Privacy Policy

Brief overview: This is how the controller processes your data through the website:

On its website, the responsible party provides information about its comprehensive range of CRO services for the pharmaceutical industry, medical device manufacturers and academic institutions.

In order to provide you with this information for retrieval, it processes personal data in some cases.

The controller collects and processes your contact information and message content when you contact him via remote communications, email, contact forms, social media or other channels in order to respond to you, if necessary.

In order to improve its external presentation and provide information, the responsible party also uses newsletters, social media profiles and job-related portals and processes your data in this context. You can cancel the newsletter subscription at any time by revoking it.

Should you, as an applicant, contact the person responsible via means of communication or the application platform, your personal data will be processed for the purpose of checking your CV and, if applicable, entering into an employment relationship.

Subsequently, you will find information about data security and your rights as a user of the website or as a data subject. Please address any inquiries, applications and suggestions regarding data protection to the person responsible.

Name and contact details of the responsible person

The following entity is responsible for this website pursuant to Art. 4 No. 7 of the General Data Protection Regulation (GDPR), hereinafter: “Controller”:

GKM Gesellschaft für Therapieforschung mbH
Lessingstraße 14
80336 Munich
Germany

Phone: +49 89 2091200
Fax: +49 89 20912030
E-mail: science@gkm-therapieforschung.de

Data Protection Officer:

Mr. Kay Melchinger
Lessingstrasse 14
80336 Munich
Germany

Tel.: +49 89 20 91 20 0
E-mail: k.melchinger@gkm-therapieforschung.de

Data processing via the contact form and other means of communication

a) Scope of processing

The responsible person can be reached for your inquiries by mail, e-mail, contact form, telephone or via social networks. Simple requests that do not require your identification can be made anonymously. Insofar as your identification should be necessary, e.g. in order to answer you or to call you back, the responsible person collects your contact data.

If you write a message via the contact form of the responsible person, he collects the personal data entered by you (first name, last name, e-mail address, message content). In addition, your IP address, the date and time of sending the message are logged in log files.

b) Purpose of the processing

Your personal data is processed to identify you, to assign your message to an existing contract, a job advertisement, a job application process or any other business relationship, if applicable, to store it, to answer it or to forward it, if applicable.

c) Legal basis of the processing

If you have given the responsible party consent on the occasion of correspondence with you, e.g. within the framework of the contact form, the responsible party may process your data within the framework of your consent pursuant to Art. 6 para. 1 p. 1 lit a GDPR.

The processing of your data may be necessary in individual cases for the fulfillment of a contract to which you are a party or for the implementation of pre-contractual measures that take place at your request, Art. 6 para. 1 p. 1 lit. b GDPR.

The processing of personal data may also be based on the legitimate interests of the controller pursuant to Art. 6 (1) p. 1 lit. f GDPR.

d) Legitimate interests

The controller has a legitimate economic interest in being reachable via its contact forms and (electronic) means of communication for processing and responding to inquiries with interest in its services and to respond to your inquiries. In addition, he has a legitimate interest in processing your data insofar as you are, for example, a director, employee, job applicant, customer, potential customer or other representative of a contractual partner of the responsible party. The data controller also collects information in order to review your job application. He also processes your data for the purpose of fulfilling the contract, asserting or defending claims.

e) Recipients or categories of recipients

As a rule, your personal data will be processed by the data controller. The latter will only pass on your personal data, which it has received via electronic means of communication, to external recipients to the extent that this is necessary in individual cases in order to process your request.

f) Third country transfer

The responsible party will not transfer your personal data abroad unless you agree to it.

g) Duration of storage

Your personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected and due to retention obligations under contract law, commercial law or tax law. Application documents are kept for at least two months after receipt of the rejection (§ 15 para. 4 AGG). Invoice documents are kept for 10 years, commercial letters for 6 years.

h) Possibility of objection and elimination

As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR (Article 21 (1) GDPR).

