definitions

Any terms not defined in this Privacy Policy shall have the meaning given to such terms in the Data Protection Legislation.

changes to our privacy statements

We may need to change this privacy notice from time to time. In that event, we will post an updated version of our privacy notice on this page that will apply to all of your information that we hold at that time.

note

If you choose not to provide us with certain information, we may not be able to (continue to) provide you with the products or services you request.

third party websites and services

Our website and services may contain links to third party websites. When you use our Services, you may be directed to third-party websites. Your use of these websites and services is subject to the terms of use, privacy policies, and cookie policies of those third parties. Please read the privacy policies and terms of use of those websites, as we are not responsible for them.

content

A. privacy policy
B. privacy policy for persons applying (recruiting)
C. privacy policy active use of the website - verification and confirmation of identity

A. privacy policy

The protection of your data is important to us. We place the highest value on the protection of your data. That is why we respect your privacy. We always inform you about it transparently, what we need your data for and whether or how long we store it.

content
  1. general information
    1.1. processing of personal data
    1.2. responsible company
    1.3. data subject rights
    1.4. recipients of personal data (general information)
    1.5. information on data transfer to the USA and other non-EU countries
    1.6. SSL and/or TLS encryption
  2. collection and processing of personal data when visiting our website
    2.1. hosting and Content Delivery Networks (CDN)
    2.2. cookies / tools
    2.2.1. consent with Usercentrics
    2.2.2. form.taxi
    2.2.3. Font Awesome (local embedding)
    2.2.4. LinkedIn
    2.2.5. XING
    2.2.6. TuCalendi
  3. other functions and offers (within and outside the website)
    3.1. contacting / communicating / collaborating
    3.2. mailing
    3.3. privacy policy for persons applying (recruiting)
  4. objection or revocation to the processing of your data

1. general information

With this privacy policy, we would like to inform you about the collection of personal data when using of our website and related services. This privacy policy applies to all websites or services that refer to this privacy statement.

1.1. processing of personal data

Personal data (in short: data) in the sense of § 4 EU General Data Protection Regulation (GDPR) are all information, relating to an identified or identifiable natural person, e.g. name, address, e-mail address etc.

1.2. responsible company

The company responsible for the processing of personal data within the meaning of § 4 (7) GDPR is: concilio et labore GmbH, Amselweg 4, 54306 Kordel, e-mail@cetl.lu (see our legal notices).

We have not appointed a data protection officer, as

  • we do not employ 20 or more employees who regularly process personal data automatically (company size / number of employees).
  • we do not process sensitive data revealing race, ethnic origin, political opinion, religious beliefs, trade union membership, health or sex life of an individual (level of detail of data).
  • our core activity does not consist in the transfer of personal data (business area).
  • we do not process any data that requires a data protection impact assessment (processing risk).

Certain processing operations may be carried out under the responsibility of other companies. This is indicated below in the respective description of the processing, if this is the case.

1.3. data subject rights

You have the following rights as a data subject of the data processing in accordance with the legal provisions with regard to the personal data concerning you:

  • right to information,
  • right to rectification or cancellation,
  • right to restriction of processing,
  • right to object to processing,
  • right to data portability.

You also have the right to complain to a data protection supervisory authority about our processing of your personal data.

When processing your rights, we may ask you for proof of identity. For more information on how we process your data in this process, please see 3.1.

1.4. recipients of personal data (general information)

In the course of our business activities, we cooperate with various external bodies. In some cases, this also requires the transfer of personal data to these external bodies. We only disclose personal data to external bodies if this is necessary in the context of the performance of a contract, if we are legally obliged to do so (e.g. disclosure of data to tax authorities), if we have a legitimate interest in the disclosure pursuant to Art. 6 (1) lit. f GDPR or if another legal basis permits the disclosure of data. When using processors, we only disclose personal data of our customers on the basis of a valid contract on commissioned processing. In the case of joint processing, a joint processing contract is concluded.

In addition to the listed receiving parties in each section below, we transmit the collected data for processing to the appropriate internal departments and to other affiliated companies within the vidulus group or to external service providers, data processors according to the required purposes. In addition, we forward the data to the following recipients:

  • Platform / hosting service providers have access to personal data from a third country (countries outside the European Economic Area). So-called standard contractual clauses pursuant to § 46 GDPR have been concluded as suitable guarantees. For third countries / companies for which a adequacy decision exists, the adequacy decision shall also apply. Further information can be found here: “international dimension of data protection”.

