0

StepStone Data Protection Policy - Hotelcareer- Gastrojobs

Thank you for visiting our jobboard. The protection and confidentiality of your personal data is of particular importance for StepStone.

In this document we will inform you about the processing of personal data in connection with the services we offer at the individual jobboards Hotelcareer, Gastrojobs, or other websites or apps (collectively referred to as “Platforms”) that incorporate this Data Protection Policy. Personal data comprises all information that relates to an identified or identifiable natural person (Article 4 (1) GDPR). This includes information such as your name, e-mail address, postal address, or telephone number. Information that is not directly associated with your identity, e.g. the number of users of an Internet site, does not fall within this scope.

We provide you with a short version and a long version of our privacy policy. The short version gives you a quick overview of the essential aspects of data processing. The long version gives you a detailed insight.

Data Protection Policy – Short Version: Hotelcareer - Gastrojobs


1. Who is responsible for the processing of your personal data?#

Data controller (hereinafter referred to as „StepStone” or „we“) within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

The StepStone Group Deutschland GmbH
Völklinger Straße 1
40219 Düsseldorf
Germany
Tel: +49 (0) 211 – 93 493 0
E-Mail: info@stepstone.de

2. Contact details of the data protection officer

You can reach our data protection officer under the following contact details:

The StepStone Group Deutschland GmbH
Völklinger Straße 1
40219 Düsseldorf
Germany
Tel: +49 (0) 211 – 93 493 0
E-Mail: datenschutz@stepstone.de

3. Purposes and legal basis of processing and duration of storage

We process personal data for various purposes, which can be grouped together in a general way as follows:

- Processing of personal data (photos) during participation in an event , whereby we process data on the basis of a legitimate interest (pursuit of our business interests).

- the general use of our platforms and our services, where we process data on the basis of a legitimate interest (pursuit of our business interests) or on the basis of your consent

- the use of a Jobfinder or an Applicant Center, where we process data on the basis of a contract

- Processing of information about businesses and their employees , where we process data in the context of a legitimate interest or a contract or due to a legal obligation.

- Page Insights in the context of our Facebook fanpage

- processing of information about suppliers and their employees, where we process data in the context of a legitimate interest or a contract or due to a legal obligation

The personal data of the data subject are stored as long as the purpose exists. For more details, long version of the Privacy Policy.

4. Recipients or categories of recipients of personal data

We use data processors. These may therefore receive personal data, as described in detail in the long version of the Privacy Policy. Furthermore, we may also transmit or provide data to third parties within the scope of your consent or a contract with you, as described in particular in the long version, so that these can receive data as described there.

5. Transfer of data to countries outside the EU or the EEA

In certain cases, we transfer personal information to countries outside the EU or the EEA (so-called third countries). Essentially, this can be the case if you are applying for a job and the job provider is based in a third country. Furthermore, we use data processors or, within the scope of a legitimate interest, service providers that process data in some cases in third countries. More details can be found in the long version of the privacy policy.

6. Duration for which personal data is stored

Generally speaking, the personal data is stored as long as the purpose exists. The individual storage periods have been set out in the long version for the respective purpose of the processing.

7. Rights of data subjects

You have various rights related to the processing of personal data. You have (depending on the circumstances) theright to request access to the personal data (Article 15 GDPR), to rectification (Article 16 DGVO) or erasure (Article 17 GDPR), to restriction of processing (Article 18 GDPR), aright to object (Art. 21 DSGVO) and a right to data portability (Art. 20 DSGVO). If the processing is based on a consent, you can withdraw > it at any time.
If you believe that the processing of your personal data is in violation of the GDPR, you have the right to complain to a supervisory authority.
Further information can be found in the long version of our privacy policy under „Rights of the data subject.

8. Is there an obligation to provide personal information?

If you want to create a Jobfinder or an Applicant Center or if you would like to use our services as a business customer or supply goods or services to us as a supplier (you can find more details in the long version of the privacy policy), you have to provide certain data within the scope of the contract to be concluded. We will specify such data. In any other context, the provision of personal data is neither required by law nor by contract, nor are you required to provide personal information. However, the provision of personal data for the use of our services may also be partially required within the services we provide. In other words, if you do not provide us with the information we specify to be necessary, we may not be able to provide you with the full scope of services.

9. Modification of the privacy policy; change of purpose

We reserve the right to change th privacy policy in accordance with the data protection regulations. The current version can be found here at this point or another place on our website or app that can easily be found. If we intend to process your data for other purposes than those for which it was collected, we will inform you in advance in accordance with the law.

Data Protection Policy - Long Version: Hotelcareer - Gastrojobs

1. Who is responsible for the processing of your personal data?

The data controller (hereinafter referred to as “StepStone” or “we”) in the sense of the GDPR and other national data protection laws of the member states as well as other data protection regulations is:

StepStone GmbH
Völklinger Straße 1
40219 Düsseldorf
Germany
Tel: +49 (0) 211 – 93 493 0
E-Mail: info@stepstone.de

In so far as personal data are processed by recruiters, processing of personal data about Austrian recruiters is also carried out by StepStone Österreich GmbH, about Swiss recruiters by YOURCAREERGROUP Schweiz GmbH and about Polish recruiters by StepStone Services Sp. Z o.o. respectively, who will then be the respective data controller. For details, see section 3.4.

2. Contact details of the data protection officer

You can contact our data protection as follows:

The StepStone Group Deutschland GmbH
Völklinger Straße 1
40219 Düsseldorf
Germany
Tel: +49 (0) 211 – 93 493 0
E-Mail: datenschutz@stepstone.de

3. Purposes and legal basis of the data processing and period for which data will be stored

In the following we inform you about the different purposes for which we process personal data, on which legal basis such processing takes place, and for how long we store the data.

Insofar as we obtain the consent of the data subject for processing personal data, Art. 6 (1) (a) EU General Data Protection Regulation (GDPR) is the legal basis for the processing of personal data. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR will be the legal basis. This also applies to processing operations required to carry out pre-contractual actions. If processing of personal data is required to fulfill a legal obligation that our company is subject to, Art. 6 (1) (c) GDPR is the legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights, and freedoms of the data subject do not prevail over the first interest, Art. 6 (1) (f) GDPR is the legal basis for processing.

The personal data of the data subject will be stored for as long as the purpose continues.

3.1 Processing of personal data at events

When you attend an event, you should be aware that we may take photos, including of attendees. Where, given the overall impression of the image, the main focus is on a general gathering of people or, if there is no such general focus overall, the individuals who are recognisably depicted have consented at least tacitly, i.e. from the point of view of our photographer on the basis of the overall circumstances it can be assumed that the individuals have consented to the photo being taken in awareness of its purpose (e.g. by posing or smiling at the camera), we may use the photos taken for sales, advertising and informational material in physical format such as booking forms and flyers, information brochures and posters, and in electronic format such as newsletters, advertising e-mails, on our website and in our app, in social medial channels and for PR work and news reporting. In this respect, the basis in law is a legitimate interest under point f) of Article 6(1) GDPR, namely the advancement of our business interests in the form of promoting or reporting accompanied by images.

