PRIVACY POLICY

Name and contact details of the responsible party

The following entity is responsible for this website pursuant to Art. 4 No. 7 of the General Data Protection Regulation (hereinafter referred to as: “responsible party” or “we”):

SAP Fioneer GmbH
Dietmar-Hopp-Allee 14
69190 Walldorf
Germany

STATUTORY AUTHORIZATION TO REPRESENT:
Patrick Schmid, Tim Tomann, Dirk Kruse

Contact:
E-MAIL: CONTACT@SAPFIONEER.COM

Data processing by means of communication

a) Scope of processing
You can reach the data controller with your requests by mail, e-mail, contact form (if applicable), telephone or via social networks. Simple requests that do not require your identification can be made anonymously. Insofar as your identification is necessary, e.g. in order to answer you or call you back, the controller collects your contact data.
If you write a message via the contact form of the responsible person, he collects the personal data you entered (first name, last name, e-mail address, message content). In addition, he collects your IP address and log files about the date and time of sending the message.

b) Purpose of processing
Your personal data is processed in order to identify you, to assign your message to an existing contract, a job advertisement, a job application process or any other business relationship, if applicable, to store it, to answer it or to forward it, if applicable.

c) Legal basis of the processing
If you have given the data controller consent on the occasion of correspondence with you, e.g. within the framework of the contact form, the data controller may process your data within the framework of your consent pursuant to Art. 6 (1) p. 1 lit a DSGVO.
In individual cases, the processing of your data may be necessary for the performance of a contract to which you are a party or for the implementation of pre-contractual measures that are carried out at your request, Art. 6 (1) p. 1 lit. b DSGVO.
The processing of personal data may also be based on the legitimate interests of the controller pursuant to Art. 6 (1) p. 1 lit. f DSGVO.

d) Legitimate interests
The controller has a legitimate economic interest in being reachable via its contact forms and (electronic) means of communication in order to process and respond to your inquiries, including those expressing interest in its products. In addition, he has a legitimate interest in processing your data insofar as you are, for example, a director, employee, job applicant, customer, potential customer or other representative of a contractual partner of the responsible party. The data controller also collects information in order to review your job application. He also processes your data for the purpose of contract performance, assertion or defense of claims.

e) Recipients or categories of recipients
As a rule, your personal data will be processed by the data controller. The latter will only pass on your personal data, which it has received via electronic means of communication, to external recipients to the extent that this is necessary in individual cases in order to process your request.

f) Transfer to third countries
The responsible party will not transfer your personal data abroad unless you agree to this.

g) Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected and are no longer subject to retention obligations under contract law, commercial law or tax law. Application documents are kept for at least two months after receipt of the rejection (§ 15 para. 4 AGG). Invoice documents are kept for 10 years, commercial letters for 6 years.

h) Possibility of objection and removal
As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f DSGVO (Article 21 (1) DSGVO).
Insofar as the controller bases the processing of your data on your consent or on a contract, you do not have the right to object.

i) Obligation to provide
Your personal data such as title, first name, last name, e-mail address are required to transmit the request via the contact form to the controller. Otherwise, the provision of your personal data is voluntary. In the event that you do not provide your personal data, the person responsible may not be able to process or respond to your inquiries, requests or wishes. However, if you do not provide the person responsible with your e-mail address in the contact form or provide it incorrectly, he will not be able to answer you.

j) Cookies, Pixel and similar technologies

Cookies are small text files, and pixels are small graphic files, that are stored on your computer (together hereinafter “Cookies”). Cookies make it possible to identify you as a specific customer and to store both your personal preferences when using our website and technical information. The main benefit for you is that you do not have to enter specific information stored in the Cookies every time you visit our website. Cookies do not necessarily reveal personal information. If, however, you enter personal information on our website, this may be associated with the data stored in the Cookies.

