Data protection information for applicants

pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR)

For reasons of better readability only, the simultaneous use of the language forms male, female and diverse (m/f/d) is dispensed with. All personal designations apply equally to all genders.

Dear applicant,

Thank you for your interest in our company. In accordance with the data protection regulations, in particular the General Data Protection Regulation ("GDPR"), we would like to inform you below about the processing of your personal data by e-mobilio, based at Medienbrücke 7. OG, Gisela-Stein-Str. 21, 81671 Munich (hereinafter also referred to as "e-mobilio", "we" or "us") as part of the application process and your rights in this regard.

1 Responsible for data processing & data protection officer

1.1 Joint controllers for data processing are

Controller A
Name: e-mobilio GmbH
Address: Medienbrücke 7th floor, Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing directors: Ralph Missy, Denis Reichel

Responsible B

Name: co2.auto GmbH
Address: Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

1.2 Data protection officer

Responsible person A

You can reach our data protection officer using the following contact details

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@e-mobilio.de

Responsible person B

You can reach our data protection officer using the following contact details

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@co2.auto

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can contact our management or the supervisory authority responsible for us below:

Bavarian State Office for Data Protection Supervision (BayLDA)
P.O. Box 1349
91504 Ansbach
Telephone: +49 981 180093 0 | e-mail: poststelle@lda.bayern.de

2 Purposes and legal basis of processing

We process your personal data in accordance with applicable laws, in particular the GDPR and the German Federal Data Protection Act ("BDSG"), based on the following legal bases, among others:

  • For the decision on the establishment of an employment relationship: to the extent necessary, we process your personal data primarily for the establishment of an employment relationship (Art. 6 para. 1 sentence 1 lit. b, Art. 88 GDPR in conjunction with Section 26 para. 1 BDSG).
  • To safeguard legitimate interests: In some cases, we process your personal data in order to protect our legitimate interests or those of third parties. A legitimate interest exists, for example, if your personal data is required to assert, exercise or defend legal claims in the context of the application process (e.g. assertion or defense of claims in the context of the burden of proof in proceedings under the General Equal Treatment Act (AGG)) (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • On the basis of your consent: You can give us your consent to process your personal data for specific purposes, for example to consider your personal data and application for other relevant vacancies in the future (Art. 6 para. 1 sentence 1 lit. a, Art. 9 para. 2 lit. a, Art. 88 GDPR in conjunction with Section 26 para. 2 BDSG). Consent given can be revoked at any time with effect for the future (see section 8 of this data protection information).
  • For the purposes of the employment relationship: If there is an employment relationship between you and us, we will process the personal data already received from you for the purposes of the employment relationship in accordance with Art. 6 para. 1 lit. b) GDPR, Art. 88 GDPR in conjunction with § 26 para. 1 BDSG, insofar as this is necessary for the initiation, execution or termination of the employment relationship or for the exercise or fulfillment of the rights and obligations arising from a law.

3. categories of personal data

We only process data in connection with your application and a job interview. This may include the following personal data or categories of data:

  • Personal details and contact information, suchas name, address, email address, telephone number, date and place of birth, gender, marital status and nationality, visa and work permit (where required), bank details (for reimbursement of travel expenses), internal records of the interview;
  • Special categories of personal data, such as information on marital status, which may allow conclusions to be drawn about your sexual orientation; information on your health, such as severely disabled status; photos that allow conclusions to be drawn about your ethnic origin and, if applicable, your eyesight and/or religion;
  • Training, performance and employment data, suchas details of your professional qualifications and schooling, details of further professional training, certificates;
  • Other application documents, such asletter of application, CV, photo;
  • As well as any other data thatyou provide to us in connection with your application and during the interview.

The provision of your personal data as part of the application process is voluntary. However, we can only make a decision to establish an employment relationship or establish an employment relationship with you if you provide such personal data as is necessary to carry out the application.

