Data Protection Information for Applicants

(Last updated May 30, 2018)

Information on data protection related to our processing of applicant data in accordance with articles 13, 14 and 21 general data protection Regulation (GDPR)

We take data protection very seriously and inform you herein how we process your data and what claims and rights you are entitled to under data protection regulations.

1. Data Controller and contact details

Data controller:

Heuking Kühn Lüer Wojtek PartGmbB
Georg-Glock-Strasse 4
D-40474 Düsseldorf, Germany

Contact details of our Data Protection Officer (also Data Protection Officer of all notaries working in the law firm):

Heuking Kühn Lüer Wojtek PartGmbB
Data Protection Officer Mr. Harald Eul
(HEC Harald Eul Consulting GmbH)
Georg-Glock-Strasse 4
D-40474 Düsseldorf, Germany
Email: dsb(at)heuking.de

2. Purpose of and legal basis for the processing of your data

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz), as well as other applicable data protection regulations. Details can be found below. Further details or additions to the purposes for data processing can be found in the relevant contractual documentation, in forms, or in a declaration of consent and other information provided to you.

2.1 Purposes necessary for performance of a contract or precontractual measures (Art. 6(1)(b) GDPR)

Processing of your personal data is performed for the handling of your application based on a specific job advertisement or an unsolicited application, and in this connection only for the following purposes: examination and assessment of your suitability for the position to be filled, performance and conduct analysis within the legally permitted scope, if applicable for registration and authentication of an application via our website, if applicable for drafting an employment agreement, traceability of transactions, orders, and other agreements, as well as for quality control by means of appropriate documentation, measures for meeting the general duties of care, statistical evaluations for corporate management, travel and event management, travel bookings and travel cost invoicing, rights and credential management, cost recording, and controlling, reporting, internal and external communications, invoicing and tax evaluation of operational services (e.g., canteen food), invoicing via company credit cards, workplace security and health protection, communications relating to contracts (including appointments) with you, assertion of legal claims and defense in case of legal disputes; guaranteeing of IT security (including system or plausibility tests) and general security, including building and plant safety, securing and safeguarding of internal rules by means of corresponding measures, as well as, if applicable, by means of video surveillance for the protection of third parties and our employees, and to prevent and secure evidence in case of offenses; guarantees of integrity, prevention and solving of criminal acts; authenticity and availability of data, monitoring by supervisory boards or supervisory bodies (e.g., auditing).

2.2 Purposes within the framework of a legitimate interest on our part or of third parties (Art. 6(1)(f) GDPR)

Beyond the actual fulfillment of the (preliminary) contract, we will process your data  if  necessary to safeguard either our justified interests or those of third parties. Processing of your data will only take place if and insofar as no predominant interests on your part are opposed to such processing, for the following purposes in particular: measures for further processing of existing systems, processes and services; comparisons with European and international anti-terror lists, if they exceed the legal obligations; enhancement of our data, including through the use or researching of publicly accessible data if necessary; benchmarking; development of scoring systems or automated decision-making processes; building and plant security (e.g., by means of access control and video surveillance), if this exceeds the general duties of care; internal and external investigations, security investigations.

2.3 Purposes associated with your consent (Art. 6(1)(a) GDPR)

Processing of your personal data may also take place for certain purposes (e.g., to obtain references from previous employers or use of your data for future vacancies) on the basis of your consent. In general, you may revoke your consent at any time. You will be informed of the purposes and the consequences of revocation or failure to give consent in the corresponding text of the consent.

In principle, revocation of consent only affects the future. Any processing carried out prior to the revocation remains unaffected and legal.

2.4 Purposes necessary for compliance with a legal obligation (Art. 6(1)(c) GDPR) or for the performance of a task carried out in the public interest (Art. 6(1)(e) GDPR)

Like all players  in business life, we are also subject to a large number of legal obligations. These are primarily statutory requirements (e.g., Works Constitution Act, Social Code, Commercial Code, and Tax Code), but also if applicable supervisory law or other requirements set out by government authorities (such as employers’ liability insurance associations). The purposes of processing may also include identity and age checks, prevention of fraud and money laundering (e.g., comparisons with European and international anti-terror lists), compliance with control and notification obligations under tax law as well as the archiving of data for the purposes of data protection and data security, as well as for purposes of audits by tax advisors/auditors, fiscal and other government authorities. In addition, it may be necessary to disclose personal data within the framework of official government/court measures for the purposes of collecting evidence, law enforcement and criminal prosecution or the satisfaction of civil law claims.

3. The data categories that we process if we do not receive data directly from you, and their origin

Where necessary for the contractual relationship with you and the application you have submitted, we process any data received from other bodies or from other third parties in a permissible manner. In addition, we process personal data that we have obtained, received, or acquired in a permissible way from publicly accessible sources (such as commercial and association registers, civil registers, press, internet, and other media), where required and where we are allowed to process such data in accordance with the statutory provisions.

Relevant categories of personal data may be in particular:

  • address and contact data (registration data and similar data, such as email address and telephone number),
  • information concerning you in the internet or on social networks,
  • video data.

