Name and address of the data controller
The data controller as per the European General Data Protection Regulation (“EU GDPR”), other applicable national data protection regulations valid in the member states and other data protection provisions is:
Fabrikstraße 8, 91224 Pommelsbrunn
Phone: 09154-91592-0 Fax: 09154-91592-250
firstname.lastname@example.org ; www.hcr-gmbh.de
Managing Director: Helmut Wild, Carmen Gihl
Registered office of the company: Pommelsbrunn
Commercial register entry: Registry Court Nuremberg; Reg.-No. HRB 13281
VAT-identification number.: DE173847555
(hereinafter referred to as “we”, “us” or “our”)
Name and address of our data protection officer
Data processing when you visit our website
a. Storage in logfiles
When you visit our website, the browser used on your device automatically sends information to our website's server. This information is then temporarily stored in a logfile. The following information will therefore be collected without any action on your part and stored until it is automatically deleted when you close your browser:
IP address of the requesting device
Date and time of the visit
Name and URL of the accessed file
Website from which you were referred to us (referred URL)
Browser used and the device operating system, if required, and the name of your access provider
b. Legal basis
This data processing takes place on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the data collection purposes listed below.
The aforementioned data is collected by us for the following purposes:
To ensure smooth connection of the website;
To ensure the user-friendliness of the website;
To analyse system security and stability;
And for other administrative purposes.
Contacting us by email
a. Description, scope and duration of data processing
If you have any questions, you can contact us by email. The data we collect in this regard comprises your email address and the content of your email. Your data is erased as soon as it is no longer required for the purpose for which it was collected. This is also the case for personal data which is disclosed when you contact us, provided your query has been processed and statutory retention periods no longer apply.
b. Legal basis
We process personal data that you disclose when you contact us on the basis of your consent as per Art. 6 para. 1 lit. a GDPR. If you contact us with the intention of concluding a contract, the additional legal basis of Art. 6 para. 1 lit. b shall apply for the processing of your personal data.
If you contact us, we will process your personal data in order to handle your request.
d. Right to object and deletion
You reserve the right to object to the processing of your data when you contact us at any time with future effect. Please bear in mind that if you object to this processing, we will not be able to further process your query. All personal data collected as part of the exchanged communications will be deleted in this case, unless otherwise required by statutory retention periods.
Data subject disclosures as per Art. 12 ff. GDPR
a. Legal basis
When processing a data-protection query (data subject disclosure), your personal data, or the personal data of the contact persons at your company is processed on the legal basis of Art. 6 para. 1 lit. c in conjunction with Art. 12 ff. GDPR. The legal basis for the subsequent documentation of legally compliant processing of data subject disclosures is Art. 6 para. 1 lit. f GDPR.
We process your personal data within the scope of processing data subject disclosures in order to respond to queries related to data protection. The subsequent documentation of legally compliant processing of the respective data subject disclosure fulfils the legally required obligation to provide proof as per Art. 5 para. 2 GDPR.
c. Retention period
Your data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of the processing of data subject disclosures, this period shall expire 3 years after the end of the respective processing as per Art. 41 of the German Federal Data Protection Act (BDSG) in conjunction with Art. 31 para. 2 no. 1 of the German Law of Regulatory Offences (OWiG).
d. Right to object and deletion
You reserve the right to object to the processing of your data in relation to the processing of data subject disclosures at any time with future effect. Please bear in mind that if you object to this processing, we will not be able to further process your data protection query.
We are required to document the legally compliant processing of the respective data subject disclosures. As follows, you are not entitled to object hereto.
Legal defence and enforcement
a. Legal bases
The legal bases for the processing of your personal data or the personal data of the contact persons at your company within the scope of legal defence and enforcement are Art. 9 para. 2 lit. f and Art. 6 para. 1 lit. f GDPR.
We process your personal data within the scope of legal defence and enforcement to defend against unwarranted claims and to legally assert and exercise our claims and rights.
c. Retention period
Your data is deleted as soon as it is no longer required for the purpose for which it was collected.
d. Right to object and deletion
The processing of your personal data within the scope of legal defence and enforcement is required for our legal defence and enforcement. As follows, you are not entitled to object hereto.
