Privacy policy for Applicants1 (Recruiting)

According to Art. 4 No. 1 of the EU General DataProtection Regulation (GDPR), personal data is information about the personal or factual circumstances of an identified or identifiable natural person. This includes information such as your name ,address, telephone number and date of birth, but also data about your specific career and qualifications, etc.,which can be assigned to a specific person with reasonable effort (hereinafter referred to as „Data“).

Controller and Data Protection Officer

The osapiens Companies2 to which you have applied or to which the recruiter has transmitted your data is responsible for processing your data.

For all data protection issues you can reach us at

at the central business address for data protection issues
Julius-Hatry-Strasse 1, 68163 Mannheim,Germany

with the addition of „Data Protection“or

by E-Mail at

Data Protection Officer of these Companies is:

TÜV SÜD Academy GmbH
Larissa Bichert, certified Data ProtectionExpert
Westendstrasse 160, 80339 Munich

You can also reach the Data Protection Officer centrallyat our above-mentioned E-Mail address(

Data collection

The application process requires that you provide us with the data necessary for their assessment and selection. You can submit your application to us either online via an applicant management system(recruiting software from a third-party provider) or byE-Mail. Any application documents sent by E-Mail will be entered into the applicant management system.Your data, which you transmit to us online, will be transmitted to us in encrypted form in accordance with the state of the art. When applying by E-Mail, please note that e-mails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the application between the sender and the reception on our server.

As part of the applicant selection process, we collectand process the following categories of data:

• Contact and inventory data on your application profile (e.g. first and last name, address, date of birth, country, e-mail, telephone number, mobile number, marital status, nationality).

• Training, performance, and employment data and application materials (e.g., resume, cover letter, career development data, qualifications, skills, language proficiency, work experience).

• Other application documents (e.g. information on your desired salary, notice period, willingness to travel, your motivation, cover letter, references and job-specific information).

• The channel by which your application reached us (e.g. email, Indeed, recruiter, etc.)

• Special categories of data (e.g. information ondisability, health or health restrictions, if applicable). We only process this data withinthe legally permissible scope.

We may also obtain the above data about you from other sources, including external business partners, e.g. personnel service providers. If you are hired using a personnel service provider, we will store your data in the personnel file created for you. If you are not hired for the corresponding vacancy as part of this process, all applicant records will then be deleted when the job filling process is complete. We may also receive data that you submit on job-related social networks, such as Indeed Job Board, LinkedIn, or from other publicly available sources (only if the data has relevance to your professional life). The purpose is to contact you about job offers or to verify the accuracy of your information from the application documents.

Nature and purposes of processing

We collect your data exclusively for the following purposes:

>> Initiation and establishment of the employment relationship.

>> To contact you in case you should be considered for an alternative position.
>> To contact you in case you should be considered for an alternative position.
>> To send you personalized information about vacancies with us in accordance with the consent you have given.

Legal basis

Your data is required for the implementation and the decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Art. 6para. 1 letter b) GDPR). This means that we need and thus process your data for the purpose of a possible employment.

The legal basis for the processing of your data for the purpose of the employment relationship is Art. 88GDPR and Art. 6 para. 1 lit. b) GDPR. Data is only collected and processed for this purpose if this is required by law or according to the employment contract.

In individual cases, we will obtain your consent to the processing or transfer of your data. This may be the case, for example, if your application is to be kept fora longer period or if your application is to be considered for another position within our company or another group company (talent pool). In these cases, your consent is voluntary and can be revoked by you at anytime for the future. The legal basis for this is Art. 6para. 1 letter a) GDPR.

In addition, we process your data insofar as this is necessary for the assertion of legal claims and defense in legal disputes and this is necessary for the fulfillment of legal oblig GDPR. In this context, we therefore process your data, among other things, for fraud prevention and to fulfill documentation obligations. The legitimate interest is, for example, a duty to provide evidence in proceedings under the General EqualTreatment Act (AGG).

Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from you in the context of the application procedure so that we or you can exercise the rights arising from employment law and social security and social protection law and fulfill obligations in this regard, their processing is carried out in accordance with Art. 9 (2) letter b) GDPR. 2 letter b) GDPR, in case of protection of vital interests of you or other persons pursuant to Art. 9 para. 2 letter c) GDPR or for the purposes of preventive health care or occupational medicine, assessment of fitness for work, medical diagnosis, health or social care or treatment or for the management of health or social care systems and services pursuant to Art. 9 para. 2 letter h) GDPR. Incase of communication of special categories of databased on voluntary consent, their processing is based on Art. 9 (2) (a) GDPR).

In addition, we process your data insofar as this is necessary for the assertion of legal claims and defense in legal disputes and this is necessary for the fulfillment of legal obligations. The legal basis for this is Art. 6 (1)(c) and (f) GDPR.

Your data will only be processed for purposes other than those stated above if such processing is permitted under Art. 6 (4) GDPR and is compatible with the original purposes. We will inform you about such processing prior to any such further processing of your data.

Recipient of the data

As part of the application process, your data will be accessed by those who need it to fulfill our obligations and carry out our internal processes (e.g. HumanResources and the specialist departments for the respective advertised position). The Employees authorized to access the data will be obligated to maintain confidentiality and to protect business and trade secrets as well as data privacy.

Certain personnel administration and personnel management tasks are performed centrally within the corporate group. This also includes applicant management, for which osapiens Holding GmbH is responsible within the entire group of Companies.osapiens Holding GmbH acts either as the responsible party regarding filling its own vacancies or as an order processor vis-à-vis other osapiens Companies, insofar as it is a matter of filling their vacancies.Corresponding contracts under data protection law exist between the individual Companies of the group ofCompanies.

Furthermore, data may be processed on our behalf based on contracts pursuant to Art. 28 GDPR (order processing contracts), this in particular by the provider of the personnel administration and applicant management software Personio GmbH( The data transmitted to Personio GmbH is transferred via TLS encryption and stored in a database on servers in Germany operated by this third-party provider. We are the only party responsible for the data. Personio GmbH complies with all requirements of the GDPR and is data protection compliant as a company as well as a software.

Apart from that, no data is transferred to third partiesunless you have given your express prior consent tothe transfer or there is a legal obligation to transfer thedata. In principle, no data transfer to bodies or personsoutside the European Union (EU) or the EuropeanEconomic Area (EEA) takes place.

Your data may be forwarded to law enforcementauthorities and, if necessary, to injured third partieswithout your express consent if it is necessary to clarifyunlawful conduct or for legal prosecution. However,this only happens if there are concrete indications ofunlawful or abusive behavior. We are also legallyobligated to provide information to certain publicauthorities upon request. These are law enforcementagencies, authorities that prosecute administrativeoffenses subject to fines and the tax authorities. Thedisclosure of this data is based on our legitimate interest in combating abuse, prosecuting criminaloffences and securing, asserting and enforcing claims,unless your rights and interests in the protection ofyour data are overridden, Art. 6 (1) (f) GDPR.

Saving your data

We store your data for a period of 6 months after a rejection. This is necessary for the burden of proof in proceedings under the AGG. This does not apply insofar as the processing and storage of your data is necessary in the specific case for the assertion, exercise or defense of legal claims (duration of a legal dispute).

After this period, the data will be deleted. You have the option to withdraw your application at any time. This will result in your data being immediately deleted from the applicant database, subject to the restrictions mentioned below. However, should you wish individual data submitted by you to be deleted, we reserve the right to store your data for a limited period of 6 months to be able to comply with the obligations to provide evidence arising from the AGG.

If your application is successful, we will store your personal data for the entire duration of your employment in accordance with the information requirements for Employees, which we will send to you upon acceptance of employment.

Inclusion in a talent pool

If we reject your application, we may wish to store it in our applicant database ("talent pool") for further contact. This further storage will only take place in consultation with you and after you have given your consent. If you send us your unsolicited application and we do not currently have a suitable offer for you, your data will also be stored in our talent pool after prior consultation with you. If your unsolicited application is not of interest to us, you will receive a rejection. In this case, your data will not be stored any further.