  • Analysis service providers will have access to personal data from a third country (countries outside the European Economic Area). So-called standard contractual clauses pursuant to § 46 GDPR were concluded as suitable guarantees. For third countries / companies for which an adequacy decision exists, the adequacy decision also applies. Further information can be found here: “international dimension of data protection”.

  • IT support service providers will have access to personal data from a third country (countries outside the European Economic Area). So-called standard contractual clauses pursuant to § 46 GDPR have been concluded as suitable guarantees. For third countries / companies, for which an appropriateness resolution exists, the appropriateness resolution shall also apply. Further information can be found here: “international dimension of data protection”.

  • Authorities: In the event of a legal obligation, we reserve the right to disclose information about you, if we are obliged to transmit them to competent authorities or law enforcement agencies, according to § 6 (1) c GDPR (legal obligation).

For more information, see the corresponding paragraphs in each section.

1.5. information on data transfer to the USA and other non-EU countries

Among other things, we use tools of companies domiciled in the United States or other from a data protection perspective non-secure non-EU countries. If these tools are active, your personal data may potentially be transferred to these non-EU countries and may be processed there. We must point out that in these countries, a data protection level that is comparable to that in the EU cannot be guaranteed. For instance, U.S. enterprises are under a mandate to release personal data to the security agencies and you as the data subject do not have any litigation options to defend yourself in court. Hence, it cannot be ruled out that U.S. agencies (e.g., the Secret Service) may process, analyze, and permanently archive your personal data for surveillance purposes. We have no control over these processing activities.

1.6. SSL and/or TLS encryption

For security reasons and to protect the transmission of confidential content, such as inquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption program. You can recognize an encrypted connection by checking whether the address line of the browser switches from “http://” to “https://” and also by the appearance of the lock icon in the browser line.

If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.

2. collection and processing of personal data when visiting our website

When visiting and using our website, we already collect personal data. In this section you will find more information about website-specific processes and tools, especially from external partners. For more information about processes that can also take place in an offline context, see section 3.

2.1. hosting and Content Delivery Networks (CDN)

Purpose / Information:
In the case of merely informational use of the website, i.e. if you do not otherwise transmit information to us, e.g. via a contact form, we only collect the personal data that your browser transmits to servers and that are required for the presentation of our website and are technically necessary to ensure stability and safety.

Cookies / tools used: Type A. For more information, see “cookies / tools”.

Receiver:
We are hosting the content of our website at the following provider:

2.1.1. Amazon Web Services (AWS)

The provider is the Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter referred to as “AWS”).

When you visit our website, your personal data will be processed on AWS servers. This may also result in the transfer of personal data to the parent company of AWS in the United States. The transfer of data to the US is based on the EU’s standard contractual clauses. For details please consult: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

For more information, please see the AWS Data Privacy Policy: https://aws.amazon.com/privacy/.

AWS is used on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in a depiction of our website that is as reliable as possible. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

Data processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

2.1.2. Amazon CloudFront CDN

We use the Content Delivery Network Amazon CloudFront CDN. The provider is Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (hereinafter referred to as “Amazon”).

Amazon CloudFront CDN is a globally distributed Content Delivery Network. During these transactions, the information transfer between your browser and our website is technically routed via the Content Delivery Network. This enables us to boost the global availability and performance capabilities of our website.

The use of Amazon CloudFront CDN is based on our legitimate interest in keeping the presentation of our web services as error free and secure as possible (Art. 6(1)(f) GDPR).

The data transfer to the United States is based on the Standard Contract Clauses of the EU Commission. You can find the details here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

For more information on Amazon CloudFront CDN please follow this link: https://aws.amazon.com/privacy/.

Data processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

For more receivers, see the section 1.4. on general receivers.

2.2. cookies / tools

We only use technically necessary cookies. Functionality, tracking, performance, targeting and advertising cookies are not used. Cookies are small text files that are placed on your end device by your browser to store certain information. The next time you visit our website with the same end device, the information stored in cookies will subsequently be passed on either to our website (“first party cookie”) or to another website to which the cookie belongs (“third party cookie”).

