Status: 15 December 2022
GreenGate Partners Rechtsanwaltsgesellschaft mbH & Co. KG
Tel.: +49-(0)30 5093235-0
(“GreenGate” or “we”)
as a controller within the meaning of the General Data Protection Regulation (“GDPR”) carries out processing of personal data. Section 1 contains “General Information” regarding the processing of personal data. In the following sections, we describe individual processing situations, namely in Section 2 the “Visiting the Website and the GreenGate LinkedIn Page”, in Section 3 the “Establishment and Performance of Mandate Relationships”, and in Section 4 the “Application to GreenGate”.
SECTION 1 – GENERAL INFORMATION
The protection of personal data entrusted to us has a particularly high priority for us. We measure every processing of personal data against the principles of Art. 5 of the GDPR and use appropriate technical and organizational measures to ensure that personal data is always
- processed lawfully, fairly and in a manner comprehensible to the data subject (“lawfulness, fairness, transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- accurate and, where necessary, kept up to date (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
If we want to process personal data for purposes other than those for which they were originally collected, we observe the requirements of Art. 6 (4) of the GDPR. In particular, such a change of purpose will usually not take place without informing you again. This applies in particular if we decide to use data provided to us for direct marketing purposes.
Name and address of the data protection officer
You can reach our data protection officer
- by mail to the address of GreenGate, for the attention of the data protection officer
- by phone +49-(0)89 2778253-0
- by e-mail to firstname.lastname@example.org
- you have given your express consent in accordance with Art. 6 (1) lit. a, if applicable Art. 9 (2) lit. a of the GDPR in conjunction with § 26 (2) of the BDSG,
- the disclosure is necessary pursuant to Art. 6 (1) lit. f of the GDPR for the assertion, exercise or defense of legal claims or due to other legitimate interests of GreenGate and/or third parties and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
- in the event that a legal obligation exists for the disclosure pursuant to Art. 6 (1) lit. c of the GDPR, or Art. 9 (2) lit. b of the GDPR, as the case may be, as well as
- this is necessary according to Art. 6 (1) lit. b of the GDPR, possibly also § 26 (1) Sentence 1 BDSG for the establishment and implementation of a contractual relationship, possibly also an employment relationship with you.
We use the help of service providers for individual activities (e.g. IT support, hosting of our mail servers, etc.). These are obligated by means of corresponding agreements in accordance with Art. 28 of the GDPR as processors to strictly maintain confidentiality as well as to exclusively process data according to instructions.
The attorney-client privilege remains unaffected. Insofar as data are subject to attorney-client privilege, they will only be disclosed to third parties that are carefully selected service providers whom we have specifically obligated to maintain secrecy in accordance with § 43e BRAO and who have been informed of the criminal liability of a breach of attorney-client privilege.
Transfers to third countries
Transfers of your personal data to third countries outside the EU or the European Economic Area (“EEA”) are generally not intended. However, it may happen that we use service providers who process data outside the EU / EEA. Unless the EU Commission has issued an adequacy decision within the meaning of Art. 45 of the GDPR for the country of residence of a recipient of your personal data, we will ensure in these cases that an adequate level of data protection is established at the recipient before the transfer of your personal data. This means that a level of data protection comparable to the standards applicable under the GDPR is achieved via EU Standard Data Protection Clauses (including additional security measures, if applicable).
Your rights as a data subject
As a data subject, you have the right:
- in accordance with Art. 15 (1) of the GDPR to request information about whether personal data relating to you is being processed by us;
- pursuant to Art. 15 (1) of the GDPR to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category or categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- pursuant to Art. 15 (3) of the GDPR to request a copy of the data we have processed about you;
- in accordance with Art. 16 of the GDPR to immediately demand the correction of incorrect or completion of your personal data stored by us.
- to request the deletion of your personal data stored by us in accordance with Art. 17 of the GDPR;
- to request the restriction of the processing of your personal data in accordance with Art. 18 of the GDPR;
- pursuant to Art. 20 of the GDPR to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller.
If you wish to exercise your rights as a data subject, simply send an e-mail to email@example.com.
Revocability of consents
In accordance with Art. 7 (3) of the GDPR, you may withdraw your consent at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future.
If you wish to exercise your right of withdrawal, simply send an e-mail to firstname.lastname@example.org.
Your right of objection
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) lit. f of the GDPR, you may object to the processing of your personal data pursuant to Art. 21 of the GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right of objection, which will be implemented by us without specifying a particular situation.