4 Sources of the personal data

We process personal data that we receive from you by post, e-mail or via our applicant portal at the URL https://e-mobilio.jobs.personio.de/ (provided by our service provider Personio GmbH) when you contact us or submit your application. In certain cases, we collect personal data via third parties, in particular via professional networks such as LinkedIn or Xing and possibly via recruitment agencies.

5. recipients or categories of recipients of the personal data

We only pass on your personal data within our company to those areas and persons who need this data to fulfill (pre)contractual and legal obligations or to implement our legitimate interest.

Furthermore, your data will be passed on within our affiliated companies if necessary as part of a shared responsibility. Detailed information on this can be found inAppendix 1.

If necessary, we use service providers to process your personal data (such as for our applicant management system, for IT services and for our data centers), whereby your personal data is processed exclusively on our behalf and on the basis of data protection agreements. For further information, please contact us.

Otherwise, data will only be passed on to recipients outside e-mobilio if this is permitted or required by law, if the transfer is necessary to fulfill legal obligations or if we have your consent.

6. transfers to a third country

In principle, your personal data will only be processed within Germany, the European Union and the European Economic Area ("EEA"), where the provisions of the GDPR apply. As a rule, data is not transferred to countries, states or international organizations outside the EEA ("third country").

However, insofar as one of our service providers or the service providers may also use service providers that have their registered office, parent company or data centers in a third country, e-mobilio may transfer your personal data to a so-called third country in which the GDPR provisions do not apply. In such cases, data will only be transferred to third countries if the conditions of Chapter 5 (Art. 44 - 50) of the GDPR and the other provisions of the GDPR are implemented and complied with.

This applies in particular to the providers of the cloud applications we use for our company-wide communication system and for our CRM system.

Although we ensure that servers within Germany and the EU are used to store the data wherever possible, it cannot be ruled out that your data may be transferred to a third country (e.g. the USA) and processed there in this context.

We have concluded corresponding contracts with all our service providers of this kind and have also contractually agreed that guarantees in accordance with Chapter 5 (Art. 44 - 50) of the GDPR on data protection must always be in place with their contractual partners in compliance with the European level of data protection. We will provide you with a copy of these guarantees on request.

7 Duration of data storage

We store your personal data for as long as this is necessary for the decision on your application. If the application procedure is followed by an employment, training or internship relationship, we will store your data for as long as it is necessary for the performance of the associated employment relationship.

If we are unable to consider you for a position, your personal data or application documents will be deleted no later than six months after the end of the application process (after notification of the rejection decision), unless longer storage is legally required or permitted. We are subject to various retention and documentation obligations, including those arising from the German Commercial Code and labor law regulations. The retention and documentation periods specified there are five (5) to ten (10) years. Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three (3) years, but in certain cases can also be up to thirty (30) years. We only store your personal data beyond this if this is required by law or in a specific case for the assertion, exercise or defense of legal claims for the duration of a legal dispute.

If you have not already given us your consent to store your application in our talent pool in advance, you may receive an invitation to include your data in our talent pool following the application process. This allows us to consider you for suitable vacancies in our applicant selection process in the future. If we have your consent to do so, we will store your application data in our talent pool for 12 months after you have given your consent and then delete it accordingly.

8. your rights

You have the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to notification under Art. 19 GDPR and the right to data portability under Art. 20 GDPR.

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

If your personal data is processed on the basis of your consent, you are entitled under Art. 7 GDPR to revoke your consent at any time and without giving reasons for the future. This does not affect processing that took place before you withdrew your consent. Please also note that we may have to retain certain data for a certain period of time in order to comply with legal requirements (see section 7 of this data protection information).

Insofar as your personal data is processed in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR to protect legitimate interests, you also have the right to object to the processing of this personal data at any time in accordance with Art. 21 GDPR for reasons arising from your particular situation. We will then no longer process this personal data unless there are compelling legitimate grounds for the processing. These must outweigh your interests, rights and freedoms, or the processing must serve the assertion, exercise or defense of legal claims.

To assert your rights or if you have further questions about data processing, you can contact us using the contact details provided in section 1.