Through the stored and returned information, the respective website can recognize that you have already called up and visited it with the browser of your end device. We use this information to optimally design and display the website according to your preferences. Only the cookie itself is identified on your end device. Any further storage of personal data only takes place with your express consent or if this is absolutely necessary in order to be able to use the service offered and accessed by you accordingly.

This website uses the following types of cookies / tools, the scope and functionality of which are explained below:

Type A: Technical / Range Measurement - to ensure that the requested service can be provided, including basic analysis (no consent required under the Data Protection Directive 2002/58/EC).

Please note that the tools listed in the following subsection may not be in use all the time.

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your device or for the use of specific technologies, and to document the former in a data protection compliant manner. The party offering this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 München, Germany, website: https://usercentrics.com (hereinafter referred to as “Usercentrics”).

Whenever you visit our website, the following personal data will be transferred to Usercentrics:

  • your declaration(s) of consent or your revocation of your declaration(s) of consent
  • your IP address
  • information about your browser
  • information about your device
  • the date and time you visited our website

Moreover, Usercentrics shall store a cookie in your browser to be able to allocate your declaration(s) of consent or any revocations of the former. The data that are recorded in this manner shall be stored until you ask us to eradicate them, delete the Usercentrics cookie or until the purpose for archiving the data no longer exists. This shall be without prejudice to any mandatory legal retention periods.

Usercentrics uses cookies to obtain the declarations of consent mandated by law. The legal basis for the use of specific technologies is Art. 6(1)(c) GDPR.

Data processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

2.2.2. form.taxi

Our website uses form.taxi, a web service provided by the https://form.taxi website (hereinafter “form.taxi”). In order to provide you with the functionality of the form, we send the data you provide to form.taxi. This data is processed and stored there and passed on to us by e-mail. In addition, form.taxi collects, among other things, other data such as your IP address, your type of browser, the domain of the website, the date and time of access in order to provide the desired functionality of the form. Legal basis for the use of form.taxi is § 6 para. 1 p. 1 lit. f GDPR (legitimate interest). The data processing and storage takes place within the European Union. For more information, please refer to the privacy policy of form.taxi: https://form.taxi/de/privacy.

Receivers: The main service provider is wrkt*biz Reinhard Söllradl, 4070 Eferding, Austria, support@form.taxi

Deletion: We delete the data accruing in this context after storage is no longer required, or processing is restricted if there are legal retention obligations. The contents of the form submissions are stored for a maximum of 1 year.

Legal basis: § 6 (1) f GDPR (for processing in accordance with the above-mentioned legitimate interest)

2.2.3. Font Awesome (local embedding)

This website uses Font Awesome to ensure the uniform use of fonts on this site. Font Awesome is locally installed so that a connection to Fonticons, Inc.’s servers will not be established in conjunction with this application.

For more information on Font Awesome, please and consult the Data Privacy Declaration for Font Awesome under: https://fontawesome.com/privacy.

2.2.4. LinkedIn

This website uses elements of the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Any time you access a page of this website that contains elements of LinkedIn, a connection to LinkedIn’s servers is established. LinkedIn is notified that you have visited this website with your IP address. If you click on LinkedIn’s “Recommend” button and are logged into your LinkedIn account at the time, LinkedIn will be in a position to allocate your visit to this website to your user account. We have to point out that we as the provider of the websites do not have any knowledge of the content of the transferred data and its use by LinkedIn.

If your approval (consent) has been obtained the use of the abovementioned service shall occur on the basis of Art. 6 (1)(a) GDPR and § 25 TDDDG (German Telecommunications Act). Such consent may be revoked at any time. If your consent was not obtained, the use of the service will occur on the basis of our legitimate interest in making our information as comprehensively visible as possible on social media.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.linkedin.com/help/linkedin/answer/a1343190/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=en.

For further information on this subject, please consult LinkedIn’s Data Privacy Declaration at: https://www.linkedin.com/legal/privacy-policy.

2.2.5. XING

This website uses elements of the XING network. The provider is the New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.

Any time one of our sites/pages that contains elements of XING is accessed, a connection with XING’s servers is established. As far as we know, this does not result in the archiving of any personal data. In particular, the service does not store any IP addresses or analyze user patterns.

If your approval (consent) has been obtained the use of the abovementioned service shall occur on the basis of Art. 6 (1)(a) GDPR and § 25 TDDDG (German Telecommunications Act). Such consent may be revoked at any time. If your consent was not obtained, the use of the service will occur on the basis of our legitimate interest in making our information as comprehensively visible as possible on social media.