If you wish to exercise your right to object, simply send an e-mail to email@example.com.
Right of appeal
You have a general right of appeal to a competent data protection supervisory authority. As a rule, you can contact the data protection supervisory authority responsible for your place of residence to exercise this right of complaint.
If we introduce new data processing procedures that require your prior consent or in respect of which you have a right of objection, we will ask you for your consent prior to commencing data processing or inform you separately of the right of objection to which you are entitled.
SECTION 2 – VISITING THE WEBSITE AND THE GreenGate LinkedIn PAGE
Our website collects a series of general information each time it is accessed by a data subject or an automated system. This general information is stored in the log files of our web server. The browsers and versions used, the operating system used by the accessing system, the website from which an accessing system accesses our website, the sub-websites that are accessed on our website, the date and time of access to our website, an Internet protocol address (IP address), the Internet service provider of the accessing system and other similar information that can be used to prevent attacks on our systems are recorded.
When using this general information, we generally do not draw any conclusions about a specific person. Rather, this information is needed to deliver the content of our website correctly and to provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.
The legal basis for data processing is Art. 6 (1) lit. f of the GDPR. Our legitimate interest follows from the purposes for data collection listed above. The aforementioned log files are regularly deleted after one week and only in the event of a cyberattack, if necessary, are kept longer until the incident is clarified.
Contacting us by e-mail or phone
When you contact us by e-mail or telephone, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions and process your requests. A communication of further information – in particular the content of the communicated request – is made in the case of general inquiries expressly on a voluntary basis and with your consent, Art. 6 (1) lit. a of the GDPR or in the case of (pre-
)contractual inquiries on the basis of Art. 6 (1) lit. b of the GDPR.
Insofar as this involves information on communication channels (e.g. e-mail address, telephone number), you also consent to us contacting you via this communication channel, if necessary, in order to respond to your request.
Your data, which we have received in the course of any contact you made, will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, your request has been fully processed and no further communication with you is necessary or desired by you. Please note that in the case of (pre-)contractual inquiries, legal retention obligations may arise for us and we may only be able to delete your data after their expiry.
GreenGate on LinkedIn
GreenGate has set up its own page on the social network LinkedIn. We have a legitimate interest in presenting ourselves on the world’s largest platform for professional exchange, using to draw the attention of potential clients to us and our services, to contact them, colleagues or other multipliers and to build and maintain a network of professional contacts. The legal basis for the data processing operations described below is therefore Art. 6 (1) lit. f of the GDPR.
When you visit our site on LinkedIn, follow our site, leave comments or likes, write us a message, or otherwise use a feature of LinkedIn on our site, we receive information about your name, your current position with a company, where you work, and other company information. We also learn about the ways in which you have interacted with our site through LinkedIn. We may use this information to respond to your interaction, such as replying to a comment. Outside of LinkedIn, we do not store your information without explicitly communicating this within LinkedIn (for example, if we agree to continue the conversation via email as part of an exchange via LinkedIn messages). If you write messages to us via LinkedIn, the information in the section “Contacting us by e-mail or phone” applies accordingly.
LinkedIn also provides us, as the operator of the company page, with so-called Page Insights reports. These are aggregated statistical information that LinkedIn creates based on the personal data of visitors to our site. For example, we learn from which regions the visitors to our site come, how often our site is accessed, in which industries visitors to our site are active, and similar information. LinkedIn does not provide us with any information that would allow us to draw conclusions about individual members of the network.
With regard to the Page Insights reports, we and LinkedIn are joint controllers within the meaning of Art. 26 of the GDPR or other relevant data protection laws (such as in Switzerland or the United Kingdom). As part of its Page Insights Joint Controller Addendum, LinkedIn has assumed the obligation to inform users about the processing of their personal data. LinkedIn also takes the lead in processing data subject requests (see “Your rights as a data subject” and “Your right of objection” above). You can nevertheless also address requests in this regard to us.
Links to other websites
SECTION 3 – ESTABLISHMENT AND PERFORMANCE OF MANDATE RELATIONSHIPS
Contact data collection
When you mandate us or act on behalf of a company or other organization that mandates us, or we contact you as a result of a mandate relationship, we collect the following information:
- name and contact details;
- if applicable, position in the company / organization, authority to sign, power of attorney;
- if applicable, information that is necessary for the assertion and defense of your rights within the scope of the client relationship.
