Skip to main content

Processing of (personal) data by the entity in charge of the online application process

Data protection notice

I. Scope

The following information relates to the Processing of Personal Data from you as a job applicant and/or employee in the context of the use of our HR management software Personio (Data Subject and hereinafter referred to as “you” / “your”).

II. Definitions

For the purpose of this data protection information, the terms listed in this section II., when used in their capitalized form, shall have the meaning set forth below

“GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679).

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 sec. 1 GDPR).

“Processing” means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 sec. 7 GDPR).

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Art. 4 sec. 7 GDPR).

‘Data Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing (see Art. 4 sec. 9 GDPR).


III. Data Controller and data protection officer

1. Data Controller

Unless otherwise specified in this Data Protection Information, the Controller for the processing of your Personal Data is:

  • Banxware GmbH
  • Invalidenstraße 117
  • 10115  Berlin
  • info@banxware.com
  • hereinafter referred to as “Banxware”, “we” or “our”.

2. Data protection officer
Banxware has appointed a data protection officer which can be contacted under:

Data Protection Officer

Banxware GmbH

Invalidenstraße 117

10115 Berlin 

Email: datenschutz@banxware.com


IV. Situations, purposes and legal bases of Processing your Personal Data
1. Registration on / login to HR management software

We are Processing your username, password and email address when you register for and login to your user account on our HR management software (Legal base(s): Necessary Processing in order to take steps at the request of the Data Subject prior to entering into contract, Art. 6 (1) 1 lit. b GDPR / Necessary Processing for the purpose of recruitment, Art. 88 GDPR in conjunction with § 26 (1) 1 BDSG).

3. Job application handling

We are processing your Personal Data like your contact data (e.g. first and last name, address, phone number and email address) and the provided job application data (e.g. information on job and work history, education, language fluency etc.) to handle your job application, which i.a. includes reviewing your job application, set up job interviews, deciding on a job offer, negotiating and preparing of an employment contract (Legal base(s): Necessary Processing in order to take steps at the request of the Data Subject prior to entering into contract, Art. 6 (1) 1 lit. b GDPR / Necessary Processing for the purpose of recruitment, Art. 88 GDPR in conjunction with § 26 (1) 1 BDSG).

4. Reference/Background checks

Where necessary to verify the information provided in your application, we may use your personal data to carry out reference checks, for example by visiting your LinkedIn profile. In light of our position as an obligated party under the German Money Laundering Act, background checks, including criminal record checks, checks against EU anti-terrorism lists/sanctions lists/PEP lists and/or credit checks may also be carried out to ensure that there are no facts indicating that you are not suitable for the position in question (Legal base(s) i.a.: Necessary Processing to comply with legal obligations under the Money Laundering Act and the European Anti-Terrorism Regulations 2580/2001 and 881/2002, for our legitimate interests and to carry out pre-contractual measures (e.g. verification of information / prevention of risks in the area of property and criminal law): Art. 6 (1) lit. b, c, f GDPR), Art. 88 GDPR in conjunction with § 26 (1) 1 BDSG).

6. Candidate Pool

If you have given your prior consent, we keep your personal data in our candidate pool and may inform you about other potentially suitable job advertisements, even if the application for the specific position for which the data were originally collected was unsuccessful.

Your consent can be withdrawn  at any time by via email to info@banxware.com. The withdrawal of consent  shall not affect the lawfulness of processing based on consent before its  withdrawal (Legal base: Processing based on consent, Art. 6 (1) 1 lit. a GDPR)

7. Time Tracking
    If you are an employee, we are processing your attendance and absence times and their reasons (such as working hours, vacation, illness,  business trips, maternity leave, parental leave, etc.) to document and monitor compliance with contractual and/or legal rights and obligations (e.g. working hours, salary, vacation, continued payment of wages in case of illness, etc.) (Legal base(s): Necessary Processing for the performance your employment contract, Art.  6 (1) 1 lit. b GDPR; Art. 88 GDPR in conjunction with § 26 (1) 1 GDPR /  Necessary Processing for compliance with legal obligations, Art. 6 (1) 1 lit. c  GDPR in conjunction with i.a. Arbeitszeitgesetz, Bundesurlaubsgesetz, Entgeltfortzahlungsgesetz  etc.).

V. Categories of Data Recipients

Your Personal data is disclosed internal, especially to the employees responsible for human resources.

Your Personal Data is also disclosed to our external service providers which provide the tools and platforms used in our recruitment process and which process your Personal Data on our behalf as Data Processors.

For background checks described under section IV. 4. Personal Data might also be transferred to the entities involved in performing the background checks (e.g. credit agencies).

VI. Storage periods

In case of a rejection of your application, your applicant account and your provided Personal Data will be deleted or anonymized 6 months after receiving the rejection, unless you have consented to be included in our talent pool. In the latter case, your Personal Data (including your applicant account) will be deleted upon request (e.g. withdrawal of your consent) or automatically 6 months after consent has been received.

In case of an employment, your Personal Data in your applicant account will be migrated to an employee account.

    

Your employee account including all Personal Data in it will be deleted in 10 years after your leaving. During this period, processing of your retained Personal Data is  restricted from Processing for purposes other than the fulfilment of post-contractual obligations, the establishment, exercise or defense of legal claims from or against you and accounting and tax audits. 


VII. Your data protection rights

In accordance with the applicable data protection regulations, you have the following rights concerning your Personal Data processed by us:

  • Right of access (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR),
  • Right to erasure (“Right to be forgotten”) (Art. 17 GDPR),
  • Right to restriction of Processing (Art. 18 GDPR) and
  • Right to data portability (Art. 20 GDPR)

Right to object (Art. 21 GDPR)

In cases we are Processing your Personal Data according to section IV. of this Data Protection Information on the basis of our legitimate interests pursuant to Art. 6 sec. 1 lit. f GDPR, you have the right to object to the respective Processing at any time on grounds relating to your particular situation. We will then no longer process your data for this / these purpose(s) unless our legitimate interests in processing overweights or the processing serves to establish, exercise or defend legal claims (Art. 21 sec. 1 GDPR).

    

Please direct your requests to exercise these rights by email to info@banxware.com.  To handle your request and for authentication we will also process Personal  Data from you. Your request and our answer will be stored for up to three years  (Legal base: Necessary Processing for compliance with legal obligation, Art. 6 (1)  1 lit. c GDPR) / Necessary Processing for our legitimate interest (i.a. accountability; establishment, exercise or defence of legal claims), Art. 6 (1)  1 lit. f GDPR)). 

 You also have the right to lodge a complaint with a  supervisory authority (Art. 77 GDPR).

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.