What sources and data do we use?
We process personal data that we have received from you to the extent necessary for the purposes of hiring, fulfilling the employment contract and terminating the employment relationship. In addition, we process personal data from our employees and other comparable data subjects that are regularly incurred in the context of the employment relationship.
This personal data includes in particular:
- Personal details (e.B. name, address and contact details; birthday and place and nationality, passport/identity card data, driving licence data)
- family data (e.B. marital status and information on children)
- Health data (e.B. incapacity reports and others, if relevant to the employment relationship, e.B. in the case of severe disability)
- Tax identification number
- Information on qualifications and employee development (e.B. training, professional experience, language skills and further training)
- Information on the employment relationship (e.B. date of entry and name of activity and title)
- Payroll tax-relevant data from the fulfilment of contractual obligations (e.B. salary payment)
- Information on the financial situation of employees (e.B. loan liabilities and salary attachments, if applicable)
- Social security data
- Data on pensions and pension funds
- data on working time (e.B. recording of workingtime, leave and sickness; data relating to missions)
- Access data
- Authorization data (e.B. access and access rights)
- Image and sound data (e.B. ID photo and video and telephone recordings)
- Employee evaluation data
- and other data comparable to those categories.
What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG (new)):
In order to fulfil contractual obligations (Section 26 BDSG)
The processing of data is carried out for the establishment, execution or termination of the employment relationship within the framework of the existing contract with you or for the implementation of pre-contractual measures, which take place on request. If you use additional benefits (e.g. childcare allowance.B, retirement provision), your data will be processed to fulfill these additional benefits, if this is necessary.
In the context of the balance of interests (Art. 6 sec. 1 f GDPR)
If necessary, we process your data beyond the actual performance of the contract in order to safeguard legitimate interests of us or third parties. Examples of such cases are:
- Personnel development planning measures
- Measures to protect employees and customers and to protect the company's property
- Evaluation of work processes for work control and improvement of processes (e.B. evaluations of the number of work certificates or processing time of services for customers)
- Publication of contact details on the intranet and internal telephone book and on the website
- Records of employee interviews (e.B. documentation of defined goals and achievement of goals)
- Recording of security checks (e.B. retrieval of certificates of leadership, criminal records, etc.)
On the basis of your consent (Art. 6 sec. 1 a GDPR in conjunction with Art. 88 GDPR and Section 26 (2) BDSG (new))
If you have given us your consent to the processing of your personal data, processing will only be carried out in accordance with the purposes specified in the declaration of consent and to the extent agreed therein. Consent given may be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent given to us before the GDPR is applicable, i.e. before 25 May 2018. The revocation of consent only works for the future and does not affect the legality of the data processed up to the revocation.
This applies to:
- Use and, if necessary, publication of employee images
Due to legal requirements (Art. 6 sec. 1 c GDPR as well as Art. 88 GDPR and Section 26 BDSG (new))
As a company, we are subject to various legal obligations, i.e. legal requirements (e.B. social security law, occupational safety, tax laws). The purposes of the processing include, but are not only for verification of identity, the fulfilment of social security and tax control, reporting or documentation obligations, and the management of risks in the company.
Insofar as special categories of personal data are processed in accordance with Art. 9 sec. 1 GDPR, this serves in the context of the employment relationship the exercise of rights or the fulfilment of legal obligations under labour law, social security law and social protection (e.B. disclosure of health data to the health insurance fund, recording of the severe disability due to additional leave and determination of the severely disabled levy). This is done on the basis of Article 9(2) b GDPR i.V.m. Section 26 (3) of the German German Data Protection Act (BDSG). In addition, the processing of health data may be necessary for the assessment of their ability to work in accordance with Article 9 (2) h in the .m. Section 22 (1) b of the German Federal Data Protection Act (BDSG). In addition, the processing of special categories of personal data may.B be re-based on consent in accordance with Article 9(2) a GDPR i.V..m . .
Who gets my data?
Within the company, those agencies that need it to fulfil contractual, legal and regulatory obligations as well as to safeguard legitimate interests, e.B. human resources department.
