Privacy Notice Applicants

Responsible party:
PAUL HARTMANN AG
Paul-Hartmann-Straße 12
89522 Heidenheim
Phone: +49-7321-36-0
Fax: +49-7321-36-3636
E-Mail: info@hartmann.info

Contact Data Protection:
PAUL HARTMANN AG
Department CFO-DPM / DPO
Paul-Hartmann-Straße 12
89522 Heidenheim
E-Mail: datenschutz@hartmann.info

We process your personal data in accordance with the provisions of the GDPR, the German Federal Data Protection Act (BDSG) and other applicable data protection regulations. You will find details under the following explanations.

2.1 Purposes in the context of pre-contractual measures (cf. Art. 6 (1) b, Art. 9 (2) b GDPR, § 26 BDSG)

This data protection notice is issued in connection with the application procedure. Your personal data is processed in order to decide on the establishment of an employment relationship with you and to process it. This may also include the creation of a personality profile as part of a personality test. Although the evaluation is initially automated, the content is then checked by the people involved in the recruitment process. The evaluation can then be included in the decision on whether to establish an employment relationship with you. The evaluation will be handed over to you personally. If personal hand over is not possible, it will be sent to you by post or made available to you by digital means. Of course, we will ensure the best possible digital hand over from a IT-Security perspective - according to the state of the art.

2.2 Purposes within the scope of legitimate interests of us or third parties (cf. Art. 6 (1) f GDPR)

We process your personal data if it is necessary to protect the legitimate interests of us or third parties, unless there are no overriding interests on your part (including fundamental rights and freedoms) that speak against such processing. Our purpose-oriented interests can be in particular:

• Internal administrative purposes;
• Statistical evaluations for corporate management;
• Measures for controlling and optimizing business processes;
• Measures for the further development of services and products;
• Identification of recruited employees for distribution of bonus;
• Testing and optimisation of procedures for demand analysis;
• Comparison with national as well as European and other international sanctions lists as part of our compliance program to determine critical data (screening), insofar as this goes beyond the legal obligations. The comparison depends to a large extent on the matter in question and the circumstances of the individual case, i.e. on the risk forecast and the safety relevance of the specific activity;
• Enrichment of our data, among other things by using or researching publicly available data to the extent necessary;
• Active Sourcing (direct approach of candidates);
• Benchmarking;
• Assertion of legal claims and defence in the event of legal disputes which are not directly attributable to the contractual relationship ;
• Building and plant security, securing and exercising the rights of the building by taking appropriate measures (e.g. access controls) and, if necessary, by video surveillance to protect third parties and our employees and to prevent criminal offences and to secure evidence for the investigation of criminal offences, insofar as this goes beyond the general duty of care;
• Further development of existing systems and processes;
• Internal and external investigations, security checks; publications;
• Obtaining and maintaining certifications of a private or official nature for internal administrative purposes.

2.3 Purposes within the scope of your consent (cf. Art. 6 (1) a GDPR)

Your personal data may also be processed for certain purposes (e.g. active sourcing - direct approach, addressed to you as a candidate; inclusion in talent pool, to which group companies may have access; or storage for the purpose of filling vacancies that have become vacant again) on the basis of your consent. You can withdraw this consent at any time. This also applies to the withdrawal of declarations of consent that were issued to us prior to the validity of the GDPR, i.e. before 25th May 2018.

In principle, the revocation of a consent at any time is only effective for the future. Processing that took place before the revocation is not affected and remains legal. In all other respects you are not obligated to grant consent and no legal disadvantages arise for you from the refusal of consent.

2.4 Purposes to meet legal requirements (cf. Art. 6 (1) c GDPR or purposes in the public interest (cf. Art. 6 (1) e GDPR)

Like everyone who is involved in the economic process, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. Works Constitution Act, Social Security Code, commercial and tax laws, German Fiscal Code), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of the processing may include identity and age verification, fraud and money laundering prevention (e.g. comparison with European and international anti-terrorist lists), company health management and ensuring occupational safety. In addition, the disclosure of personal data may become necessary within the scope of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil law claims.

Insofar as it is necessary for the decision on the establishment of an employment relationship with you, we process, in addition to the personal data received directly from you, any personal data that may have been lawfully received from third parties (see Art. 14 GDPR). This may include personal data received from external service providers such as headhunters or professional network operators (e.g. LinkedIn or Xing).

