Data protection information for employees and applicants

Initial contact in the application process

During the application process, we receive and check your application documents. This involves all the data you disclose. In the event of continued interest, this will be followed by an interview, whereby data (contact details, usually name, telephone number, e-mail address) will be collected, stored and used to arrange an appointment. In the event of continued interest, we will make you an offer of employment, whereby the contact data (usually name, telephone number, e-mail address) and the data from the employment contract (usually activity, holiday periods, salary) will be processed. In each of the aforementioned processing steps, it is also possible that a cancellation will be made. The purpose of the aforementioned processing operations is to carry out the application procedure. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Active recruitment

Before the application process, we research data about potential employees; this is done using generally accessible sources. We contact you. In doing so, we process the data required for establishing contact (e.g. name, address, email address) as well as job-specific data about your qualifications (e.g. degrees, certificates, etc.). The purpose of the aforementioned processing operations is to initiate the application process. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Requesting certificates and references

We request special certificates and qualifications that are essential for the job. In doing so, we process the data that appears in the certificates and other documents that arise in the process. The purpose of the aforementioned processing operations is to initiate the application process and, at a later stage, to carry out the employment relationship. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Conducting a trial workday

You will complete a trial workday and we will note our findings, which we will then use to decide on your application. In doing so, we process the data required for establishing contact (e.g. name, address, email address) as well as any notes taken during the trial working day. The purpose of the aforementioned processing operations is to initiate the application process. The legal basis is Article 6(1)(b) GDPR.

Video conferencing

(1) We enable you to communicate via video conference. (2) If you decide to use the video conference, we will obtain the necessary consent. For this purpose, we process the name, time and status of the consent. The purpose of this is to fulfil a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR. (3) We conduct conversations via video conference. In doing so, we process the image and sound data that is generated, as well as any transcripts. The purpose of this is to communicate with you in relation to the contract. The legal basis for this is Article 6(1)(a) GDPR. This is not precluded by the prohibition under Article 9(1) GDPR, as the exception under Article 9(2)(a) GDPR applies here.

Involvement of tax consultancy firm

We forward tax-related data concerning you (e.g. offers, order confirmations, contracts, invoices, account statements, etc.) to an external tax consultancy firm. In doing so, we process your name and all data resulting from invoices and incoming payments. We therefore seek support with accounting and other tax-related matters. The legal basis for this is Article 6 (1) sentence 1 point (f) GDPR, whereby our legitimate interest follows from the stated purpose. Insofar as the external tax consultancy processes this data, it is not a matter of order processing (see DSK short paper 13), but of a data transfer that is justified by Article 6 (1) sentence 1 point (f) GDPR.

Implementation of the employment relationship

During the active employment relationship, all access and/or communication data in connection with the fulfilment of the employment contract (e.g. e-mails) are processed. The purpose of the aforementioned processing operations is to carry out the employment relationship. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Recording of driving licence data

If you receive a company car from us in order to fulfil your employment obligations, we will collect your driving licence data in advance with the help of an external provider where you can digitally register your driving licence. All driving licence data is processed here. The purpose of this is to fulfil our duty to maintain safety and our obligations to insurers, namely to ensure that you are authorised to drive a company car. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest arises from the aforementioned purposes.

Employee benefits (with legitimate interest)

(1) In some selected cases, we offer you the opportunity to take advantage of employee benefits. (2) We transmit the contact data required for granting the benefits to external third-party providers (usually name, address, information that you are employed by us). The purpose is to grant benefits; this is to retain employees and to increase the attractiveness of the employer. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose. Whether and, if so, which benefits are granted is the subject of an agreement under labour law, which may still have to be made separately from this data protection information. No claim arises for you merely from the fact that this possibility is mentioned.

Handover of keys (including logging)

In some cases, you will receive keys and/or chip cards for access to operating rooms, whereby the handover is recorded. In doing so, we process the following data: name, status of the assignment of the above-mentioned objects. The purpose of the aforementioned processing operations is to fulfil a data protection obligation, namely that of taking sufficient organisational security measures. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 32 GDPR.

