(last updated November 23, 2023)
PRIVACY NOTICE reLated to our Processing of JOB Applicant Data in accordance with Articles 13, 14 and 21 General Data Protection Regulation (GDPR)
We take data protection very seriously and hereby inform you how we process your data and what claims and rights you are entitled to under data protection regulations.
1. Data controller and contact details
Heuking Kühn Lüer Wojtek PartGmbB
D-40474 Düsseldorf, Germany
Contact details of our Data Protection Officer (also Data Protection Officer of all civil law notaries working in the law firm):
Heuking Kühn Lüer Wojtek PartGmbB
Data Protection Officer Mr. Harald Eul
(HEC Harald Eul Consulting GmbH)
40474 Düsseldorf, Germany
2. Purposes of and legal basis for the processing of your data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act, and other applicable data protection regulations. Details can be found below. Further details or additions to the purposes for data processing can be found in the relevant contractual documentation, in forms, or in a declaration of consent and other information provided to you.
2.1 Purposes necessary for the performance of a contract or precontractual measures (Article 6(1)(b) GDPR)
Your personal data will be processed for the purpose of processing your application in response to a specific job advertisement or as an unsolicited application, and in particular for the following purposes: examination and assessment of your suitability for the position to be filled, performance and conduct analysis within the legally permitted scope, if applicable for registration and authentication of an application via our website, where applicable for drafting an employment agreement, traceability of transactions, orders, and other agreements, as well as for quality control by means of appropriate documentation, measures for meeting the general duties of care, statistical evaluations for corporate management, travel and event management, travel bookings and travel cost invoicing, rights and credential management, cost recording and controlling, reporting, internal and external communications, invoicing and tax assessment of corporate services (such as canteen food), invoicing via company credit cards, workplace safety and health protection, communications relating to contracts (including appointments) with you, exercise or defense of legal claims in the event of legal disputes; guaranteeing of IT security (including system or plausibility tests) and general security, including building and plant safety, safeguarding and exercising of internal rules by means of appropriate measures, as well as, where applicable, by means of video surveillance for the protection of third parties and our employees, and to prevent and secure evidence in case of offenses; guarantees of integrity, prevention and investigation of criminal acts; authenticity and availability of data, monitoring by supervisory boards or supervisory bodies (e.g., auditing).
2.2 Purposes within the scope of our legitimate interests or those of third parties (Article 6(1)(f) GDPR)
Beyond the actual performance of the (preliminary) contract, we will process your data where necessary to safeguard either our justified interests or those of third parties. Your data will only be processed where there are no overriding interests on your part that are opposed to such processing, such as in particular for the following purposes: steps for further development of existing systems, processes, and services; comparisons with European and international anti-terror lists, where they exceed statutory obligations; enhancement of our data, including by using or researching of publicly accessible data where necessary; benchmarking; development of scoring systems or automated decision-making processes; building and plant security (e.g., by means of access control and video surveillance), where such exceeds the general duties of care; internal and external investigations, security investigations.
2.3 Purposes associated with your consent (Article 6(1)(a) GDPR)
Your personal data may also be processed for certain purposes (e.g., to obtain references from previous employers or using your data for future vacancies) on the basis of your consent. You may revoke your consent at any time with effect for the future. Any processing carried out prior to the revocation will remain unaffected and lawful. You will be informed of the purposes and the consequences of revocation or failure to give consent in the relevant text of the consent notice.
2.4 Purposes necessary for compliance with a legal obligation (Article 6(1)(c) GDPR) or for the performance of a task carried out in the public interest (Article 6(1)(e) GDPR)
Like all actors in business life, we are also subject to a large number of statutory obligations. These are primarily statutory requirements (e.g., Works Constitution Act, Social Code, Commercial Code, and Tax Code), but also possible duties under supervisory law or other requirements set out by government authorities (such as employers’ liability insurance associations). The purposes of processing may also include identity and age checks, prevention of fraud and money laundering (e.g., comparisons with European and international anti-terror lists), compliance with control and notification obligations under tax law, as well as the archiving of data on grounds of IT and data security, and for purposes of audits by tax advisors/auditors, fiscal and other government authorities. In addition, it may be necessary to disclose personal data within the scope of official government/court measures for the purposes of collecting evidence, law enforcement and criminal prosecution, or the satisfaction of claims under civil law.
