This privacy policy deals with the data processing related to our existing or potential customers. If you are visiting our website (including https://app.nextmatter.com/), the website privacy policy applies additionally.
Responsible for the data processing and “controller” in terms of the GDPR is:
Next Matter GmbH,
Gormannstraße 14,
10119 Berlin,
Germany
E-mail: info@nextmatter.com
www.nextmatter.com
The designated data protection officer is:
DataCo GmbH
Nymphenburger Str. 86,
80636 Munich,
Germany
Phone: +49 (0) 89 7400 458 40
E-mail: datenschutz@dataguard.de
www.dataguard.de
In providing the SaaS service Next Matter GmbH („we“ or “us”), we act as a data processor on behalf of our customers pursuant to Art. 28 GDPR. A data processing agreement (“DPA”) is part of our customer agreements. The DPA can be found here.
The DPA covers all data and processing activities within the SaaS service (e.g. “customer content” like your workflow data).
Specific privacy policy for Google Users
If you authorize Next Matter to access your Google account, we process your email address and any data you choose to sync with your Next Matter account strictly to enable services such as integrations with Google Workspace. All data processing activities comply with Google's Limited Use Requirements, meaning we do not use your data for advertising, profiling, or any purposes outside the scope of providing the requested services. The data is stored only as long as necessary to fulfil the requested service or as required by applicable legal or contractual obligations. Upon termination of the service or revocation of access, data will be securely deleted in accordance with our data retention policies.
As a data processor, we do not control or determine the content of the data you upload or sync. While we do not intentionally process sensitive data in accordance to Art. 9 GDPR, it is possible that such data may be uploaded by users. We strongly recommend avoiding the upload of sensitive data unless strictly necessary. In cases where sensitive data is inadvertently uploaded, we process it solely to provide the requested service and implement robust safeguards to ensure its confidentiality and security.
You retain full control over your data and may revoke Next Matter’s access to your Google account at any time through your Google account settings. Upon revocation, we will cease processing your data immediately.
The processing of data is carried out in full compliance with the requirements of Article 28 GDPR. This includes adherence to all obligations applicable to data processors, as outlined in our Data Protection Agreement (DPA). The technical and organisational measures implemented to ensure data security are specified in Annex 3 of the DPA.
Where necessary to provide the requested service, data may be shared with authorised sub-processors listed in Annex 4 of the DPA. All sub-processors are contractually bound to comply with stringent data protection requirements that meet the standards of Article 28 GDPR.
In cases where data is transferred to a third country, such transfers are carried out in accordance with Chapter V of the GDPR, using appropriate legal mechanisms, such as adequacy decisions or Standard Contractual Clauses (SCCs), to ensure an adequate level of data protection.
This privacy policy solely covers data processing we perform for our own purpose as a controller (and not on your behalf as a processor), e.g. contract management, billing and invoicing etc.
In the context of existing or potential customer relationships, we collect and process in particular the following data for our own purpose as a controller:
a) Processing for the purpose of performing the contract with you
The legal basis for the processing of personal data for pre-contractual and contractual purposes is Art. 6(1)(b) GDPR if you yourself are our contractual partner or Art. 6(1)(f) GDPR if your employer is our contractual partner. This applies to the data processing in respect of a contract between you or your employer and us and includes, without limitation, the initiation of the contractual relationship, contract processing, implementation and support as well as performance of the pre- and post-contractual obligations.
b) Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, your personal data will be processed on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Art. 5, 7 GDPR. Art. 5, 7 GDPR.
c) Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 para. 1 sentence 1 lit. f GDPR if our legitimate interests exist, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is also our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.
d) Processing for the fulfilment of a legal obligation
Insofar as the processing of your personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR serves as the legal basis. Our legal obligation to process data arises from retention obligations under commercial and tax law, in particular from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung).
We also process your data for our or third parties’ legitimate interests (Art. 6(1)(f) GDPR). This may be necessary in particular:
We delete your personal data as soon as they are no longer required for the above-mentioned purposes.
We take appropriate measures to ensure that your personal data is only processed under the following conditions:
If required, we will be pleased to provide you with further information on the duration of data storage in relation to the specific purpose.
