Table of contents
- Overview of processing
- Applicable legal bases
- Security measures
- Transmission and disclosure of personal data
- Third party data processing
- Commercial and business services
- Online offer and web hosting
- Application procedures
- Promotional communication via mail, fax or telephone
- Presence in social networks
- Deletion of data
- Rights of the persons concerned
With the following data protection declaration, we, flex2know GmbH, would like to inform you about which kind of personal data we use and to what extent we process it (hereinafter also referred to briefly as “data”). The data protection declaration applies to all processing of personal data carried out by us, both within the framework of the provision of our services and in particular on our websites as well as in mobile applications (hereinafter collectively referred to as the “Online Offer”).
83646 Bad Tölz
Overview of processing
The following table summarizes the types of data processed and the purposes for which they are processed, and refers to the data subjects.
1. Types of data processed
- Basic data (e.g. names, addresses)
- Candidate data (e.g. personal details, contact details, application documents such as cover letter, curriculum vitae), certificates, as well as any other certificates communicated by applicants with respect to a certain position, or, on a voluntary basis, information of their person or qualification)
- Content data (e.g. text input, photographs, videos)
- Contact details (e.g. e-mail, telephone numbers)
- Meta/communication data (e.g. device information, IP addresses)
- Contract data (for example, contract object, term, customer category)
- Payment data (for example, bank details, invoices, payment history)
2. Categories of persons affected
- Customers, business partners and contract partners
- Interested parties and communication partners
- Users (e.g. website visitors, users of online services)
3. Purposes of processing
- Provision of our online services and usability
- Application procedure
- Office and organisational procedures
- Direct marketing (e.g. by e-mail or by post)
- Contact enquiries and communication
- Security measures
- Contract services
- Administration and response to requests
4. Relevant legal bases
In the following, we share the legal bases of the Data Protection Basic Regulation (GDPR), on the basis of which we process your personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence and domicile.
- Consent (Art. 6 Para. 1 S. 1 lit. a GDPR) – The data subject has given his/her consent to the processing of personal data relating to his/her for a specific purpose or for several specific purposes.
- Fulfilment of contract and pre-contractual enquiries (Art. 6 Para. 1 S. 1 lit. b. GDPR) – The processing is necessary for the performance of a contract of which the data subject is a party, or for the performance of pre-contractual measures, of which the data subject is a party at the request of the data subject.
- Legal obligation (Art. 6 Par. 1 S. 1 lit. c. GDPR) – The processing is required to fulfill a legal obligation which the person responsible is subjected to.
- Legitimate interests (Art. 6 Para. 1 S. 1 lit. 1 f. GDPR) – Processing is required for the purpose of safeguarding the legitimate interests of the person responsible or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, prevail.
- Art. 9 Para. 1 S. 1 lit. b GDPR (application procedure as pre-contract or contract relationship)
Insofar as special categories of personal data within the meaning of Art. 9 of the German Data Protection Act have been identified within the framework of the application procedure, the following shall apply para. 1 GDPR (e.g. health data, such as severely handicapped status or ethnic origin) for applicants in order that the person responsible or the person concerned may take into account the provisions of labour law and exercise the rights conferred by the law on social security and social protection and exercise his or her right to fulfil its obligations in this respect, their processing shall be carried out in accordance with Art. 9 Para. 2 lit. b. GDPR, in case of the protection of vital interests of applicants or other persons according to Art. 9 para. 2 lit. c. GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the ability to work for medical diagnostics, care or treatment in the health or medical care sector. Social sector or for the management of systems and services in the health or social sector according to Art. 9 Para. 2 lit. h. GDPR. In the case of a notification of specific categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 Para. 2 lit. a. GDPR.
In accordance with the legal requirements, we shall take into account the state of the art, the implementation costs and the nature, extent, circumstances and purposes of the processing, as well as the different probabilities of occurrence, and the extent to which the rights and freedoms of natural persons are threatened, technical and organisational measures in order to achieve a level of protection appropriate to the risk.
Measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling the physical and electronic access to the data as well as the access concerning them, the input, passing on, securing availability and their separation. In addition, we have procedures which allow for the exercise of data subjects’ rights, the deletion of data and responses to the threat of the data. In addition, we take the protection of personal data into account as early as the development stage or selection of hardware, software and procedures in accordance with the principle of data protection, by technology design and user-friendly data protection pre-settings.
Shortening the IP address: If it is possible for us or a storage of the IP address is not necessary, we shorten or have your IP address shortened. In the case of shortening the IP address, also known as “IP masking” the last octet, i.e. the last two numbers of an IP address, is deleted (the IP address is in this context, an identifier individually assigned to an Internet connection by the online access provider). The purpose of shortening the IP address is to prevent a person from being identified on the basis of their IP address, or can be made considerably more difficult.
SSL encryption (https): To protect your data transmitted via our online service, we use an SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission and disclosure of personal data
As part of our processing of personal data, it happens that the data is disclosed to other places, transferred to firms, legally independent organisational units or persons. The recipients of this data may be for example, payment institutions for payment transactions, IT service providers or providers of services and content that are integrated into a website and are responsible for IT tasks. In such a case, we shall observe the statutory provisions and shall in particular conclude corresponding contracts or agreements, which serve the protection of your data, with the recipients of your data.
Data transfer within the organization: We may transfer personal data to other locations within our organization, and grant them access to this information. Insofar as such a disclosure is used for administrative purposes, the passing on of the data is based on our authorized entrepreneurial and business interests or, provided that it is necessary to fulfill, or if the consent of the persons concerned or a legal permission is available.
Data processing in third countries
If we collect data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or the transfer of data to other persons, bodies or companies, this shall only take place in accordance with the legal requirements.
Subject to clear consent or contractually or legally required transmission of data, we process or leave the data only in third countries with a recognised level of data protection, as the “Privacy-Shield” certified US processors, or on the basis of special guarantees, such as contractual obligation by so-called standard protection clauses of the EU Commission, the existence of certifications or obligatory internal data protection regulations (Art. 44 to 49 GDPR, Information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de)
Cookies are text files that contain data from visited websites or domains and are stored by a browser on your computer’s hard drive. A cookie is primarily used to store information about users during or after their visit within an online offer. The stored data can include e.g. the language settings on a web page or the login status. The term cookies includes for us also other technologies that perform the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also referred to as “user IDs”).
We use the following cookie types and functions:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
- Permanent cookies: Permanent cookies remain stored even after closing the browser. So for example, the login status can be saved or preferred content can be displayed directly if the user revisits a website. Likewise, the interests of users, that are used to measure the range or for marketing purposes, may be stored in such a cookie.
- First-Party-Cookies: First-Party-Cookies are set by ourselves.
- Third party cookies Third party cookies are mainly used by advertisers (so-called third parties) in order to process user information.
- Necessary cookies (also: essential or absolutely necessary cookies): Cookies may be absolutely necessary for the operation of a website (e.g. to save logins or other user input or for security reasons).
Webtracking procedure (range measurement): Analysis programs and other techniques for evaluating your user procedures are not used on our website.
Commercial and business services
We process data of our contractual and business partners, e.g. customers and interested parties (in summary referred to as “Contractual Partner”) within the framework of contractual and comparable legal relationships as well as connected measures and within the scope of communication with the contractual partners (or pre-contractual), e.g. in order to answer any questions you may have.
For the aforementioned purposes, we inform the contracting partners before or in the context of the Data collection, e.g. in online forms, by special marking (e.g. colours) or symbols (e.g. asterisks etc.), or personally.
We delete the data after expiry of legal retention period and comparable obligations, i.e. basically after 4 years, unless the data is stored in a customer account, or because it must be kept for legal reasons (e.g. for tax purposes usually 10 years). We shall delete data, which have been disclosed to us by the contractual partner within the framework of an order, in accordance with the requirements of the order, generally after the end of the order.
