Data Privacy White Paper

Modified on Thu, 1 Jun, 2023 at 12:00 PM

Privacy, Law & Trust 
in connection with talentsconnect’s JobShop


Trust is at the heart of a successful contractual relationship. And trust starts with transparency. Because this is essential, we want to start now, not just when we start working together. In this document, we inform you about our contractual framework and the measures we have taken in the areas of data protection and data security.

Our Contractual Standards

"Software as a Service" contract

As a Software-as-a-Service provider, we offer our customers an Internet-based recruiting technology that enables them to post jobs online and market them on a data-driven basis for the duration of the contract. The licence agreement consists of


  • An offer,

  • Our terms and conditions, and

  • A data processing agreement pursuant to Art. 28 GDPR. 



Data processing related to our services

We provide our services to you under a hybrid data processing model: 

  • We operate the JobShop on our infrastructure under our responsibility within the meaning of Art. 4 No. 7 GDPR ("talentsconnect as controller") until the candidate submits the application. We then send the candidate data directly to your applicant management system, which you operate under your data protection responsibility within the meaning of Art. 4 No. 7 GDPR ("customer as controller"). From the moment the candidate data is submitted, and in connection with the Recruiting Home, we will act for you as a commissioned data processor pursuant to Art. 28 of the GDPR ("talentsconnect as processor").

  • We have defined accountability interfaces in our contracts, such as the transfer of candidate data and accountability for appropriate information and/or consent forms for candidates.



talentsconnect as a Controller

Within the scope of our responsibility under data protection law, as well as when processing data on behalf of third parties, we will, of course, comply with all relevant data protection regulations, in particular the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and relevant special data protection standards. We take strict technical and organisational measures to ensure the confidentiality, availability, integrity, and authenticity of the personal data provided as part of the provision of the JobShop. We require all of our employees to maintain confidentiality and to delete personal data in accordance with legal requirements.

We undertake to do so within the framework of our contractual relationship (Section 12 of the General Terms and Conditions).


talentsconnect as a Processor

With each license agreement, we also enter into a contract for data processing services (Data Processing Agreement) with our customers, which complies with the requirements of the GDPR and industry standards.


In addition to the legal agreements required by Article 28 (3) of the GDPR, we provide comprehensive information on the technical and organisational measures implemented. Furthermore, upon request, we can provide the information security policies relevant to our customers.


We have carefully selected our subcontractors and will provide a list of all information on the purpose of use as well as contractual regulations prior to the conclusion of the contract, together with the data processing agreement. In principle, the servers of our subcontractors are located in the EU/EEA. However, if this is not possible in individual cases, we have implemented additional measures to protect the data of candidates and your employees in addition to the EU standard contractual clauses. These include, for example, encryption and pseudonymization measures, with the matching rule remaining on our servers in the EU.


Data Protection & Data Security

As a Software-as-a-Service provider that provides your candidates with a career portal ("JobShop"), your employees with access to the Recruiting Home to manage the JobShop, and transmits candidate data to you via the agreed channels, the secure and trustworthy handling of our customers' candidate and employee data is very important to us and an integral part of our product strategy.

 

Our world is changing rapidly and so are the requirements for data protection: We will continue to meet all (legal) challenges to protect the data of your company and your future and current employees, and to continuously improve the protection of our customers' (personal) data. 


Our JobShop is therefore designed to collect as little personal data as possible and, where possible, to encrypt it (all data in the database ("encryption at rest"), "data in motion" and passwords), to pseudonymize and aggregate it, and to make responsibilities clear and transparent to applicants. We work with a comprehensive, documented Information Security Management System (ISMS) and place high demands on verifiable technical and organisational data security. In the following sections, we would like to provide you with an overview of the measures we have taken to protect our customers and their applicants and employees and to ensure high data protection and security standards, as well as the contractual assurances we give our customers.


Data Protection

When using the JobShop, responsibilities are clearly defined in terms of the actual spheres of control and access:


  • We operate the JobShop under our data protection responsibility, Art. 4 No. 7 GDPR, and make this transparent to applicants by providing appropriate information. This includes our imprint, the description of responsibility in the JobShop's privacy policy, and the talentsconnect logo banner. This gives us the technical flexibility to develop the JobShop and provide applicants with the best possible application experience. In relation to our customers, this ensures that customers are not drawn into a contractual responsibility that is beyond their factual control.


