1. Controller and DPO
‘Controller’ means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 Nr. 7 GDPR). The controller for the present processing activities is
Tel.: +49 30609807440
The contact data of the data protection officer corresponds to the data of the data controller mentioned above. With the addition of "data protection officer", you can reach the data protection officer directly.
2. Use of the website, our services and operational security
When you access our website or use our services via our website, your web browser transmits various personal data to our web server. Of this data, we process your IP address (the unique address of your computer on the Internet) so that the web browser you use can retrieve content from our website and thus use it. The relevant legal basis for this is Art. 6 para. 1 lit. f) GDPR since by visiting our website it is also in your interest that we technically realize the presentation. If the visit to our website serves the conclusion of a contract or the initiation thereof, the applicable legal basis is Art. 6 para. 1 lit. b) GDPR.
For statistical purposes we process:
- Date and time of access
- Name and URL of the page or file accessed
- Browser used, operating system of the end device
- HTTP status code
We do not use this data with reference to your person, but for the purpose of statistical analysis, in particular how and under what technical circumstances our website is used and in order to be able to make improvements. This data is not processed together with other data. It is not possible to establish a personal reference. User profiles are created. The legal basis for the use of the data for the creation of the statistics is also Art. 6 para. 1 lit. f) GDPR. Our legitimate interest for such processing is that this statistical data enables us to detect errors on our website and to optimize it.
IP addresses are processed in connection with a date and time stamp next to the called URL for the purpose of detecting and defending against hacker attacks against our website. In doing so, we refer to Art. 6 Para. 1 lit. f) GDPR, whereby our legitimate interest lies in ensuring the operational security (Art. 32 GDPR) of our website. The IP addresses are deleted after 90 days, unless a further purpose justifies the continuation of the processing. In this case, we delete the data as soon as the purpose ceases to apply.
If you use our services, personal data may be transferred to a third country because we use the services of technical providers. These providers act as our vicarious agents and enable us to provide our services at all. The information required for this can be found in our cookie banner and the information provided there. The technical service providers we currently use and the respective third country are listed in the following table.
Please note our notice on third-country transfers.
2.1 Note on transmission to third countries
At various points, we point out that transfers are made to third countries. Third countries are countries outside the EU or the EEA. With a few exceptions, there is no level of data protection in third countries that is comparable to the GDPR. Therefore, a transfer to a third country may result in personal data not being subject to a level of protection comparable to the GDPR. Such a risk may also exist if a company based in the EU has a parent company in the USA (e.g. Google or Facebook). In these cases, the EU subsidiary of a company may use the services of the parent company, resulting in a transfer to a third country, even though the company responsible for data protection is located within the EU.
Until now, such a transfer could be justified by concluding so-called standard contractual clauses. In this case, two companies agree that personal data will be handled in a manner appropriate to the GDPR.
The problem here is that government agencies in the third country do not have to adhere to these agreements. It can happen that such accesses are not subject to any judicial reservation or even take place covertly, so that you cannot defend yourself in any way. It is also to be feared that data obtained in this way will be merged with other data and that profiles of individuals will be compiled in this way. The resulting consequences can be of such a varied nature that it is impossible to assess or even present them here. The possible types of consequences may in particular be of an economic, political or general nature that restricts freedom. Also, particularly serious consequences are generally not excluded.
Therefore, it is not possible to give a reliable answer as to how high the risk is for you personally. You should therefore weigh up your consent carefully. If you do not give your consent, this will not be associated with any disadvantages for you. Our offers are also open to you on the same conditions in all other ways.
2.2 Settings for Cookies
On our website, the cookie banner and the information provided there explain which cookies we use for which purpose, which data is processed, to whom and to which country the data collected by these cookies is transmitted and whether these cookies are dependent on your consent. When using our website and our services, it is necessary for us to inform you which cookies are set, i.e. which information is stored on your computer via the browser. For this purpose, we use a tool that enables the legally compliant presentation and explanation of cookies. The processing of personal data in this context is based on Art. 6 para. 1 lit. c) GDPR, as we are legally obliged to take this measure. Further details about this process can be obtained directly from our cookie banner.
The handling of cookies can also be set directly via your web browser and depends on the web browser you use. Via the following links you can find out how to change the settings of your web browser.
- Chrome Browser – https://support.google.com/accounts/answer/61416?hl=de
- Internet Explorer – https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
- Microsoft Edge – https://support.microsoft.com/de-de/windows/microsoft-edge-browserdaten-und-datenschutz-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd
- Mozilla Firefox – https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
- Safari – https://support.apple.com/de-de/guide/safari/manage-cookies-and-website-data-sfri11471/mac
2.3 Use of our services
If you are our customer and provide us with data in this context, we will process this data within the scope of implementing the contractual relationship. In principle, you will also receive all information and details on data processing within the scope of the contractual relationship while concluding the contract itself.
