Processing of (personal) data by the entity in charge of the online application process
Data protection information for applicants
Information on data protection regarding our processing of applicant data in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
1. Controller responsible for data processing and contact details
Responsible body within the meaning of data protection law
GESIS – Leibniz-Institut für Sozialwissenschaften e.V.
Team Personal
B6, 4-5
68159 Mannheim
Phone: 0621 1246 0
Email: info(at)gesis(dot)org
Contact details of our data protection officer:
HEC Harald Eul Consulting GmbH
Datenschutzbeauftragter GESIS
Auf der Höhe 34
50321 Brühl
HEC-DSB-E-Mail: GESIS-Datenschutz(at)he-c(dot)de
2. Purposes and legal basis on which we process your data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data protection regulations. Details are given below. Further details or additions to the purposes of data processing can be found in the respective contract documents, forms and other information provided to you.
2.1 Purposes for the fulfillment of a contract or pre-contractual measures (Art. 6 para. 1 b GDPR)
Your personal data is processed for the purpose of handling your application for a specific job advertisement or as an unsolicited application, and in this context in particular for the following purposes: examination and assessment of your suitability for the vacancy, performance and behavior assessment to the extent permitted by law, if necessary for registration and authentication for application via our website, if necessary, for the creation of the employment contract, verifiability of transactions, orders and other agreements, as well as for quality control through appropriate documentation, measures to fulfill general due diligence obligations, statistical evaluations for corporate and personnel recruitment management, travel and event management, travel booking and travel expense accounting, administration of authorizations and ID cards, cost recording and controlling, reporting, internal and external communication, billing and tax assessment of company services (e.g. canteen meals), billing via company credit card, occupational health and safety, contract-related communication (including appointments) with you, assertion of legal claims and defense in legal disputes; ensuring IT security (including system and plausibility tests) and general security, including building and facility security, safeguarding and exercising domiciliary rights by means of appropriate measures such as video surveillance to protect third parties and our employees and to prevent and secure evidence in the event of criminal offences; ensuring the integrity, prevention and investigation of criminal offences; authenticity and availability of data, control by supervisory bodies or control instances (e.g. internal audit).
2.2 Purposes in the context of a legitimate interest of us or third parties (Art. 6 para. 1 f GDPR)
Beyond the actual fulfillment of the (preliminary) contract, we may process your data if it is necessary to protect our legitimate interests or those of third parties. Your data will only be processed if and to the extent that no overriding interests on your part speak against such processing, in particular for the following purposes: measures for the further development of existing systems, processes and services; comparisons with European and international anti-terrorism lists as well as further fraud or abuse prevention measures, insofar as these go beyond legal obligations; enrichment of our data, including by using or researching publicly available data as far as necessary; benchmarking; development of scoring systems or automated decision-making processes; building and facility security (e.g. through access controls and video surveillance), insofar as this goes beyond general due diligence; internal and external investigations, security checks.
2.3 Purposes within the scope of your consent (Art. 6 para. 1 a GDPR)
Your personal data may also be processed for certain purposes (e.g. obtaining references from previous employers or using your data for future vacancies) on the basis of your consent. As a rule, you can revoke this at any time. You will be informed separately about the purposes and the consequences of revoking or refusing consent in the corresponding text of the consent.
As a general rule, the revocation of consent is only effective for the future. Processing that took place before the revocation is not affected and remains lawful.
2.4 Purposes for the fulfillment of legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
Like everyone who participates in economic life, we are also subject to a variety of legal obligations. Primarily, these are legal requirements (e.g. the German Works Constitution Act, the German Social Security Code, commercial and tax laws), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of processing may include the verification of identity and age, fraud and money laundering prevention (e.g. comparisons with European and international anti-terrorism lists), company health management, ensuring occupational safety, fulfilling tax control and reporting obligations, and archiving data for the purposes of data protection and data security, as well as for the purposes of audits by tax consultants/auditors, tax and other authorities. Furthermore, the disclosure of personal data may be required as part of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil claims.
3. The categories of data processed by us, insofar as we do not receive data directly from you, and their origin
Insofar as it is necessary for the contractual relationship with you and for the application you have submitted, we may process data that we have legitimately received from other sources or from other third parties. In addition, we process personal data that we have legitimately obtained, received or acquired from publicly accessible sources (such as commercial and association registers, civil registers, the press, the internet and other media), insofar as this is necessary and we are permitted to process this data in accordance with legal requirements.
Relevant personal data categories may include, in particular,
- Address and contact data (registration and comparable data, such as email address and telephone number)
- Information about you on the internet or in social networks
- Video data
4. Recipients or categories of recipients of your data
Within our company, your data is received by those internal departments or organizational units that require it to fulfill our contractual and legal obligations (such as managers and line managers who are looking for a new employee or are involved in the decision on filling a position, accounting, company doctor, occupational safety, employee representatives, if applicable, etc.) or in the context of processing and implementing our legitimate interest. Your data will be passed on to external parties only
- to process your application for a specific job vacancy or as an unsolicited application to employees of affiliated companies, insofar as they are involved in or support the decision to fill the position (see section 2.1).
