— Information on Data Protection
Processing applicant data

We take the protection of your personal data seriously and comply with all data protection regulations, in particular the EU General Data Protection Regulation (“GDPR” – DSGVO) and the German Federal Data Protection Act (“BDSG”). This means that we will only process your personal data if we are permitted to do so by law; if it is necessary when carrying out and managing your application process; if we have a legitimate interest in processing it; or if you have given your consent. In these data protection guidelines, we shall explain what information (including personal data) is processed by us in connection with your application process and what rights you have under the data protection law. Which data is processed in detail and how it is used is largely determined by the implementation and administration of your application process.

I. Who is responsible for data processing?
The entity responsible under data protection law for the processing of personal data is e-shelter security services GmbH & Co. KG, Eschborner Landstraße 100, 60489 Frankfurt am Main, info@e-shelter.io.

Please direct any questions regarding data protection to our data protection team at personal@eshelter.io. The data protection officer can be contacted via the aforementioned contact channels and under datenschutz@e-shelter.io.

II. What data do we process?
The implementation of your application process requires the processing of personal data:

1) master data: We process basic data about you and the application relationship that exists with you, which we refer to collectively as “master data”. This includes specifically:

a) information you have provided to us in the course of the application process or information we have requested from you (e.g., name, address, telephone number, e-mail address, date of birth, marital status, nationality, religious denomination, information on your education and professional career, photo if applicable);

III. For what purposes and on what legal basis do we process your data?
1. We process your data in accordance with Article 6, Paragraph 1 b) DSGVO for the implementation of pre-contractual measures that take place based on the application process. The purposes of the data processing result primarily from the application procedure and/or process. Data is processed in particular:

a) for application procedures
b) to fulfill existing obligations resulting from laws, ordinances, company agreements and individual contractual regulations
c) to store follow-up data.

2. We may also process your personal data to comply with legal obligations to which we are subject pursuant to Article 6, Paragraph (1)(c) DSGVO. These legal obligations include the notifications to social insurance carriers and (tax) authorities prescribed for us, but also labor law, tax and social insurance law retention regulations as well as commercial and tax retention regulations in accordance with the German Commercial Code and the German Fiscal Code.

3. When necessary, we process your data beyond the completion of the application procedure and the fulfillment of legal obligations, in order to protect our legitimate interests or the interests of third parties pursuant to Article 6, Paragraph (1)(f) DSGVO. Our legitimate interests include for example:

a) the enforcement of legal claims and defense in legal disputes
b) preventing and resolving criminal offences
c) ensuring the security of the IT systems that we use;
d) for official record keeping and communication purposes, prevention and investigation of criminal offenses.

4. Insofar as the categories of data listed in Section II contain special types of personal data (such as health data), we process these for the purposes of the obligations incumbent upon us under labor law and social security law to the extent provided for by law; this is done in accordance with Article 9, Paragraph (2) b) DSGVO.

5. When consent is given, the legality of processing personal data is in accordance with Article 6 Paragraph (1) a) DSGVO concerning processing for specified purposes (e.g., storage in applicant pools of the group of companies; further storage after the end of the application process).

Please note that

  • giving us consent is always voluntary, and that neither giving nor revoking it has any negative consequences for your application process
  • not giving, or subsequentially revoking consent may nevertheless be associated with consequences, about which we will inform you prior to your giving consent, and
  • you may revoke any consent given to us, to take effect at any time in the future, e.g., by notifying us by mail, fax, or e-mail via one of the contact channels mentioned on the first page of this information on data protection.

IV. Are you obliged to provide data?
The provision of the personal data stated in section II. is necessary for the implementation and administration of your application process, unless expressly stated otherwise by us when collecting this data. Without providing us with this data, we cannot carry out your application process. If we collect additional personal data from you, we will inform you at the time of the collection whether providing this information is required by law or contract or is necessary for your application process. In doing so, we generally indicate the information which may be provided voluntarily and not based on one of the aforementioned obligations or not required for the conclusion of a contract.

V. Who receives your data?
Your personal data is generally processed within our company. Depending on the type of personal data, only certain departments / organizational units have access to your personal data. This includes, in particular, the HR department, your possible superiors and – in the case of data collected via the IT infrastructure – to a certain extent also the IT department. A role and authorization concept restricts access within our company to the functions and scope that are required for the respective purpose of processing. We may also transfer your personal data to third parties outside our company to the extent permitted by law. These external recipients may include in particular:

  • affiliated companies within the Investa Real Estate Group to which we transfer personal data for internal administrative purposes, such as the implementation of application procedures of these companies
  • the service providers contracted by us who provide services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent. These are carefully selected by us and commissioned in accordance with data protection requirements.

With regard to data transfer to other recipients, we may only pass on information about you if this is required by law, you have given your consent, or we are authorized to pass it on. Other entities may also be data recipients, provided that you have given us your consent to the transfer of data.

VI. Is automated decision-making used?
As a matter of principle, we do not use automated decision-making (including profiling) according to Article 22 of the GDPR to carry out or during the application process. If we use these types of procedures in individual cases, we will inform you separately about this to the extent provided for by law.

VII. Is data transferred to countries outside the EU / EEA?
The processing of your personal data takes place exclusively within the EU or the European Economic Area; a transfer to other countries (so-called “third countries”) does not take place.

VIII. How long will your data be stored?
The criteria for determining the duration of storage are dictated by the end of the purpose and the subsequent statutory retention period. In principle, we store your personal data as long as we have a legitimate interest in this storage and your interests in the non-continuation of the storage do not outweigh it. Even without a legitimate interest, we may continue to store the data if we are required to do so by law (for example, to comply with storage obligations). We also delete your personal data without your intervention as soon as it is no longer necessary for the processing purpose, or the storage is otherwise legally inadmissible. As a rule, personal data is stored at least until the end of the application process. The data will be deleted when it has fulfilled its purpose.

This may also occur after the application process has been completed. The personal data that we have to store to fulfill retention obligations are stored until the end of the respective retention obligation period. If we store personal data exclusively for the fulfillment of retention obligations, these are blocked so that they can only be accessed if this is necessary regarding the purpose of the retention obligation.

Retention obligations can be, among others:

  • the fulfillment of storage obligations under labor and social security law as well as under commercial and tax law: these include the German Commercial Code (HGB) and the German Fiscal Code (AO). These stipulate retention and documentation periods of up to 10 years
  • the preservation of evidence within the framework of the statutory limitation provisions: According to §§ 195 et seq. of the German Civil Code (BGB), the regular limitation period is 3 years, although under special circumstances up to 30 years.

IX. What rights do you have as a data subject?
As a data subject, you have the right to

  • information about the personal data stored about you, Article 15 DSGVO,
  • rectification of inaccurate or incomplete data, Article 16 DSGVO,
  • deletion of personal data, Article 17 DSGVO,
  • restriction of processing, Article 18 DSGVO,
  • data portability, Article 20 DSGVO, and
  • object to the processing of personal data concerning yourself, Article 21 DSGVO.

Within the scope of the right to information and the right of deletion, the restrictions according to §§ 35 and 35 BDSG apply. You also have the right to register a complaint with a competent data protection supervisory authority, Article 77 DSGVO. To exercise these rights, you can contact us at any time – e.g., via one of the contact channels indicated at the beginning of this information on data protection. If you have any questions about the processing of your data, you can also contact our data protection officer.

Disclaimer: This is a translation of an original German document. The German version is the legal basis for this document.

e-shelter security services GmbH & Co. KG — Status: 07/2021