Insofar as the controller bases the processing of your data on the consent you have given or on a contract, you do not have the right to object.

i) Obligation to provide

Your personal data such as title, first name, last name, e-mail address are required to transmit the request via the contact form to the person responsible. Otherwise, the provision of your personal data is voluntary. In the event that you do not provide your personal data, the person responsible may not be able to process or respond to your inquiries, requests or wishes. However, if you do not provide the responsible person with your e-mail address in the contact form or provide it incorrectly, the responsible person will not be able to respond to you.

Data processing in connection with log files

a) Scope of processing

Each time the website of the responsible party is called up, its system automatically collects data and information from the computer system with which you as a user call up the website of the responsible party. This data is stored and processed on the server of the responsible party in a log file (so-called log files). The following personal data is collected:

Log files store, among other things, the IP address, the browser used, time and date and the system used by a site visitor. The IP address is a string of numbers that your Internet provider had uniquely assigned to you at THAT point in time when you called up the above-mentioned website. A subsequent direct establishment of a personal reference (from these log files) is generally not possible or very difficult.

b) Purpose of the processing

The IP address is used to receive and send data packets and enables a user to access a website. The temporary storage of the IP address on the server of the responsible party is necessary in order to transmit the page content to the user’s computer system after calling up this website, so that the user can perceive the content.

The storage in log files takes place in order to ensure the functionality of the website and to be able to detect any transmission errors that may occur. In addition, this data is used by the responsible party to optimize the website and to ensure the security of its information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

c) Legal basis of the processing

The processing is based on the legitimate interests of the controller pursuant to Art. 6 (1) p. 1 lit. f GDPR.

d) Legitimate interests

The Controller has a legitimate interest in processing the above personal data for the above purposes in order to ensure that its service information is available online.

e) Recipients or categories of recipients

Your personal data will be disclosed to the data processing department of the controller and to its contractors contracted to host and provide the IT resources for the operation of the website.

f) Third country transfer

The responsible party will not transfer your personal data abroad unless you agree to it.

g) Duration of storage

Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. The user’s IP address must remain stored for the duration of the session in order to enable the use of the website.

In case of saving your data in the log file, the data collected in it will be stored for 6 months.

h) Possibility of objection and elimination

As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR (Article 21 (1) GDPR). In this case, the controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a user, or the processing serves the purpose of asserting, exercising or defending legal claims.

The processing of personal data to provide the website and to create the log file is mandatory for the operation of the website. The user can therefore not object to this type of processing.

i) Obligation to provide

The processing of log files is indispensable in order to carry out an analysis in the event of an error

Data processing through cookies

a) Scope of processing

On its website, the responsible party uses so-called cookies. Cookies are text files that are stored on the user’s IT system as soon as the user calls up the website of the responsible party. Cookies contain characteristic character strings that enable the browser to be uniquely identified when the website is called up again.

The responsible party uses cookies to make its website more user-friendly. Some page elements of the website require that the calling internet browser can be identified even after a page change within the website.

The cookies used are described in more detail below:

Absolutely necessary cookies

The purpose of the use of strictly technically necessary cookies is to simplify the use of websites for users. Some functions of the website of the responsible party cannot be offered without the use of cookies. For these, it is necessary that the Internet browser is recognized even after a page change. With these technically necessary cookies, data is collected, stored and transmitted to the responsible party to enable the retrieval of their website. The user data collected by technically necessary cookies are not used to create user profiles.

 
Cookie-ID Service provider Functions and purposes Storage period (mind.)
wp-wpml_current_lang…

www.gkm-therapieforschung.de

Technically necessary
for website use

Is not the responsibility
of the provider

 


b) Purpose of the processing

The purpose of the use of technically necessary cookies is to simplify the use of websites for users. Some functions of the website of the responsible party cannot be offered without the use of cookies. For these, it is necessary that the Internet browser is recognized even after a page change. With these technically necessary cookies, data is collected, stored and transmitted to the responsible party in order to enable the retrieval of its website. The user data collected by technically necessary cookies are not used to create user profiles.

