Data privacy statement for application procedures

We take the protection of your personal data very seriously. Therefore, we handle your data responsibly in all data processing procedures and observe the statutory provisions regarding data protection, in particular the provisions of the General Data Protection Regulation (GDPR) and of the German Federal Data Protection Act (Bundesdatenschutzgesetz (BDSG)).

This data privacy statement gives an overview of the following information:

•    Which of your data are collected, stored, and processed via our website (hereinafter also referred to as “offer”?
•    In what manner, to what extent, and for what purposes are these data used?
•    What security measures are taken to protect your data?
•    How can you obtain access to the information provided to us and, if necessary, assert further data subject rights against us?

1. Contact details of the controller

e.solutions GmbH
Despag-Straße 4a
85055 Ingolstadt, Germany
Phone: +49 8458 3332-100
Fax: +49 8458 3332-333
www.esolutions.de
 
Contact details of our data protection officer:

Dr. Carlo Piltz
PL Services GmbH
Südwestkorso 3
12161 Berlin
Tel: +49 30 814 53 50 00
Fax: +49 30 814 53 50 09
E-mail: datenschutzbeauftragter@esolutions.de
Web: www.piltz.legal    

2. Purposes of data processing

You can apply for advertised jobs using our job portal. The purpose of data processing is to select the candidates for a potential employment at e.solutions GmbH.

In order to apply for a job at e.solutions using our job portal, you have to create an account in our job portal (or use the provided login function of the social networks XING or LinkedIn) so that we will be able to clearly allocate the transmitted data and documents to your person and confidential handling of any and all information relating to you can be guaranteed. We mandatorily collect the following applicant data in order to create an account and receive and process your application:

•    form of address,
•    first and last name, 
•    address,
•    e-mail address, 
•    curriculum vitae,
•    knowledge of the German and English language.
 

If you voluntarily provide us with additional data, these will only be used for the purpose of processing your application and carrying out the application procedure.


If your application is an unsolicited application, we will additionally collect the following applicant data:

•    favoured type of contract,
•    favoured area of responsibility.

You may voluntarily provide us with additional information such as your salary expectations, period of notice, or additional documents (certificates, references, motivational letter, etc.).

We will review your application and contact you if necessary, in particular to arrange appointments or to clear up questions.

Moreover, you can also log in to our job portal via an already existing account in the XING or LinkedIn network. For more detailed information on that, please read section 8 “Third-party services”.

When you apply for a job at e.solutions, your applicant data are never passed on to third parties. If you have any questions regarding data protection in the application procedure (e.g., about your rights under data protection law), please directly contact our data protection officer at datenschutzbeauftragter@esolutions.de.

We store your application data upon receipt of your application. If we accept your application and then employ you, we will store your application data as long as this is necessary for your employment and insofar as we are required by law to do so.

If we reject your application, we will store your application data for a maximum of six months after rejection of your application, unless you give us your consent to a longer storage. We will contact you by phone for this purpose in order to find out whether you have an interest in your application being considered for other job vacancies. If you communicate your interest in the phone conversation, we will subsequently send you a confirmation e-mail. After completion of the further application procedure, we will store your data for another six months. After expiry of this period, the data will be erased automatically.

If we do not advertise a concrete vacancy at that time, you will have the option to have your applicant data stored in our talent pool. We will contact you by e-mail for this purpose in order to find out whether your profile may be considered for future job vacancies. Storage will only be carried out after receipt of your written confirmation. From the date of consent, we will store your applicant data for a maximum of six more months. After expiry of this period, the data will be erased automatically.

If and whenever you contact us (e.g., using the contact form or by e-mail), your data will be stored for the purpose of handling your request and in case any follow-up questions arise.
 

