The protection of personal data is an important concern for H&Z Unternehmensberatung GmbH ("H&Z" or "we"). We process personal data exclusively in accordance with the legal requirements, in particular the EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG"). This privacy policy for applicants describes how we store and process your personal data when you apply for a job with us by email, post, LinkedIn or in any other way, and what rights you have in this regard.

Who is responsible for processing my data? How can I contact H&Z?

H&Z Unternehmensberatung GmbH is responsible for the processing of your personal data within the meaning of the GDPR.

You can contact H&Z at any time using the contact details below:

H&Z Unternehmensberatung GmbH,
Max-Joseph-Straße 6
80333 Munich
Phone: +49 892429690

If you have any questions about the protection of your personal data, you can contact the central data protection coordinator, Christof Sonderhauser, at the following e-mail address;

E-Mail: christof.sonderhauser@hz.group

You can contact H&Z's data protection officer at:
E-mail: datensicherheit@hz.group

Which of my data is processed?

H&Z collects the data that you disclose to H&Z as part of your application, in particular your desired position, name, title, address, e-mail, telephone, date of birth, details of school, academic and professional training, current and previous employment, certificates, language skills, computer skills.
We may also receive the aforementioned personal data from recruitment agencies with whom we work. In addition, we may collect data from you that you have published via application platforms and publicly accessible and professionally used social media to maintain existing and establish new business contacts (e.g. LinkedIn, Xing). This includes your name, contact details, information on your professional career and other relevant data that you may disclose in the respective network for professional purposes.
When submitting your application, please ensure that you do not disclose any sensitive personal data about yourself (e.g. information about health, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation), as this information is not required for an assessment of your skills and qualifications for the purpose of deciding on your application.

For what purposes and on what legal basis is my data processed? How long will my data be stored?

H&Z processes your data in the context of your application only to the extent necessary for the processing of your application (including the performance of pre-employment compliance checks) and the decision on the establishment of an employment relationship with you. The legal basis for the processing of your data is the necessity of the processing for the decision on the establishment of an employment relationship with you (Art. 6 para. 1 lit. b) GDPR, § 26 para. 1 sentence 1 BDSG). Insofar as it is necessary to carry out certain measures for pre-employment compliance checks so that H&Z can fulfill its legal obligations, the processing of your data is based on our legitimate interests in complying with these legal obligations and preventing any disadvantages and sanctions resulting from a violation of the law (Art. 6 para. 1 lit. f) GDPR).
Insofar as we collect and process data that you have published via application platforms or publicly accessible and professionally used social media in the run-up to an application procedure, we base the processing of your data in this regard on our legitimate interest in recruiting suitable applicants for our company (Art. 6 para. 1 lit. f) GDPR).
If an employment relationship is established with you, we will transfer your data from the application process - insofar as it is relevant for the establishment and implementation of the employment relationship - to our personnel database and process it in accordance with our data protection declaration for employees in accordance with our data protection retention and deletion processes.
If no employment relationship is established, we will store your data for a period of 6 months after the application process has been completed. The legal basis for the storage of the data is the necessity of the processing to safeguard our legitimate interests in the assertion, exercise or defense of legal claims, in particular the defense against any claims asserted in accordance with the AGG (Art. 6 para. 1 lit. f) GDPR).
We generally delete your data after expiry of the retention period specified above, unless deletion conflicts with statutory retention obligations or longer storage is necessary in a specific case to fulfill other legal obligations or to protect our legitimate interests (assertion, exercise or defense of our legal claims).

Am I obliged to provide my data?

You are neither contractually nor legally obliged to provide us with your data. However, we may not be able to process your application in full if you do not provide the data required to process your application.

Who will my data be passed on to?

Your data will be treated as strictly confidential and will only be passed on internally to the relevant departments/employees who need to know your data in order to process your application.
In addition, we pass on your data to external recipients insofar as this is necessary to achieve the above-mentioned purposes:

The storage and management of the data specified in section 2  by H&Z takes place in the centralized personnel management system of the H&Z Group. Insofar as this is necessary for the processing of the application procedure, in particular for checking qualifications and suitability and for conducting interviews, we may pass on your data to other companies of the H&Z Group or grant them access to your data. In these cases, too, an authorization concept ensures that only those employees of the H&Z Group who need your data to carry out the application process and decide on your recruitment are granted access to your data. In this context, H&Z and the other H&Z Group companies involved in the processing process your data as joint controllers and have concluded a joint controllership agreement that meets the requirements of Art. 26 GDPR. For an effective assertion of your rights as a data subject (see section 6), you can contact the central point of contact at H&Z at any time using the details provided in section 1 even if the processing is carried out within the scope of joint responsibility by another H&Z Group company mentioned above. Of course, you also reserve the right to assert your rights directly against the Group company concerned.

