1. Who we are and how you can reach us
The controller of the processing of personal data on this website is:
2. What data we do (not) process, for what purpose, for how long and on what legal basis
2.1. Logging and analysis
We collect data about your access to the site which may allow identification and store it in the form of server log files. The following data is logged in this way:
HTTP status code
date and time
the browser identifier (user agent string) transmitted by your browser
exact file name (URL) of the requested file(s)
Referer (address from which the respective page is called)
Body bytes sent
These log files are only used in the context of processing errors or improving the website. However, we reserve the right to check the server log files retrospectively if there are concrete indications of illegal use.
This data is automatically deleted after 6 months, unless it is exceptionally needed for longer (for example, as evidence).
The legal basis for data processing is Art. 6 para. 1 UAbs. 1 lit. f DSGVO1. Legitimate interests in the processing on the basis of Art. 6 para. 1 UAbs. 1 lit. f DSGVO are the guarantee of the functionality and security of our website, its improvement and the defense against attacks and other abuses.
2.2. Data processing upon contact
If you call us or send us a message, for example via the contact form or by e-mail, we need your e-mail address, your postal address or a telephone number if we are to answer you. Instead of your name, you can also use a pseudonym. We will use this data as well as the date and time of your contact exclusively for processing your request, unless it is clearly a business contact. In the case of a business contact, we will use your data for customer and prospect support, in particular to contact you individually (insofar as this is legally permitted) - if necessary after researching further data - in order to make you offers and to clarify your need for our services and/or the possibility of a cooperation. We assume that this is in your interest. Your data will normally not be passed on to third parties. If we determine that we are not responsible for your request and cannot help you ourselves (for example, if you contact us, but your request concerns the yes®-specific service of your bank), we will make every effort to forward your request to the correct contact or to provide you with the correct contact, unless this is clearly not in your interest. We delete your data as soon as it is no longer needed for the respective purpose, i.e. usually three months after the last contact with you, whereby we only delete all requests that are ready for deletion once a quarter for reasons of proportionality. If you have any queries, please contact us again within three months.
If we continue to process your data for the purpose of customer and prospect support, we will delete your data as soon as you object to the processing or by March 31 of the second calendar year after your last business contact or expression of interest.
The legal basis for the data processing is Art. 6 para. 1 UAbs. 1 letters b and f DSGVO. Legitimate interest in case of processing based on Art. 6 para. 1 UAbs. 1 letter f DSGVO is to fulfill your request or to achieve that your request is fulfilled by forwarding your request or, in case of processing for the purpose of customer and prospect care, to promote the sales of our services and corresponding advertising.
Exceptions: We must store business and commercial letters and other tax-relevant documents in order to fulfill the retention obligations under commercial and tax law; we normally delete them by March 31 of the seventh calendar year after they come into existence, and in the case of accounting documents, of the eleventh calendar year after they come into existence.
The storage period of your data may deviate from the above-mentioned periods due to statutory retention and limitation periods, for example due to §§ 195 ff. BGB4 (GERMAN CIVIL CODE).
If your request serves a special purpose (e.g. application), then only the explanations regarding the special purpose apply to the data processing in this context. You may receive these separately.
2.3. Data processing upon application
When you apply to us, we process the information that we receive from you as part of the application process, e.g. by means of a letter of application, CV, certificates, correspondence, telephone or verbal information. In addition to your contact details, information about your education, work experience and skills is particularly relevant to us; without this information, we cannot determine your suitability and cannot consider your application. We will only assess you according to your suitability for the respective position. You do not have to send us a photo. Information about your family situation, etc. is also not required. Since most of our jobs are security-related and for many positions, especially in the technical area, application documents alone are not sufficient, but we would also like to look at source codes created by you, for example, in order to assess your suitability, we usually conduct research on applicants on the Internet. However, we limit ourselves to public information in professional networks, code repositories, technical platforms for discussing problems, for example. We are happy if you point us to representative works by indicating your username. The information researched in this way will not be stored.
Your data will initially be processed exclusively for the purpose of carrying out the application procedure. If your application is successful, it will become part of your personnel file and will be used for the implementation and termination of the employment relationship and deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after sending the rejection letter in order to clarify any legal claims that may be necessary. If you have received reimbursements or other tax-relevant transactions (e.g. invitation to a meal), the corresponding accounting documents are regularly stored until March 31 of the eleventh calendar year after the payment at the latest in order to fulfill the retention obligations under commercial and tax law; in the case of commercial and business letters and other tax-relevant documents, they are stored for the seventh calendar year after their creation.
The legal basis for data processing in the application process and as part of the personnel file is Section 26 (1) sentence 1 BDSG and Article 6 (1) subparagraph 1 letter b DSGVO and, if you have given your consent, Article 6 (1) subparagraph 1 letter a DSGVO. Research in the context of job applications is the legal basis § 26 para. 1 p. 1 BDSG5 and Art. 6 para. 1 UAbs. 1 letters b and f and, if applicable, Art. 9 para. 2 lit. e DSGVO, whereby legitimate interests are the guarantee of security in the company and the selection of suitable applicants. The legal basis for data processing after a rejection is Art. 6 para. 1 UAbs. 1 letter f DSGVO. Legitimate interest in this respect is the defense against legal claims. The legal basis for storage under commercial and tax law is Art. 6 para. 1 UAbs. 1 lit. c DSGVO in conjunction with. §§ 147 AO, 257 HGB.
