Data subject information for applicants

We process personal data in compliance with the EU General Data Protection Regulation (EU-DSGVO), the Federal Data Protection Act (BDSG), and all other applicable laws. We comply with our obligation to provide information in the following.

I. Name and address of the controller

The controller in the sense of the General Data Protection Regulation and other national data protection laws of the member states and other data protection regulations is:

shopware AG

Ebbinghoff 10

48624 Schöppingen

Tel: +49 (0) 2555 92885-0

Fax: +49 (0) 2555 92885-99

Email: info@shopware.com

II. Name and address of the data protection officer

The controller’s data protection officer is:

Sascha Kremer, Fachanwalt für IT-Recht

c/o KREMER RECHTSANWÄLTE

Brückenstraße 21

50667 Köln (Innenstadt)

III. Applications

Affected category: Applicant

Data category: Master data, Address data, Communication data private, Communication data professional, Occupation, Application photo, Health data, Religious affiliation, Citizenship

Purposes of processing: Initiation of an employment relationship. Archiving in the event of a non-employment action under the General Equal Treatment Act (§ 15 para. 1 AGG). Subsequent contact with applicants after the application process has been completed will only be made with the applicants' consent.

Legal basis for the processing of personal data: The processing of your personal data is based on legal regulations that permit data processing. This is because the processing is necessary for the provision of the service (§ 25 II No. 2 TTDSG, Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 p. 1 lit. b EU-DSGVO).

Furthermore, the implementation of the online recruitment test and the associated processing of your personal data is necessary for the possible establishment of an employment relationship (Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 p. 1 lit. b EU-DSGVO). In addition, we have a legitimate interest in enabling you to take part in the online recruitment test and in enabling us to carry out the online recruitment test as part of the application process (Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 lit. f DS-GVO).

Data deletion and storage period: We delete unsuccessful applications no later than six months after rejection.

Transmission of data:

To fulfill the purpose as mentioned above, we may share or need to share your personal data with others. These are service providers, i.e., companies that provide us with the products and services provided, such as IT system providers and IT support. In addition, we may need to share your personal data with other companies or public bodies as part of the application process. This may depend on which job you have applied for. For example, we may have to share your personal data with the Chamber of Industry and Commerce (IHK) or the Employment Agency (Arbeitsagentur) in the event of an intention to hire you for an apprenticeship.

To fulfill the purposes as mentioned above, it may also happen that we transfer your personal data to recipients outside Germany. For example, your personal data may be shared with international teams to connect with colleagues. It may also happen that the service providers we use are based outside Germany or operate their systems outside Germany. Your personal data may be transferred internationally to countries in which we operate. If your personal data is transferred to recipients within the European Economic Area, the data protection complies with European regulations.

If your data is transferred to recipients outside the European Economic Area, we will ensure appropriate data protection. This data protection then also complies with the European data protection regulations. The transfer of personal data to recipients located outside the European Economic Area is carried out in compliance with the supplementary requirements of Art. 44 et seq. DSGVO. As a rule, appropriate contracts are concluded with these recipients, including the EU standard contractual clauses issued by the EU Commission to safeguard such international data transfers.

Your personal data may also be transferred to recipients in countries where the European Union has already decided that the European data protection requirements will be complied with. These include Canada, New Zealand, Switzerland, and the United Kingdom. A complete list of countries with adequacy decisions can be found on the following page of the Hessian data protection authority: https://datenschutz.hessen.de/datenschutz/internationales/angemessenheitsbeschl%C3%BCsse

IV. Applicant management tool Recruitee (Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, The Netherlands)

Affected category: Applicant

Data category: Degrees/education, Master data, Address data, Communication data private, Communication data professional, Occupation, Application picture, Health data, Religious affiliation, Citizenship

Purposes of processing: Optimization of the recruitment process

Legal basis for the processing of personal data: The processing of your personal data is carried out based on legal regulations that permit data processing.

The implementation of the online recruitment test and the associated processing of your personal data is necessary for the possible establishment of an employment relationship (Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 p. 1 lit. b EU-DSGVO). Furthermore, we have a legitimate interest in enabling you to take part in the online recruitment test and in enabling us to carry out the online recruitment test as part of the application process, without your overriding interest being opposed to this (Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 lit. f DS-GVO).

Data deletion and storage period: We delete unsuccessful applications no later than 6 months after rejection.

