Processing of (personal) data by the entity in charge of the online application process

Data Protection Information for Applicants*
Flexoptix GmbH

* This document uses the pronouns "they, their and them" to represent all genders

Data Controller (party responsible for data processing):

Flexoptix GmbH, Mühltalstraße 153, 64297 Darmstadt, Germany
Tel: +49 (0)6151 629 040; Fax: +49 (0)6151 629 0499; E-mail: info@flexoptix.net

Company Data Protection Officer (DPO)

Marc Oliver Giel, Lagerstraße 11 A, 64807 Dieburg, Germany;
E-mail: datenschutz@flexoptix.net

What are the purposes for which your data is processed and what is the legal basis?

Consent:

Pursuant to Article 6 (1), P. 1 lit. a) of the GDPR, we process your personal data when you have informed us voluntarily of your consent to do so for one or more specific purposes. Please also note your right of revocation here (see the section entitled "The rights you have as a data subject“). You can in particular provide your consent for processing special categories of personal data pursuant to Article 9 of the GDPR.

Fulfilment of the contract and precontractual measures:

Pursuant to Article 6 (1), P. 1 lit. b) of the GDPR, we process your personal data when you contact our company as an applicant. Further purposes of processing are: the selection process, the decision regarding your application

Legal obligations:

Pursuant to Article 6 (1), S. 1 lit. c) of the GDPR, we process your personal data when we are legally obligated to do so. This obligation can result from a law or an official/judicial order and, in particular, includes compliance duties, data protection accountabilities, fulfilling the rights of data subjects (individuals affected) resulting from data protection law, as well as obligations from the German General Equal Treatment Act (AGG).

Legitimate prevailing interests:

Pursnt to Article 6 (1), P. 1 lit. f) of the GDPR, we process your personal data in order to preserve our legitimate interests, insofar as your interests or basic rights and fundamental freedoms that stipulate protection of personal data do not prevail. Please also note your right of objection here (see the section entitled "Your rights as a data subject").

Our legitimate interests: Assertion of legal claims and defence in the case of legal disputes, guaranteeing IT security and IT operations, business management measures, examining and optimising processes for determining requirements.

Video conferencing:

In individual cases, we hold recruitment interviews via video conference. We use the technology from Microsoft (MS Teams) for this.

Responsibilities:

Microsoft is responsible for the data processing, insofar as this relates to the essential technical and administrative operations of the video conferencing platform, i.e. in particular access to the video conferencing platform and transmission of sound and image data. In this respect, Microsoft must comply with various regulations, including those set out by the German Telecommunications Act (TKG) and the German Telecommunications and Telemedia Data Protection Act (TTDSG). We refer you to Microsoft's privacy statement here: https://privacy.microsoft.com/en-gb/privacystatement

We are responsible for the data processing, insofar as we process personal data for our own purposes or to provide additional functions that are used on the video conferencing platform (such as recordings, whiteboard, chat, etc.). Pursuant to Article 6 (1), P. 1 lit. f) of the GDPR, we have a legitimate prevailing interest in the effective, stable, secure and professional holding of online meetings

Which data categories are processed?

Application data, master data, contact details, usage data.

Insofar as you have also voluntarily shared special categories of personal data (such as health-related data, religious affiliation, degree of disability) with your application or in the course of the application process, this data will only processed when you have given your consent or when this is justified on a legal basis.

The following data is processed when using MS Teams video conferencing:

Disclosures on the user: E-mail address, first and last name (optional), telephone number (optional), profile picture (optional)
Metadata: IP address of participant(s), time and date of participation
For recordings (optional): File of all video, audio and presentation recordings
When dialling in by telephone: Disclosure of the incoming and outgoing telephone number, country name, start and end times. Where necessary, further connection data such as the IP address of the device can also be saved.
Text, audio and video data: Where appropriate and activated, you have the option to use the chat or survey functions, as well as to ask questions during an online meeting. In this respect, the text you enter is processed so that it can be displayed and, where applicable, also logged during the online meeting. To facilitate playback of video and audio, the data from your terminal's microphone and video camera (where present) is processed accordingly throughout the duration of the meeting. However, you can mute the microphone or the camera yourself at any time.
You must at least specify your e-mail address in order to take part in an online meeting and enter the online meeting room.

Where does your data come from?

Collected directly:

We primarily collect your personal data from you yourself.

Third-party collection:

In isolated cases, we also receive your personal data from the recipients of the data (see below), employment agencies, as well as publicly accessible sources, such as professional social networks.

Which recipients or recipient categories is your data forwarded to?

Internal recipients:

Within our company, the departments that require this data in order to properly fulfil our contractual and legal obligations are granted access to it

Data processors:

We have various business processes relating to your personal data performed by so-called "data processors". These are external service providers that process your personal data on our behalf. In order to protect your data, we have concluded a data processing contract pursuant to Article 28 of the GDPR or an equivalent agreement with these companies.