For more information on data protection and the XING share button please consult the Data Protection Declaration of Xing at: https://privacy.xing.com/en/privacy-policy.

2.2.6. TuCalendi

You can make appointments with us on our website. We use TuCalendi for booking appointments. The provider is Appload Solutions S.L., C. Bethencourt Alfonso, 38002 Santa Cruz de Tenerife, Spain (hereinafter “TuCalendi”).

To book an appointment, you enter the requested data and the desired date in the screen provided for this purpose. The data entered will be used for the planning, implementation and, if necessary, a follow-up appointment. The appointment data is stored for us on the servers of TuCalendi, whose privacy policy can be viewed here: https://www.tucalendi.com/en/privacy.

The data you have entered, will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Mandatory legal provisions, in particular retention periods, remain unaffected.

The legal basis for data processing is Art. 6 (1)(f) GDPR. The website operator has a legitimate interest in making it as uncomplicated as possible to arrange appointments with potential customers and existing clients. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

3. other functions and offers (within and outside the website)

In addition to the online use of our website, we offer various other services for which we also process your personal data in an offline context.

Deviating from 1.2., in some cases the company of the vidulus group is the responsible company for the functions and offers listed below, which has already been named to you in the course of the communication. Therefore, if sections of this privacy policy are referred to, e.g. via link, and a responsible company has already been named to you in the course of the communication, e.g. in the footer / signature of an email, this company is the responsible company according to. § 4 No. 7 GDPR.

3.1 contact / communication / cooperation

Purpose / Information: When communicating and/or cooperating with us, e.g. by e-mail, via a contact form on our website, via a data exchange platform, whether as a business partner or customer, the data you provide (your e-mail address, your name and telephone number, if applicable, or the specified personal data within the communication) will be stored by us, e.g. in order to answer your questions or to comply with the communication required for our business purposes.

When processing the data generated in the course of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal review or in accordance with the respective communication request.

Receivers and Sources: In order to combat money laundering and terrorism, we are required by law to carry out a comparison with sanctions lists. Therefore, we also process your data to comply with legal requirements to match against these lists. Furthermore, we process your data in the vidulus group for the prevention and investigation of criminal offenses and other misconduct, assessment and management of risks, for internal communication and for related administrative purposes.

If an affiliated company reports working with you, we will share our experience of working with the affiliated company.

If you are a business partner, we will cross-check your data with published lists of misleading sellers (e.g., World Intellectual Property Organization warning lists and Bundesanzeiger Verlag GmbH) to make an informed decision about any payments.

If you are a business customer or partner, it may be necessary to transfer your personal data to prospective buyers as part of a corporate transaction. As a rule, anonymized data is processed as part of the due diligence process. If necessary, however, it may also be necessary to process personal data in a specific individual case. Our legitimate interest is based on the execution of the corporate transaction.

In addition, we transmit the data to the following recipients:

  • Platform / hosting service providers.

Transfers to third countries are possible. As appropriate guarantees, so-called standard contractual clauses have been concluded in accordance with § 46 GDPR. For third countries/companies for which an adequacy decision exists, the adequacy decision also applies. Further information can be found here: “international dimension of data protection”.

Additional receiving parties can be found in section 1.4. on general receiving parties.

Deletion/objection: We delete the data accrued in this context again after the storage is no longer required, unless there are legal retention obligations or statutes of limitations must be observed.

Legal basis:

§ 6 (1) b GDPR (for processing in connection with a contract or a situation similar to a contract)
§ 6 (1) c GDPR (for processing in connection with a legal obligation)
§ 6 (1) f GDPR (for processing operations in accordance with the above-mentioned legitimate interest)

3.2 Mailing

Purpose/Information: As a selected customer or business partner, you will also receive individual product information, news notices and offers from us by mail (letter).

This is a special form of direct marketing, which is also our legitimate interest and intensifies the bond with the above-mentioned persons by providing them with exclusive information.

Receivers:

  • platform / hosting service providers
  • communication service providers
  • shipping service providers

Transfers to third countries are possible. So-called standard contractual clauses pursuant to § 46 GDPR have been concluded as suitable guarantees. For third countries/companies for which an adequacy decision exists, the adequacy decision also applies. Further information can be found here: “international dimension of data protection”.