4. Recipients or categories of recipients of your data

Within our firm, internal departments or organizational units will receive your data required to meet our contractual and statutory obligations (such as executives and divisional managers who are looking for new employees or who participate in the decision on hiring, accounting department, corporate physician, occupational safety department, etc.), or as part of handling and implementing our justified interests. Dissemination of your data to external third parties takes place exclusively

  • under circumstances in which we are obligated or entitled to provide information, make a report, or pass on data (e.g., to financial authorities) or the passing on of data is in the public interest (cf. item 2.4);
  • insofar as external service providers process data on our behalf as processors or for the performance of functions (e.g., banks, external computer centers, travel agency/travel management, printing companies, or companies for data disposal, courier services, mail, logistics);
  • as a result of our justified interests or the justified interests of the third party for the purposes stated under item 2.2 (e.g., to authorities, credit agencies, lawyers, courts, appraisers, affiliated companies, corporate bodies and supervisory bodies);
  • if you have given us consent for transmission to third parties.

We will likewise not pass on your data to a third party without notifying you thereof separately. If we commission service providers to perform processing, your data will be subject to the security standards that we have stipulated in order to protect your data in an appropriate manner. In the aforementioned cases, the employees may only use the data for the purposes for which they were transmitted.

5. Duration of the storage of your data

In principle, we process and store your data for the duration of your application, as well as if you provide us with your data for incorporation into our pool of applicants or the HKLW Talent Community. This also includes the initiation of a contract (precontractual legal relationship).

In addition, we are subject to various storage and documentation obligations, arising among other things from the German Commercial Code and the German Tax Code. The durations prescribed there for storage of documentation are up to ten years after the end of the contractual relationship or the precontractual legal relationship. The original of your application documentation will be returned to you if you have not been recruited after six months. Electronic data will accordingly be erased after six months. You will be notified of details in connection with the process in question.

If the data are no longer necessary for the fulfillment of contractual or legal obligations and rights, they will be erased on a regular basis, unless it is necessary to continue processing them for a limited period in order to fulfill the purposes listed under item 2.2 based on our overriding justified interests. An overriding justified interest of this kind will exist, for example, if erasure  is not possible due to the particular type of storage or is only possible at disproportionately high expense. In these cases, we may also store and if necessary use your data within a limited scope after the end of this contractual relationship for a duration agreed upon along with the purposes. In principle, in these cases, instead of the data being erased, processing will be restricted. In other words, the data will be blocked against the otherwise usual use by means of corresponding measures.

6. Processing of your data in a third country or through an international organization

Data are transmitted to parties in countries outside the European Economic Area EU/EEA (third countries) whenever such is necessary to meet a contractual obligation towards you (e.g., application for a position in another country) or where such is in the legitimate interests of us or a third party, or if you have issued us with your consent to such.

At the same time, your data may be processed in a third country, including in connection with the involvement of service providers within the framework of contract processing. If no decision has been issued by the EU Commission regarding the presence of an appropriate level of data protection for the respective country, we warrant that your rights and freedoms will be reasonably protected and guarantied in accordance with EU data protection requirements through contractual agreements to this effect. Information on the suitable or appropriate guarantees and about how and where you can obtain a copy of these may be requested from the operational data protection officer or the human resources department responsible for you.

7. Your data protection rights

Under certain circumstances, you may assert the following data protection rights against us:

Each data subject has the right of access in accordance with Art. 15 GDPR, the right to rectification in accordance with Art. 16 GDPR, the right to erasure in accordance with Art. 17 GDPR, the right to restrict processing in accordance with Art. 18 GDPR, as well as the right to data portability under Art. 20 GDPR. The restrictions in accordance with Sections 34 and 35 Federal Data Protection Act) will apply to the right of access and the right to erasure. In addition, you have a right to complain to a data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 Federal Data Protection Act).

Your requests to exercise your rights should ideally be sent in writing to the address listed above or directly to our Data Protection Officer.

8. Scope of your obligation to provide us with your data

You are only required to provide data that are necessary for the processing of your application or a pre-contractual relationship, or that we are obligated to collect by law. Without such data we will generally not be able to continue to perform the application and selection process. If we request further information from you, you will be notified separately that the information is voluntary.

9. Existence of automated decision-making in individual cases (including profiling)

We do not use any purely automated decision-making procedures pursuant to Article 22 GDPR. If we do, however, use a procedure of this kind in the future in individual cases, we will notify you separately thereof if we are legally obligated to do so.

Information on your right of objection under Art. 21 GDPR

1. You have the right to file an objection at any time against processing of your data carried out on the basis of Art. 6(1)(f) GDPR (data processing on the basis of a weighing-up of interests) or Art. Art. 6(1)(e) GDPR (data processing in the public interest). The precondition for this is, however,  that there are grounds for your objection emanating from your special personal situation. This also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR.

If you file an objection, we will no longer process your personal data unless we can demonstrate compelling reasons warranting protection for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

You may, of course, withdraw your application at any time.

2. We do not intend to use your personal data for purposes of direct marketing. Nevertheless, we are required to inform you that you have the right to file an objection to advertising at any time. This also applies to profiling to the extent that it is connected with such direct advertising. We will respect this objection with effect for the future.

The objection may be filed without adhering to any formal requirements and should be sent to

Heuking Kühn Lüer Wojtek PartGmbB
Data Protection Officer Mr. Harald Eul
(HEC Harald Eul Consulting GmbH)
Georg-Glock-Strasse 4
D-40474 Düsseldorf, Germany
Email: dsb(at)heuking.de
Our information on data protection in accordance with Articles 13, 14, and 21 GDPR may change from time to time. We will publish all changes on this site. We will archive older versions for viewing.

Data protection information last updated: May 30, 2018

PDF-Download: Data Protection Information 

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.