These companies in particular include:

Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 USA (MS Teams video conferencing)
Personio GmbH & Co. KG, Rundfunkplatz 4, 80335 München, Germany (HR software)
MAIT Germany GmbH, Berner Feld 10 - 78628 Rottweil, Germany (IT service provider)
raebbit networks GmbH, Mühltalstraße 153, 64297 Darmstadt, Germany (IT service provider)
Stephan Stahl, Humboldtstraße 31, 30169 Hannover, Germany (IT service provider)

xpoundit GbR, Johann-Strauß-Str. 9, 68723 Plankstadt, Germany (IT service provider)

Third parties:

"Third parties" are companies that do not belong to our company, but which process your personal data independently and without instruction. They receive your data when we are contractually or legally obligated to provide them with your consent or when we have a legitimate prevailing interest in this.

These third parties in particular include: Individuals affected (data subjects), the Data Protection Officer (DPO), courts, public bodies and institutions (for example supervisory authorities, employment agency, financial authorities), recruitment agencies, lawyers, tax consultants, law enforcement authorities, business consultants.

Which third countries or which international organisations is the data sent to?

Third countries:

USA (MS Teams video conferencing). We have concluded a Data Protection Addendum (DPA) with Microsoft. This includes the EU standard contractual clauses, which should be considered suitable guarantees pursuant to Article 46 (2) lit c) of the GDPR. To comply with the requirements of the ECJ and its judgement (C-311/18), an Additional Safeguards Addendum was agreed with Microsoft that is also included in the aforementioned DPA in order to protect your personal data

International organisations:

None

How long is your data stored and when is it deleted again?

Consent:

When you have given your consent pursuant to Article 6 (1) lit. a of the GDPR, the data will be stored until you revoke your consent. For reasons of accountability, we store your declaration of consent for 3 years.

Application documents:

If you are not offered a position at our company, your application documents will be deleted/destroyed 6 months after conclusion of the application process, insofar as you have not given your consent to be included in our talent pool for future opportunities.

Legitimate prevailing interest:

In the case of our legitimate prevailing interest, the data is stored until the data subject (individual affected) exercises their right of objection pursuant to Article 21 (1) of the GDPR, unless we can demonstrate compelling and legitimate reasons for the processing that outweigh the interests, rights and freedoms of the data subject or the processing is required in order to assert, exercise or defend legal rights.

Are you obligated to provide your data? What consequences are associated with failure to provide the data?

Contractual obligation:

Within the scope of the application process, we need from you the personal data that is required to execute the application process and assess your aptitude.

Legal obligation:

We are legally obligated to identify you unequivocally and to document our selection process.

Consequences of failure to provide the requisite data:

If you do not make your application documents available to us, we will unfortunately not be able to consider you when filling vacant positions.

Your rights as a data subject (individual affected)

Information:

Pursuant to Article 15 of the GDPR, you have the right to information on the personal data processed by us, insofar as no statutory exemption is applicable.

Rectification:

Pursuant to Article 16 of the GDPR, you have the right to rectification of inaccurate personal data that affects you and is processed by us.

Deletion:

Pursuant to Article 17 of the GDPR, you have the right to deletion of your personal data that is processed by us, insofar as a legally stated reason is provided and there is no statutory exemption.

Restriction:

Pursuant to Article 18 of the GDPR, you have the right to restrict processing of your personal data by us, insofar as a legally stated reason is provided.

Right to data portability:

Pursuant to Article 20 of the GDPR, you have the right to receive the personal data relating to you that you made available to us in a structured, standard and machine-readable format. You also have the right to transmit this data to a different responsible party without any restriction on our part, insofar as a legally stated reason is provided and there is no statutory exemption.

Objection:

Pursuant to Article 21 of the GDPR, you have the right to object, at any time and with future effect, to processing of personal data relating to you that we process due to our legitimate prevailing interest (Art. 6 (1) lit. e or f of the GDPR) for reasons resulting from your own special situation. Exceptions result from Article 21 (1) P. 2 of the GDPR.

Revocation:

Pursuant to Article 7 (3) of the GDPR, you have the right to revoke your consent at any time. This also applies to the revocation of declarations of consent that you submitted to us before the GDPR came into effect, i.e. before May 25, 2018. However, the legality of the processing based on the consent up to the point of revocation remains unaffected by the revocation of the consent.

Right of appeal:

Pursuant to Article 77 of the GDPR, and notwithstanding any other legal remedy based on regulatory requirements or judicial findings, you have the right to appeal to a supervisory authority, in particular in the member state of your regular abode, of your workplace or of the location of the alleged infringement, if you are of the opinion that the processing of the personal data relating to you is in violation of the GDPR.

Legal remedy:

Pursuant to Article 79 of the GDPR, and notwithstanding any available legal remedy based on regulatory requirements or judicial findings, including the right to lodge a complaint at a supervisory authority pursuant to Article 77, you have the right to an effective judicial remedy, if you are of the opinion that the rights granted to you on the basis of the GDPR have been violated as a result of processing of your personal data that is not in line with this regulation.

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.