Data Protection and Privacy Policy

for Website Visitors   -   for Candidates

Data Protection Declaration for Website Visitors

Name and address of the data controller

The responsible body within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is: Constares GmbH

Hansastraße 10

80686 München Germany

Telefon: +49 89 125039830

E-Mail: info@constares.com

Name and address of the data protection officer

The data protection officer of the data controller is:

Jörg Hermann Freibadstr. 30
81543 München
Germany

Telefon: +49 89 200 033 580
E-Mail: datenschutz@constares.com

General information on data processing

Legal basis for processing personal data

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If you have consented to data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, insofar as special categories of data are processed in accordance with Art. 9 para. 1 GDPR. In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or access to information in your end device (e.g. via device fingerprinting), the data processing is also carried out on the basis of Section 25 (1) TDDDG. Consent can be revoked at any time. If your data is required to fulfill the contract or to carry out pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b GDPR. Furthermore, we process your data if this is necessary to fulfill a legal obligation on the basis of Art. 6 para. 1 lit. c GDPR. Data processing may also be carried out on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

Data deletion and storage period

We adhere to the principles of data minimization in accordance with Art. 5 para. 1 lit. c GDPR and storage limitation in accordance with Art. 5 para. 1 lit. e GDPR. We only store your personal data for as long as is necessary to achieve the purposes stated here or as provided for by the retention periods stipulated by law. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as quickly as possible.

External links

This website may contain links to third-party websites or to other websites under our responsibility. If you follow a link to a website outside our responsibility, please note that these websites have their own data protection information. We accept no responsibility or liability for these third-party websites and their data protection notices. Therefore, before using these websites, please check whether you agree with their data protection declarations.

You can recognize external links either by the fact that they are displayed in a different colour from the rest of the text or underlined. Your cursor will show you external links when you move it over such a link. Only when you click on an external link will your personal data be transferred to the destination of the link. In particular, the operator of the other website will receive your IP address, the time at which you clicked on the link, the page on which you clicked on the link and other information that you can find in the data protection information of the respective provider.

Please also note that individual links may lead to a data transfer outside the European Economic Area. This could give foreign authorities access to your data. You may not have any legal remedies against this data access. If you do not want your personal data to be transferred to the link destination or even to be exposed to unwanted access by foreign authorities, please do not click on any links.

Rights of data subjects

As a data subject within the meaning of the GDPR, you have the opportunity to assert various rights. The data subject rights arising from the GDPR are the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to object (Article 21), the right to lodge a complaint with a supervisory authority and the right to data portability (Article 20).

Right of revocation:

Some data processing can only take place with your express consent. You have the option to revoke your consent at any time. However, this does not affect the legality of the data processing up to the point of revocation.

Right of objection:

If the processing is based on Art. 6 para. 1 lit. e or f GDPR, you as the data subject can object to the processing of your personal data at any time for reasons arising from your particular situation. You also have this right in the case of profiling based on these provisions within the meaning of Art. 4(4) GDPR. If we cannot demonstrate a legitimate interest in the processing that outweighs your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims, we will refrain from processing your data after the objection has been made.

If the processing of personal data serves the purpose of direct marketing, you also have the right to object at any time. The same applies to profiling associated with direct marketing. Here, too, we will no longer process personal data as soon as you raise an objection.

Right to lodge a complaint with a supervisory authority:

If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, without prejudice to any other administrative or judicial remedy.

Right to data portability:

If your data is processed automatically based on consent or fulfilment of a contract, you have the right to receive this data in a structured, common and machine-readable format. You also have the right to request that the data be transferred and made available to another data controller, insofar as this is technically feasible.

Right of access, rectification and erasure:

You have the right to obtain information about the processing of your personal data with regard to the purpose, categories and recipients of the data processing, as well as the duration of storage. If you have any questions on this topic or on other topics regarding personal data, you can of course contact us using the contact options provided in the legal notice.

