Privacy Notes according to Art. 13, 14 GDPR

RYDES GmbH (NAVIT)

I. General Information

Applicable to all of the following descriptions of data processing.

The controller responsible for the processing of your personal data in the context of this contact is

RYDES GmbH (NAVIT)
Brunnenstraße 19-21
10119 Berlin
Germany
[email protected]
www.navit.com

The appointed Data Protection Officer is

DataCo GmbH
Sandstraße 33
80335 Munich, Germany
Tel.: +49 (0) 89 7400 458 40
E-mail: [email protected]
www.dataguard.de

II. Rights of the Data Subject

The General Data Protection Regulation (GDPR) grants individuals in the EU (and the EEA) a set of rights over their personal data. These rights are intended to give people transparency, control, and recourse in how their data is collected, used, and shared by organizations.

Below is a summary of the key rights:

You may request confirmation from the controller as to whether personal data concerning you is being processed. Where this is the case, you may request the following information from the controller:

  • The purposes for which the personal data is processed;
  • The categories of personal data being processed;
  • The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed, in particular recipients in third countries or international organizations;
  • The envisaged period for which your personal data will be stored, or, if specific information is not available, the criteria used to determine that period;
  • The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • Any available information as to the source of the data, where the personal data was not collected from the data subject;
  • The existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR and, in certain cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether your personal data is transferred to a third country or an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

The controller will provide you with a copy of the personal data undergoing processing. The rights and freedoms of others shall not be adversely affected. For any further copies you request, the controller may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, the information shall be provided in a commonly used electronic format, unless you request otherwise.

You have the right to obtain from the controller the rectification of inaccurate personal data concerning you without undue delay, and the right to have incomplete personal data completed.

a) Obligation to erase

If you request the controller to erase your personal data with immediate effect, the controller is obliged to do so without undue delay where one of the following applies:

  • The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw the consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal ground for the processing.
  • You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
  • The personal data concerning you has been unlawfully processed.
  • The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8(1) GDPR.

b) Information to third parties

Where the controller has made your personal data public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, that personal data.

c) Exceptions

The right to erasure does not apply to the extent that processing is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defense of legal claims.

You may request the restriction of the processing of your personal data under the following conditions:

  • Where you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of your personal data;
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
  • The controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise, or defense of legal claims; or
  • Where you have objected to processing pursuant to Art. 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override your grounds.

Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

Where processing has been restricted under the above conditions, you shall be informed by the controller before the restriction is lifted.

Where you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to each recipient to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the controller about those recipients.

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, where

  • the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and
  • the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by this.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You also have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. This does not apply where the decision

  1. is necessary for entering into, or performance of, a contract between you and the controller,
  2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
  3. is based on your explicit consent.

However, such decisions must not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (b) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

With regard to the cases referred to in 1. and 3., the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

III. Applicants

1.1 Categories of personal data

As part of the application process, we process exclusively data relating to your application. This may include the following personal data:

  • Application via the applicant portal or submission of documents by post or e-mail
  • Personal master data (e.g. salutation, first and last name, date of birth)
  • Address data (e.g. street, house number, postal code, city, country)
  • Contact data (e.g. mobile phone number, e-mail address)
  • Skills (e.g. language skills, additional qualifications)
  • Application or profile data (e.g. cover letter, CV, references/certificates, earliest possible start date, desired position, preferred locations, salary expectations, how you became aware of us)
  • Where applicable, details of contact persons for references
  • Where applicable, information on current remuneration
  • Where applicable, data on areas of interest
  • Where applicable, a link to professional networks such as a XING or LinkedIn profile
  • Where applicable, bank details for travel expense reimbursement
  • Where applicable, an application photo
  • The existence of your consent to inclusion in the applicant and/or talent pool
  • Your consent to contacting the references you have named, and where applicable, data from correspondence with those references

1.2 Sources from which your personal data originates

As part of the application process, NAVIT collects the following personal data from you:

  • Salutation
  • Address
  • Professional qualification and further training
  • Last name
  • First name
  • Your e-mail address
  • Your mobile phone number
  • Your landline number
  • CV
  • References/certificates
  • Title
  • Education
  • Further data that you share with us during the application process

Purposes of processing

Your personal data is processed for the following purposes:

  • Conducting the application process and deciding on the establishment of an employment relationship
  • Communication (telephone, e-mail)
  • Carrying out pre-contractual measures (initiation of the employment relationship)
  • Inclusion of applicant data in an applicant pool
  • Establishment, exercise, or defense of legal claims arising from the application process

Legal bases for processing

Special categories that have been made public – Art. 9(2)(e) GDPR: Insofar as special categories of personal data are processed which you have manifestly made public, your data is processed pursuant to Art. 9(2)(e) GDPR.

Legal claims / actions of the courts – Art. 6(1)(f) GDPR, Art. 9(2)(f) GDPR: Where necessary, your data is processed for the establishment, exercise, or defense of legal claims or in connection with actions of the courts.

Consent – Art. 6(1)(a) GDPR in conjunction with Art. 7 GDPR, Art. 88(1) GDPR in conjunction with Section 26(2) BDSG (German Federal Data Protection Act): If you have given your consent to data processing, your data is processed accordingly.

Decision on the establishment of the employment relationship – Art. 6(1)(b) GDPR, Art. 88(1) GDPR in conjunction with Section 26(1) BDSG: We process your data in order to make a decision on the establishment of the employment relationship. In the event of employment, your data is processed for the purpose of carrying out and terminating the employment relationship; separate information is provided for this.

Legitimate interest – Art. 6(1)(f) GDPR: Our legitimate interest arises in particular from the proper conduct and optimization of the application process and from the establishment, exercise, or defense of legal claims.

Special categories – Art. 9(2)(a) GDPR: If you have given your consent to the processing of special categories of personal data (e.g. health data, religious affiliation, nationality), your data is processed accordingly.

In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients:

  • Within our company, exclusively to the departments and persons who need this data to fulfill contractual and legal obligations or to implement our legitimate interest
  • HR department
  • External staff / freelancers
  • Processors
  • Third parties
  • Affiliated companies

As part of the application process, your personal data is only forwarded to those employees of our company who need it to fulfill the aforementioned purposes. No transfer of your personal data to third parties takes place as part of the application process.

In addition, your personal data may be transmitted to the following service providers established in a country outside the EU/EEA:

  • DocuSign, Inc., San Francisco, USA
  • Sendgrid (Twilio Inc.), Denver, USA
  • Intercom, San Francisco, USA
  • HubSpot, Cambridge, USA

In order to make the third-country transfer as data protection-friendly as possible, standard contractual clauses pursuant to Art. 46(2)(c) GDPR have been concluded with providers in unsafe third countries. A copy of the standard contractual clauses can be requested by sending an informal e-mail to [email protected].

For the purpose of communicating with applicants, we use the Google Workspace service provided by Google Inc., Google Ireland Limited, Google Commerce Limited, Google Asia Pacific Pte. Ltd., or Google Australia Pty Ltd. Further information: workspace.google.com/terms/2014/1/dpa_terms

We will erase your personal data as soon as the aforementioned purposes for its storage no longer apply, or you object to the use of your personal data (in the case of processing based on legitimate interests), or you withdraw the consent you previously gave. However, your personal data may also be stored beyond this, in particular in the following cases:

  • where contractual, statutory (in particular under the German Commercial Code (HGB), Criminal Code (StGB), and Fiscal Code (AO)), or bylaw-based retention periods prevent erasure
  • for the establishment, exercise, or defense of legal claims
  • where required under European or national laws for compliance with a legal obligation to which we are subject

The following retention periods arise from statutory provisions in particular:

  • Following a decision not to fill the position: 6-month retention period for application documents (Section 15(4) AGG (General Equal Treatment Act), Section 224 ZPO (Code of Civil Procedure)).

