V2 (022024)
Peneder Holding GmbH uses the onlyfy one service (by XING) to process job applications. This Privacy Policy will inform you about the processing of your data by the onlyfy one service and by Peneder Holding GmbH.
With regard to interaction within the company account of Peneder Holding GmbH, Peneder Holding GmbH and New Work SE have shared responsibility pursuant to Article 26 GDPR, as they jointly determine the purposes and means of processing pursuant to Article 4 (7) GDPR. The current version of the agreement on shared responsibility pursuant to Article 26 GDPR, which New Work SE concludes with companies that use onlyfy one, can be viewed here https://www.xing.com/terms/onlyfy-one to gain information on the key aspects of the agreement.
onlyfy one is part of the extensive XING service operated by New Work SE, which pursues the aim of improving and simplifying users’ working lives with a variety of applications (onlyfy one, as well as the XING social and jobs network, kununu, etc.), and creates a more fulfilling working world of work for individuals while boosting the performance of companies. As part of the extensive XING service, onlyfy one is an online platform on which or through which talent and companies meet.
With regard to data processing for which New Work SE is solely responsible or is responsible within the scope of the shared responsibility with Peneder Holding GmbH, detailed information is available in the XING Privacy Policy at https://privacy.xing.com/en/privacy-policy. You will also find contact details for New Work SE, as well as for the New Work SE data protection officer there.
When submitting an application, you enter into a user relationship with New Work SE for the purpose of processing applications. In addition, you will receive support and New Work SE can present you with other opportunities in support of your career. A public profile will not be automatically created for you on the XING social and jobs network. The legal basis for New Work SE processing your data is, in particular, Article 6 (1)(b) GDPR (processing necessary for the performance of a contract).
You can pause the creation of your online application at any time and continue at a later point. Cookies are used for this purpose. The data you provide to create the user account, as well as any uploaded documents, are recorded in the company account of Peneder Holding GmbH in onlyfy one. The data remains recorded even if an application is paused and/or not completed. In this case, your application is flagged as incomplete and the data remains visible to Peneder Holding GmbH only.
The data you have provided as part of the online application can be read, edited, or updated in your candidate profile at any time.
If the calendar function is used, your data is processed during and for the purpose of setting appointments within the application process. The legal basis is Article 6 (1)(f) GDPR. The calendar function is provided by an IT service provider (Cronofy Ltd., United Kingdom). The United Kingdom is classified as a secure third country based on the adequacy decision of the European Commission. Further information on data protection at Cronofy is available here: https://www.cronofy.com/gdpr/ and https://docs.cronofy.com/policies/privacy-notice/
If you use the apply using WhatsApp function, your consent, which can be withdrawn at any time, forms the legal basis for communication (Article 6 (1)(a) GDPR). When applying via WhatsApp, all required applicant information is requested during a WhatsApp chat. The data is then sent directly to onlyfy one through a service provider, and is processed further there as part of and for the purpose of the normal application process.
The apply via WhatsApp function is provided by an IT service provider (PitchYou) that can gain access to your data for this purpose. More information is available here: https://www.pitchyou.de/en/pitchyou-gdpr. Candidate data from apply via WhatsApp are transferred to onlyfy one via an interface. Immediately after this transfer, candidate data are deleted from the apply via WhatsApp infrastructure in PitchYou. Further processing then takes place exclusively in onlyfy one.
Please note that you use your personal WhatsApp account for applications, and therefore we cannot rule out that messages will be transferred, to the USA in particular. WhatsApp data protection information, such as its processing or exercising of data protection rights with regard to WhatsApp is available here: https://www.whatsapp.com/legal/privacy-policy-eea.
Subject to your consent, your application will be sent from WhatsApp via the PitchYou infrastructure to onlyfy one. You have the right to withdraw your consent to this at any time. Either way, your application data will be deleted from the PitchYou infrastructure once transferred to onlyfy one, meaning that PitchYou will not process your data any further.
The FADP applies to circumstances which have an impact on Switzerland, even if said circumstances are initiated outside of Switzerland. Correspondingly, this privacy policy applies to information in line with the EU GDPR and the FADP. Here, EU GDPR terminology is used in favour of FADP terminology. However, FADP terminology is used if the FADP applies and the terminology differs from EU GDPR terminology in a given language. The About this site section on XING contains the name and address of our representative in Switzerland.
Version 2.4 (April 2022)
Information about data protection
We are pleased you have chosen to apply at Peneder Holding GmbH. Transparent and trustworthy handling of your personal data is an important foundation for successful collaboration. We wish to inform you how we process your data and how you can exercise your rights according to the General Data Protection Regulation (GDPR). The information below offers an overview of the collection and processing of your personal data in connection with the application process. Please read this Data Protection Declaration carefully before submitting your application.
a) Who is responsible for the data processing?
The controller as defined by Art. 4 (7) GDPR is:
Peneder Holding GmbH
Ritzling 9 4904 Atzbach
b) How can I contact the data protection officer?
