Skip to main content

Processing of (personal) data by the entity in charge of the online application process

Privacy Information for Applicants 

 

According to Articles 13 and 14 of the General Data Protection Regulation (GDPR) 

 

For the sake of better readability, we refrain from using gender-specific language. All personal references apply equally to all genders. 

 

Dear applicant, 

We are pleased about your interest in our company. In accordance with the provisions of data protection laws, especially the General Data Protection Regulation ("GDPR"), we would like to inform you about the processing of your personal data by e-mobilio, headquartered at Medienbrücke 7th Floor, Gisela-Stein-Str. 21, 81671 Munich (hereinafter also referred to as "e-mobilio," "we," or "us") during the application process and your related rights. 

 

Contents 

  1. Data Controller & Data Protection Officer 

  2. Joint Controllers of the Data Processing 

Controller A 

Controller B 

 

Name:     e-mobilio GmbH 

Address:     Medienbrücke 7th Floor 

                              Gisela-Stein-Str. 21, 

                               81671 Munich 

Email:     info@e-mobilio.de 

Phone:     +49 89 / 25555560 

 

 

Managing Directors: Ralph Missy, Denis Reichel 

Name:     co2.auto GmbH 

Address:                 Medienbrücke 7th Floor 

                  Gisela-Stein-Str. 21, 

                               81671 Munich 

Email:     info@co2.auto 

Phone:     +49 89 / 77997933 

 

 

Managing Directors: Ralph Missy, Denis Reichel 

 

 

Name:     co2.auto GmbH  

                               Branch Austria 

Address:     Simmeringer Hauptstraße 24, 1110 Vienna 

Email:     info@co2-auto.at 

Phone:     +49 89 / 77997933 

 

 

Managing Directors: Ralph Missy, Denis Reichel 

 

 

 

 

1.2    Data Protection Officer 

 

Controller A 

Controller B 

 

You can reach our Data Protection Officer at the following contact details: 

 

Lutz Mönig c/o Pohl Consulting Team GmbH Mengeringhäuser Straße 3 

34454 Bad Arolsen 

Email: datenschutz@e-mobilio.de 

You can reach our Data Protection Officer at the following contact details: 

 

Lutz Mönig c/o Pohl Consulting Team GmbH 

Mengeringhäuser Straße  

34454 Bad Arolsen 

Email: datenschutz@co2.auto  

 

If you believe that the processing of your data violates data protection laws or your data protection rights have been infringed in any way, you can contact our management or the competent supervisory authority: 

 

Bavarian Data Protection Authority (BayLDA)  

P.O. Box 1349  

91504 Ansbach  

Phone: +49 981 180093 0 | Email: poststelle@lda.bayern.de 

 

2.    Purposes and Legal Basis of Processing 

 

We process your personal data in compliance with applicable laws, particularly the GDPR and the German Federal Data Protection Act (BDSG), based on the following legal grounds: 

 

  • For employment decisions: We primarily process your personal data for the establishment of an employment relationship (Art. 6(1)(b), Art. 88 GDPR in conjunction with §26(1) BDSG).  

  • For legitimate interests: We may process your personal data to protect our legitimate interests or those of third parties. This includes, for example, the assertion, exercise, or defense of legal claims during the application process (e.g., in compliance with the General Equal Treatment Act (AGG)) (Art. 6(1)(f) GDPR). 

  • Based on your consent: If you have given consent for specific purposes, such as considering your data for future vacancies, we process your data based on this consent (Art. 6(1)(a), Art. 9(2)(a), Art. 88 GDPR in conjunction with §26(2) BDSG). You may withdraw your consent at any time with future effect (see section 8 of this Privacy Information).  

  • For employment purposes: If an employment relationship is established, we will process your personal data for employment purposes in accordance with Art. 6(1)(b) GDPR, Art. 88 GDPR, and §26(1) BDSG. 

 

  1. Categories of Personal Data 

 

We process only data relevant to your application and the interview process. This may include: 

 

  • Personal details and contact information (e.g., name, address, email, phone number, date and place of birth, gender, marital status, nationality, visa, and work permit if required). 

  • Special categories of personal data (e.g., marital status that may infer your sexual orientation, health information such as disability status, photos revealing ethnic origin, or religion). 

  • Education, qualifications, and employment data (e.g., professional qualifications, training, certificates). 

  • Other application documents (e.g., cover letter, CV, photo). 

  • Additional data provided during the interview. 

 

The provision of personal data during the application process is voluntary, but necessary to make a 

decision about establishing an employment relationship. 

