What sources and data do we use?
We process personal data that we have received from you insofar as this is necessary for the purposes of recruitment, fulfilment of the employment contract and termination of the employment relationship. In addition, we process personal data of our employees and other comparably affected persons that regularly arise in the context of the employment relationship.
This personal data includes in particular:
- Personal data (e.g. name, address and contact details; date and place of birth and nationality, passport/identity card data, driving licence data).
- Family data (e.g. marital status and details of children)
- Religious affiliation
- Health data (e.g. notifications of incapacity to work and others, insofar as these are relevant to the employment relationship, e.g. in the case of a severe disability).
- Tax ID number
- Information on qualifications and staff development (e.g. education, work experience, language skills and further training)
- Employment details (e.g. date of joining and job title)
- Data relevant to payroll tax from the fulfilment of contractual obligations (e.g. salary payment)
- Information on the financial situation of employees (e.g. credit liabilities and salary garnishments, if applicable)
- Social security data
- Data on the pension scheme or pension fund
- Data on working time (e.g. recording of working time, leave and sickness; data in connection with business trips)
- Access data
- Authorisation data (e.g. access and access rights)
- Image and sound data (e.g. ID photo and video and telephone recordings)
- Employee evaluation data
- as well as other data comparable to the above categories.
What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (DSGVO) and the Federal Data Protection Act (BDSG (new)):
For the fulfilment of contractual obligations (§ 26 BDSG)
Data is processed for the purpose of establishing, implementing or terminating the employment relationship within the framework of the existing contract with you or for the purpose of carrying out pre-contractual measures upon request. If you make use of additional benefits (e.g. childcare subsidy, pension scheme), your data will be processed for the fulfilment of these additional benefits, insofar as this is necessary.
Within the framework of the balancing of interests (Art. 6 para. 1 f DSGVO)
Where necessary, we process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. Examples of such cases are:
- Measures for personnel development planning
- Measures to protect employees and customers and to protect the company's property
- Evaluation of workflows for work control and improvement of processes (e.g. evaluations of the number of work statements or processing time of services for customers).
- Publication of official contact details on the intranet and internal telephone directory and on the website
- Records of staff appraisals (e.g. documentation of set goals and goal achievement)
- Recording for security checks (e.g. checking certificates of good conduct, criminal records, etc.)
Based on your consent (Art. 6 para. 1 a DSGVO in conjunction with Art. 88 DSGVO and § 26 para. 2 BDSG (new))
If you have given us consent to process your personal data, processing will only take place in accordance with the purposes and to the extent agreed in the declaration of consent. Consent given can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent given to us prior to the application of the GDPR, i.e. prior to 25 May 2018. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.
- Use and, if necessary, publication of staff pictures
Due to legal requirements (Art. 6 para. 1 c DSGVO as well as Art. 88 DSGVO and § 26 BDSG (new))
As a company, we are subject to various legal obligations, i.e. legal requirements (e.g. social security law, occupational safety, tax laws). The purposes of the processing include, among others, identity verification, the fulfilment of social security and tax law control, reporting or documentation obligations as well as the management of risks in the company.
Insofar as special categories of personal data are processed pursuant to Art. 9 (1) DSGVO, this serves the exercise of rights or the fulfilment of legal obligations arising from labour law, social security law and social protection within the framework of the employment relationship (e.g. disclosure of health data to the health insurance fund, recording of severe disability due to additional leave and determination of the severe disability levy). This is done on the basis of Art. 9 para. 2 b DSGVO in conjunction with Section 26 (3) BDSG. In addition, the processing of health data for the assessment of their ability to work pursuant to Art. 9 para. 2 h in conjunction with Section 22 (1) b BDSG. In addition, the processing of special categories of personal data may be based on consent pursuant to Art. 9 para. 2 a DSGVO in conjunction with Section 26 (2) BDSG new (e.g. operational integration management).
Who gets my data?