If you are stored in our talent pool as a result of your application, we will use your data to maintain contact with you, e.g. to pass on interesting job offers to you.If you expressly wish to be included in our talent pool by consenting to the storage of your data in the talent pool, we will store your data until revoked, but for no longer than 12 months. You will be informed one month before the expiry date and can thus extend the storage of your data in the talent pool for a further 12months. After expiration, your data will be deleted automatically and without separate notification.

Your rights (data subject rights)

You have extensive rights regarding the processing of your data.

Right to information: You have the right to information about the data stored by us (e.g. copy of the personnel file), in particular, for what purpose the processing is carried out and how long the data is stored (Art. 15 GDPR). This right is limited by the exceptions of § 34 BDSG, according to which the right to information does not apply if the data is stored only due to legal retention requirements or for data security and data protection control, the provision of information would require a disproportionate effort and a misappropriation of data processing is prevented by appropriate technical and organizational measures.

Right to correct inaccurate data: You have the right to demand that we correct the data concerning you without delay if it is incorrect (Art. 16 GDPR).

Right to erasure: You have the right to demand that we erase (Art. 17 GDPR) the data concerning you.These conditions exist in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have revoked consent without thedata processing being able to continue on a different legal basis, d) you successfully object to the data processing, or e) in cases of the existence of an obligation to delete based on the law of the EU or anEU member state to which we are subject. This right is subject to the restrictions set out in Section 35 of theBDSG, according to which the right to erasure may be waived if, in the case of non-automated data processing, there is a disproportionate effort for erasure and your interest in erasure is to be regarded as low.

Right to restriction of processing: You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists in particular if a)the accuracy of the personal data is disputed, b) you request limited processing instead of deletion under the conditions of a legitimate request for deletion c)the data is no longer necessary for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.

Right to data portability: You have the right to receive from us the data concerning you that you have provided to us in a structured, common, machine-readable format (Art. 20 GDPR), insofar as this has not already been deleted.

Right to object: You have the right to object to theprocessing of data concerning you at any time ongrounds relating to your situation (Art. 21 GDPR). Wewill stop processing your data unless we candemonstrate compelling legitimate grounds for theprocessing which override your interests, rights andfreedoms, or if the processing serves the assertion,exercise or defense of legal claims.

According to Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation does not affect the lawfulness of the processing carried outbased on the previous consent. The only consequence of the revocation is that we may no longer continue the data processing based on this consent in the future.Note, however, that we may not be able to provide certain services or additional services if we are unable to process the data required for this purpose.

Right in connection with automated decision making: You have the right (Art. 22 GDPR) not to be subject to automated decision-making, including profiling, that has legal consequences for you or similar significant effects. We generally do not use automated decision making or profiling in employment matters.However, if you have been subjected to an automated decision and do not agree with the outcome, you may contact us in the ways set out below and request us to review the decision.

Right to complain to the supervisory authority:

You have the option to contact the data protection officer mentioned above or a data protection supervisory authority if you believe that the processing of data concerning you violates applicable data protection law.

To exercise these rights, please contact the HumanResources Department or the Data Protection Officer at the contact details provided above or a data protection supervisory authority. If you submit are quest for information and there are doubts about your identity, we may require you to provide information that will allow us to verify your identity.

1 The term applies equally to the female, male and neutral (diverse) gender.
osapiens Companies are osapiens Holding GmbH, osapiens Services GmbH, osapiens Hub GmbH, osapiens assetOps GmbH, osapiens Network GmbH, osapiens BrandOS GmbH (all of the aforementioned Companies seatedin Mannheim), osapiens COE Spain S.L (seated in Madrid), oneIDentity+ GmbH (seated in Munich) and fTRACEGmbH (seated in Cologne).

The protection of your personal data is particularly important to us. Therefore, we would like to inform you in the following about our data protection principles, which osapiens HoldingGmbH and its affiliated Companies within the meaning of Section 15 ff. AktG (German StockCorporation Act), to which you apply, in order to enable you to have a trustworthy application process.