Where the applicant has consented, the application documents are included in the applicant pool and retained there for a maximum of 2 years from the time of consent. They are erased once the purpose no longer applies or the applicant withdraws consent.

In the event of employment with our company, your personal data is erased when the purpose no longer applies, at the latest after termination of the employment relationship, unless statutory retention periods prevent erasure.

IV. Customers and Interested Parties

1.1 Your personal data that we process

In the context of the existing customer relationship, we process the following data relating to you:

  • Address
  • Bank account details
  • Customer number
  • Last name
  • First name
  • Your e-mail address
  • Your mobile phone number
  • Your landline number

1.2 Purposes of processing

In the context of the existing customer relationship, your personal data is processed for the following purposes:

  • To process your inquiry as an interested party. For this purpose, we use your contact data to be able to respond to your inquiry.
  • To prepare and carry out pre-contractual measures – this includes, for example, the creation and sending of an individual offer, or the individual agreement and transmission of contract terms with the aim of concluding a contract.
  • To include your contact data in our customer database.
  • To fulfill our contractual obligations under the license agreement with you.
  • To inform you optimally about our products and services. This also includes sending (direct) advertising by e-mail or post.
  • To ensure smooth billing of the services rendered (issuing invoices).
  • To comply with our legal obligations (e.g. transmission to the tax office).
  • To provide you with optimal support as our customer (communication by e-mail, mobile phone, landline).
  • For the purpose of sending the newsletter, insofar as you have subscribed to our newsletter.
  • To fulfill post-contractual measures.
  • For the establishment, exercise, or defense of legal claims.

1.3 Legal bases for processing

The legal basis for the processing of data in the context of our customer relationship is Art. 6(1)(a)–(f) GDPR.

Consent: Insofar as we obtain your consent, processing is carried out on the basis of Art. 6(1)(a) GDPR in conjunction with Art. 5, 7 GDPR.

Contract performance: Insofar as we process your data for the purpose of performing a contract, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to pre-contractual and post-contractual measures.

Legal obligation: Where necessary, Art. 6(1)(c) GDPR serves as the legal basis (tax and commercial law retention obligations).

Legitimate interest: The legal basis for direct advertising may, where our legitimate interests apply, be Art. 6(1)(f) GDPR – in particular to inform you about our products, offers, and services by way of direct marketing, and to respond to your inquiries by e-mail and telephone. The establishment, exercise, or defense of legal claims is also based on point (f).

In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients. We only transmit to external recipients where you have consented or where this is permitted by law:

  • External staff / freelancers
  • Processors
  • Third parties
  • Public authorities (e.g. tax offices, courts, trade supervisory office)
  • Billing partners
  • Debt collection companies
  • Credit institutions
  • Parcel service providers
  • Postal services
  • (External) quality control bodies
  • Tax advisors

In addition, your personal data may be transmitted to the following service providers established in a country outside the EU/EEA:

  • Sendgrid (Twilio Inc.), Denver, USA
  • Intercom, San Francisco, USA
  • HubSpot, Cambridge, USA

For the purpose of communicating with customers and interested parties, we use the Google Workspace service provided by Google Inc., Google Ireland Limited, Google Commerce Limited, Google Asia Pacific Pte. Ltd., or Google Australia Pty Ltd. Further information: workspace.google.com/terms/2014/1/dpa_terms

In order to make the third-country transfer as data protection-friendly as possible, standard contractual clauses pursuant to Art. 46(2)(c) GDPR have been concluded with providers in unsafe third countries.

The following service providers in the USA have joined the Trans-Atlantic Data Privacy Framework (TADPF; the data protection agreement between the EU and the USA), so that an adequate level of data protection is ensured for the data processing:

  • Intercom, San Francisco, USA
  • HubSpot, Cambridge, USA

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data is destroyed or erased in our systems as soon as it is no longer needed. We take appropriate measures to ensure that your personal data is only processed under the following conditions:

  1. For the duration for which the data is used to provide you with a service;
  2. as required by applicable law, contract, or in view of our legal obligations;
  3. only for as long as is necessary for the purpose for which the data was collected, or longer where this is required by contract or applicable law, applying appropriate safeguards.