Cookies, which are not technically necessary, are used by the responsible party to get to know its target groups better, to evaluate their interests and to draw their attention to its company by means of direct marketing.

c) Legal basis of the processing

If you have given the controller consent via the cookie banner for technically unnecessary cookies, the controller may process your data within the scope of your consent pursuant to Art. 6 (1) p. 1 lit a GDPR. For cookies that are technically necessary to operate this website, the processing is based on the legitimate interests of the controller pursuant to Art. 6 (1) p. 1 lit. f GDPR.

d) Legitimate interests

The responsible party has a legitimate economic interest in the external presentation of his company and in the advertising of his services. Technically necessary cookies help the responsible person with the optimal presentation of the website. 

e) Recipients or categories of recipients

The data of the cookies will be communicated to internal entities of the Controller and to its contractors assigned to host and provide the IT resources.

f) Third country transfer

As a matter of principle, information stored in cookies is not transmitted to third countries unless user identification is necessary for third-party service providers.

g) Duration of storage

The personal data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the processing of data for the provision of the website, this is the case when the respective session has ended. Cookies are stored on the user’s IT system and transmitted by it to the server of the responsible party. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the storage of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically.

h) Possibility of objection and elimination

As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR (Article 21 (1) GDPR). In this case, the controller will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the user, or the processing serves the purpose of asserting, exercising or defending legal claims. If cookies are deactivated for the website of the controller, it may no longer be possible to fully use all functions of the website, e.g. the shopping cart of the store. The processing of personal data for the provision of the website by technically required cookies is mandatory for the operation of the website. The user can therefore not object to this type of processing.

i) Obligation to provide

The provision of your data by accepting the processing of cookies is voluntary. In case of non-provision of your data (refusal of cookies), you may not be able to use his website or not fully.

Data processing by WordPress

a) Scope of processing

The responsible person uses for his website the open source content management system WordPress of Aut O’Mattic A8C Ireland Ltd, Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland, which is licensed under the GPLv2, to be able to manage the content of his website.

The WordPress privacy policy is available at: https://de.wordpress.org/about/privacy/ 

To contact the WordPress data protection officer, please contact: privacypolicyupdates@automattic.com 

b) Purpose of the processing

The purpose of using a content management system is to be able to create, edit, organize and display digital content. The responsible party uses the system to be able to provide a target group-oriented and optimal presentation of the text and multimedia content of its website.

c) Legal basis of the processing

The processing is based on the legitimate interests of the controller pursuant to Art. 6 (1) p. 1 lit. f GDPR.

d) Legitimate interests

The Controller has a legitimate interest in processing the above personal data for the above purposes in order to ensure that its service information is available online.

e) Recipients or categories of recipients

Your personal data will be disclosed to the data processing department of the controller and to its contractors contracted to host and provide the IT resources for the operation of the website.

f) Third country transfer

If and to what extent the provider transfers personal data to third countries, please refer to the provider’s data protection information.

g) Duration of storage

Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. The user’s IP address must remain stored for the duration of the session in order to enable the use of the website.

In the event that your data is stored in the log file, the data collected therein will be stored indefinitely.

h) Possibility of objection and elimination

As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR (Article 21 (1) GDPR). In this case, the controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a user, or the processing serves the purpose of asserting, exercising or defending legal claims.

The processing of personal data to provide the website and to create the log file is mandatory for the operation of the website. The user can therefore not object to this type of processing.

i) Obligation to provide

The provision of your personal data is voluntary. In the event that you do not provide it, you may not be able to use the website to its full extent.

Data processing by Clever Reach

a) Scope of processing

If you want to stay informed about the offers of the responsible person, he will be happy to send you his e-mail newsletter on a regular basis. To do this, you must register by e-mail. For this purpose, only your name or company and your e-mail address are required. During registration, your IP address and a timestamp are collected.

The newsletter is sent via the so-called double opt-in procedure. After registering for the newsletter, a confirmation email will be sent to you, through which the registration must be explicitly confirmed by clicking on a corresponding link.

The newsletter is sent using the services of CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede. CleverReach processes personal data on behalf of the controller for the dispatch and statistical analysis of the newsletter. The newsletters sent by e-mail contain so-called web beacons or tracking pixels, which can be used to determine whether a newsletter message has been opened and which links, if any, have been clicked. In addition, conversion tracking can be used to analyze whether a specific GKM website has been called up after clicking on the link.