You can deactivate or block the storage of Cookies in your browser generally or only for our site. To find out how, please see the help function of your browser. Please note that blocking Cookies may impair the user-friendliness of our website.

k) Google Analytics

On our website we use Google Analytics, a web analysis service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, “Google”). Google Analytics enables the generation of statistics to help us understand website traffic and its sources. We use Google Analytics solely for statistical purposes, such as to track how many users have clicked on a particular item or information. As a company based in Germany, our legal basis is Art. 6 (1) f) DSGVO in conjunction with § 15 para. 3 German Federal Telemedia Act (TMG). The retention period of the cookie is 2 years. Google Analytics is based on cookies and records information about your use of our website including your IP address. To prevent users being identified by their IP addresses, we use a special code to ensure that your IP address is recorded solely in truncated and therefore anonymized form. It is no longer possible to identify individual users with this truncated IP address. Further information on data protection when using Google Analytics can be found under the following link: https://support.google.com/analytics/answer/2700409?hl=en&ref_topic=2611283. You can prevent the collection of data through the Google Analytics cookie by installing the plug-in available at the following link: https://tools.google.com/dlpage/gaoptout.

General information on Google’s processing: The information recorded by Google is transmitted to Google based in the United States. Google has self-certified its adherence to the EU-US Privacy Shield, https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. Please click here for further information on data protection at Google: https://policies.google.com/privacy?hl=en.

You can change your settings by going to the Google Marketing Platform’s deactivation page or the deactivation page of the NAI (Network Advertising Initiative) http://www.networkadvertising.org. Alternatively, you can deactivate Google Cookies on the Digital Advertising Alliance website using the following link. You can also block the storing of Cookies by changing the settings in your browser.

l) Google Analytics Audience

We use Google Analytics Audiences, a service provided by Google. Google Analytics Audience uses cookies that are stored on your computer and other mobile devices (e.g. smartphones, tablets, etc.) to help analyze how users use these devices. As a company based in Germany, our legal basis is Art. 6 (1) f) DSGVO in conjunction with § 15 para. 3 TMG. The retention period for the cookie is 2 years. Google gains access to the cookies created by Google AdWords and Google Analytics. In the course of use, data, such as the IP address and user activities, is transmitted to a server of Google. You can prevent Google from collecting the data as described under the “General information on Google’s processing” section above.

For further information on data protection when using Google Analytics and how to install the browser plugin to prevent Google Analytics from tracking your activities please see the “Google Analytics” section (k) above.

Data processing by log files

a) Scope of processing
Each time the website of the responsible party is called up, its system automatically collects data and information from the computer system with which you as a user call up the website of the responsible party. This data is stored and processed on the server of the responsible party in so-called log files. The following personal data is collected:
Log files store, among other things, the IP address, the browser used, time and date and the system used by a site visitor. Only anonymized IP addresses of website visitors are stored by the responsible party. At the web server level, this is done by storing an IP address 123.123.123.XXX in the log file by default instead of the actual IP address of the visitor, e.g. 123.123.123, where XXX is a random value between 1 and 254. It is no longer possible to establish a personal reference.

b) Purpose of the processing
The IP address is a string of numbers that uniquely assigns your computer system for the time of calling up the above-mentioned website. The IP address is used to receive and send data packets and enables a user to retrieve a website. The temporary storage of the IP address on the server of the responsible party is necessary in order to transmit the page content to the user’s computer system after calling up this website, so that the user can perceive the content.
The storage in log files takes place in order to ensure the functionality of the website and to be able to detect any transmission errors that may occur. In addition, this data is used by the responsible party to optimize the website and to ensure the security of its information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

c) Legal basis of the processing
The processing is carried out on the basis of the legitimate interests of the responsible party according to Art. 6 para. 1 p. 1 lit. f DSGVO.

d) Legitimate interests
The controller has a legitimate interest in processing the above personal data for the above purposes in order to ensure that its product and service information is available online.

e) Recipients or categories of recipients
Your personal data will be disclosed to the data processing department of the controller and to its contractors contracted to host and provide IT resources for the operation of the website.

f) Third country transfer
The Controller does not intend to transfer your personal data abroad.

g) Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. The user’s IP address must remain stored for the duration of the session in order to enable the use of the website.
In the event that your data is stored in the log file, the data collected therein will be stored indefinitely.

h) Possibility of objection and elimination
As a user, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f DSGVO (Article 21 (1) DSGVO). In this case, the controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a user, or the processing serves the purpose of asserting, exercising or defending legal claims.
The processing of personal data to provide the website and to create the log file is absolutely necessary for the operation of the website. Therefore, the user cannot object to this type of processing.

i) Obligation to provide
The processing of log files is necessary to properly display the website. In the event that you do not provide an IP address, page retrieval is excluded for technical reasons.

