Processing of (personal) data by the entity in charge of the online application process
Privacy Notice for Job Applicants
We are pleased that you are interested in our company and are applying for a position with us. Below, we would like to provide you with information regarding the processing of your personal data in connection with your application.
Who is responsible for data processing?
CPTx GmbH
Semmelweisstr. 1, 82152 Planegg
Email: info@cptx.bio
Phone: +49 (0) 89 6933 0382
You can find further information about our company, details regarding authorized representatives, and additional contact options in the legal notice section of our website: https://cptx.bio/imprint/
Our Data Protection Officer
We have appointed a data protection officer in our company. You can reach Stephan Krischke at datenschutz@cptx.bio
What data do we process about you? And for what purposes?
We process the data you have sent us in connection with your application to assess your suitability for the position (or, if applicable, other open positions in our company) and to conduct the application process.
We do not plan to process any special categories of personal data from you. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the unique identification of a natural person, health data, or data concerning a natural person’s sex life or sexual orientation. If you provide us with such personal data of your own accord, our processing will also include such data.
What is the legal basis for this?
The legal basis for the processing of your personal data in this application process is primarily Article 6(1)(b) of the GDPR. According to this provision, the processing of data necessary in connection with the decision regarding the establishment of an employment relationship is permitted. This also includes the use of the online applicant portal.
If special categories of personal data within the meaning of Article 9 of the GDPR are processed (e.g., health data), the legal basis is Section 26(3) of the BDSG or Article 9(2)(b) of the GDPR in conjunction with Article 6(1)(b) of the GDPR.
If you have given your consent to be included in our applicant pool, the legal basis for our processing is Article 6(1)(a) of the GDPR in conjunction with Section 26(2) of the BDSG.
Should the data be required for legal proceedings after the conclusion of the application process, data processing may take place based on the requirements of Article 6 of the GDPR, for the pursuit of legitimate interests under Article 6(1)(f) of the GDPR. Our interest in such cases is in asserting or defending claims.
How long is the data stored?
Data from applicants is deleted after 6 months in the event of a rejection.
If you have consented to the continued storage of your personal data, we will transfer your data to our applicant pool. There, the data will be deleted after 12 months.
If you have been offered a position as part of the application process, the data will be transferred from the applicant data system to our human resources information system.
To whom is the data disclosed?
We use a specialized software provider for the application process. This provider acts as a service provider for us and may, in connection with the hosting of the system and the online applicant portal, as well as the maintenance and upkeep of the systems, gain access to your personal data. We have entered into a so-called data processing agreement with this provider, which ensures that data processing is carried out in a lawful manner.
Your application data will be reviewed by the Human Resources department upon receipt of your application. Suitable applications are then forwarded internally to the department heads responsible for the respective open position. The next steps are then coordinated. Within the company, only those individuals who require access to your data for the proper conduct of our application process have access to it.
Your application data may also be disclosed to third parties if we are legally obligated to do so—e.g., by court order (legal basis for processing: Art. 6(1)(c) GDPR).
Where is the data processed?
The data is processed exclusively in data centers within the European Economic Area (EEA). Data processing outside the European Economic Area (EEA) does not generally take place. However, we cannot rule out the possibility that data may be routed via internet servers located outside the EU.
However, the data is encrypted during transmission over the Internet and is therefore protected against unauthorized access by third parties.
Consequences of non-provision
The provision of personal data is necessary to conduct the application process with you and to subsequently enter an employment contract with you. You are not obliged to provide us with this personal data. If you do not provide us with the personal data required for the selection process or the conclusion of an employment contract, we may not be able to consider you in the application process under certain circumstances.
Your rights as a “data subject”
Right of access
You have the right to access the personal data we process about you. If a request for access is not made in writing, please understand that we may require you to provide proof that you are the person you claim to be.
Right to rectification or erasure
You also have the right to have your data corrected or deleted, to the extent permitted by law.
Right to Notification
If you have asserted your right to rectification, erasure, or restriction of processing against us, we are obligated to notify all recipients to whom we have disclosed personal data concerning you to rectify or erase such data. Furthermore, the restriction of processing must be communicated, unless this proves impossible or involves disproportionate effort. You have the right to be informed by us about these recipients.
Right to Restriction of Processing
You have the right to request that we restrict processing if one of the following conditions applies:
You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data.
The processing is unlawful, you object to the erasure of the personal data, and instead request the restriction of the use of the personal data.
We no longer need your personal data for our processes, but you may still need it to assert, exercise, or defend legal claims.
You have objected to the processing pursuant to Art. 21(1) of the GDPR, and it has not yet been determined whether our legitimate grounds override yours.
If the processing of your personal data has been restricted, such data—apart from its storage—may only be processed with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or a Member State.