 

4.    Sources of Personal Data 

 

We process personal data you provide through contact, postal mail, email, or our applicant portal at https://e-mobilio.jobs.personio.de/ (provided by Personio GmbH). In certain cases, we also collect personal data from third parties, especially from professional networks like LinkedIn or Xing, or from recruitment agencies. 

 

5.    Recipients or Categories of Recipients of Personal Data 

 

We share your personal data within our company only with departments and individuals who need it to fulfill pre-contractual, contractual, or legal obligations, or to protect our legitimate interests. 

 

Additionally, your data may be shared with our affiliated companies as part of our joint responsibility, as detailed in Appendix 1. 

 

Where applicable, we use service providers to process your personal data (for example, for our applicant management system, IT services, and data centers). Your personal data will only be processed on our behalf and based on data protection agreements. For more information, you are welcome to contact us. 

 

Data transfers to recipients outside of e-mobilio will only occur if permitted or required by legal provisions, necessary for fulfilling legal obligations, or if we have your consent. 

 

6.    Transfers to Third Countries 

 

As a rule, your personal data is processed exclusively within Germany, the European Union, and the European Economic Area (EEA), where the provisions of the GDPR apply. A data transfer to countries, states, or international organizations outside the EEA (“third countries”) generally does not take place. 

 

However, if one of our service providers, or their potential service providers, has their headquarters, parent company, or data centers in a third country, e-mobilio may transfer your personal data to a so-called third country, where the GDPR provisions do not apply. In such cases, data transfers to third countries will only occur if the conditions of Chapter 5 (Art. 44 – 50) of the GDPR and other provisions of the GDPR are implemented and complied with. 

 

This mainly concerns the providers of our cloud applications, our company-wide communication system, and our CRM system. 

 

While we ensure that servers located in Germany and the EU are used for data storage wherever possible, we cannot completely rule out that your data may be transferred to and processed in a third country (e.g., the USA) in this context. 

 

We have signed contracts with all our service providers and have contractually agreed that their contractors must always comply with guarantees in accordance with Chapter 5 (Art. 44 – 50) of the GDPR, ensuring compliance with the European level of data protection. Upon request, we will provide you with a copy of these guarantees. 

 

7.    Duration of Data Storage 

 

We store your personal data for as long as necessary for making a decision about your application. If an employment, training, or internship relationship results from the application process, we will store your data as long as it is required to provide the associated employment relationship. 

 

If we cannot consider you for a position, your personal data or application documents will be deleted no later than six months after the end of the application process (after the rejection decision is announced), unless a longer retention period is required or permitted by law. We are subject to various retention and documentation obligations arising from the Commercial Code and employment law provisions. The retention periods specified there range from five (5) to ten (10) years. Finally, the storage duration is also determined by the statutory limitation periods, which according to §§ 195ff. of the German Civil Code (BGB) are generally three (3) years, but can be up to thirty (30) years in certain cases. Furthermore, we only store your personal data to the extent that it is legally required or necessary in specific cases for asserting, exercising, or defending legal claims during the duration of a legal dispute. 

 

If you have not already given us your consent to store your application in our talent pool in advance, you may receive an invitation to include your data in our talent pool following the application process. This allows us to consider you for future vacancies during our applicant selection process. If we have your consent, we will store your application data for 12 months from the date of your consent and will 

  then delete it accordingly. 

 

8.    Your Rights 

 

You have the right to access your personal data according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to notification according to Article 19 GDPR, and the right to data portability according to Article 20 GDPR. 

 

Furthermore, you have the right to lodge a complaint with a data protection supervisory authority according to Article 77 GDPR if you believe that the processing of your personal data is not lawful. This right to complain exists without prejudice to any other administrative or judicial remedy. 

 

If the processing of your personal data is based on your consent, you are entitled, according to Article 7 GDPR, to withdraw your consent at any time without giving reasons, with effect for the future. Processing carried out before the withdrawal remains unaffected. Please note that we may be required to retain certain data for a specified period to comply with legal obligations (see Section 7 of this Privacy Policy). 

 

If the processing of your personal data is carried out to protect legitimate interests pursuant to Article 6 (1) sentence 1 lit. f GDPR, you also have the right to object to the processing of your personal data at any time for reasons arising from your particular situation, according to Article 21 GDPR. In such cases, we will cease processing your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. 

 

To exercise your rights or if you have any further questions regarding data processing, you can contact us using the details provided in Section 1. 

 

9.    Automated Decision-Making / Profiling 

 

We do not use automated decision-making in the application process and the initiation of an employment relationship according to Article 22 GDPR. Profiling is generally not carried out by us. 

