In order to carry out the application process, the employment contract, or the service contract or contract for work, we and third-parties or processors commissioned by us process the following data from you, insofar as you have provided us with this data during the application process or working relationship or if the data arises during the working relationship:
- Personal information (e.g., name, address, telephone number, date of birth, e-mail address, marital status, nationalities)
- Other information on your CV, employer references, emergency contacts, certificates
- Salary data, social insurance data, tax data, health data, religion
Special categories of personal data (Art. 9 of the GDPR and Section 22 of the German Federal Data Protection Act (BDSG)) may also be processed (e.g., information relating to any severe disabilities) in order to comply with our legal obligations as an employer.
The processing is carried out in order to execute the employment contract or the service contract or contract for work, in particular payroll, and in order to comply with the legal obligations of genua, in particular the payment of income tax to the tax authorities, the payment of social insurance contributions to the social insurance agencies, the payment of contributions to other insurers, the performance of the required security checks and the transfer of data within the framework of checks by authorities and public bodies.
In the event that the personal data is to be further processed for a purpose other than the purpose for which the personal data was collected, you will be informed about this other purpose, the duration of the processing and the rights of data subjects before the further processing begins.
3.1. Use of data based on your consent (Art. 6(1)(a) GDPR)
If you consent to your application being stored in our applicant pool, the purpose of the data processing is the use of your application for a future job vacancy. This also applies to any other processing to which you have actively consented. The legal basis for this is your consent pursuant to Art. 6(1)(a) GDPR.
Within the framework of the existing working relationship, special categories of personal data may also be processed. The processing of such data is based on your consent pursuant to Art. 9(2)(a) GDPR. Information regarding your religion is provided voluntarily based on your consent if you would like to exercise associated rights or pay the church tax via your employer.
Information relating to any trade union membership or emergency contacts is provided voluntarily based on your consent.
By providing your application documents, you give genua permission to store and process the personal data and application documents that you provide within the framework of the application process for up to six months. This consent also expressly extends to special categories of personal data that are provided.
All instances of consent provided are voluntary and can be withdrawn, at any time and without giving reasons, by contacting the HR department. Once your notice of withdrawal is received, genua will process your personal data for no longer than is required by the legal retention regulations. Once the legal retention period expires, your personal data will be erased in accordance with data protection laws.
3.2. Data processing for the purpose of executing the contract concluded between you and us (Art. 6(1)(b) GDPR)
In the event that an employment contract is concluded, we will process your data to decide whether to establish an employment relationship or, once the employment relationship has been established, to perform or terminate the employment relationship. The legal basis is Art. 6(1)(b) GDPR, Art. 88 GDPR in conjunction with Section 26 BDSG. In the event that a service contract or contract for work is concluded with you as a freelancer, we will process your data to execute the service contract or contract for work or to implement pre-contractual measures. The legal basis for this is Art. 6(1)(b) GDPR.
In the event that a service contract or contract for work is concluded with you as a freelancer, we will process your data to execute the service contract or contract for work or to implement pre-contractual measures. The legal basis for this is Art. 6(1)(b) GDPR.
3.3. Data processing for the purpose of complying with legal obligations (Art. 6(1)(c) GDPR)
In the event that legal obligations apply, we will process your data based on Art. 6(1)(c) GDPR in conjunction with Section 26 BDSG. The data that is relevant in the respective case is processed based on the applicable legal provisions. In particular, this data includes information relating to payroll, information in tax documents (e.g., receipts for expenses) with regard to tax offices, information for social insurance agencies, employee representative bodies, company doctors, and declarations to insurers and authorities as well as the legally required sanctions list check.
Within the framework of the existing working relationship, special categories of personal data may also be processed. The processing of such data is based on statutory provisions pursuant to Art. 9(2)(b) GDPR.
Statutory provisions on data processing also arise in particular from the German Social Security Codes, the German Fiscal Code (in particular Section 147 AO), the German Commercial Code (in particular Section 257 HGB), the German Industrial Code (in particular Section 109 GewO), the German Evidence Act, the German Transparency of Remuneration Act, the German Federal Statistics Act, the German Trade and Services Statistics Act and the German Works Constitution Act (in particular Section 80 BetrVG).
3.4. Data processing based on legitimate interests (Art. 6(1)(f) GDPR)
Various types of your data (e.g., usernames, e-mail address, IP address) are processed to manage the IT system and maintain its security. This includes created and archived text documents (e.g., correspondence). It also encompasses data collected within the framework of internet use. Without this data processing, secure operation of the system, and therefore employment by our company, would not be possible. This data is processed based on our legitimate interest in ensuring that our IT system functions properly and without malfunctions. In addition, the basic data must also be processed within the company to ensure flawless communication between employees. The legal basis for this is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
The basic provision of personal data is required in order to carry out the application process or conclude a contract (employment contract, service contract or contract for work) with genua. Not providing the data would make it impossible to carry out the application process or conclude a contract. Information relating to a severe disability and other information related to health data as defined in Art. 4(15) GDPR is provided on a purely voluntary basis, meaning that it is possible to apply even without this information, without resulting in an advantage or disadvantage.