    
3. Legal basis of processing

The legal basis for the processing of your applicant data is

•    Art. 6(1)(b) GDPR for the establishment and performance of the potential employment contract; 
•    Art. 6(1)(c) GDPR (in conj. with the respective legal obligation to which we are subject) for the fulfilment of legal obligations the employer is subject to; 
•    Art. 6(1)(f) GDPR for safeguarding the legitimate interests of e.solutions or a third party, unless your interests or fundamental rights and freedoms override; 
•    Section 26 subsection 2 sentence 1 BDSG (in conjunction with Art. 6(1)(a) GDPR) on the basis of a consent given by you.  

If special categories of personal data (e.g., health data, Art. 9(1) GDPR) are processed, this processing is carried out on the basis of Section 26 subsection 3 sentence 1 BDSG (in conjunction with Art. 9(2)(b) GDPR) for exercising rights or fulfilling legal obligations under labour law, the right to social security and social protection, or based on your consent pursuant to Section 26 subsections 2 and 3 BDSG (in conjunction with Art. 9(2)(a) GDPR).

Please note that in particular CVs, certificates, references, or further data provided by you for purposes of the application might also contain particularly sensitive data (Art. 9(1) GDPR). Therefore, we recommend to not provide any particularly sensitive data. If you transfer data of this type, we will only use them to keep your documents and process your application in accordance with this information.  
 


4. Log files

We (and our webspace provider, respectively) process your data on every access to the offer (called server log files and system and usage data, respectively). Access data include the following: name of the called website, file, date and time of the call, transferred amount of data, report on successful retrieval, referral URL (previously visited page), IP address, and accessing provider. We use the log data only for statistical evaluations for the purpose of operation, security, and optimisation of our offer. However, we reserve the right to subsequently examine the log data if there are concrete indications of the legitimate suspicion of illegal use. The legal basis for the processing of personal data in log files is Art. 6(1)(f) GDPR.

 
5. Disclosure of data

If you apply to our company for a concrete job advertisement, we will pass on your application internally to the responsible specialist department so that the application can be processed and evaluated there.
If you send us an unsolicited application, the specialist departments for which your application could be of interest will gain access. The purpose of this is to allow an evaluation of the content of your application.

Otherwise, the data collected by us will generally be disclosed if:
•    you gave your explicit consent to that in accordance with Art. 6(1)(a) GDPR;
•    the disclosure is required in compliance with Art. 6(1)(f) GDPR for the establishment, exercise, or defence of legal claims and if there is no reason for the assumption that you have a substantial legitimate interest in the non-disclosure of your data;
•    we are required by law to disclose them, pursuant to Art. 6(1)(c) GDPR; or
•    this is permitted under law and required for the execution of a contract with you or for the implementation of pre-contractual measures performed upon your request in compliance with Art. 6(1)(b) GDPR.

Part of the data processing described in this data privacy statement might be performed by our service providers. Apart from the service providers stated in this data privacy statement, this may include in particular data centres that store our website and databases, IT service providers that maintain our systems, and consulting firms. If we disclose data to our service providers, they must only use the data to accomplish their tasks. The service providers were selected and commissioned carefully by us. They are contractually bound by our instructions, dispose of suitable technical and organisational measures to protect the data subjects’ rights, ensure an adequate level of data protection, and are carefully supervised by us.

Moreover, your data might be disclosed in connection with official inquiries, court orders, and legal procedures if this is required for prosecution or law enforcement.

 

6. Storage period

In general, we will store your applicant data for a period of six months from the date on which

•    you received our decision regarding the filling of the vacancy or 
•    you informed us that you withdraw your application,

in order to be able to respond to actions under the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz (AGG)) if necessary. In the case of a lawsuit against you in this context, we will store your applicant data even beyond this period of six months until the lawsuit has been settled.

Moreover, we will also keep your applicant data after the application process if

•    an assessing forecast requires longer storage for a future lawsuit against you;
•    a lawsuit against you is certainly imminent; or
•    a lawsuit against you already takes place.

In these listed cases, we will store your applicant data at the longest until the associated lawsuit has been settled.
 