Right to restriction of processing:

You may assert your right to the restriction of processing of your personal data at any time. To do this, you must meet one of the following requirements:

• You contest the accuracy of the personal data. While the accuracy of the data is being verified, you have the right to demand that its processing is restricted.
• You contest the accuracy of the personal data. While the accuracy of the data is being verified, you have the right to demand that its processing is restricted.
• If processing is unlawful, you can request the restriction of the use of the data as an alternative to deletion.
• If we no longer need your personal data for the purposes of processing, but you need the data to assert, exercise or defend legal claims, you can request the restriction of processing as an alternative to deletion.
• If you object to the processing in accordance with Article 21(1) GDPR, we will weigh up your interests against ours. Until this weighing up is completed, you have the right to request the restriction of processing.

The effect of restricting processing is that, apart from storage, the personal data may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a member state.

Provision of the website (web host)

When you access our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or our hosting company’s

• IP address of the website visitor's end device
• device used
• host name of the accessing computer
• visitor's operating system
• browser type and version
• name of the retrieved file
• time of server request
• amount of data
• information on whether the retrieval of the data was successful

Instead of operating this website on our own server, we may also commission an external service provider (hosting company) to operate it on their own server, which we have named above in this case. The personal data collected by this website will be stored on the hosting company’s servers. In addition to the data mentioned above, the web host also stores for us, for example, contact requests, contact details, names, website access data, meta and communication data, contract data and other data generated via a website.

The legal basis for processing this data is Article 6(1)(f) GDPR . Our legitimate interest is the technically error-free presentation and optimization of this website. If the website is called up in order to enter into contract negotiations with us or to conclude a contract, this serves as a further legal basis (Article 6(1)(b) GDPR). In the event that we have commissioned a hosting company, a order processing contract will have been agreed with this service provider.

Whitepaper and direct marketing

By downloading the whitepaper, you confirm that you would like to receive future newsletters at the email address you have provided. The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a GDPR and Section 7 para. 2 no. 3 UWG. Your data will be stored for as long as you wish to receive the newsletter. In the event of cancellation, you will no longer receive a newsletter from us.

Use of Cookies

Our website uses “cookies”. Cookies are information that a web server (server that provides web content) stores on your end device in order to be able to identify this end device. They are either stored temporarily for the duration of a session (session cookies) and deleted at the end of your visit to a website or permanently (permanent cookies) on your end device until you delete them yourself or they are automatically deleted by your web browser.

Cookies can also be stored on your device by third-party companies when you visit our website (third-party requests). This enables us, as the operator, and you, as a visitor to this website, to make use of certain third-party services that are installed on this website. Examples of this are cookies for processing payment services or cookies for displaying videos.

Cookies have a wide range of uses. They can improve the functionality of a website, control shopping cart functions, increase the security and convenience of website use and carry out analyses of visitor flows and behavior. Depending on the individual functions, cookies must be classified according to data protection law. If they are necessary for the operation of the website and are intended to provide certain functions (shopping cart function) or serve to optimize the website (e.g. cookies to measure visitor behavior), they are used on the basis of Art. 6 para. 1 lit. f GDPR. As the website operator, we have a legitimate interest in the storage of cookies for the technically error-free and optimized provision of our services. In all other cases, cookies are only stored with your express consent (Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG).

If cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in this data protection notice. Your required consent will be requested and can be revoked at any time.

Use of external services

External services are used on our website. External services are services from third-party providers that are used on our website. This can be done for various reasons, for example for embedding videos or for the security of the website. When using these services, personal data is also passed on to the respective providers of these external services. If we do not have a legitimate interest in using these services, we will obtain your consent as a visitor to our website, which can be revoked at any time, before using them (Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG).

Marketing

Our website uses tools that offer services relating to campaigns, web analysis and personalization. This enables a central and comprehensive collection of all data, which in turn is necessary for the optimization and planning of digital campaigns. These services can be set and used by our advertising partners via our website to create a profile of your interests and show you relevant ads on other websites.

The processing of the data is based on the legal basis of consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG). As a website visitor, you have consented to the processing of your personal data with your voluntary, express and prior consent. Without separate consent, the personal data will not be processed by us in the manner described above, provided that there is no other legal basis within the meaning of Art. 6 para. 1 GDPR on which we base the processing. We will proceed in the same way if you revoke your consent. This will not affect the lawfulness of the processing carried out until you revoke your consent.

