Privacy

Personal Data
In the following information, „personal data“ is a very frequent term, but what does it actually mean?

The term “personal data” is defined legally in Article 4 (1) GDPR as follows:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing
The term “processing” is defined legally in Article 4 (2) GDPR as follows:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

I. Initiation of an employment relationship
We process the data which you deliver with your application. These are data which we are obliged to ask for (obligatory data) and such data which have been given voluntarily (voluntary data). Voluntarily given data are all data which you forward to us without our requirement.

We engage the worker’s council and the representative body for disabled employees (if there are such entities in our company) in the decision about the initiation of an employment relationship in line with legal requirements (e.g. § 99 Works Constitution Act, or Germen “Betriebsverfassungsgesetz” (BetrVG)).

1) Obligatory Data

• Form of address, title if applicable (PhD)
• First and family name
• Contact data (e.g. street, zip or postal code, city, country, phone number, mobile phone number, e-mail address)
• Information about majority age
• Information about graduated education
• Professional and personal qualification, incl. job experience and further education
• Valid residence permit / work permit
• Availability and estimated entry date
• Information about previous convictions or current preliminary proceedings which are relevant for the job
• For artistic positions: image and/or sound recordings

We use your application data for the application procedure (incl. ensuring and defence of our legal position). The legal basis for processing is § 26 (I) Federal Data Protection Act (hereafter referred to as “BDSG” for German “Bundesdatenschutzgesetz”).

2) Data which we collect from third parties

If you include links to your profiles in professional networks, we may consider those in the selection process. We then use the following data:

• Public profile
• Previous employers / CV

We use these data for the application procedure (incl. ensuring and defence of our legal position). The legal basis for processing is § 26 (I) BDSG.

3) Voluntary data

You decide for yourself, which data you provide us with your cover letter, CV or other documents voluntarily. The following information will usually be provided:

• Marital status
• Gender
• Recommendation (name and contact details of referrer)
• Employment status
• Religion
• Health impairments which might have impact on the job

Since we are not allowed to change your documents due to legal regulations, we process these documents without any alterations (Art. 6 (I) c) GDPR).

II. Data for the Purpose of Controlling

For our controlling, we process the following information which you have provided voluntarily:

• Nationality

This information is included in reports that do not contain any personal reference. Processing is based on our legitimate interests in improving the reach of our job advertisements and in demonstrating the reach to our funding providers (Art. 6 (I) f) GDPR).

III. Certificate of Good Conduct

We ask for a certificate of good conduct if this is necessary for the open position only. We need an enhanced police clearance certificate for all positions which involve contact with children or adolescents.

Provided that it is necessary for the open position, we process the certificate of good conduct for the fulfilment of the employment relationship (§ 26 (I BDSG). For some positions, there is a legal requirement for submitting the certificate of good conduct for the employment decision (Art. 6 (I) c) GDPR).

IV. Obtaining References

If you reveal your previous employers, we may contact those for a recommendation or for their evaluation of your person, provided that you give us your consent (Art. 6 (I) a) GDPR).

If you include referrers from your former employer in your applications, we may contact these referrers to ask for their confirmation of the statements in your application, since it is our legitimate interest to consider this reference for the employment decision (Art. 6 (I) f) GDPR). Please note that if you provide information about other persons (e.g. referrers), you must have obtained their prior approval and informed them about the purposes for which this information is being disclosed, as set forth in this Data Protection Notice.

V. Candidate Pool

It may happen that, despite your interesting profile, we cannot offer you a suitable position. In order to be able to come back to you in the event of a suitable future position, we store your application incl. all provided data and documents in our candidate pool, if you give us your consent to do that (Art. 6 (I) a) GDPR).

VI. Reimbursement of Travel Expenses

When we reimburse your travel expenses, we process the following data:

• Banking account
• Driven kilometres and incurrent travel costs
• Receipts (taxi, petrol receipts, train tickets or similar)

We process these data for the billing of your travel expenses for travelling to the interview location and back. This is based on § 26 (I) BDSG (initiation of an employment relationship).

VII. Other Data

In addition, we store all electronic and written communication between you and our company. We also save and process comments that have been created about you during the application procedure.

We process these data for the application procedure (incl. ensuring and defence of our legal position). The legal basis for processing is § 26 (I) sentence 1 BDSG.

VIII. Whistleblower Protection Act

We process your data to fulfill our obligations under the Whistleblower Protection Act (Hinweisgeberschutzgesetz or HinSchG). Accordingly, we are obliged to receive and examine reports of (suspected) violations of the law. In the course of clarifying the reported cases, we may question the persons reporting or named. Information and statements may be passed on to other affected bodies or authorities or used in court. Whether disclosure is necessary and permitted by law is examined separately in each individual case.

We receive the report from the respective whistleblower. If necessary, the report will be supplemented by the receiving reporting office.

Your data is processed for the purpose of clarifying a reported case in order to protect our legitimate interest in clarifying violations of legal provisions or internal regulations.

