Processing of (personal) data by the entity in charge of the online application process
Information regarding the processing of your personal data during the application process and in connection with this website:
We are pleased that you have applied to one or more companies within the 1Q Health Group. Transparency and the trustworthy handling of your personal data are essential foundations for a successful partnership. Therefore, we are providing you with information on how the company or companies to which you have applied process your data and how you can exercise your rights under the General Data Protection Regulation (GDPR). The information below provides, in the first section, an overview of the collection and processing of your personal data in connection with the application process, and in the following section, information on data processing in connection with the use of this website.
1. Who is responsible for data processing?
The “controller” is the company listed below to which or for which you have applied:
1Q Health GmbH
Gewerbestr. 8
82064 Strasslach-Dingharting
Germany
Email: 1q-hq-dataprotection@1qhealth.com
ABJ alive GmbH
Am Steinkreuz 12
95473 Creußen
Germany
Email: 1q-abj-dataprotection@1qhealth.com
Beauty Production GmbH
Am Langacker 20
95233 Helmbrechts
Germany
Email: 1q-bep-dataprotection@1qhealth.com
DRONANIA pharmaceuticals GmbH
Karl-Benz-Str. 3
86825 Bad Wörishofen
Germany
Email: 1q-dro-dataprotection@1qhealth.com
Hawlik Gesundheitsprodukte GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-hgp-dataprotection@hks-hs.de
HKS health solutions GmbH
Gewerbestrasse 32
5211 Lengau
Austria
Email: 1q-hks-dataprotection@1qhealth.com
Mycotrition GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-myc-dataprotection@mycotrition.com
VivaCell Biotechnology GmbH
Ferdinand-Porsche-Str. 5
79211 Denzlingen
Germany
Email: 1q-viv-dataprotection@1qhealth.com
2. How can you contact the data protection officer?
You can contact the data protection officer at the following email address: DSB-1q-health@intersoft-consulting.de
3. Which of your personal data is used?
Your personal data is processed as part of the application process. Where necessary, processing is carried out to conduct the application process; in certain cases, it is based on your consent. The processed data includes the following categories of data:
Standard information processed as part of the application process:
- Applicant master data (first name, last name, address, desired position)
- Qualification data (cover letter, resume, previous employment, professional qualifications, etc.)
- (Employment) references and certificates (performance data, evaluation data, etc.)
- Correspondence during the application process
Special information that is processed, if necessary, depending on the position to be filled:
- Criminal background check
- Credit report
- Results of medical fitness examinations (fit, unfit, conditionally/partially fit)
- Information regarding work permit / residency status
Other information processed as part of the application process - including, where applicable, information provided voluntarily:
- Publicly available, job-related data (e.g., profiles on professional social networks)
- Voluntary information (e.g., application photo, information regarding severe disability status, or other voluntarily provided information)
- Results of work samples, aptitude, and performance tests
- Reference information
- Interview notes, interview evaluations, and hiring recommendations
- Information regarding the status and progress of the application process
- Technical metadata related to the application process
4. What are the sources of the data?
We process the personal data you provided during the application process
and, if applicable, personal data from the following sources:
- Other companies within the 1Q Health Group (see above under “1”)
- Recruitment service providers (staffing agencies, headhunters, or recruitment consultants)
and, where applicable, personal data is processed that originates from public sources, i.e., professional social networks.
5. For what purposes is your data processed and on what legal basis?
Your personal data is processed in particular in compliance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (“Bundesdatenschutzgesetz” (BDSG)) as well as all other applicable laws.
5.1 Data processing for the decision regarding the conclusion of an employment contract (Art. 6(1)(b) GDPR)
Personal data of applicants is processed for the purposes of the application process if this is necessary for the decision regarding the conclusion of an employment contract (pre-contractual measures).
The necessity and scope of data collection are determined, among other things, by the position to be filled. If the position you are applying for involves particularly confidential tasks, increased personnel and/or financial responsibility, or is subject to certain physical and health requirements, more extensive data collection may be necessary. To ensure data protection, such data processing takes place only after the applicant selection process has been completed and immediately prior to your hiring.
5.2 Data processing based on your consent (Art. 6(1)(a) GDPR, § 26(2) BDSG)
If you have voluntarily consented to the collection, processing, or transfer of certain personal data, this data will be processed on the basis of this consent. In the following cases, your personal data will be processed on the basis of your consent - unless otherwise specified - for a period of up to 18 months:
- Use of your applicant data for future or alternative job openings
- Inclusion in a talent pool or in internal applicant or candidate databases
- Contacting you at a later date outside of the specific application process
- Processing of additional information provided voluntarily
- Obtaining and processing references and recommendations from third parties
- Conducting aptitude, personality, assessment, or similar selection tests
- Conducting and processing video or online interviews
- Active sourcing beyond publicly available information
- Sharing of applicant data within the corporate group (group companies)
- Disclosure of applicant data to external third parties outside the scope of data processing on behalf of the company
- Use of applicant data for statistical analysis (exclusively anonymized or aggregated, no personal reference)
5.3 Based on the legitimate interest of the controller (Art. 6(1)(f) GDPR)
In certain cases, your data will be processed to safeguard a legitimate interest of the company to which you have applied or that of a third party.
