Applicant data protection information pursuant to Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR)
Data protection is of paramount importance to us. In the following, we will inform you how your personal data is processed in the context of the application procedure and what rights you are entitled to.
1 Who is the controller responsible for data processing and whom can I contact?
The data controller as defined in the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions, is:
BFFT Gesellschaft für Fahrzeugtechnik mbH
Tel.: +49 8458 3238-0
Fax: +49 8458 3238-29
2 Contact details of the external data protection officer
The Controller’s Data Protection Officer is:
Mr. Markus Möller
Phone: 0661 296980-97
3 Purposes of the processing / Legal basis
Your personal data will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act [Bundesdatenschutzgesetz (BDSG)] and other pertinent data protection regulations. We will process your personal data for the following purposes:
3.1 Consent (Art. 6 (1) (a) GDPR)
The consent you have granted to the processing of personal data is the legal basis for the processing referred to therein. You can revoke your consent with future effect at any time.
3.2 Fulfillment of contractual obligations (Art. 6 (1) (b) GDPR, Section 26 (1) clause 1 Federal Data Protection Act (BDSG))
We process your personal data for carrying out the application procedure. The processing may also be carried out electronically. This is especially the case if an applicant sends us corresponding application documents electronically, such as, for example, by email or via a web form on the website.
3.3 Fulfillment of legal obligations (Art. 6 (1) (c) GDPR, Section 26 (1) clause 1 Federal Data Protection Act (BDSG))
We process your personal data, where necessary, for the fulfillment of legal obligations, which may include retention and storage obligations, etc.
3.4 Legitimate interests of our company or third parties (Art. 6 (1) (f) GDPR)
We may also use your personal data on the basis of a balance of interests to protect our legitimate interests or those of third parties. This includes in particular the collection of data not directly from the data subject from publicly accessible sources, the so-called Active Sourcing. Our interest in this regard is to fill the respective position with the best possible candidate, who in turn has the interest to be offered the best possible job. We operate Active Sourcing only in business social networks (especially XING and LinkedIn), on which the contact details of the potential candidates can be viewed after registration, to ensure that at least one contact can be expected for the purpose of active sourcing. In addition, the legal basis also includes the forwarding of applicant’s data to the companies affiliated with us. These are legally independent companies, which however are affiliated with our company in business terms. Such business affiliation is precisely defined in Section 15 of the German Stock Corporation Act.
4 Categories of personal data that is being processed
The following data, among other things, is processed:
- Contact details (last name, first name, postal address, telephone number, e-mail address)
- Complete application documents (such as photo, CV, certificates, references)
Naturally, we do not ask applicants to provide so-called specific personal data, such as information on ethnic origin or union membership, in the application procedure. Should such data nevertheless be transmitted to us, we will not consider it in the application procedure.
5 Who receives your data?
We disclose your personal data internally within our company solely to those employees who are involved in the selection of the specific candidate, i.e. need this data to fulfill the contractual and legal obligations or to implement our legitimate interest. In addition, the following recipients may receive your data:
- Processors employed by us (Article 28 GDPR), service providers for supporting activities and other controllers as defined in the GDPR, in particular in the areas of IT services, logistics, courier services, printing services, external data centers, support / maintenance of IT applications, archiving, document processing, accounting and controlling, data destruction, purchasing/procurement, customer administration, letter shops, marketing, telephony, website management, tax consulting, auditing services, credit institutions,
- public agencies and institutions where we are obligated under legal or statutory provisions to furnish information, notification or disclosure of data or the data transfer in the public interest,
- bodies and institutions based on our legitimate interest or that of the third party for the purposes stated in Section 3.4 (e.g., authorities, lawyers, courts, appraisers, companies belonging to the Group EDAG AG, BFFT Aeromotive GmbH, BFFT Italia Srl, BFFT of America Inc., plus bodies and supervisory bodies),
- other bodies for which you have given us your consent to the transfer of data.
6 Transfer of personal data to a third country or an international organization
Data processing outside the EU or the EEA will only be carried out by our affiliate BFFT of America Inc., 940 Emmett Ave, Suite 100, Belmont, CA 94002, United States of America, and only in the event of a pertinent, legitimate interest or consent. In order to ensure an appropriate level of data protection as well as to ensure enforceable and effective rights regarding the processing of personal data, even after the transfer, the corresponding EU standard contractual clauses have been agreed upon with BFFT of America Inc.
7 How long do we store your personal data?
If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the controller, the application documents shall be automatically erased six months after notification of the refusal decision, provided that no other legitimate interests of the controller are opposed to the erasure. Another legitimate interest in this respect is, e.g., a burden of proof in a procedure under the General Equal Treatment Act (AGG) or the statutory statute of limitations. The data may be stored for a longer period of time after a separate voluntary consent of the data subject, which is offered to the data subject in the context of receiving a rejection. If the data subject gives consent to the controller to be contacted later and to continue the application process where he/she should be considered for another position, then the data will be erased 24 months following the date of storage.