Within the company, those departments receive access to your data that need it to fulfil contractual, legal and supervisory obligations as well as to safeguard legitimate interests, e.g. human resources department.
Service providers and vicarious agents employed by us may also receive data for these purposes, insofar as they require the data to perform their respective services. These are, for example, companies in the categories of tax consultancy for payroll accounting, training providers and IT services. All service providers are contractually obliged to treat your data confidentially.
With regard to the transfer of data to recipients outside our company, it should first be noted that as an employer we only pass on necessary personal data in compliance with the applicable data protection regulations. As a matter of principle, we may only pass on information about our employees if this is required by law, if you have consented to it or if we are otherwise authorised to pass it on.
Under these conditions, recipients of personal data may be, for example:
- Social security institutions
- Health insurance funds
- Pension funds
- Tax authorities
- Professional associations
- Public bodies and institutions (e.g. tax authorities and law enforcement agencies) if there is a legal or official obligation to do so.
- Other companies for the processing of salary payments or comparable institutions to which we transfer personal data for the purpose of implementing the contractual relationship (e.g. for salary payments)
- Business and income tax auditor
- Service providers within the framework of order processing relationships
Further data recipients may be those bodies for which you have given us your consent to transfer data or to which we are authorised to transfer personal data on the basis of a balancing of interests.
Is data transferred to a third country or to an international organisation?
As a rule, no data is transferred to countries outside the European Economic Area (so-called third countries). Nevertheless, data transfer to third countries may take place in individual cases, insofar as:
- it is required by law,
- you have given us your consent or
- this is legitimised by the legitimate interest under data protection law and no higher interests of the data subject worthy of protection conflict with this.
Furthermore, we do not transfer any personal data to bodies in third countries or international organisations.
However, we use service providers for certain tasks, most of which also use service providers that may have their registered office, parent company or data centres in a third country. A transfer is permitted if the European Commission has decided that an adequate level of protection exists in a third country (Art. 45 GDPR). If the Commission has not made such a decision, we or our service providers may only transfer personal data to a third country if appropriate safeguards are in place (e.g. standard data protection clauses adopted by the EU Commission or the supervisory authority in a specific procedure) and enforceable rights and effective remedies are available.
An example of this is our use of Microsoft Office 365 as a company-wide communication system. Although Microsoft also operates servers within the EU, it cannot be ruled out that your data may be transferred to a third country (e.g. the USA) in this context and processed there.
We have concluded an order processing agreement with Microsoft in accordance with Art. 28 DSGVO with EU standard contractual clauses to maintain an appropriate level of data protection. If required, please feel free to contact us at the above contact details for further information on this.
We have concluded corresponding order processing agreements with our service providers and have also contractually agreed that there must always be guarantees for data protection in compliance with the European level of data protection with their contractual partners as well.
How long will my data be stored?
We process and store your personal data as long as this is necessary for the fulfilment of our contractual and legal obligations. It should be noted that the employment relationship is a continuing obligation that is intended to last for a longer period of time.
If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is necessary for the following purposes:
- Fulfilment of legal obligations to retain records, which may arise, for example, from: Social Security Code (SGB IV), Commercial Code (HGB) and Fiscal Code (AO). The periods specified there for storage or documentation are generally six to ten years.
- Preservation of evidence within the framework of the statutory limitation provisions. According to §§ 195 ff of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.
If the data processing is carried out in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists. The aforementioned exceptions apply here. The same applies to data processing based on consent given. As soon as this consent is revoked by you for the future, the personal data will be deleted, unless one of the exceptions mentioned applies.
Is there an obligation to provide data?
In the context of the employment relationship, you must provide those personal data that are necessary for the establishment, implementation and termination of an employment relationship and for the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we will generally not be able to conclude the contract with you or execute it.
To what extent is there automated decision-making?
We do not use automatic decision-making pursuant to Article 22 of the GDPR for the establishment, implementation and termination of the working relationship. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.
Does profiling take place?
We do not process your data with the aim of automatically assessing certain personal aspects.