- To defend legal claims in proceedings under the General Equal Treatment Act (AGG). In the event of a legal dispute, we have a legitimate interest in processing the data for evidentiary purposes.
- Data matching with EU anti-terrorism lists pursuant to Regulations (EC) No. 2580/2001 and 881/2002: As a company, we are obligated under EU law to cooperate in the fight against terrorism. No funds may be made available to individuals or organizations listed on the terrorism lists (prohibition on provision). For this reason, we are generally required to conduct a name comparison with the terrorist lists and do so as necessary.
6. Applicant database
With your consent, your application documents will be added to the applicant database so that we can consider you for future suitable vacancies and contact you. The legal basis for this is your consent pursuant to Art. 6(1)(a) GDPR, § 26(2) BDSG. Granting consent is voluntary and may be revoked at any time with future effect, e.g., by sending an email to the Data Protection Officer or the controller (see above under “1”). Neither the granting nor the revocation of consent affects the ongoing application process. The lawfulness of the processing carried out up to the time of revocation remains unaffected.
7. To whom will your data be disclosed?
Your data is primarily processed by the Human Resources department and the department head filling your position. In some cases, however, other internal and external departments are also involved in the processing of your data.
Internal departments:
- Human Resources
- Managers / Hiring Managers
- Relevant departments
- Executive Management
Other authorized internal personnel, to the extent necessary and legally permissible for the conduct of the recruitment process. If you consent to group-wide sharing - companies within the 1Q Health Group:
1Q Health GmbH
Gewerbestr. 8
82064 Strasslach-Dingharting
Germany
Email: 1q-hq-dataprotection@1qhealth.com
ABJ alive GmbH
Am Steinkreuz 12
95473 Creußen
Germany
Email: 1q-abj-dataprotection@1qhealth.com
Beauty Production GmbH
Am Langacker 20
95233 Helmbrechts
Germany
Email: 1q-bep-dataprotection@1qhealth.com
DRONANIA pharmaceuticals GmbH
Karl-Benz-Str. 3
86825 Bad Wörishofen
Germany
Email: 1q-dro-dataprotection@1qhealth.com
Hawlik Gesundheitsprodukte GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-hgp-dataprotection@hks-hs.de
HKS health solutions GmbH
Gewerbestrasse 32
5211 Lengau
Austria
Email: 1q-hks-dataprotection@1qhealth.com
Mycotrition GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-myc-dataprotection@mycotrition.com
VivaCell Biotechnology GmbH
Ferdinand-Porsche-Str. 5
79211 Denzlingen
Germany
Email: 1q-viv-dataprotection@1qhealth.com
External service providers:
- Recruitment agencies, headhunters, and/or HR consultants
- Providers of applicant tracking systems
- Providers of aptitude, specialized, or assessment tools
- Video conferencing service providers
- Email and communication service providers
- IT service providers (e.g., hosting, maintenance, and support providers)
- Service providers for document and data destruction
8. Is your data transferred to countries outside the European Union (so-called third countries)?
Countries outside the European Union (and the European Economic Area “EEA”) handle the protection of personal data differently than countries within the European Union. Service providers located in third countries outside the European Union are also used to process your data. There is currently no decision by the European Commission that these third countries generally offer an adequate level of protection. Special measures have been taken to ensure that your data is processed in third countries with the same level of security as within the European Union. Standard data protection clauses provided by the European Commission are concluded with service providers in third countries. These clauses provide appropriate safeguards for the protection of your data with service providers in third countries. If you wish to review the existing safeguards, you may request access to them at: 1q-hq-dataprotection@1qhealth.com.
9. How long will your data be stored?
Your personal data will be stored for as long as necessary to make a decision regarding your application. If an employment relationship is not established between you and the company to which you applied, this data will continue to be stored to the extent necessary to defend against potential legal claims. Your data will generally be deleted within 6 months for companies located in Germany and within 7 months for companies located in Austria after the application process has ended. If an employment relationship is not established but you have given your consent to the continued storage of your data, your data will be stored until you revoke your consent, but for no longer than 18 months. In specific cases, your data may also be stored for a longer period for the purpose of defending against potential legal claims.
10. What rights do you have in connection with the processing of your data?
Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR. With regard to the right of access and the right to erasure, the restrictions under Sections 34 and 35 of the BDSG apply.