9 Automated decision-making / profiling

We do not use automated decision-making in accordance with Art. 22 GDPR for the application process and initiation of the employment relationship. We also do not carry out profiling.

Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.

10. changes to this data protection information

e-mobilio reserves the right to change this data protection information at any time.

Attachments:

Annex 1: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR

Appendix 1: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR

1. preamble

There is a cooperation between the controllers in the areas of marketing, customer service and finance & controlling or the entire accounting processes, such as financial accounting including accounts receivable and accounts payable and electronic payment transactions and payment of bonuses to end customers and commissions to affiliated companies and business partners, in accordance with Art. 26 GDPR in conjunction with Art. 4 No. 7 GDPR (cooperation between two or more controllers in the processing of personal data). As it is possible or necessary for the joint controllers to gain access to your personal data as part of this collaboration, they are jointly responsible for the protection of your personal data with regard to the processes described below. The main contents of the agreement between the controllers to fulfill their obligations under the GDPR are also described below.

2 Joint controllers

Controller A
Name: e-mobilio GmbH
Address: Medienbrücke 7th floor, Gisela-Stein-Str. 21, 81671 Munich, Germany
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing directors: Ralph Missy, Denis Reichel


Responsible B

Name: co2.auto GmbH
Address: Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing Directors: Ralph Missy, Denis Reichel

3. purposes and description of the processing

The purpose of data processing is to fill vacancies at all responsible parties through coordinated application management. The applicant data is used to assess suitability and is required to decide whether to invite the applicant to an interview.

The applicant data is processed jointly by all parties in order to exploit as many synergies as possible. Joint campaigns are also carried out, the results of which are accessed jointly in the form of the applicant data obtained.

Applications are received either by post, email or via the homepage by the respective responsible parties or online via the central application portal. In the case of telephone applications, applicants are requested to use one of the methods described above. In the case of paper applications, the mail is opened by Human Resources, stamped with a receipt stamp, scanned and entered into the "Personio" applicant management tool. In the case of online applications, confirmation of acknowledgement of the privacy policy provided is obtained during the initial submission process, and information on the transfer of data within the affiliated companies is provided. The data is largely collected automatically or entered by employees in the respective application management system. A SaaS application from Personio GmbH is used as a tool for this. The data is made available to the respective person responsible and processed by them. In the event of a negative decision, the applicant is informed immediately. In the event of a positive decision, a personal interview is first sought with the applicant via a video conference. The applicant is then invited to a personal interview. If this leads to employment, the application documents are entered into a personnel database. Electronic applications are also processed via the e-mail inbox. The rest of the procedure is identical to that by post. The electronic documents are not returned. In both cases, the electronic data will be deleted after six (6) months, unless the applicant has consented to longer storage in the applicant pool. Another option is the use of online platforms on which either the company or the applicants present themselves. This is controlled via the Personio application. The rest of the application process is identical to that described above. In the respective cases, the electronic data is deleted after six (6) months, unless the applicant has consented to longer storage in the applicant pool.

4 Affected groups of persons

Applicants are the data subjects of controllers A and B.

5 Categories of personal data

We only process data in connection with your application and a job interview. This may include the following personal data or categories of data:

  • Personal details and contact information, suchas name, address, email address, telephone number, date and place of birth, gender, marital status and nationality, visa and work permit (where required), bank details (for reimbursement of travel expenses), internal records of the interview;
  • Special categories of personal data, such as information on marital status, which may allow conclusions to be drawn about your sexual orientation; information on your health, such as severely disabled status; photos that allow conclusions to be drawn about your ethnic origin and, if applicable, your eyesight and/or religion;
  • Training, performance and employment data, suchas details of your professional qualifications and schooling, details of further professional training, certificates;
  • Other application documents, such asletter of application, CV, photo;
  • As well as any other data thatyou provide to us in connection with your application and during the interview.

The provision of your personal data as part of the application process is voluntary. However, we can only make a decision to establish an employment relationship or establish an employment relationship with you if you provide the personal data that is required to complete the application.