7. Security

We implement up-to-date technical measures to ensure data security, in particular to protect your personal data against hazards during data transmission and disclosure to third parties. These measures are each adjusted to the current state of the art.


8. Third-party services

Application using the form on the website with onlyfy one (formerly Prescreen)

When you apply for a job opening on our website, you will be redirected to a page on which you can give and send us your application details. We provide this page with the aid of our service provider New Work SE, Am Strandkai 1, 20457 Hamburg, Germany (hereinafter referred to as “New Work SE”). New Work SE provides the application form and the technical infrastructure on our behalf. In this context, New Work SE 4 processes the log files mentioned in section 4 of this data privacy statement on our behalf and sets a session cookie (PHPSESSID) which is required for providing the application page with the form and which loses its validity once the window with the form is closed.

You can interrupt the creation of your online application at any time and continue at a later date. New Work SE uses cookies for this purpose. Data provided by you to create the user account as well as uploaded documents are notified to us by New Work SE in our company account. The data will remain recorded even if you interrupt and/or do not complete an application. In this case, your application will be marked as incomplete, and we will have limited access to your data. New Work SE is responsible for the use of cookies. We process the data notified to us in the company account on the basis of our legitimate interests in the use of data provided to us for an application that has been commenced on the basis of Art. 6(1)(f) GDPR.
 

XING

On our job portal we use a plugin of New Work SE, Am Strandkai 1, 20457 Hamburg, Germany, which allows applicants to create a link to XING and import the data from their XING profile into the application form. If you use this function, your browser will establish a connection to the servers of New Work SE (“XING”) to transmit the respective data.
By clicking “Allow” you grant this application access to your basic profile data and additionally the following:

•    profile details,
•    complete date of birth,
•    verified e-mail address,
•    address (private),
•    address (business).

After you have given your consent, XING will provide us with these data for further use. If you decide to transmit your application details using XING in part, according to XING this might involve data transfer from a EU/EEA country to a non-EU/EEA country, as XING occasionally stores or processes data outside the EU and the EEA. You using XING for the transfer of information to us entails the implementation of a pre-contractual measure involving data transfer upon your request on the basis of Art. 49(1)(b) second variant GDPR.

The latest version of Xing’s privacy policy and additional information is available at: https://privacy.xing.com/en/privacy-policy.


LinkedIn

Furthermore, we use a plugin of the social network LinkedIn of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”), which allows applicants to log in to our portal directly via their LinkedIn account and import the data from their LinkedIn profile into the application form.

By clicking “Allow” you grant LinkedIn access to the following data, which will be provided to us for further use:

•    your basic profile data with name, photo, headline, and current positions;
•    the primary e-mail address assigned to your LinkedIn account.

If you decide to transmit your application details using LinkedIn in part, according to LinkedIn this might involve data transfer from a EU/EEA country to a non-EU/EEA country, as LinkedIn occasionally stores or processes data outside the EU and the EEA. LinkedIn provides information on how data are transferred by LinkedIn from the EU, EEA, Switzerland, and Great Britain at the following URL: https://www.linkedin.com/help/linkedin/answer/a1343190?trk=microsites-frontend_legal_privacy-policy&lang=en-us&intendedLocale=en-GB. LinkedIn is certified under the Data Privacy Framework (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000L0UZAA0&status=Active). Data transfers to the USA are based on the adequacy decision and LinkedIn's certification under the Data Privacy Framework or on the basis of the EU standard data protection clauses (Implementing Decision (EU) 2021/914 of 4 June 2021). The standard contractual clauses agreed with LinkedIn are part of the data processing agreement concluded with LinkedIn, which is available at the following URL: https://www.linkedin.com/legal/l/dpa.
 

