Information on Data Protection
for Job Applicants

Information that must be provided to job applicants under Articles 13, 14 and 21 of the General Data Protection Regulation (“GDPR”) in regard to the handling of personal data.

1.   Introduction

Dear Applicant,

With the following information, we would like to inform you about the personal data that we collect about you, how and why we process these data, and the rights you have under GDPR.

1.1 Responsible party (“controller”) 


represented by the Managing Directors Alexander Lörch and Rouven Lörch
Gewerbepark Birkenhain 1
63579 Freigericht
Tel.: +49 6051 8846-0
Fax: +49 6051 8846-480

(“We”, “Us”, “Our”)

1.2 Contact information of the Data Protection Officer

Thomas Kolb LL.M., external Data Protection Officer
kolbcom GmbH

P 7, 22
68161 Mannheim

2. Nature, scope and purpose of the processing of personal data

2.1 Categories of affected persons (“data subjects”)

This Information on Data Protection for Job Applicants (“Data Protection Information”) relates to data that we collect from, or about, job applicants who apply for employment with us or a CID group company, and subsequently process.

2.2 Categories of personal data

We process the following personal data in connection with our job application process:

  • identification data such as your name, photograph, sex, date of birth;
  • contact information such as your home address, private telephone numbers and email addresses;
  • your letter of application and curriculum vitae;
  • information relating to your education and qualification, including certificates of achievements and confirmations of work activities;
  • information relating to your professional qualification, successes, abilities, authorisations needed in connection with your work, requests for, and documentation relating to, police clearance certificates and / or membership of a professional association;
  • information relating to your previous work performance and professional career;
  • information relating to your state of health such as medical certificates, results of work-related fitness tests and other occupationally related medical examination reports and the results of drug and alcohol tests;
  • information relating to your racial or ethnic descent, sex and state of health which may possibly be needed to comply with anti-discrimination laws and notification duties vis-à-vis public authorities and which we need to fulfil the statutory requirements relating to equal opportunities;
  • information about you relating to criminal proceedings which becomes apparent as a result of inspecting your criminal record or from a notification which you have a mandatory duty to disclose; and
  • other sensitive personal data which you disclose voluntarily in the context of your job application.


2.3 Origin of the personal data

We will generally collect these data directly from you. In some instances, however, we collect data via third parties:

  • Insofar as these are related to the establishment of an employment relationship, information on past criminal proceedings and convictions that becomes apparent as a result of inspecting criminal records;
  • Information relating to your prior employment (including certificate of employment) and other information concerning your suitability and qualification for our company that is obtained from testimonials provided by yourself and / or by third parties (such as recruitment agencies);
  • Further information which we receive via external service providers whom we have charged with applicant screening;
  • Information obtained from certain publicly accessible sources (including the Internet – such as Xing, LinkedIn, etc.).


2.4 Purposes of the processing and legal bases

The purpose of the collection and processing is to be able to decide on a selection regarding the respective advertised position – or, in the case of unsolicited job applications, regarding our need for new employees – and to communicate this to the job applicant.


2.4.1 Ongoing application process / unsolicited job application

The legal bases for processing in the context of an ongoing application process and for unsolicited applications are Section 26 of the German Federal Data Protection Act (BDSG) in conjunction with point (a) and point (b) of the first sentence of Article 6 (1) GDPR, as well as point (a) of Article 9 (2) GDPR.

Insofar as we collect and process your personal data on the basis of your consent, this consent is provided on a voluntary basis and can be withdrawn at any time with effect for the future.

You can refuse to give your consent at any time without providing reasons, without you having to fear any disadvantages as a result of doing so. Whether you give your consent or not has no effect on your chances in the specific job application process.

If you send us photographs or other information that is not required for the job application process, these data will be stored on the basis of point (f) of the first sentence of Article 6 (1) GDPR. In doing so, the sole purpose of the processing is to document your application properly and to be able to process it in an unadulterated form. In accordance with the legal requirements of the German Equal Treatment Act (AGG), the photograph is not taken into account in the selection decision on occupying the position.


2.4.2    Inclusion in the job applicant pool

You have the option to consent to your inclusion in our general job applicant pool. To do so, you can give your consent in the context of your (online) application or by sending an e-mail to the e-mail address provided with the job advertisement.

