Data privacy notice for job applicants of astora GmbH according to art. 13, 14 and 21 GDPR
Date: January 2023
The following information describes how and for what purpose the astora GmbH (hereinafter also referred to as “astora” or “we”) processes the personal data of their job applicants.
Personal data is, according to Art. 4 No. 1 of the General Data Protection Regulation (GDPR), any information relating to an identified or identifiable natural person.
1. Responsibility for data processing and contact details
The responsible party within the meaning of Article 4 No. 7 for the processing of your personal data is:
astora GmbH, Human Resources, Karthäuserstraße 4, 34117 Kassel, Germany
phone: +49 561 99858-3333
You can reach our data protection officer / or our data protection team at
astora GmbH, attn: data protection officer, Karthäuserstraße 4, 34117 Kassel, Germany
2. Type of processed data
We process your personal data as part of your application, in case you provide this personal data with your application documents or in the further course of the application process.
Data processing includes the following categories of personal data if they are necessary for the purposes set out in Section 4:
- Master data (e.g. title, last name, first name, email address, telephone number, zip code and city),
- Application data (e.g. information about previous activities in the group, period of notice, salary expectations),
- Special data categories (Article 9 GDPR) that you voluntarily provide with your application,
- Data on your education,
- Data about your non-professional interests,
- Other data that you voluntarily provide to us as part of the application process, e.g. data contained in your application letter, CV or job references,
- Communication data: content of personal email or telephone conversations and other data that arise when we exchange data with you (e.g. when raising queries or using the contact form, etc.),
- Data on how you became aware of us or, if applicable, the name and data of the career fair through which you contacted us,
- Data on who recommended you, in the case of the internal referral scheme where employees can suggest other employees,
- Data that may arise where IT-based tools support your application (e.g. language setting, settings, technical cookies),
- Statements on data protection:
- Consent to the processing of personal data,
- Declarations on the revocation of a consent given by you,
- Declarations of objection against the processing of personal data,
- Statements on how to exercise your rights of access, rectification, erasure, restriction of processing and data portability, including the information you provide to us when exercising your rights.
- Internal applicant number,
- If applicable, job number.
In addition, if applicable and required by national legislation, we may also process other data:
- Test results or certificates (e.g. eye test, police clearance certificate).
As a rule, we do not process any personal data that we have received from third parties. However, when we work with third parties, such as head-hunters and recruitment agencies, they provide your applicant data to us.
Third-party job portals and social media platforms often advertise our job vacancies by independently reading them from our company websites or third-party websites (e.g. job portals) and linking to them on their platforms. Please note, that you can access our Recruiting Management System directly via these platforms and upload your application documents there. The social media platforms don’t have any service relationship with us.
3. Duration of data storage
We process and store your personal data for the required duration of the application process. This also includes, i.a. the initiation and execution of a contract. If the application process ends without you being hired, your data and application documents will be deleted within 6 months of completing the application process. You will not be informed separately about the deletion.
Application documents submitted in paper form by post will be returned to you immediately, as our application process is exclusively digital.
If you are hired at the end of the application process, both your personal data and your application documents will be used to draw up the employment contract and then included in your personnel file.
In addition, we store your personal data if and insofar as the law provides for this, for example for the defence of legal claims within the respective limitation periods. The exact legal regulations result in turn from the respective relevant national legal system of the processing company according to number 1.
4. Purposes of data processing and legal basis
We process your personal data for various purposes in compliance with the relevant data protection regulations, in particular the German Data Protection Regulation and national data protection laws. Basically, the purposes for which we process your data are the following:
- Processing of data relating to the employment relationship, i.e. to fulfil contractual obligations or to carry out pre-contractual measures (Art. 6 Para. 1 lit. b GDPR),
- To protect legitimate interests (Art. 6 Para. 1 lit. f GDPR),
- After your prior consent (Art. 6 Para. 1 lit. a GDPR) and/or
- To fulfil legal obligations (Art. 6 Para. 1 lit. c GDPR).
If you provide special categories of personal data in accordance with Art. 9 GDPR, data processing will take place on the basis of Art. 9 Para. 2 lit. b GDPR for the purpose of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law.
In detail, we process your personal data for the following purposes and on the legal basis specified in each case:
- Application process and contract initiation including communication with you
Data or categories of data processed: Master data; application data; data on how you became aware of us; data about your education; data about your non-professional interests; other data that you voluntarily provide to us as part of the application process; communication data.
Legal basis: Art. 6 Para.1 lit. b GDPR, §26 Federal Data Protection Act (BDSG)
- When concluding an employment contract with us: Transfer of the data to the personnel file of the individual concerned. This serves as a check for abuse and as a basis for the subsequent professional development of the individual concerned.
Data or categories of data processed: Master data; application data; information on how you became aware of us; data about your education; data about your non-professional interests; other data that you voluntarily provide to us as part of the application process; communication data.
Legal basis: Art. 6 Para.1 lit. b and f GDPR.
- Assertion of legal claims and defence against legal disputes
Data or categories of data processed: Master data; any personal data that is the subject of the legal claim or dispute.
Legal basis: Art. 6 Para.1 lit. f GDPR.
- Management of declarations of consent and revocation in relation to data privacy
Data or categories of data processed: Master data, privacy declarations.