Service providers and vicarious agents used by us may also receive data for these purposes, provided that they need the data for the performance of their respective services. These are e.B. companies in the categories of tax advice for payroll, training providers and IT services. All service providers are contractually obliged to treat your data confidentially.
With regard to the transfer of data to recipients outside our company, it should first be noted that we, as an employer, only pass on necessary personal data in compliance with the applicable data protection regulations. In principle, we may only disclose information about our employees if this is required by law, if you have consented or if we are otherwise authorised to disclose it.
Under these conditions, recipients of personal data may be, for example.B:
- Social security institutions
- Health insurance
- Tax authorities
- Trade associations
- public and public bodies (e.B. tax authorities and law enforcement authorities) in the event of a legal or regulatory obligation
- other companies for the processing of salary payments or similar entities to which we transmit personal data for the execution of the contractual relationship (e.B. for salary payments)
- Business and payroll tax auditors
- Service providers in the context of order processing relationships
Other data recipients may be the bodies for which you have given us your consent to transfer data or to which we are authorised to transfer personal data on the basis of a balance of interests.
Is data transferred to a third country or to an international organisation?
Data transfers to agencies outside the European Economic Area (so-called third countries) usually do not take place. Nevertheless, data transfer in third countries may take place in individual cases, provided that:
- it is required by law to:
- you have given us your consent or
- this is legitimised by the legitimate interest in data protection law and does not prevent the higher interests worthy of protection of the data subject.
In addition, we do not transfer personal data to agencies in third countries or international organisations.
However, we use service providers for certain tasks, which usually also use service providers who may have their registered office, parent company or data centers in a third country. A transfer is permitted if the European Commission has decided that there is an adequate level of protection in a third country (Article 45 GDPR). If the Commission has not taken such a decision, we or our service providers may only transfer personal data to a third country if appropriate safeguards exist (e.B. standard data protection clauses adopted by the EU Commission or the supervisory authority in a particular procedure) and enforceable rights and effective remedies are available.
An example of this is our use of Microsoft Office 365 as an enterprise-wide communication system. Although Microsoft also operates servers within the EU, it cannot be ruled out that your data may be transferred to and processed in a third country (e.B. the UNITED States).
We have concluded a contract processing agreement with Microsoft under Article 28 GDPR with EU clauses in order to maintain an adequate level of data protection. If necessary, please contact us for further information under the contact details above.
We have concluded corresponding order processing contracts with our service providers and have also contractually agreed that there must always be guarantees on data protection with their contractual partners in compliance with the European data protection level.
How long will my data be stored?
We process and store your personal data as long as this is necessary for the fulfilment of our contractual and legal obligations. It should be noted that the employment relationship is a permanent debt relationship, which is intended for a longer period of time.
If the data is no longer necessary for the fulfilment of contractual or legal obligations, these data are regularly deleted, unless their - temporary - further processing is required for the following purposes:
- Fulfilment of statutory retention obligations, which may arise .B from: Social Code (SGB IV), Commercial Code (HGB) and Tax Code (AO). The retention or documentation deadlines set there are usually six to ten years.
- Preservation of evidence within the framework of the statutory limitation regulations. Pursuant to Sections 195 ff of the Civil Code (BGB), these limitation periods can be up to 30 years, with a regular limitation period of 3 years.
If the data processing is carried out in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists. The above exceptions apply. The same applies to data processing on the basis of consent given. As soon as this consent is revoked by you for the future, the personal data will be deleted, unless there are one of the above exceptions.
Is there an obligation to provide data?
Within the scope of the employment relationship, you must provide the personal data necessary for the establishment, execution and termination of an industrial relationship and for the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we will generally not be able to enter into or execute the contract with you.
To what extent is there automated decision-making?
We do not use automatic decision-making in accordance with Article 22 GDPR to establish, implement and terminate the working relationship. Should we use these procedures in individual cases, we will inform you about this and your rights in this regard separately, if this is required by law.
Is profiling taking place?
We do not process your data with the aim of evaluating certain personal aspects automatically.