onlyfy one

We use the onlyfy one (by XING) service provided by New Work SE, Am Strandkai 1, 20457 Hamburg, Germany, for application processing and management. onlyfy one enables us, for instance, to publish job advertisements, identify interesting talents (e.g., also from the professional network XING), receive and manage applications and exchange information with talents and job applicants. Among other things, New Work SE provides talent recommendations and notifies these in our company account and generates recruiting-relevant information and analyses on the basis of data processed by New Work SE in onlyfy one and, for example, in other XING applications or outside. 
Regarding some data processing, New Work SE and we are joint controllers within the meaning of Art. 26(1) sentence 1 GDPR. Regarding data processing for which New Work SE is solely responsible or jointly responsible with us within the scope of our joint controllership (for the responsibilities, also refer to the table in this sections), more detailed information is available in XING’s Privacy Policy at https://privacy.xing.com/en. A list of the subcontracted processors deployed by New Work SE being recipients of the data processed within the scope of the joint controllership is available here.
The agreement concluded between us and New Work SE is available here. In the following we inform you about the essentials of the agreement concluded with New Work SE and the scope of the joint controllership as well as the allocation of responsibilities for the fulfilment of obligations arising from the GDPR. Within the scope of the joint controllership of New Work SE and us, the following types of data are processed in accordance with the concluded agreement:
•    master data (e.g., name, contact details, date of birth, etc.);
•    qualification data (CV etc.);
•    optional details (application photo or further information, additional questions depending on the respective advertisement, etc.);
•    communications data;
•    information from profiles on XING or LinkedIn etc.;
•    special categories of personal data pursuant to Art. 9(1) GDPR, for instance, data concerning health (e.g., severely disabled status) or details that allow conclusions to be drawn about the sexual orientation or ethnic origin or religion;
•    usage data, tracking data, also using cookies and similar technologies;
•    data within the scope of support services (e-mail address, name, enquiry context, other personal data, etc.)

The above-mentioned types of data are processed in the context of the following processing steps as part of the joint controllership under the responsibility of the following parties:
 

Processing step

Responsibility

Storing applicant data in our account

We

Showing and recommending talents in our account

New Work SE

Collecting usage data, tracking, also using cookies and similar technologies

New Work SE

Transferring data accumulating or processed in our account, including usage data / data collected automatically, also using tracking technologies and cookies, for New Work SE’s own purposes

New Work SE

Providing “insights”: generating and providing recruiting-relevant information and analyses on the basis of data from our account

New Work SE

Product support for talents or applicants regarding the included products and services, including information on product changes etc.

New Work SE

Selecting and implementing third-party tools provided for us for use within the scope of the included products and services as well as processing of related data by processors and/or transfer of data

New Work SE

Among the joint controllers, the party responsible for one of the above-mentioned processing steps is responsible for the existence of a legal basis under the GDPR and for implementing the data subject rights pursuant to Art. 15 GDPR (right to access), Art. 16 GDPR (right to rectification), Art. 17 GDPR (right to erasure), Art. 18 GDPR (right to restriction of processing), Art. 20 GDPR (right to data portability), and Art. 21 GDPR (right to object).

New Work SE is solely responsible for implementing the rights pursuant to Art. 22(3) GDPR (right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision in the case of automated individual decision-making with legal/detrimental effects). Regardless of the responsibilities for implementing data subject rights agreed between us and New Work SE, you may contact the company of your choice to assert your data subject rights. However, in practice it is surely more effective to contact primarily New Work SE, since we – as shown in the table – are only responsible for storing applicant data in our account.

Moreover, New Work SE is also solely responsible for complying with the requirements under Art. 25 GDPR (data protection by design and by default) and for carrying out a risk assessment of the processing. Additionally, New Work SE is also responsible for communication in the context of data breaches under Art. 34(1) GDPR, provided such data breach is not caused by technical implementation and configuration on our part.

