Team Member Privacy Policy
Last updated: December 12, 2025
This Team Member Privacy Policy (“Privacy Policy”) explains what types of personal data we may collect about our employees, consultants, individual contractors and contingent workers (“Team Member(s)”) and how it may be used.
Before reading further, please note you have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. This right is explained in detail below and you can exercise it by contacting us at dpo@gitlab.com.
While this Privacy Policy is intended to describe the broadest range of our data processing activities globally, those processing activities may be more limited in some jurisdictions based on the restrictions of their laws. For example, the laws of a country may limit the types of personal data we can collect or the manner in which we process that data. In those instances, we adjust our internal policies and practices to reflect the requirements of local law.
Who is Collecting Your Personal Data (who is the data controller)?
For personal data collected under this Privacy Policy, the controller will be the GitLab entity that employs you or is a party to your employment contract or contract for services. You can find a list of the GitLab entities (collectively, “GitLab”) that act as a controller for your personal data here.
If you are employed by a Professional Employment Organization (“PEO(s)”), your personal data may be processed according to both this Privacy Policy and any separate privacy policies published by your PEO as your Employer of Record or Agency of Record.
GitLab entities may act as controllers or processors on behalf of other GitLab entities and/or controllers. Furthermore, GitLab Inc., its affiliate entities and its subsidiaries participate in group-wide Information Technology (“IT”) systems in order to harmonize GitLab’s IT infrastructure and its use. These systems may hold personal data on all Team Members. Insofar as these systems serve to improve and harmonize the People Group processes within the company, GitLab Inc. in the U.S. is responsible for these systems.
Applicability of Other GitLab Privacy Policies
The websites of GitLab (e.g., about.gitlab.com) have separate privacy policies and terms of use that apply to their use. If we collect, store, or process your personal data as part of the recruitment process, then the Recruitment Privacy Policy will apply to that processing.
Additionally, some of our third-party products and services may have separate privacy policies that apply to their use. Any personal data collected in connection with your use of those websites or products and services are not subject to this Privacy Policy. If you are unsure how or if this Privacy Policy applies to you, please contact our Privacy Team at dpo@gitlab.com.
Third-Party Services
In some cases, you may provide personal data to third-parties that GitLab works with or that provide services to GitLab. This includes those parties or systems identified in the Tech Stack Applications.
The Tech Stack is updated periodically to ensure accurate, up-to-date disclosures of Team Member and customer third-party applications used at GitLab. This particular Privacy Policy applies to those applications identified as relating to Team Member applications, provided such applications are not provided by entities legally designated as independent Controllers of your data (e.g., Modern Health).
The use of some third-party websites and applications may be governed by separate terms of use and privacy policies which are not under our control and are not subject to this Privacy Policy. Please contact such third-parties for questions regarding their privacy practices, as well as if you would like to have them correct, delete, port, or provide access to your personal data. Please understand that there are exceptions to rights surrounding personal data relating to employment. For example, third-parties may be required to maintain certain employment information by law (e.g., E-Trade).
What is Personal Data?
Personal data for the purposes of this Privacy Policy means any information that (i) directly and clearly identifies an individual; or (ii) can be used in combination with other information to indirectly identify an individual. Personal data that has been made anonymous or aggregated, meaning it has been rendered irreversibly de-identified by removing personal identifiers, legally ceases to be personal data and is no longer subject to this Privacy Policy.
Examples of personal data include:
- An individual’s name
- Employee ID number
- Home address
- Home phone number
- Personal email address
- Names of family members
- Date of birth
What is Sensitive Personal Data?
Sensitive personal data is a statutorily defined subset of personal data that may be more sensitive in nature for the individual concerned.
Examples of sensitive personal data include:
- Race and ethnicity
- Sexual orientation or sex life
- Political or religious beliefs
- Health or medical information
- Criminal records
- Genetic and biometric information
What Personal Data and Sensitive Personal Data Do We Collect?