Pursuant to Art. 6 (1) lit. b of the GDPR, the data processing is necessary for the processing of the mandate and for the mutual fulfillment of obligations arising from the mandate agreement, in order to be able to identify you, to provide you with appropriate legal advice and representation, for correspondence with you and for the purpose of invoicing our consulting services.
Legal obligations, in particular under the GwG
We will also process your data if and to the extent necessary to comply with our legal obligations, such as obligations under the Act on the Tracing of Profits from Serious Crimes (Money Laundering Act, GwG). For the purposes of preventing money laundering and terrorist financing, we may in particular be obliged to collect and process data for the purpose of establishing your identity with certainty and your asset and shareholding relationships in accordance with § 10 of the GwG.
The legal basis for this processing of personal data is Art. 6 (1) lit. c of the GDPR. We would like to point out that, pursuant to § 11a of the GwG, we are not obliged to provide information in the event of possible transfers of your data to the competent supervisory authorities or the persons and institutions used by the competent supervisory authorities in the performance of their duties, or to the Central Authority for Financial Transaction Investigations (Zentralstelle für Finanztransaktionsuntersuchungen), and that you have no right to information in this respect.
Privacy Boxes and Data Rooms at iDGARD
For data exchange, we offer you the use of so-called privacy boxes and data rooms in the “iDGARD” application. “iDGARD” is a solution of Uniscon universal identity control GmbH, Ridlerstraße 57, 80339 Munich, Germany. The use of “iDGARD” requires the setup of a personal access linked to your e-mail address.
In order to set up this access, we process the contact data of those persons to whom we set up access for the purpose of implementing the client relationship (Art. 6 (1) lit. b of the GDPR) or, in the case of other parties who are not our clients, on the basis of the legitimate interest in the most secure data exchange possible (Art. 6 (1) lit. f of the GDPR). After activation of the access by you and selection of a password, we can exchange information via “iDGARD” or make it available within the application. When new information is uploaded, the authorized users of the relevant Privacy Box or Data Room will receive an e-mail informing them of this. This e-mail does not contain any information about the content of the uploaded information. Accesses and uploaded information will be deleted after completion of the relevant project or, at the latest, at the end of the mandate relationship.
Uniscon, as the operator of “iDGARD”, does not automatically collect log file data, nor are these stored. When using “iDGARD”, both the content and the metadata, i.e. who communicates when and how much with whom, are treated confidentially. Uniscon as the operator also has no access to this information. The content of the privacy boxes and data rooms is protected from legal access. External tracking or internal collection of user behavior does not take place. Cookies are used exclusively for so-called session management to ensure a stable process. These cookies are deleted from your computer as well as from Unsicon at the end of the session.
We use the “Microsoft Teams” tool to conduct conversations by means of video conferencing (hereinafter: “online meetings”). “Microsoft Teams” is a service of Microsoft Corporation or, for users based in the EU, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
If you access the “Microsoft Teams” website, the “Microsoft Teams” provider is responsible for data processing. However, calling up the Internet page is only necessary for using “Microsoft Teams” in order to download the software for using “Microsoft Teams”. If you do not want to or cannot use the “Microsoft Teams” application, you can also use “Microsoft Teams” via your browser. The service will then also be provided via the “Microsoft Teams” website to that extent.
For online meetings using “Microsoft Teams”, we always offer the option to join an online meeting by phone as well.
When using “Microsoft Teams”, various types of data are processed. The scope of the data also depends on the data you provide before or during participation in an online meeting. The following personal data are subject to processing:
- User details: e.g. display name, e-mail address if applicable, profile picture (optional), preferred language
- Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
- Text, audio and video data: You may have the option of using the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device are processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the “Microsoft Teams” application or the browser application.
As a rule, we will not record online meetings. If, exceptionally, we want to record an online meeting, we will inform you transparently in advance and ask for your consent. If it is necessary for the purpose of recording the results of an online meeting, we will record the chat content. However, this will usually not be the case. The legal basis for data processing when conducting online meetings is our legitimate interest in time- and resource-saving mandate management, also for our clients (Art. 6 (1) lit. f of the GDPR).
Personal data processed in connection with participation in online meetings will generally not be disclosed to third parties unless required for technical reasons. The provider of “Microsoft Teams” necessarily obtains knowledge of the above-mentioned data insofar as this is provided for in the context of our order processing agreement with Microsoft. Data processing outside the EU or EEA does not take place as a matter of principle, as we have restricted our storage location to data centers in the EU. However, we cannot exclude that the routing of data takes place via internet servers that are located outside the EU or EEA. This may be the case in particular if participants in an online meeting are located in a third country. However, the data is encrypted during transport over the Internet and thus protected against unauthorized access by third parties.