10.1 Right to object
What rights do you have in the event of data processing based on a legitimate or public interest?
Pursuant to Article 21(1) of the GDPR, you have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) of the GDPR (data processing in the public interest) or pursuant to Article 6(1)(f) of the GDPR (data processing to safeguard a legitimate interest); this also applies to profiling based on these provisions. In the event of your objection, your personal data will no longer be processed, unless the processing company can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
10.2 Withdrawal of consent
You may withdraw your consent to the processing of personal data at any time. Please note that the withdrawal only takes effect for the future.
10.3 Right of access
You may request information regarding whether the company stores personal data about you. If you wish, you will be informed of the specific data, the purposes for which the data is processed, to whom this data is disclosed, how long the data is stored, and what other rights you have regarding this data.
10.4 Additional rights
In addition, you have the right to have incorrect data corrected or to have your data deleted. If there is no reason for further storage, your data will be deleted; otherwise, processing will be restricted. You may also request that all personal data you have provided be made available to you or to a person or company of your choice in a structured, commonly used, and machine-readable format. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
10.5 Exercising your rights
To exercise your rights, you may contact the data controller or the data protection officer using the contact details provided. Your requests will be processed promptly and in accordance with legal requirements, and you will be informed of the measures taken.
11. Is there an obligation to provide your personal data?
The provision of personal data is neither required by law nor by contract, nor are you obligated to provide personal data. However, the provision of personal data is necessary for the application process to proceed. This means that if you do not provide personal data when applying, the application process cannot be carried out.
12. Automated decision-making pursuant to Art. 22(1) and (4) GDPR
There is no automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR.
13. Specific privacy notice for online meetings, conference calls, and webinars via “Microsoft Teams” of the companies listed under “1”
We (= the company listed under “1” from which you received the video/teleconference invitation or with whose representatives you are conducting a video/teleconference) would like to inform you below about the processing of personal data in connection with the use of “Microsoft Teams.” Microsoft Teams is a proprietary application of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Teams can be used as follows:
- as a client application by signing in with your Microsoft 365 account
- via the mobile app on your tablet, smartphone, etc.
- as a web application via your web browser.
13.1 Who is the controller responsible for data collection and processing?
The entity responsible for data processing directly related to the use of Microsoft Teams is the company listed under “1” from which you received the video/teleconference invitation or with whose members you are conducting a video/teleconference. Note: If you visit the “Microsoft Teams” website, the provider of “Microsoft Teams” is responsible for data processing. However, visiting the website is only necessary for using “Microsoft Teams” in order to download the software required to use “Microsoft Teams”. If you do not want to or cannot use the “Microsoft Teams” app, you can also use “Microsoft Teams” via your browser. In this case, the service is also provided via the “Microsoft Teams” website.
13.2 How can you contact our data protection officer?
You can contact the data protection officer at the following email address: DSB-1q-health@intersoft-consulting.de
13.3 What is the purpose of the processing?
We use “Microsoft Teams” to conduct conference calls, online meetings, video conferences, and/or webinars (hereinafter: “online meetings”). Our focus here is on internal and external communication.
13.4 What data is processed?
When using “Microsoft Teams,” various types of data are processed. The scope of the data also depends on what information you provide before or during your participation in an “online meeting”. The following personal data is subject to processing: User information: e.g., display name, email address (if applicable), profile picture (optional), preferred language
Meeting metadata: e.g., date, time, meeting ID, phone numbers, location, duration of the call Text, audio, and video data: You may have the option to use the chat function during an “online meeting”. In this regard, the text you enter is processed to display it in the “online meeting.” To enable video display and audio playback, data from your device’s microphone and any video camera on the device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the “Microsoft Teams” application. Service-generated data: This includes the user’s IP address and an anonymized user ID; the ID of the Teams meeting and the tenant may also be identifiable.
Availability status: If you have a Microsoft account in our organization, your availability status may be visible to other users in our organization. If you do not wish to use Microsoft’s automated status updates, you can also set them manually. Poll results: When the poll feature is used in meetings. File attachments: Files shared in chat or in a channel.
13.5 What is the scope of processing?
We use “Microsoft Teams” to conduct “online meetings.” We have generally disabled the technical capability to record or transcribe “online meetings” by default. If activation is required in exceptional cases, we will inform you transparently in advance and - where necessary - request your consent. If it is necessary for the purpose of documenting the results of an online meeting, we will log the chat content. However, this will generally not be the case. Automated decision-making within the meaning of Art. 22 GDPR is not used.