8 To what extent is automated decision-making used in individual cases, including profiling?
We do not use purely automated decision-making procedures in accordance with Article 22 GDPR. Should we use these procedures in individual cases, we will inform you separately, insofar as this is required by law.
9 Scope of your obligations to provide us with your personal data
You only need to provide the data that is required for the application procedure. Without such data, we will not be able to conclude an employment contract with you. If we request further data from you, you will be separately informed of the voluntary nature of the information.
10 Data source
Data that was not collected directly from the data subject is obtained from publicly available sources. These sources are job-oriented business social networks such as XING, LinkedIn, etc. Incidentally, this is the data that the applicant has made available as part of his/her application.
11 Your data protection rights
Where your personal data is processed, you are deemed a data subject as defined in the GDPR and you have the following rights towards the controller:
11.1 Right to information (Art. 15 GDPR):
You can ask the controller to confirm whether your personal data is being processed.
If such processing is taking place, you can request the following information from the data controller:
- The purposes for which the personal data is being processed;
- the categories of personal data that are being processed;
- the recipients and/or categories of recipient to whom your personal data has been or will be disclosed;
- the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
- whether you have a right to have your personal data corrected or deleted, a right to limit processing by the responsible party, or a right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information on the origin of the data if the personal data has not been collected from the data subject;
- whether there is an automated decision-making process, including profiling as per Art. 22 (1) and (4) GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You are entitled to demand information on whether your personal data is transmitted to a third-party country or international organization. In this regard, you are entitled to be informed of the appropriate safeguards in connection with the transmission of data pursuant to Art. 46 GDPR.
11.2 Right to rectification (Art. 16 GDPR):
You are entitled to have the controller rectify or complete your personal data insofar as your processed personal data is inaccurate or incomplete. The controller shall have your personal data rectified without undue delay.
11.3 The right to restriction of processing (Art. 18 GDPR)
You may request that the processing of your personal data be restricted under the following conditions:
- you contest the accuracy of the personal data for a period of time enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the stated processing purposes, but you need it in order to assert, exercise or defend legal claims, or
- you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
If processing of your personal data has been limited, this data – aside from its storage – may only be processed with your consent or in order to assert, exercise or defend legal claims or to protect the rights of another natural or legal person, or for the sake of an important public interest of the Union or a member state. If the processing restriction has been imposed according to the aforementioned conditions, you will be informed by the data controller before the restriction is lifted.
11.4 Right to erasure (Art. 17 GDPR):
11.4.1 Obligation to erase
You are entitled to request that the controller erases your personal data without undue delay and the controller shall be obligated to erase personal data without undue delay where one of the following grounds applies:
- Your personal data is no longer needed for the purposes for which it was collected or otherwise processed.
- You withdraw any existing consent on which the processing was based as per Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
- Your personal data was unlawfully processed.
- Your personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
11.4.2 Information disclosed to third parties
Where the controller has made the personal data public and is obligated pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Your right to erasure does not apply where processing is required
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
- for archival purposes, scholarly or historical research purposes that are in the public interest, or for statistical purposes as per Art. 89 (1) GDPR, to the extent that the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- to assert, exercise or defend legal claims.
11.5 Right to information (Art. 19 GDPR)
If you have asserted your right to have the data rectified or erased or its processing restricted by the controller, the latter must inform all recipients to whom your personal data was disclosed about such rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You are entitled to be informed about the recipients by the controller upon request.
11.6 Right to data portability (Art. 20 GDPR)
You are entitled to obtain the personal data that you provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to pass this data on to another controller without hindrance by the controller to whom the personal data was provided, as long as
- the processing is based on a declaration of consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and
- the processing is carried out using automated methods.
In exercising this right, you also have the right to request that your personal data be transferred directly from one data controller to another, insofar as this is technically feasible. In doing so, other people’s freedoms or rights may not be impaired.
The right to portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
11.7 Right of objection (Art. 21 GDPR):
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) clause 1 (e) or (f) GDPR, including profiling based on these provisions.
The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or unless such processing is being used to assert, exercise or defend legal claims.
Where your personal data is processed for direct marketing purposes, then you are entitled to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option to exercise your right to object by automated means using technical specifications.
11.8 Right to withdraw data protection consent (Art. 7 GDPR)
You are entitled to withdraw your data protection consent at any time. Revoking your consent will not affect the legality of any processing that took place before the revocation.
11.9 Automated individual decision-making including profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based exclusively on automated processing including profiling that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller,
(2) is admissible by law of the Union or of the Member States to which the controller is subject and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or
(3) is based upon your explicit consent.
These decisions, however, shall not be based on specific categories of personal data referred to in Article 9 (1) GDPR, unless point (a) or (g) of Article 9 (2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state his or her point of view and to challenge the decision.
11.10 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of alleged infringement if you consider that the processing of data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
The supervisory authority responsible for us is:
Bavarian State Authority for Data Protection Oversight [BayLDA – Bayerisches Landesamt für Datenschutzaufsicht]