GitLab, either directly or through our service providers, will collect and maintain the following categories of personal data about you in accordance with applicable law:
- Contact information, such as name, email, phone number, physical address, emergency contact information, and social media handles.
- Personal identifiers, such as photograph, gender, date of birth, residency, gender identity, employee number, passport information, visa information, driver’s license, veteran status, and identification cards.
- In addition, we may collect (where allowed by local law) Personal Identifiers that are considered sensitive personal data, such as race, ethnicity, sexual orientation, and disability status.
- Household data, such as emergency contact information, marital status, family member and dependent names, and family member and dependent contact information.
- Systems administration data, such as usernames, passwords, login and authentication records, device location, network activity data, IP address, application usage data, browser and operating systems data, browsing history (where allowed by local law), download history, and related metadata.
- Communications data, such as emails, meeting agendas, voicemails, video conference recordings, calendar events, work schedules, access requests, and other communications created, stored or transmitted for professional or job-related purposes using our networks, applications, devices, or communications equipment.
- Operational data, such as survey responses, engagement metrics, accommodation requests, headcount, and turnover metrics.
- Employment qualifications, such as employment history, employment agreements, job titles, resumes, language capabilities, professional certifications, job applications, interview notes, references, background checks, training records, identity verification, work permits, and government identification numbers.
- Performance and Team Member relations data, such as performance reviews, performance metrics, project contributions, improvement plans, promotion documents, claims documentation, growth plans, meeting minutes, grievances, investigation records, disciplinary records, and other personnel records.
- Payroll and benefits data, such as salary, bonuses, stock plan compensation, compensation benchmarking, bank details, sick or family leave, paid time off, retirement plans, insurance policies, benefits enrollment, benefits selections, beneficiary selections, and taxpayer information.
- Regulatory compliance data, such as policy acknowledgements, insider status, mandatory training records, equal opportunity metrics, and other information required for us to comply with laws.
- Workplace safety data, such as criminal records (where allowed by local law), requests for assistance, phishing or malware investigations, and other security related claims.
How is Your Data Collected?
Primarily, we collect personal data directly from you in the ordinary course of your employment, such as during the onboarding process. For Team Members in jurisdictions subject to the General Data Protection Regulation (“GDPR”), we are required to collect certain personal data from you to fulfill your employment contract or to comply with local regulations, such as personal data related to tax reporting and withholding obligations, social security and benefits administration, employment eligibility verification, and health and safety compliance requirements. If we do not collect this personal data, we may be unable to comply with local regulations or your employment agreement, resulting in limited access to IT systems, the inability to participate in company programs or career development opportunities, delayed salary or benefits administration, and a reduced ability to provide workplace accommodations or support. In some cases, our inability to collect required categories of personal data may result in termination of the employment relationship.
In certain circumstances, we may collect personal data from you indirectly, including through third-parties. When we collect your personal data from third-parties, we do so on the basis of your consent where required under applicable law. In addition, we may also collect your personal data from third-parties when you voluntarily submit your personal data to a third-party Team Member service made available to you by us, or where such collection of this personal data is required by applicable law or regulatory requirements.
The following table outlines the categories of personal data we may obtain from third-parties:
| Category of Personal Data | Third-Party Source |
|---|---|
| Systems administration data | • Corporate Security and IT administrators • Application providers |
| Communications data | • Your Managers • Team Members • Customers • Application providers • Corporate Security and IT administrators |
| Employment qualifications | • Previous employers • Educational institutions • Professional references and referrals • Application providers • Credit reporting agencies • Government agencies |
| Performance and Team Member relations data | • Your Managers • Team Members • Customers • Application providers • Corporate Security and IT administrators • Sales reports • Previous employers • Educational institutions • Professional references and referrals |
| Payroll and benefits data | • Family members or beneficiary designees • Government agencies • Application providers |
| Workplace safety data | • Corporate Security and IT administrators • Application providers • Security researchers • Government agencies |
How Do We Collect Information Regarding Your Family or Other Third-Parties?