Insofar as we use third parties or platforms to provide our services, the following shall apply in the relationship between the parties, the terms and conditions and data protection notices of the respective third party providers, or platforms will apply.
In case of contact (e.g. via contact form, e-mail, telephone or via social media), the data of the inquiring persons will be processed, as far as this is necessary to answer the contact inquiries and to take the requested measures.
The answering of the contact inquiries within the scope of contractual or pre-contractual relations takes place to fulfil our contractual obligations or to respond to (pre)contractual enquiries and in all other respects to our contractual obligations, and due to the legitimate interests in answering the questions.
- Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g. text input, photographs, videos).
- Affected persons: Communication partners
- Purposes of processing: Contact requests and communication
- Legal basis: Performance of contract and pre-contractual enquiries (Art. 6 Para. 1 S. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Provision of the online offer and web hosting
In order to be able to provide our online services safely and efficiently, we use the services of one or more of our partners, several web hosting providers, from whose servers (or servers managed by them) the online offer is available. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security and technical maintenance services.
The data processed within the framework of the provision of the hosting offer, may encompass all information pertaining to the users of our website that occur during use and communication which arise in the context of use and communication. This includes regularly the IP address that is necessary to deliver the contents of online offers to browsers, and all entries made within our online offer or from websites.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server logfiles may encompass the websites and files retrieved, the date and time of the retrieval, the amount of data transferred, the notification of successful use of the operating system, referrer URL (the page previously visited) and the browser type and version, the system of the user and usually IP addresses and the requesting provider.
The server logfiles can be used for security purposes, e.g. to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, in order to ensure server utilization and stability.
- Processed data types: Content data (e.g. text input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Affected persons: Users (e.g. website visitors, users of online services).
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. 1 f. GDPR).
The application procedure requires that applicants provide us the data necessary for assessment and selection. The necessary information can be found in the job description.
In general, the required information includes personal information, such as name, address, contact details and proof of the qualifications required for the position. On request we will be happy to tell you also what information is required.
- Processed data types: Applicant data (e.g. personal data, postal and contact addresses, documents and information contained in the application, such as cover letter and curriculum vitae, certificates, as well as any other information on their person or qualification communicated voluntarily by applicants with respect to a specific post.
- Affected persons: Applicants.
- Purpose of processing: Application procedure (justification and possible later implementation as well as potential later termination of the employment).
- Legal basis: Art. 9 para. 1 sentence 1 lit. b GDPR (application procedure as a pre-contractual or contractual relationship) Insofar as special categories of personal data are involved in the application process data within the meaning of Art. 9 para. 1 GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants so that the person responsible or the person concerned can identify him or her, exercise rights arising from labour law and social security and social protection law and fulfil his or her obligations in this respect, their processing shall be carried out in accordance with Art. 9 para. 2. lit. b. GDPR, in the case of the protection of vital interests of applicants or other persons according to Art. 9 para. 2 lit. c. GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the ability of the employee to work, for medical diagnostics, care or treatment in the health or social sector or for the management of systems and services in the health or social sector according to Art. 9 para. 2 lit. h. GDPR. In the case of notification of special categroies of data, based on voluntary consent, their processing is carried out on the basis of Art. 9 Par. 2 lit. a. GDPR).
Promotional communication via mail, fax or telephone
We process personal data for the purposes of advertising communication, which may be transmitted via various channels, e.g. e-mail, telephone, mail or fax. In this context, we comply with the statutory requirements and obtain the necessary consent if communication is not permitted by law.
Recipients have the right to revoke any consent given at any time or to object to advertising communication any time. After revocation or objection, we may save the data required for proof of consent for up to three years, on the basis of our legitimate interests before we delete them. The processing of this data will be limited to the purpose of a possible defence against claims. An individual request for cancellation is possible any time, provided that the former existence of a consent is confirmed at the same time.
- Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., e-mail), telephone numbers).
- Affected individuals: Communication partners.
- Purposes of processing: Direct marketing (e.g. by e-mail or post).