Relevant personal data can be:

First name and surname, if applicable maiden name, gender, residential address, contact data, date of birth, place of birth, nationality, religious affiliation, marital status, job description, callable contact data, start / end of employment, educational background (school, studies, training etc.) and professional development, title, residence permit / work permit and its period of validity, data from identification document, qualifications (driver's license, first-aider, knowledge of foreign languages etc.) Status information (mainly pupil or student), information about certificates and qualifications, severe disability (e.g. for holiday entitlement or job description), honorary position / active membership in a club (sports etc.), information about previous employment relationships, criminal records (e.g. for security-relevant functions), photos, bank records (for travel expense accounting).

We only process your personal data within the company. Within our company, those internal departments or organisational units receive your personal data insofar as they need it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged in each case to use your personal data only to the aforementioned extent.

If we transfer your personal data to other persons and companies (third parties) or grant them other access to the personal data, this is only done on the basis of a legal permission. If we commission third parties to process personal data on the basis of a so-called "contract processing agreement" and thereby secure the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.

We process or store your personal data in principle for the duration of the direct approach or of the application procedure. This means that your personal data is generally deleted at the latest 6 months after the application procedure has been declared terminated (e.g. by a rejection). If we only have your application documents in paper form, we will return them to you after the end of the application procedure to our credit.

The above-mentioned information on deletion does not apply if, among other things, legally prescribed retention periods prevent immediate deletion (cf. Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing. In particular, if you have consented to your personal data being stored for further suitable vacancies (inclusion in talent pool) or for filling vacancies that have become vacant again, we will not delete your personal data until you have withdawn your consent to do so or the period of time specified separately by us has expired.

Incorrect and/or incomplete data will be deleted or - if possible - corrected immediately in accordance with Art. 5 (1) d GDPR.

A transfer of data to countries outside the European Economic Area EU/EEA (so-called third countries) takes place in particular if it is necessary for the decision on the establishment of an employment relationship (e.g. your application is passed on to a subsidiary in a third country).

The processing of your personal data in a third country may also take place in connection with the use of service providers in the context of processing orders. Unless the EU Commission has decided on an adequate level of data protection in the country concerned, we guarantee - in accordance with Article 13 (1) f of the GDPR - that your rights and freedoms are protected in the case of transfers in accordance with Articles 46, 47 or 49 (1) subparagraph 2 of the GDPR by providing suitable and appropriate guarantees. Information on the suitable or appropriate guarantees and the possibility of how and where to obtain a copy of them can be obtained on request from the Data Protection Department or the Human Resources Department responsible for you.

• You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that took place before the revocation therefore remains lawful.
• In accordance with Art. 15 GDPR, you can request information about your personal data processed by us.
• In accordance with Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.
• In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored by us in accordance with the conditions stated therein, unless legally prescribed retention periods prevent immediate deletion (see Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
• Pursuant to Art. 18 (1) GDPR, you may request the restriction of data processing if one or more conditions pursuant to Art. 18 (1) GDPR lit. a to d are met.
• In accordance with Art. 20 (1) GDPR, you can receive the personal data processed by us in a structured, common and machine-readable format and transfer this personal data to another person responsible without hindrance from us.
• In addition, you can object to the processing of your personal data in accordance with Art. 21 (1) GDPR. In the event of an objection, we will terminate the processing of your personal data. However, the right of objection only applies in the event of special circumstances arising from your personal situation. In addition, compelling reasons worthy of protection that speak in favour of processing may prevail. Furthermore, certain processing purposes may conflict with your right of objection.
• Without prejudice to any other administrative or judicial remedy, you also have the right to appeal to the competent supervisory authority (see Art. 77 GDPR) if you believe that the processing of your personal data violates data protection provisions. In this context, however, we would ask you to address any complaints first to the contact details given under (1) above.

You only need to provide personal data that is necessary for the decision on the establishment of the employment relationship or that we are legally obliged to collect (e.g. to provide evidence to authorities). Without this personal data, we will generally not be able to carry out the application process. If we request additional personal data from you, you will be informed separately about the voluntary nature of the information.

We do not use purely automated decision-making procedures in accordance with Art. 22 GDPR. Should we nevertheless use such a procedure in individual cases in the future, we will inform you of this separately if this is required by law.