 

Should we use such procedures in individual cases, we will inform you separately about this and your associated rights, provided that this is required by law. 

 

10.    Changes to this Privacy Policy 

 

e-mobilio reserves the right to change this Privacy Policy at any time. 

 

 

Annexes 

Annex 1: Privacy Information on Joint Responsibility under Article 26 (2) GDPR 

Annex 1: Privacy Information on Joint Responsibility under Article 26 (2) GDPR 

 

  1. Preamble 

 

The data controllers collaborate in the area of applications in accordance with Article 26 GDPR in conjunction with Article 4 No. 7 GDPR (collaboration between two or more controllers in the processing of personal data). Since it may be possible or necessary for the jointly responsible parties to access your personal data within the framework of this collaboration, they are jointly responsible for the protection of your personal data in the processes described below. Below, the essential content of the agreement between the controllers to fulfill their obligations under the GDPR is outlined. 

 

2.     Joint Controllers 

 

Controller A 

 

Controller B 

 

Name:     e-mobilio GmbH 

Address:     Medienbrücke 7th Floor 

                              Gisela-Stein-Str. 21 

                              81671 Munich, Germany 

Email:     info@e-mobilio.de 

Phone:     +49 89 / 25555560 

 

Managing Directors: Ralph Missy, Denis Reichel 

Name:     co2.auto GmbH 

Address:     Gisela-Stein-Str. 21, 

                               81671 Munich, Germany 

 

Email:     info@co2.auto 

Phone:     +49 89 / 77997933 

 

 

Managing Directors: Ralph Missy, Denis Reichel 

 

Name:     co2.auto GmbH 

                                Austria Branch 

Address:     Simmeringer Hauptstraße 24 

                               1110 Vienna 

Email:     info@co2-auto.at 

Phone:     +49 89 / 77997933 

 

Managing Directors: Ralph Missy, Denis Reichel 

 

 

 

3.     Purposes and Description of Processing 

 

 

2. Joint Controllers 

 

Controller A 

Name: e-mobilio GmbH 

Address: Medienbrücke 7th Floor 

Gisela-Stein-Str. 21 

81671 Munich, Germany 

Email: info@e-mobilio.de 

Phone: +49 89 / 25555560 

Managing Directors: Ralph Missy, Denis Reichel 

 

Controller B 

Name: co2.auto GmbH 

Address: Gisela-Stein-Str. 21 

81671 Munich, Germany 

Email: info@co2.auto 

Phone: +49 89 / 77997933 

Managing Directors: Ralph Missy, Denis Reichel 

 

Controller B (Austria Branch) 

Name: co2.auto GmbH Austria Branch 

AddressSimmeringer Hauptstraße 24 

1110 Vienna, Austria 

Email: info@co2-auto.at 

Phone: +49 89 / 77997933 

Managing Directors: Ralph Missy, Denis Reichel 

 

3.     Purposes and Description of Processing 

 

The purpose of data processing is to fill vacant positions at all controllers through coordinated applicant management. The applicant data is used to assess suitability and is necessary to decide on an invitation for an interview. 

The applicant data is processed jointly by all parties to maximize synergy. Joint campaigns are conducted, and the results, in the form of acquired applicant data, are accessed collectively. 

Applications are received by mail, email, or via the homepage of the respective controllers, or through a central online application portal. In the case of telephone applications, applicants are asked to use one of the aforementioned methods. In the case of paper applications, Human Resources opens the mail, stamps it, scans it, and enters it into the applicant management tool "Personio." For online applications, confirmation of acknowledgment of the provided privacy policy is obtained during the initial submission process, and information on the transfer of data within affiliated companies is provided. The data is mostly collected automatically or entered into the applicant management system by employees. A SaaS application from Personio GmbH is used as a tool. The data is made available to the respective controller for processing. In the case of a negative decision, the applicant is notified immediately. In the case of a positive outcome, an initial interview is conducted via video conference. Subsequently, the applicant is invited for an in-person interview. If this leads to employment, the application documents are transferred to the personnel file. Electronic applications are also processed through the email inbox. The further procedure is identical to the postal route. Electronic documents are not returned. In both cases, electronic data is deleted after six (6) months, unless the applicant consents to longer storage in the applicant pool. Another method is the use of online platforms where either the company or the applicants present themselves. Management is done through the Personio application, and the process follows the same description as above. In each case, electronic data is deleted after six (6) months unless the applicant consents to longer storage in the applicant pool. 

 

4    Affected Groups of Individuals 

 

The affected groups of individuals for Controllers A and B are applicants. 