Rights of the data subject
If we process your personal data or the personal data of the contact persons at your company, you or the contact persons at your company are regarded as the data subject as per the GDPR. Data subjects are granted the following rights:
a. Right to information
You have the right to receive information concerning your personal data processed by us as per Art. 15 GDPR. In particular, you may request information concerning the purposes of the processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the envisaged retention period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to appeal, information on the origin of your data if it was not collected by us, as well as the existence of automated decision making including profiling and, if applicable, conclusive information on the details thereof.
b. Right to rectify
You have the right to demand the immediate rectification of any incorrect or incomplete personal data stored by us as per Art. 16 GDPR.
c. Right to erasure
As per Art. 17 GDPR, you are entitled to request the deletion of your personal data stored by us if the processing of your personal data is required to assert your right to freedom of speech and information, to fulfil legal obligations, for reasons in the public interest or to assert, exercise or defend legal claims.
d. Right to restrict data processing
Furthermore, as per art. 18 GDPR, you reserve the right to demand the processing of your personal data is restricted if you dispute the accuracy of the data, if the processing is unlawful but you object to its erasure, if we no longer need the data, however you need it for the assertion, exercise and defence of legal claims or if you have lodged an objection to the processing in accordance with Art. 21 EU GDPR.
e. Right to notification
If you have asserted your right to rectification, deletion or to restrict processing, we are obligated to notify all recipients of the respective personal data of this rectification, deletion or restriction to processing. According to Art. 19 clause 2 GDPR, you reserve the right to be informed about those recipients if so requested.
f. Right to data portability
According to Art. 20 GDPR, you have the right to receive the personal data you have provided us with in a structured, conventional and machine-readable format, or to request the transfer thereof to another data controller.
g. Right to object to direct advertising
If we process your personal data on the basis of our legitimate interests as per Art. 6 para. 1 lit. f GDPR, you are entitled, as per Art. 21 GDPR, to file and object to the processing of your personal data, provided this is based on grounds that pertain to your personal situation or due to an objection to direct advertising. In the latter case, you are entitled to the general right to object to processing, which we must comply with without requiring any information on your personal situation.
b. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or legal remedy, you are entitled to lodge a complaint with a supervisory authority as per Art. 77 GDPR if you suspect that your personal data is being processed unlawfully.
As a rule, you can direct this complaint at the supervisory authority responsible for your domicile, workplace or our registered office. The competent data protection supervisory authority for our registered office is the
Bavarian Data Protection Authority (BayLDA)
a. Scope of the processing of personal data
We process your personal data and the personal data of the contact persons at your company solely in cases where this is required to perform our services. We process your personal data on a regular basis for the purposes of fulfilling our contractual duties of performing pre-contractual measures.
b. Legal bases for the processing of personal data
Provided we obtain the consent of the data subject, we process the corresponding data on the basis of Art. 6 para. 1 lit. a GDPR.
If we process personal data to fulfil our duties within the scope of a contract concluded between you and us, this processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR. This also applies to processing that is required to perform pre-contractual measures.
If the processing of personal data is required to fulfil statutory obligations to which we are subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
If we are required to process your personal data to safeguard our own legitimate interests or the legitimate interests of a third party, and the interest in question outweighs your interests, fundamental rights and freedoms, or the interests, fundamental rights and freedoms of the contact persons at your company, Art. 6 para. 1 lit. f GDPR serves as the legal basis for this processing.
c. Data erasure and retention period
Your personal data and the personal data of the contact persons at your company will be deleted or blocked as soon as the original purpose for which the data was stored has been fulfilled. However, your data may be saved for a longer period if required as per the European or national legislator in Union directives, laws or other acts to which we are subject. In this case, your data will only be blocked or deleted once the specified statutory retention period expires, provided the data no longer needs to be stored to conclude a contract or fulfil contractual duties.
If you apply for a job at our company or at a company owned by one of our (potential) clients, your application is voluntary and you can withdraw it at any time. The employees and departments at our company who require your personal data to process your application shall be granted access to it. We process your personal data within the scope of the application process as follows:
a. Categories and origin of your personal data
We process all data and documents linked to your application, including
the following information:
Name, date of birth, curriculum vitae, nationality/work permit
Contact details, in particular your address, phone number, email
Certificates, qualifications, e.g. your driving licence
Information on your health suitability for the position and any disabilities, if necessary
Severe disability, if necessary
We process the personal data you disclose to us, including data you legally disclose to other agencies or other third parties, provided this is required for the application process and we are permitted to process this data according to statutory provisions. In particular, we process personal data that we have legally obtained, received or acquired from publicly accessible sources e.g. information found on social networks, commercial and association registers, civil registers, the press, online and other sources.
b. Purposes and legal bases for the processing of your personal data
aa. To fulfil contractual duties or perform pre-contractual measures, Art. 6 para. 1 lit. b GDPR in conjunction with Art. 26 BDSG
Processing of your personal data to process your application for a specific vacancy or for an unsolicited application and in relation hereto takes place for the following purposes:
To check and evaluate your suitability for the position to be filled;
To draw up the employment contract;
To assert legal claims and to defend legal disputes.
bb. To balance interests as per Art. 6 para. 1 lit. f GDPR in conjunction with Art. 26 BDSG
In addition to fulfilling the (preliminary) contract, we may also process your data if this is required to protect our legitimate interests or the legitimate interests of third parties. This includes:
To assert legal claims and to defend legal disputes;
To prevent and investigate criminal offences;
To introduce measures to secure our premises and systems (e.g. access controls using electronic lock systems, where applicable).