6.1. Categories of data recipients
The personal data collected is processed by the employees of genua's HR department. In addition, the Payroll and (HR-)Controlling departments also receive the data relevant to them. Other internal recipients also have restricted access like the working council, the occupational safety department, the health prevention department, the direct supervisor, the respective trainer if applicable and the management. If required, the data is processed by administrators and the data protection team.
Where legally permissible, we transfer personal data to external parties:
- External service companies for payroll accounting
- External service companies for business trips and employee training
- External service companies for the sanctions list check procedure
- External service company for HR and application management
- Authorities and health insurance providers for compliance with legal (reporting) obligations
- IT service providers for the maintenance of our IT infrastructure
- In the case of labor disputes: legal representatives and courts
- Responsible authorities and public bodies
- Bundesdruckerei GmbH as our parent company
Where required by law, we have concluded a data processing agreement with the external parties pursuant to Art. 28 GDPR.
6.2. Data sources
We process personal data that we have received from you within the framework of our business relationships. To the extent that it is necessary in order for us to provide our services, we process personal data that we obtain in a permissible manner from publicly accessible sources or that is provided by other third parties (service providers for the finding of applicants) who are authorized to do so.
Generally, no data is transferred to third countries or international organizations. Data transfers to countries outside the EU and the European Economic Area ("third countries") take place within the framework of the administration, development and operation of IT systems. In this case, the data is transferred only if the transfer is generally permissible because there is a legal justification or because you have consented to the data transfer and the special conditions for a transfer to a third country have been met
The data will be processed and stored for as long as it is necessary in order to fulfill the abovementioned processing purposes. If the data is no longer necessary in order to fulfill the abovementioned purposes, the data will be erased, unless we are legally obligated to retain the data and/or the further processing of the data is necessary in order to preserve evidence within the framework of the legal limitation period pursuant to Section 195 ff. of the German Civil Code (BGB).
In the case of applications, personal data is stored for the duration of the application process. In addition, if necessary, personal data relating to an unsuccessful application is also retained for six months for the duration of the exercise or defense of legal claims, especially based on the General Act on Equal Treatment (AGG). This data is automatically erased once the six months have elapsed.
If you withdraw your application and/or delete your application account, your data will be deleted within 24 hours, unless genua has rejected it beforehand/at the same time. In this case, your personal data will be deleted after the six-month retention period has expired.
If consent to the storage of the application in an applicant pool was granted, the data will be stored for as long as this declaration of consent remains valid.
In the event that an employment contract is concluded, personal data will be stored for the duration of the working relationship. The same applies to service contracts and contracts for work with freelancers. If necessary, personal data is also stored to enable the performance of a task that is in the public interest or falls within the exercise of authority. In addition, if necessary, personal data is also stored for the duration of the exercise or defense of legal claims.
Once the working relationship has ended, the personnel file is generally retained for up to three years following the expiry of the statutory limitation period from the due date of the claim. In addition, individual documents in the personnel file (e.g., payroll accounts, exemption certificates) will be retained for up to six years (pursuant to the German Income Tax Act and the Fiscal Code of Germany) or up to eight or ten years (pursuant to the German Commercial Code).
You have the following rights with regard to the personal data concerning you:
- Right to information (Art. 15 GDPR)
- Right to rectification or erasure (Art. 16 and 17 GDPR)
- Right to restriction of data processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
With regard to the right to object, please refer to our explanations under Section 11 below.
Furthermore, you have the right to object to the use of your data, based on public or legitimate interests, at any time (Art. 21 GDPR). Insofar as we process your data on the basis of your previously given consent, you have the right to revoke this consent at any time with effect for the future (Art. 7(3) GDPR). From the time we receive your revocation, we will no longer process your data for the purposes stated in the consent. Please send your revocation or objection to:
genua GmbH
Domagkstraße 7
85551 Kirchheim bei München (Germany)
Email: datenschutz@genua.de
You can also submit a complaint to a supervisory authority at any time. The supervisory authority generally responsible for us is the Bayerische Landesamt für Datenschutzaufsicht, Postfach 606, 91511 Ansbach (Germany). Alternatively, you can also submit your complaint to any other data privacy supervisory authority.
Furthermore, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Art. 6 (1) (1) (e) or (f) GDPR (Art. 21 (1)(1) GDPR). In the event of an objection, we will no longer use your personal data for the purposes in question and will delete them from our systems, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.