13.6 What are the legal bases for data processing?
To the extent that personal data of employees or job applicants of the companies listed under “1” is processed, Article 6(1)(b) of the GDPR forms the legal basis for data processing. If, in connection with the use of “Microsoft Teams,” personal data is not necessary for the establishment, performance, or termination of the employment relationship but is nonetheless an essential component of using “Microsoft Teams,” then Article 6(1)(f) of the GDPR generally serves as the legal basis for data processing. In these cases, our interest lies in the effective conduct of “online meetings” for the purpose of internal and external communication. Here, too, our interest lies in the effective conduct of “online meetings.” With regard to service-generated data, both we and Microsoft also have an interest in ensuring the proper functioning and IT security of the IT systems. With regard to the processing of video and/or audio recordings, this is done voluntarily by enabling the camera and/or microphone, so that Article 6(1)(a) of the GDPR (consent) constitutes the legal basis. Consent may be revoked at any time with effect for the future by revoking the authorization of the camera and/or microphone. The same applies to the use of the chat function with regard to the processing of text data. You will not suffer any disadvantages if you choose not to participate.
13.7 Who are the recipients of your data?
When using Microsoft 365, various personal data is transmitted to Microsoft. We have entered into a data processing agreement with Microsoft pursuant to Article 28 of the GDPR, under which Microsoft has committed to complying with various obligations under the GDPR. Microsoft also uses additional subprocessors. In these respective legal relationships, the respective agreements on data processing within the meaning of Article 28(3) of the GDPR apply. Recipients of the content you express, post in the chat, or display continue to be the participants in the respective “online meeting".
13.8 Is data processed outside the European Union?
Data is generally not processed outside the European Union (EU), as we have limited our storage locations to data centers within the European Union. However, we cannot rule out the possibility that data may be routed through internet servers located outside the EU. This may be the case, in particular, if participants in an “online meeting” are located in a third country. However, the data is encrypted during transmission over the Internet and is thus protected against unauthorized access by third parties. Processing in third countries is carried out on the basis of the EU Standard Data Protection Clauses adopted by the European Commission pursuant to Art. 46 GDPR. These have been contractually agreed upon with Microsoft, and corresponding obligations are passed on to Microsoft’s subprocessors. In addition, Microsoft and we implement many different supplementary measures to ensure a comparable level of data protection in the third country, e.g.:
For example, Microsoft is certified to ISO 27001, ISO 27002, and ISO 27018, among others. To the extent that this is within our control, we will deactivate the optional Connected Experiences and keep the transmission of diagnostic and telemetry data to Microsoft to a minimum. This significantly reduces Microsoft’s analysis of your behaviour for its own purposes and the number of data transfers to the third country. In addition, for any transfer of personal data to the U.S., there is an adequacy decision by the European Commission pursuant to Art. 45 GDPR within the framework of the EU-U.S. Data Privacy Framework for companies certified under this framework, such as Microsoft Corporation.
13.9 When is your personal data deleted?
We generally delete personal data when there is no longer a need for further storage. A need may exist, in particular, if the data is still required to fulfill contractual obligations, or to review, grant, or defend against warranty and, where applicable, guarantee claims. In the case of statutory retention obligations, deletion is only considered after the respective retention period has expired. You have the option at any time to access, extract, and delete the content data stored in Teams. Teams chats and posts are automatically deleted as communication data after a retention period of two years. Audio and video calls are not recorded. Service-generated data is stored by default for up to 180 days after collection; longer retention periods are possible if this is necessary for the security of the services or to comply with legal or regulatory requirements.
13.10 What rights do you have regarding the processing of your data?
You have the following rights with respect to the personal data concerning you:
13.10.1 General rights
You have the right to access, rectification, erasure, restriction of processing, objection to processing, and data portability. To the extent that processing is based on your consent, you have the right to withdraw this consent with future effect.
13.10.2 Rights regarding data processing based on legitimate / public interest
Pursuant to Article 21(1) of the GDPR, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) GDPR (data processing in the public interest) or Article 6(1)(f) GDPR (data processing to safeguard a legitimate interest); this also applies to profiling based on these provisions. In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
13.10.3 Rights regarding direct marketing
If we process your personal data for the purpose of direct marketing, you have the right, pursuant to Art. 21(2) GDPR, to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for the purpose of direct marketing, we will no longer process your personal data for these purposes.
13.10.4 Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.
13.11 Is there an obligation to provide your personal data?
The provision of your data is generally voluntary. However, if you do not consent to the processing of data in connection with your use of Microsoft Teams, you will not be able to use the services provided.
To enter into an employment relationship, you must provide us with the personal data necessary to carry out the employment relationship or that we are required to collect by law. If you do not provide us with this data, we will not be able to carry out the employment relationship.
14. Changes to this information
The privacy notice is updated to reflect changes in functionality or legal requirements. Therefore, you should review the privacy notice at regular intervals. If your consent is required or if parts of the privacy notice contain provisions regarding the contractual relationship with you, changes will only be made with your consent.