Further information on joint responsibility and the relevant agreement between H&Z and the other H&Z Group companies can be obtained at any time on request from H&Z at the addresses given in section 1 mentioned contact details.

• In addition, we transmit your data to the extent permitted by law for the purposes described above in section 3 above to carefully selected external service providers, such as hosting and IT service providers, legal advisors, tax consultants and business partners (e.g. travel agencies, hotels, airlines), who are contractually obligated in accordance with the relevant data protection regulations. These companies may only process your personal data insofar as this is necessary for the provision of the services commissioned by us. Your data will neither be sold to third parties nor marketed in any other way.
• 
  

In particular, we use the web-based personnel administration and application management software of Personio SE & Co KG, Seidlstraße 3, 80335 Munich, Germany (hereinafter referred to as "Personio") for the processing of personal data of applicants and employees. The data collected as part of your application and the execution of your employment relationship is transmitted in encrypted form and stored and processed in a database operated by Personio. Personio processes your personal data on our behalf on the basis of an order processing contract in accordance with Art. 28 GDPR. You can find further information on data protection at Personio at https://www.personio.de/ueber-uns/datenschutz/.

In some cases, the above-mentioned recipients may be located in countries outside the European Union and the contracting states of the European Economic Area ("third countries"), in particular in the case of transfers to service providers in the USA. The laws of these countries may not guarantee a level of data protection that has been deemed adequate by the European Commission in the context of an adequacy decision. In these cases, however, we have taken suitable and appropriate measures to ensure that your data is also adequately protected by the recipients in third countries and that the level of data protection required by European law is not undercut (e.g. by concluding EU standard contractual clauses and implementing additional measures).
To find out more about the specific recipients of your data, the respective third countries and the measures we have taken to protect your data, including the possibility of obtaining a copy of the measures, please contact H&Z at the details provided in section 1 above.

What rights do I have and how can I exercise them?

You have the right in accordance with the statutory provisions:

to request information about the personal data processed by you and a copy of this data (right to information);

to request the rectification of inaccurate personal data and, taking into account the purposes of the processing, the completion of incomplete personal data (right to rectification); please let us know whether your data and, if applicable, which of your data that we store has changed so that we can correct or update the relevant data.

to demand the deletion of your personal data if there are legitimate reasons for doing so (right to deletion);

to demand the restriction of the processing of your personal data, provided that the legal requirements are met (right to restriction of processing);

if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transmit this data to another controller or, if technically feasible, to have it transmitted by us (right to data portability); and

not to be subject to a decision based solely on automated processing, unless the legal requirements for this are met. Automated decision-making does not take place at H&Z.

You also have the right to object, on grounds relating to your particular situation, to processing of your data which is necessary for the purposes of the legitimate interests pursued by H&Z or by a third party (right to object). If personal data is processed by H&Z for the purpose of direct marketing, you have the right to object to this processing at any time without the need for special reasons.
If your data is processed on the basis of consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing of your data based on consent before its withdrawal.
To exercise your rights and to revoke any declaration of consent, please contact H&Z at the address given in section 1 listed contact details. Your rights with regard to the processing of personal data in the context of the data processing described in section 5 You can assert your rights with regard to the processing of personal data within the scope of the joint responsibility described in section 5 with and against each of the aforementioned controllers , i.e. against H&Z or against H&Z Unternehmensberatung GmbH (Hietzinger Kai 133/Top 201, 1130 Vienna, Austria, e-mail: datensicherheit@hz.group), H&Z Business Consulting AG (Steinstrasse 21, 8003 Zurich, Switzerland, e-mail: datensicherheit@hz.group) and against H&Z Management Consulting Ltd (United Kingdom, 48 Dover Street, London W1S 4FF, e-mail: datensicherheit@hz.group, ). In order to exercise your rights effectively, we recommend that you contact H&Z as the central point of contact using the details set out in section 1 contact details listed in section 1.
In addition, without prejudice to other legal remedies, you have the right to lodge a complaint with a supervisory authority at any time.

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.