3.2 Data processing in the context of a general communication and use of our Platforms and services
3.2.1 General access to our Platforms

With each access to our Platforms, we automatically collect data and information from the accessing device and store this data and information in the log files of the server. We may collect (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (known as referrers), (4) the sub-web pages that are accessed on our website (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used to defend any attacks against our IT systems. For security purposes, i.e. to be able to reconstruct an eventual attack against our Platforms, we store such data including the IP address for 14 days and then anonymize or delete such data. The IP address is required during the connection to transfer the contents of our Platform to your device. The legal basis for the processing and storage of the IP address is a legitimate interest as per Article 6 (1) (f) GDPR. The legitimate interest for the transmission of the IP address is that it is required to display the contents of the website; without transmission of the IP address it is not possible to display the content of the Platform. The legitimate interest for the temporary storage are our security interests.

3.2.2 Optimization of search and recommendation functions

We may also store information about your usage patterns on our Platforms in order to create statistical models to make our Platforms more user-friendly and, in particular, to optimize the functionalities to search for and recommend suitable job advertisements. In this context we also save your IP address in a pseudonymized form (that means that a natural person can no longer be identified based purely on the information in the statistical model) to exclude automated accesses (bots) to our Platforms when creating the statistical models. Legal basis for this purpose is Art. 6 (1) GDPR. Our legitimate interest is to ensure the functionality of the statistical model to improve our services. The IP address is deleted after one year.

3.2.3 Application form

If we provide an application form on our Platforms for job advertisements that are posted on our Platforms, and you complete this without being logged in to the Applicant Center (see clause 3.2.2 below) and click the button to submit the application, we will submit the information you provide in the application form to the provider who posted the advertisement on our Platform. The legal basis here is your consent in accordance with Art. 6 (1) sentence 1 GDPR. Please note that the respective recruiter might not be based in the EU or the EEA so it may be necessary under this contract to transfer the data to a country or that your application will be accessed from a country which has a lower level of protection under data protection law than in the EU or the EEA. Please note that in the case of an application where the recruiter is not revealed, there is usually no right be informed about the recipient, since this would adversely affect the confidentiality interests of the recruiter.

Once an application has been sent, we offer you the opportunity to create an account in the Applicant Center (see clause 3.3.2) and to automatically transfer the data input by you into the application form into your account on the basis of a legitimate interest under Art. 6 (1) (1) (f) GDPR, namely to provide our services to you as the user in an attractive and seamless manner. This is possible as long as you do not close the confirmation page after submitting the application, albeit for a maximum of 60 minutes after submitting the application.

3.2.4 Form for contacting further education or training institutes

If we provide a form on our platforms for establishing contact with further education or training institutes, and if you fill it out and click the button to send it, we transmit the information you have entered in the form to the respective further education or training institute. The legal basis is your consent in accordance with Art. 6 Para. 1 S. 1 GDPR. The data entered by you will not be stored by us after transmission to the institute for further education or training.

3.2.5 Newsletter and E-mails to similar services

If you register for a newsletter, we use your e-mail address to send you the respective newsletter, in which we regularly inform you about interesting topics. To ensure that you are properly registered for the newsletter, that is, to prevent unauthorized subscriptions on behalf of third parties, we will use a double-opt-in process and send you a confirmation e-mail after your first newsletter subscription; this e-mail will request you to confirm the subscription. The legal basis here is your consent in accordance with Art. 6 (1) sentence 1 a GDPR. We will store your email address for sending you the newsletter until you unsubscribe or we stop sending the newsletter to you. Additionally we may send emails about StepStone services that are similar to those you already use. Legal basis is a legitimate interest as per Art. 6 (1) sentence 1 f GDPR, namely the pursuit of our business interests.

The newsletters contain what are known as tracking pixels tor the statistical evaluation of our newsletter campaigns. This is a miniature graphic embedded in HTML-formatted e-mails that lets us know if and when you opened an e-mail and which links in the e-mail were accessed. In this context your IP address will be transmitted to our servers, but we will not store the IP address or any other personal data. The legal basis for the use of these tracking pixels is a legitimate interest within the meaning of Art. 6 (1) (f) GDPR, where the legitimate interest is in being able to evaluate and optimize our newsletters.

You may object to all types of StepStone newsletters at any time without incurring any costs other than the transmission costs at the basic rates (i.e., the cost of your internet service provider).

3.2.6 Objections to marketing

If you raise an objection with us against marketing purposes, we may put your personal contact information (name, address, telephone number, fax number, e-mail address) on a blacklist to ensure that we no longer send you any unwanted marketing material. The legal basis is a legitimate interest within the meaning of Art. 6 (1) (f) GDPR, where the legitimate interest is that we can meet our obligations from your objection against marketing. The data will be stored for this purpose until you expressly withdraw the objection to marketing in writing.

3.2.7 Contact form and e-mail contact

Our Platforms provide contact forms that can be used to contact us electronically. By clicking the “Send” button, you consent to the transmission to us of the data entered in the input form. In addition, we save the date and time of your contact. Alternatively, contact via the e-mail address provided is possible. In this case, the user’s personal data transmitted along with e-mail and our response will be stored. The personal data voluntarily transmitted to us in this context is used to process your inquiry and to contact you as needed. The legal basis for the transmission of the data is Art. 6 (1) (a) GDPR. The data will be used for this purpose until the specific conversation with you has ended. The conversation will be deemed ended when it can be inferred from the circumstances that the relevant facts have been conclusively clarified.

3.2.8 StepStone Market Research Surveys

StepStone organizes market surveys from time to time. As part of such surveys we will not collect any personal data, but at the end of the survey we might offer you the opportunity to participate in a competition. In order to participate in the competition you will have to provide us with your e-mail address, which we will only use for the purpose of the competition to notify you if you have won a prize. In particular, the e-mail address will be stored completely separately from your answers to the survey. The legal basis for the storage of your email address is your consent under Art. 6 (1) (a) GDPR. We will store your email address for this purpose until the end of the respective competition.

3.2.8a StepStone customer satisfaction surveys

Customer satisfaction surveys are carried out centrally by StepStone GmbH, which acts as a processor of its subsidiaries. Insofar as StepStone GmbH uses subcontractors for this purpose and a data transfer to countries outside the EEA is carried out, these subcontractors are engaged on the basis of the applicable EU standard contractual clauses. We would like to point out that in some cases the third countries concerned, in particular the USA, do not have an equivalent level of data protection in comparison to the EU General Data Protection Regulation and that this may result in disadvantages such as more difficult enforcement of data subject rights, a lack of control over the further processing and transfer of the data or access to the data by government agencies for control and monitoring purposes, without you being entitled to legal remedies against this. We therefore ask you not to fill in any open text fields with sensitive personal data (which, according to the content of the customer satisfaction survey, will never be necessary or intended)."