Electronic communication and professional secrets
We would like to point out that the use of electronic communication channels may involve risks for the confidentiality of the communication between you and us; this applies in particular to the use of e-mails, including fax messages transmitted by means of e-mail services. E-mails are transmitted encrypted based on the cryptographic industry standard such as TLS/SSL, but are regularly not end-to-end encrypted. If you contact us by e-mail or other electronic means, we may assume that you consent to our further use of these communication channels (Section 2 (2) BORA). Notwithstanding this, we will again draw your attention to the existing risks to the confidentiality of communication in an appropriate manner.
If, in the course of the client relationship, it should become necessary for us to defend ourselves against liability claims or if we have to make a claim against one of our clients due to outstanding invoices, the processing of personal data required for this purpose is based on our legitimate interest in being able to defend our legal position appropriately, Art. 6 (1) lit. f of the GDPR.
Storage period and retention obligations
The personal data collected by us for the establishment and execution of client relationships will be stored until the expiry of the statutory retention obligation (six years after the end of the calendar year in which the mandate was terminated) and then deleted, unless we are obliged to store the data for a longer period of time pursuant to Art. 6 (1) lit. c of the GDPR, we are obliged to store the data for a longer period of time due to tax and commercial law retention and documentation obligations (from HGB, UStG or AO), or further processing is necessary due to ongoing legal disputes, or you have consented to further storage in accordance with Art. 6 (1) lit. a of the GDPR.
SECTION 4 – APPLICATION TO GREENGATE
In order to decide on the prospects of success of an application, the provision of personal data is desired and also necessary. We require name and contact details, date of birth, place of birth, details of professional circumstances, professional qualifications, professional experience, certificates and details of other special qualifications in accordance with the specific job advertisement (such as language skills).
Further information is voluntary and not a prerequisite for consideration of an application. Failure to provide this information will not result in any disadvantages. This voluntary information also includes application photos.
Application documents are stored and processed digitally by us. This applies regardless of the way in which we receive the application documents, i.e. in particular also for applications sent to us by post.
The legal basis for the processing is § 26 (1) Sentence 1 BDSG, insofar as it is information that we request as part of the application process for the establishment of an employment relationship with us. We process information voluntarily provided in addition to this on the basis of consent, Art. 6 (1) lit. a of the GDPR in conjunction with. § 26 (2) BDSG.
In particular, resumes, cover letters or the other data provided for the purpose of the presentation often also contain information about “special categories of personal data” as defined in Art. 9 (1) of the GDPR (e.g., a photo that reveals ethnic origin, information about severely disabled status, etc.). The transmission of information of this kind includes the declaration that we store this information on the basis of consent as part of the application documents, Art. 9 (2) lit. a of the GDPR in conjunction with. § 26 (2) BDSG. Any processing of this personal data that goes beyond storage will only take place insofar as we expressly state this in this data protection declaration.
Insofar as special legal obligations arise for us from health-related information, for example regarding a severely disabled status, we will process this data on the basis of Art. 9 (2) lit. b of the GDPR in conjunction with. § 26 (3) BDSG in order to comply with these legal obligations.
Cooperation with personnel service providers and applicant platforms
We may also cooperate with external personnel service providers to fill vacancies and place advertisements on applicant platforms. Under certain circumstances, we may have received and evaluated certain personal data from these third parties before contacting an applicant on our part. In view of our contractual agreements with the personnel service providers and the applicant platforms, we assume that each applicant has also concluded agreements with them on the provision of their personal data to us as a potentially interesting or interested employer, or that applicants themselves have initiated the transfer of their data to us.
Further information on this is also contained in the data protection notices of the relevant personnel service providers or applicant platforms. Depending on the structure of these data protection notices, it is possible that the personnel service providers or applicant platforms may provide us with further profile information in addition to the application documents.
The legal basis for the transfer of personal data to us is our legitimate interest in the broadest possible selection of qualified applicants in accordance with Art. 6 (1) lit. f of the GDPR. We will process data that we obtain in this way from sources other than applicants directly in the same way as we process applications that we receive directly from applicants without the involvement of personnel service providers or applicant platforms. However, where available, we may use direct communication channels, e.g. from applicant platforms, to exchange messages with applicants.