For questions about data protection, please email datenschutz@peneder.com.
According to Art. 4 (1) GDPR, personal data is all data that refers to an identified or identifiable natural person.
Applicant master data (first name, last name, title, email address, telephone number, address, date of birth, citizenship)
Qualifications data (cover letter, personal statement, resume, previous experience, professional qualifications and skills)
Voluntary information, such as a photo, disability status or other information that you voluntarily share with us in your application or voluntarily upload
Additional questions depending on the respective position (e.g. driver’s license, citizenship)
Communication between you and us as well as comments and evaluations concerning you that are created during your application process
Other data / data categories, e.g. publicly accessible professional data such as profiles on professional social media networks like XING or LinkedIn (possibly modifiable by the customer)
Special categories of personal data: If you provide information in your application documents that falls into special categories of personal data as defined by Art. 9 (1) GDPR (e.g. information that implies your sexual orientation; information on your health; information that implies your ethnicity or religion), we will also process this data only within the legally permissible framework.
a) Automated collection of usage data
When accessing the domain jobbase.io, your web browser automatically sends certain usage data for technical reasons. This information is stored separately from other data in log files. Prescreen collects the following information:
Date and time as well as duration of the access
Browser type/version
Operating system
URL of the previously visited web page
Quantity of data transmitted
A GeoIP lookup is performed based on your IP address (Internet Protocol address)
Names of the accessed files
http status code (e.g. “request successful”)
URL of the accessed web page
Access type (GET, POST)
This data is technically required in order to offer the functions of the e-recruiting system and to ensure the stability and security of the system. It is stored by Prescreen for a period of 12 months. Data that must be further retained for evidential purposes is excepted from the erasure until final clarification of the respective case.
The legal basis for processing of the data is Art. 6 (1) (f) GDPR.
b) Cookies
a) Data processing for purposes of employment – Section 26 BDSG (German Data Protection Act) (possibly modified by the customer for country-specific regulations)
Your personal data is used for purposes of selecting personnel to fill open positions, in other words for initiating a contract of employment. The necessity and the scope of data collection are determined according to the position to be filled, among other factors. More extensive data collection may be required if your desired position is associated with particularly confidential duties, entails significant responsibilities in the areas of human resources and/or finance, or requires certain physical and mental capabilities. The legal basis is Section 26 (1) German Data Protection Act (BDSG).
b) Consent – Art.6 (1) (a) and Art. 9 (2) (a) GDPR , Section 26 (2) BDSG
If you have declared to us your consent for processing specific personal data, this consent then forms the legal basis for processing of this data.
In the following cases (possibly modified by the customer), we process your personal data on the basis of your consent:
Inclusion in the candidate pool; in other words, we save your application documents after the current application process in order to consider you in subsequent application processes.
To be added by the company: Possibly other processing scenarios that are based on consent (e.g. forwarding of documents to other group companies / group-wide candidate pool, sending of feedback questionnaire). The data you have already provided in the application process will also be processed.
If we base data processing on your consent, you have the right to withdraw this consent at any time with future effect. Please inform us of this revocation by email to jobs@peneder.com. The legality of the processing of your data up to the time of revocation remains hereby unaffected.
c) Data processing based on a legitimate interest – Art. 6 (1) (f) GDPR
In certain cases, we process your data to safeguard a legitimate interest of ours or of third parties. A legitimate interest applies, for example, if your data is required for the establishment, exercise or defense of legal claims in connection with the application process (e.g. claims according to the General Equal Treatment Act). In the event of a legal dispute, we have a legitimate interest in processing the data for evidential purposes.
d) Feedback questionnaire
To optimize our application process and to improve as an employer, we offer you the opportunity to provide personal feedback. For this purpose, we will send (with prior consent – to be modified by the customer) a feedback questionnaire to you at the specified email address. If you participate in the survey, our service provider Prescreen (see item 5 “With whom is your data shared?”) will collect the feedback, position title, location of the position, job category and type of employment for which you have applied. This information will then be shared with kununu GmbH and possibly other verified evaluation platforms and published there without inclusion of your name. Kununu cannot establish a relationship to your person. However, please note that other parties, such as your employer, may be able to identify you based on the information provided in the published feedback.
e) Calendar feature (possibly modified by the customer)
If the calendar feature is used, your data will be processed within the scope and for the purposes of an application process. The legal basis for this is Art. 6 (1) (f) GDPR. The calendar feature is provided by an IT service provider (Cronofy Ltd., U.K.). Due to an adequacy decision by the European Commission, the U.K is classified as a safe third country. Information about privacy and security at Cronofy is available here: https://www.cronofy.com/gdpr/ and https://docs.cronofy.com/policies/privacy-notice/
Your data is primarily processed by our Human Resources department. In some cases, other internal and external parties also participate in processing the data.
Internal parties could be specialized areas or departments or the works council of our company.