3.2.9 Use of data processors for hosting and securing our platforms, administrative, troubleshooting, and support services

We use data processors, which we list below, to provide our services. The legal basis for using these data processors is legitimate interest under Art. 6 (1) (f) GDPR. The legitimate interest lies in the execution of our business activities, particularly to provide the services described elsewhere in this Data Protection Policy. No conflicting interest is apparent because we have entered into a data processing agreement with the respective processors under Art. 28 GDPR.

3.2.9.1 Hosting

We use data processors to host our Platforms and for back-up services, meaning that personal data that is stored on our platforms is transferred to these data processors. These data processors are Amazon Webservices, Inc., 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA (who processes data solely in the EU), StepStone GmbH, Axel-Springer-Str. 65, 10969 Berlin, Germany, StepStone Continental Europe GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany and StepStone N.V., Koningsstraat 47 Rue Royale, 1000 Brussels Belgium. These data processors will store the data for the same duration as it is stored on our Platforms for the various purposes defined in this Data Protection Policy.

3.2.9.2 Administrative, troubleshooting, and support services

We use StepStone Services sp. z o.o., ul. Domaniewska 50, 02-672 Warsaw, Poland, for administrative, troubleshooting, and support services, and which may consequently also have access to your personal data. Generally StepStone Services sp. z o.o should not store any personal data. This will only be done in exceptional cases, e.g. if needed to rectify technical issues. In such cases personal data will only be stored to the extent and for the duration that is necessary.

3.2.9.3 Sending of e-mails and other messages

For the sending of e-mails and messages through other electronic channels we use the services of Selligent GmbH, Atelierstraße 12, 81671 Munich, Germany, as a data processor, who in turn uses the following subcontractors

- Selligent Benelux NV, Kempische Steenweg, 305 box 401 Belgium
- Selligent International, Avenue de Finlande 2 box 2, 1420 Braine-L'Alleud, Belgium
- Selligent France SA, 20 Place des Vins de France RCS, 75012 Paris, France
- Selligent SA, 1420 Braine-l'Alleud, 2 avenue de Finlande, Belgium
- Selligent Iberica S.L.U, Caille Enrique Granados 86-88, Planta 3 °, 0008 Barcelona, ​​Spain
- Selligent Ltd, Second Floor, 45 Folgate Street, London E1 6GL, United Kingdom
- Selligent Inc., 1300 Island Drive, Ste. 200, Redwood City, California 94065, United States of America

Accordingly, these parties may also be provided with your personal data in the course of data processing commissioned by us. It will be stored there for a period that is otherwise lawful for purposes under this Data Protection Policy, i.e. in particular for the contractual communications in the course of contracts with you or otherwise for promotional communications. The use of Selligent, Inc. is permitted under Art. 46 (2) lit. c DSGVO, as the standard contractual clauses of the European Commission ("EU standard contractual clauses") were concluded with Selligent.

The legal basis for our use of Selligent is a legitimate interest under Art. 6 (1) sentence 1 f GDPR, namely the execution of our business purposes in the course of the processes described elsewhere in this Data Protection Policy. No conflicting interest is apparent in this respect, in particular due to the fact that we have entered into a data processing agreement with Selligent.

3.2.9.4 Proxy caching and web application firewall

We use Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany and Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA as data processors for the purposes of proxy caching and web application firewall services. That means that any visit to our websites is routed through the servers of Akamai, meaning that the user will not be connected directly to our servers but to those of Akamai and Akamai will then request the content from our servers and will deliver it to the user. Proxy caching in this context means that Akamai will cache selected content (but not personal data) for a period of 24 hours, so that this can be delivered faster to you. The web application firewall means that Akamai will try to identify malicious web traffic and will prevent it from accessing our websites. Akamai does not store any personal data, but any dataflows between our servers and the user will be routed through Akamai, so that this can also include personal data. Data transferred to Akamai Technologies, Inc is transferred outside the EU and the EEA. This transmission is permitted under Art. 46 (2) lit. c DSGVO, as the EU standard contractual clauses have been agreed with Akamai Technologies, Inc., the wording of which can be found under the following link https://www.akamai.com/de/de/multimedia/documents/akamai/akamai-pre-signed-eu-standard-contractual-clauses.pdf.

With respect to Akamai, the additional legitimate interest in the context of the legal basis is that we thereby are also implementing technical and organizational measures to protect our Platforms and the personal data stored on them.

3.2.10 Google Re-Captcha

In specific cases we use the reCAPTCHA service https://www.google.com/recaptcha/intro/ by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, (“Google”) based on a legitimate interest (i.e. the interest to ensure the correctness of data, avoidance of automatic registrations / orders by so-called bots, and economical operation of our

online offering within the meaning of Art. 6 (1) lit. f DSGVO) in certain cases the reCAPTCHA service https://www.google.com/recaptcha/intro/" of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google"). This transmission is permissible under Art. 46 (2) lit. c DSGVO, as the EU standard contractual clauses have been agreed with Google, Inc.

We use re-Captcha to distinguish whether an input is made by a human or abusively by automated, mechanical processing. The query in this context includes the sending of the IP address and any other data required by Google for the reCAPTCHA service to Google. Your input will be transmitted to Google and analyzed for this purpose.

For more information about Google reCAPTCHA and Google’s Data Protection Policy, please visit the following links: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html .

3.2.11 Cookies and similar technology

We use cookies on our websites. Cookies are text files that are stored on a computer system via an Internet browser. We use such cookies both as a technical means of providing services on our Platforms as well as for analyzing the website behavior of our visitors and on that basis developing a more user-friendly design of our offerings. For this purpose, we may also use other techniques, such as tracking pixels or code in apps. In addition, we may use these cookies or other techniques to target you with interesting job advertisements and other content. For the sake of clarity, we have moved the information on cookies and similar techniques in section 4 of this Data Protection Policy. More details can be found there.

3.2.12 Youtube Videos

In the context of a legitimate interest according to Art. 6 para. 1 p. 1 GDPR, namely an attractive design of our websites, we use the YouTube for the integration of videos. YouTube is operated by YouTube LLC, headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google Inc., located at 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.

On some of our websites we use plugins from YouTube. If you access our websites with such a plug-in – for example a media library – a connection to the YouTube servers will be established and the plugin will be displayed. It will then be communicated to the YouTube server which of our websites you have visited. If you are logged in as a member of YouTube, YouTube can assign this information to your personal user account. When using the plugin, e.g. by clicking on the start button of a video, Youtube can also assign this information to your user account. You can prevent this by logging out of your YouTube user account and other user accounts of the YouTube LLC and Google Inc. before using our website and deleting the corresponding cookies from the companies. Further information on data processing and notes on data protection by YouTube (Google) can be found at www.google.de/intl/de/policies/privacy/.

