Additional Data Protection Statement for Employees
- 1. Categories of personal data processed
We regularly process the following personal data: name, name affixes, (private) address, contact data (phone, mobile phone number, e-mail address), date and place of birth, age, gender, nationality, marital status, number of children, tax data, bank details, staff number, contractual data (e.g. salary information, working hours, allowances, lump-sum payments, years of experience, start and termination of employment dates), pension fund and tax identification numbers, time sheet data (including holidays, sick leave), driving licence data, social security data, navigation data, salary statement data, information about payments to savings schemes, education and qualification data, information about the guardians of employees who are minors, travelling expense claim data, travel logs, staff planning and management data, access control data, inventory information, data about phased return to work schemes, data about participation in events, information about authorisations and competencies, possibly images and the protocol data for the use of the IT systems. In some cases, special categories of personal data such as medical data may also be processed.
As an employee, you must provide the personal data that are required to justify, implement and terminate the employee relationship and to meet the associated contractual obligations or that we are legally obliged to collect. Without these data we will usually not be able to provide you with an employment contract.
1.2. Sources of personal data
We receive your personal data directly from you (e.g. during the recruitment process or during the employment period). In some cases your personal data will also be obtained from other sources, based on statutory requirements. This particularly includes event-related enquiries of tax-related information from the relevant tax office, as well as information about sick leave periods from the relevant medical insurance fund. We may also have received data from third parties (e.g. job centres). We also process personal data that we have legitimately obtained from publicly accessible sources (e.g. professional networks).
1.3. The purposes for which we process personal data and the legal basis for their processing
Based on your consent in accordance with Article 6, Paragraph 1 (a) of the GDPR, Article 7 of the GDPR in conjunction with Section 26 Paragraph 2 of the amended Federal Data Protection Act, we process your data for the purposes of external representation of the company (e.g. images on corporate websites), in internal, IT-supported communication systems (e.g. portrait images as avatars on internal communication platforms or e-mail clients).
To meet our contractual obligations in accordance with Article 6, Paragraph 1 (b) of the GDPR in conjunction with Section 26 Paragraph 1 of the amended Federal Data Protection Act, we process your data for the purposes of justifying, implementing and terminating the employment contract concluded with you, especially to record time worked, for time management and to work out your salary and travel expenses (including calculating and deducting social security contributions). In addition, collective bargaining agreements (group, general and local company agreements as well as collective agreements) in accordance with Article 88 Paragraph 1 of the GDPR in conjunction with Section 26 Paragraph 4 of the amended Federal Data Protection Act may be used as authorisation regulations in terms of data privacy laws.
Based on legal provisions in accordance with Article 6, Paragraph 1 (c) of the GDPR, we process your data to fulfil various legal obligations, especially the obligation to compile commercial and tax evidence in accordance with Section 257 of the Commercial Code (HGB), Section 147 of the Fiscal Code (AO) and Section 41 Paragraph 1 of the Income Tax Act (EStG), to process income tax data according to Section 39b of the Income Tax Act, to run working hour accounts according to Section 7d Paragraph 1 Sentence 1 of the Fifth Book of the Social Code Ordinance (SGB V), and to document overtime in accordance with Section 16 Paragraph 2 of the Working Hours Act (ArbZG) and occupational health and safety in accordance with Section 11 of the Occupational Safety Act (ArbSchG), to keep records in accordance with Section 17 of the Minimum Wage Act (MiLoG), to assess hazards according to Section 5 of the Occupational Safety Act and to document residence permits according to Section 18 of the Residence Permit Act (AufenthG).
Moreover, we may be obliged on the basis of the European Anti-Terrorism Directives 2580/2001 and 881/2002 to compare your data to the so-called "EU Terrorist Lists" to ensure that no money or other economic resources are being provided for the purposes of terrorism.
To weigh up interests to maintain the legitimate interests of the controller or a third party according to Article 6 Paragraph 1 (f) of the GDPR, we process your data for the purposes of staff planning, staff management, staff development, staff guidance and maintaining staff data, for internal communication, e.g. for the provision of address books, the organisation and implementation of internal company events and mandatory training, the provision and use of IT systems and IT-supported communication systems (telephone, e-mail, chats, video conferences), scheduling, taking stock of the IT systems and software provided, the maintenance of the legitimate interests of third parties (e.g. public authorities), the prevention and investigation of criminal offences in accordance with Section 26 Paragraph 1 Page 2 of the amended Federal Data Protection Act, guaranteeing IT security (including access and version control) and maintaining IT operations.