As noted above, you may be required to provide us personal data regarding your dependents and other family members so that we may administer Team Member benefits and contact your next-of-kin in the case of an emergency. Before you provide such third-party personal data to us, you must first inform these third-parties of any such data which you intend to provide us and the processing to be carried out by us. If these third-parties want to know more information about why their data is being shared with us, please direct them to this Privacy Policy or provide them with our contact information at dpo@gitlab.com.
How Do We Process and Use Your Personal Data?
We may collect and process your personal data in our systems for the various purposes stated in the table below. For Team Members in jurisdictions that are subject to the GDPR or that otherwise require us to attribute the processing of your personal data to a statutorily enumerated legal basis, you will also find that information in the table below.
These legal bases include the following:
- Performance of the employment contract or other active contract where GitLab is a party
- Legal obligations that GitLab must comply with
- Consent from the Team Member, where required by applicable law
- Legitimate business interests of GitLab where such interests are not overridden by the interests or fundamental rights and freedoms of Team Members
Where applicable, we will process your personal data subject to local laws and any applicable collective bargaining agreements, labor management agreements, or works council agreements.
| Purpose of Processing | Categories of Personal Data | Legal Basis |
|---|---|---|
| Identity verification | • Contact information • Personal identifiers | • Performance of the employment contract • Legal obligation |
| Remuneration and benefits administration | • Contact information • Personal identifiers • Household data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data | • Performance of the employment contract • Legal obligation |
| Occupational health and workplace accommodations | • Contact information • Personal identifiers • Operational data • Payroll and benefits data • Regulatory and compliance data | • Performance of the employment contract • Legal obligation • Consent |
| Business analytics and workforce planning | • Contact information • Operational data • Performance and Team Member relations data | • Performance of the employment contract • Legal obligation • Legitimate interests • Consent |
| Sales management and strategy | • Contact information • Communications data • Performance and Team Member relations data | • Performance of the employment contract • Legitimate interests • Consent |
| Facilitating internal communications | • Contact information • Personal identifiers • Systems administration data • Communications data • Employment qualifications | • Performance of the employment contract • Legitimate interests |
| Paid time off, sick leave and other absence calculations | • Contact information • Personal identifiers • Household data • Payroll and benefits data • Regulatory and compliance data | • Performance of the employment contract • Legal obligation |
| Enterprise application security and access | • Systems administration data • Communications data • Workplace safety data | • Performance of the employment contract • Legal obligation • Legitimate interests • Consent |
| Personnel file management | • Contact information • Personal identifiers • Communications data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data | • Performance of the employment contract • Legal obligation |
| Training and learning opportunities | • Contact information • Performance and Team Member relations data • Regulatory and compliance data | • Legal obligation • Legitimate interests |
| Tax reporting and withholding obligations | • Payroll and benefits data • Regulatory and compliance data | • Legal obligation |
| Schedules and calendaring | • Contact information • Communications data | • Performance of the employment contract • Legitimate interests |
| Compensation benchmarking | • Personal identifiers • Operational data • Employment qualifications • Payroll and benefits data • Regulatory and compliance data | • Legal obligation • Legitimate interests |
| Company surveys | • Personal identifiers • Operational data | • Legitimate interests |
| Performance management, internal investigations, and disciplinary procedures | • Contact information • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Workplace safety data | • Performance of the employment contract • Legal obligation • Legitimate interests |
| Company handbook and policy updates | • Contact information • Communications data • Systems administration data • Regulatory and compliance data | • Legal obligation • Legitimate interests |
| Events coordination | • Contact information • Personal identifiers • Communications data | • Performance of the employment contract • Legitimate interests • Consent |
| Social security and retirement contributions | • Contact information • Personal identifiers • Household data • Payroll and benefits data | • Performance of the employment contract • Legal obligation |
| Promotions and growth plans | • Communications data • Performance and Team Member relations data | • Legitimate interests • Consent |