3.2.13 General communication with us

In the context of general communication with us by e-mail, e-mails that we receive are hashed using a cryptographic process, checked for harmful content and isolated if necessary. In this respect, we use the company Cyren GmbH, Hardenbergplatz 2, 10623 Berlin as a data processor. On its part, Cyren GmbH uses subcontractors in Israel (Cyren Ltd.) and the USA (Cyren Ltd.). This transmission is permitted under Art. 46 (2) lit. c DSGVO, as the EU standard contractual clauses have been agreed with Cyren.

3.3 Data processing if you register for a Jobfinder or the StepStone Applicant Center

StepStone offers a variety of services for your career development. StepStone aims to support you at all stages of your professional life. In particular, you can subscribe to a Jobfinder and can create an account for the Applicant Center in which we process personal data. In this section 3.3, we inform you about the purpose, the respective legal basis as well as the storage duration of these processing operations.

3.3.1 Jobfinder

First we offer you the opportunity to enter into a contract to receive a Jobfinder. The purpose of data processing in the context of a Jobfinder is for us to send you regular e-mails about job vacancies that correspond to a predefined profile or are recommended to you based on your user behavior. Details of the Jobfinder can be found in our Terms of Use. The legal basis is Art. 6 (1) (b) GDPR. We store the data under a contract for the use of the Jobfinder for the duration of the contractual term, i.e. until you or we terminate your Jobfinder.

3.3.2 Applicant Center

Second we offer you the opportunity to enter into a contract for the use of the Applicant Center, where you can use additional functions and correspondingly define the scope of the contractual use. The purposes of the data processing under this contract are that:

- We will submit an application to a recruiter via your Application Center when you complete our application form and click the button to submit the application. The legal basis is your contract with us as per to Art. 6 para. 1 p. 1 b GDPR. Please note that the respective recruiter might not be based in the EU or the EEA so it may be necessary under this contract to transfer the data to a country or that your application will be accessed from a country which has a lower level of protection under data protection law than in the EU or the EEA. Please note that in the case of an application where the recruiter is not revealed, there is usually no right be informed about the recipient, since this would adversely affect the confidentiality interests of the recruiter.

- We store the applications you make through our Platforms in your Applicant Center account for you until you delete a stored application, they will be deleted after 12 months at the latest.

- You can save individual job advertisements in your Applicant Center account,

- You can use additional functionalities of a Jobfinder (see 3.2.1)

- You can administer the StepStone e-mail newsletters

- You can create a profile under the contract for Applicant Center. Which personal data is transmitted to us in this context depends on your uploads or your input into the relevant fields. We will analyze the content and structure of any uploaded documents in an automated process in order to improve the services we provide to you. You can define the scope of the contractual use of this profile. You can either use it to apply to vacant positions only (including applications to box number advertisements), see below; or you can make the profile accessible partially or fully to potential employers who are StepStone customers and use the StepStone Applicant Profile Search or similar products. In the context of profiles made fully available, we may also use your profile data to find publicly available, business-related social media profiles and link these to your profile. Your profile will be stored until you delete it or the contract for your Applicant Center account is terminated. Please be informed that, as far as you make your profile accessible to recruiters, a recruiter could also be located outside of the EU/EEA. That means that as part of the contract between you and us, it might be necessary, that your profile is accessed from a country that does not have the same level of data protection as the EU or EEA.

- If you have created a profile and access a job application form made available on our Platforms for job advertisements published on our Platforms, we will use your profile data to complete this form and, when you click the button to submit the application, we will send the data recorded with the form and make your profile accessible to the recruiter who published the respective job advertisement with us. Again, please be informed that the respective recruiter might not be located in the EU or EEA, so that as part of the contract between you and us, it might be necessary, that the data is transmitted to or accessed from a country that does not have the same level of data protection as the EU or EEA.

- You can register for newsletters in the Applicant Center, we will then regularly inform you about interesting topics by email. The newsletters contain tracking pixels for the statistical evaluation of our newsletter campaigns. This is a miniature graphic embedded in HTML-formatted e-mails that lets us know if and when you opened an e-mail and which links in the e-mail were accessed. In this context your IP address will be transmitted to our servers, but we will not store the IP address or any other personal data. The legal basis for the use of these tracking pixels is a legitimate interest within the meaning of Art. 6 (1) (f) GDPR, where the legitimate interest is in being able to evaluate and optimize our newsletters. You may object to all types of StepStone newsletters at any time without incurring any costs other than the transmission costs at the basic rates (i.e., the cost of your internet service provider).

Further details about the Applicant Center account can be found in our Terms of Use. In connection with the registration of an Applicant Center account and the setting of the various functions, we will also store your respective IP address and the date and time of registration or setting of functions. The legal basis for the storage and use of your personal data in connection with your Applicant Center account is Art. 6 (1) (b) GDPR, unless otherwise specified above.

We store your personal data for as long as necessary to provide the contractually agreed service. The personal data stored by you in your Applicant Center account is available to you for the duration of the contract and will be stored by us for this period. The personal data will be erased if you do so in relation to individual data or ask us to do so or if the contract ends, that is, if you or we terminate the contract, further details are available in the terms of use.

Additionally, we use information provided by you as part of a profile in order to optimize the job search and job recommendations for you and other users of our Platforms using the statistical model described in clause 3.3.2 In this context we store certain parts of your profile which by themselves or in combination with each other cannot be used to identify you along with a pseudonymized user ID in the statistical model. Based solely on this pseudonymized ID you are not identifiable from within the statistical model: an identification would theoretically only be possible by externally pseudonymizing the user ID assigned to your Applicant Center account and then comparing the outcome with all pseudonymized user IDs stored in the statistical model. If we optimize the job search and the job recommendations for you with the statistical model, this is done in the context of your contract via the Applicant Center account on the legal basis of Art. 6 (1) (b) GDPR. If we use the data to generally improve our statistical model and thus also services for other users, this is done on the basis of a legitimate interest under Art. 6 (1) (f) GDPR. By deleting your Applicant Center account, your data will be completely anonymized in the statistical model, as the pseudonymized user ID stored in it will no longer allow any reference to your Applicant Center account. Our legitimate interest is in pursuing our business interests to improve our services. No conflicting interest is apparent, since the data is required during the contract period for achieving the purpose of the contract for the Applicant Center account and identification is no longer possible after the end of the contract.

3.4 Data processing about recruiters and their employees

Our services for recruiters aim to provide businesses with a wide selection of suitable candidates. In doing so, we process personal data of businesses (data relating to businesses is only personal data if the business is operated by one or more natural person/s) or employees of such businesses. The respective businesses may be in a contractual or pre-contractual relationship with us, but in some cases we may also process data about businesses and their employees if there is no such pre-contractual relationship. In this section 3.4 we inform you about the purpose, the respective legal basis as well as the retention period of such processing about businesses or their employees as well as the data categories, provided we do not collect the personal data from the data subject. The data will be deleted as soon as it is no longer necessary for the achievement of the purpose, that is, no contract with the customer exists and we no longer intend to enter into a contract with the respective customer and a legitimate interest no longer exists and, moreover, we are no longer obliged to keep records that may contain personal data.

