Data Protection – GMH Gruppe

Privacy Policy

Status: January 2023
We reserve the right to make any adjustments to this privacy policy.

1. Foreword

The GMH Group (hereinafter also referred to as "company", "we" or "us") takes the protection of your personal data seriously. For this reason we would like to inform you (hereinafter also referred to as "customer", "user", "you" or "affected party") about data protection in our group of companies.

The GDPR obliges us to provide transparent information about the purposes and means of processing. The aim of this declaration is to provide you with information on the way in which your data is processed by us.

2. General information

2.1 Definitions

Following the model of Art. 4 GDPR, this data protection declaration is based on the following definitions:

  • "Personal data" (Art. 4 No. 1 GDPR) means all information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information concerning his or her physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability may also be provided by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
  • "Processing" (Art. 4 No. 2 GDPR) is any operation in which personal data is handled, whether or not with the aid of automated (i.e. technology-based) procedures. This includes in particular the collection (i.e. acquisition), recording, organisation, filing, storage, adaptation or alteration, reading, retrieval, use, disclosure by transmission, dissemination or otherwise making available, comparison, interconnection, restriction, deletion or destruction of personal data, as well as alteration of a target or purpose on which data processing was originally based.
  • "Controller" (Art. 4 No. 7 GDPR) is the natural or legal person, authority, institution or other body which alone or jointly with others determines the purposes and means of processing personal data.
  • "Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, authority, institution or other body which processes personal data on behalf of the controller, in particular in accordance with the latter's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
  • "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorised to process the personal data; this also includes other legal persons belonging to the group.
  • "Consent" (Art. 4 No. 11 GDPR) means any freely given, informed and unequivocal expression of will in the specific case, in the form of a declaration or any other unequivocal affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

2.2 Who is responsible?

Responsible for the website:

Georgsmarienhütte Holding GmbH
Neue Hüttenstraße 1
49124 Georgsmarienhütte

Phone: +49 (0) 5401 39-0
Fax: +49 (0) 40 284069-26
e-mail: kontakt(at)gmh-gruppe.de

2.3 Data protection officer

You can reach our data protection officer at the postal address:

GMH Systems GmbH,
Neue Hüttenstraße 2,
49124 Georgsmarienhütte,

E-mail: datenschutz.systems@gmh-gruppe.de

2.4 Legal basis

The processing of personal data requires a legal basis or other defined permission. If there is no legal basis or similar justification, processing is prohibited. The legal bases defined in the law include:

Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)

If you have voluntarily, in an informed manner and unambiguously indicated, by means of a statement or any other unambiguous affirmative act, that you consent to the processing of your personal data for a specific purpose.

Fulfilment/initiation of contract (Art. 6 para. 1 sentence 1 lit. b) GDPR)

If the processing is necessary for the performance of a contract to which you are party or for the implementation of pre-contractual measures taken at your request.

Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR)

If the processing is necessary for the fulfilment of a legal obligation to which we are subject (e.g. a legal obligation to preserve records).

Protection of vital interests (Art. 6 para. 1 sentence 1 lit. d) GDPR)

If the processing is necessary to protect your vital interests or those of another natural person.

Public interest (Art. 6 para. 1 sentence 1 lit. e) GDPR)

If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

If the processing is necessary to protect the legitimate interests (in particular legal or economic) of the controller or of a third party, unless your interests or rights outweigh the processing (in particular if the data subject is a minor).

2.5 Deletion and storage period

If no storage period is specified for our data processing, your data will be blocked or deleted as soon as the purpose no longer applies. Under certain circumstances, however, the data may be stored for a longer period of time because statutory retention periods (e.g. under tax law) prevent deletion.

2.6 Data security

In order to guarantee the security of your personal data, we use appropriate technical and organisational measures. These measures help to protect your data against accidental or deliberate manipulation, loss, destruction or unauthorised access by third parties. Technical and organisational measures are implemented taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons.

2.7 Data processing by order

In some cases, we use service providers for the processing of our business transactions, but they only act according to our instructions and are contractually obliged to comply with data protection regulations.

2.8 Profiling

We do not intend to use personal data collected from you for any automated decision making process (including profiling).