| Team Member safety, travel assistance, and disaster planning | • Contact information • Personal identifiers • Household data • Communications data • Workplace safety data | • Legal obligation • Legitimate interests |
| Diversity programs and equal opportunity monitoring | • Personal identifiers • Operational data • Regulatory compliance data | • Legal obligation • Consent |
| IT management, network monitoring, device backups, and application testing | • Communications data • Systems administration data • Workplace safety data | • Legal obligation • Legitimate interests • Consent |
| Requests from public authorities | • Contact information • Personal identifiers • Household data • Communications data • Systems administration data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Legal obligation |
| Protection of intellectual property and work product | • Systems administration data • Regulatory and compliance data • Workplace safety data | • Legal obligation • Legitimate interests |
| Litigation and legal claims | • Contact information • Personal identifiers • Household data • Communications data • Systems administration data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Legal obligation • Legitimate interests |
| Marketing and publicity materials | • Contact information • Personal identifiers • Employment qualifications | • Legitimate interests • Consent |
| Social media content and external communications | • Contact information • Personal identifiers • Employment qualifications | • Legitimate interests • Consent |
| Artificial intelligence adoption and efficiency reports | • Systems administration data | • Legitimate interests |
Where consent is the legal basis for the processing of your personal data, such as the direct collection of sensitive personal data, you may withdraw your consent at any time by contacting GitLab’s People Operations Team at people_operations@gitlab.com and the Privacy Team at dpo@gitlab.com. Further, any reporting based on sensitive personal data elements, such as diversity or disability metrics, will only contain anonymized or aggregated data.
Where you have withdrawn your consent but GitLab retains your sensitive personal data, we will only continue to process that sensitive personal data when we have another appropriate legal basis, such as processing necessary to comply with legal obligations related to your employment.
Your voluntary submission of sensitive personal data to the systems, such as the inputting of sensitive personal data in Workday, will be received as a manifestation of your express consent to process your sensitive personal data.
How GitLab Monitors Its Team Members
Unless legally prohibited, we monitor the use of our equipment, devices, computers, network, applications, software, and similar assets and resources. This monitoring may result in the collection of your personal data (see, What Personal Data and Sensitive Personal Data Do We Collect?). In full accordance with any local requirements and except where prohibited, Team Members should have no expectation of privacy with regard to any communications or files stored on GitLab owned or issued devices. Any monitoring of company devices will be based on our legitimate interest or, where required, your consent.
For more information on the use of personal devices for matters related to your employment at GitLab, please see the Bring-Your-Own-Device section of our Internal Acceptable Use Policy.
International Data Transfers
Since GitLab is a global company, personal data may be collected in a Team Member’s country or territory of residence and then transferred to another country or territory that may not offer the same level of data protection, such as a country outside the European Economic Area. These data transfers are essential to provide our services in the employment context and to operate our global business.
Your information may be transferred to or accessed from the following countries:
- The United States, where GitLab Inc. is headquartered
- Countries where GitLab has affiliate entities or operations
- Countries where our service providers operate
- Countries where we maintain data centers
When we transfer your personal data from the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions, we use specific legal transfer mechanisms designed to provide adequate protection for your data, such as:
- Adequacy Decisions (Art. 45 GDPR), meaning transfers to countries that the European Commission has decided provide adequate protection, including:
  - Canada (Commission Decision 2002/2/EC)
  - Israel (Commission Decision 2011/61/EU)
  - Japan (Commission Decision 2019/419)
  - Republic of Korea (Commission Decision 2022/254)
  - United Kingdom (Commission Decision 2021/1772)
- Standard Contractual Clauses (Art. 46.2 GDPR), meaning European Commission-approved model contracts that allow transfers to countries without an adequacy decision (e.g., the United States, Australia, Singapore), including:
  - Module 1 (Controller-to-Controller) for transfers between GitLab affiliate entities and to third parties who act as independent controllers; and
  - Module 2 (Controller-to-Processor) for transfers between GitLab affiliate entities and to service providers who process data on our behalf.