IX. Other Processing Purposes

In addition, the above-mentioned data are used for the following purposes in the context of a balance of interests (Art. 6 (I) (f) GDPR). The interests are described below:
1. As it is in our interest to ensure the security of our systems, we regularly conduct security and efficiency tests that allow us to process your above-mentioned data.
2. Should a security incident occur in our company that affects your data, we are obliged to report the case to our data protection supervisory authority (Article 33 GDPR). Since our legitimate interest is to comply with this statutory reporting obligation as quickly as possible, it may happen that in the context of the investigation of the corresponding security incident data about you are processed. Reports of these security incidents to data protection supervisory authorities do not contain any of your personal data.
3. We perform (internal) audits and other control activities (e.g. data protection officer’s monitoring activities), because it is our legitimate interest to comply with legal provisions, to obtain transparency about our business processes, to constantly optimise these processes and to prevent and identify harmful acts against our business. In doing so, documents or data sets with your personal data may be processed.
4. We process your data for purposes of managing our company, for identification and persecution of financial risks, for concentrating our sales activities and for fulfilment of (contractual) obligations regarding our customers. For that purpose, the processed data will be used for the creation of reports and for evaluation. The processing takes place for protecting our legitimate interests in company and sales management as well as for fulfilment of our obligations regarding our customers.
5. For meeting our tax-law obligations, we engage tax counsellors. Furthermore, we engage financial auditors for meeting our duty of auditing the financial statements according to § 316 (1) Commercial Code (or German “Handelsgesetzbuch”, short HGB). Finally, as it is our legitimate interest to cooperate with auditors from tax authorities in order to prove the correct invoicing and financial statements. Documents which are regarded for these purposes may contain your personal data.
6. Since it is our interest to solve legal disputes, we process your data in that specific case. It is also in our interest, in the event of litigation, to keep evidence until all relevant statutory limitation periods pursuant according to sections 195 and fallowing of the German Civil Code, have expired. For this purpose, we retain the relevant data about you in accordance with these limitation periods. The retention periods cannot be globally predicted, since they depend on the particular matter in dispute and the respective statutory limitation period, which can be up to 30 years. The regular limitation period is three years.
7. In addition, it is in our interest to investigate suspected cases and to hand over relevant information to law enforcement authorities in case of a specific criminal suspicion.
8. Errors can occur to anyone and in any organisational process. In order to optimise our processes and minimising our error rate, we process the data which are available to our company for identifying sources of error. The processing takes place in order to protect our legitimate interests in the improvement of our processes.
9. We process your data for testing IT systems and software products and for migrations. The processing is necessary for satisfying our legitimate interest in evaluating if new products are correct and if migrations are complete.

If we accept your application, you will be informed about the deletion periods in the Data Protection Notice for employees.

If we reject your application, your personal data will be stored for a maximum period of 3 months.

If you have consented to the inclusion of your application in our candidate pool in order for us to consider your data for another open position, your data will be stored for 12 months and deleted after that.

Receipts and accounting documents are deleted after 10 years (see § 147 AO and § 257 HGB).
The documentation of a report is deleted 3 years after the conclusion of the procedure at the reporting office. Furthermore, the deletion of your data is suspended if it is required for the assertion, defence and exercise of legal claims or in the context of official or judicial proceedings.

For the preservation of evidence, we retain data in accordance with the statutory limitation periods according to sections 195 and following of the German Civil Code. The storage duration of your data may exceed the duration stated above. The statutory limitation periods can be up to 30 years. The normal limitation period is 3 years.

The deletion of your data will be suspended when they are necessary for the enforcement, defence and exercise of legal claims or for public authority proceedings.

The following list shows which organisations (“data recipients”) receive your data in which cases. You can read about the specific data in the corresponding sections of this data protection notice. Transfer of your data may sometimes occur due to contractual or legal requirements. In other cases, we use selected vicarious agents and service providers who work for us as commissioned data processors (in accordance with Art. 28 GDPR) and may obtain access to your data in the required scope. Commissioned data processors are subject to numerous contractual obligations and may, in particular, process your personal data only on our instructions and solely for the fulfilment of the orders received from us.

• Employment Agency
• Banks, payment service providers
• Data Protection Officer
• Service providers for mailings and logistics
• Service providers for mass file destruction
• Recipient’s e-mail provider
• Tax authorities
• Courts, Lawyers, opposing lawyers, law enforcement agencies, authorities, cooperation partners (for legal disputes for actual suspicious cases)
• IT service providers
• Tax counsellors
• Service providers for telecommunication
• Affiliated companies
• Financial auditors

Our IT service providers in the EU have affiliates or subcontractors outside the EU or the European Economic Area (EEA) that can access your data. We would like to point out that the level of data protection in third countries may differ from the European level of data protection without an adequacy decision by the EU Commission. The EU Commission determines which non-EU/EEA countries (third countries) have an adequate level of data protection. An adequacy decision of the EU Commission No. C(2019) 304 has been issued for the transfer of personal data to subcontractors of our IT service providers in Japan. Our service provider is responsible for using EU standard contractual clauses in accordance with Commission Decision No. (EU) 2021/914. Other affiliated companies or subcontractors of our IT service providers have either submitted to the so-called Data Privacy Framework (Decision No. C(2923) 4745 final of 10 July 2023) if they are based in the USA; otherwise our IT service providers are responsible for the use of EU standard contractual clauses in accordance with Commission Decision No. (EU) 2021/914. A model of these EU standard contractual clauses can be found on the websites of the EU Commissioner for Justice and in the Official Journal of the EU.

You have the legal right to:

• Access to your personal that we process (Art. 15 GDPR)
• Rectification and completion of your data (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Withdrawal of your consent (Art. 7 GDPR) with effect for the future. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
• You have the right to demonstration of your own point of view and refutation of an automated decision (Art. 22 GDPR).
• You also have the right to object to the processing of your data which is based on our legitimate interests or the legitimate interests of a third party at any time, on grounds relating to your particular situation (Art. 21 GDPR). This also applies to profiling based on these provisions within the meaning of Art. 4 (4) GDPR.

To exercise these rights, you can contact us via the contact details mentioned above.

You also have the legal right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).