CleverReach’s privacy policy is available at: https://www.cleverreach.com/de-de/datenschutz/

The data protection officer of CleverReach can be contacted at: office@datenschutz-nord.de 

b) Purpose of the processing

Your personal data will be used by the responsible party exclusively for its own advertising purposes for newsletter dispatch. The IP address and the time stamp are collected to protect the IT systems of the responsible party from misuse. The controller uses services of CleverReach to provide a user-friendly and secure newsletter system.

c) Legal basis of the processing

For the sending of the newsletter, the responsible party obtains your consent pursuant to Art. 6 para. 1 p. 1 lit a GDPR during registration and, if applicable, via the double opt-in procedure. The declaration of consent is voluntary and can be revoked at any time with effect for the future without giving reasons. To do so, please click on “Unsubscribe” in the newsletter email.

d) Recipients or categories of recipients

As a rule, your personal data is processed by the person responsible. The newsletter dispatch takes place, among other things, by using the services of CleverReach GmbH.

e) Third country transfer

The responsible party will not transfer your personal data abroad unless you expressly agree to it.

f) Duration of storage

Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected and due to contractual, commercial or tax retention obligations.

g) Possibility of objection and elimination

Since the processing of your data is based on consent pursuant to Art. 6 (1) p. 1 lit a GDPR, you have no right to object. However, you can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter or by notifying the controller accordingly. After unsubscribing, the controller will immediately delete your email address from its newsletter distribution list.

h) Obligation to provide data (Art. 13 II lit. e GDPR)

Your personal data such as name/company and e-mail address are required to send you the newsletter. Otherwise, the provision of your personal data is voluntary. In case of non-provision or incorrect provision of your personal data, the responsible person may not be able to include you in the distribution list.

Data processing via LinkedIn

a) Scope of processing

The responsible person operates a business profile on the “LinkedIn” portal of LinkedIn Ireland Unlimited Company, Attn: Legal Dept. (Privacy Policy and User Agreement), Wilton Plaza, Wilton Place, Dublin 2, Ireland.

In the context of the use of his LinkedIn profile, the controller processes the following personal data: All of your data that you have provided within the platform in a publicly visible manner, in particular your first and last names, biographical information, age, username, user URL, profile picture, information from profile pages, e.g. chronicle, comments or user interactions on his profile, message content (e.g. in messengers or comments) or other media content that you have communicated or otherwise disclosed to him.

Via the application functions, the responsible party also receives aggregated, anonymized statistical data about the users of these profiles, e.g. access figures, countries of origin or information about whether you liked content or not.

LinkedIn’s privacy policy is available at: https://www.linkedin.com/legal/privacy-policy

The data protection officer of LinkedIn can be contacted at: https://www.linkedin.com/help/linkedin/ask/ppq

b) Purpose of the processing

The controller processes your personal data to promote its services. LinkedIn is also used to promote employee communications.

c) Legal bases of the processing

If you are a user of LinkedIn, you have given this provider consent to the processing of your personal data for one or more specific purposes as part of your user agreement. In this case, this consent constitutes the legal basis pursuant to Art. 6 (1) p. 1 lit. a GDPR. The above-mentioned provider may also process your personal data to the extent necessary to enter into and fulfill your user contract pursuant to Art. 6 para. 1 p. 1 lit. b GDPR. 

Furthermore, the responsible party processes your personal data in the context of your visit to the profile for the exercise of the legitimate economic interest of optimizing the external presentation pursuant to Art. 6 para. 1 p. 1. lit. f GDPR.

d) Recipients or categories of recipients

Your data will be processed by the responsible person and the provider. If and to what extent the above-mentioned provider passes on personal data, please refer to the provider’s data protection information.

e) Third country transfer

The controller does not transfer personal data to third countries.

f) Duration of storage

The personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected and no retention obligations must be observed. The responsible party has no influence on the storage of your personal data by the aforementioned provider. However, the cookies of this provider are stored on your end devices. Therefore, you have full control over the use of these cookies. By changing the settings in your Internet browser, you can disable or restrict the receipt of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. The responsible party will only store your personal data for as long as is necessary to respond to your request, unless your data must be kept longer due to retention obligations. It is recommended to delete cookies regularly and to use do-not-track applications to protect your data.

g) Obligation to provide

The use of the above profile is voluntary. In the event that you do not provide your data, it may no longer be possible to fully use all the functions of the website.