 

5    Categories of Personal Data 

 

We only process data related to your application and interview. This may include the following personal data or data categories: 

 

  • Personal details and contact information, such as name, address, email address, phone number, date and place of birth, gender, marital status, nationality, visa, and work permit (if necessary), bank details (for reimbursement of travel expenses), internal interview records; 

 

  • Special categories of personal data, such as marital status information that may infer your sexual orientation, health-related information such as disability status, photos that may infer your ethnic origin and, if applicable, your vision and/or religion; 

 

  • Educational, performance, and employment data, such as information about your professional qualifications and educational background, details of vocational training, certificates; 

  • Other application documents, such as cover letters, CVs, photos; 

 

  • Additional data that you provide to us in connection with your application and interview. 

 

 

Providing your personal data in the application process is voluntary. However, we can only make a decision regarding employment if you provide the personal data necessary for the application process. 

 

 

6    Joint Responsibility and Assignment of Responsibilities in Process Stages 

 

Although joint responsibility exists, each controller is responsible for fulfilling data protection obligations according to their respective areas of responsibility for the process stages outlined below. 

 

 

6.1    Controller A is responsible for processing personal data in the following process stages within the joint responsibility: 

 

  • Data collection: Collection of project-related personal data from the relevant affected groups; information obligations according to Articles 13, 14, and 26 (2) sentence 2 GDPR. 

  • Data storage: Storage of data in the applicant management system or in separate data storage. 

  • Data processing/use: Capturing, processing, and evaluating the above-mentioned data categories in the applicant management system to screen relevant applicants. If necessary, forwarding to the appropriate contacts for application processing. In case of employment, forwarding data to personnel managers. Printing, copying, archiving, deleting, and destroying data and documents in compliance with legal requirements. 

  • Data deletion: According to the deletion concept. 

 

 

6.2    Controller B is responsible for processing personal data in the following process stages within the joint responsibility: 

 

  • Data collection: Collection of project-related personal data from the relevant affected groups; information obligations according to Articles 13, 14, and 26 (2) sentence 2 GDPR. 

  • Data storage: Storage of data in the applicant management system or in separate data storage. 

  • Data processing/use: Capturing, processing, and evaluating the above-mentioned data categories in the applicant management system to screen relevant applicants. If necessary, forwarding to the appropriate contacts for application processing. In case of employment, forwarding data to personnel managers. Printing, copying, archiving, deleting, and destroying data and documents in compliance with legal requirements. 

  • Data deletion: According to the deletion concept. 

 

6.3    Controllers A and B are jointly responsible for the following process stages: 

 

  • Determining the purpose of data processing, determining the affected categories of personal data, ensuring data subject rights according to Articles 15, 16, 17, 18, 19, 20, and 21 GDPR, documentation of technical and organizational measures (TOM) according to Article 32 GDPR, risk assessment and (if necessary) conducting data protection impact assessments (DPIA) according to Article 35 GDPR, consultation with supervisory authorities, evaluation, and monitoring of data processors according to Article 28 GDPR, provision and documentation of processing records (RoPA) according to Article 30 GDPR, evaluation and communication in case of data breaches according to Articles 33, 34 GDPR. 

 

7    Agreements between Controllers Regarding Their Data Protection Obligations 

 

7.1     Information Obligations according to Articles 13 and 14 GDPR 

 

According to contractual agreements, the controllers will provide the data subjects with the necessary information in accordance with Articles 13 and 14 GDPR in a transparent and easy-to-understand manner. Each controller will provide the other controller with all necessary information from their respective area of responsibility. 

 

7.2     Point of Contact for Exercising Data Subject Rights according to GDPR 

 

The controllers may designate a point of contact for data subjects to exercise their rights according to GDPR. Regardless of this arrangement, data subjects may generally assert their rights under Article 26 (3) GDPR with any of the controllers. The controllers will inform each other immediately of claims asserted by data subjects and provide each other with all necessary information for processing. 

 

7.3    Technical and Organizational Measures 

 

The controllers agree to comply with all legal requirements according to Article 32 GDPR by implementing appropriate technical and organizational measures to ensure an adequate level of protection for the processing of personal data. 

7.4     Further Data Protection Obligations according to GDPR 

 

The controllers commit to supporting each other in complying with the contractual agreements and all applicable data protection laws. This includes the following areas in particular: 

 

  • Measures in the event of data breaches; 

  • Cooperation with relevant data protection authorities; 

  • Creation and maintenance of processing records; 

  • Coordination on the deletion of personal data (legal retention periods, etc.); 

  • Involvement of data processors; 

  • Cooperation with data protection officers; 

  • Ensuring that all persons involved in data processing are bound by confidentiality. 

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.