
Processing of (personal) data by the entity in charge of the online application process

DATA PRIVACY POLICY FOR EMPLOYEES

For WHU - Otto Beisheim School of Management, Burgplatz 2, 56179 Vallendar, email: datenschutz@whu.edu (hereinafter referred to as "WHU"), protecting the personal data that we process in the context of your employment relationship with WHU is of the highest importance.

In the following, we explain, based on our privacy policy, what types of personal data we process and in which way.

Please contact us if you have further questions. Our contact details are listed at the end of this Privacy Policy.

Personal data

Personal data is any information relating to an identified or identifiable natural person. A natural person is considered to be identifiable if the identity of the person can be directly or indirectly determined - in particular by association with identifying information such as a name, ID number, location data, an online username, or one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of this natural person.

Personal data includes, for example, information such as your name, address, telephone number, language, location, email address, bank details, and date of birth.

Processing of personal data

When processing data, we handle your personal data responsibly and confidentially. Your personal data is processed in compliance with the applicable data protection regulations in Germany (in particular the Bundesdatenschutzgesetz, “BDSG new”) and Europe (EU General Data Protection Regulation, hereinafter referred to as "GDPR").

Within the meaning of these regulations, the processing of personal data consists of any operation or series of operations performed on personal data, with or without the help of automated processes. In particular, data processing includes collecting, capturing, organizing, filing, storing, adapting, modifying, selecting, querying, using, disclosing through transmission, dissemination, or any other form of providing, matching or linking, and the restriction, deletion or destruction of personal data.

If we engage a data processor to process your personal data, we conclude a data processing agreement with that processor that fulfills all the requirements of Art. 28 GDPR.

Purpose of processing personal data

We process personal data in accordance with the requirements and conditions set out below, using an automated process.

A legal basis for processing personal data in the context of an employment relationship is provided in § 26 BDSG new. For the purposes of § 26 para. 8 s. 2 BDSG new, applicants are handled as employees.

When you apply for a position at WHU, we process the data that you have submitted to us in order to ascertain whether we are interested in entering into and carrying out an employment relationship with you. If your application is not successful, your application data are only stored and processed until a decision has been made regarding your application. Your data are deleted 6 months after we have declined your application and/or returned the application materials. If we enter into an employment relationship with you, the data that you have provided to us are processed in order to allow for the establishment, continuation, and (when appropriate) end of the employment relationship.

Under the following conditions, data may be processed - within the context of the employment relationship - on the legal basis of § 26 BDSG:

Data processing is necessary to establish, maintain, or terminate an employment relationship, or to carry out and fulfill the rights and obligations arising from a law or a collective agreement representing the interests of the employee (statutory framework for labor relations in the workplace).

In addition, data processing in the employment relationship may take place for the purpose of detecting criminal offences in the workplace.

The legal authorization for this is based on art. 6 para. 1 sentence 1 lit. c GDPR.

Aside from what is authorized by law, your personal data is only processed by us with your express consent, in accordance with art. 6 para. 1 sentence 1 lit. a GDPR and art. 7 GDPR. You have the option to voluntarily provide a consent form in this regard. There are no disadvantages for you if you do not consent. You can ask to view your consent form at any time and may revoke your consent at any time by email or by post. Revocation of consent does not affect the legality of data processing that was carried out prior to your revocation. Our contact details can be found at the end of this Privacy Policy.

In the view of the law, consent according to § 26 para. 2 BDSG new can only be given if it provides a legal or economic benefit for you (for example, setting up a company health management system to promote employee health, or to enable use of company IT for private purposes) or if it serves the mutual interests of employers and employees (e.g., adding your name and date of birth to a birthday list or using photos / videos of you on the Internet / Intranet or for advertising purposes). In these cases we will, if necessary, request a declaration of consent from you, and only in consideration of the conditions described above.

Automated decision-making in individual cases, including profiling, is prohibited according to art. 22 GDPR.

The extent to which your personal data is processed is limited to the purposes described above.

Storage of personal data during use of WHU’s internal payment system

When you log on to WHU’s internal, cashless payment system using the terminal manager or our app, MyAuthent, and when you use the payment system, your personal data is collected and stored by us.