Provision of access data (including logging)

In some cases, you will receive access data for company software and hardware, whereby both this access data and the assignment to you are recorded and stored. The allocation itself is also logged. We process the following data for this purpose: name, access data, status of the allocation of access data. The purpose of the aforementioned processing operations is to fulfil a data protection obligation, namely to take sufficient organisational security measures. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 32 GDPR.

Handover of operating devices (including logging)

In some cases, you will receive company hardware, and the handover will be recorded. In doing so, we process the following data: name, status of the allocation of the hardware. The purpose of the aforementioned processing operations is the internal organisation of the services owed under the employment contract. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose.

Mental Health Coaching

(1) We enable you to participate in mental health coaching in a few selected cases. (2) If you decide to do so, we will obtain the necessary consent. For this purpose, we process the name, time and status of the consent. The purpose is to fulfil a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR. (3) We ourselves do not process any data regarding participation in coaching and/or content, but only receive a bill. The legal basis is Article 6 (1) sentence 1 lit. a GDPR.

Changes in data processing

If we change the processing, in particular if we use new recipients, we will inform you of the change by email; we will do this by sending you the updated data protection information by email. The purpose of this is to fulfil the transparency obligations under the GDPR (Articles 12 to 14 GDPR). The legal basis is Article 6(1), sentence 1, point (c) GDPR.

Assertion of rights

If you assert your rights under the GDPR or other legal provisions, we process the data in order to check these claims and, if necessary, to fulfil them. The purpose is to fulfil a legal obligation. The legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the standard from which the legal obligation arises.

Conflicts in the employment relationship

In the event of a legal or labour dispute between you and us, the data will be processed in order to provide appropriate explanations and, if necessary, to obtain external legal advice. The following data is processed in this context: name, contact details, all matters related to the labour dispute. The processing serves to obtain external labour law advice/support and to exercise our own rights. The legal basis is Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the aforementioned purposes. Insofar as data is processed externally, this does not constitute order processing (see DSK short paper 13), but rather a data transfer, which in turn is justified by Article 6 (1) sentence 1 lit. f GDPR. It is therefore a case of other outsourcing.

Receiving and processing whistleblower reports

We offer you the opportunity to contact us as a whistleblower. We take note of and process incoming whistleblower reports from employees. Personal data is only processed if the report is not submitted anonymously. This data includes the following: name(s), content of the report. The purpose of the processing is to fulfil a legal obligation under §§ 12ff. HinSchG. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR.

Production of media recordings

(1) We enable you to have media recordings (photo, film, sound) made in a few selected cases. (2) If you decide to do so, we will obtain the necessary consent. For this purpose, we process the name, time and status of the consent. The purpose is to fulfil a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR. (3) Media recordings will be made of you and, insofar as consent extends, published in some cases to be determined by us. In doing so, we process image, film and sound data. The purpose of this is to present our company to the public. The legal basis for this is Article 6 (1) sentence 1 lit. a GDPR. This is not precluded by the prohibition under Article 9 (1) GDPR, as the exception under Article 9 (2) lit. a GDPR applies here.

Fulfilment of further legal obligations

In the employment relationship, data is processed to fulfil further legal obligations not yet mentioned here. These include the following situations:

  • Processing of all data on participation in training and instruction, including in particular first-aid training (Section 14 of the German Social Security Code (SGB) VII in conjunction with DGUV Regulation 1), conducting data protection training for employees (Article 32 GDPR), training for EuP (Section 14 SGB VII in conjunction with DGUV Regulation 3), driver safety training (Section 3 ArbSichV), fire extinguishing training (Section 14 SGB VII in conjunction with DGUV Regulation 1), IT training (BSI Kritisverordnung, Article 32 GDPR). The following data is processed: name, company contact details, communication data, status and, if applicable, time of participation (day, time).
  • Processing of all data when ordering hardware or software that must be provided for occupational safety reasons, e.g. computer glasses (Section 3 ArbSchG). The following data is processed: name, company contact details, communication data, proof of the necessity of the hardware or software, time of order, time of delivery, time of commissioning, costs.
  • Processing of all data when keeping an accident book, in particular, keeping the completed accident book pages (Section 14 SGB VII in conjunction with DGUV Regulation 1, Section 24 (6)). The following data is processed: name, company contact details, communication data, data on all first-aid incidents, in particular the type of incident, time, measures, identity of the employees/persons providing assistance and affected.
  • Processing of all data collected in the course of occupational medical examinations (Section 3 ArbSchG). The following data is processed: name, company contact details, communication data, time of appointment, status of appointment.
  • Processing of all data collected in the course of occupational ophthalmological examinations (Section 3 ArbSchG). The following data is processed: name, company contact details, communication data, time of appointment, status of appointment.
  • Other training courses for which training obligations currently or in the future exist. The following data is processed here: name, company contact data, communication data.