- United Kingdom International Data Transfer Agreement, meaning an approved amending agreement to the European Standard Contractual Clauses that allows for United Kingdom based transfers to countries without an adequacy decision (e.g., the United States, Australia, Singapore).
Furthermore, GitLab will ensure that additional measures or safeguards are in place to protect your personal data as required by applicable data protection laws. We maintain records of our international transfers, including specific transfer mechanisms used for different types of personal data. Upon request, we can provide more detailed information about the specific protections we’ve used for particular personal data transfers.
How Does GitLab Handle Personal Data After Collection?
Sharing Personal Data
The following table provides detailed information about the categories of recipients with whom we share personal data, the categories of personal data shared, and the purpose of the sharing:
| Recipient Category | Categories of Personal Data Shared | Purpose of Sharing |
|---|---|---|
| People Team Applications Providers | • Contact information • Personal identifiers • Household data • Systems administration data • Communications data • Operational data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Identity verification • Occupational health and workplace accommodations • Business analytics and workforce planning • Facilitating internal communications • Paid time off, sick leave and other absence calculations • Personnel file management • Compensation benchmarking • Company surveys • Performance management, internal investigations, and disciplinary procedures • Company handbook and policy updates • Promotions and growth plans • Team Member safety, travel assistance, and disaster planning • Diversity programs and equal opportunity monitoring |
| Payroll Applications and Benefits Providers | • Contact information • Personal identifiers • Household data • Operational data • Payroll and benefits data | • Remuneration and benefits administration • Occupational health and workplace accommodations • Paid time off, sick leave and other absence calculations • Tax reporting and withholding obligations • Social security and retirement contributions |
| Security and Access Management Applications Providers | • Systems administration data • Communications data • Workplace safety data | • Facilitating internal communications • Enterprise application security and access • IT management, network monitoring, device backups, and application testing • Protection of intellectual property and work product |
| Training and Learning Applications Providers | • Contact information • Performance and Team Member relations data • Regulatory and compliance data | • Training and learning opportunities • Schedules and calendaring • Company handbook and policy updates • Events coordination |
| Productivity Tooling and AI LLM Model Providers | • Contact information • Systems administration data • Communications data | • Sales management and strategy • Facilitating internal communications • Training and learning opportunities • Schedules and calendaring • Performance management, internal investigations, and disciplinary procedures • Team Member safety, travel assistance, and disaster planning • Marketing and publicity materials • Social media content and external communications • Artificial intelligence adoption and efficiency reports |
| Cloud Hosting and Datawarehouse Providers | • Contact information • Systems administration data • Communications data | • Business analytics and workforce planning • Facilitating internal communications • Personnel file management • Compensation benchmarking • Performance management, internal investigations, and disciplinary procedures • Company handbook and policy updates • Promotions and growth plans • Diversity programs and equal opportunity monitoring • IT management, network monitoring, device backups, and application testing • Requests from public authorities • Litigation and legal claims • Marketing and publicity materials • Social media content and external communications • Artificial intelligence adoption and efficiency reports |
| Communications and Video Conferencing Providers | • Contact information • Systems administration data • Communications data | • Sales management and strategy • Facilitating internal communications • Training and learning opportunities • Schedules and calendaring • Events coordination • Promotions and growth plans • Team Member safety, travel assistance, and disaster planning • Marketing and publicity materials • Social media content and external communications |
| Government Agencies and Law Enforcement Bodies | • Contact information • Personal identifiers • Household data • Systems administration data • Communications data • Operational data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Occupational health and workplace accommodation • Business analytics and workforce planning • Sales management and strategy • Paid time off, sick leave and other absence calculations • Tax reporting and withholding obligations • Compensation benchmarking • Social security and retirement contributions • Team Member safety, travel assistance, and disaster planning • Diversity programs and equal opportunity monitoring • Requests from public authorities |