Additional receiving parties can be found in section 1.4. on general receiving parties.

Deletion/objection: Your provided data will be deleted as soon as you have unsubscribed, unless this conflicts with legal retention obligations or statutes of limitations. You can unsubscribe or object according to the process as described in the letter or in the Objection section below.

Legal basis: § 6 (1) f GDPR (legitimate interest).

3.3 Privacy policy for persons applying (recruiting)

For more information on the application process, please refer to the separate privacy policy for persons applying (recruiting).

4. objection or revocation against the processing of your data

If you have given your consent to the processing of your data, you may revoke it at any time. Such revocation will affect the permissibility of processing your personal data after you have expressed it to us.

Insofar as we base the processing of your personal data on the balance of interests, you can object to the processing. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which is presented by us in each case in the description of the functions and offers. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either discontinue or adjust the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue the processing.

Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us of your advertising objection using the contact details provided under „responsible company“.

B. privacy policy for persons applying (recruiting)

This privacy policy informs you about how we process your personal data when you apply for a job we have advertised. It also describes your data protection rights, including the right to object to some of the processing we do. For more information about your rights and how to exercise them, please see the “your rights” section.

This privacy policy applies in addition to our existing general privacy policy, which provides you with specific information on how we process your personal data in the context of website visits or non-application specific topics.

content
  1. responsible
  2. data collection
  3. type and purposes of the processing of personal data
  4. legal bases
  5. recipients of the data
  6. your rights
    6.1. right to information
    6.2. right to rectification or erasure
    6.3. right to restriction of processing
    6.4. right to data portability
    6.5. right to object to processing
  7. retention period
  8. admission to the applicant pool
  9. objection or revocation of your consent to the processing of your data

1. persons responsible

The person responsible for the processing of personal data within the meaning of § 4 (7) GDPR is the company named in the job advertisement.

The contact details of the person(s) responsible for data protection can be found here.

2. data collection

As part of the selection process, we collect and process the following categories of personal data:

  • contact details in your application profile (e.g. first and last name, e-mail, telephone number);
  • information from the application form (this includes e.g. salary requirements, your motivation, information on disability (only if relevant for the advertised position);
  • application documents (including e.g. CV, cover letter, career development data, qualifications and language skills);
  • results of (video) interviews;
  • if applicable, references that you provide to us.

We may also obtain the above data about you from other sources, including external business partners, e.g. recruitment companies. We may also receive data that you have made public on job-related social networks, such as LinkedIn, or that you submit to us through other websites, such as Monster Job Board, or from other publicly available sources (only if the data has relevance to your professional life). The purpose is to contact you about job offers or to verify the accuracy of your information from the application documents.

3. nature and purposes of the processing of personal data

Your personal data will be processed exclusively for the following purposes:

  • to initiate and establish the employment relationship;
  • to contact you should you be considered for an alternative position;
  • if you have given us your consent, to ask you about your satisfaction with the application process;
  • to contact you based on your unsolicited application;
  • to send you personalized information about job openings in accordance with the consent you have given.

We collect and process your personal data in order to offer advertised positions and to carry out the selection process. Providing your personal data as part of the application process is voluntary. However, the provision of personal data is necessary for the processing of your application or the conclusion of an employment contract with us.

If we obtain information from your public profile on professional social networks, we base the processing on our legitimate interest in forming a decision-making basis for establishing an employment relationship with you. The legal basis is § 6 (1) f) GDPR in conjunction with § 9 (2) e) GDPR.

If we invite you to participate in a survey about your satisfaction with the application process with us, the relevant legal basis is your consent pursuant to Section 26 BDSG in conjunction with § 7 GDPR.

Furthermore, we may process personal data about you insofar as this is necessary to defend asserted legal claims against us arising from the application process. The legal basis for this is § 6 (1) b) and f) GDPR. The legitimate interest is, for example, a duty to provide evidence in proceedings under the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG).

5. recipients of the data

We may transfer your personal data to companies affiliated with us, insofar as this is permissible within the framework of the purposes and legal bases set out above. For data processing in our online application for job applications, we have jointly determined the purposes and means of data processing. Therefore, the companies are jointly responsible for the processing of personal data. You can also request the deletion of your profile, as described in the section „retention period“”.