Cloudworx

Our website uses the service Cloudworx. The provider of this service is cloudworx GmbH, Rupert-Mayer-Straße 44, Gebäude 64.07a, 81379 München, Germany.

Presence on LinkedIn

Social networks process your users' personal data on a large scale. When you visit our profiles, your IP address and other information about the devices you use are processed, which makes it possible to assign IP addresses to individual users. We have no influence on this data processing. We would like to point out that you use our profiles on the social networks and their functions on your own responsibility. Details on data processing can be found in the operator's privacy policy.

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

Detailed information on the handling of personal data can be found in the following LinkedIn privacy policy: www.linkedin.com/legal/privacy-policy.

The purpose of our profiles on social media platforms is to increase our online presence and thus raise our profile. Therefore, the legal basis is legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Furthermore, with regard to the processing activities by the social networks, reference should be made to their own legal bases (e.g. consent pursuant to Art. 6 para. 1 lit. a GDPR), which you can find in the respective privacy policy.

In principle, we are jointly responsible with the social media platform for the data processing operations triggered when you visit our profile. You can therefore assert your rights as a data subject in accordance with Art. 15ff GDPR against the social media platform as well as against us. However, we would like to point out that we have no influence on data processing by the social media platform.

Version 14.10.2024

Data Protection Declaration for Candidates

Personal data as part of the application process

Personal data is information about the personal or factual circumstances of an identified or identifiable natural person. This includes information such as your name, your address, your telephone number and your date of birth, but also data about your specific career, etc., which can be assigned to a specific person with reasonable effort.

Application procedure

We process your applicant data exclusively for the purpose of and as part of the application process in accordance with the legal requirements. Applicant data is processed to fulfil our (pre-)contractual obligations as part of the applicant selection process within the meaning of Art. 6 para. 1 lit. b. GDPR and Section 26 BDSG, insofar as data processing becomes necessary for us, e.g. in the context of legal proceedings.

The application procedure requires applicants to send us their application documents. The required applicant data is labelled in the online form and is otherwise derived from the job descriptions. In principle, this includes personal details, address and contact details as well as the documents relating to the application, such as cover letter, CV and references. Applicants can also voluntarily provide us with additional information.

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).

Applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. In addition to an application via the online form and by e-mail, it is also possible to send us the application by post.

If the application for a job offer is not successful, the applicant's data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified cancellation by the applicant, the deletion will take place after a period of six months so that we can answer any follow-up questions about the application and fulfil our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

Types of data processed: Applicant data (e.g. personal details, address and contact details, CV, references and other personal or qualification information provided with regard to a specific position or voluntarily by applicants).

Data subjects: Applicants

Purposes of processing: Applicant selection procedure

Legal basis: Art. 6 para. 1 lit. b GDPR in conjunction with Section 26 para. 1 BDSG, legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Service providers used

We use the following third-party providers to carry out the online application process.

Salesforce: applicant management system and candidate database; service provider: salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany

Cloudworx: Process automation in Salesforce; Service provider: cloudworx GmbH, Rupert-Mayer-Straße 44, Building 64.07a, 81379 Munich, Germany

Microsoft Teams and Microsoft Bookings: Appointment scheduling and job interviews; Service provider: Microsoft Ireland Operations, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland

Talent pool

As part of the application process, we offer applicants the opportunity to be included in our "Talent Pool" on the basis of consent within the meaning of Art. 6 para. 1 lit. a and Art. 7 GDPR.

The application documents in the applicant pool will only be processed in the context of future job advertisements and will be destroyed after the period of one year at the latest. Inclusion in the talent pool is voluntary and has no influence on the current application process. This consent is voluntary and can be revoked at any time for the future.

Rights of the data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to withdraw consent: You have the right to withdraw any consent you have given at any time.

Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with the legal requirements.

Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with the legal requirements.

Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.

Right to data portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request that it be transferred to another controller.

Complaint to the supervisory authority: You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Version: 14.10.2024