| Auditors | • Contact information • Personal identifiers • Employment qualifications • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Occupational health and workplace accommodation • Business analytics and workforce planning • Sales management and strategy • Paid time off, sick leave and other absence calculations • Enterprise application security and access • Tax reporting and withholding obligations • Compensation benchmarking • Company handbook and policy updates • Social security and retirement contributions • Diversity programs and equal opportunity monitoring • IT management, network monitoring, device backups, and application testing • Requests from public authorities |
| Financial Institutions, Accountants, and Investors | • Contact information • Personal identifiers • Employment qualifications • Payroll and benefits data | • Business analytics and workforce planning • Sales management and strategy • Tax reporting and withholding obligations • Compensation benchmarking • Social security and retirement contributions • Team Member safety, travel assistance, and disaster planning • Requests from public authorities |
| Law Firms and Professional Advisors | • Contact information • Personal identifiers • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Occupational health and workplace accommodation • Business analytics and workforce planning • Sales management and strategy • Paid time off, sick leave and other absence calculations • Tax reporting and withholding obligations • Performance management, internal investigations, and disciplinary procedures • Promotions and growth plans • Team Member safety, travel assistance, and disaster planning • Diversity programs and equal opportunity monitoring • Requests from public authorities • Protection of intellectual property and work product • Litigation and legal claims |
| Event Coordinators and Hosts | • Contact information • Personal identifiers • Employment qualifications | • Occupational health and workplace accommodation • Training and learning opportunities • Events coordination • Team Member safety, travel assistance, and disaster planning |
| Lodging and Travel Providers | • Contact information • Personal identifiers • Employment qualifications | • Occupational health and workplace accommodation • Training and learning opportunities • Events coordination • Team Member safety, travel assistance, and disaster planning |
| Entities in a Potential Merger or Acquisition | • Contact information • Personal identifiers • Employment qualifications • Payroll and benefits data | • Business analytics and workforce planning • Sales management and strategy • Paid time off, sick leave and other absence calculations • Tax reporting and withholding obligations • Compensation benchmarking • Social security and retirement contributions • Requests from public authorities |
| GitLab Affiliate Entities | • Contact information • Personal identifiers • Household data • Systems administration data • Communications data • Operational data • Employment qualifications • Performance and Team Member relations data • Payroll and benefits data • Regulatory and compliance data • Workplace safety data | • Occupational health and workplace accommodation • Business analytics and workforce planning • Sales management and strategy • Paid time off, sick leave and other absence calculations • Personnel file management • Tax reporting and withholding obligations • Compensation benchmarking • Performance management, internal investigations, and disciplinary procedures • Social security and retirement contributions • Promotions and growth plans • Diversity programs and equal opportunity monitoring • Requests from public authorities |
For California based Team Members
The California Privacy Rights Act broadly defines the sale of personal data to include disclosing Team Member personal data to a third-party business without entering into a service provider agreement with that business. If this occurs, the right to opt-out of a data sale must be provided to the Team Member.
GitLab does transmit specific Team Member personal details and compensation data to certain vendors in order to receive information back regarding industry benchmarking of both compensation and workforce metrics. These vendors include Radford, Comptryx, Compass, and other possible benchmarking survey vendors, each of which retains this data for its own purposes, including to keep its benchmarking data up to date. While this data is often shared in an aggregated format, it may be deemed a data sale under California law. If you are in California and you do not want us to share your compensation data with these benchmarking vendors, please email both the People Operations team at people_operations@gitlab.com and the Total Rewards team at total-rewards@gitlab.com. You may also contact the Privacy Team at dpo@gitlab.com to learn more about your right to opt-out of this data sharing.