We are pleased that you have applied to one or more companies within the 1Q Health Group. Transparency and the trustworthy handling of your personal data are essential foundations for a successful partnership. Therefore, we are providing you with information on how the company or companies to which you have applied process your data and how you can exercise your rights under the General Data Protection Regulation (GDPR). The information below provides, in the first section, an overview of the collection and processing of your personal data in connection with the application process, and in the following section, information on data processing in connection with the use of this website.
1. Who is responsible for data processing?
The “controller” is the company listed below to which or for which you have applied:
1Q Health GmbH
Gewerbestr. 8
82064 Strasslach-Dingharting
Germany
Email: 1q-hq-dataprotection@1qhealth.com
ABJ alive GmbH
Am Steinkreuz 12
95473 Creußen
Germany
Email: 1q-abj-dataprotection@1qhealth.com
Beauty Production GmbH
Am Langacker 20
95233 Helmbrechts
Germany
Email: 1q-bep-dataprotection@1qhealth.com
DRONANIA pharmaceuticals GmbH
Karl-Benz-Str. 3
86825 Bad Wörishofen
Germany
Email: 1q-dro-dataprotection@1qhealth.com
Hawlik Gesundheitsprodukte GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-hgp-dataprotection@hks-hs.de
HKS health solutions GmbH
Gewerbestrasse 32
5211 Lengau
Austria
Email: 1q-hks-dataprotection@1qhealth.com
Mycotrition GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-myc-dataprotection@mycotrition.com
VivaCell Biotechnology GmbH
Ferdinand-Porsche-Str. 5
79211 Denzlingen
Germany
Email: 1q-viv-dataprotection@1qhealth.com
2. How can you contact the data protection officer?
You can contact the data protection officer at the following email address: DSB-1q-health@intersoft-consulting.de
3. Which of your personal data is used?
Your personal data is processed as part of the application process. Where necessary, processing is carried out to conduct the application process; in certain cases, it is based on your consent. The processed data includes the following categories of data:
Standard information processed as part of the application process:
- Applicant master data (first name, last name, address, desired position)
- Qualification data (cover letter, resume, previous employment, professional qualifications, etc.)
- (Employment) references and certificates (performance data, evaluation data, etc.)
- Correspondence during the application process
Special information that is processed, if necessary, depending on the position to be filled:
- Criminal background check
- Credit report
- Results of medical fitness examinations (fit, unfit, conditionally/partially fit)
- Information regarding work permit / residency status
Other information processed as part of the application process - including, where applicable, information provided voluntarily:
- Publicly available, job-related data (e.g., profiles on professional social networks)
- Voluntary information (e.g., application photo, information regarding severe disability status, or other voluntarily provided information)
- Results of work samples, aptitude, and performance tests
- Reference information
- Interview notes, interview evaluations, and hiring recommendations
- Information regarding the status and progress of the application process
- Technical metadata related to the application process
4. What are the sources of the data?
We process the personal data you provided during the application process
and, if applicable, personal data from the following sources:
- Other companies within the 1Q Health Group (see above under “1”)
- Recruitment service providers (staffing agencies, headhunters, or recruitment consultants)
and, where applicable, personal data is processed that originates from public sources, i.e., professional social networks.
5. For what purposes is your data processed and on what legal basis?
Your personal data is processed in particular in compliance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (“Bundesdatenschutzgesetz” (BDSG)) as well as all other applicable laws.
5.1 Data processing for the decision regarding the conclusion of an employment contract (Art. 6(1)(b) GDPR)
Personal data of applicants is processed for the purposes of the application process if this is necessary for the decision regarding the conclusion of an employment contract (pre-contractual measures).
The necessity and scope of data collection are determined, among other things, by the position to be filled. If the position you are applying for involves particularly confidential tasks, increased personnel and/or financial responsibility, or is subject to certain physical and health requirements, more extensive data collection may be necessary. To ensure data protection, such data processing takes place only after the applicant selection process has been completed and immediately prior to your hiring.
5.2 Data processing based on your consent (Art. 6(1)(a) GDPR, § 26(2) BDSG)
If you have voluntarily consented to the collection, processing, or transfer of certain personal data, this data will be processed on the basis of this consent. In the following cases, your personal data will be processed on the basis of your consent - unless otherwise specified - for a period of up to 18 months:
- Use of your applicant data for future or alternative job openings
- Inclusion in a talent pool or in internal applicant or candidate databases
- Contacting you at a later date outside of the specific application process
- Processing of additional information provided voluntarily
- Obtaining and processing references and recommendations from third parties
- Conducting aptitude, personality, assessment, or similar selection tests
- Conducting and processing video or online interviews
- Active sourcing beyond publicly available information
- Sharing of applicant data within the corporate group (group companies)
- Disclosure of applicant data to external third parties outside the scope of data processing on behalf of the company
- Use of applicant data for statistical analysis (exclusively anonymized or aggregated, no personal reference)
5.3 Based on the legitimate interest of the controller (Art. 6(1)(f) GDPR)
In certain cases, your data will be processed to safeguard a legitimate interest of the company to which you have applied or that of a third party.