As a rule, we do not require any special categories of personal data within the meaning of Art. 9 DSGVO for the application process, such as information on your health, religion, ethnic origin, sexual orientation. We ask you not to provide us with such information in the first place. If such information is exceptionally relevant for the application process, we will process it together with your other applicant data. This may, for example, concern information about a severe disability that you can provide to us voluntarily and which we then need to process in order to fulfill our special obligations with regard to severely disabled persons. In these cases, the processing serves the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection. The legal basis for the data processing is then Art. 9 (2) lit. b DSGVO, §§ 26 (3) BDSG, 164 SGB IX6.
3. Voluntary provision of your data
You are not obliged to provide us with personal data. If you do not provide us with certain information that we need to handle your request (for example a way to contact you if you want an answer from us), we may not be able to do so. In the context of special procedures (e.g. when using the yes® Account Chooser) it may be necessary for you to provide us with certain information because otherwise we will not be able, for example, to redirect you to the bank log-in website. However, we will always point this out to you in the specific situation.
4. Recipients of the data
Your personal data will remain in our area of responsibility, except in special exceptional cases (e.g. in the event that we forward an inquiry erroneously addressed to us to the right contact), in which we expressly inform you, however, to whom your data will be sent. In some cases it may be necessary to pass on your data to external advisors, for example in the case of legal disputes to lawyers (legal basis Art. 6 para. 1 subpara. 1 letter f GDPR; purpose and legitimate interest: establishment, exercise or defence of legal claims). Our administrators have the possibility to access data processed by IT. We list further recipients of your data in the notes on the respective data processing. In certain cases, we may need to disclose your personal data to third parties so that you can obtain the desired service (e.g. reimbursement of costs in an application procedure), in particular to vicarious agents such as tax accountants, banks and other payment service providers as well as postal service providers.
In certain areas, such as web hosting, e-mail hosting, ticket system and analysis, we use specialized service providers:
Microsoft Ireland Operations Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Atlassian Pty Ltd, Level 6, 341 George St, Sydney NSW 2000, Australia
These are strictly bound to our instructions by an agreement on commissioned data processing and may not process the data for their own purposes. Processing by these data processors and their data processors takes place only in the EU with the exception of the following corporations. If the processing of your data by one of these providers takes place in an unsafe third country (countries without a corresponding data protection law), it will be ensured that this is done on the basis of appropriate protection measures according to Art. 44 et seq. GDPR, for example by agreeing on standard data protection clauses of the EU Commission, which are supplemented in individual cases by appropriate protective measures such as encryption of the data in accordance with Art. 46 para. 2 c) GDPR.
5. Automated decision making, profiling
Automated decision making or profiling does not take place.
6. Your rights
You have a right of access, to rectification or erasure, restriction of processing, to object to processing and to data portability under the respective statutory preconditions with regard to the personal data concerning you. In particular, you have the right to object to the processing of your data for advertising purposes at any time without incurring costs other than the transmission costs according to the basic rates of your provider (e.g. the costs of an e-mail = usually none). If data processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until the withdrawal or of the processing on another legal basis. If you want to exercise these rights, you can simply write to firstname.lastname@example.org. If we call you, you can of course also tell us directly in the conversation.
You also have the right to complain to a data protection supervisory authority about our processing of your personal data, for example to the German supervisory authorities which are responsible for us. You will find a list of supervisory authorities by clicking on the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
If you have any questions or requests regarding data protection, please feel free to contact us by mail to email@example.com at any time.
7. Your right to object to processing
To the extent that processing of your personal data is based on Art. 6 para. 1 subpara. 1 lit. e or f GDPR, you have the right to object to processing in accordance with Art. 21 GDPR. If your objection is made for reasons arising from your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of or for the establishment, exercise or defence of legal claims. If your objection is directed against direct marketing, including profiling, insofar as it is connected with such direct marketing, we will no longer process your personal data for these purposes.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended from time to time. ↩
Fiscal Code of Germany in the version promulgated on 1 October 2002 (Federal Law Gazette [Bundesgesetzblatt] I p. 3866; 2003 I p. 61), last amended by Article 17 of the Act of 17 July 2017 (Federal Law Gazette I p. 2541), as amended from time to time. ↩
Commercial Code in the revised version published in the Bundesgesetzblatt (BGBl., Federal Law Gazette), Part III, Section 4100-1, Book 1, as amended by Article 11 of the Act of 18 July 2017 (Federal Law Gazette Part I p. 2745), Book 2, as amended by Article 3 of the Act of 22 December 2015 (Federal Law Gazette Part I p. 2567), and Book 5, as amended by Article 5 of the Act dated 5 July 2016 (Federal Law Gazette Part I p. 1578), as amended from time to time. ↩
Civil Code in the version promulgated on 2 January 2002 (Federal Law Gazette [Bundesgesetzblatt] I page 42, 2909; 2003 I page 738), last amended by Article 4 para. 5 of the Act of 1 October 2013 (Federal Law Gazette I page 3719), as amended from time to time. ↩
Federal Data Protection Act of 30 June 2017 (Federal Law Gazette I p. 2097), as amended from time to time. ↩
Social Code, Book IX, of 23 December 2016 (Federal Law Gazette I p. 3234), last amended by Article 5 of the Act of 8 July 2019 (Federal Law Gazette I p. 1025), as amended from time to time. ↩