Storage of Personal Data
GitLab stores Team Member records in the following locations: Workday, Greenhouse, with our payroll providers (HR Savvy, SD Worx, iiPay, ADP, CloudPay, and Papaya Global), and other systems as necessary (Google Workspace, Docusign, etc.). Team Members have self-service access to Workday, their appropriate payroll provider, and other Team Member-facing software provisioned through Okta. GitLab also contracts with First Advantage and LawLogix to conduct and store information related to pre-employment screenings, such as background checks and employment eligibility verification. Where available, documents and information stored with those companies may be shared with you.
Lastly, where GitLab utilizes PEOs, such as GX, Remote, and CXC, to hire a Team Member, the applicable PEO, as the agent of record or employer of record (as applicable), will retain the personnel files of its respective hires. Access to personal data is only authorized when there is a legitimate and lawful basis, and access is only granted to appropriate personnel. Requests for confidential Team Member data from anyone outside our company under any circumstances must be approved in accordance with applicable local laws.
Retention of Collected Personal Data
As defined in our Record Retention Policy, a “record” is a document created or received by a GitLab entity or individual in the transaction of business that contains significant business value. Oftentimes, Team Member medical and personnel records must be retained by GitLab for prescribed durations.
Except as otherwise permitted or required by applicable law or regulatory requirements, we may retain your personal data only for as long as we believe it is necessary to fulfill the purposes for which the personal data was collected.
To find out more about GitLab’s retention standards for personnel files only, please see our Team Member Personnel File Retention Policy.
Security of Collected Personal Data
We are committed to protecting the security of the personal data collected, and we take reasonable physical, electronic, and administrative safeguards to help protect personal data from unauthorized or inappropriate access or use. For example, the People Operations Group strictly adheres to the Access Request process before provisioning access to any enterprise systems. Furthermore, core IT and People Group systems are evaluated under GitLab’s Third Party Risk Management Program for appropriate controls, such as those security measures found in Workday’s Security Exhibit.
Team Member Data Subject Rights
Access to Personal Data We Collect
To the extent access is allowed by applicable law, you can request access to the personal data that we hold about you. There are two separate processes to obtain access to your personal data. If you are an active GitLab Team Member, you can access your personnel documents via self-service in Workday (and the various payroll systems as applicable). For additional assistance on obtaining your personnel file, GitLab team members should reach out through HelpLab. Former team members can email people_operations@gitlab.com to request their personnel file. You can review the types of personal data contained in a Personnel File here. If you want to review personal data beyond what is included in a Personnel File, please submit a Data Access Request form.
When requesting access to your personal data, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you.
We reserve the right not to grant access to personal data that we hold about you if access is not required by applicable law. There are also instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal data that we hold about you. In addition, there are instances where the personal data may have been destroyed, erased or made anonymous. In the event that we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Correction of Collected Personal Data
We endeavor to ensure that personal data in our possession is accurate, current and complete. If an individual believes that the personal data about them is incorrect, incomplete or outdated, they may request the revision or correction of that data or they may correct the data themselves through the self-serve capabilities within Workday. We reserve the right not to change any personal data we consider to be accurate.
Deletion of Collected Personal Data
You may request that we delete the personal data that we hold about you, provided that we reserve the right not to grant such a request if we are not required to delete personal data under applicable law. There are instances where applicable law or regulatory requirements allow or require us to refuse to delete certain personal data. In the event that we cannot delete your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
To request deletion of your personal data, please submit your request via this Deletion Request Form.
Data Portability
Depending on our lawful basis for processing, you have the right to request that GitLab transmit such personal data to another controlling organization in a commonly used machine readable format, provided this is technically feasible.
