GitLab, Inc. is a global company with its headquarters in the U.S. This means that personal data may be used, processed, and transferred to the United States and other countries or territories and those countries or territories may not offer the same level of data protection as the country where you reside, including the European Economic Area. However, GitLab will ensure that appropriate or suitable safeguards are in place to protect your personal data and that transfer of your personal data complies with applicable data protection laws. Where required by applicable data protection laws, GitLab has ensured that service providers (including other GitLab affiliates) sign standard contractual clauses as approved by the European Commission or other supervisory authority with jurisdiction over the relevant GitLab data exporter (which typically will be your employer).
Who is collecting your personal data (who is the data controller)?
The GitLab entity that is a party to your employment contract or contract for services or otherwise employs you will be the data controller of your personal data. The following are the GitLab entities that act as controller: GitLab, Inc., GitLab, LLC., GitLab BV, GitLab GK, GitLab GmbH, GitLab PTY Ltd, GitLab Canada Corp, GitLab IT BV, GitLab UK, Ltd., GitLab Ireland Ltd., GitLab Korea Limited, GitLab Singapore Pte Ltd., GitLab France S.A.S. and other GitLab subsidiaries throughout the globe (collectively "GitLab").
GitLab affiliates may act as processors on behalf of other GitLab affiliates and/or controllers. Furthermore, GitLab, its affiliates and subsidiaries participate in a group-wide IT system in order to harmonize GitLab’s IT infrastructure and its use (the “System”). The System also may hold data on all employees, workers, individual contractors and contingent workers ("Staff"). In this respect, the System serves to improve and harmonize most of the human resources (“HR”) processes within GitLab. GitLab, Inc. in the U.S. is responsible for the System.
Applicability of Other GitLab Privacy Policies
Third Party Services
In some cases, you may provide personal data to third parties that GitLab works with or that provide services to GitLab. This includes those parties identified in the Tech Stack Application YAML (“Third Parties”).
What is Personal Data?
Examples of personal data include:
What is Sensitive Personal Data?
Sensitive personal data is a subset of personal data that may be more sensitive in nature for the individual concerned.
Examples of sensitive personal data include:
What Personal Data Do We Collect?
We collect and maintain different types of personal data about you in accordance with applicable law. This includes the following:
Physical limitations and special needs in order to provide reasonable accommodations.
Where permitted by law and where applicable, we may collect the results of credit and criminal background checks, screening, health certifications, driving license number, vehicle registration, and driving history.
Information required for us to comply with laws, the requests and directions of law enforcement authorities or court orders (e.g., child support and debt payment information).
Acknowledgements regarding our policies, including employee handbooks, ethics and/or conflicts of interest policies, and computer and other corporate resource usage policies.
Information captured on security systems and key card entry systems.
Voicemails, e-mails, correspondence, documents, and other work product and communications created, stored or transmitted for professional or job related purposes using our networks, applications, devices, computers, or communications equipment.
Date of resignation or termination, reason for resignation or termination, information relating to administering termination of employment (e.g. references).
Letters of offer and acceptance of employment.
Your resume or CV, cover letter, previous and/or relevant work experience or other experience, education, transcripts, or other information you provide to us in support of an application and/or the application and recruitment process.
References and interview notes.
Information relating to any previous applications you may have made to GitLab and/or any previous employment history with GitLab.
For specifics about what information is collected by third party applications, please refer to the Tech Stack Applications.
How is Data Collected?
Generally, we collect personal data directly from you in circumstances where you provide personal data (during the onboarding process, for example). However, in some instances, the personal data we collect has been inferred about you based on other information you provide us, through your interactions with us, or from third parties. When we collect your personal data from third parties it is either because you have given us express consent to do so, your consent was implied by your actions (e.g., your use of a Third-Party employee service made available to you by us), or because you provided explicit consent to the Third-Party to provide the personal data to us. Where permitted or required by applicable law or regulatory requirements, we may collect personal data about you without your knowledge or consent.
We reserve the right to monitor the use of our equipment, devices, computers, network, applications, software, and similar assets and resources for the safety and protection of employees and intellectual property. In the event such monitoring occurs, it may result in the collection of personal data about you. If required by applicable law, we will notify you of such monitoring and obtain your consent.