Data processing for job advertisements and applicants

a) Scope of processing
We receive applications via our career website, by e-mail or by mail. In the context of application procedures, we process the personal data that identifies you. These are mainly name (first name as well as last name), e-mail address, telephone number(s), LinkedIn profile if applicable, and information about the channel through which you became aware of us. In addition, we store information on when you would be available for the vacant position, salary expectations and the data you provide us with, which includes your application documents, including date of birth, information on your professional and, if applicable, private career (references, letters of reference, portrait photos, information on marital status or private life situation).

b) Purposes and legal basis of processing
We process the above-mentioned personal data in order to identify you, to check your application, to contact you or to hire you as an employee, if applicable. This data processing is necessary to enter into an employment contract with you pursuant to Art. 6 para. 1 p. 1 lit. b DSGVO. By sending us your documents, you also implicitly give us your consent to process your data for these purposes. This data processing is based on your consent, Art. 6 para. 1 p. 1 lit. a DSGVO.
In the event that you are not (no longer) considered for the vacant position, you can give us your consent to store your personal data in our database (“Talent Pool”) until you revoke it, so that we can consider you for subsequent application procedures on the basis of your application documents and contact you as a potential applicant (Art. 6 (1) p. 1 lit. a DSGVO). This consent is voluntary and can be revoked at any time by e-mail. Your application documents will also be stored until it has been ensured that the deletion does not conflict with any legal claims. This data processing is based on the exercise of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO. We have a legitimate interest in transferring your documents to our professional secrecy holders for the purpose of examining the legal situation in order to defend or assert claims. Furthermore, we retain your documents, insofar as this is necessary, for as long as we are subject to retention obligations in the respective individual case, Art. 6 (1) p. 1 lit. c DSGVO. You can find more information under Duration of storage.

c) Recipients or categories of recipients
Only authorized employees from our HR department or, e.g. in the case of interviews, the employees involved in the application process have access to your personal data. Our employees involved in HR issues have undertaken in writing to maintain data secrecy and have been informed of the legal consequences of violations. In the event that the examination of the legal situation, defense or assertion of (labor) legal claims should be necessary, our attorneys as professional secrecy holders will have access to your data and will process it accordingly.

d) Duration of storage
Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied. Your data will be stored for a period of 180 days beyond the end of the application process. As a rule, this is done to fulfill legal obligations or to defend against any claims arising from legal regulations. Subsequently, we are obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct reference to individuals for statistical evaluations (for example, proportion of women or men in applications, number of applications per period, etc.).
If we unfortunately had to decide against hiring you, your personal data will be restricted (Art. 18 DSGVO). In the restricted form, your data will be stored for a period of 6 months from receipt of the rejection.
If you receive an offer of employment with us as part of the application process and accept it, we will store the personal data collected as part of the application process for the duration of the employment relationship and beyond that for as long as required by statutory retention obligations. You will receive more information on data processing as an employee as an attachment to your employment contract.

e) Provision of your data
The provision of your data may be necessary for the conclusion of a contract. If you decide to join our Talent Pool, the provision of your data is voluntary. However, we may not be able to identify you in the Talent Pool if your data is not provided for this purpose or not provided in full.

Definitions and data subject rights

  1. Why is this information available?
    According to Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR), the legislator obliges the controller to inform users about the processing of their personal data.

    The following discloses the extent to which the controller processes the user’s personal data and the rights to which the user is entitled.