Right to Restriction of Processing
You have the right to restrict our processing of your personal data where:
- You contest the accuracy of the personal data, until we have taken sufficient steps to correct or verify its accuracy
- The processing is unlawful, but you do not want us to erase the information
- We no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims
- You have objected to processing justified on legitimate interest grounds (see below), pending verification as to whether GitLab has compelling legitimate grounds to continue processing
To the extent required by applicable law, and where personal data is subjected to restriction in this way, we will only process it with your consent or for the establishment, exercise or defense of legal claims or regulatory obligations.
Right to Withdraw Consent
Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time. Many of our systems offer self-service capabilities where you can remove optional data fields, thereby withdrawing consent. You can also request our assistance in your withdrawal by contacting GitLab’s People Operations Team at people_operations@gitlab.com or the Privacy Team at dpo@gitlab.com.
Please note that in limited circumstances, the withdrawal of your consent may result in our inability to provide you a certain service. For example, if you withdraw your consent to process secondary emergency contact information, we may not be able to contact your next-of-kin in an emergency, unless we have a legal obligation that supersedes your withdrawal of consent. In this event, we will inform you if withdrawal would affect any services or benefits.
Withdrawal of consent does not affect the lawfulness of processing before the withdrawal, and certain processing might continue under a different legal basis.
Right to Object to Processing Justified on Legitimate Interest Grounds
Where we are relying upon legitimate interest to process your personal data, you have the right to object to such processing, and we must stop such processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. Normally, and where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis. To object, please contact GitLab’s People Operations Team at people_operations@gitlab.com or the Privacy Team at dpo@gitlab.com.
Right to Not be Subject to Automated Decision-Making
Depending on your jurisdiction, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. At this time, we do not believe we use Team Member personal data in any automated decision-making processes that meet this definition. However, we will continue to assess our processing of Team Member personal data and if we engage in this type of automated decision-making, we will update this provision accordingly.
Right to Lodge a Complaint
Depending on your jurisdiction, you have the right to lodge a complaint with a supervisory authority in your country of residence, in your place of work, or where the alleged infringement occurred. Some relevant supervisory authorities include:
- France: Commission Nationale de l’Informatique et des Libertés (CNIL)
- Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- Netherlands: Autoriteit Persoonsgegevens (AP)
- United Kingdom: Information Commissioner’s Office (ICO)
For information on how to submit a complaint, please visit the relevant authority’s website or contact our Privacy Team at dpo@gitlab.com for assistance.
Resolving Concerns
Team Pages or Recordings
Despite GitLab being public by default, Team Members can opt out of most public exposure, as long as there is no requirement within their job description to be public-facing. For example, on the team page, Team Members can remove themselves from the page, they can modify the content that is available, or they can use their initials or an alias instead of their name. To enable an asynchronous working environment, we aim to record the majority of meetings at GitLab and post many of them on GitLab Unfiltered. Thus, the only way to limit unwanted exposure from these videos is to have the camera turned off and an alias or initials added to the Zoom profile, and even then, you may still be identifiable through your voice and alias. If a Zoom call is being recorded, there will be a recording icon in the top left-hand corner of the screen. For any GitLab live streams through YouTube, a Team Member can watch and comment through YouTube instead of through the internal video link.
Other Inquiries or Concerns
If you have any questions or concerns regarding the handling of your personal data, please contact GitLab’s People Operations Team at people_operations@gitlab.com or the GitLab Privacy Team at dpo@gitlab.com. Alternatively, you may report concerns or complaints to the Legal and Corporate Affairs Team.
You may also anonymously report violations of policy or law using our third-party managed Compliance & Fraud Prevention Hotline. You can access the Hotline by going to the Questions, Reporting, and Effect of Violations section of the Code of Business Conduct and Ethics.
Changes to Privacy Policy
We may change this Privacy Policy from time to time. When we do, we will update the date at the top of this Privacy Policy and actively communicate changes through direct email notification, an internal announcement on Slack, or a required acknowledgment in People group systems. Material changes will not be implemented without appropriate notice and, where required, consultation with works councils or other employee representatives.