2.9 What rights can you assert?

You have the following rights in relation to the personal data concerning you:

  • Right of access by the data subject,
  • Right of rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to object,
  • Right to data portability,
  • Right of withdrawal,
  • Right of appeal to a supervisory authority

2.10 Rights in detail

Right of access by the data subject according to Art. 15 GDPR

You have the right to ask us to confirm whether personal data concerning you is being processed. If this is the case, you have the right to be informed of this personal data and to receive the following information:

  • For what purpose will the data be processed?
  • What kind of data is processed?
  • Who has access to the data?
  • Is the data stored or transferred to third countries?
  • If a statement can be made, how long will the data be stored?
  • information on other rights of data subjects, such as the right of correction or deletion.

Right of rectification under Art. 16 GDPR

As the responsible party, we have the duty to ensure that the personal data processed is accurate. If this is not the case, you have the right to demand that we correct any incorrect personal data that has been processed.

Right to erasure under Art. 17 GDPR

You have the right to have your personal data stored by us deleted if

  • the purpose of the processing has ceased to exist,
  • you revoke your consent,
  • you object to the processing,
  • the data processing was unlawful from the outset,
  • the deletion is necessary to comply with a legal obligation under Union or national law,
  • your data have been collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.

Right to restriction of processing under Art. 18 GDPR

You may request the restriction of data processing for the following reasons:

  • the correctness of the data is disputed by you,
  • the processing is unlawful and you object to the deletion of the data,
  • we no longer need your data, but you do need the data to assert, exercise or defend legal claims or
  • you have lodged an objection to the processing pursuant to Art. 21 GDPR.

Right to data portability under Art. 20 GDPR

You may request the release of the data we collect in a structured, common, machine-readable format or request that the data be transferred to another responsible party.

Right of appeal to a supervisory authority under Art. 77 GDPR

You have the opportunity to contact a supervisory authority in the event of complaints regarding data protection.

Right of withdrawal of consent, Art. 7 para. 3 GDPR

If you have given us permission to process your data, you can revoke this permission at any time. Such revocation concerns the permissibility of processing your personal data in the future. The permissibility of the data processing carried out up to that point remains unaffected by the revocation. A simple e-mail to: datenschutz.systems(at)gmh-gruppe.de is sufficient here.

Right of objection Art. 21 GDPR

The right of objection protects against processing that is not in accordance with your will. To assert this right, you must take action and make the claim clear to us. A simple e-mail to datenschutz.systems(at)gmh-gruppe.de is sufficient here.

You can lodge an objection if we base the processing of your personal data on the weighing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR and there are reasons arising from your particular situation. In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or show you our compelling reasons for continuing the processing that are worthy of protection.

3. Website

3.1 Explanation

Information about our group of companies, competencies and services can be found at www.gmh-gruppe.de together with the corresponding sub-pages (hereinafter jointly referred to as "website") of the respective group companies. When you visit our website there is the possibility that personal data may be processed.

3.2 Processed data and legal basis

When using the website for information purposes only, i.e. when you do not register (e.g. shopping portal) or otherwise provide us with information, we only collect the personal data that your browser sends to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website and to ensure its stability and security:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transmitted in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

The above-mentioned data are processed by us on the basis of Art. 6 para. 1 lit. f GDPR. The data processing is necessary to ensure the presentation of the website and its security.

3.3 Contact and callback form

On our website we offer the possibility to get in touch with us via a contact or callback form. In order to be able to answer your request, it is necessary to process your personal data. The data will be used exclusively for this purpose. A temporary storage of the e-mail logs for operational reasons takes place for 30 days, including in particular the sender's e-mail address. A storage of the entire mail content takes place for 5 days.

When using the contact form, the following data will be processed by us independently of the data mentioned above:

  • Name
  • e-mail

When using the callback form, the following data will be processed:

  • Name
  • e-mail
  • Phone

The relevant legal basis in this context is Art. 6 para. 1 lit. f) GDPR to be able to answer your request.

3.4 Cookies

When you use our website, we use cookies that are stored on your computer. A cookie is a set of data. Specifically, a cookie consists of data, a value and a key. Cookies are managed by the browser in the user's terminal device and stored there. They are used to make the Internet offer as a whole more user-friendly and effective, i.e. more pleasant for you.