A requirement to retain data may exist in particular where the data is still needed to fulfill contractual services or to review and grant, or defend against, warranty and, where applicable, guarantee claims. Where the data is no longer required for the fulfillment of contractual or legal obligations, it is erased on a regular basis, unless its – temporary – retention remains necessary, in particular to fulfill statutory retention periods of up to ten years (arising, among others, from the German Commercial Code (HGB), Fiscal Code (AO), and Anti-Money Laundering Act). In the case of statutory retention obligations, erasure is only considered after the expiry of the respective retention obligation.

V. Event Participants

1.1 Your personal data that we process

We process personal data that we receive from you through your participation in the event. In particular, we process:

  • Livestream recordings
  • Video recordings
  • Photos
  • First name
  • Last name
  • Company affiliation
  • E-mail address
  • Salutation
  • Signature, where consent has been given

1.2 Purposes of processing

Your personal data is processed for the following purposes:

  • To conduct the event
  • For internal reporting on the event
  • For advertising purposes for our company on social networks

In addition, the film and video recordings are published after the event for marketing purposes: on the website and on social or professional networks (YouTube, LinkedIn). Processing of your personal data for any other purpose is not intended.

1.3 Legal bases for processing

Legitimate interest: The legal basis for producing photo and film recordings during our events is our legitimate interest (Art. 6(1)(f) GDPR) in the subsequent internal and external publication for marketing purposes on our company website (www.navit.com) and on social or professional networks (YouTube, LinkedIn). If you do not wish to be photographed or filmed, please let us know before or during the event. If you should nevertheless appear in group recordings, you will be rendered unrecognizable in these recordings afterwards. For the publication, we obtain your consent at the entrance area of the event location, which you may of course give voluntarily.

Consent: The legal basis for processing your personal data, both for the purpose of participating in the event and for the internal and external publication of photo and film recordings, is the consent you have given, and thus Art. 6(1)(a) GDPR in conjunction with Art. 5, 7 GDPR. You have the right to withdraw your consent at any time by e-mail to [email protected]. The withdrawal does not affect the lawfulness of processing carried out on the basis of consent up to the point of withdrawal (Art. 7(3) GDPR). If you appear in a recording together with other persons, erasure is not mandatory – it is sufficient for you to be rendered unrecognizable. Insofar as a recording reveals information about your ethnic origin, religion, or health, the consent also expressly extends to this information.

Information on publication on the internet: Where personal data has been made publicly accessible and you withdraw your consent, we are only subject to an obligation to inform other recipients. Information placed on the internet may under certain circumstances never be completely deleted. In any case, the providers of the most important search engines are informed of the erasure request. Despite all technical precautions, it cannot be ruled out that third parties may reuse or pass on photos and/or videos. The company is not liable for third parties using the photos for further purposes.

In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients:

  • External staff / freelancers
  • Processors
  • Public authorities (e.g. tax offices, courts, trade supervisory office)
  • Billing partners
  • Debt collection companies
  • Credit institutions
  • Logistics companies
  • Parcel service providers
  • Postal services
  • (External) quality control bodies
  • Tax advisors

Your personal data is transmitted to the following service providers:

  • Eventbrite, San Francisco, California

In the case of processors and service providers outside the EU/EEA, your aforementioned personal data is only processed insofar as this is the subject of our data processing agreement pursuant to Art. 28 GDPR with these recipients. The following data is used: name, video material (if the camera was switched on), e-mail address, IP address, metadata of the end device.

In addition, in the context of the publication of film and video recordings for marketing purposes, your personal data may be transmitted to the following service providers, provided you have given your consent:

  • LinkedIn Ireland Unlimited Company, Dublin, Ireland
  • YouTube: Google Ireland Limited, Dublin, Ireland

In order to make the third-country transfer as data protection-friendly as possible, standard contractual clauses pursuant to Art. 46(2)(c) GDPR have been concluded with providers in unsafe third countries. We have no influence over the collection of data and its further use by the providers of the social networks. Further information on options for objection and removal can be found here: LinkedIn – linkedin.com/legal/privacy-policy; YouTube – policies.google.com/privacy.