3. Application via the online job market (Perbit MyJobBoard)
In cases where you submit your application to us via the online job market (domain name MyJobBoard.de), your personal data will be collected by our processor perbit Software GmbH. The online job market enables us to import your personal data and application documents into our HR systems, thus avoiding transmission errors and ensuring that your application is processed quickly. We have carefully selected perbit Software GmbH as a processor to the best of our knowledge and belief. We have entered into an agreement on data processing on behalf of a controller with perbit Software GmbH and obligated the processor to maintain confidentiality in accordance with Section 43e German Federal Code for Lawyers. Where perbit Software GmbH uses subcontracted processors (cloud providers) to host the online job market, we have obtained assurance that our subcontracted processor has in turn entered into an agreement on data processing on behalf of a controller with the aforementioned cloud provider and that your personal data will be processed in a German data center. Irrespective thereof, we are unable to rule out the possibility that the cloud provider may also transfer personal data (e.g., in connection with maintenance work) to third countries outside the EU with a lower level of data protection, where the risk of access by state authorities and limited options for legal remedies cannot be excluded despite far-reaching contractual provisions. With respect to any data transfers to the USA, we have (additionally) satisfied ourselves that the cloud provider is certified under the EU-US Data Privacy Framework.
4. Data categories processed by us where we do not receive data directly from you, and their origin
Where necessary for the contractual relationship with you and the job application you have submitted, we may process data received from other bodies or from other third parties in a permissible manner. In addition, we will process personal data that we have obtained, received, or acquired in a permissible manner from publicly accessible sources (such as commercial and association registers, civil registers, press, internet, and other media) where required, and where we are allowed to process such data in accordance with the statutory provisions.
Relevant categories of personal data may include, in particular:
- address and contact details (registration data and similar data, such as email address and telephone number),
- information concerning you on the internet or on social networks,
- video data.
5. Recipients or categories of recipients of your data
Within our firm, internal departments or organizational units will receive your data required to meet our contractual and statutory obligations (such as executives and divisional managers who are looking for new employees or who participate in the hiring decision, accounting department, corporate physician, occupational safety department, etc.), or as part of handling and implementing our justified interests. Your data will be passed on to external third parties exclusively
- to process your application in response to a specific job advertisement or as an unsolicited application to employees of group companies, where they are involved in or support the decision to fill the position (cf. section 2.1 hereinabove);
- for purposes for which we are obligated or entitled to provide information, make a report, or transfer data (e.g., to tax authorities), or the data transfer is in the public interest (cf. section 2.4 hereinabove);
- where external service providers process data on our behalf as processors or for the performance of functions (e.g., credit institutions, IT service providers, external data centers, travel agency/travel management, printing companies, or companies for data disposal, courier services, postal services, logistics);
- as a result of our justified interests or the justified interests of the third party for the purposes listed under section 2.2 hereinabove (e.g., to authorities, credit agencies, lawyers, courts, appraisers, affiliated companies, corporate bodies, and supervisory bodies);
- where you have given us consent for transmission of data to third parties.
We will not pass on your data to a third party without notifying you thereof separately. Where we commission service providers to perform processing on our behalf, your data will be subject to the safety standards that we have stipulated to protect your data in an appropriate manner. In other cases, the recipients may only use the data for the purposes transmitted.
6. Duration of the storage of your data
In principle, we process and store your data for the duration of your job application and where you provide us with your data to be included in our pool of applicants or the HKLW Talent Community. This also includes the initiation of a contract (precontractual legal relationship).