    In principle, no personal data of users will be processed, unless the processing is permitted by law (“legal grounds”). Consent given to the Controller by the User voluntarily and after prior information may also constitute a Legal Basis for the processing of the User’s personal data.
  2. What is personal data and who is affected?
    “Personal data” are, according to Art. 4 No. 1 DSGVO, any information relating to an identified or identifiable natural person (hereinafter “user”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    There are many circumstances in which the responsibility for processing such personal data lies with the controller, which makes the data subject a user. Users include, for example, users of the Controller’s websites, senders and recipients of letters, e-mails or other communications from the Controller, as well as callers and called parties, clients or other persons interested in legal advice, contractors, employees, customers, suppliers or cooperation partners of the Controller.
  3. What are the legal bases?
    Insofar as the controller has obtained consent from the user for the processing operations of personal data, Art. 6 (1) p. 1 lit. a DSGVO serves as the legal basis.

    When processing personal data that is necessary for the performance of a contract to which the user is a party, Art. 6 (1) p. 1 lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures at the request of the user. Insofar as processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, Art. 6 (1) p. 1 lit. c DSGVO serves as the legal basis. In the event that vital interests of the user or another natural person make processing of personal data necessary, Art. 6 (1) p. 1 lit. d DSGVO serves as the legal basis. If the processing is necessary to protect a legitimate interest of the controller or a third party and the interests, fundamental rights and freedoms of the user do not override the first-mentioned interest, Art. 6 (1) p. 1 lit. f DSGVO serves as the legal basis for the processing.

    In this data protection information, the user is informed for which purposes and on the basis of which legal basis his personal data are processed.
  4. How long will personal data be stored or when will it be deleted?
    The user’s personal data will be deleted or blocked as soon as the purpose for storing it no longer applies. Storage may take place beyond this if this is stipulated by the European or national legislator in Union regulations, laws or other regulations according to which the responsible party is obliged to store the personal data. Blocking or deletion of the data will also take place if a storage period prescribed by the aforementioned standards expires; unless further storage of the data is necessary for the conclusion or fulfillment of a contract.
  5. What technical and organizational measures are used?
    Ensuring data security is a particularly important concern for the controller. It therefore uses appropriate technical and organizational measures, in particular to protect the user’s personal data from risks during data transmissions and to protect against third parties gaining knowledge. The data security measures are reviewed and adapted in accordance with the current state of the art. The processing of personal data via the website of the responsible party is HTTPS-encrypted.
  6. What rights do I have as a user?
    6.1 Right to withdraw consent: The user has the right, in accordance with Art. 7 (3) DSGVO, to revoke his consent, once given, at any time vis-à-vis the controller. This has the consequence that the data processing, which was based on this consent, may no longer be continued for the future.

    6.2 Right to information: In accordance with Art. 15 DSGVO, the user has the right to request information about his personal data processed by the controller. In particular, he may request information about the processing purposes, the category of personal data, the categories of recipients to whom his data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of his data if it has not been collected by the controller, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.

    6.3 Right to rectification: In accordance with Art. 16 DSGVO, the user has the right to demand the immediate correction of incorrect personal data, or the completion of incomplete personal data, stored by the responsible party.

    6.4 Right to erasure and to be forgotten: The User has the right to request, pursuant to Art. 17 DSGVO, the erasure of his personal data stored by the Controller, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.

    6.5 Right to restriction: In accordance with Art. 18 DSGVO, the user has the right to demand the restriction of the processing of his personal data, insofar as the accuracy of the data is disputed by him, the processing is unlawful, but the user objects to its erasure and the controller no longer requires the data, but the user needs it for the assertion, exercise or defense of legal claims or the user has objected to the processing in accordance with Art. 21 DSGVO.

    6.6 Right to data portability: Pursuant to Art. 20 DSGVO, the user has the right to receive his or her personal data that he or she has provided to the controller in a structured, common and machine-readable format or to request that it be transferred to another controller.

    6.7 Right to complain: The User may complain to a supervisory authority in accordance with Art. 77 DSGVO. As a rule, he can contact the supervisory authority of his usual place of residence or workplace or the headquarters of the controller for this purpose.

    6.8 Right to object: If the User’s personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO, the User has the right to object to the processing of his personal data pursuant to Art. 21 DSGVO, provided that there are grounds for doing so that arise from the User’s particular situation.

    To exercise the right of objection, it is sufficient to send an e-mail to the data controller.