Data protection
Data protection information for applicants and talentsIn accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR)
1. Controller within the meaning of the GDPR
The controller responsible for processing your personal data in the context of the
application process is:
SAPHIR Deutschland GmbH
Kalkofenstr. 53
71083 Herrenberg, Germany
Represented by: Bruno Gross
2. Data protection officer
mhg protectit
Heerweg 19
72116 Mössingen, Germany
Managing Director: Michael Haug
DPO: Larissa Haug
3. Purpose of processing personal data
Your personal data will be processed for the purpose of conducting and handling the application process. This includes in particular:
– reviewing and evaluating your application,
– conducting selection and decision-making processes,
– contacting you as part of the application process,
– deciding whether to establish an employment relationship,
– introducing you to partner companies for suitable positions (Art. 6 (1) (a) GDPR),
– communicating with you, e.g. via online conferences (Art. 6 (1) (b) and (f) GDPR),
– using anonymized data for scientific purposes (Art. 6 (1) (a) GDPR).
If you have given us your express consent, your data will also be processed for the purpose of inclusion in our talent pool to inform you about job vacancies that may be relevant to you in the future or to pass them on to potential employers.
4. Legal basis for processing
Your personal data is processed based on the following legal provisions:
– Art. 6 (1) (b) GDPR (implementation of pre-contractual measures),
– Section 26 (1) Federal Data Protection Act (BDSG),
– Art. 6 (1) (a) GDPR (consent, in connection with the talent pool).
5. Categories of personal data
As part of the application process, we process the following categories of personal data in particular:
– Identification and contact details (e.g., name, address, telephone number, email address)
– Application documents (e.g., resume, cover letter, references, qualifications),
– Communication data (e.g., email correspondence, interview notes),
– Other personal data that you voluntarily provide to us as part of your application
6. Recipients of personal data
As part of our service, we pass on your personal data—in particular application documents, CV, and qualification profiles—to potential employers. This is done either in the context of a specific application for an advertised position or as part of active placement (e.g., unsolicited applications), provided you have consented to this.
The data is transferred using the tool “Canditate.ly – GUSTAV, 61 Greenpoint Ave #684, Brooklyn, NY 11222, United States. The transfer of data to the USA is based on the standard contractual clauses of the EU Commission. Personal data will be made available for download to potential employers; GDPR rights regarding applicant data remain unaffected by this.
Data is transferred exclusively for application purposes and in compliance with data protection regulations. You can revoke your consent at any time with future effect. An informal email to datenschutz@saphir-deutschland.de is sufficient.
7. Pseudonymized short profile
As part of the application process, we create a pseudonymized short profile of your career, which is passed on to interested companies via the SAPHIR talent catalog. This profile is deleted after the process is complete. Here, too, you can revoke your consent at any time.
8. Use of your data for research purposes
Anonymized applicant data may be used in scientific projects. Processing is carried out exclusively for research purposes and without reference to your person. Anonymization is irreversible. This data is no longer considered personal data and the GDPR does not apply. No consent is required in this case.
9. Use of External Services / Social Media Platforms
Microsoft Teams
For online job interviews, we use standard conferencing tools, particularly Microsoft Teams. The provider responsible is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft also maintains a branch in the EU (e.g., Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland). Privacy information regarding Microsoft Teams is available at: https://privacy.microsoft.com/de-de/privacystatement
We use WhatsApp to communicate with customers and prospective clients/applicants. The service provider responsible is WhatsApp Inc., 1601 Willow Road, Menlo Park, California 94025, USA. In the European Union, the platform is operated by WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. You can find more information about WhatsApp’s privacy policy here: https://www.whatsapp.com/legal/?eea=1#privacy-policy
We also use WhatsApp/Meta to send news, updates, and marketing information via WhatsApp newsletters. The processing of phone numbers and communication data is carried out exclusively with explicit consent in accordance with Art. 6(1)(a) GDPR.
We maintain professional profiles on LinkedIn. The entity responsible for data processing in connection with LinkedIn is LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, California 94085, USA. For Europe, there is a branch office in Germany: LinkedIn, Hofstatt 4th Floor, Sendlinger Str. 12, 80331 Munich. You can find LinkedIn’s privacy policy here: https://www.linkedin.com/legal/privacy-policy
Facebook & Instagram
Our profile pages on Facebook and Instagram are operated via services provided by the Meta platforms. The relevant providers are Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland (for Instagram & Facebook) and its parent company Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. Personal data may be processed within the scope of these platforms (e.g., during interactions, comments, or direct messages). You can find further privacy information at Meta: https://www.facebook.com/about/privacy
Legal Basis & Data Processing
The processing of personal data via the platforms is based on the following legal grounds:
– Consent of the data subject (Art. 6(1)(a) GDPR), e.g., for newsletters or social media interaction,
– Contract performance or pre-contractual measures (Art. 6(1)(b) GDPR), to the extent that the use is part of the service,
– Legitimate interest (Art. 6(1)(f) GDPR) for marketing and communication purposes, to the extent that this has been weighed against data protection interests.
In all cases, we process data only to the extent necessary for the respective purpose. The legal basis, purpose, retention period, and recipients are transparently outlined in our general privacy policy.
Data transfers to third countries
Platforms based outside the EU also process personal data in third countries (e.g., the U.S. or Ireland). These transfers are safeguarded by appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and, where necessary, additional protective measures.
Withdrawal of Consent & Data Subject Rights
You may withdraw your consent to the use of personal data for marketing, newsletters, or platform use at any time with future effect, without this affecting the lawfulness of the processing carried out prior to the withdrawal (Art. 7(3) GDPR). You can exercise your data subjects such as the right to access, rectification, data portability, erasure, and restriction—by contacting us or, in the case of the respective platform, directly through the platform.
10. Duration of storage
Your personal data will only be stored for as long as is necessary for the purposes for which it is processed.
After completion of the application process, your data will be stored for a period of six months to be able to defend against any legal claims.
If you have consented to be included in our talent pool, we will store your data until you revoke your consent, but for a maximum of 24 months.
11. Rights of data subjects
As a subject of data, you have the following rights:
– Right to information pursuant to Art. 15 GDPR,
– Right to rectification pursuant to Art. 16 GDPR,
– Right to erasure pursuant to Art. 17 GDPR,
– Right to restriction of processing pursuant to Art. 18 GDPR,
– Right to data portability pursuant to Art. 20 GDPR,
– Right to object to processing pursuant to Art. 21 GDPR.
You also have the right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data violates data protection regulations.
If the processing is based on your consent, you have the right to withdraw this consent at any time with effect for the future.
12. Necessity of providing personal data
The provision of your personal data is necessary for the application process. Without this data, your application cannot be considered.