If the restriction on processing has been imposed in accordance with the above conditions, we will notify you before the restriction is lifted.
Your right to restriction of processing may be limited to the extent that it is likely to be impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary for the fulfillment of those research or statistical purposes.
Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that
1. the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and
2. the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, provided this is technically feasible. The freedoms and rights of other individuals must not be infringed upon as a result.
Objection to Processing
You have the right to object at any time, on grounds relating to your situation, to the processing of personal data concerning you that is carried out based on Article 6(1)(e) or (f) of the GDPR.
We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent
You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of personal data.
Processing of (Personal) Data by the Operator of the Recruitment Site
General
This recruitment site is operated by Personio SE & Co. KG, a company based in Germany that provides human resources and applicant tracking software (https://www.personio.com/legal-notice/). The data you submit as part of your application is transmitted using TLS encryption and stored in a database. The company conducting this online application process is solely responsible for this data within the meaning of Art. 24 of the GDPR. Personio is merely the operator of the software and this recruitment site and, in this context, acts as a data processor pursuant to Art. 28 of the GDPR. The basis for processing by Personio is a data processing agreement between the controller and Personio. In addition, Personio SE & Co. KG processes further data - some of which may also be personal data—to provide its services, for the operation of this recruitment site. This is discussed in more detail below.
The controller within the meaning of data protection law is:
Personio SE & Co. KG
Seidlstraße 3, 80335 Munich
Tel.: +49 89 1250 1004
Entry in the Commercial Register
Registration number: HRA 115934
Registering court: Munich Local Court
Data Protection Officer: privacy@personio.com
Access logs (“server logs”)
Every time this recruiting site is accessed, general log data—so-called server logs—is automatically collected. This data is generally pseudonymous and therefore does not allow for any identification of a natural person. Without this data, it would in some cases be technically impossible to deliver and display the software’s content. Furthermore, the processing of this data is necessary for security reasons, particularly for access, input, transmission, and storage control. In addition, anonymous information may be used for statistical purposes as well as for optimizing the service and technology. Furthermore, the log files may be retrospectively checked and evaluated in the event of suspected unlawful use of the software. The legal basis for this is found in Section 25(2)(2) of the Telecommunications and Digital Services Data Protection Act (TDDDG) as well as Article 6(1)(f) of the GDPR. Generally, data such as the website’s domain name, the web browser and its version, the operating system, the IP address, and the timestamp of access to the software are collected. The scope of this logging does not exceed the standard scope of any other website on the Internet, such as. These access logs are stored for up to 7 days. There is no right to object.
Error Logs
So-called error logs are created for the purpose of identifying and resolving errors. This is necessary to be able to respond as promptly as possible to potential issues with the display and implementation of content (legitimate interest). This data is generally pseudonymous and therefore does not allow for any identification of a natural person. The legal basis for this is found in Section 25(2)(2) of the Telecommunications and Digital Services Data Protection Act (TDDDG) as well as Article 6(1)(f) of the GDPR. When an error message occurs, general data such as the website’s domain name, the web browser and its version, the operating system, the IP address, and the timestamp at the time the corresponding error message or specification occurred are recorded. These error logs are stored for up to 7 days. There is no right to object.
Use of Cookies
This recruiting page uses so-called cookies in some cases. These are small text files that are stored on the device you use to access this recruiting page. In general, cookies serve to ensure security when visiting a website (“strictly necessary”), implement certain functionalities such as default language settings (“functional”), improve the user experience or performance on the website (“performance”), or display target group-based advertising (“marketing”). This recruiting site generally uses only strictly necessary, functional, and performance cookies, to implement certain default settings such as language, to identify the application channel, or to analyze the performance of a job posting through which a user arrived at this recruiting site. The use of cookies is strictly necessary for the provision of our services and thus for the fulfillment of the contract (Art. 6 (1) b) GDPR). Storage period: Up to 1 month or until the end of the browser session Right to object: You can use your browser settings to decide for yourself whether to allow cookies or to object to their use. Please note that disabling cookies may result in limited or completely restricted functionality of this recruitment site.
Data Subject Rights
If personal data is processed by Personio SE & Co. KG as the data controller, you, as the data subject, have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and purpose of the processing, including, where applicable, the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR), and the right to object (Art. 21 GDPR). If the processing of personal data is based on your consent, you have the right to withdraw this consent under Article 7(3) of the GDPR. To exercise your data subject rights regarding the data processed for the operation of this recruiting site, please contact the Data Protection Officer of Personio SE & Co. KG (see Section B.).
Final Provisions
Personio reserves the right to amend this Privacy Policy at any time to ensure it always complies with current legal requirements or to reflect changes to the services described in the Privacy Policy, e.g., upon the introduction of new services. The new Privacy Policy will then apply to any subsequent visit to this recruiting site or subsequent application.