Furthermore, personal data may be processed on our behalf on the basis of contracts pursuant to § 28 GDPR, this in particular by providers of systems for applicant management and applicant selection procedures. There is no transfer of personal data to third parties if it is not related to the applicant management and applicant selection process or in addition to the purposes described in the section „type and purposes of the processing of personal data“.

Transfers may involve the transfer of personal data to recipients outside the European Union / European Economic Area. Standard contractual clauses have been concluded with these external service providers, unless they are based in countries with an adequacy decision pursuant to Art 45 GDPR.

For more information, see see “international dimension of data protection”.

We reserve the right, in the event of a legal obligation, to disclose information about you if the disclosure is required of us by lawful authorities or law enforcement bodies. The legal basis is § 6 (1) c) GDPR.

6. your rights

6.1 right to information

You have the right to information about the personal data stored about you in our company. To do so, please contact the responsible person named above.

6.2 right to correction or erasure

You can correct your personal data by sending an e-mail to e-mail@cetl.lu. You can also request the deletion of your data under certain conditions.

6.3 right to restriction of processing

Under certain conditions, you can request the restriction of the processing of your data, e.g. if the accuracy of your data is disputed and should be verified by us.

6.4 right to data portability

Under certain conditions, we will provide you with the data in a structured, common and machine-readable format.

6.5 right to object to processing

You may object to the processing of your data on the basis of our legitimate interests. Further information can be found in the section „objection or revocation of your consent to the processing of your data“.

In addition, you have the right to lodge a complaint with a supervisory authority at any time.

7. retention period

We store your personal data for a period of 6 months. This is necessary for the obligation to provide evidence in proceedings under the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG). Furthermore, we store your data for this duration in case of an alternative job advertisement for which you are a suitable person. You can request the deletion of your application profile or the withdrawal of your application by contacting us at e-mail@cetl.lu.

If your application is successful, we will retain your personal data throughout the duration of your employment in accordance with the Employee Privacy Policy, which we will provide to you upon acceptance of employment.

8. admission to the applicant pool

If we do not make you a job offer, you may be able to join our applicant pool. In case of admission, all documents and information from the application will be transferred to the applicant pool in order to contact you in case of suitable vacancies.

Admission to the applicant pool is based exclusively on your express agreement (Art. 6(1)(a) GDPR). The submission agreement is voluntary and has no relation to the ongoing application procedure. The affected person can revoke his agreement at any time. In this case, the data from the applicant pool will be irrevocably deleted, provided there are no legal reasons for storage.

The data from the applicant pool will be irrevocably deleted no later than two years after consent has been granted.

If you have given your consent (§ 6 (1) a GDPR) to the processing of your data (e.g. if you participate in a survey about your satisfaction with the application process), you may revoke this consent at any time. Such revocation will affect the permissibility of the processing of your personal data after you have expressed it to us.

Insofar as we base the processing of your personal data on the balance of interests (§ 6 (1) f GDPR), you may object to the processing. This is the case if the processing is in particular not necessary for the performance of a contract with you, which is described by us in the chapter „type and purposes of the processing of personal data“. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the merits of the case and either discontinue or adapt the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing.

C. privacy policy active use of the website - verification and confirmation of identity

In addition to the purely informational use of our website, you can also actively use our website to make use of products such as identity verification with artificial intelligence and biometrics without the involvement of a human employee. In addition to processing your personal data for purely informational use, we will then also process other personal data from you that we need to provide the relevant service.

We provide due diligence services to companies (our clients) who are under certain legal obligations or choose to verify the identity of their clients. Our clients may ask their customers (the end users) to use our services to provide their identity documents to our customers.

The processing of your data in connection with the verification and confirmation of identity is carried out on behalf of the relevant company, such as a bank or a management company (managing investment funds), at whose request the verification is carried out.

When we process end client data, we do so in accordance with our client’s instructions. We are the data processor. If you are the end client, our client is the data controller of your information. Our client determines why, what and how your data is collected, used, disclosed and retained and the legal basis on which it is processed.

The processing of your data in connection with the verification and confirmation of identity is carried out using technology provided by ID-Pal Limited, a company incorporated under the laws of Ireland with company registration number 578727 and registered office at 145 Pearse Street, Dublin, 2, D02 CP08, Ireland (“ID-Pal”).

We process your data for the sole purpose of verifying your identity and confirming it to our customer.