- To defend legal claims in proceedings under the General Equal Treatment Act (AGG). In the event of a legal dispute, we have a legitimate interest in processing the data for evidentiary purposes.
- Data matching with EU anti-terrorism lists pursuant to Regulations (EC) No. 2580/2001 and 881/2002: As a company, we are obligated under EU law to cooperate in the fight against terrorism. No funds may be made available to individuals or organizations listed on the terrorism lists (prohibition on provision). For this reason, we are generally required to conduct a name comparison with the terrorist lists and do so as necessary.
6. Applicant database
With your consent, your application documents will be added to the applicant database so that we can consider you for future suitable vacancies and contact you. The legal basis for this is your consent pursuant to Art. 6(1)(a) GDPR, § 26(2) BDSG. Granting consent is voluntary and may be revoked at any time with future effect, e.g., by sending an email to the Data Protection Officer or the controller (see above under “1”). Neither the granting nor the revocation of consent affects the ongoing application process. The lawfulness of the processing carried out up to the time of revocation remains unaffected.
7. To whom will your data be disclosed?
Your data is primarily processed by the Human Resources department and the department head filling your position. In some cases, however, other internal and external departments are also involved in the processing of your data.
Internal departments:
- Human Resources
- Managers / Hiring Managers
- Relevant departments
- Executive Management
Other authorized internal personnel, to the extent necessary and legally permissible for the conduct of the recruitment process. If you consent to group-wide sharing - companies within the 1Q Health Group:
1Q Health GmbH
Gewerbestr. 8
82064 Strasslach-Dingharting
Germany
Email: 1q-hq-dataprotection@1qhealth.com
ABJ alive GmbH
Am Steinkreuz 12
95473 Creußen
Germany
Email: 1q-abj-dataprotection@1qhealth.com
Beauty Production GmbH
Am Langacker 20
95233 Helmbrechts
Germany
Email: 1q-bep-dataprotection@1qhealth.com
DRONANIA pharmaceuticals GmbH
Karl-Benz-Str. 3
86825 Bad Wörishofen
Germany
Email: 1q-dro-dataprotection@1qhealth.com
Hawlik Gesundheitsprodukte GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-hgp-dataprotection@hks-hs.de
HKS health solutions GmbH
Gewerbestrasse 32
5211 Lengau
Austria
Email: 1q-hks-dataprotection@1qhealth.com
Mycotrition GmbH
Gewerbestr. 8
82064 Straßlach
Germany
Email: 1q-myc-dataprotection@mycotrition.com
VivaCell Biotechnology GmbH
Ferdinand-Porsche-Str. 5
79211 Denzlingen
Germany
Email: 1q-viv-dataprotection@1qhealth.com
External service providers:
- Recruitment agencies, headhunters, and/or HR consultants
- Providers of applicant tracking systems
- Providers of aptitude, specialized, or assessment tools
- Video conferencing service providers
- Email and communication service providers
- IT service providers (e.g., hosting, maintenance, and support providers)
- Service providers for document and data destruction
8. Is your data transferred to countries outside the European Union (so-called third countries)?
Countries outside the European Union (and the European Economic Area “EEA”) handle the protection of personal data differently than countries within the European Union. Service providers located in third countries outside the European Union are also used to process your data. There is currently no decision by the European Commission that these third countries generally offer an adequate level of protection. Special measures have been taken to ensure that your data is processed in third countries with the same level of security as within the European Union. Standard data protection clauses provided by the European Commission are concluded with service providers in third countries. These clauses provide appropriate safeguards for the protection of your data with service providers in third countries. If you wish to review the existing safeguards, you may request access to them at: 1q-hq-dataprotection@1qhealth.com.
9. How long will your data be stored?
Your personal data will be stored for as long as necessary to make a decision regarding your application. If an employment relationship is not established between you and the company to which you applied, this data will continue to be stored to the extent necessary to defend against potential legal claims. Your data will generally be deleted within 6 months for companies located in Germany and within 7 months for companies located in Austria after the application process has ended. If an employment relationship is not established but you have given your consent to the continued storage of your data, your data will be stored until you revoke your consent, but for no longer than 18 months. In specific cases, your data may also be stored for a longer period for the purpose of defending against potential legal claims.
10. What rights do you have in connection with the processing of your data?
Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR. With regard to the right of access and the right to erasure, the restrictions under Sections 34 and 35 of the BDSG apply.