Please note that customer content (e.g. your workflow data) stored within the SaaS system will be deleted as agreed in the data processing agreement, usually upon termination or expiration of the contract.
Within our company, only those persons and departments receive your personal data that need them to fulfil their tasks with regard to the above-mentioned purposes. In the course of our activities, we sometimes also have to transfer data to external third parties and use external service providers. In particular, we may transfer your personal data to the following categories of recipients:
Insofar as we use services whose providers are partly located in third countries outside the European Economic Area or process personal data there and the EU Commission has not issued an adequacy decision for these countries pursuant to Art. 45 GDPR, we have taken appropriate precautions to ensure an adequate level of data protection. These include, among others, the standard contractual clauses of the European Union (SCC) or binding corporate rules (BCR). Where this is not possible, we base the data transfer on your express consent.
Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.
Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.
According to the General Data Protection Regulation, in addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR), erasure or restriction of processing (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).
You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, E-Mail: mailbox@datenschutz-berlin.de.
This privacy policy deals with the data processing related to our website. If you are using our SaaS service as a customer, our privacy policy for customers and the data processing agreement (DPA) apply additionally.
Responsible for the data processing and “controller” in terms of the GDPR is:
Next Matter GmbH,
Gormannstraße 14,
10119 Berlin,
Germany
E-mail: info@nextmatter.com
www.nextmatter.com
The designated data protection officer is:
DataCo GmbH
Nymphenburger Str. 86,
80636 Munich,
Germany
Phone: +49 (0) 89 7400 458 40
E-mail: datenschutz@dataguard.de
www.dataguard.de
a) Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, your personal data will be processed on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Art. 5, 7 GDPR. Art. 5, 7 GDPR.
b) Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 para. 1 sentence 1 lit. f GDPR if our legitimate interests exist, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is also our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.
c) Processing for the fulfilment of a legal obligation
Insofar as the processing of your personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR serves as the legal basis. Our legal obligation to process data arises from retention obligations under commercial and tax law, in particular from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung).
a) Automatically generated website visitor information
We collect information and data that is automatically transmitted or generated by your browser each time you visit our website. Such information includes the IP address, the geographic location, the URLs of the site you visited before accessing our website (“referrer”), the browser used, the browser language, the operating system and user interface, the access device used, date and time of your access, the pages viewed on our website, and the time you spend on the website.
Legal basis for the processing of such log data is Art. 6(1)(f) GDPR due to our following legitimate interest:
b) Contact and inquiries
You can contact us e.g. via contact forms or chat functions on the website or by e-mail if you are interested in our services. In our contact forms, we usually ask you about your contact details (name, email address, company). The legal basis for the data processing is Art. 6(1)(b) GDPR insofar as your information is required to answer your inquiry or to initiate or execute a contract, otherwise your and our legitimate interest in answering your current or future inquiry, improving service quality, training staff, or for establishing, exercising, or defending legal claims pursuant to Art. 6(1)(f) GDPR.
c) Blog Newsletter
On our website you can subscribe to our blog newsletter. In this case, we will use the contact data you have provided for sending the newsletter with news, product updates and information by e-mail. The data processing is based on your consent pursuant to Art. 6 (1)(a) GDPR.
You can revoke your consent at any time, e.g. by using the “unsubscribe” link, which you will find at the end of each newsletter e-mail.
We store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The legal basis is our legitimate interest pursuant to Art. 6 (1)(f) GDPR in proving the proper registration for the newsletter.
In order to determine when our emails are opened and how they are used, we record and analyze the interactions with the newsletter or the accruing access data (e.g. opening rate or click rate) using standard market technologies provided to us by our newsletter service provider. For this purpose, our e-mails contain so-called web beacons (see Sec. 4 below). This allows us to determine whether and when an e-mail was opened by you. We also learn which of the links contained in the e-mails you click on. We use this access data for the continuous improvement of our offer, our content and customer communication as well as for statistical purposes. If you do not want this analysis of usage behavior, you can unsubscribe from the newsletters or deactivate graphics in your e-mail client. The legal basis is our legitimate interest in usage analysis pursuant to Art. 6(1)(f) GDPR.
d) Cookies
We use cookies, web beacons and suchlike when you visit our websites or use our services.