How We Process and Use Your Personal Data
We may collect and process your personal data in the Systems for various purposes subject to local laws and any applicable collective bargaining agreements and works council agreements, including:
Recruitment, training, development, promotion, career, and succession planning
Appropriate vetting for recruitment and team allocation including, where relevant and appropriate, credit checks, right to work verification, identity fraud checks, relevant employment history, relevant regulatory status and professional qualifications
Providing and administering remuneration, salary, benefits, and incentive schemes and providing relevant information to payroll
Allocating and managing duties and responsibilities and the business activities to which they relate
Identifying and communicating effectively with other employees and management
Managing and operating conduct, performance, capability, absence, and grievance related reviews, allegations, complaints, investigations, and processes and other informal and formal HR processes and making related management decisions
Consultations or negotiations with representatives of the workforce
Conducting surveys for benchmarking and identifying improved ways of working, employee relations and engagement at work (these will often be anonymous but may include profiling data such as age to support analysis of results)
Processing information about absence or medical information regarding physical or mental health or condition in order to assess eligibility for incapacity or permanent disability related remuneration or benefits, determine fitness for work, facilitate a return to work, make adjustments or reasonable accommodations to duties or the workplace and make management decisions regarding employment or engagement or continued employment or engagement or redeployment and conduct related management processes
For planning, managing and carrying out restructuring or redundancies or other change programs including appropriate consultation, selection, alternative employment searches and related management decisions
Operating email, IT, Internet, intranet, social media, HR related and other company policies and procedures. The company carries out monitoring of GitLab's IT systems to protect and maintain the systems, to ensure compliance with GitLab policies and to locate information through searches where needed for a legitimate business purpose
Complying with applicable laws and regulation (for example maternity or parental leave legislation, working time and health and safety legislation, taxation rules, worker consultation requirements, other employment laws and regulation to which GitLab is subject in the conduct of its business)
Monitoring programs to ensure equality of opportunity and diversity with regard to personal characteristics protected under local anti-discrimination laws
Planning, due diligence and implementation in relation to a commercial transaction or service transfer involving GitLab that impacts on your relationship with GitLab (for example mergers and acquisitions or a transfer of your employment under automatic transfer rules)
For business operational and reporting documentation such as the preparation of annual reports or tenders for work or client team records including the use of your personal photo
In order to operate the relationship with Third-Party customers and suppliers including the disclosure of relevant vetting information in line with the appropriate requirements of regulated customers to those customers, contact or professional CV details or resume, or your personal photo for identification to clients or disclosure of information to data processors for the provision of services to GitLab
Where relevant for publishing appropriate internal or external communications or publicity material including via social media in appropriate circumstances, provided that privacy rights are preserved
To support HR administration and management and maintaining and processing general records necessary to manage the employment or worker relationship and operate the contract of employment or engagement
To centralize HR administration and management processing operations in an efficient manner for the benefit of our employees and to change access permissions
To provide support and maintenance for the System
To enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you
To comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country
Other purposes permitted by applicable privacy and data protection legislation including where applicable, legitimate interests pursued by GitLab where this is not overridden by the interests or fundamental rights and freedoms of employees.
Legal Basis for processing
Where applicable data protection laws require us to process your personal data on the basis of a specific lawful justification, we generally process your personal data under one of the following bases:
Compliance with a legal obligation to which GitLab is subject;
Entering into at-will employment (for US only) or performance under an employment contract with GitLab;
For GitLab's legitimate interests being those purposes described in the section above headed "How We Process and Use Your Personal Information";
Your consent where required and a legitimate legal basis under applicable local laws.
We may on occasion process your personal data for the purpose of the legitimate interests of a Third-Party where this is not overridden by your interests.
Processing of Special Categories of Personal Data
“Special Categories of Personal Data” includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, as well as genetic and biometric data.
From time to time you may provide us with information which constitutes Special Categories of Personal Data or information from which Special Categories of Personal Data may be deduced. In such cases, where required by law, we will obtain your express written consent to our processing of Special Categories of Personal Data. If separate consent is not required by local law, by providing this information to GitLab, you give your freely given, informed, explicit consent for us to process those Special Categories of Personal Data for the purposes set out in the How We Process and Use Your Personal Data section above.