10.1 Right to object
What rights do you have in the event of data processing based on a legitimate or public interest?
Pursuant to Article 21(1) of the GDPR, you have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) of the GDPR (data processing in the public interest) or pursuant to Article 6(1)(f) of the GDPR (data processing to safeguard a legitimate interest); this also applies to profiling based on these provisions. In the event of your objection, your personal data will no longer be processed, unless the processing company can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
10.2 Withdrawal of consent
You may withdraw your consent to the processing of personal data at any time. Please note that the withdrawal only takes effect for the future.
10.3 Right of access
You may request information regarding whether the company stores personal data about you. If you wish, you will be informed of the specific data, the purposes for which the data is processed, to whom this data is disclosed, how long the data is stored, and what other rights you have regarding this data.
10.4 Additional rights
In addition, you have the right to have incorrect data corrected or to have your data deleted. If there is no reason for further storage, your data will be deleted; otherwise, processing will be restricted. You may also request that all personal data you have provided be made available to you or to a person or company of your choice in a structured, commonly used, and machine-readable format. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
10.5 Exercising your rights
To exercise your rights, you may contact the data controller or the data protection officer using the contact details provided. Your requests will be processed promptly and in accordance with legal requirements, and you will be informed of the measures taken.
11. Is there an obligation to provide your personal data?
The provision of personal data is neither required by law nor by contract, nor are you obligated to provide personal data. However, the provision of personal data is necessary for the application process to proceed. This means that if you do not provide personal data when applying, the application process cannot be carried out.
12. Automated decision-making pursuant to Art. 22(1) and (4) GDPR
There is no automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR.
13. Specific privacy notice for online meetings, conference calls, and webinars via “Microsoft Teams” of the companies listed under “1”
We (= the company listed under “1” from which you received the video/teleconference invitation or with whose representatives you are conducting a video/teleconference) would like to inform you below about the processing of personal data in connection with the use of “Microsoft Teams.” Microsoft Teams is a proprietary application of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Teams can be used as follows:
- as a client application by signing in with your Microsoft 365 account
- via the mobile app on your tablet, smartphone, etc.
- as a web application via your web browser.
13.1 Who is the controller responsible for data collection and processing?
The entity responsible for data processing directly related to the use of Microsoft Teams is the company listed under “1” from which you received the video/teleconference invitation or with whose members you are conducting a video/teleconference. Note: If you visit the “Microsoft Teams” website, the provider of “Microsoft Teams” is responsible for data processing. However, visiting the website is only necessary for using “Microsoft Teams” in order to download the software required to use “Microsoft Teams”. If you do not want to or cannot use the “Microsoft Teams” app, you can also use “Microsoft Teams” via your browser. In this case, the service is also provided via the “Microsoft Teams” website.
13.2 How can you contact our data protection officer?
You can contact the data protection officer at the following email address: DSB-1q-health@intersoft-consulting.de
13.3 What is the purpose of the processing?
We use “Microsoft Teams” to conduct conference calls, online meetings, video conferences, and/or webinars (hereinafter: “online meetings”). Our focus here is on internal and external communication.
13.4 What data is processed?
When using “Microsoft Teams,” various types of data are processed. The scope of the data also depends on what information you provide before or during your participation in an “online meeting”. The following personal data is subject to processing: User information: e.g., display name, email address (if applicable), profile picture (optional), preferred language
Meeting metadata: e.g., date, time, meeting ID, phone numbers, location, duration of the call Text, audio, and video data: You may have the option to use the chat function during an “online meeting”. In this regard, the text you enter is processed to display it in the “online meeting.” To enable video display and audio playback, data from your device’s microphone and any video camera on the device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the “Microsoft Teams” application. Service-generated data: This includes the user’s IP address and an anonymized user ID; the ID of the Teams meeting and the tenant may also be identifiable.
Availability status: If you have a Microsoft account in our organization, your availability status may be visible to other users in our organization. If you do not wish to use Microsoft’s automated status updates, you can also set them manually. Poll results: When the poll feature is used in meetings. File attachments: Files shared in chat or in a channel.
13.5 What is the scope of processing?
We use “Microsoft Teams” to conduct “online meetings.” We have generally disabled the technical capability to record or transcribe “online meetings” by default. If activation is required in exceptional cases, we will inform you transparently in advance and - where necessary - request your consent. If it is necessary for the purpose of documenting the results of an online meeting, we will log the chat content. However, this will generally not be the case. Automated decision-making within the meaning of Art. 22 GDPR is not used.
