C Data protection information for employees and the application process

Please also note our applicable General Data Protection Information and the definitions/provisions contained therein.

1 Processing purposes, legal basis

Personal data (hereinafter referred to as "DATA") is processed in order to establish, implement or process an employment relationship with data subjects and to stay in contact with them.

(A)    Contract implementation and processing

The DATA is processed primarily in the context of employment, i.e. in particular for the purposes of contract fulfilment, including the fulfilment of obligations laid down by law or collective agreements (works agreements) and for the purposes of exercising individual or collective rights and benefits associated with employment. The processing is carried out in particular:

  • for the conclusion of the contract;
  • for recording attendance and absence times;
  • for payroll accounting and, if applicable, travel expense accounting;
  • for personnel administration (e.g. provision of company car, insurance, pension scheme);
  • for personnel file management;
  • for exit management (e.g. preparation of certificates).

The legal basis for such processing is Article 6 (1) b) GDPR in conjunction with Article 88 GDPR, Section 26 BDSG.

As an employer, we are subject to various legal obligations (legal requirements). Processing takes place, for example

  • to fulfil legal requirements (e.g. tax matters, official statistics, social security, etc.);
  • to fulfil legal obligations to provide information.

The legal basis for such processing is Article 6 (1) c) GDPR in conjunction with Section 26 BDSG.

Insofar as we process special categories of DATA (Article 9 GDPR), this serves the exercise of rights or the fulfilment of legal obligations under labour law, social security law and social protection law within the framework of the employment relationship. This includes in particular

  • the provision of health data to a health insurance company;
  • recording a severe disability due to additional leave or determining the equalisation levy.

In addition, the processing of health data in accordance with Article 9 (2) h) GDPR in conjunction with Section 22 BDSG may also be necessary to assess the ability to work.

Where necessary, we process DATA beyond the actual fulfilment of the contract or the statutory/legal requirements to protect our legitimate interests or those of third parties, in particular

  • for the performance and documentation of operationally necessary legal, technical or economic audits (e.g. during a tax audit);
  • to ensure proper data processing in accordance with (security-related) IT requirements (e.g. log data);
  • for analysing and correcting technical errors;
  • to ensure system security and availability;
  • to optimise and control the systems (e.g. updating the list of blocked websites, "black list"; optimisation of network services);
  • for data protection control/for data protection and data security purposes;
  • for the purpose of identifying contact persons (e.g. names, telephone numbers, e-mail addresses, function, department/team affiliation);
  • for personnel planning/controlling;
  • for personnel deployment planning and scheduling;
  • for personnel management/development;
  • for behavioural and/or performance monitoring (in particular under staff representation law);
  • for access/access control;
  • for personnel reporting;
  • to store resubmission data (e.g. expiry of probationary period, fixed term, duration of maternity leave, etc.);
  • for the (automated) execution of driving licence checks in the context of keeper liability.

The legal basis for such processing is Article 6 (1) f) GDPR. The legitimate interest lies in the optimisation of processes for the benefit of the company and its employees.

If our rights or the rights of third parties are infringed, we may process DATA for legal defence in accordance with Article 6 (1) f) GDPR, which is also our legitimate interest.

(B)    Application procedure (contract initiation)

As part of an application process, we request DATA that allows us to check or assess the identity, suitability for the position to be filled, required qualification(s) and, if applicable, legal admissibility (e.g. sanctions list comparison).
The legal basis for such processing is Article 6 (1) b) GDPR in conjunction with Article 88 GDPR, Section 26 BDSG.

However, the scope of the application documents is also self-determined, i.e. further DATA can be made available to us voluntarily in order to substantiate suitability.
The legal basis for such processing is Article 6 (1) a) GDPR in conjunction with Section 26 (2) BDSG. Consent is given by means of an explicit act of confirmation, which may also consist of communicating/sending us DATA that is not required and not mandatorily requested (voluntary information).
DATA that is not compatible with a non-discriminatory application procedure can be filtered out (e.g. by redaction, deletion or return).

Please send your application documents in digital form (ideally in one coherent PDF file) to our HR department.

Please note, however, that in the case of communication/data transmission via/in the Internet, it may be technically possible for a message to be routed from us to you or vice versa via a server in an insecure third country, especially if you are located in a third country yourself. Alternatively, you are therefore welcome to choose the postal dispatch route.

Do not submit any original documents during the application process. If the submission of an original document (e.g. certificate, certificate of good conduct) is required before/for the conclusion of the contract, you can submit such documents at an interview or upon conclusion of the contract.
Application documents will always be destroyed, not returned!

Shortlisted candidates take part in telephone/digital/face-to-face interviews with the specialist and HR departments and, depending on the position, also with the management.