3.4.1 Other Data Controllers

Insofar as the respective recruiter is an Austrian customer, the respective products are usually sold by

The StepStone Group Österreich GmbH
Prinz-Eugen-Straße 8 - 10
A-1040 Vienna
Austria
Tel.: +43 405 00 68 0
E-Mail: datenschutz@stepstone.at

which will then be data controller for the processing of personal data related to the sale of goods and services. The respective company is also data controller if the recruiter enters into a contract with that company for any other reason.

Insofar as the respective recruiter is a Swiss customer, the respective products are usually sold by

YOURCAREERGROUP Schweiz GmbH
Lindenstrasse 25
CH-8302 Kloten
Tel.: +41 41 767 40 50
Fax: +41 41 767 40 55
Email: info@hotelcareer.ch

which will then be data controller for the processing of personal data related to the sale of goods and services. The respective company is also data controller if the recruiter enters into a contract with that company for any other reason.

Insofar as the respective recruiter is a Polish customer, the respective products are usually sold by

StepStone Services Sp. z o.o.
Ul. Domaniewska 50
02-672 Warszawa
Tel.: +48 22 356 36 90
Fax: +48 58 321 7709
info@hotelcareer.pl

which will then be data controller for the processing of personal data related to the sale of goods and services. The respective company is also data controller if the recruiter enters into a contract with that company for any other reason.

However, the actual services are provided by the the data controller named in section 1, so that it remains responsible for the provision of services. The various roles are referred to below. The StepStone Group Österreich GmbH, YOURCAREERGROUP Schweiz GmbH and StepStone Services Sp. Z o.o. are collectively referred to as "local subsidiaries" and then each such reference then refers to the company, which has sold the products or services to the recruiter.

3.4.2 Data processing for contract management and pre-contractual purposes

The StepStone Group Deutschland GmbH and the local subsidiaries process personal data for the purpose of contract management, that is, so that we can provide the customers with the contractual services and also for associated pre-contractual purposes. As far as the local subsidiaries enter into a contract with the customer, personal data will be transmitted to StepStone Deutschland GmbH for the fulfillment of the contract. If the customer is a natural person, the legal basis is that the processing is required for the performance of a contract or for the performance of pre-contractual measures pursuant to Art. 6 (1) sentence 1 b GDPR. If we process personal data of employees of the customer, the legal basis is a legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the conduct of our business and that of the customer. There is no conflicting interest of the data subject because, from the point of view of our customer, we are required to perform the processing in the context of the existing employment relationship with the data subject (section 26 revised German Data Protection Act (BDSG-neu). We store personal data for this purpose for the term of the contract.

Furthermore, we store accounting records for the duration of ten years and business correspondence, i.e. every message that is used to prepare, execute, or revoke a business transaction, for the duration of six years, in order to comply with statutory retention periods for business correspondence under section 257 (1) no. 2 German Commercial Code (HGB) and section 147 German Tax Code (AO), whereby the term begins at the end of the calendar year in which the correspondence was sent or received or the accounting record came into existence. The legal basis for this purpose is Art. 6 (1) (c) GDPR.

On our behalf, World Hotel Book Ltd, Maria-Theresien-Str. 29/4, A-6020 Innsbruck, Austria, is engaged in the distribution in Austria and South Tyrol, so that this company can be the recipient of data.

3.4.3 Customer services

Stepstone Deutschland GmbH and the local subsidiaries process the personal data of a business or its employees (as a contact person) obtained in connection with a contract with the respective company or in connection with a request addresses to it from a prospective customer, including after the end of the contract and, if no contract is entered into, for the purpose of customer services and particularly, in case of a new request of the customer or prospective customer, to be able to recommend suitable services on the basis of the previous contracts or inquiries. The legal basis is a legitimate interest under Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the execution of our business activities. We store personal data for this purpose for as long as we believe the respective customer might enter into an initial or further contract with us in future, which is the case as long as the customer does not specifically inform us that he or she does not intend to enter into any contract with us under any circumstances.

3.4.4 StepStone Recruiter Space

In order to use and manage their contractual services, our customers or their employees can use the StepStone Recruiter Space, which is provided by The StepStone Group Deutschland GmbH. In this context, we process such personal data of the respective customer or its employees as was provided by them, as well as the respective contractually agreed or offered services and the manner in which they are utilized. When using our Applicant Profile Search we will also store if and when a candidate was contacted.

If the customer is a natural person, the legal basis is that the processing is required for the performance of a contract or for the performance of pre-contractual measures pursuant to Art. 6 (1) sentence 1 b GDPR. If we process personal data of the customer's employees, the legal basis is a legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the conduct of our business and that of the customer. There is no conflicting interest of the data subject because, from the point of view of our customer, we are already required to perform the data processing in the context of the existing employment relationship with the data subject (section 26 revised German Data Protection Act (BDSG-neu). Personal data will be stored for this purpose for the term of the contract for the use of the StepStone Recruiter Space.

Additionally, we use the data collected under this section in anonymous form to produce statistics about the general behavior of the customers of the Applicant Profile Search. This allows us to make the services more customer-friendly. The legal basis is a legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the execution of our business activities.

3.4.5 Data processing when publishing advertisement products

If the customers publish advertising products or company portraits on our Platform, The StepStone Group Deutschland GmbH processes personal data of the customer where the customer is a natural person. If our customer specifies an employee’s contact data in an advertisement product, we process this employee’s personal data to provide the relevant data to our users as part of the advertisement on our Platform and to ensure that the advertisement can be found via the search functionality on our Platforms. To increase the reach of the advertisement by submitting it to our co-operation partners, we may, in whole or in part, submit the advertisement content to our co-operation partners who provide the advertisement or a preview on their web site (for a list of co-operation partners, see https://www.hotelcareer.de/arbeitgeber/kooperationen-partner , further cooperation partner is meinestadt.de GmbH, Waidmarkt 11, 50676 Köln). If the customer is a natural person, the legal basis is that the processing is necessary for the performance of a contract pursuant to Art. 6 (1) sentence 1 b GDPR. If the advertisement contains contact details of employees of the customer, the legal basis is a legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the conduct of our business and that of the customer. There is no conflicting interest of the data subject because, from the point of view of our customer, we are required to perform the processing in the context of the existing employment relationship with the data subject (section 26 revised German Data Protection Act (BDSG-neu). We will store the data for this purpose for the contractual term during which the job advertisement is available on our Platforms.