- for purposes for which we are obliged or entitled to provide information, report or pass on data in order to comply with legal requirements (e.g. tax authorities) or where the disclosure of data is in the public interest (see section 2.4);
- to the extent that external service providers process data on our behalf as processors or function providers (e.g. credit institutions, external data centers, travel agencies/travel management, printing companies or data disposal companies, courier services, postal services, logistics);
- due to our legitimate interest or the legitimate interest of the third party for the purposes mentioned in section 2.2 (e.g. to authorities, credit agencies, lawyers, courts, experts, affiliated companies and committees and control bodies);
- if you have given us permission to transfer the data to third parties.
We will not disclose your data to third parties unless we have informed you separately. Insofar as we commission service providers as part of order processing, your data is subject to the security standards we have specified in order to protect your data appropriately. In all other cases, the recipients may only use the data for the purposes for which it was transmitted to them.
5. Duration of the storage of your data
We process and store your data in principle for the duration of your application. This also includes the initiation of a contract (pre-contractual legal relationship).
In addition, we are subject to various retention and documentation obligations, which arise, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods for retention and documentation specified there are up to ten years beyond the end of the contractual relationship or the pre-contractual legal relationship. Your application documents will be destroyed after 180 days if you are not hired. Electronic data will be anonymized accordingly after 180 days. If we wish to store your data for a longer period for future vacancies or you have placed your data in an applicant pool, the data will be deleted at a later date; you will be informed of the details in connection with the respective process.
If the data is no longer required for the fulfillment of contractual or legal obligations and rights, it will be deleted on a regular basis, unless its further processing – for a limited period of time – is necessary to fulfill the purposes listed under point 2.2 due to an overriding legitimate interest of our company. Such an overriding legitimate interest exists, for example, if deletion is not possible or only possible with disproportionately high effort due to the special type of storage. In these cases, we may also store your data for a period compatible with the purposes agreed, and use it to a limited extent if necessary, even after our contractual relationship has ended. In principle, in these cases, deletion is replaced by a restriction of processing. In other words, the data is blocked from the usual use by appropriate measures.
6. Talent pool
If we are unable to consider you for the position for which you have applied, we may contact you to ask whether we can include you in our talent pool.
We will contact you by email for this purpose. If you agree, we will include your data in the talent pool and consider you for new, suitable job postings. This does not happen automatically; we will contact you and inform you each time you are considered. You can object to being considered. Your data will remain in our pool for 180 days after the application process has ended. The data will then be anonymized.
7. Processing of your data in a third country or by an international organization
Data will be transferred to recipients in countries outside the European Economic Area EU/EEA (so-called third countries) if it should be necessary for the performance of a contractual obligation towards you (e.g. applying for a job abroad), or if it is in the legitimate interest of us or a third party, or if you have given us your consent.
In this case, your data may also be processed in a third country in connection with the involvement of service providers for the purpose of order processing. If the EU Commission has not issued a decision regarding an adequate level of data protection in the country concerned or for specific sectors in a third country, appropriate contracts (such as EU standard contracts) and additional measures may be used as a basis for the transfer. Information on the appropriate or suitable guarantees and on how to obtain a copy of them can be requested from the company data protection officer.
8. Your data protection rights
Under certain conditions, you can assert your data protection rights against us.
Every data subject has the right of access under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR and the right to data portability under Article 20 of the GDPR. The restrictions according to §§ 34 and 35 BDSG apply to the right of access and the right of deletion. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
Your requests to exercise your rights should, if possible, be addressed in writing to the above address or directly to our data protection officer.
9. Scope of your obligations to provide us with your data
You are only required to provide the data that is necessary for the processing of your application or for a pre-contractual relationship with us or that we are legally obliged to collect. Without this data, we will generally not be able to continue the application and selection process. If we request additional data from you, you will be informed separately about the voluntary nature of the information.
10. Existence of automated decision-making in individual cases (including profiling)
We do not use any purely automated decision-making processes in accordance with Article 22 of the GDPR. If we do use such a process in individual cases in the future, we will inform you of this separately, provided that this is required by law.
Information about your right to object Art. 21 GDPR
1. You have the right to object at any time to the processing of your data based on Art. 6 (1) f GDPR (data processing based on a balancing of interests) or Art. 6 (1) e GDPR (data processing in the public interest). However, this requires that there are reasons for your objection that arise from your particular personal situation. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims. You can, of course, withdraw your application at any time.
2. We do not plan to use your personal data for direct marketing purposes. Nevertheless, we must inform you that you have the right to object to advertising at any time; this also applies to profiling insofar as it is associated with such direct marketing. We will take this objection into account for the future. The objection can be made informally and should preferably be addressed to
GESIS – Leibniz-Institut für Sozialwissenschaften e.V.
Team Personal
B6, 4-5
68159 Mannheim
Data protection information for applicants dated 10.03.2025, version no. 1.0
Processing of (personal) data by the operator of the recruitment website
General information
This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.
The controller
The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy(at)personio(dot)com
Access logs (“server logs”)
Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary for security reasons, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.
Error logs
So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.
Use of cookies
So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR).
Period of storage: up to 1 month or until the end of the browser session
Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.
Rights of data subjects
If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).
Concluding provisions
Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.