Privacy policy for applications to StepStone job vacancies:
We are very pleased about your interest in for applications to StepStone job vacancies. With this Privacy Policy, we aim to inform you about how, why and to what extent we process personal data, and what your rights are as a Data Subject.
1. Data Controller
Unless otherwise stated in this Privacy Policy, the Data Controller in accordance with Art. 4 no. 7 GDPR is StepStone GmbH, Völklinger Str. 1, 40219 Düsseldorf, Germany, Phone: +49 211 93493-0, E-Mail: [email protected] (hereinafter also “we” or “us”).
2. For what purposes and on what legal basis do we process personal data?
We process personal data concerning you for the purpose of your application for an employment relationship provided that this is necessary in order to make a decision regarding the establishment of such an employment relationship. The legal basis is Section 26 (1) in conjunction with paragraph (8) second sentence of the Federal Data Protection Act (BDSG) and Art. 6 para. 1 point b) GDPR.
In the event that an employment relationship is established between you and us, we may, pursuant to Section 26 (1) BDSGand Art. 6 para. 1 point b) GDPR, process the personal data already received from you for the purpose of such employment relation if necessary for the performance or termination of such employment relationship or for exercising or fulfilling the rights and obligations of the lobby group or employees resulting from a law or a collective agreement.
3. Which categories of personal data do we process?
We process data in connection with your application. This may include general information about you (such as your name, address, and contact details), information about your professional qualifications and education or information about professional training or other information you provide us in connection with your application. In addition, we may process job-related information made publicly available by you, such as a profile on professional social media networks.
4. What are the sources of personal data if we do not collect them from you?
As a rule, we collect personal data from you. In connection with an application, however, we may also collect personal data about you on professional social networks (e.g. LinkedIn, XING), insofar as this is required as part of the hiring process.
5. Accessing the website
When you use our service, we will automatically collect and process various data items. These include for example:
• Information about the end device accessing the site and the software used
• Date and time of the access
• Websites from which the user has accessed our website or which the user accesses through our website
• IP address
This IP address must be stored for technical reasons, even if only temporarily, in order to enable the website to be downloaded to the user’s end device. The legal basis for data processing is provided by Art. 6 para. 1 point b GDPR. Our servers also store your IP address for up to 14 days for internal security purposes (Art. 6 para. 1 point f GDPR).
6. Transmission of Data
6.1. Unless otherwise stated in this Privacy Policy, we will only transmit your personal data to third parties if transmission is required to comply with our contractual obligations to you and this evidently needs to be done through or jointly with another provider, if we are permitted or required by law to transmit the data on other grounds, or if you have provided us with the relevant consent.
6.2. We may transfer your personal data to companies affiliated with us, insofar as this is permissible within the scope of the purposes and legal bases set out in Section 2 because it is possible that you may likewise work for these companies within the scope of your employment relationship.
6.3. Your personal data may also be transferred to affiliated companies if you have given your consent to be included in the Talentpool. You can find more information about the Talentpool in section 9.
6.4. We also use contract data processors, i.e. companies that process personal data on our behalf and in accordance with our instructions, within the scope of contracts concluded with us. These contract data processors are:
6.4.1. SmartRecruiters GmbH, Wilhelmstraße 118, 10963 Berlin, which provides and hosts the application management system,
6.4.2. StepStone Continental Europe, Völklinger Str. 1, 40219 Düsseldorf, Germany, which conducts and manages the recruiting process for us,
6.4.3. StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany, which operates the jobboard stepstone.de,
6.4.4. Amazon Web Services, Inc. supports the hosting of the data. The hosting location is AWS Germany.
6.4.5. Textkernel B.V. (The Netherlands) supports the CV-Parsing and Parsing of documents from applicants and the insertion of this data into the appropriate field in the database.
6.4.6. ConnectMyApps AS, Smeltedigelen 1, 0195 Oslo, Norway, which transmits applicant data to StepStone's internal personnel management system and the data warehouse.
7. Data Transfer to Third Countries
A data transfer to a third country is not intended. It may only then be possible if you become part of the Talentpool and an affiliated company of the StepStone Group based in a third country accesses your application.
8. Storage Duration
We will only process personal data as long as it is necessary for the relevant purpose stated above. Personal data will then be deleted unless data erasure is prohibited by a statutory retention period. Applications are deleted 9 months after the end of the application process. The application process ends when you are hired or receive a rejection from us. If you are accepted into the talent pool, your application will be deleted 12 months after acceptance into the talent pool.
9. Talentpool
When you apply to StepStone, you can choose whether you want to be included in our Talentpool or not.
A Talentpool is a database of potential job candidates that can be accessed not only by the company you have applied to, but also by affiliated companies of the StepStone Group. The talent pool allows us to quickly find candidates who have already applied for jobs at StepStone and to check whether another advertised job matches their skills.
To ensure that your Profile will be found when searching the Talentpool, we will sort and mark all applications in the talent pool by occupational group, and specific skills or other characteristics will be marked with a ‘tag’. The assignment to an occupational group or a tag is done through CV parsing. CV parsing is a technology that reads your CV and extracts the relevant information for the application process. Additionally, tags can be manually assigned by the recruiter if further information is collected during the application process. In addition, we can receive information from applicants by having them fill out a form when they join the Talentpool.
10. Subjects’ Rights
10.1. Information and Rectification
You can receive information at any time and at no charge about whether we are processing personal data related to you and also about which information we are specifically storing about you. You are also entitled to receive a copy of the stored information. You can also have errors in your data corrected and missing information completed.
10.2. Erasure, Restriction of processing and “Right to be forgotten”
You can request that your data be erased and its processing restricted. Where erasure of your personal data is prohibited by statutory retention obligations, your data will be marked with the aim of restricting its future processing.
10.3. Data Portability
Where applicable, you also have the right to have your personal data transmitted to you or to another Data Controller in a structured, standardised and machine-readable format, as long as processing is performed on the basis of consent or contract using automated procedures. This does not apply, however, where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. You also have the right to have the personal data transmitted directly from one Data Controller to another, provided that it is technically feasible to do so and does not infringe upon the rights and freedoms of other persons.
10.4. Withdrawal of Consent, Objecting to processing
You can withdraw your previously given consent at any time with future effect by contacting the address indicated in section 11.
Moreover, you have the right to object to the processing of your personal data at any time (where such processing is based on a legitimate interest) for reasons arising from your particular circumstances. This also applies to profiling activities based on these provisions. If such an objection is received, we will cease to process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, of if the processing is for the establishment, exercise or defence of legal claims.
If we are processing personal data for the purpose of direct marketing, you have the right to object to the processing of your personal data at any time for the purpose of such marketing by contacting the aforementioned address. This also applies to profiling insofar as it is connected with such direct marketing. You also have the right to file an objection for reasons arising from your particular circumstances against processing of your personal data that we are engaged in for scientific, historical research or statistical purposes, unless such processing is required to perform a task that is in the public interest.
10.5. Right of Complaint
You also have the right to submit a complaint to the competent supervisory authority and to seek legal remedies. The supervisory authority with whom the complaint was lodged will notify the complainant about the status and result of their complaint, including the option of seeking a judicial remedy.
11. Contact Details and your Rights as a Data Subject
Should you have any queries or comments on data protection and privacy or wish to exercise your rights as a Data Subject, please contact our Data Protection Officer at any time:
StepStone GmbH
Data Privacy
Völklinger Str. 1
40219 Düsseldorf
Germany
Last revised: August 27th, 2021