6 Joint responsibility and assignment of responsibilities for process steps

Even if there is joint responsibility, the controllers must fulfill the data protection obligations in accordance with their respective responsibilities for the individual process steps described below.

6.1In the context of joint controllership,Controller A is responsible forthe processing of personal data in the following process stages:

  • Collection of data: Collection of the respective project-related personal data of the corresponding groups of data subjects; information obligations pursuant to Art. 13, 14 and 26 para. 2 sentence 2 GDPR.
  • Storage of the data: Storage of the data in the applicant management system or in our own data storage systems.
  • Processing / use of the data: Recording, processing and evaluation of the above-mentioned data categories in the applicant management system to screen the relevant applicants. If necessary, forwarding to the relevant contact person for processing the application. In the event of recruitment, forwarding the data to the HR managers. Printing, copying, archiving, deleting and destroying data and documents in accordance with legal requirements.
  • Deletion of the data: In accordance with the deletion concept.

6.2 Within the scope of joint responsibility,Controller B is responsible forthe processing of personal data in the following process stages:

  • Collection of data: Collection of the respective project-related personal data of the corresponding groups of data subjects; information obligations pursuant to Art. 13, 14 and 26 para. 2 sentence 2 GDPR.
  • Storage of the data: Storage of the data in the applicant management system or in our own data storage systems.
  • Processing / use of the dataRecording, processing and evaluation of the above-mentioned data categories in the applicant management system to screen the relevant applicants. If necessary, forwarding to the relevant contact person for processing the application. In the event of recruitment, forwarding the data to the personnel managers. Printing, copying, archiving, deleting and destroying data and documents in accordance with legal requirements.
  • Deletion of data: In accordance with the deletion concept.

6.3Thepersons responsible arejointly responsiblefor the process sections described below:

  • Determining the purpose of data processing, determining the categories of personal data concerned, guaranteeing the rights of data subjects in accordance with Art. 15, 16, 17, 18, 19, 20 and 21 GDPR, documenting the technical and organizational measures (TOM) in accordance with Art. 32 GDPR, risk assessment and (if necessary) carrying out data protection impact assessments (DPIA) in accordance with Art. 35 GDPR, as well as coordination with the supervisory authorities, evaluation and monitoring of processors in accordance with Art. 28 GDPR, provision and documentation of processing records in accordance with Art. 30 GDPR, evaluation and communication in the event of data breaches in accordance with Art. 33, 34 GDPR.

7. agreements of the controllers regarding their data protection obligations

7.1 Information obligations pursuant to Art. 13 and 14 GDPR

In accordance with the contractual agreements, the controllers shall provide the data subjects with the information required under Art. 13 and 14 GDPR in a transparent and easily understandable form. Each controller shall provide the other controller with all necessary information from its sphere of activity.

7.2 Contact point for the assertion of data subject rights in accordance with the GDPR

The controllers may designate a contact point to which data subjects can turn to assert their rights under the GDPR. Irrespective of this agreement, data subjects can always assert their rights under Art. 26 (3) GDPR against each of the controllers. The controllers shall inform each other immediately of any claims asserted by data subjects and provide each other with all information necessary for processing.

7.3 Technical and organizational measures

The controllers have agreed to comply with all legal requirements in accordance with Art. 32 GDPR with the help of suitable technical and organizational measures in order to ensure an appropriate level of protection for the processing of personal data.

7.4 Further data protection obligations under the GDPR

The controllers have undertaken to support each other in complying with the contractually agreed provisions and all applicable data protection regulations and to coordinate accordingly. This applies in particular to the following areas

  • Measures in the event of any data protection breaches;
  • Cooperation with the competent data protection authorities;
  • Creation and maintenance of processing directories;
  • Coordination in the event of any deletion of personal data (statutory retention periods, etc.);
  • Involvement of contract processors;
  • Cooperation with the respective data protection officers;
  • Obligation of all persons involved in data processing to maintain confidentiality.