Where we engage a service provider (e.g. an event manager), we remain responsible for the protection of your data. All processors are obliged to treat your data confidentially and to process it only in the course of providing the service. We may pass on your personal data (e.g. name, company name, e-mail address) to our authorized sales partners, based on our legitimate interest in identifying and pursuing potential sales opportunities (Art. 6(1)(f) GDPR). After receiving your data, these sales partners act as independent controllers.

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data is destroyed or erased in our systems as soon as it is no longer needed. We take appropriate measures to ensure that your personal data is only processed under the following conditions:

  1. For the duration for which the data is used to provide you with a service;
  2. as required by applicable law, contract, or in view of our legal obligations;
  3. only for as long as is necessary for the purpose for which the data was collected, or longer where this is required by contract or applicable law, applying appropriate safeguards.

A requirement to retain data may exist in particular where the data is still needed to fulfill contractual services or to review and grant, or defend against, warranty and, where applicable, guarantee claims. Where the data is no longer required for the fulfillment of contractual or legal obligations, it is erased on a regular basis, unless its – temporary – retention remains necessary, in particular to fulfill statutory retention periods of up to ten years (arising, among others, from the German Commercial Code (HGB), Fiscal Code (AO), and Anti-Money Laundering Act).

VI. Employees

1.1 Your personal data that we process

In the context of the employment relationship, we process the following personal data relating to you:

  • First name, last name, gender, date and place of birth
  • Where applicable, passport/ID card data, nationality, ethnic origin
  • Address, e-mail address (business and private)
  • Employment contract including addenda and supplements; contractual instructions and other correspondence relating to the employment relationship
  • Termination documents (notices of termination, warnings, termination agreements)
  • Working hours, deployment times, overtime
  • Health insurance fund, insurance number; illness-related absences, certificates of incapacity for work, proof of illness; health insurance documents
  • Payroll and salary statements: church tax liability, marital status, maintenance obligations, main/secondary employment, income tax allowance, where applicable salary advances/loans, tax ID, tax class and factor, child allowances, pension insurance provider, religious affiliation
  • Tax documents (e.g. income tax records, annual income tax certificates)
  • Social security notifications and annual reports
  • Pregnancy/childbirth, information on parental leave
  • Personnel number, IT username
  • Evidence of school, university, and professional qualifications (e.g. references/certificates)
  • Performance-related documents/notes (target agreements, interim references/certificates)
  • Information on vacation days, sabbatical; emergency contact(s)
  • (In the case of temporary agency work:) information thereon
  • (In the case of disability:) proof of severe disability or similar
  • (In the case of occupational pension schemes:) provider of the occupational pension scheme
  • (In the case of double taxation:) any exemption notification
  • (For commission-entitled employees:) statements of the revenues relevant to salary determination

1.2 Purposes of processing

  • Carrying out pre-contractual measures (initiation of the employment relationship)
  • Establishment, performance, and termination of the employment relationship
  • Settlement of your expenses and remuneration (in particular preparation of expense calculations and payroll statements)
  • Documentation of your employment relationship (in particular in our personnel file)
  • Communication (telephone, e-mail, video conferences)
  • Fulfillment of contractual, statutory, collective bargaining, income tax, or social security obligations
  • Establishment, exercise, or defense of legal claims arising from the employment relationship
  • Archiving to safeguard legal claims and to comply with statutory retention obligations
  • Data destruction and erasure after the archiving purpose no longer applies

1.3 Legal bases for processing

Consent – Art. 6(1)(a) GDPR in conjunction with Art. 7 GDPR, Art. 88(1) GDPR in conjunction with Section 26(2) BDSG: e.g. consent to the publication of names and/or photos on the internet/intranet/flyers.

Establishment, performance, and termination of the employment relationship – Art. 88(1) GDPR in conjunction with Section 26(1) BDSG, Art. 6(1)(b) GDPR: As a rule, name and address are required for the employment contract.