You can generally prevent the setting of cookies via the settings in your browser or alternatively remove the unwanted cookies from the history of your browser after your session.

You can set your browser settings to allow the acceptance of cookies only in certain cases or generally. You can configure your browser settings to suit your preferences and, for example, refuse to accept third-party cookies or all cookies. Please note that if you disable the acceptance of cookies, you may not be able to use all functions of this website.

Cookies may contain data that enable the recognition of the device used. However, sometimes cookies only contain information on certain settings that cannot be related to a specific person.

A distinction is made between session cookies, which are deleted again as soon as you close your browser, and persistent cookies, which are stored beyond the individual session.

  1. The session cookies are only saved during your current visit to our website and are used to enable you to use our services without restriction and to make your use of our website as convenient as possible for your current visit to our website. If session cookies are deactivated, it cannot be guaranteed that you will be able to use all our services without restriction.
  2. Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

When you visit our website, you will be asked which data we may process. We distinguish between essential and other cookies.

Essential (technically mandatory) cookies:

These are mandatory to navigate the website, use basic functions and ensure the security of the website.

Functional cookies:

These technologies enable us to analyse the use of the website in order to measure and improve performance.

Marketing Cookies:

These technologies are used by advertisers to deliver ads that are relevant to your interests.

Analysis cookies:

These technologies are used to analyse user behaviour on the site and improve the products accordingly.

Any use of cookies that is not absolutely technically necessary represents data processing that is only permitted with your express consent in accordance with Art. 6 para. 1 lit. a GDPR.

We use a service provider to manage cookie consent. This is the Usercentrics Consent Management Platform, a consent management service of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

3.5 Google Tag Manager

The Google Tag Manager is a tag management system (TMS) that allows you to manage tags, i.e. tracking codes and associated code fragments, on our website. Google services can be integrated into a website via the Google Tag Manager.

When using the Google Tag Manager a connection to the servers of Google is established. This means that the IP address of the browser of the Google device used by the visitor to this website is stored. It cannot be ruled out that in this context data may be transferred to Google in the USA and that US security authorities may be able to access the data. However, cookies are not set in connection with the use of the Google Tag Manager.

More information about the Google Tag Manager and data processing by Google can be found here:

https://support.google.com/tagmanager/answer/6102821?hl=de

https://www.google.com/policies/privacy/

The lawful processing is determined by Art. 6 para. 1 lit. a) GDPR - the consent. You have the possibility to manage your consents via the cookie banner of the GMH Gruppe page. Accordingly, you are free to consent to processing or to revoke it subsequently.

Place of processing: United States of America

Retention period: The data is deleted as soon as it is no longer needed for processing purposes.

Data receiver:

  • Alphabet Inc.
  • Google LLC
  • Google Ireland Limited

3.6 Google Analytics

This website uses Google Analytics, a web analysis service of Google LLC. Google Analytics uses so-called "cookies", text files that are stored on your computer. We use Google Analytics to analyse and regularly improve the use of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.

By using this service the following data is processed:

  • IP address
  • Date and time of the visit
  • Usage data
  • Click path
  • App updates
  • Browser information
  • Device information
  • JavaScript support
  • Visited pages
  • Referrer URL
  • Downloads
  • Flash version
  • Location information
  • Purchase activity
  • Widget interactions

Lawful processing is determined by Art. 6 para. 1 lit. a GDPR - consent. You have the option of managing your consent via the cookie banner on the GMH Group website. Accordingly, you are free to consent to processing or to revoke your consent subsequently.

The processing company is "Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland". The place of processing is the European Union.

The data receivers are

  • Alphabet Inc,
  • Google LLC,
  • Google Ireland Limited.

The processed data are subject to a certain retention period. The retention period is the period of time during which the collected data is stored for processing. The data must be deleted as soon as they are no longer required for the specified processing purposes. The retention period depends on the type of data stored.

Some services transfer the collected data to a third country. This may be for various purposes, such as storage or processing.