(possibly modified by the customer)
Our external service provider is New Work SE. New Work SE, Am Strandkai 1, 20457 Hamburg (hereafter “Prescreen”), operates the e-recruiting system Prescreen under the domain *.jobbase.io (hereafter “jobbase.io”), where companies can post job ads as well as receive and manage applications.
As part of these activities, Prescreen processes personal data solely on behalf of and for the purposes of Peneder Holding GmbH and is therefore considered a processor according to Art. 4 (8) GDPR.
Jobbase.io is the central platform for our applicant tracking. When using our online form, your personal data is entered directly into jobbase.io. When an application is submitted by post or email, your data may also be transferred to the e-recruiting system.
(1) We store your personal data for as long as necessary for making the decision concerning your application. If you are not hired for the position in question, we may continue to store your data to the extent necessary for defending against possible legal claims. Your data will normally be deleted within 12 months after the end of the application process.
(2) If you are not hired but you have granted us consent to save your data (“candidate pool”), we will store your data until revocation of your consent or for a maximum of 24 additional months. Where specifically justified, we may also store your data for a longer time period for the purpose of defending against possible legal claims.
(3) If you retract your application before the end of the application process (in other words, if you delete your data and your account), the stored data will be restricted for the period of the continued application process and permanently deleted once 12 months have elapsed after the end of the application process.
(4) If you are no longer using your candidate profile and have not granted consent for continued data storage in the candidate pool, the data will be deleted within 12 months after the end of the application process.
(5) You can delete your candidate profile and your application documents, submit a deletion request or request a restriction of processing at any time.
(1) You can request information on whether we are storing personal data concerning you. Upon your request, we will inform you of what data is involved, the purposes for which the data is processed, who the data is shared with, for how long the data will be stored and what other rights you have in relation to this data.
(2) You also have the right to rectification or erasure of your data. You can also request that we make all personal data that you have shared with us available to you, another person or a company of your choice in a structured, commonly used and machine-readable format.
(3) You also have the right not to be subjected to a decision based solely on automated processing (including profiling) that produces legal effects concerning you. Within the context of the application process, we do not use any exclusively automated processes for making decisions.
(4) You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6 (1) (e) GDPR (data processing for reasons of public interest) or on Art. 6 (1) (f) GDPR (data processing for safeguarding of a legitimate interest), including profiling based on those provisions. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defense of legal claims.
(5) You also have the right to lodge a complaint with the competent supervisory authority.
(6) To exercise your rights, you can contact us by email datenschutz@peneder.com. We will process your requests as quickly as possible according to the statutory requirements and inform you of the measures we have taken or will take.
The provision of personal data is required neither by law nor by contract, nor are you obligated to provide the personal data. However, the provision of personal data is required for conducting the application process. In other words: if you do not provide us with any personal data along with an application, we cannot conduct the application process.
You can interrupt the creation of your online application at any time and continue it later. The platform utilizes technically necessary cookies for this purpose. Data is transmitted to jobbase.io during the application process. In other words: data you have provided for creation of a user account and any uploaded documents are entered into jobbase.io. The data remains here if you interrupt and/or do not conclude an application. In this case, your application is marked as incomplete, but the data remains visible to our company, to a limited extent.
You can view, edit or update the data you have provided within the context of the online application at any time in your candidate profile.
If you make no further changes in your candidate profile, such as concluding an ongoing application, starting a new application or changing the data of an existing application, your data will be deleted within 12 %applicationDataRententionUnit% after completion of the last active application process.
You can submit a request for erasure of your candidate profile and your application documents at any time. After the request for erasure has been submitted, you will be informed of the exact erasure date, and your data will be automatically deleted according to the conditions established in this Data Protection Declaration. (possibly to be modified by the customer)
Insofar as you use our Apply via WhatsApp, the legal basis for communication is your consent, which may be withdrawn at any time (Art. 6 (1) (a) GDPR). Whenever applying via WhatsApp, all required candidate details are requested via a WhatsApp chat. The data is then imported directly into our recruitment service provider’s system via a service provider and processed there within the scope and for the purposes of a regular application process.
The Application via WhatsApp function is provided by an IT service provider (PitchYou), which may access your data for this purpose. You can find more information here: https://www.pitchyou.de/data-privacy .
Please note that you use your own private WhatsApp account for applications, meaning that forwarding of messages, in particular to the U.S., cannot be excluded. The U.S. is currently considered an insecure third country, which means that it may not be able to guarantee the EU data protection standard. Certain data protection risks may be associated with data transfers (e.g., unauthorized access to your data by U.S. security authorities). However, end-to-end encryption is applied to sent and received messages. More information on WhatsApp.
WhatsApp's Privacy Policy, including how they process information and how you can exercise your rights, is available here: https://www.whatsapp.com/legal/privacy-policy-eea
If you wish to withdraw consent, please contact Rudolf Pohn per datenschutz@peneder.com.
The customer must indicate here whether an automated workflow for sending reminders to