3.4.6 Data processing for general marketing purposes

StepStone and the local subsidiaries process personal data about the respective customers as well as other companies and companies that are not in a business relationship with the respective company and in this context, if necessary, also from the respective contact persons for the purpose of direct marketing, as far as legally permitted. If we did not collect this data directly from the respective data subject, we may also collect contact data about the data subject from publicly available sources, in particular the website of the respective company, classified directories, or advertisements of the respective business. In connection with these direct marketing purposes, we can also process information about the previous contracts of our customers and specifics about the business such as industry or size of the business in order to make the advertising as appropriate as possible. The legal basis is a legitimate interest in accordance with Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the processing of personal data for the purpose of direct advertising itself (see recital 47 GDPR). The data subjects have the right to object at any time to the processing of personal data concerning them for the purpose of such advertising. You object at any time under the contact details set out in clause 1; in the case of advertising by e-mail, you will also find an opt-out link directly in the respective e-mail. We will store personal data for this purpose as long as we are still interested in entering into a contract with the respective business or until the business objects.

3.4.7 StepStone webinars

When you register for a StepStone webinar, The StepStone Group Deutschland GmbH will collect certain information to enable you to participate in the webinar. The legal basis here is your consent in accordance with Art. 6 (1) sentence 1 a GDPR. We will store the data for this purpose until the webinar has taken place. We use LogMeIn, Inc., 333 Summer Street, Boston, MA 02210 USA to collect the registration data and provide the webinar as a data processor, and this party will be a recipient of your personal data in this context. Data will be transferred to the USA, i.e. into a country outside of the EU or the EEA. This transmission is permitted under Art. 46 (2) lit. c DSGVO, as the EU standard contractual clauses have been agreed with LogMeIn, Inc

We will also use the information you input to provide you with marketing as described in section 3.4.6, which is included herein by reference.

3.4.8 Seminars and events

If you book participation in a seminar or event, we process personal data as described in Sections 3.4.2 to provide the seminar or event. Within the framework of such events or seminars, we transmit certain participant data (contact person name, job title, company) to the respective lecturer. In addition, these data will be recognizable on the day of the event by an attendance list and name plates on the tables of other participants. The legal basis is that this is necessary within the framework of the concluded contract.

3.5 Facebook Fanpage

We use a facebook fanpage at https://www.facebook.com/hotelcareer.international/ . Facebook provides Page-Insights for that fanpage to us. Page-Insights are aggregated data, which allow us to understand how users interact with our fanpage. Page Insights can be based on personal data which is collected in relation to a visit of or an interaction with our fanpage and its content by users. Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland („Facebook Ireland“) and we are joint controllers in the sense of Art 26 GDPR for the processing of Insights data and we have entered into an arrangement with Facebook Ireland which you can find at https://www.facebook.com/legal/terms/page_controller_addendum . Legal basis for our use of the fanpage and Page-Insights is a legitimate interest in the sense of Art. 6 paragraph 1 f GDPR, in relation to the fanpage that means the use of Facebook as channel of communication about our company and in relation to Page Insights the better understanding of the interests of visitors of our fanpage so that we can specifically serve these interests.”

3.6 Suppliers

When we purchase goods or services from suppliers, we process personal data relating to these suppliers (data is only personal data if the supplier is a natural person) or relating to employees of these suppliers. The supplier concerned may be in a contractual or pre-contractual relationship with us. We store personal data for this purpose for the term of the contract. We also use data relating to suppliers and their employees for accounts payable management. In detail, this includes the following activities: accounts payable master data maintenance, invoice verification and allocation, recording (booking) of incoming invoices and credit notes, open item management, arranging payment (including down payments and advance payments). The legal basis for processing in this context is that the processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract under Art. 6 (1) sentence 1 b GDPR, or where we process data relating to supplier employees, the legal basis is a legitimate interest within the meaning of Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the conduct of our business and that of the customer. There is no conflicting interest of the data subject because, from the point of view of our customer, we are required to perform the processing in the context of the existing employment relationship with the data subject (section 26 revised German Data Protection Act (BDSG-neu). If the goods and services are purchased by StepStone Österreich, YOURCAREERGROUP Schweiz GmbH or StepStone Services Sp. z o.o, the entities referred to in clause 3.4.1 are responsible and you can contact us and the data protection officers using the contact details indicated there.

Furthermore, we store accounting records and business correspondence on the basis of Art. 6 (1) c GDPR for the durations required by national law. At The StepStone Group Deutschland GmbH, we store accounting records for a duration of ten years, and business correspondence i.e. every message that is used to prepare, execute, or revoke a business transaction, for a duration of six years, in order to comply with statutory retention periods under section 257 (1) no. 2 German Commercial Code (HGB) and section 147 German Tax Code (AO), whereby the term begins at the end of the calendar year in which the correspondence was sent or received or the accounting record came into existence. At The StepStone Group Österreich GmbH, in accordance with section 212 Austrian Commercial Code (UGB) and section 124 Austrian Federal Fiscal Code (BAO), storage is for a duration of seven years, whereby the term begins at the end of the calendar year in which the correspondence was sent or received or the accounting record came into existence. At YOURCAREERGROUP Schweiz GmbH, we retain accounts and accounting records for 10 years, starting at the end of the business year in which they came into existence. At StepStone Services Sp. z o.o, accounts are retained for a duration of five years.

4. Cookies and similar technology

We use cookies on our websites. Cookies are text files that are stored on a computer system via an Internet browser. We use such cookies both as a technical means of providing services on our Platforms, for enabling e.g. certain functions, as well as for analyzing the website behavior of our visitors and on that basis developing a more user-friendly design of our offerings. For this purpose, we can also use other techniques, such as tracking pixels or code in apps. In addition, we may use these cookies or other techniques to target you with interesting job advertisements and other content.

Some of the cookies we use are deleted at the end of the browser session, i.e. when you close your browser (known as session cookies). Other cookies are kept on your end device and enable us or our partner companies to recognize your browser on the next visit (persistent cookies).

If not specifically stated below, you can view the exact retention period of a given cookie by displaying the cookie in your browser.

You can set your browser up such that you are notified when a cookie is set and can decide individually whether to accept them or whether you opt out of accepting cookies for specific cases or generally. If you opt out of accepting cookies, the functionality of our website may be limited. We deal with specific cookies below.

4.1 Technically necessary cookies

We use technical cookies. These are cookies that are merely required to collect certain information on our Platforms to provide a service required or wanted by you as user. This extends to navigation or session cookies that enable smooth navigation and use of the website (and for instance permit access to the restricted area); analysis cookies that are set directly by us to collect aggregated information about the number of users and their behavior; functional cookies that provide you with navigation by certain selected criteria as part of a service optimization (e.g. selected language, purchase of selected products).

The legal basis for these cookies is a legitimate interest under Art. 6 (1) sentence 1 f GDPR, namely pursuance of our business purposes.