Legal basis: Art. 6 Para.1 lit. a and c GDPR.
- Objection management (management of objections related to data privacy issues).
Data or categories of data processed: Master data, declarations on data protection
Legal basis: Art. 6 Para.1 lit. c GDPR.
- Management of data subjects' rights (handling data subjects' requests for access, rectification, erasure, restriction of processing and data portability in order to exercise data subjects' data protection rights).
Data or categories of data processed: Any data or category of data that is the subject of the specific request.
Legal basis: Art. 6 Para.1 lit. c GDPR.
- Access management in the Recruiting Management System
Data or categories of data processed: Logging of data for security measures and ensuring appropriate measures are taken to secure your data.
Legal basis: Art. 6 Para.1 lit. f GDPR.
- Sharing personal data within the Group for internal administrative purposes
Data or categories of data processed: IT and HR data, where these are Shared Services
Legal basis: Art. 6 Para. 1 lit. f GDPR, Recital 48
- Data you voluntarily provide to us to give us a better picture of your profile
Data or categories of data processed: Any sensitive data that you voluntarily share with us.
Legal basis: Art. 6 Para.1 lit. a GDPR, if applicable, if applicable, Article 9 GDPR.
- Further data processing within the framework of national legislation
Data or categories of data processed: Data which must or may be processed under national legislation
Legal basis: Art. 6 Para.1 lit. c and f GDPR.
5. Cookies on the website of the recruiting mangement system
Our job application management is carried out electronically with the help of a Recruiting Management System. You can access the Recruiting Management System via a link on the job advertisement and/or via our company website.
We use the so-called cookies or similar functions on the website of our Recruiting Management System to make our website technically available. We base the processing of your data through the cookies used for the aforementioned technically necessary purposes on our legitimate interest pursuant to Art. 6 Para. 1 lit. f GDPR, which is to be regarded as legitimate within the meaning of the aforementioned provision.
6. Recipients and categories of recipients
Personal data can be passed on to the following recipients and categories of recipients:
Internally, access to your data is only granted on the basis of authorization. In the case of ongoing application procedures, these are the involved HR business partners within the Human Resources department, interview partners and managers from the relevant business unit and, if necessary, the responsible committee (works council, possibly also representatives for severely disabled people). The IT department provides technical support and ensures the functionality of the Recruiting Management System.
6.1 Data processors
We use service providers who process personal data on our behalf (so-called processors, cf. Art. 4 No. 8, Art. 28 GDPR). This includes service providers in the areas of IT, telecommunications and business services.
In these cases, we have concluded order processing contracts with the service providers.
6.2 Disclosure to third parties
Insofar as we are authorized to do so on the basis of contractual or legal provisions, or on the basis of consent, we also pass on the above-mentioned personal data to other companies who process the data in joint responsibility (Art. 26 GDPR).
Such joint responsibility is given in the following areas
- Application process and HR,
- IT services.
In these cases, we have concluded joint responsibility agreements.
The main content of these agreements on joint responsibility is the ruling on the area of responsibility in the processing of your personal data. For example, any party against whom you make a claim is responsible for settling that claim. Each party is also responsible for the own legality of data processing regarding the establishment and performance of an employment relationship.
In addition, the agreement regulates the responsibility between the data controllers for the cases in which the data subjects exercise their rights. This relates to the right to have personal data rectified or erased or to restrict processing.
7. Transfer of data to a third country or to an international organisation
A transfer of your personal data to a third country or an international organization will only take place if this is necessary in the context of order processing and the requirements of Art. 44 et seq. GDPR are met.
A transmission will only take place if an appropriate level of data protection is ensured in the third country (Art. 45 GDPR), suitable guarantees exist (cf. Art. 46 GDPR) or there is another legal permission (cf. Art. 49 GDPR) and insofar as this is necessary for processing and thus for the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, the transfer is required by law or you have given us your consent.
8. Obligation to provide data
As part of your application, you only have to provide the personal data required to start and carry out the recruitment process. The application process cannot be started without this data.
9. Automatic decision making and profiling
We do not use your personal data for automated decision-making, including profiling.
10. Data subject rights
10.1 Information, correction, deletion, restriction of processing, data portability
Every data subject has the right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability from Art. 20 GDPR. In order to exercise the aforementioned rights, you can contact the offices named under number 1 (responsibility for data processing and contact details).
10.2 Right to object pursuant to Art. 21 GDPR
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data relating to you, which is based on Art. 6 Para.1 lit. f GDPR (data processing on the basis of legitimate interest). to insert this also applies to any profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If we process your personal data in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made in any form and should be addressed to the offices named in section 1 (Responsibility for data processing and contact details). You will not incur any costs other than the transmission costs according to the basic tariff.
10.3 Withdrawal of a consent
If you have given us your consent to the processing of your personal data, you can revoke this consent at any time. As a result, we will no longer continue the data processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.
Please address the revocation of consent to the office specified in section 1. (Responsibility for data processing and contact details).
11. Right to complain to the supervisory authority
According to Art. 77 Para. 1 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your personal data is not lawful, in particular that it violates the GDPR. In this case, you have the choice of contacting the supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged violation. Irrespective of the aforementioned right to lodge a complaint, we will also accept your request ourselves (for contact details, see section 1. Responsibility for data processing and contact details).