Once the application data has been transferred to the customer's applicant tracking system (“ATS”), the applicant data leaves our sphere of control and is now located on the infrastructure controlled by the customer. Therefore, the responsibility under data protection law now lies with you as the customer. talentsconnect processes all personal data under the instruction and control of the customers from this point on, particularly in connection with the Recruiting Home as a commissioned data processor within the meaning of the General Data Protection Regulation.


Data Processing Agreement

As part of the discussion and negotiation of our cooperation, we will jointly define the obligations of talentsconnect - as data processor - and you - as data controller - in a Data Processing Agreement in accordance with Article 28 (3) of the GDPR. Together with our general contractual provisions, this will form the contractual basis for compliance with the GDPR and the German Federal Data Protection Act (BDSG). It sets out how we process and protect your data. The conclusion of a Data Processing Agreement is automatically part of our contractual package.


What personal data is collected when you use the JobShop?

In connection with the use of the JobShop, we collect and process data from visitors and applicants. In addition, when using the Remember Jobs function and in connection with the administration of the JobShop in the Recruiting Home, we process data of the customer's employees. This includes the following categories of data:

  • Master data (name, address, contact details including email) 

  • Application data (resume, certificates, etc.) 

  • In the context of the Recruiting Home: access data of the employees.

Where do we store personal data?

We use the services of Dembach Goo Informatik GmbH & Co. KG in Cologne, Germany, which leverages Equinix's data centers (Düsseldorf, Germany) and Interxion (Düsseldorf, Germany).


Subcontractor

No Software-as-a-Service (SaaS) provider can provide all services itself. Therefore, it is critical to the continuity of our business that we use third-party service providers that we trust. Together with the Data Processing Agreement, you will automatically receive a list of all subcontractors we use to provide our services.

Data processing in connection with cookies in the JobShop is managed transparently for applicants in a consent and information banner, and data is stored pseudonymously and aggregated. Applicants can decide for themselves which processing they want to allow. At the customer's request, it is possible to replace the standard web analytics system we use with another web analytics system selected by us. In addition, other services can be integrated into the JobShop after consultation.


Transfers to third-party countries

If the subcontractors are located outside the EU/EEA or access the data from outside via group companies, we have, if no other protective measures according to Art. 46 GDPR apply, concluded the EU standard contractual clauses, 2021/915, with the respective subcontractor. In addition, against the background of the Schrems II decision of the European Court of Justice (C-311/18), we have taken additional protective measures with them to ensure an adequate level of data protection. We list these measures for you in connection with our data processing in the table with our subcontractors in the Data Processing Agreement. Furthermore, in the protective measures taken and in the selection of the providers, we have taken into account the categories of data, the sensitivity of the data, and the risks associated with the data transfer, and, depending on the risk category, we have implemented measures such as encryption, anonymization, and contractual provisions, among others.


New subcontractors

We will notify the customer in advance by mail of new subcontractors involved in data processing on behalf of the customer, so that the customer can check them beforehand.


Please note that as a SaaS service, we cannot customise our services and therefore cannot shut down individual subcontractors. 


Control

At the end of the contract, or at your express request, we will delete all personal data relating to your employees. If an employee leaves your company, we can delete the data immediately upon your notification.


Deletion of candidate data:

  • We delete IP addresses after 14 days.

  • Applications are transferred to the customer's ATS and then deleted from our systems after 30 days, so that if the transfer is unsuccessful, the application can be resubmitted to the customer within that period. This period can be reduced to 14 days by individual agreement.

  • In the case of applications delivered by email or where FastApplication is not used, we do not store any data.

  • Saving of jobs by candidates: The associated data is automatically deleted once the candidate has unsubscribed. There is a direct unsubscribe option in each email. If the reminder function is used for a specific job, the registration will be used for the desired job submission and then deleted.


Except for the processing necessary to provide our contractual services, we do not process data on behalf of our customers without their express instructions.


Miscellaneous

talentsconnect provides the JobShop under its own responsibility as a service provider within the meaning of Sec. 2 German Telemedia Act (TMG). Therefore, talentsconnect is also named as a service provider in the imprint in accordance with Sec. 5 TMG.