We use onlyfy one on the basis of our legitimate interests in processing and managing applications, receiving recommendations for potential applications from New Work SE, communicating with applicants via onlyfy one and receiving recruiting-relevant information and analyses on the basis of data from our account. The legal basis is Art. 6(1)(f) GDPR. If you convey special categories of personal data within the scope of your application, the processing will be carried out on the basis of Section 26 subsection 3 sentence 1 BDSG (German Federal Data Protection Act) (in conjunction with Art. 9(2)(b) GDPR) to exercise rights or fulfil legal obligations under labour law, the right to social security and social protection, or based on your consent pursuant to Section 26 subsections 2 and 3 BDSG (in conjunction with Art. 9(2)(a) GDPR).
 

Video interviews using Microsoft Teams

We use the online video conference system Microsoft Teams (“MS Teams”) provided by our contractual partner Microsoft Ireland Operations Limited (One Microsoft Place, South Country Business Park, Leopardstwon Dublin 18, DP18 P521, Ireland, “Microsoft”) to conduct video interviews. Microsoft and the subcontracted processors named here are recipients of the data processed by us when you communicate with our employees via MS Teams.

We process the following data when you communicate with our employees via MS Teams:

•    information on the MS Teams account, MS Teams version and settings;
•    information on meetings and their participants;
•    status information (offline, inactive, active, in a meeting, etc.);
•    personal data as part of data on video and audio quality;
•    personal data as part of data on text, video, and audio files;
•    personal data as part of analyses and reports that can be created in MS Teams.

The legal basis for data processing is our legitimate interests within the meaning of Art. 6(1)(f) GDPR. Our legitimate interests are to provide and use an established tool for video interviews and to conduct such interviews in order to refrain from travelling and flexibly conduct interviews. Furthermore, Microsoft processes the data as independent controller for the purposes stated here on page 6 under “Verarbeitung für Geschäftstätigkeiten, die durch die Bereitstellung der Produkte und Services an den Kunden veranlasst sind”. 

When using MS Teams, data are transferred to the USA and other countries where Microsoft or its subcontracted processors have their registered office. Such data transfers between a Microsoft company based in the EU and subcontracted processors commissioned by Microsoft or Microsoft companies based in third countries are based on the EU standard data protection clauses, module 3 (Implementing Decision (EU) 2021/914 of 4 June 2021) or, in the case of data transfers to the USA, additionally on the basis of the adequacy decision and Microsoft's certification under the Data Privacy Framework (the certification is available at the following URL: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active). As the EU standard data protection clauses are agreed by Microsoft with other companies, you have to contact Microsoft to obtain a copy of the EU standard data protection clauses. You can do this, for example, in the form at the following URL:  https://www.microsoft.com/en-gb/concern/privacy
 

9. Your rights

You have the right to obtain access to your personal data processed by us at any time. Within the scope of providing this access, we will explain the data processing and provide an overview of the data stored about your person.

If data stored by us are wrong or no longer up to date, you have the right to have these data rectified.

Moreover, you may demand the erasure of your data. If erasure is not possible for once due to other legal provisions, the data will be locked so that they are only available for this legal purpose.

Moreover, you may have the processing of your data restricted, e.g., if you hold that the data stored by us are not correct. You also have the right to data portability, i.e., that we supply you with a digital copy of the personal data provided by you on request.

In order to exercise your rights described here, you may address the contact data stated above at any time. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection.

Moreover, you have the right to object to data processing that is based on Art. 6(1)(e) or (f) GDPR or serves for direct marketing.

Finally, you have the right to lodge a complaint with the data protection supervisory authority responsible for us. You may exercise this right before a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Bavaria, the responsible supervisory authority is: Bayerisches Landesamt für Datenschutzaufsicht, Promenade 27, 91522 Ansbach, Germany.
 


Right to revoke and object

Pursuant to Art. 7(2) GDPR you have the right to withdraw your consent given to us at any time. Consequently, we will no longer continue the processing of data that had been based on this consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Insofar as we process your data on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR and state grounds relating to your particular situation which, in your opinion, speak for the predomination of your legitimate interests.

If you wish to exercise your right to revoke or object, an informal notice to the contact data stated above will be sufficient.