If you use our solution without (directly) entering into a contract with us, you will receive the necessary information applicable to your specific usage context via the agency that provides you with access to our services. This applies, for example, if you use our solution as an employee or subcontractor. In this case, we usually act as a processor for your contractual partner / employer. In this case, the relevant contract as the legal basis for this data processing is between you and the entity that provides or enables you to access our solution and a special agreement pursuant to Art. 28 GDPR between your contractual partner / employer and us.
The following information on processed data categories applies insofar as the data categories are not already mentioned on the basis of another factual connection mentioned in this declaration. Accordingly, we process the following data categories insofar as you provide them to us:
- Personal master data, such as names (e.g., first name, last name, maiden name, last name), personal details (e.g., date of birth, marital status, gender)
- Contract master data (contractual relationship, product or contractual interest, order history)
- Address and contact data (e.g. street, house number, postal code, place of residence, e-mail address)
- Bank data (e.g. IBAN, BIC, name of bank), unless payments are processed via a payment service provider,
- Data from the execution of the contractual relationship regarding IT application and usage data (e.g. information entered, files stored, etc.)
The legal basis in all of the aforementioned cases is Art. 6 para. 1 lit. b) GDPR, whereby national regulations may apply in the relationship with your contractual partner (in Germany, for example, Section 26 para. 1 s. 1 BDSG). Insofar as data is transferred to third parties, this serves the purpose of implementing the contractual relationship.
The data processed in connection with the use of our services will be processed until the customer account or user profile is deleted, unless longer processing periods exist. These may result from accounting obligations or other laws. In any case, we delete this data as soon as the periods of these other legal obligations have expired and no other reason for further processing arises (e.g. in a legal dispute).
Please note our notice on third-country transfers.
If you subscribe to our newsletter, we will process the data you provide. The legal basis for the processing in connection with the sending of our newsletter is Art. 6 para. 1 lit. a) GDPR, as it is based on your consent. This consent can be revoked at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent until revocation is not affected by this. In the context of providing an e-mail address, we are obliged to verify the ownership of the e-mail and therefore send you a message containing a link to the e-mail address provided. This link must be clicked for validation. The processing within the scope of this procedure is based on Art. 6 para. 1 lit. c) GDPR, as we are obliged by law to provide evidence of the validation.
We delete your personal data associated with the newsletter subscription when you unsubscribe. We delete data that we need as proof that you have subscribed to the newsletter after the expiry of the limitation period for corresponding obligations to provide proof.
2.5 Analysis services
The analysis services we use can be seen from the integrated cookie banner. Please note the information provided there about the services. Analysis services have the purpose of tracking how our services and the websites used for this purpose are used and to optimize the design. If you have not given your consent, we will not use such services. If you give us your consent, the processing is based on Art. 6 para. 1 lit. a) GDPR.
Please see our note on third country transfers above.
The analysis services we currently use and the respective third country are shown in the following table.
2.6 Social Media
We use plugins and linking capabilities to social media as part of our website and in the provision of our services. These functions serve to connect your profile with our services. Personal data is only transmitted if you yourself have concluded a contract with the respective service provider and actively connect to this service yourself. Alternatively, you can partly share content from our website via these social media. In both cases, data processing is carried out exclusively by the respective service providers themselves based on the agreements made with you. For the sake of good order, we would like to point out that the use of such functions of our website or the services offered by us may result in third country transfers by the respective service provider.
Please see our note on third-country transfers above.
The social media services currently integrated by us and the respective third country are shown in the following table.
3 Application at Sablono
3.1 Application Portal
Sablono accepts applications exclusively via the designated application portal. This applicant portal gives you the opportunity to enter your application online and apply for one or more vacant positions at the company. When you visit the applicant portal, information is automatically collected and processed by the computer calling up the portal. The above-mentioned information applies to this.
3.2 General notes
In order to be able to apply, it is necessary to create an applicant profile. Required for the creation are the data first and last name, residence and the e-mail address as well as a username and a password.
Uploading documents or other information about your own career, other qualifications and skills, language skills and willingness to travel is generally voluntary and not mandatory for registration. To make it as easy as possible for you to apply for our positions, your applicant profile is valid for all applications via the portal.
In addition to the general profile information, further position-specific information is requested when you apply for a specific position. While the general information can also be used for other applications, the position-specific information is recorded and processed anew for each application. You may also be asked to provide equal opportunity data (e.g. ethnicity, gender, socio-economic background). This is done on a voluntary basis and only with your consent. The mandatory information is usually marked as such and all other information is voluntary.
In addition to the applicant profile, other data such as communication content (e.g. e-mail contact), assessments (e.g. results of assessment centers or aptitude tests) or accounting data (e.g. reimbursement of travel expenses) may also be processed when carrying out an application procedure, provided this is required by law or (pre-)contract or you have given your consent. As a rule, this data is not processed via the applicant portal.