13.6 What are the legal bases for data processing?
To the extent that personal data of employees or job applicants of the companies listed under “1” is processed, Article 6(1)(b) of the GDPR forms the legal basis for data processing. If, in connection with the use of “Microsoft Teams,” personal data is not necessary for the establishment, performance, or termination of the employment relationship but is nonetheless an essential component of using “Microsoft Teams,” then Article 6(1)(f) of the GDPR generally serves as the legal basis for data processing. In these cases, our interest lies in the effective conduct of “online meetings” for the purpose of internal and external communication. Here, too, our interest lies in the effective conduct of “online meetings.” With regard to service-generated data, both we and Microsoft also have an interest in ensuring the proper functioning and IT security of the IT systems. With regard to the processing of video and/or audio recordings, this is done voluntarily by enabling the camera and/or microphone, so that Article 6(1)(a) of the GDPR (consent) constitutes the legal basis. Consent may be revoked at any time with effect for the future by revoking the authorization of the camera and/or microphone. The same applies to the use of the chat function with regard to the processing of text data. You will not suffer any disadvantages if you choose not to participate.
13.7 Who are the recipients of your data?
When using Microsoft 365, various personal data is transmitted to Microsoft. We have entered into a data processing agreement with Microsoft pursuant to Article 28 of the GDPR, under which Microsoft has committed to complying with various obligations under the GDPR. Microsoft also uses additional subprocessors. In these respective legal relationships, the respective agreements on data processing within the meaning of Article 28(3) of the GDPR apply. Recipients of the content you express, post in the chat, or display continue to be the participants in the respective “online meeting".
13.8 Is data processed outside the European Union?
Data is generally not processed outside the European Union (EU), as we have limited our storage locations to data centers within the European Union. However, we cannot rule out the possibility that data may be routed through internet servers located outside the EU. This may be the case, in particular, if participants in an “online meeting” are located in a third country. However, the data is encrypted during transmission over the Internet and is thus protected against unauthorized access by third parties. Processing in third countries is carried out on the basis of the EU Standard Data Protection Clauses adopted by the European Commission pursuant to Art. 46 GDPR. These have been contractually agreed upon with Microsoft, and corresponding obligations are passed on to Microsoft’s subprocessors. In addition, Microsoft and we implement many different supplementary measures to ensure a comparable level of data protection in the third country, e.g.:
For example, Microsoft is certified to ISO 27001, ISO 27002, and ISO 27018, among others. To the extent that this is within our control, we will deactivate the optional Connected Experiences and keep the transmission of diagnostic and telemetry data to Microsoft to a minimum. This significantly reduces Microsoft’s analysis of your behaviour for its own purposes and the number of data transfers to the third country. In addition, for any transfer of personal data to the U.S., there is an adequacy decision by the European Commission pursuant to Art. 45 GDPR within the framework of the EU-U.S. Data Privacy Framework for companies certified under this framework, such as Microsoft Corporation.
13.9 When is your personal data deleted?
We generally delete personal data when there is no longer a need for further storage. A need may exist, in particular, if the data is still required to fulfill contractual obligations, or to review, grant, or defend against warranty and, where applicable, guarantee claims. In the case of statutory retention obligations, deletion is only considered after the respective retention period has expired. You have the option at any time to access, extract, and delete the content data stored in Teams. Teams chats and posts are automatically deleted as communication data after a retention period of two years. Audio and video calls are not recorded. Service-generated data is stored by default for up to 180 days after collection; longer retention periods are possible if this is necessary for the security of the services or to comply with legal or regulatory requirements.
13.10 What rights do you have regarding the processing of your data?
You have the following rights with respect to the personal data concerning you:
13.10.1 General rights
You have the right to access, rectification, erasure, restriction of processing, objection to processing, and data portability. To the extent that processing is based on your consent, you have the right to withdraw this consent with future effect.
13.10.2 Rights regarding data processing based on legitimate / public interest
Pursuant to Article 21(1) of the GDPR, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) GDPR (data processing in the public interest) or Article 6(1)(f) GDPR (data processing to safeguard a legitimate interest); this also applies to profiling based on these provisions. In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
13.10.3 Rights regarding direct marketing
If we process your personal data for the purpose of direct marketing, you have the right, pursuant to Art. 21(2) GDPR, to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for the purpose of direct marketing, we will no longer process your personal data for these purposes.
13.10.4 Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.
13.11 Is there an obligation to provide your personal data?
The provision of your data is generally voluntary. However, if you do not consent to the processing of data in connection with your use of Microsoft Teams, you will not be able to use the services provided.
To enter into an employment relationship, you must provide us with the personal data necessary to carry out the employment relationship or that we are required to collect by law. If you do not provide us with this data, we will not be able to carry out the employment relationship.
14. Changes to this information
The privacy notice is updated to reflect changes in functionality or legal requirements. Therefore, you should review the privacy notice at regular intervals. If your consent is required or if parts of the privacy notice contain provisions regarding the contractual relationship with you, changes will only be made with your consent.