Cookies are small text files that are stored by your browser on your computer or mobile device and which allow re-identification of your computer or mobile device, potentially across numerous websites. These cookies contain no personal data. Some of the cookies we use are deleted again upon expiry of the session, that is, when you close your browser (these are referred to as session cookies). Other cookies remain stored on your device and allow us, or our business partners to recognize your browser during subsequent visits (persistent cookies).
You may prevent cookies by configuring your browser software accordingly. However, please note that certain areas of the websites or certain services may then not work as intended (such as the SaaS service).
Web beacons are small graphics files (pixels) that may be embedded in our website for the purposes of recording user behavior. Similar methods include, for example, flash cookies, HTML5 cookies or other local (browser or device) storage methods that – in a similar way to cookies – allow data to be saved to your browser or device so that your browser or device can be recognized during subsequent visits or during a session.
We use cookies that are required for the provision of certain functionality of our website (e.g. the SaaS service). Some of our service providers may also use cookies, in particular for web analysis and marketing purposes (see below).
Legal Basis for Cookies
We use tools and cookies necessary for website operation based on your and our legitimate interest pursuant to Art. 6(1)(f) GDPR in the operation of the website and pursuant to § 25 (2) No. 2 TDDDG. Tools and cookies necessary for the provision of the SaaS service are based on Art. 6(1)(b) GDPR, § 25(2) No. 2 TDDDG.
We use other tools, in particular for analysis and marketing purposes based on your consent pursuant to Art. 6(1)(a) GDPR and pursuant to § 25(1) TDDDG, which is obtained via the cookie banner (see below). If you have given your consent to use certain tools, we may also transfer the data processed when using the tools to third countries on the basis of this consent.
When you visit our website for the first time and at any time later, you have the choice of whether you permit the setting of cookies or which individual additional functions you would like to select.
You can revoke your consent at any time via the cookie banner. You will find the corresponding link at the bottom left of each page ("privacy settings").
Additional information
You can find more information about the external tools and cookies in the cookie banner, including:
You will find the corresponding link at the bottom left of each page ("privacy settings").
We may use third party service providers, and disclose to such service providers personal data as required for the provision of the services. We use in particular technical service providers for the hosting and operation of the website. Third party service providers also include providers of external tools embedded in the website, as listed in the cookie banner (see Sec. 2.2 above).
We may make personal data available to our service providers for the fulfillment of their activities, if necessary. In doing so, we will of course also comply with all data protection requirements and oblige our service providers to do so to the extent necessary. The service providers may process the personal data exclusively on our behalf and not for their own purposes and must treat the data confidentially. To this end, we have concluded commissioned processing agreements in accordance with Art. 28 GDPR.
Insofar as we use services whose providers are partly located in third countries outside the European Economic Area or process personal data there and the EU Commission has not issued an adequacy decision for these countries pursuant to Art. 45 GDPR, we have taken appropriate precautions to ensure an adequate level of data protection. These include, among others, the standard contractual clauses of the European Union (SCC) or binding corporate rules (BCR). Where this is not possible, we base the data transfer on your express consent.
Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.
Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.
We delete your personal data as soon as they are no longer required for the above-mentioned purposes.
We take appropriate measures to ensure that your personal data is only processed under the following conditions:
If required, we will be pleased to provide you with further information on the duration of data storage in relation to the specific purpose.
In addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).
You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, E-Mail: mailbox@datenschutz-berlin.de.
Thank you for your interest in working with Next Matter. We would like to inform you below about the processing of your personal data provided by you as part of the application process and, if applicable, collected by us, and your rights in this regard.
Responsible for the data processing and “controller” in terms of the GDPR is:
Next Matter GmbH,
Gormannstraße 14,
10119 Berlin,
Germany
E-mail: info@nextmatter.com
The designated data protection officer is:
DataCo GmbH
Nymphenburger Str. 86,
80636 Munich,
Germany
Phone: +49 (0) 89 7400 458 40
E-mail: datenschutz@dataguard.de
www.dataguard.de
We use your personal data that you provide to us throughout the application process for example in cover letters, resumes, references, applicant questionnaires, applicant interviews. In addition, we may process personal data that we have lawfully obtained from publicly available sources (e.g. professional social networks), from recruiters or contact with references. This may include:
The data processing is carried out in accordance with Art. 88 GDPR, § 26 para. 1 p. 1 BDSG for recruiting purposes. This includes the following purposes:
We do not carry out any automated decision-making or profiling pursuant to Art. 22 GDPR.