Additional information about special categories of personal data:
Where special categories of personal data are processed in accordance with Article 9 Paragraph 1 of the GDPR, this is done as part of the employment contract to exercise rights or to fulfil legal obligations arising from labour laws, social security laws and social protection laws (e.g. providing medical data to the medical insurance fund, recording severe disabilities for the purpose of calculating additional leave and determining the levy to be paid in compensation for a lack of workers with severe disabilities). This takes place on the basis of Article 9 Paragraph 2 (b) of the GDPR in conjunction with Section 26 Paragraph 3 of the amended Federal Data Protection Act. Moreover, it may be necessary to process medical data in order to evaluate your ability to work in accordance with Article 9 Paragraph 2 (h) in conjunction with Section 22 Paragraph 1 (b) of the amended Federal Data Protection Act.
In addition, the processing of special categories of personal data may be based on consent according to Article 9 Paragraph 2 (a) of the GDPR in conjunction with Section 26 Paragraph 2 of the amended Federal Data Protection Act (e.g. company health management).
If we should want to process your personal data for a purpose not mentioned above, we will inform you in advance.
1.4. Data recipients
Data recipients within our company are employees, departments, the workers' council or disability officer, who may require such data for processing for the aforementioned purposes. Within the VILA VITA Group, your data will be transmitted to certain companies where these companies undertake central data-processing tasks (e.g. salary statements, managing and processing the company old age pension, disposal of documents). In addition, the processors we use according to Article 28 of the GDPR and other service providers may receive data.
In certain cases we also provide data to public authorities and institutions (e.g. supervisory authorities, tax authorities, financial authorities, social insurance companies, registration offices) as well as to creditors, their representatives and third-party creditors in the event of wage and salary distraint, insolvency administrators in the event of individual insolvency, centres responsible for benefit payments and centres dealing with claims against the company's pension fund. These data will only be forwarded if this is permitted or required by statutory regulations, if you consent to this transmission or if, for other reasons, we are authorised to transmit such data.
1.5. Period for which personal data are stored
Personal data will only be stored for as long as necessary to fulfil the relevant purpose or to fulfil our contractual or legal obligations. We are subject to various storage and documentation obligations. These are based on the Commercial Code (HGB), the Tax Ordinance (AO), the Money-Laundering Act (GwG) and the Income Tax Act (EStG). The storage periods may be up to ten years. It may also happen that personal data are stored for the period in which claims can be filed against us (a statutory limit of between three and thirty years).
1.6. Transfer of data to third countries
Processing of personal data outside the European Economic Area (EEA) will only take place where a third country has been confirmed by the European Commission as having appropriate data privacy laws according to Article 44 et seqq. of the GDPR or other appropriate guarantees regarding the protection of personal data.
1.7. Your rights
You have the right to:
□ access in accordance with Article 15 of the GDPR
□ rectification in accordance with Article 16 of the GDPR
□ erasure in accordance with Article 17 of the GDPR
□ restriction of processing in accordance with Article 18 of the GDPR and
□ data portability in accordance with Article 20 of the GDPR
The restrictions of Sections 34 and 35 of the GDPR apply to the rights to access and erasure. In addition, in accordance with Section 77 of the GDPR you have the right to submit a complaint to a data privacy supervisory authority, in accordance with Section 19 of the Federal Data Protection Act.
Any consent you grant us with regard to processing personal data may be withdrawn by you at any time with effect for the future.
1.8. Automated individual decisions
In some areas we make use of automated decision-making procedures. However, there will be no fully automated decision-making in individual cases. If this should be the case in future, we will inform you separately.
Information about the right to object pursuant to Article 21 of the EU General Data Privacy Regulations (GDPR):
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6 Paragraph 1 (e) of the GDPR (data processing in the public interest) and Article 6 Paragraph 1 (f) of the GDPR (data processing based on the balance of interests); this also applies to profiling based on this regulation in accordance with Article 4 No. 4 of the General Data Protection Regulations.
In the event of an objection, we will no longer process your personal data, unless we demonstrate compelling legitimate grounds that outweigh your interests, rights and freedoms, or if such processing serves the purposes of establishing, exercising or defending legal claims. Your objection may be sent in any form to the address provided in 1.