You may withdraw your consent at any time by contacting GitLab's People Operations Group or the DPO. Where you have withdrawn consent but GitLab retains the personal data we will only continue to process that Special Category Personal Data where necessary for those purposes where we have another appropriate legal basis such as processing necessary to comply with legal obligations related to employment or social security. However, this may mean that we cannot (for example) administer certain benefits or contact your next-of-kin in an emergency or provide support to you above and beyond our legal obligations. You give your knowledgeable, freely given, express consent to GitLab for GitLab to use, disclose and otherwise process any personal health information about you that is provided to GitLab by any of your personal health information custodians, for the purposes set out in the How We Process and Use Your Personal Information section above.
Sharing Personal Data
Your personal data may be shared, including to our affiliates, subsidiaries, and other third parties, as follows:
Where you request us or provide your consent to us.
We may buy or sell businesses and other assets. In such transactions, employee data is generally one of the transferred business assets and we reserve the right to include your personal data as an asset in any such transfer. Also, in the event that we, or substantially all of our assets, are acquired, your personal data may be one of the transferred assets.
Where required by law, by order or requirement of a court, administrative agency, or government tribunal, which includes in response to a lawful request by public authorities, including to meet national security or law enforcement requirements or in response to legal process.
If we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property.
As necessary to protect the rights, privacy, safety, or property of an identifiable person or group or to detect, prevent or otherwise address fraud, security or technical issues, or to protect against harm to the rights, property or safety of GitLab, our users, applicants, candidates, employees or the public or as otherwise required by law.
Where the personal data is public and exempted from coverage under applicable data protection laws.
To seek advice from our lawyers and other professional advisors.
To professional advisors (e.g. bankers, lawyers, accountants) and potential buyers and vendors in connection with the sale, disposal or acquisition by us of a business or assets.
Access to Personal Data We Collect
To the extent access is required by applicable law, you can request access to the personal data that we hold about you. If you want to review your personal data, please submit a request through this form. If you want to correct your personal data, you may do this through the self-serve capabilities within Workday.
When requesting access to your personal data, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you.
We reserve the right not to grant access to personal data that we hold about you if access is not required by applicable law. There are also instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal data that we hold about you. In addition, the personal data may have been destroyed, erased or made anonymous. In the event that we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Correction of Collected Personal Data
We endeavor to ensure that personal data in our possession is accurate, current and complete. If an individual believes that the personal data about him or her is incorrect, incomplete or outdated, he or she may request the revision or correction of that data. We reserve the right not to change any personal data we consider to be accurate or if such correction is not required by applicable law.
Retention of Collected Data
Except as otherwise permitted or required by applicable law or regulatory requirements, we may retain your personal data only for as long as we believe it is necessary to fulfill the purposes for which the personal data was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations) and for IT archival purposes.
Personal data for data subjects in the European Union is by default erased by GitLab after termination of your employment, with the exception of certain types of personal data, which may be stored for an extended period of time due to administrative purposes, e.g. for payment of retirement income or for giving references to other employers, or where such personal data must be retained to comply with regulatory requirements.
You may request that we delete the personal data about you that we hold, provided that we reserve the right not to grant such request if we are not required to delete personal data under applicable law. There are instances where applicable law or regulatory requirements allow or require us to refuse to delete this personal data. In the event that we cannot delete your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
To request deletion of your personal data, please submit your request via this Deletion Request Form.
If you have questions or concerns regarding the handling of your personal data, please contact GitLab's People Operations Group or DPO. Alternatively, you may report concerns or complaints to the Legal Department.
You may also anonymously report violations of policy or law using our Third-Party managed Compliance & Fraud Prevention Hotline. You can access the Hotline by going to the Questions, Reporting, and Effect of Violations section of the Code of Ethics.
Security of Collected Information
We are committed to protecting the security of the personal data collected, and we take reasonable physical, electronic, and administrative safeguards to help protect the data from unauthorized or inappropriate access or use.
Additional Rights
You may also have the following additional rights, subject to certain exceptions and limitations as specified in applicable law:
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, to the extent provided under applicable law, you have the right to receive all such personal data which you have provided to GitLab in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible;
Right to restriction of processing
You have the right to restrict our processing of your personal data where:
To the extent required by applicable law, where personal data is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defense of legal claims.
Right to withdraw consent
Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time. You can do this by contacting GitLab's People Operations Group or DPO.
Right to object to processing justified on legitimate interest grounds
Where we are relying upon legitimate interest to process data, then you have the right to object to such processing, and we must stop such processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims. Normally, where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the processing of your personal data infringes this regulation.