Applicant data protection information pursuant to Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR)
Data protection is of paramount importance to us. In the following, we will inform you how your personal data is processed in the context of the application procedure and what rights you are entitled to.
1 Who is the controller responsible for data processing and whom can I contact?
The data controller as defined in the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions, is:
INSTART Consult GmbH
Tel.: +49 (0) 162 / 134 06 14
2 Contact details of the external data protection officer
The Controller’s Data Protection Officer is:
Mr. Felix Heim
3 Purposes of the processing/ Legal basis
Your personal data will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act [Bundesdatenschutzgesetz (BDSG)] and other pertinent data protection regulations. We will process your personal data for the following purposes:
3.1 Consent (Art. 6 (1) (a) GDPR)
The consent you have granted to the processing of personal data is the legal basis for the processing referred to therein. You can revoke your consent with future effect at any time.
3.2 Fulfillment of contractual obligations (Art. 6 (1) (b) GDPR, Section 26 (1) clause 1 Federal Data Protection Act (BDSG))
We process your personal data for carrying out the application procedure. The processing may also be carried out electronically. This is especially the case if an applicant sends us corresponding application documents electronically, such as, for example, by email or via a web form on the website.
3.3 Fulfillment of legal obligations (Art. 6 (1) (c) GDPR, Section 26 (1) clause 1 Federal Data Protection Act (BDSG))
We process your personal data, where necessary, for the fulfillment of legal obligations, which may include retention and storage obligations, etc.
4 Categories of personal data that is being processed
The following data, among other things, is processed:
Naturally, we do not ask applicants to provide so-called specific personal data, such as information on ethnic origin or union membership, in the application procedure. Should such data nevertheless be transmitted to us, we will not consider it in the application procedure.
5 Who receives your data?
We disclose your personal data internally within our company solely to those employees who are involved in the selection of the specific candidate, i.e. who need this data to fulfill the contractual and legal obligations or to implement our legitimate interest. In addition, the following recipients may receive your data:
6 How long do we store your personal data?
If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the controller, the application documents shall be automatically erased six months after notification of the refusal decision, provided that no other legitimate interests of the controller are opposed to the erasure. Other legitimate interests in this sense include, e.g., a burden of proof in a procedure under the General Equal Treatment Act (AGG) or the statute of limitations. The data may be stored for a longer period of time with the separate, voluntary consent of the data subject, which is offered to the data subject in the context of receiving a rejection. If the data subject consents to being contacted later by the controller and to continuing the application process in case he/she should be considered for another position, the data will be erased 24 months following the date of storage.
7 To what extent is automated decision-making used in individual cases, including profiling?
We do not use purely automated decision-making procedures in accordance with Article 22 GDPR. Should we use these procedures in individual cases, we will inform you separately, insofar as this is required by law.
8 Scope of your obligations to provide us with your personal data
You only need to provide the data that is required for the application procedure. Without such data, we will not be able to conclude an employment contract with you. If we request further data from you, you will be separately informed of the voluntary nature of the information.
9 Data source
Data that was not collected directly from the data subject is obtained from publicly available sources. These sources are job-oriented business social networks such as XING, LinkedIn, etc. Incidentally, this is the data that the applicant has made available as part of his/her application.
10 Your data protection rights
Where your personal data is processed, you are deemed a data subject as defined in the GDPR and you have the following rights towards the controller:
10.1 Right to information (Art. 15 GDPR):
You can ask the controller to confirm whether your personal data is being processed.
If such processing is taking place, you can request the following information from the data controller:
10.2 Right to rectification (Art. 16 GDPR):
You are entitled to have the controller rectify or complete your personal data insofar as your processed personal data is inaccurate or incomplete. The controller shall have your personal data rectified without undue delay.
10.3 The right to restriction of processing (Art. 18 GDPR)
You may request that the processing of your personal data be restricted under the following conditions:
10.4 Right to erasure (Art. 17 GDPR):
10.4.1 Obligation to erase
You are entitled to request that the controller erases your personal data without undue delay and the controller shall be obligated to erase personal data without undue delay where one of the following grounds applies:
10.4.2 Information disclosed to third parties
Where the controller has made the personal data public and is obligated pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Your right to erasure does not apply where processing is required
10.5 Right to information (Art. 19 GDPR)
If you have asserted your right to have the data rectified or erased or its processing restricted by the controller, the latter must inform all recipients to whom your personal data was disclosed about such rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You are entitled to be informed about the recipients by the controller upon request.
10.6 Right to data portability (Art. 20 GDPR)
You are entitled to obtain the personal data that you provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to pass this data on to another controller without hindrance by the controller to whom the personal data was provided, as long as
The right to portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
10.7 Right of objection (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) clause 1 (e) or (f) GDPR, including profiling based on these provisions.
The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or unless such processing is being used to assert, exercise or defend legal claims.
Where your personal data is processed for direct marketing purposes, then you are entitled to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option to exercise your right to object by automated means using technical specifications.
10.8 Right to withdraw data protection consent (Art. 7 GDPR)
You are entitled to withdraw your data protection consent at any time. Revoking your consent will not affect the legality of any processing that took place before the revocation.
10.9 Automated individual decision-making including profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based exclusively on automated processing including profiling that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller,
(2) is admissible by law of the Union or of the Member States to which the controller is subject and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or
(3) is based upon your explicit consent.
These decisions, however, shall not be based on specific categories of personal data referred to in Article 9 (1) GDPR, unless point (a) or (g) of Article 9 (2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state his or her point of view and to challenge the decision.
10.10 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of alleged infringement if you consider that the processing of data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
The supervisory authority responsible for us is:
Bavarian State Authority for Data Protection Oversight [BayLDA – Bayerisches Landesamt für Datenschutzaufsicht]