Transmission of data:

To fulfill the purpose as mentioned above, we may share or need to share your personal data with others. These are service providers, i.e., companies that provide us with the products and services provided, such as IT system providers and IT support. In addition, we may need to share your personal data with other companies or public bodies as part of the application process. This may depend on which job you have applied for. For example, we may have to share your personal data with the Chamber of Industry and Commerce (IHK) or the Employment Agency (Arbeitsagentur) in the event of an intention to hire you for an apprenticeship.

To fulfill the purposes as mentioned above, it may also happen that we transfer your personal data to recipients outside Germany. For example, your personal data may be shared with international teams to connect with colleagues. It may also happen that the service providers we use are based outside Germany or operate their systems outside Germany. Your personal data may be transferred internationally to countries in which we operate. If your personal data is transferred to recipients within the European Economic Area, the data protection complies with European regulations.

If your data is transferred to recipients outside the European Economic Area, we will ensure appropriate data protection. This data protection then also complies with the European data protection regulations. The transfer of personal data to recipients located outside the European Economic Area is carried out in compliance with the supplementary requirements of Art. 44 et seq. DSGVO. As a rule, appropriate contracts are concluded with these recipients, including the EU standard contractual clauses issued by the EU Commission to safeguard such international data transfers.

Your personal data may also be transferred to recipients in countries where the European Union has already decided that the European data protection requirements will be complied with. These include Canada, New Zealand, Switzerland, and the United Kingdom. A complete list of countries with adequacy decisions can be found on the following page of the Hessian data protection authority: https://datenschutz.hessen.de/datenschutz/internationales/angemessenheitsbeschl%C3%BCsse

V. Online recruitment tests for software developers as part of the application process

Affected category: Applicant

Data category: Contact details, IT usage data, test results

Purposes of processing: To automate and structure the recruiting of software developers via tests that assess the programming skills of applicants.

Legal basis for the processing of personal data: The processing of your personal data is based on legal requirements that allow data processing. This is because the processing is necessary for the provision of the service (§ 25 II No. 2 TTDSG, Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 p. 1 lit. b EU-DSGVO). Furthermore, the implementation of the online recruitment test and the associated processing of your personal data is necessary for the possible establishment of an employment relationship (Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 p. 1 lit. b EU-DSGVO). In addition, we have a legitimate interest in enabling you to take part in the online recruitment test and in enabling us to carry out the online recruitment test as part of the application process (Art. 88 EU-DSGVO in conjunction with § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 lit. f DS-GVO).

Data deletion and storage period: We delete unsuccessful applications no later than 6 months after rejection.

Transmission of data:

To fulfill the purpose as mentioned above, we may share or need to share your personal data with others. These are service providers, i.e., companies that provide us with the products and services provided, such as IT system providers and IT support.

To fulfill the above purposes, we may also transfer your personal data to recipients outside Germany. For example, your personal data may be shared with international teams to contact colleagues. Your personal data may be transferred internationally to countries in which we operate. If your personal data is transferred to recipients within the European Economic Area, the data protection complies with European regulations.

If your data is transferred to recipients outside the European Economic Area, we will ensure appropriate data protection. This data protection then also complies with the European data protection regulations. The transfer of personal data to recipients located outside the European Economic Area is carried out in compliance with the supplementary requirements of Art. 44 et seq. DSGVO. As a rule, appropriate contracts are concluded with these recipients for this purpose, including the EU standard contractual clauses issued by the EU Commission to safeguard such international data transfers.

Your personal data may also be transferred to recipients in countries where the European Union has already decided that the European data protection requirements will be complied with. These include Canada, New Zealand, Switzerland, and the United Kingdom. A complete list of countries with adequacy decisions can be found on the following page of the Hessian data protection authority: https://datenschutz.hessen.de/datenschutz/internationales/angemessenheitsbeschl%C3%BCsse

VI. General information on data processing

Purposes of processing: We process personal data to initiate the contract and for the conclusion of the contract. We process data to implement the contractual relationship if the contract is concluded. For the execution of the agreement, it is partly also a mandatory requirement that we process personal data. Furthermore, we need such data for an overall assessment of the contractual relationship, for example, to be able to amend or adapt a contract or to provide information.

If we intend to process personal data for a purpose other than the one for which the personal data was collected, we will provide information about this other purpose before further processing.

Legal basis for the processing of personal data: Insofar as the processing concerns data of applicants, the legal bases are Art. 88 para. 1 EU-DSGVO in conjunction with Section 26 para. 1 sentence 1 BDSG, Art. 88 para. 1 EU-DSGVO in conjunction with Section 26 para. 3 sentence 1 BDSG, Art. 6 para. 1 sentence 1 lit. a, Art. 6 para. 1 lit. b, c and f EU-DSGVO.

