, newsletter, and contact form, contact gdpr@hr-on.com directly.
Requests are responded to within 30 days. In complex cases this may be extended by 60 days, with prior notification.
10. Personal Data Breaches
HR-ON maintains internal incident response procedures for managing and documenting security incidents. Breach notification responsibilities depend on HR-ON's role:
Where HR-ON acts as data controller (for example, for events, the newsletter, and the contact form), HR-ON will fulfil its breach notification obligations directly under GDPR, reporting to the Danish Data Protection Agency (Datatilsynet) within 72 hours of becoming aware of a breach, and notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Where HR-ON acts as data processor (HR-ON Staff and HR-ON Recruit), HR-ON notifies the relevant customer within 24 hours of identifying a breach. The customer, as data controller, is then responsible for assessing the breach and fulfilling its reporting obligations towards Datatilsynet and affected data subjects. HR-ON will provide all information necessary to assist the customer in doing so.
11. Right to Complain
If you believe our processing of your personal data is inconsistent with data protection law, you have the right to lodge a complaint with the Danish Data Protection Agency:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Email: dt@datatilsynet.dk
Phone: +45 33 19 32 00
Website: www.datatilsynet.dk
We encourage you to contact us directly before lodging a complaint, so that we have the opportunity to address any concerns.
12. Changes to This Policy
We reserve the right to update this Personal Data Policy if legislation or our processing activities change. The current version is always available at https://hr-on.com/privacy-policy. Material changes will be communicated by email to registered contacts with at least 30 days' notice.