4.2 Cookies and technologies that we use via third party providers

We also use cookies or other technology provided to us by external providers in various areas. In the following, we inform you about the respective providers and how you can object to the cookie or the corresponding technology. In general, in the case of websites, you can make an appropriate setting in your browser and in case of our apps you can make the respective setting with the slider for anonymous statistics under "Settings".

4.2.1 Security analysis techniques from Akamai

Our websites use web and security analysis techniques from Akamai Technologies, Inc. (“Akamai”). These techniques use cookies, text files and beacons that are stored on your computer and that enable Akamai (i) to perform security analyses and thus prevent unauthorized access to our websites and (ii) to analyze the use of the websites by you. The information generated by the cookies or beacons about the access to our websites, including your IP address and other data from log files, is transferred to Akamai's servers, some of which are located in the USA, where it is stored and processed. This transmission is permitted under Art. 46 (2) lit. c DSGVO, as the EU standard contractual clauses were agreed with Akamai Technologies, Inc.

Akamai will use this information to prevent unauthorized access to the websites, to produce reports about website activity for us, to perform further services associated with the website use and Internet use, and to analyze your use of our websites. Akamai may also pass this data to third parties if Akamai is required to do so by law or if these third parties are processing this data on behalf of Akamai. Akamai will not use the data to identify natural persons. You can prevent the storage of cookies or beacons by making a corresponding setting in your browser software; however, note that if you do so you may not be able to use the full functionality of this website. You can view the precise storage duration of the cookies for yourself by accessing this information via your respective browser.

For further information on terms of use for the processing of personal data by Akamai and on Akamai’s data protection policy, see https://www.akamai.com/de/de/privacy-policies/ .

The legal basis is a legitimate interest under Art. 6 (1) sentence 1 f GDPR, namely pursuance of our business purposes and the protection of our websites.

4.2.2 Adjust

We also use the app analysis service Adjust (adjust GmbH, Saarbruecker Str. 38a, 10405 Berlin) to analyze the usage of our apps. The Adjust service has been tested and certified according to the ePrivacyseal (European Privacy Seal) (see https://www.eprivacy.eu/en/customers/awarded-seals/ ).

When using the app, Adjust collects installation and usage data on our behalf. We use this anonymous information to understand how our users interact with our app. Adjust uses your anonymized IDFA or Android ID as well as your anonymized IP and MAC address. It is not possible to identify you. A storage of personal data does not take place accordingly.

For more information, see Adjust's Privacy Policy: https://www.adjust.com/privacy-policy/ .

The legal basis for the data analysis and use of Adjust is a legitimate interest (ie interest in the analysis, optimization and economic operation of our apps) in the sense of Art. 6 (1) (f) GDPR for the purposes of our own Market research, advertising purposes and the optimization and user friendly design of the apps. There is no apparent conflicting interest, especially since we have concluded a data processing agreement with Adjust.

You can opt out of using Adjust at any time by changing the setting of the slider for anonymous statistics in the app under "Settings".

4.2.3 Adobe Analytics

We use SiteCatalyst, a web-analytics tool from Adobe Systems Software Ireland Limited, that enables us to optimize our services in line with your requirements.

Adobe Analytics uses cookies that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website (including your IP address) is transferred to servers of the service in Ireland where it is anonymized. It is then transferred to servers in the USA for further processing, where it is stored. Adobe uses this information to evaluate your use of the website to compile reports on website activities for the website operators and to provide further services connected with the use of the website and the Internet.

No personal data is stored because of the anonymization.

As a user of our websites you of course have the option to block cookies at any time in your browser settings. You can opt out of any future recording of your user behavior on the Platform at any time; click the following link for instructions on how to deactivate cookies on your computer: https://www.adobe.com/privacy/opt-out.html .

The legal basis for processing this data is a legitimate interest under Art. 6 (1) (f) GDPR. The legitimate interest as defined by Art. 6 (1) (f) GDPR that we are pursuing by processing the data described above is our interest in structuring our offerings in a user- and demand-driven manner. No conflicting interest is apparent, especially because you may opt out at any time.

5. Recipients or categories of recipients of personal data

We use data processors as specified above for the respective processing purposes (in particular, “StepStone Surveys”, “ hosting and securing our platforms, administrative, troubleshooting, and support services“ and „ Cookies and technologies that we use via third party providers" and "General communication with us" ) . These can therefore, as described there, be the recipient of personal data.

Additionally, we may also provide or provide information to third parties under your consent or any agreement you have with us, as described above (in particular under „Application Form„, under „ Application Center“ for a profile made available to you by potential employers and under „ Data processing when publishing advertisement products“ in relation to business customers and their employees) so that these can be recipients as described.

6. Transfers of data to countries outside the EU or the EEA

In certain cases, we may transfer personal information to a country outside the EU or the EEA (so-called third countries). Essentially, this can be the case if you are applying for a job and the recruiter is based in a third country. More details can be found above under „ Application form“ or „Application Center„. Furthermore, we use data processors or, within the scope of a legitimate interest, service providers that process data in some cases in third countries. For details, see „Sending of Emails and Other Messages,“ „Proxy Caching and Web Application Firewall„, „ Google Re-Captcha“, „Youtube Videos“, „StepStone Webinars“ and „ Cookies and technologies that we use via third party providers" and in the context of "General communication with us".

7. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:

7.1 Right of access

You may request confirmation from us as to whether we process personal data relating you.

If such processing is taking place, you can request the following information from us:

(1) the purposes for which the personal data is being processed;

(2) the categories of personal data that are being processed;

(3) the recipient or categories of recipient to whom the personal data concerning you has been or will be disclosed;

(4) the envisaged period for which the personal data concerning you will be stored or, if no concrete information about this is possible, criteria used to determine that period;

(5) the existence of a right to rectification or erasure of the personal data concerning you, a right restrict the processing of the data by the controller or a right to object to this processing;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) any available information about the origin of the data if the personal data was not collected from the data subject;

(8) the existence automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved and the scope and the intended effects of such processing for the data subject.

You have the right to request information about whether the personal data in question will be transferred to a third country or an international organization. In this context you can ask to be notified of the suitable safeguards in accordance with Art. 46 GDPR in the context of the transfer.

This right to information may be limited if it is likely to render impossible or seriously impair the achievements of the statistical purposes and the limitation is necessary for satisfying the statistical purposes.

You have the right to receive a copy of the personal data undergoing the processing. For any further copy you request, we may charge a reasonable fee based on administrative costs. If the application is submitted electronically, the information must be provided in a standard electronic format, unless otherwise specified.

The right to receive the copy must not affect the rights and freedoms of others.

7.2 Right to rectification

You have a right to rectification and/or completion vis-à-vis the data controller if the personal data concerning you that is being processed is incorrect or incomplete. The data controller must perform the rectification without undue delay.

Your right to rectification may be limited if it is likely to render impossible or seriously impair the achievements of the statistical purposes and the limitation is necessary for satisfying the statistical purposes.

