This data privacy statement supplements our existing general data privacy statement, in which you are given concrete information explaining how we process your personal data during your visits to our website or with regard to subjects not specifically related to your application. You can find this general data privacy statement here: https://www.edag-engineering.de/en/privacy-protection.html
I. Name and Address of the Data Controller
In terms of the General Data Protection Regulation and other national data protection laws of the EU member states and other data protection-related regulations, the data controller is:
II. Name and Address of the Data Protection Officer
The data controller's data protection officer is:
Tel.: +49 661 29698090
Fax: +49 661 29698099
III. General Data Processing Information
1. Extent to which personal data is processed
We process all data with which you provide us through your application. This includes but is not limited to your contact data, application documents (CV, letter, previous professional experience, training and certificates, video interview if applicable, and any notes we make during interviews with you), your salary expectations, the type of employment you require, your date of availability and, in exceptional cases, your identification documents. In addition, this will also apply to any other data you supply, including all correspondence with us during the application process, and, if applicable, the results of online tests. This also covers special categories of personal data such as any health data we collect, save and process within the context of a pre-employment medical examination, for instance.
We also collect the above-mentioned data about you from other sources, including personnel service providers, the references you have provided, websites and other data available to the public on the Internet. This covers, for instance, data you have clearly made public within the scope of an online profile on a business social network. We can also receive data that you transmit to us via third-party websites, for instance von job markets such as Stepstone or Monster.
If you apply via our online portal, we can gather access information such as the IP address of your access device. Further information relating to this can be taken from the data privacy statement on our website.
Please refrain from providing the following information in the application process as, according to the terms of the General Equal Treatment Act, this may not be used:
- ethnic origin, political opinions, philosophical or religious convictions, membership in a trades union, physical or mental health, or sexual life
- defamatory or libelous information
- information which has no bearing on the job profile
2. Purpose of and legal basis for the processing of personal data
We collect and process your personal data in order to be able to fill vacant positions and carry out the selection procedure. The data you provide will be used to process your application, and, should an employment contract be concluded, also for the performance of the employment contract. Processing is not carried out for any other purpose. The legal basis is § 26 para. 1 in conjunction with para. 8 S. 2 of the Federal Data Protection Act (BDSG) (new) and § 22 para. 1 b) BDSG (new) or, for public profiles, Art. 6 f) of the General Data Protection Regulation (GDPR) in conjunction with Art. 9 para. 2 e) of the GDPR. In this case, the legitimate interest is to receive from you a clear short profile, which you have obviously made public, as defined in Art. 9 para. 2 e) of the GDPR.
Should consent be required for the processing of data (e.g. for inclusion in our talent pool), the legal basis will be § 26 of the BDSG (new) in conjunction with Art. 7 of the GDPR.
In addition, we can also process personal data about you insofar as this is necessary to conduct the defence, in the event of legal claims arising from the application process being made against us. The legal basis is Art. 6 para. 1 b) and f) of the GDPR. The legitimate interest could, for example, be a burden of proof in proceedings in accordance with the General Equal Treatment Act (GETA).
According to § 26 para. 1 of the BDSG (new), as soon as an employment relationship is established between you and ourselves, any personal data already received from you may be used for the purpose of the employment relationship. This will happen if it is necessary for the performance or termination of the employment contract, or for exercising rights and discharging obligations arising from a law or a wage agreement, or a company or works agreement (collective agreement) of the body representing the employees' interests.
In addition, we may, for the purpose of security screening, check your master data (name, address, date of birth, place of birth) against the terrorist lists in the appendices to the current versions of Regulation (EC) No. 2580/2001 of 27 December 2001, Regulation (EC) No. 881/2002 of 27 May 2002 and/or Regulation (EU) No. 753/2011 of 1 August 2011, to ensure that the persons listed there are not provided with money or economic resources. The legal basis for this is Art. 6 para. 1 c) of the GDPR in conjunction with the relevant regulation.
Should data be processed for statistical purposes (e.g. analyses to assess applicant behaviour), this is done solely for our own purposes and is always anonymous. Under no circumstances it it ever personalised.
3. Data erasure and storage period
We will store your personal data only for the duration of the retention period for application data, 6 months, or for as long as the data will be required for the legitimate interests of EDAG under applicable law, unless you give your consent to our using your documents for other positions which might become available (talent pool); in conjunction with our request for this consent, you will receive separate information on data erasure and how long your data will be stored in the talent pool. Should data storage no longer be necessary after the above, the data will be deleted.
If you accept employment with us, we will store your personal data throughout the entire duration of your employment contract in line with the data privacy statement for employees, which will be sent to you when you accept employment.
4. Data recipients
You can either apply for a specific position, or submit a blind application. If you apply for a specific position, the manager responsible and the employees in the relevant HR department will be given access to your data. If you send a blind application, access to your data will be provided for the managers of the department or departments concerned.
If you consent to being included in our talent pool, we can also pass on your application documents to Group companies associated with us in the sense of §§ 15 et seq. of the German Companies Act (AktG), to offer you suitable jobs; in conjunction with our request for this consent, you will receive separate information on the possible recipients of your data in the talent pool.
Moreover, personal data can also be processed on our behalf on the basis of contracts in accordance with Art. 28 of the GDPR, in particular by suppliers of recruiting management and applicant selection process systems.
Personal data is also handed on to the public authorities and/or law enforcement authorities if necessary for the above-mentioned purposes, if prescribed by law or if necessary for the protection of our legitimate interests, in compliance with applicable law.
5. Data transmission to third countries
Should we transmit personal data to service providers or Group companies outside of the European Economic Area (EEA), the data is only transmitted insofar as the EU Commission has confirmed that the third country provides an adequate level of data protection, or other data protection guarantees (e.g. binding corporate data protection regulations or EU standard contract clauses) exist.