After receiving an application via a recruitment agency or an applicant platform, we will generally not inform applicants again in detail about the source of their application. Because applicants initiate this application themselves via a specific recruitment service provider or applicant platform, or have been in contact with this recruitment service provider or applicant platform in advance, they already have the information about where we obtained their data; therefore, for legal reasons alone, it is not necessary to inform them again, Art. 14 (5) lit. a of the GDPR. Of course, we will still be happy to inform applicants at any time upon request about who exactly we have received their personal data from.
If applicants do not apply for a specific job posting with us or if we select another person for the specific job posting but would nevertheless like to consider another application for future job postings, we may include applicants in our application pool. However, this requires the explicit consent of the applicants concerned within the meaning of Art. 6 (1) lit. a, 9 (2) lit. a of the GDPR in conjunction with § 26 (2) BDSG. In such cases, we will request this separately from the applicants concerned. In all other respects, the general data protection information also applies accordingly in these cases.
We reserve the right, on the basis of Art. 6 (1) lit. f of the GDPR, to collect further information on the professional career, previous employers or further qualifications of applicants from other sources. For this purpose, we will evaluate information in professional social media networks (e.g. LinkedIn, XING) as described below and compare it with the information in the application documents or process it for the purposes of the application process as described herein, if an applicant has created a publicly accessible profile there and stored such information there.
Such further evaluation serves our legitimate interest in getting to know our potential future colleagues better even before an interview. However, we will only carry out such evaluations once we have already made a pre-selection of all applications. We will only obtain further information as described above about applicants whom we would like to get to know better after such a pre-selection.
Personnel selection interviews
As part of our personnel selection interviews, we invite those applicants who appear to be best suited for the vacant position based on their application documents. In these interviews, we would like to get to know the applicants and their qualifications even better. The legal basis for the information provided in this way in addition to the application documents is § 26 (1) Sentence 1 BDSG, insofar as the information is more specific details and explanations of the applicant’s professional career.
If we also request information from applicants (e.g. on soft skills, their expectations and ideas with regard to a possible job for us), we collect this information on the basis of our legitimate interest in being able to assess our future colleagues as well as possible before deciding on the establishment of an employment relationship and thus to optimally fill an advertised position, Art. 6 (1) lit. f of the GDPR, § 26 (1) Sentence 1 BDSG.
Reimbursement of travel expenses
If we ask applicants to travel to a personnel selection interview in person, we can reimburse them for the travel expenses incurred and proven to us. For this purpose, we process the necessary additional information on the basis of § 26 (1) Sentence 1 BDSG, namely the applicants’ bank account details and details of any travel expense reimbursement claims incurred, including receipts (cab, fuel receipt, train ticket or similar).
Communication with applicants and internal memos
To the extent necessary for the application process and the decision on filling the position, we also process data on the basis of § 26 (1) Sentence 1 BDSG in the course of written or electronic correspondence with applicants. Furthermore, we will make internal notes for the purpose of internal coordination and, if necessary, to provide evidence of proper, in particular non-discriminatory decision-making, for example after reviewing the application documents or after a personnel selection interview.
Defense of legal claims arising from the application process
We may process personal data about applicants insofar as this is necessary to defend asserted legal claims against us arising from the application process. The legal basis for this is Art. 6
(1) lit. f of the GDPR; the legitimate interest is, for example, a duty to provide evidence in proceedings due to an alleged violation of the General Equal Treatment Act (AGG).
Further processing in the event of the establishment of an employment relationship
If an employment relationship is established between an applicant and us, we may process the personal data already received from the applicant for the purposes of the employment relationship in accordance with § 26 (1) Sentence 1 BDSG if this is necessary for the performance or termination of the employment relationship or for the exercise or fulfillment of the rights and obligations of the employee representative body resulting from a law or a collective agreement, a works agreement or a service agreement (collective agreement).
We process data from an application procedure for the duration of the application procedure as well as for a period of six months after completion of the job filling, unless otherwise specified below.
If an employment relationship between an applicant and us does not materialize, we may continue to store data to the extent necessary to defend against possible legal claims.
We process data in our application pool for a period of twelve months on the basis of any separate consent given to us for this purpose. If we consider applications from our database in the context of specific job filling procedures, the general information on the storage period applies accordingly.
Data that we process as part of the reimbursement of travel expenses may be stored for a period up to the end of the tenth calendar year following the date of reimbursement due to commercial and tax retention obligations. We are legally obligated to do so, and data processing for this purpose is based on Art. 6 (1) lit. c of the GDPR.
Status: 15 December 2022