To this end, we process on behalf of our respective client the data you provide to us in the course of your use of the respective service and, where applicable, data provided to us by our respective client for the purpose of matching the data you have provided to us.

All information is collected in a fair manner. The information we collect is appropriate, relevant and not excessive in relation to the purposes for which it is requested.

For end users, this purpose is determined by our client, the data controller.

The extent to which this data is processed and also the legal basis for this processing depends on the intended or already existing contractual relationship between you and our respective customer as well as the legal requirements which demand proof of identity in individual cases. Depending on the legal basis for proof of identity, proof of the existence of a valid, official identification document (e.g. identity card or passport) may also be required. The following data will be processed:

Information you provide to us or our respective client, such as:

  • Photo and video images of you if you provide us with a “selfie” photo or video clip;
  • images of your identity card or passport;
  • biometric data if we compare your “selfie” photo with your photo ID;
  • details from your passport, such as first name, last name, gender, date of birth, nationality, passport number and machine readable zone information;
  • details from your national identity card or passport, such as your first name, surname, address, date of birth;
  • details from your proof of address documents, such as your first name, last name, address and account number, if available from the documents;
  • additional information you provide to us at the request of our customers, such as confirmation of your first name, last name, gender, address, date of birth, email address, mobile phone number, national identification number, marital status and;
  • the details of your device or the device you use to submit the data, such as manufacturer, model and operating system version. This information cannot be used to identify you as an individual.

For identification purposes, you create a portrait photo of yourself. The data transmitted by our respective customer, the identification data and the portrait photo are the subject of the fully automatic check. The fully automatic identification process can vary depending on the model. Either your data is compared with your identity document or an additional check is carried out to determine whether it is a valid identity document; if necessary, a biometric comparison of the portrait photo with the photo on your identity document is also carried out. Under certain circumstances, it may be necessary for you to consent to the processing of your biometric data for identification purposes on the basis of Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR.

We only use the information you provide to us to carry out identification and other checks on behalf of our customers who have commissioned us to do so.

Our product performs identification and verification checks using automated technical means. The results of these checks are used to verify your identity, which in turn may contribute to our client’s overall decision.

If you are an End Customer, we will report the results of our identity and verification checks about you to our relevant client.

Where we have established and verified your identity, we will provide the information we have collected to our relevant client. If applicable, you will receive a message about the result of the identification, depending on the design of the identification method. Our respective customer will process the transmitted data to fulfil its obligations under money laundering law or other identification obligations, as well as its rights and obligations arising from the contractual relationship between our respective customer and you.

In each case, your personal data will be processed on one or more of the following legal bases:

  • in the context of the respective contractual relationship with our respective customer, Art. 28 GDPR;
  • for the fulfilment of a contract, Art. 6 para. 1 lit. b GDPR;
  • to fulfil a legal obligation to which our respective customer is subject pursuant to Art. 6 para. 1 lit. c GDPR.

We may also need to disclose information to third parties to comply with applicable laws, regulations or lawful requests from law enforcement authorities. If we believe that we have received false or misleading information, or if we suspect criminal activity, we are required to record and report this to law enforcement authorities, which may be located either in Germany or outside Germany.

Except in the cases mentioned above, we will not share your personal data.

Personal data may be transferred to third parties who are our processors / sub-processors (ID-Pal) as part of our business model as described in the sections before. This may include the transfer of data to other countries for processing at a destination outside the European Economic Area (“EEA”). Such transfers will only take place on the basis of an adequacy decision by the European Commission as provided for in Article 45 of the GDPR or on the basis of approved safeguards as provided for in Article 46 of the GDPR.

All information, including personal data, is encrypted at rest and in transit. ID-Pal uses AWS in Europe for storage, application and database servers are protected by firewalls. Personal data is logically segmented to the extent that ID-Pal cannot access the personal data stored. Only respective authenticated customers of ID-Pal, us, have access to this information. We may provide ID-Pal with your personal data for the purpose of troubleshooting or technical support.

Although these measures are taken to ensure the security of your information, you should be aware of the many information security risks and take reasonable steps to protect your information. It is the nature of the Internet that we cannot guarantee the security of any information you transmit to us electronically, and any transmission is at your own risk.

We will retain your personal data for as long as we are instructed to do so by our data controller client, but no longer than 60 days.