a) Processing based on consent
If you have given your consent to data processing, for example by submitting an application, your data will be processed according to Art. 6 para. 1 p. 1 lit. a DS-GVO in connection with Art. 7 DS-GVO. Art. 7 DS-GVO, in conjunction with. Art. 26 para. 2 BDSG
b) Processing of special categories of personal data
Insofar as special categories of personal data are processed that you have obviously made public, your data will be processed pursuant to Art. 9 (2) lit e DS-GVO. If you have given your consent to the processing of non-public special categories of personal data, such as health data, religious affiliation or nationality, your data will be processed in accordance with Art. 9 (2) lit. a DS-GVO.
c) Decision on the establishment of the employment relationship
We process your data in order to make a decision on the establishment of the employment relationship. In the event of employment in our company, your data will be processed for the purpose of implementing and terminating the employment relationship. Separate information on the processing of your personal data on the basis of employment relationship has been provided in our Privacy Policy for Employees. Processing based on legitimate interest – Art. 6 Para. 1 f GDPR
d) Processing for the purpose of asserting, exercising or defending legal claims or in the case of acts of the courts
As far as necessary, your data will be processed for the purpose of asserting, exercising or defending legal claims or in case of actions of the courts according to Art. 6 para. 1 p. 1 lit f DS-GVO, Art. 9 para. 1 lit f DSGVO.
f) Processing on the basis of legitimate interest
Insofar as the processing is carried out to protect a legitimate interest of us or a third party and their interests or fundamental rights and freedoms do not outweigh the first-mentioned interest, Art. 6 (1) p. 1 lit. f DS-GVO serves us as the legal basis for the data processing. Our legitimate interest arises in particular from the following reasons:
Within Next Matter GmbH, only those persons and positions (e.g. People department, hiring management, interviewers) receive your personal data that need them to fulfill their respective tasks and contractual and legal obligations.
We may engage external service providers who act exclusively on our behalf in accordance with Art. 28 GDPR and are not permitted to process data for their own purposes, and may transfer personal data for these purposes to the external service providers, for example assessment centers, recruiters and personnel consultants, external consultants in the case of an aptitude diagnostic procedure, lawyers in the event of a dispute, if applicable.
If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding corporate rules or EU standard contractual clauses) are in place.
Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.
Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.
Upon your express consent, we will retain your data beyond the end of a specific application process for a period of 12 months so that we can contact you later if you are considered for another position (inclusion in our “applicant pool”). If you apply for another position, the period starts again. Before the period expires, we will contact you by email to ask whether you agree to further storage. The legal basis for this data retention is Art. 6 para. 1a GDPR.
You can withdraw your consent to be included in the applicant pool at any time, e.g. by sending an e-mail to info@nextmatter.com.
We delete your data as follows:
An application process is completed when the period has expired in which lawsuits for violation of the AGG (Allgemeines Gleichbehandlungsgesetz, German General Equal Treatment Act) can still be expected (usually six months after the rejection has been sent, if no lawsuit or assertion according to § 15 para. 4 AGG has been received by then).
If your application is successful, your data will be transferred to the personnel file, insofar as this is necessary and permissible. Separate information on the processing of your personal data on the basis of employment relationship has been provided in our Privacy Policy for Employees. Processing based on legitimate interest – Art. 6 Para. 1f GDPR.
In addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).
You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, E-Mail: mailbox@datenschutz-berlin.de.
We would hereby like to inform you about the processing of your personal data by Next Matter GmbH as your employer and the rights to which you are entitled under data protection law.
Responsible for the data processing and “controller” in terms of the GDPR is:
Next Matter GmbH,
Gormannstraße 14,
10119 Berlin,
Germany
E-mail: info@nextmatter.com
The designated data protection officer is:
DataCo GmbH
Nymphenburger Str. 86,
80636 Munich,
Germany
Phone: +49 (0) 89 7400 458 40
E-mail: datenschutz@dataguard.de
The categories of personal data processed include:
Your personal data is generally collected directly from you as part of the recruitment process or during the employment relationship.