All processing steps serve to fulfil the legal obligations mentioned in the respective parentheses. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with the standards mentioned in the respective parentheses.

Fulfilment of further contractual obligations

In the employment relationship, data is processed for the purpose of implementing the employment relationship. This includes, in particular, but not exclusively, the following situations:

  • The filing of planning documents and the documentation with station suppliers are recorded, stored and further used. The following data is processed in this context: name, company contact details, communication data, status and time of entry, identity of the employee making the entry.
  • The documentation of the filing of planning documents and the documentation with the substation installer are recorded, stored and further used. The following data is processed here: name, company contact data, communication data, status and time of entry, identity of the employee making the entry.
  • Absences due to parental leave, illness, holiday, special leave, educational leave, unpaid leave are recorded, stored and further used. The following data is processed: name, company contact details, communication data, period, reason, evidence for the reason for the absence.
  • In the case of procurements/purchases, including the ordering of work clothes, that affect you, the following data is collected, stored and used: name, company contact details, communication data, clothing size, assignment of work clothes, condition of work clothes.
  • Internal communication takes place regarding the management of work clothing. The following data is processed: name, company contact details, communication data, clothing size, assignment of work clothing, condition of work clothing.
  • In certain cases, electronic signatures are obtained. The following data is processed: name, company contact details, communication data, signature image, signature time, content of the signed document.
  • Hotel reservations are made and documented for you. The following data is processed for this purpose: name, company contact details, communication data, business trip status, business trip period, business trip costs.
  • The assumption of other travel expenses for business trips is recorded, stored and used. The following data is processed for this purpose: name, company contact details, communication data, business trip status, business trip period, business trip costs.

All processing steps serve the purpose of internal communication and the fulfilment of contractual obligations. The legal basis is Article 6 (1) sentence 1 lit. b GDPR.