Data processing via Xing

a) Scope of processing

The responsible person operates a business profile on the portal “Xing” of New Work SE, Am Strandkai 1, 20457 Hamburg. Xing is a social network which, in addition to the creation of private profiles, also allows the creation of company pages. Other Xing users have access to the information published there and can share their own content.

In the context of the use of his Xing profile, the controller processes the following personal data: All of your data that you have provided within the platform in a publicly visible manner, in particular your first and last names, biographical information, age, username, user URL, profile picture, information from profile pages, e.g. chronicle, comments or user interactions on his profile, message content (e.g. in messengers or comments) or other media content that you have communicated or otherwise disclosed to him.

If users are logged in via user account when calling up the company page, information about the call can be assigned to the respective user account. The provision of data can be avoided by logging out of Xing via one’s own user account before calling up the company page.

Via the application functions, the responsible party also receives aggregated, anonymized statistical data about the users of these profiles, e.g. access figures, countries of origin or information about whether you liked content or not.

Xing’s privacy policy is available at: https://privacy.xing.com/de/datenschutzerklaerung

The data protection officer of Xing can be contacted via: https://privacy.xing.com/de/ihre-ansprechpartner

b) Purpose of the processing

The controller processes your personal data to promote its services. Xing is also used to promote employee communication.

c) Legal basis of the processing

If you are a user of Xing, you have given this provider consent to the processing of your personal data for one or more specific purposes as part of your user agreement. In this case, this consent constitutes the legal basis pursuant to Art. 6 (1) p. 1 lit. a GDPR. The above-mentioned provider may also process your personal data to the extent necessary for the conclusion and fulfillment of your user contract pursuant to Art. 6 para. 1 p. 1 lit. b GDPR. 

Furthermore, the responsible party processes your personal data in the context of your visit to the profile for the exercise of the legitimate economic interest to optimize the external presentation, pursuant to Art. 6 para. 1 p. 1. lit. f GDPR.

d) Legitimate interests

The controller has a legitimate interest in conducting public relations and optimizing its external presentation, pursuant to Art. 6 (1) lit. f GDPR.

e) Recipients or categories of recipients

Your data will be processed by the responsible person and the provider. If and to what extent the above-mentioned provider passes on personal data, please refer to the provider’s data protection information.

f) Third country transfer

The controller does not transfer personal data to third countries.

g) Duration of storage

The personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected and no retention obligations must be observed. The responsible party has no influence on the storage of your personal data by the aforementioned provider. However, the cookies of this provider are stored on your end devices. Therefore, you have full control over the use of these cookies. By changing the settings in your Internet browser, you can disable or restrict the receipt of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. The responsible party will only store your personal data for as long as is necessary to respond to your request, unless your data must be kept longer due to retention obligations. It is recommended to delete cookies regularly and to use do-not-track applications to protect your data.

h) Possibility of objection and elimination

As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR (Article 21 (1) GDPR). In this case, the controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a user, or the processing serves the purpose of asserting, exercising or defending legal claims.

i) Obligation to provide

The use of the above profile is voluntary. In the event that you do not provide your data, it may no longer be possible to fully use all the functions of the website.

Data processing for job advertisements and applicants

a) Scope of processing

The data controller receives applications via its career website, by e-mail or by mail. In the context of application procedures, the data controller processes the personal data that identifies you. This is primarily your name (first and last name), e-mail address, telephone number(s), LinkedIn profile if applicable, information from or about the channel, how you became aware of the responsible person. In addition, the responsible party stores information on when you would be available for the vacant position, salary expectations, and the data you provide that contains your application documents, including date of birth, information about your professional and, if applicable, private career (if applicable, references, letters of reference, portrait photos, information about marital status or private life situation).

