Data protection declaration as to application procedure pursuant to the EU General Data Protection Regulation (GDPR)
Applicable for applicants (m/f/d) of the company Werner Sobek (consisting of: Werner Sobek Group GmbH, Studio Werner Sobek GmbH, Werner Sobek AG, alphaINSIDE GmbH, AH Aktiv-Haus GmbH, Werner Sobek Design GmbH, Werner Sobek Green Technologies GmbH, Sobek & Hall GmbH, Werner Sobek Frankfurt GmbH & Co. KG, IFT GmbH) (hereinafter referred to as the “controller“).
With the following information pursuant to Art. 12 et seq. GDPR we will provide an overview of our processing of your personal data in line with the application procedure and your rights from the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA). The individual course of the application procedure shall be decisive for the data to be processed in detail and the manner they are used.
If you are a minor (applicants under the age of 18), by taking note of the data protection declaration, you declare that your parents have approved your application.
1. Controller for data processing
2. Data protection officer of the controller
Werner Sobek AG
3. Data and data sources
We process personal data provided by you in line with the application procedure. Moreover, we process personal data you have made accessible to us via a profile in a professional social media network (e.g. XING, LinkedIn, StepStone, etc.) or we have collected permissibly from other publicly accessible sources and may process (e.g. website with application etc.)
b) Categories of personal data
In line with the employment procedure the following personal data related to your application can be collected, processed and saved:
Address and communication data (name, address, telephone, e-mail address, other contact details), person master data (date/place of birth, gender, nationality, marital status, legal capacity, photo), as well as information on professional qualifications, education and professional development, driving licenses and vehicle classes.
Moreover, further personal data provided to us (CV, certificates, questionnaires, interviews, previous activities) or occupational information we collected from sources (e.g. professional social media networks, website with application, etc.) you have made publicly accessible, will be processed).
If provided by you voluntarily in the application letter or in the course of the application procedure, special categories of personal data (such as health data, religion, degree of disability) will also be processed.
In particular by personal, telephone or written contacts initiated by you or the controller further personal data are created. This includes e.g. information on the contact channel, date, occasion and result (electronic) copies of the correspondence, as well as interview transcripts.
4. Purpose and legal basis of processing
We process the personal data mentioned in no. 3 for the purpose of your application for an employment relationship in compliance with the regulations of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA).
a) For the purpose of the employment relationship (Art 6 paragraph 1 lit. b GDPR combined with § 26 paragraph 1 combined paragraph 8 FDPA)
Personal data shall be processed insofar as it is decisive for the employment relationship.
Insofar as an employment relationship is established between you and us, we can process the personal data already provided by you further pursuant to § 26 paragraph 1 FDPA, if this is required for the realization or termination of the employment or for exerting or fulfilling rights and obligations of representing the interests of employees resulting from legislation or a works or company agreement.
In the context of your application we shall be entitled to contact you under the data provided by you.
b) On the basis of your consent (Article 6 paragraph 1 lit. a GDPR combined with § 26 paragraph 2 FDPA)
Provided that you have given us your consent to process personal data in line with the application procedure for certain purposes (e. g. disclosure of data within the corporate group), the processing shall be legitimate on the basis of your consent. A given consent may be revoked at any time. Please note that the cancellation will only be valid for the future. Processing made before the cancellation shall not be affected. You may request an overview of the status of the contents you have given at any time.
c) On the basis of your consent for special categories of personal data (Article 9 paragraph 2 lit. a GDPR combined with § 26 paragraph 2 FDPA)
The processing of special categories of personal data (e.g. health data) shall be based on your consent pursuant to Art 9 paragraph 2 lit. a GDPR combined with § 26 paragraph 2 FDPA, unless legal permissions such as Art 9 paragraph 2 lit. b combined with § 26 paragraph 3 FDPA are pertinent.
d) Due to compliance with legal obligations (Article 6 paragraph 1 lit. c GDPR combined with § 26 paragraph 2 FDPA)
Your data is also processed in order to fulfill our legal obligations as an employer with regard to tax and social security law.
On the basis of Art. 9 paragraph 2 lit. b GDPR combined with § 26 paragraph 3 FDPA also includes the processing of special personal data in accordance with Art. 9 paragraph 1 GDPR, insofar as this is for the exercise of rights or the fulfillment of legal obligations from labor law, the right to social security and social protection (e.g. providing health data to health insurance companies, recording the severely disabled person to grant additional leave and determination of the severely disabled person’s tax).
The processing of health data can also be used to assess the ability to work according to Art. 9 paragraph 2 lit. h combined with § 22 paragraph 1 FDPA may be required.
Due to legal requirements, in particular according to § 257 of the German Commercial Code (HGB) and § 147 of the German Tax Code (AO), the Controller is obliged to store and store business documents and data for several years. In addition, all access to the communication systems are logged, stored and evaluated as needed to meet legal requirements and ensure information security.