Click here to read the privacy policy of the data processor https://policies.google.com/privacy?hl=en

Click here to revoke on all domains of the processing company https://tools.google.com/dlpage/gaoptout?hl=de

Click here to read the data processor's cookie policy https://policies.google.com/technologies/cookies?hl=en

3.7 Social Media

On our website it is possible to access the following social media via click: Facebook, Instagram, Twitter, Xing and LinkedIn. We use the so-called "two-click solution". This means that when you visit our site, no personal data is initially passed on to the providers. The legal basis for the use is Art. 6 para. 1 sentence 1 lit. f GDPR.

Only if you click on the marked field of the social networks and thereby activate it, personal data will be transmitted from you to the respective provider and stored there (partly in the USA in the case of US providers). This also happens if you yourself do not have a profile in the respective social network. The data processing operations and their scope differ according to the respective social network. For more information on the purpose and scope of data collection and its processing by the provider of the social network, please refer to the privacy statements of the respective provider. There you will also receive further information on your rights in this regard and setting options for protecting your privacy.

Addresses of the respective plug-in providers and URL with their privacy notices:

1. Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Meta Privacy Policy - How Meta collects and uses user data | Privacy Center | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy
Introducing Privacy Center | Meta (fb.com)

Including more detailed information:

Facebook
Basic Privacy Settings & Tools | Facebook Help Center
Facebook Privacy Basics

Instagram
Privacy Settings & Information | Instagram Help Center

2. Xing AG, Dammtorstraße 30, 20354 Hamburg, DE
Privacy at XING

3. LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
LinkedIn Privacy Policy

4. Twitter, Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
Safety and security (twitter.com)
Protecting your personal information | Twitter Help

In the case of Facebook, Instagram and Xing, the IP address is anonymized immediately after collection, according to the respective providers. In addition, the IP addresses of Facebook and Instagram are deleted after 90 days.

3.8 Use of YouTube

Our online offer includes YouTube videos, for whose playback we use a plug-in of the YouTube service operated by Google (hereinafter referred to as "YouTube"). The operator of the service is Google.

We use the YouTube service in advanced privacy mode to protect your privacy as much as possible. If you visit a website of our online offer on which a YouTube video is integrated, Google initially only receives the information necessary for integration and no cookies are set for usage analysis. Only when you play the embedded video does Google receive further information; Google may also set cookies to analyze your user behavior. When playing the video, Google's YouTube servers are informed, for example, about which page of our online offer you are playing the video from.

If you are logged in to your Google Account, you enable Google or YouTube to assign your surfing behavior directly to your personal Google profile. We therefore recommend that you only play embedded YouTube videos if you agree to the associated data processing by Google. You can prevent the assignment of data to your Google profile by logging out of your YouTube account. For more information on how Google treats user data, please see Google's privacy policy at https://www.google.de/intl/de/policies/privacy/, which also applies to YouTube.

We use YouTube so that we can show you videos and thus better inform you about us and our services. The legal basis for the integration of the videos is our legitimate interest in the sense of Art. 6 para. 1 lit. f) GDPR; however, the playing of the videos and the associated further data processing will only take place on the basis of your consent in the sense of Art. 6 para. 1 lit. a) GDPR.

3.9 Google Maps

On this website we integrate the map service "Google Maps". This technology enables us to analyse the use of the website in order to measure and improve performance.

By using this service the following data is processed:

  • IP address
  • Usage data
  • URLs
  • Location Information
  • Date and time of the visit

Lawful processing is determined by Art. 6 para. 1 lit. a GDPR - consent. You have the option of managing your consent via the cookie banner on the GMH Group website. Accordingly, you are free to consent to processing or to revoke your consent subsequently.

The processing company is "Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland". The place of processing is the European Union.

The data receivers are

  • Alphabet Inc,
  • Google LLC,
  • Google Ireland Limited.

The processed data are subject to a certain retention period. The retention period is the period of time during which the collected data is stored for processing. The data must be deleted as soon as they are no longer required for the specified processing purposes. This service may transfer the collected data to another country. In particular, this may include third countries, i.e. countries outside the European Union and the European Economic Area.

Click here to read the data processor's cookie policy https://policies.google.com/technologies/cookies?hl=en

3.10 Google Ads Conversion Tracking

We use Google Ads on our website. This is a conversion tracking service for marketing and analysis purposes.