Applicant management software is used to support the personnel selection process. On the basis of the above-mentioned information, a check is carried out to determine whether an invitation to an interview can be considered as part of the selection process. In the event of basic suitability, further personal data will be collected which is essential for the selection decision. You will be informed separately about this collection if you are considered for employment.

b) Purpose of the processing

The data controller processes the above-mentioned personal data in order to identify you, to check your application, to contact you or to hire you as an employee, if necessary.

c) Legal basis of the processing

Your personal data is processed on the following legal basis: Art. 6 (1) (1) (b) GDPR for the initiation of a contractual or service relationship in conjunction with Art. 9 (2) (b) and (h) GDPR, Art. 8 (1) sentence 1 No. 2 GDPR, processing of particularly sensitive data. If the data processing is based on your consent, the data processing is permissible pursuant to Art. 6 (1) (1) a GDPR.

In the event that you are not (or no longer) considered for the vacant position, you can give your consent to the person responsible for storing your personal data in his database (“Talent Pool”) until you revoke it, so that he can consider you for subsequent application procedures on the basis of your application documents and contact you as a possible applicant (Art. 6 para. 1 p. 1 lit. a GDPR). This consent is voluntary and can be revoked at any time by sending an email to science@gkm-therapieforschung.de.

Your application documents will also be stored until it is ensured that there are no legal claims against the deletion. This data processing is based on the exercise of legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f GDPR.

d) Legitimate interests

The responsible party has a legitimate interest in transferring your records to its professional secrecy holders for the purpose of reviewing the legal situation in order to defend or assert claims.

e) Recipients or categories of recipients

Only authorized employees from the HR department of the responsible party or, e.g. in the case of interviews, the employees involved in the application process have access to your personal data. The employees of the responsible party who deal with HR issues have undertaken in writing to maintain data secrecy and have been informed of the legal consequences of violations. In the event that the examination of the legal situation, defense or assertion of (employment) legal claims should be necessary, the attorneys of the person responsible will be given access to your data as professional secrecy holders and will process it accordingly.

Application procedures are handled by the contractor of the responsible person, BITE GmbH. The database is operated by the company BITE GmbH, Magirus-Deutz-Str. 16, 89077 Ulm, Tel.: 0731/14 11 50-0, e-mail: info@b-ite.de, which offers personnel administration and applicant management software. In this context, BITE GmbH is the processor of the controller according to Art. 28 DS-GVO. The basis for the processing here is a contract for commissioned processing between the controller as the responsible entity and BITE GmbH.

f) Third country transfer

Personal data will not be transferred to third countries.

g) Duration of storage

The responsible party shall retain your documents, insofar as this is necessary, for as long as it is subject to retention obligations in the respective individual case, Art. 6 (1) p. 1 lit. c GDPR. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied. Your data will be stored for a period of 180 days beyond the end of the application process. This is usually done to fulfill legal obligations or to defend against any claims arising from legal regulations. Subsequently, the responsible party is obliged to delete or anonymize your data. In this case, the data will only be available to him as so-called metadata without direct personal reference for statistical evaluations (for example, proportion of women or men in applications, number of applications per period, etc.).

If the responsible person unfortunately had to decide against employment, your personal data will be restricted (Art. 18 GDPR). In the restricted form, your data will be stored for a period of 6 months from the receipt of the rejection.

If you receive an offer of employment with the data controller as part of the application process and accept this offer, the data controller will store the personal data collected as part of the application process for the duration of the employment relationship and beyond this for as long as this is required by statutory retention obligations.

h) Possibility of objection and elimination

As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR (Article 21 (1) GDPR). In this case, the controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a user, or the processing serves the purpose of asserting, exercising or defending legal claims.

i) Obligation to provide

The provision of your data may be necessary for the conclusion of a contract. In case of non-provision, your application cannot be considered. 

Definitions and data subject rights

a) Why does this information exist?

The legislator obliges the controller to inform the user about the processing of his personal data in accordance with Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR). The following discloses the extent to which the controller processes the user’s personal data and the rights to which the user is entitled.