3.3 Obligation to provide data
There is an obligation to provide the data if their processing is required by law or (pre-)contractually. For your application, you must provide Sablono with those data that are required for the hiring decision and thus for the examination of your professional competencies or that Sablono is obligated to collect. Without this data, registration is not possible or your application cannot be considered further.
If the data processing takes place based on overriding legitimate interests, you are generally not obliged to provide Sablono with your data.
3.4 Scope and purpose of data processing
With the creation of your profile and receipt of your application for a specific job posting, your data will be processed for recruitment purposes. In the phase of the contractual initiation of an employment relationship, Sablono as your potential employer has an interest in ensuring that you have the professional competence and personal suitability required for the vacant position. The scope of data processing, the course of the application procedure and the choice of means (e.g. telephone interview, assessment center, personal interview) depend on the requirements of the specific job advertisement. It depends on these which persons are involved in the data processing and thus have access to your data. These persons regularly include employees of the personnel department and supervisors. If other persons or bodies (e.g. service providers) have access to your data, this will always be on the basis of a contractual confidentiality agreement and/or a data protection contract
3.5 Legal basis of the data processing
The legal basis for the processing of your data during the application is Art. 6 para.1 p. 1 lit. b) GDPR, necessity for hiring decision and establishment of an employment contract. In addition, the nationally applicable legal basis for processing applicant data applies, provided that the country in which the controller is established has enacted one in accordance with Art. 88 para. 1 GDPR (In Germany: Section 26 para. 1 s. 1 BDSG). In order to ensure that neither funds nor other economic benefits are made available for terrorist purposes, your personal data is checked as part of a so-called terror list screening. The respective legal basis depends on the country in which you are applying.
3.6 Duration of the data processing
Your data will be processed for as long as is necessary to establish the employment relationship. The application ends with the hiring decision and thus also the purpose of the data processing for the application procedure. After expiration of the legal retention period for applicant data, your data will be deleted. The legal retention period depends on the applicable local law (in Germany currently: three months after the decision).
In order to make it as easy as possible for you to apply for various positions and to offer you additional functions, your applicant profile is also valid during the execution of an application or after its termination for applications via the applicant portal. Only the general profile information is stored and used; the job-specific information is deleted in accordance with the above-mentioned deadlines.
An automatic deletion of the applicant profile takes place after 6 months, if you have not used it for a certain period of time after the completion of your (last) application.
The processing of your data is necessary for the hiring decision. An objection to the processing will therefore result in the termination of the recruitment process and the rejection of your application.
4 Rights of data subjects
You are entitled to the following rights:
4.1 Right of access by the data subject (Art. 15 GDPR)
You have the right to obtain information about the data stored about you at any time.
4.2 Right to rectification (Art. 16 GDPR)
You have the right to have incorrect personal data concerning you corrected.
4.3 Right to erasure (Art. 17 GDPR)
You may also request the deletion of your personal data, for example if your data is no longer necessary for the purposes for which it was collected or otherwise processed.
4.4 Right to restriction of processing (Art. 18 GDPR)
You also have the right to request the restriction of the processing of your personal data. In such a case, the data will be blocked for any processing. This right exists in particular if the accuracy of the personal data is disputed between you and us.
4.5 Right to data portability (Art. 20 GDPR)
If we process your personal data for the performance of a contract with you or based on your consent, you also have the right to receive your personal data in a structured, common and machine-readable format and to have this data transferred to another controller, if and to the extent that you have provided us with the data.
4.6 Right to object (Art. 21 GDPR)
In addition, you may object to data processing for reasons arising out of your particular situation. However, this only applies in cases where we are processing data to fulfill a legitimate interest, to perform a task in the public interest or in the exercise of official authority, or for direct marketing purposes. If you can provide such a reason and we cannot demonstrate a compelling interest worthy of protection in the further processing, we will not further process this data for the respective purpose.
4.7 Right to revoke consent
If you have given us consent to process your personal data, you may revoke this consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can send the revocation in writing or by e-mail to Sablono. A statement of reasons is not required.
4.8 Right of complaint (Art. 77 GDPR)
You can contact the data protection officer with all matters relating to the processing of your personal data, of course also regarding violations of data protection law. In addition, you are free to seek judicial assistance. You also have the right to lodge a complaint with a supervisory authority at any time if you are of the opinion that the processing of personal data relating to you violates data protection regulations.
In the event of complaints regarding data protection, you can contact the supervisory authority responsible for your place of residence or the supervisory authority responsible for us:
Berlin Commissioner for Data Protection and Freedom of Information
Phone: +49 (0)30 13889-0
Fax: +49 (0)30 2155050