In the event of disclosure for reasons of data protection, freedom of information or other laws, legal proceedings or investigations by supervisors, data subjects must assume that e-mails, text messages, voicemail or other electronic communications can be accessed, read, heard or disclosed by third parties, if they are relevant to the questions examined.
e) For the purposes of the legitimate interests (Article 6 paragraph 1 lit. f GDPR)
To protect justified interests of us or a third party the processing of data submitted by you can be required for the following reasons:
- Defense of asserted claims from the employment relationship
- Burden of proof in a process pursuant to the General Equal Treatment Act (GETA)
- Reconciliation with so-called EU terror lists pursuant to the European anti-terror regulation 2580/2001 and 881/2002 to ensure that no funds or other economic resources are provided for terrorist purposes
- Prevention of crimes
- Video surveillance for preserving the domiciliary right, collecting evidence in the event of crimes
- Building and office security precautions
- Measures for assuring the domiciliary right
- Risk control within the corporate group
- Own statistical purposes with anonymous data (e.g. studies as to the behavior of employees)
- Safeguarding IT security and IT operations: The personal data resulting from the use of the IT systems, e-mail, internet and telephony services is generally not used for performance and behavioral control. The legal basis for the processing of personal data to ensure the proper operation of e-mail / internet services is the legitimate interest of the Controller. The recorded protocol and connection data are used exclusively for billing internet use, ensuring system security, defending and / or analyzing cybercrime, controlling network load balancing and network optimization, analyzing and correcting technical errors, and disruptions, abuse control and suspected criminal offenses. The processing of the stored personal data, with the exception of the data collected by the legally required archiving, will be restricted after approx. 6 months. The data is only part of the long-term archiving.
5. Recipients of data
Within the controller those persons and entities shall be granted access to your data which are required by them to make a decision and to comply with our (pre-) contractual and legal obligations.
We can transmit your personal data to related companies of the controller, to the extent permissible in line with the purposes and legal bases mentioned under no. 4 or data processing tasks for applicant management are centrally executed within the group.
If we are not able to offer you a position to be filled, but think that your application could be of interest for future positions within the group due to your profile, we will forward your personal application data to other companies related to us, provided that your express consent is at hand.
With regard to data transfer to recipients outside the controller it must be considered first of all that we will only transfer information about you if provided by legal stipulations, you have given your consent and/or processors commissioned by us guarantee that the requirements of the EU GDPR and the Federal Data Protection Act are complied with and this is required for constituting an employment relationship.
Under these conditions the recipients of personal data may for instance be:
- Public bodies and institutions in the circumstances of a statutory or official obligation
- Processors to which we submit personal data for the application procedure. In detail: Providers of applicant management systems, support/servicing of EDP/IT applications, call-center services, compliance services, data destruction, research, risk controlling, video legitimation, website management incl. host provider.
Further data recipients may be those entities for which you have given the consent to data transfer.
6. Data transfer to third countries or international organizations
Data transfer to countries outside the EU or EEA (so-called non-member countries) shall only take place if it is required for the constitution of an employment relationship, is statutory, you have given us your consent or in line with order processing. If service providers are employed in a non-member state, these shall be obliged to the compliance with the data protection level in Europe in addition to written instructions by the agreement of EU standard contractual clauses.
7. Term of data storage
We will save your personal data as long as required for the decision on your application. Insofar as an employment relationship between you and us is not established, we will delete your personal data 6 months upon termination of the application procedure.
This shall not be applicable if legal stipulations are opposed to the deletion or another saving for the purpose of argumentation for defending possible legal claims is required or you have given your consent to longer saving.
If we are not able to offer you a position to be filled, but think that your application could be of interest for future job offers due to your profile, we will process your personal application data 24 months in our applicant database, provided your consent is at hand.
8. Data protection rights of the data subject
Depending on the situation you, as an applicant, will have the following data protection rights on a case-by-case basis. Please do not hesitate to contact us or our data protection officer as to the assertion of such rights.
a) Right of access by the data subject (Art. 15 GDPR)
You are entitled to access your personal data processed by us, as well as demand access to your personal data and/or copies of these data. This shall include information about the purpose of processing, the categories of the data concerned, its recipients and the recipients or categories of recipient to whom the personal data have been or will be disclosed, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. The restrictions of § 34 FDPA shall apply.
b) Right to rectification (Art. 16 GDPR)
You shall have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed (also by means of providing a supplementary statement).
c) Right to erasure (Art. 17 GDPR)
You shall have the right to obtain from us the erasure of personal data concerning you without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- You revoke consent to the processing and where there are no other primary legitimate reasons for the processing
- The personal data have been unlawfully processed
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which we are subject. This shall not apply for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the establishment, exercise or defense of legal claims
The restrictions of § 35 FDPA shall apply.
d) Right to restriction of processing (Art. 18 GDPR)
You shall have the right to demand restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by you for a period enabling us to verify the accuracy of the personal data
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
- We no longer need the personal data for the purposes of the processing, but they are required by you for the assertion, exercise or defense of legal claims.
- You have objected to processing pending the verification whether the legitimate grounds on our part override yours.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If you have obtained restriction of processing we shall inform you before the restriction of processing is lifted.
e) Right to data portability (Art. 20 GDPR)
You shall have the right to receive the personal data provided by you, in a structured, commonly used and machine-readable format.
f) Right to object (Art. 21 GDPR)
As far as the processing is based on Art. 6 paragraph 1 lit. e and lit. f GDPR, you shall at any time have the right to object on grounds relating to your particular situation, to the processing of these personal data. We will then no longer process these personal data, unless we are able to prove compelling legitimate reasons for the processing that override your interests, rights and freedoms or the processing is for asserting, exercise or defense of legal claims.
g) Right to withdraw (Art. 7 paragraph 3 GDPR)
Where processing is based on consent, you shall be entitled to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Please do not hesitate to contact our data protection officer at any time under the aforementioned data.
h) Right to complaint (Art. 13 paragraph 2 lit. d GDPR and Art. 77 GDPR combined with § 19 FDPA)
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
9. Obligation to provide data
Within the context of your application you must provide the personal data required for the handling of the application procedure and assessment of aptitude. Without these data we cannot conduct the application procedure nor make a decision on the establishment of the employment relationship.
10. Automated decision-making (including profiling)
There will be no automated individual decision making in terms of Art. 22 GDPR, i.e. the decision on your application is not exclusively based on automated processing.
Version: February 2022