In addition, we are subject to various storage and documentation obligations, including under the German Commercial Code and the German Tax Code. The durations stipulated there for storage of documentation are up to ten years after the end of the contractual relationship or the precontractual legal relationship. The originals of your application documentation will be returned to you unless you have been recruited within six months. Electronic data will accordingly be erased after six months. You will be notified of details in connection with the respective procedure.
Where the data is no longer necessary to meet contractual or statutory obligations and rights, it will be erased on a regular basis, unless it is necessary to continue processing such data for a limited period to fulfill the purposes listed under section 2.2 hereinabove based on our overriding justified interests. An overriding justified interest of this kind will exist, for example, where erasure is not possible due to the particular type of storage or is only possible at disproportionately high expense. In such events, we may also store and, where necessary, use your data within a limited scope after the end of this contractual relationship for a duration agreed upon along with the purposes. In principle, in such events, instead of the data being erased, processing will be restricted. In other words, the data will be blocked against the otherwise usual use by means of corresponding measures.
7. Processing of your data in a third country or by an international organization
Data will be transmitted to parties in countries outside the European Economic Area EU/EEA (referred to as third countries) whenever necessary to meet a contractual obligation towards you (e.g., application for a position in another country) or where such is in the legitimate interests of us or a third party, or where you have consented thereto.
Your data may be processed in a third country, including in connection with the involvement of service providers within the scope of processing on behalf of a controller. Unless there is an EU Commission decision on an adequate level of data protection for the relevant third country or for specific sectors in such third country, appropriate contracts (such as EU standard contractual clauses) and additional measures may be used as a basis for the transfer. Information on the suitable or appropriate guarantees and on options to obtain a copy thereof may be requested from the Data Protection Officer.
8. Your data protection rights
Under certain circumstances, you may assert the following data protection rights against us:
Each data subject has the right of access in accordance with Article 15 GDPR, the right to rectification in accordance with Article 16 GDPR, the right to erasure in accordance with Article 17 GDPR, the right to restriction of processing in accordance with Article 18 GDPR, and the right to data portability in accordance with Article 20 GDPR. The restrictions in accordance with Sections 34 and 35 Federal Data Protection Act will apply to the right of access and the right to erasure. In addition, you have a right to complain to a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 Federal Data Protection Act).
Your requests to exercise your rights should ideally be sent in writing to the address listed hereinabove or directly to our Data Protection Officer.
9. Scope of your obligation to provide us with your data
You are only required to provide data necessary for the processing of your application or a precontractual relationship, or which we are obligated to collect by law. Without such data, we will generally not be able to continue to perform the application and selection process. Where we request further information from you, you will be notified separately about the voluntary nature of such information.
10. Existence of automated decision-making in individual cases (including profiling)
We do not use purely automated individual decision-making procedures pursuant to Article 22 GDPR. Where we use such a procedure in individual cases in the future, however, we will notify you thereof separately if we are legally obligated to do so.
Information on your right to object in accordance with Article 21 GDPR
1. You have the right to object at any time to processing of personal data concerning you which is based on Article 6(1)(f) GDPR (data processing on the basis of weighing of interests) or Article 6(1)(e) GDPR (data processing in the public interest). There must, however, be grounds for your objection relating to your particular situation. This also applies to profiling based on this provision within the meaning of Article 4(4) GDPR.
Where you object, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise, or defense of legal claims.
You may, of course, withdraw your application at any time.
2. We do not intend to use your personal data for purposes of direct marketing. Nevertheless, we are required to inform you that you have the right to object to advertising at any time. This also applies to profiling to the extent that it is connected with such direct advertising. We will respect such objection with effect for the future.
The objection may be filed without adhering to any formal requirements and should be sent to
Heuking Kühn Lüer Wojtek PartGmbB
Data Protection Officer Mr. Harald Eul
(HEC Harald Eul Consulting GmbH)
40474 Düsseldorf, Germany
Our Privacy Notice in accordance with Articles 13, 14, and 21 GDPR may be amended from time to time. We will publish all updates on this site. Older versions will be archived for viewing.
Privacy Notice last updated: November 23, 2023