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (DSGVO) serves as the legal basis. According to Art. 7 (3) EU-DSGVO, consent can be revoked at any time. This also applies to declarations of consent given to us before the GDPR came into effect on 25.05.2018. However, the revocation of consent does not affect the lawfulness of the processing carried out based on the consent until revocation.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

If the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c DSGVO serves as the legal basis. If processing is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing. This may be the case, in particular, to ensure IT security and IT operations, to be able to provide information to data subjects, to carry out photographic documentation without publishing it, to prevent and investigate criminal offenses, and to be able to assert and/or defend legal claims.

Data deletion and storage period: The data subject's personal data will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if the European or national legislator has provided for this in Union regulations, laws, or other provisions to which the person responsible is subject. Data will also be blocked or deleted if a storage period prescribed by the standards as mentioned above expires unless there is a necessity for the continued storage of the data for the conclusion or fulfillment of a contract.

We store the personal data for the purposes as mentioned above. As soon as the contractual relationship with you expires and all mutual claims are fulfilled, we delete your data, provided that there are no other statutory retention obligations (such as from the HGB or the AO) or other statutory justification reasons (statutory limitation periods of three to thirty years) for storing it. This means that we generally delete your data after the expiry of the statutory retention obligation, which regularly ends ten years after the end of the contract.

VII. Rights of the data subject

If users’ personal data is processed, they are the data subject within the meaning of the GDPR and they are entitled to the following rights from the controller, whereby the following list includes all of their rights, not just the rights arising from the use of our services:

1. Right to information

Users can ask the controller to confirm whether personal data concerning them is being processed by us. If processing has taken place, users can request the following information from the controller:

  • 1.1. the purposes for which personal data is being processed;

  • 1.2. the category of personal data being processed;

  • 1.3. the recipient or categories of recipients to whom the personal data concerning them has been or is still being disclosed;

  • 1.4. the planned storage duration of the personal data concerning them or, if specific information on this is not possible, criteria for determining the storage period;

  • 1.5. the existence of a right to have the personal data concerning them corrected or deleted, a right to have processing restricted by the controller or a right to object to this kind of processing;

  • 1.6. the existence of a right to complain to a supervisory authority;

  • 1.7. all available information regarding the origin of the data if the personal data is not collected from the data subject;

  • 1.8. the existence of automated decision-making, including profiling in accordance with Art. 22 Abs. 1 and 4 GDPR and – at least in these cases – significant information on the logic involved and the scope and intended effects of this kind of processing for the data subject.

Users have the right to request information as to whether the personal data concerning them is transferred to a third country or to an international organisation. In this context, they can request to be informed of the appropriate guarantees according to Art. 46 GDPR in connection with the transmission.

2. Right to correction

Users have a right to the correction and/or completion by the controller if the personal data processed concerning them is incorrect or incomplete. The controller must make the correction without delay.

3. Right to restrict processing

Users may request that the processing of personal data concerning them be restricted under the following conditions:

  • 3.1. if users dispute the accuracy of the personal data concerning them for a period of time that enables the controller to verify the accuracy of the personal data;

  • 3.2. processing is unlawful and users refuse the deletion of the personal data and instead request that the use of the personal data be restricted;

  • 3.3. the controller no longer needs the personal data for processing purposes but users need it to assert, exercise or defend legal claims, or

  • 3.4. if users have filed an objection to the processing according to Art. 21 Abs. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh their reasons.

If the processing of personal data concerning users has been restricted, this data may only be processed – aside from being stored – with their consent or for the purpose of asserting, exercising or defending rights or for protecting the rights of another natural or legal person or on grounds of important public interest of the European Union or a member state.

If processing has been restricted in accordance with the aforementioned conditions, users will be informed by the controller before the restriction is lifted.

4. Right to deletion

4.1. Deletion obligation

Users can request that the controller delete the personal data concerning them without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:

  • 4.1.1. The personal data concerning users is no longer necessary for the purposes for which it was collected or otherwise processed.

  • 4.1.2. Users revoke their consent on which the processing was based according to Art. 6 Abs. 1 lit. a or Art. 9 Abs. 2 lit. a GDPR and there is no other legal basis for processing.

  • 4.1.3. Users file an objection against processing according to Art. 21 Abs. 1 GDPR and there are no overriding legitimate reasons for processing or they file an objection against processing according to Art. 21 Abs. 2 GDPR.

  • 4.1.4. The personal data concerning the users has been unlawfully processed.