This data includes name, amount, date, WHU card number, and user group association. Data is collected and processed when you add credits to your card, use your card to pay at a terminal, or return credits.

Processing of personal data only takes place insofar as this is necessary to complete the contract in place pertaining to the use of the payment system. The legal basis for data storage and processing is in this case art. 6 para. 1.1.b GDPR.

WHU uses a service provider for automatic adding of credit in the context of our cashless payment system; this service provider is Payone Payment Services, provided by PAYONE GmbH. For this purpose, your data is transferred to PAYONE GmbH. Your credit card information is stored by PAYONE GmbH. In terms of data protection laws, PAYONE GmbH is independently responsible for the storage of this data. You can access PAYONE GmbH’s data privacy protection policy (art. 14 GDPR) using the following link: https://s3-eu-west-1.amazonaws.com/bspayone-docs/bspayone/PAYONE_Information_zu_Datenverarbeitung_gemaess_Art-14-DSGVO_062019.pdf

With respect to data processing in the MyAuthent app, we refer to the data protection policy specific to this app, which you can access before or during every use of the app.

Duration of data processing

The maximum length of time that your data is stored depends on the purpose of the data processing. The duration of the storage depends on how long it is necessary to process the data for the given purpose, in particular with regard to establishing, maintaining, or terminating your employment contract or fulfilling our legal requirements (for example, commercial or tax-related obligations under § 257 HGB and § 147 AO).

At the end of your employment, your data is deleted at the end of three years after your exit, whereby the year in which you left the company is not included.

Any declarations of consent generally apply until revoked by the person concerned. However, an "unused" declaration of consent may expire after a period of 1.5 years. If the consent is not used for a period of 1.5 years, the data are deleted.

Statutory obligations according to § 257 HGB and § 147 AO remain unaffected.

Recipients of personal data

At WHU, data processing in the context of the employment relationship is carried out exclusively by the personnel department or other specialized department (e.g., IT, library), if necessary.

In addition, other students and staff may have access to your personal data as follows: Intranet (information platform, staff directory): first name, last name, business email address and telephone number, department, job title.

Furthermore, data may be transmitted, as necessary, to the following third parties:

Social insurance (health fund/ health insurance, long-term care insurance, pension insurance, unemployment insurance), professional association, tax office, employment agency, government offices, insurance companies, credit institutes, trade supervisory office, TÜV, the data security representative, accreditation associations, and if necessary financial services.

Data may also be transmitted within the scope of authentications by third-party providers selected by you. This must be taken into account accordingly in your choice of third-party providers.

Location of data processing

Your personal data is only processed either in Germany or in member states of the European Union. We do not transmit your personal data to countries outside the member states of the European Union (so-called third countries) or other international organizations.

Safety and technical and organizational measures

We take all technical and organizational precautions necessary in order to protect your personal data from loss, destruction, access, modification or disclosure by unauthorized persons, and misuse; this is in accordance with the provisions of Articles 24, 25 and 32 GDPR.

For example, we comply with the legal requirements for pseudonymizing and encrypting personal data, for ensuring the confidentiality, integrity, availability and resilience of systems and services related to processing, the availability of personal data and the ability to rapidly recover them in the event of a physical or technical incident, and the establishment of procedures to regularly check, assess, and evaluate the effectiveness of technical and organizational measures that ensure the safety of data processing.

Furthermore, we also observe the requirements of Art. 25 GDPR with regard to the principles of "privacy by design" (privacy by intentional technical design) and "privacy by default" (data protection by means of privacy-protecting default settings).

Your rights

You have a right to free information about your personal data and, if the respective legal requirements are met, a right to correct, block, or delete your data, to restrict processing and transmission of data, and a right of objection.

You also have the possibility to complain to the relevant regulatory authority.

If you have any questions regarding the processing of your personal data or if you have questions regarding the aforementioned rights or suggestions, please contact us or our external data protection officer:

Dr. Dornbach Consulting GmbH

Anton-Jordan-Straße 1

56070 Koblenz

E-Mail: datenschutz@whu.edu

Status: November 2021

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary for security reasons, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR).

Period of storage: up to 1 month or until the end of the browser session

Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.