Accordingly, your data will only be processed to the extent that you do not have any interests that outweigh our interest in the corresponding processing.
cc. On the basis of your consent as per Art. 6 para. 1 lit. a GDPR in conjunction with Art. 26 BDSG
We reserve the right to process your personal data for certain purposes after we obtain your consent, e.g. to collect references from previous employers or to contact you for future vacancies or for communications with our clients and potential clients.
In principle, you are entitled to revoke your consent at any time with future effect. Processing that takes place prior to revocation is not affected by this and shall remain lawful. You will be separately informed of the purpose and consequences of revoking or refusing your consent in the corresponding text when we obtain you consent.
If your application documents contain photos, we therefore assume that this implies you consent to us processing your photo. As per Art. 7 para. 3 clause 1 GDPR, you are entitled to revoke your consent in this regard at any time.
dd. To fulfil legal duties to which the data controller is subject, Art. 6 para. 1 lit. c GDPR in conjunction with Art. 26 BDSG
We also process your personal data to fulfil a number of legal duties to which we are subject. These include, amongst others, the requirements of employment, social, trade and tax law. In this regard, processing is carried out on the basis of the respective statutory regulations in conjunction with Art. 6 para. 1 lit. c GDPR and Art. 26 BDSG.
If we are required to process special categories of personal data, including information on your health, as per Art. 9 para. 1 GDPR as part of the application process, this processing solely takes place to ensure that we fulfil our legal duties as per Art. 164 of the Social Security Code IX.
c. Recipients or categories of recipients of your personal data:
Within our company, your data shall be disclosed to the employees, internal bodies or organisational units in the extent required to fulfil our contractual and legal duties or within the scope of processing or asserting our legitimate interests such as, for instance, executives and line managers looking to hire a new employee or those who participate in the decision of filling a vacancy, accounting, etc.
We shall only pass on your data to external parties
if you have granted your consent to clients and potential clients for your placement;
for purposes whereby we are required to provide information or transfer data as per statutory requirements, e.g. to the tax authorities, or we are required to disclose your personal data in the public interest;
if we use external service providers to process data on our behalf as processors or the providers of features, e.g. external IT service providers and web providers;
on the basis of our legitimate interests or the legitimate interests of a third party for the aforementioned purposes, e.g. to lawyers;
if you have granted us permission to transfer your data to third parties.
Your data shall not be passed on to third parties without separation notification from us. If we commission service providers within the scope of data processing, your data will remain subject to the security standards upheld by us to ensure your data is adequately protected. In all other cases, recipients are only permitted to use your data for the purpose for which it was transferred.
d. Retention period and deletion of your applicant data
We will delete your personal data as soon as it is not longer required for the application process, e.g. if your application is rejected. However, this shall not apply if statutory requirements prevent deletion or further storage is required for evidence purposes. For example, personal data may be retained for evidence purposes for the time during which there is a chance that claims could be asserted against our company, e.g. as per the General Equal Treatment Act.
e. Retention period and deletion of your applicant data if you consent to joining the applicant pool
If you have agreed to the inclusion of your application in our applicant pool, we shall accordingly store your data for a maximum of 48 months, following which your data will be automatically deleted from the pool. You reserve the right to request that your data is deleted from the applicant pool prior to the expiration of this 48-month period. Your data will then be immediately deleted.
f. Retention period and deletion of your applicant data if an employment relationship is established
If your application is successful and we enter into an employment relationship with you, we shall continue to store and use your data for common organizational and administrative purposes and to conduct the employment relationship according to the pertinent statutory requirements. We shall provide you with more details in relation to the respective process.
g. Restrictions for data transfers to third countries
We only process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or do so in relation to utilising the services of third parties or to disclose or transfer data to other persons or companies, if this processing is required to fulfil our (pre)contractual obligations, on the basis of your consent, legal duties or our legitimate interests. Notwithstanding statutory or contractual authorisations, we shall only process or store data in a third country if the pertinent statutory requirements have been met. i.e. processing is carried out, for instance, on the basis of specific guarantees, such as the officially recognised establishment of a level of data protection equivalent to the level in the EU or compliance with officially recognised specific contractual obligations.