  • 4.1.5. The deletion of personal data concerning the users is necessary to fulfil a legal obligation under EU law or the member state law to which the controller is subject.

  • 4.1.6. The personal data concerning the users has been collected in relation to information society services offered according to Art. 8 Abs. 1 GDPR.

4.2. Information to third parties

If the controller has made personal data concerning users public and is obliged to delete it according to Art. 17 Abs. 1 GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that the users, as the data subjects, have requested the deletion of all links to this personal data or of copies or replications of this personal data.

4.3. Exceptions

The right to deletion does not exist if processing is required:

  • 4.3.1. to exercise the right to freedom of expression and information;

  • 4.3.2. to perform a legal obligation required for processing under EU law or member states’ law to which the controller is subject or to perform a task in the public interest or to exercise public authority that has been given to the controller;

  • 4.3.3. for reasons of public interest in the field of public health according to Art. 9 Abs. 2 lit. h and i as well as Art. 9 Abs. 3 GDPR;

  • 4.3.4. for archiving purposes in the public interest, academic or historical research purposes or for statistical purposes according to Art. 89 Abs. 1 GDPR if the right referred to in a) is likely to make it impossible or seriously impair the attainment of the objectives of this processing or

  • 4.3.5. for asserting, exercising or defending legal claims.

5. Right to notification

If users have exercised their right to have the controller correct, delete or limit processing, the controller is obliged to inform all recipients to whom the personal data concerning them has been disclosed of this correction or deletion of the data or processing restriction, unless this proves impossible or involves a disproportionate effort. Users shall also have the right to be informed about these recipients by the controller.

6. Right to data transferability

Users have the right to receive the personal data concerning them that they have provided to the controller in a structured, common and machine-readable format. Furthermore, users have the right to transmit this data to another controller without any obstruction by the controller to whom the personal data was made available provided that:

  • 6.1. processing is based on consent according to Art. 6 Abs. 1 lit. a GDPR or Art. 9 Abs. 2 lit. a GDPR or on a contract according to Art. 6 Abs. 1 lit. b GDPR and

  • 6.2. processing is carried out using automated methods.

In exercising this right, users also have the right to have the personal data concerning them transferred directly from one controller to another if this is technically feasible. Freedoms and rights of other people may not be affected because of this.

The right to data transferability does not apply to processing personal data necessary for performing a task in the public interest or in the exercise of public authority assigned to the controller.

7. Right to objection

Users have the right, for reasons arising from their particular situation, to object to the processing of personal data concerning them under Art. 6 Abs. 1 lit. e or f GDPR at any time; this also applies to profiling based on these provisions.

The controller no longer processes the personal data concerning users unless it can prove compelling legitimate reasons for the processing, which outweigh their interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data concerning users is processed for direct marketing purposes, users have the right to object to the processing of personal data concerning them for the purpose of this kind of advertising at any time; this also applies to profiling if it is in connection with this kind of direct marketing.

If users object to the processing for direct marketing purposes, the personal data concerning them will no longer be processed for these purposes. Users have the option of exercising their right of objection using automated procedures in which technical specifications are used, in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

8. Right to revoke the declaration of consent relating to data privacy

Users have the right to revoke their declaration of consent relating to data privacy at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

9. Automated decision on a case-by-case basis, including profiling

Users have the right not to be subject to a decision based exclusively on automated processing, including profiling, that has legal effect against them or significantly impairs them in a similar manner. This does not apply if the decision:

  • 9.1. is necessary for concluding or fulfilling a contract between them and the controller,

  • 9.2. is admissible due to EU law or the member state law to which the controller is subject and where this law contains appropriate measures to safeguard their rights, freedoms and legitimate interests or

  • 9.3. takes place with their explicit consent.

However, these decisions may not be based on special categories of personal data according to Art. 9 Abs. 1 GDPR unless Art. 9 Abs. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect their rights, freedoms and legitimate interests.

In the cases referred to in 9.1 and 9.3, the controller shall take reasonable measures to safeguard their rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to state their own position and to challenge the decision.

10. Right to complain to a supervisory authority

Irrespective of any other administrative or judicial remedy, users have the right to complain to a supervisory authority, in particular in the member state of their residence, their place of work or the place of the suspected violation, if they believe that the processing of personal data concerning them is contrary to the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

The supervisory authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen

Kavalleriestr. 2-4

40213 Düsseldorf

Tel: 0211/38424-0

Fax: 0211/38424-999

Email: poststelle@ldi.nrw.de

Internet: www.ldi.nrw.de/