By using this service, the following data are processed:

  • Browser language
  • Clicked advertisements
  • Cookie information
  • IP address
  • Usage data
  • Browser type
  • Cookie ID
  • Date and time of visit
  • Referrer URL
  • Web request

The lawful processing is determined according to Art. 6 (1) a) GDPR - the consent. You have the option to manage your consents via the cookie banner. Accordingly, you are free to consent to processing or to revoke it subsequently.

The processing company is "Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland". The place of processing is the European Union.

The data recipients are:

  • Alphabet Inc.,
  • Google LLC,
  • Google Ireland Limited.

The processed data are subject to a certain retention period. The retention period is the time period during which the collected data is stored for processing. The data must be deleted as soon as they are no longer required for the specified processing purposes. The retention period depends on the type of data stored.

Some services may transfer the collected data to a third country. This may be for various purposes, such as storage or processing.

Click here to read the privacy policy of the data processor: https://policies.google.com/privacy?hl=en

Click here to revoke on all domains of the processing company: https://tools.google.com/dlpage/gaoptout?hl=en

Click here to read the cookie policy of the data processor: https://policies.google.com/technologies/cookies?hl=en

4. Business Partner

4.1 Explanation

We are a member of the GMH Group and operate mainly in the European Economic Area (EEA). However, we also have branches outside the European Economic Area. Together we process personal data of our contact persons, such as name, first name, telephone numbers, etc., in order to be able to contact you.

A business relationship or a business initiation is not possible without processing personal data of the contact persons. We use your data in the Business to Business (B2B) area.

4.2 Responsible person

For the person responsible in accordance with Art. 4 No. 7 GDPR, we refer to the company named in the imprint and their contact details (https://www.gmh-gruppe.de/de-de/gmh-gruppe/gruppen-unternehmen.html).

4.3 Data protection officers

You can reach our data protection officer at the postal address:

GMH Systems GmbH,
Neue Hüttenstraße 2,
49124 Georgsmarienhütte,

E-mail: datenschutz.systems(at)gmh-gruppe.de

4.4 Purpose, categories of data, legal basis

We store the personal data provided by you within the framework of our business relationship and/or a business initiation (interested party), in particular for the fulfilment of existing contracts and/or for the implementation of pre-contractual measures.

These are the company data made available to us for the purpose of an enquiry, quotation and order (clarification of queries / enquiries, coordination of appointments, invoicing, customer advice / customer service and other legal obligations of the person responsible), including the contact data of the respective contact persons. These data are generally collected when contacting us by telephone, received / provided business cards (interested party or potential customer / service provider / supplier) and / or received e-mail.

The relevant legal basis for lawful processing is Art. 6 para. 1 lit. b GDPR: the data processing is necessary for the performance of a contract or for the implementation of pre-contractual measures.

In order to protect our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, the contact data is also used for statistical purposes and to optimise our processes in sales and dispatch. To provide an overview of customer service, to improve our products and to maintain our contractual relationship, these personal data may be stored in a customer database (Customer Relationship Management - CRM).

Due to various legal regulations, the companies of the GMH Group are subject to further obligations arising, for example, from the German Commercial Code or the Tax Act. These are, in particular, the fiscal control and reporting obligations, the implementation of compliance screenings (comparison of the "EU terror lists" (European anti-terrorism regulations 2580/2001 and 881/2002) and the prevention of fraud and money laundering) - the legal basis for the collection of data for the fulfilment of legal obligations is Art. 6 para. 1 lit. c GDPR.

The contact details of contact persons are also used to inform them about products, events or trade fairs and to conduct a customer satisfaction survey (voluntary). Use for these purposes is made on the basis of our legitimate interests in direct marketing measures in accordance with Art. 6 para. 1 lit. f GDPR or, if consent is required, by means of a declaration of consent on the basis of Art. 6 para. 1 lit. a GDPR. You have the right to revoke any consent you have given at any time with effect for the future without giving reasons.

4.5 Data transfer

Personal data may also be processed by affiliated companies of the GMH Group. Within the respective responsible body of the GMH Group, only those bodies entrusted with the fulfilment of existing contracts, the execution of pre-contractual business relations and/or the protection of our legitimate interests will receive your data. These are in particular the employees entrusted with the preparation and execution of the request for quotation, order processing (sales, shipping, finance and accounting), purchasing and customer service.