7.3 Right to restriction of processing

If the following conditions are met, you can demand that the processing of the personal data concerning you is restricted:

(1) if you contest the accuracy of the personal data relating for you for a that enables us to review the accuracy of the personal data;

(2) the processing is unlawful and you oppose the erasure of the personal data and instead request a restriction of the use of the personal data;

(3) we no longer require the personal data for the purposes of the processing, but you need it to establish, exercise, or defend legal claims, or

(4) if you have objected to the processing in accordance with Art. 21 (1) GDPR and it has not yet been verified whether our legitimate reasons override yours.

If the processing of the personal data concerning you has been limited, this data – with the exception of being stored by you – may only be processed with your consent or for the purpose of establishing, exercising, or defending legal claims or to protect the rights of another natural or legal or on grounds of a compelling public interest of the EU or a Member State.

If a restriction of processing has been imposed in accordance with the above conditions, we will notify you before the restriction is lifted.

Your right to restrict processing may be limited if it is likely to render impossible or seriously impair the achievements of the statistical purposes and the limitation is necessary for satisfying the statistical purposes.

7.4 Right to erasure
7.4.1 Erasure obligation

You may request that we erase the personal data concerning you without undue delay, and we are obliged to erase this data without undue delay where one of the following grounds applies:

(1) The personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.

(2) You withdraw your consent upon which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and no other legal ground for the processing applies.

(3) You object to the processing in accordance with Art. 21 (1) GDPR and no overriding legitimate grounds for the processing apply, or you raise an objection to the processing under Art. 21 (2) GDPR.

(4) The personal data concerning you has been processed unlawfully.

(5) The erasure of the personal data concerning you is required in order to comply with a legal obligation under EU law or the law of the Member States to which we are subject.

(6) The personal data concerning you is collected in the context of information society services pursuant to Art. 8 (1 ).

7.4.2 Information to third parties

If we have published the personal data concerning you and we are obliged to delete it under Art. 17 (1) GDPR, we will take reasonable steps (including in terms of technical feasibility), taking account of the available technology and implementation costs, in order to notify the responsible data controller who is processing the data that you as a data subject have requested from them the erasure of all links to this personal data or copies or replications of this personal data.

7.4.3 Exceptions

There is no right to erasure if the processing is necessary

(1) for the exercise of the right to the freedom of expression and information;

(2) to satisfy a legal obligation that requires the data to be processed under the law of the EU or the Member States to which the data controller is subject, or to perform a task that is carried out in the public interest or in the exercise of official authority vested in the data controller;

(3) on grounds of the public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;

(4) for archiving purposes in the public interest, academic or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, provided the right specified under section a) is likely to render impossible or seriously impair the achievements of the objectives of this processing or

(5) to establish, exercise, or defend legal claims.

7.5 Right to data portability

You have the right to the receive the personal data concerning you that you have provided to us in structured, commonly used, and machine-readable format. Further, you have the right to transmit this data to a different data controller without hindrance from us, provided

(1) the data processing is based on consent under Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and

(2) the processing is being performed using automated means.

Further, in exercising this right you also have the right to have the personal data concerning you transferred directly from one data controller to another data controller, where technically feasible. This must not adversely affect other people’s rights and freedoms.

The right to data portability does not apply to the processing of personal data that is required for a task that is performed in the public interest or the exercise of official authority vested in us.

7.6 Right to object

You have the right to object, on grounds relating to your specific situation to object, at any time to the processing of the personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; this also applies to any profiling based on those provisions.

In this case we will stop processing the personal data concerning you unless we can provide compelling and legitimate grounds for the processing that override your interests, rights and freedoms, or the data is being processed for the purpose of establishing, exercising, or defending legal claims.

If the personal data concerning you is being processed for the purpose of conducting direct marketing, you have the right to object at any time to the processing of the personal data concerning you for such marketing; this also applies to any profiling connected to such direct marketing.

If you object to the data processing for the purposes of direct advertising, the personal data concerning you will no longer be processed for these purposes.

In the context of the use of information society services and Directive 2002/58/EC notwithstanding, you may exercise your right to object using automated means using technical specifications.

Where personal data is processed for statistical purposes pursuant to Art. 89 (1) GDPR, you, on grounds relating to your specific situation, have the right to object to personal data concerning your being processed.

Your right to object may be limited if it is likely to render impossible or seriously impair the achievements of the statistical purposes and the limitation is necessary for satisfying statistical purposes.

7.7 Right to withdraw the declaration of consent under data-processing law

You have the right to withdraw your declaration of consent under data-processing law at any time. Withdrawing the consent has no bearing on the lawfulness of any processing performed up to the point of the revocation.

7.8 Automated decision in individual cases including profiling

You have the right not to be subject to a decision that is based solely on automated processing – including profiling – that produces legal effects on you or is similarly significantly affects you. This does not apply if the decision

(1) is necessary for the entering into or performing a contract between you and the data controller,

(2) is authorized under legal provisions of the EU or the Member States to which the data controller is subject and these legal provisions contain adequate measures for safeguarding your rights and freedoms as well as your legitimate interests or

(3) is made with your explicit consent.

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) applies and adequate safeguards to protect the rights and freedoms as well as your legitimate interests are in place.

As regards the cases stated in (1) and (3), we take adequate measures to your rights and freedoms as well as your legitimate interests, which include at least the right to have a person intervene on the data controller’s side, to present your own point of view, and to challenge a decision.

7.9 Right to lodge a complaint with a supervisory authority

Notwithstanding any other administrative or judicial legal remedy, you have the right to lodge a complaint with a supervisory authority in the Member State of your place of residence, your workplace, or the place of the alleged breach if you are of the opinion that the processing of the personal data concerning you breaches the GDPR.

The supervisory body to which the complaint was submitted will notify the complainant of the status and outcomes of the complaint including the option of a judicial remedy under Art. 78 GDPR. Responsible supervisory authority for us is the Data Protection Commissioner for Nordrhein-Westfalen [Landesbeauftragter für den Datenschutz Nordrhein- Westfalen], www.ldi.nrw.de.

8. Is there an obligation to provide personal information?

If you want to create a Jobfinder or an application center or if you would like to use our services as a business customer, you have to provide certain data within the scope of the contract to be concluded. We will specify such data. In any other context, the provision of personal data is neither required by law nor by contract, nor are you required to provide personal information. However, the provision of personal data for the use of our services may also be partially required within the services we provide. In other words, if you do not provide us with the information we specify to be necessary, we may not be able to provide you with the full scope of services.

9. Amendment of the data protection policy; amendment of purpose

We reserve the right to amend this Data Protection Policy in consideration of stipulations under data-protection law. You will always be able to locate the current version here or another corresponding, easily locatable point of our website or app. If we are intending to process your data for other purposes, i.e. those for which it was collected, we will notify you about this in advance in compliance with the statutory provisions.

06/05/2022