- Legal basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), Legitimate interests (Art. 6 Para. 1 GDPR), Right to vote (Art. 6 Para. 1 GDPR), Right to vote (Art. 6 Para. 1 GDPR) S. 1 lit. f. GDPR).
Presences in social networks
We maintain online presences within social networks in order to communicate with the users active there, or to provide information about us. We would like to point out that user data may be processed outside the European Union. This may result in risks for the users, because e.g. the enforcement of the rights of the users could be made more difficult. With regard to US vendors who are certified under the Privacy Shield or who offer comparable guarantees of a secure level of data protection, we would like to point out that those are therefore obliged to comply with EU data protection standards.
Furthermore, the data of users within social networks are usually used for market research and advertising purposes. For example, the user’s behaviour and interests resulting from it, can be used to create user profiles. The user profiles can in turn be used, e.g. to create advertisements within and outside the networks which are presumably correspond to the interests of the users. As a rule, cookies are stored on the user’s computers for the purpose to store the user behaviour and the interests of the users. Furthermore, data may also be stored in the user profiles independently of the hardware of the users (in particular, if the users are members of the respective platforms and are logged in to these).
For a detailed description of the respective forms of processing and the possibilities for objection (opt-out) we refer to the data protection declarations and information of the operators of the respective networks. Also in the case of requests for information and the assertion of rights of data subjects, we would like to point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and give information. Should you still need help, you may turn to us.
- Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., e-mail), telephone numbers), content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Affected persons: Users (e.g. website visitors, users of online services).
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. 1 f. GDPR).
Services and service providers in use:
Deletion of data
The data processed by us will be deleted in accordance with the statutory provisions as soon as permissions are revoked or other permissions end (e.g. if the purpose of the processing of the data is not valid anymore or they are not necessary for the purpose).
If the data are not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be blocked and not used for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons, or their storage for the purpose of asserting, exercising or defending legal claims or for the protection of rights for any other natural or legal person.
We ask you to inform yourself regularly about the content of our data protection declaration. We adapt the data protection declaration as soon as the changes in data processing carried out by us make this necessary. We will inform you as soon as the changes result in an action of cooperation on your part (e.g. consent), or any other individual notification is required.
If you have any questions regarding our data protection declaration, please contact the person in charge (Contact details see above and in the imprint).
Rights of the persons concerned
Under the GDPR, you are entitled to various rights as data subjects, which are derived in particular from Articles 15 to 18 and 21 of the GDPR:
- Right of objection: You have the right, for reasons arising from your particular situation, at any time to object to the processing of personal data concerning you, which are processed on the basis of Art. 6 Par. 1 e or f GDPR; this also applies to any objection to profiling based on these provisions. If the personal data concerning you are processed for the purpose of direct marketing, you have the right at any time to object to the processing of your personal data for the purpose of each advertising, this also applies to profiling to direct advertising in case it is connected to such direct advertising.
- Right of revocation of consent: You have the right to revoke consent given at any time.
- Right to information: You have the right to demand confirmation as to whether the data in question is processed and to obtain information about these data as well as further information and a copy of the data, in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with the legal requirements, to demand the completion of the data concerning you or the rectification of inaccurate data concerning you.
- Right to delete and restrict processing: In accordance with legal requirements, you have the right to the right to demand that data concerning you be deleted immediately or, alternatively, in accordance with the following provisions to demand a restriction of the processing of the data in accordance with the statutory provisions.
- Right to transfer data: You have the right to obtain any data concerning you, that you provide us in accordance with legal requirements, in a structured, common and machine-readable format, or to request their transmission to another responsible person.
- Complaint to the supervisory authority: You also have the right, in accordance with the statutory provisions, to inform a supervisory authority, in particular in the Member State of your habitual residence, of your workplace or the site of the alleged infringement, if you believe that the processing of your personal data violates of the GDPR.
The supervisory authority responsible for flex2know GmbH is the Bavarian State Office for Data Protection Supervision. (BayLDA), Promenade 18, 91522 Ansbach.