(C)    Processing with consent

For certain purposes (e.g. for the implementation of company integration management, conducting personnel surveys, publication of images on the intranet or internet, operation of a talent pool), we obtain voluntary consent (Article 7 GDPR) for the processing of DATA in advance.
The exact purpose and scope of the DATA can be found in the respective declaration of consent.
If consent is not granted (or is revoked) in such cases, the corresponding processing will cease (from the time of revocation) without this having any negative impact on the employment relationship.

The legal basis for this processing is Article 6 (1) a) GDPR.
Consent is granted through an explicit, active act of confirmation. Consent can be revoked at any time. Please also note No. 7 of the general data protection information, in particular regarding the right of cancellation and cancellation procedure.

(1)    Publication of DATA within the company

In order to promote internal processes, we process DATA, in particular name(s) and function, with prior consent.

The DATA will only be published within the company (e.g. intranet, 'notice board') in accordance with the declaration of consent.

(2)    Publication of DATA on company websites

For the external presentation of the company, we may process DATA, in particular (portrait) photos, name, function and/or contact details and publish them on company websites, subject to prior consent.

(3)    Talent pool

We maintain a talent pool for filling future vacancies. With prior consent, we take over DATA from previous

  • application procedures, in particular from so-called unsolicited applications and/or
  • employment relationships.

If you have consented to the processing of your DATA in the talent pool, we will inform you on a case-by-case basis about our presumably suitable vacancies. If we have neither offered you a position nor received a message from you one year after recording the DATA in the talent pool, we will inform you via the communication address provided that we will delete/destroy the DATA after one month if we do not receive any (contrary) message from you.

2 Recipients

Within the company, your DATA is received by those departments (e.g. the respective manager, specialist departments) that need it to fulfil their contractual and legal obligations.

In addition, we use various service providers to fulfil our contractual and legal obligations, in particular processors in accordance with Article 28 GDPR.

In addition, we may transfer your DATA to other recipients outside the company if this is necessary to fulfil contractual and/or legal obligations as an employer. These may be, for example

  • Authorities (e.g. pension insurance institutions, professional pension schemes, social insurance institutions, tax authorities, courts);
  • Banks (SEPA payment media);
  • Health and substitute funds;
  • Travel management (organisation/handling of business trips);
  • Insurance companies/insurance brokers (e.g. for pension schemes, asset-based benefits, supplementary insurance).

3 Data transfer to a third country

In principle, we do not intend to transfer DATA to a third country or an international organisation. Only in the case of personnel secondments and for the organisation and processing of trips abroad is the transfer of DATA to third countries necessary in individual cases. This applies in particular to hotel reservations, flight bookings, hire vehicles, visas, etc.
For such transfers, we observe the requirements of Chapter V GDPR and inform you in each case in accordance with Article 13 (1) f).

Please also note No. 3 of the data protection information for communication.

4 Data origin and categories

We process DATA that we receive from you as part of the selection and recruitment process, during the employment relationship or on a voluntary basis. In addition, we process - to the extent necessary for the employment relationship - DATA that we collect from other bodies on a legal basis (e.g. event-related queries of tax-relevant data from the responsible tax office, information on periods of incapacity for work from a health insurance company). On the other hand, we process DATA that we have legitimately received from third parties (e.g. recruitment agencies).

Relevant DATA is primarily your master data (e.g. first name, surname, personnel number, address, contact details), identification data (e.g. social security number, tax identification number), payment data (e.g. bank details, garnishments), accounting data (e.g. time recording data, holiday periods, periods of incapacity for work, salary data), assessment data (e.g. application data, qualifications, certificates), security-related data (IT log data, evacuation management) and other data comparable with the categories mentioned. This may also include special categories of personal data pursuant to Article 9 (1) GDPR (e.g. health data).

5 Specific processing duration, deletion periods

Insofar as necessary for the purposes stated above (no. 1), we process your DATA for the duration of the contractual relationship, which also includes the initiation and fulfilment of the contract. It should be noted that an employment relationship is a continuing obligation, which is generally intended to last for years.

If you are entitled to or receive benefits from a company pension scheme offered by us, the DATA required for this will be processed for the duration of the entitlement or benefit.

In addition, we are subject to various retention and verification obligations arising from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The storage periods are up to ten years.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.

If your application is successful, the DATA will be added to your personnel file. Otherwise, the DATA will be deleted/destroyed or returned four months after rejection, unless you have agreed to your application being included in our talent pool.

If the processing is based on consent [see no. 1 (C) above], the DATA will no longer be processed, or will be deleted, destroyed or returned, after consent is withdrawn. Please note the deletion periods specified when granting consent, if applicable.

6 Obligation to provide DATA

As part of your application or employment, you only need to provide the DATA that is necessary for the establishment and execution/processing of the employment relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to process. Without this DATA, we are generally not in a position to establish or execute/process the contract with you.

If we process DATA on the basis of consent, there is no obligation to provide it.

7 Automated decision making

We do not use automated decision-making - including profiling - to establish, implement and process the employment relationship in accordance with Article 22 GDPR.

Please also note No. 8 of the general data protection information.

Status of the data protection information: October 2023