Storage of data/storage period

We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

  • Internal records (e.g. annual financial statements, accounting vouchers) are to be kept for 10 years, starting on 31 December of the calendar year in which the respective document was created. The processing serves to fulfil a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with Section 147 AO, Section 257 HGB.
  • Data from business correspondence (e.g. customer letters) and other tax-relevant documents must be kept for six years, starting on 31 December of the calendar year in which the respective document was created. The processing serves to fulfil a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with § 147 AO, § 257 HGB.
  • Data from the documentation of working hours must be kept for two years, starting on 31 December of the calendar year in which the respective document was created. The processing serves to fulfil a legal obligation and is based on Article 6(1), sentence 1, point (c) of the GDPR in conjunction with Section 16 of the German Working Hours Act (ArbZG) and Section 17 of the German Minimum Wage Act (MiLoG).
  • Data from the payroll account must be kept for six years, starting on 31 December of the calendar year in which the last recorded wage payment is made. The processing serves to fulfil a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with Section 41 of the German Income Tax Act (EStG).
  • Data concerning health insurance status and sick leave are stored for five years. The processing serves to fulfil a legal obligation and is based on Article 6(1) sentence 1 point (c) GDPR in conjunction with Section 198 of the German Social Code, Book V (SGB V) and Section 165 of the German Social Code, Book VII (SGB VII).
  • Data that arises when you assert data protection claims is stored for three years, starting on 31 December of the calendar year in which we responded to it. The processing serves to protect the interest in defending against claims and is based on Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statutes of limitation for claims for damages (Sections 195, 199 (1) BGB) and, in addition, from the statutes of limitation of the law relating to administrative offences (Section 31 (2) no. 1 OWiG in conjunction with Article 83 GDPR).
  • Data that arises when you assert other claims is stored for three years, starting on 31 December of the calendar year in which we responded to it. The processing serves to safeguard the interest in defending against claims and is based on Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statute of limitations for claims for damages (Sections 195, 199 (1) BGB).
  • Data based on consent must be stored until consent is withdrawn or until the purpose associated with the processing no longer applies, whichever occurs earlier. The storage serves the purpose associated with the consent and is based on Article 6(1)(a) GDPR.
  • Data that proves that consent has been granted must be kept for three years, starting from the date of consent withdrawal or the date the purpose ceases to exist, depending on which occurs earlier. The processing serves to safeguard the interest in defending against claims and is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest follows from the aforementioned purpose. The duration of the legitimate interest follows from the statute of limitations of the law governing administrative offences (Section 31 (2) (1) OWiG in conjunction with Article 83 GDPR).
  • Data from an application is stored for 6 months, starting with the period of receipt of the rejection. The processing serves to safeguard the interest in defending against claims arising from the AGG and is based on Article 6 (1) sentence 1 lit. f GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the time limit in Section 15 (4) UWG plus the time after which the receipt of a complaint can no longer be expected.

Deletion of data

After the retention periods have expired, the data will be deleted. The deletion is intended to fulfil a legal obligation and is based on Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 5 paragraph 1 lit. a, e GDPR.

Recipients

The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

  • providers of backup tools,
  • software hosting companies,
  • providers of video conferencing systems and remote working tools,
  • law firms, tax and auditing firms,
  • providers of password management systems,
  • project management tools,
  • providers of whistleblower platforms,
  • providers of compliance and training solutions,
  • providers of (payroll) accounting solutions,
  • providers of Microsoft assistance tools,
  • providers of translation tools,
  • providers of the provision and administration of work equipment (e.g. work clothes),
  • providers of HR systems,
  • providers of employee benefits,
  • providers of security and monitoring services,
  • providers of social networks (for recruiting purposes).

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

  • Microsoft: Various applications from Microsoft Corporation (USA), which was commissioned in accordance with Article 28 of the GDPR, are used, namely: Microsoft365-Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, SharePoint. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 45 of the GDPR.
  • New Relic: The website monitoring tool ‘New Relic’ from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.
  • Lacework: The IT security tool ‘Lacework’ from Lacework, Inc. (USA) is used. A transfer of data to a third country (here the USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.
  • ShareFile: The IT tool ‘ShareFile’ from Citrix Systems Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here: USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.
  • Monday.com: The collaboration tool Monday.com from Monday.com Ltd. (Israel) is used. A transfer of data to a third country (here: Israel) that cannot be ruled out is justified in accordance with Article 45 GDPR.
  • Atlassian: The project management tool from Atlassian Pty Ltd (Australia) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case Australia) cannot be ruled out, but this is justified in accordance with Article 46 of the GDPR.
  • Autodesk: The project management tool ‘Autodesk’ from Autodesk, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.
  • Adobe: In connection with the use and creation of documents, software offers from Adobe Systems Software Ireland Limited (Ireland - EU) are used, which were commissioned in accordance with Article 28 of the GDPR. A non-excludable transfer of data to a third country (here to Adobe Inc., USA) is justified for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.
  • LinkedIn (social network): The social network LinkedIn, operated by LinkedIn Ireland Unlimited Company (Ireland – EU), is used. However, it cannot be ruled out that data may be transferred to or incorporated by the parent company, LinkedIn Corporation (USA). A transfer of data to a third country (in this case, the USA) cannot be ruled out, but is justified under Article 46 of the GDPR. The following tools are used: LinkedIn (company page), LinkedIn (recruiting).
  • Dropbox: The cloud service ‘Dropbox’ from Dropbox, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 45 of the GDPR.