It is also possible that we receive personal data from a third party, for example from clients through a feedback program, training providers and trainers about your participation in trainings, travel service providers in the context of creating travel plans.
In certain circumstances, your personal data will also be collected from third parties due to legal requirements. This includes, in particular, event-related queries of tax-relevant information from the relevant tax office and information about periods of incapacity for work from the relevant health insurance. In addition, we may have received data from third parties (e.g. job placement agencies).
We process your personal data for recruitment decisions, establishing, performing and terminating the employment relationship. This will include the following purposes:
We do not perform any automated decision-making - including profiling - to bring about a decision on the establishment, performance or termination of an employment relationship.
We process your personal data based on the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws (e.g. BetrVG, ArbZG, etc.).
a) Processing for the performance of the employment contract
Primarily, our data processing serves the purpose of establishing, performing and terminating the employment relationship. The primary legal basis for this is § 26 (1) BDSG in conjunction with. Art. 6 par (1)(b) GDPR.
b) Processing for compliance with legal obligations
We also process your data in order to fulfill our legal obligations as an employer, in particular in the area of tax and social security law. This is based on Art. 6 (1)(c) GDPR in conjunction with § 26 BDSG.
c) Processing on the basis of legitimate interest
In individual cases, we process your data in order to protect legitimate interests of us or of third parties (e.g. authorities). This applies in particular to the investigation of criminal offences (legal basis Art. 6 (1)(f) GDPR in conjunction with § 26 para. 1 p. 2 BDSG).
d) Processing on the basis of collective agreements
The processing is justified if provided for in a collective agreement or a works agreement (Article 88 GDPR, Sec. 26 (1) FDPA).
e) Processing on the basis of consent
If the processing of your data in individual cases is based on consent pursuant to Art. 6 (1)(a) GDPR, you have the right to revoke the consent at any time with effect for the future. In the event of revocation of your consent, a data processing operation may still be permissible on the basis of a legal provision, such as one of the aforementioned.
Processing of special categories of personal data
a) Processing for compliance with legal obligations
Insofar as special categories of personal data are processed pursuant to Art. 9 (1) GDPR, this serves the exercise of rights or the fulfillment of legal obligations from labor law, social security law and social protection within the framework of the employment relationship (e.g. disclosure of health data to the health insurance, recording of severe disability due to additional leave and determination of the severely disabled levy). This is done on the basis of Art. 9 (2)(b) GDPR in conjunction with § 26 (3) BDSG.
b) Processing on the basis of consent
In addition, the processing of special categories of personal data may be based on consent pursuant to Art. 9 (2)(a) GDPR in conjunction with § 26 (2) BDSG (e.g., company health management). You have the right to revoke the consent at any time with effect for the future. In the event of revocation of your consent, a data processing operation may still be permissible on the basis of a legal provision, such as one of the aforementioned.
If we want to process your personal data for a purpose not mentioned above, we will inform you in advance.
Within Next Matter GmbH, only those persons and positions (e.g. People department, management, supervisors) receive your personal data that need them to fulfill their respective tasks and contractual and legal obligations.
In addition, we sometimes use external service providers to fulfill our contractual and legal obligations. The contractors and service providers we use act exclusively on our behalf in accordance with Art. 28 GDPR and may not process data for their own purposes.
In addition, we may transfer your personal data to other recipients to the extent necessary to fulfill our contractual and legal obligations as an employer, in particular:
If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding corporate rules or EU standard contractual clauses) are in place.
Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.
Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.
We delete your personal data as soon as it is no longer required for the above-mentioned purposes. After termination of the employment relationship, your personal data will be stored as long as we are legally obliged to do so. This regularly results from legal obligations to provide proof and to retain data, which are regulated, among other things, in the German Commercial Code and the German Fiscal Code. The storage periods are then regularly ten years.
In addition, personal data may be retained for the period during which claims can be asserted against us (statutory limitation period of three or up to thirty years). In addition, the data required for the company pension benefits will be processed until the end of your claims and will also be stored thereafter for as long as we are legally obliged to do so for the above reasons.
In addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).
You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, E-Mail: mailbox@datenschutz-berlin.de.