IV. Rights of Data Subject
If personal data concerning you is processed, you are the data subject as defined in the GDPR, and have the following rights against the data controller:
1. Right to information
You can ask the controller to provide you with confirmation as to whether or not personal data concerning you is processed by us.
If such processing is being undertaken, you can ask the controller to provide you with information concerning the following:
- The purposes for which the personal data is processed;
- The personal data categories which are processed;
- The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
- The planned storage duration of the personal data concerning you or, if it is not possible to provide concrete information on this point, criteria for defining the storage duration;
- The existence of a right to correct or delete the personal data concerning you, a right to limit processing by the controller, or a right to object to such processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- All available information concerning the origin of the data, if the personal data was not acquired from the data subject him or herself;
- The existence of automated decision-making and profiling in accordance with Art. 22 para. 1 and 4 of the GDPR and – at least in these cases – meaningful information on the logic involved and the implications and intended impact of such processing for the data subject.
You have the right to request information on whether or not the personal data concerning you is transmitted to a third country or international organisation. In this context, you may ask for information on appropriate guarantees in accordance with Art. 46 of the GDPR relating to the transmission of data.
2. Right to rectification
You have a right to have the controller correct or complete any personal data concerning you which, having been processed, is either incorrect or incomplete. The data controller must carry out any corrections without undue delay.
3. Right to restrict processing
Subject to the following conditions, you can request that processing of the personal data concerning you be restricted:
- If you dispute the accuracy of the personal data concerning you for a period which allows the controller to check the accuracy of the personal data;
- the processing is unlawful and you refuse deletion of the personal data, instead requesting that use of the personal data be restricted;
- the controller no longer needs the personal data for processing purposes, but you need it in order to establish, exercise or defend legal claims, or
- if you have filed an objection to the processing of the data in accordance with Art. 21 para. 1 of the GDPR, and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.
If the processing of the personal data concerning you has been restricted, then, storage aside, this data may only be processed with your consent, or to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of substantial public interest on the basis of Union or Member State law.
If restriction of the processing has been restricted under the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.
4. Right to deletion
a) Obligation to deleteYou can ask the controller to delete the personal data concerning you without undue delay, and the controller is obliged to delete this data without delay if one of the following reasons applies:
- The personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.
- You revoke your consent, which served as the basis for processing in accordance with Art. 6 para. 1 point a or Art. 9 para. 2 point a of the GDPR, and there is no other legal basis for the processing.
- You file an objection to processing in accordance with Art. 21 para. 1 of the GDPR, and there are no overriding legitimate reasons for the processing, or you file an objection to processing in accordance with Art. 21 para. 2 of the GDPR.
- The personal data concerning you has been unlawfully processed.
- Deletion of the personal data concerning you is necessary in order to ensure compliance with a legal obligation under Union or Member State law to which the data controller is subject.
- The personal data concerning you has been acquired in relation to the offer of information society services in accordance with Art. 8 para. 1 of the GDPR.
b) Information to third parties
If the controller has made the personal data concerning you public, and is obliged to delete such data in accordance with Art. 17 para. 1 of the GDPR, then, taking into account the technologies available and implementation costs, he - the controller - applies appropriate measures, which may also be of a technical nature, to inform the people responsible for processing personal data that, as the data subject, you have requested that they should delete all links to this personal data as well as all copies or replications of this personal data.
The data subject does not have the right to have his or her data deleted if processing is necessary
- to exercise the rights to freedom of expression and freedom of information;
- to comply with a legal obligation calling for processing on the basis of Union or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 points h and i and Art. 9 para. 3 of the GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 of the GDPR, insofar as the right set out in section a) is likely to render impossible or seriously impair the achievement of the purposes of this processing, or
- to establish, exercise or defend legal claims.
5. Right to information
If you have exercised your right to have the controller correct, delete or restrict the processing of your data, then the controller is obliged to inform all recipients to whom the personal data concerning you has been disclosed of such correction or deletion of the data or restriction of the processing, unless it proves impossible to do so or would involve unreasonable expense and effort.
You are entitled to have the controller inform you of these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you with which you have provided the controller in a structured, commonly used and machine-readable format. Further, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, providing that
- the processing is based on consent in accordance with Art. 6 para. 1 p. 1 point a of the GDPR or Art. 9 para. 2 point a of GDPR or on a contract in accordance with Art. 6 para. 1 p. 1 point b of the GDPR, and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 para. 1 p. 1 point e or f of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves to establish, exercise or defend legal claims.
If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling, insofar as it is related to such direct marketing.
Should you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services – notwithstanding Directive 2002/58/EG – you are entitled to exercise your right to object by automated means using technical specifications.
8. Right to withdraw declaration of consent under data protection law
You have the right to withdraw your declaration of consent to the processing of personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects that concern you or significantly affects in a similar way. This does not apply if the decision
- is necessary for entering into or the performance of a contract between you and the data controller,
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests, or
- is made with your explicit consent.
These decisions must not, however, be based on special categories of personal data referred to in Art. 9 para. 1 of the GDPR, unless Art. 9 para. 2 point a or g applies, and suitable measures have been undertaken to safeguard your rights and freedoms and your legitimate interests.
With regard to the cases described in points (1) and (3), data controller will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Art. 78 of the GDPR.
The authorised supervisory authority is:
The Hessian Commissioner for Data Protection and Freedom of Information
Here you will find our Declaration of consent to the processing of application data in our eRecruiting Portal (pdf, 80 KB).
Here you will find our Supplementary declaration for special data categories in our eRecruiting Portal (pdf, 85 KB)
In order to read the PDF document you will need the free Acrobat Reader, Version 8.0 or higher.