In principle, no personal data of users will be processed, unless the processing is permitted by law (“legal basis”). Consent given to the controller by the user voluntarily and after prior information may also constitute a legal basis for the processing of the user’s personal data.

b) What is personal data and who is affected?

“Personal data” are, according to Art. 4 No. 1 GDPR, any information relating to an identified or identifiable natural person (hereinafter “user”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

There are many circumstances in which the responsibility for processing such personal data lies with the controller, which makes the data subject of the processing a user. Users include, for example, users of the controller’s websites, senders and recipients of letters, e-mails or other communications from the controller, as well as callers and called parties, clients or other persons interested in legal advice, contractors, employees, customers, suppliers or cooperation partners of the controller.

c) What are the legal bases?

Insofar as the controller has obtained the consent of the user for the processing operations of personal data, Art. 6 (1) p. 1 lit. a GDPR serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the user is a party, Art. 6 (1) p. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures at the request of the user. Insofar as processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, Art. 6 (1) p. 1 lit. c GDPR serves as the legal basis. In the event that vital interests of the user or another natural person make processing of personal data necessary, Art. 6 (1) p. 1 lit. d GDPR serves as the legal basis. If the processing is necessary to protect a legitimate interest of the controller or a third party and the interests, fundamental rights and freedoms of the user do not override the first-mentioned interest, Art. 6 (1) p. 1 lit. f GDPR serves as the legal basis for the processing.

In this data protection information, the user is informed about the purposes for which and the legal basis on which his personal data are processed.

d) How long is personal data stored or when is it deleted?

The user’s personal data will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may take place beyond this if this is stipulated by the European or national legislator in Union regulations, laws or other regulations according to which the responsible party is obliged to store the personal data. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires; unless further storage of the data is necessary for the conclusion or performance of a contract.

e) What technical and organizational measures are used?

Ensuring data security is a particularly important concern for the controller. It therefore implements appropriate technical and organizational measures, in particular to protect the user’s personal data from risks during data transmissions and to protect against third parties gaining knowledge. The data security measures are reviewed and adapted in accordance with the current state of the art. The processing of personal data via the website of the controller is https-encrypted.

f) What rights do I have as a user?

  1. right to revoke consent:
    The user has the right, in accordance with Art. 7 (3) GDPR, to revoke his consent, once given, at any time vis-à-vis the responsible party. This has the consequence that the data processing, which was based on this consent, may no longer be continued for the future.
  2. Right of access:
    In accordance with Article 15 of the GDPR, the user has the right to request information about his or her personal data processed by the controller. In particular, he may request information about the processing purposes, the category of personal data, the categories of recipients to whom his data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of his data, if not collected by the controller, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
  3. right to rectification:
    In accordance with Art. 16 GDPR, the user has the right to demand the correction of incorrect or incomplete personal data stored by the responsible party without delay.
  4. right to erasure and to be forgotten:
    The User has the right, pursuant to Article 17 of the GDPR, to request the erasure of his or her personal data stored by the Controller, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.
  5. right to restriction:
    In accordance with Art. 18 GDPR, the user has the right to demand the restriction of the processing of his personal data, insofar as the accuracy of the data is disputed by him, the processing is unlawful, but the user refuses its erasure and the controller no longer needs the data, but the user needs it for the assertion, exercise or defense of legal claims or the user has objected to the processing in accordance with Art. 21 GDPR.
  6. right to data portability:
    Pursuant to Art. 20 GDPR, the user has the right to receive his personal data provided to the controller in a structured, common and machine-readable format or to request the transfer to another controller.
  7. right of complaint:
    The user may complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, he can contact the supervisory authority of his usual place of residence or workplace or the headquarters of the responsible party.
  8. right to object:
    If the User’s personal data is processed on the basis of legitimate interests pursuant to Art. 6 UAbs. 1 para. 1 p. 1 lit. f GDPR, the User has the right to object to the processing of his personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from the User’s particular situation. To exercise the right to object, it is sufficient to send an e-mail to the person responsible.