Legal obligations – Art. 6(1)(c) GDPR: Our statutory obligations arise in particular from: Section 312 SGB III (employment certificate), Section 28a SGB IV (reporting obligation), Section 198 SGB V (reporting obligation for employees subject to insurance), Section 16(2) ArbZG (recording of working time), Sections 49, 50(2) JArbSchG (information/submission), Section 17 MiLoG (recording of working time), Section 27 MuSchG (notification/retention obligations), Section 17c AÜG (preparation/keeping of documents). (SGB = Social Code; ArbZG = Working Hours Act; JArbSchG = Youth Employment Protection Act; MiLoG = Minimum Wage Act; MuSchG = Maternity Protection Act; AÜG = Temporary Employment Act.)

Legitimate interest – Art. 6(1)(f) GDPR: in particular the establishment, exercise, or defense of legal claims, as well as in connection with personnel, IT, or other matters.

Special categories of personal data: for the exercise of rights under employment, social security, and social protection law (Art. 9(2)(b) GDPR, Art. 88(1) GDPR in conjunction with Section 26(3) BDSG); on the basis of your consent (Art. 9(2)(a) GDPR); where manifestly made public (Art. 9(2)(e) GDPR); for the establishment/defense of legal claims or in connection with actions of the courts (Art. 9(2)(f) GDPR); for purposes of preventive medicine, occupational medicine, or the assessment of working capacity (Art. 9(2)(h) GDPR).

In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients. We transmit data to external recipients only where you have consented or where this is permitted by law. External recipients are in particular:

  • Banks
  • Public authorities (e.g. tax offices, Federal Employment Agency, job centers, pension insurance providers, courts)
  • Health insurance funds
  • Affiliated companies
  • Payroll offices
  • Tax advisors
  • Lawyers
  • Processors such as agencies and software providers for video streaming or video conferencing

The transmission to the above recipients generally takes place for billing purposes, to fulfill our contractual, statutory, collective bargaining, income tax, or social security obligations, and for the establishment, exercise, or defense of legal claims (where necessary).

We will erase your personal data as soon as the aforementioned purposes for its storage no longer apply, you object to its use, or you withdraw the consent you previously gave. However, your personal data may also be stored beyond this, in particular:

  • where there are still outstanding obligations arising from the contractual relationship
  • where contractual, statutory (in particular under HGB, StGB, and AO), or bylaw-based retention periods prevent erasure
  • for the establishment, exercise, or defense of legal claims
  • where required under European or national laws for compliance with a legal obligation

The following retention periods arise from statutory provisions in particular:

  • Section 199 BGB (Civil Code) – 30 years (documents relating to liability cases)
  • Section 18a BetrAVG (Company Pensions Act) – 30 years (documents relating to occupational pension schemes)
  • Section 147(1), (3) AO (Fiscal Code) – up to 10 years (tax-relevant documents, planning of business trips)
  • Section 257(1) No. 1, (4) HGB (Commercial Code) – 10 years (payroll lists)
  • Section 41(1) EStG (Income Tax Act) – 6 years (wage accounts, travel cost reimbursements)
  • Section 28f SGB IV (Social Code) – 5 years (remuneration records relating to social security)
  • Section 13 HAGDV 1 (Home Work Act implementing regulation) – 3 years (home-work remuneration records)
  • Section 7(2) AÜG (Temporary Employment Act) – 3 years (temporary agency work – business records of the lender)
  • Section 16(2) ArbZG (Working Hours Act) – 2 years (working time records)
  • Section 50(2) JArbSchG (Youth Employment Protection Act) – 2 years (registers)
  • Section 17(1) MiLoG (Minimum Wage Act) – 2 years (working time for minimum-wage remuneration)
  • Section 27(5) MuSchG (Maternity Protection Act) – 2 years (maternity protection documents)

Your data is stored on a restricted basis where storage is carried out solely for the purpose of fulfilling a retention obligation.