Further access to the data is possible by service providers employed by us and acting on our behalf (so-called order processors, Art. 28 GDPR), for the care and maintenance of our systems, for error analyses and corrections and to ensure IT security. These accesses are regulated by contracts for order processing according to GDPR.

4.6 Third countries 

Due to our business relations and branches outside the European Economic Area, your personal data may be transferred to third countries. Such processing is carried out solely for the purpose of fulfilling contractual and business obligations and to maintain your business relationship with us.

4.7 Storage

If there is no legal retention period and/or storage is no longer required, the data will be deleted. This is the case when

a) you do not place an order and you are not interested in / consent to further offers, information, contacts and / or

b) after termination and complete conclusion of the contract and no legal obligation to keep records precludes deletion.

The obligation to keep personal data can vary between three (3) and thirty (30) years.

4.8 Rights of natural persons

Your rights are set out in the general section under points 2.9 and 2.10.

5. Applicants

5.1 Explanation

When your application for a significant position is received by the respective GMH Group company, personal data will be processed.

5.2 Responsible person

The person responsible in terms of data protection is the respective company to which you would like to apply or have applied. On our career page you will find the respective company directly in the job description.

If you would like us to consider you for other vacancies in our company and/or keep your application for the maximum retention period of 6 months, please let us know directly with your application.

We assume that we may also answer unencrypted application e-mails without encryption. If you do not wish this, please give us a note in your application e-mail.

5.3 What categories of data do we use as an employer and where does this data come from?

The categories of personal data processed include in particular your master data (such as first name, surname, name affixes), contact data (such as private address, (mobile) telephone number, e-mail address), all data resulting from your application documents (including health data, if applicable), and, if applicable, bank details (to reimburse travel expenses).

Your personal data is usually collected directly from you during the application process. In addition, we may have received data from third parties (e.g. employment agencies).

We also process personal data that we have reliably obtained from publicly accessible sources (e.g. professional networks).

5.4 For what purposes and on what legal basis are data processed?

We process your personal data in accordance with the provisions of the GDPR, the Federal Data Protection Act (BDSG) and all other relevant laws (e.g. ArbZG, etc.).

We store the personal data provided by you as part of the application process. This applies both to applications in response to specific advertisements and to unsolicited applications.

The data processing serves exclusively to decide on the establishment of an employment relationship. The primary legal basis is § 26 para. 1 BDSG.

In addition, your separate consent in accordance with § 26 para. 2 BDSG may be used as a data protection permission regulation.

If you have given us your permission to store your personal data for a longer period of time beyond the application process or to use the data to companies of the GMH Group for similar staffing procedures, this constitutes consent in accordance with § 26 para. 2 BDSG.

If your application documents contain photographs, we see this as an implied consent to the processing and forwarding of the photograph within the application process. The relevant legal basis is § 26 para. 2 BDSG - Consent. You have the right to withdraw your consent at any time.

5.5 Who gets your data?

Within our company, only those persons and positions that are responsible for the specific application procedure receive your personal data. These are the employees of the personnel department as well as the departments in which a position is to be filled and the potential superiors. If necessary, the works council receives the application documents in accordance with § 99 BetrVG (co-determination in individual personnel measures).

5.6 Is your data transferred to a third country?

We do not transfer personal data to third parties outside the European Economic Area (EEA).

5.7 To what extent do automated individual case decisions take place?

We do not use purely automated processing to make a decision - including profiling to establish an employment relationship.

5.8 How long will your data be stored?

If no discontinuation takes place and no legal retention period exists, the data will be deleted as soon as storage is no longer required or the legitimate interest in storage has ceased to exist. This is regularly the case six (6) months after the application procedure has been completed at the latest.

In individual cases, individual data may be stored for a longer period (e.g. travel expense accounting). The duration of the storage then depends on the legal storage obligations, e.g. from the German Fiscal Code (6 years) or the German Commercial Code (10 years).

If you have given us your permission to store your personal data for a specified period of time beyond the application process, this storage period applies.

5.9 What are your rights?

Your rights are set out in the general section under points 2.9 and 2.10.