If you give your consent, your personal data will be collected, as described above, and also be held beyond the scope of the specific job application process for which you originally submitted your application. In doing so, you consent, in particular, to us using these data to enable us to continue / reopen the job application process, should you be considered for an alternative position, and to enable us to contact you accordingly.

This consent is given voluntarily and may be refused without providing reasons, without you having to fear any disadvantages in the respective application process as a result of doing so. Consent, once given, may be withdrawn at any time with effect for the future; in this case, your data will be erased without undue delay as soon as the application process is complete or we receive your notification of withdrawal.

Irrespective of any withdrawal of consent, your data will be erased after 1 (one) year at the latest, provided that no further job opportunities have arisen in the meantime.

The legal bases for processing in this respect are Section 26 BDSG in conjunction with point (a) and point (b) of the first sentence of Article 6 (1) GDPR.

3. Forwarding of data to third parties, cross-border data processing

3.1 Forwarding of data to third parties

We will only pass on your personal data within our company to those business divisions and persons who need these data to fulfil contractual and legal obligations or to protect our legitimate interests.

We may transmit your personal data to companies affiliated with us, provided that this is permissible within the context of the purposes set out in Section 2 of this Data Protection Information or you have given us your consent to such forwarding. In these cases, the forwarding encompasses the following CID GmbH companies:

  • CID Italia Srl, Piazza Walther-von-der-Vogelweide 8, 39100 Bolzano, Italy
  • CID Slovakia, s.r.o., Zuckermandel, budova CA, Žižkova 9. 811 02 Bratislava, Slovakia
  • UAB “CID Lietuva”, Raudondvario pl. 101, 47184 Kaunas, Lithuania
  • CID Digital Services, d.o.o., Trg republike 3, 1000 Ljubljana, Slovenia
  • CID Digital Services Ltd., 41 Church Street, Birmingham, B3 2RT, UK
  • CID Digital Services LLC, 1500 Broadway, Suite 1902, New York, NY 10036, USA
  • CID Austria GmbH, Zaunergasse 4, 1030 Wien, Austria

In some cases, your personal data will also be processed by service providers that are engaged by us. Depending on the concrete nature and form of the cooperation with third parties, the interaction in the context of processing will be classified as either: separate controllership; data processing under commission within the meaning of Article 28 GDPR; or joint controllership within the meaning of Article 26 GDPR. Some recipients are also subject to legal confidentiality obligations and process the data under their own responsibility. By concluding the contractual agreements necessary in each case, we ensure that the processing of personal data, also by our service providers, always complies with the provisions of GDPR. In this case, the categories of recipients are lawyers and IT service providers. The data are managed via our job applicant portal. For this purpose, we work together with the following company:

  • HRworks GmbH, Waldkircher Strasse 28, 79106 Freiburg, Germany


3.2 Cross-border data processing

We do not transmit data directly to third countries.

A transmission of data to the USA cannot be ruled out to the extent that our service provider HRworks relies on the services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. The servers used are located exclusively in the EU.

An adequacy decision in accordance with Article 45 GDPR exists for the transmission of data to the USA. Moreover, the data transmission is protected by the conclusion of standard contractual clauses.


4. Storage duration and erasure deadlines

If your application does not result in an employment relationship and you have not given your consent to be included in the job applicant pool, we will erase your data at the latest 6 (six) months after we have sent you our rejection letter. If you have consented to be included in the applicant pool, we will hold your data for 12 (twelve) months after we have sent you our rejection letter, provided that no further job opportunities arise in the meantime.

In the event of a successful application and subsequent employment in our company, your data that are needed for implementing and organising the employment relationship will be held for the duration of the employment relationship. You will be informed separately about this.

5. Your data protection rights

5.1 Your rights as a data subject

You have the right to: access information about our processing of your personal data pursuant to Article 15 GDPR; the right to rectification or erasure of your data pursuant to Article 17 GDPR; the right to restriction of processing pursuant to Article 18 GDPR; the right to notification pursuant to Article 19 GDPR; and the right to data portability pursuant to Article 20 GDPR.

If we process your personal data on the basis of your consent in accordance with point (a) of the first sentence of Article 6 (1) GDPR, you have the right to withdraw this consent at any time pursuant to Article 7 GDPR. We would like to point out that a withdrawal is only effective for the future. Processing that occurred before your withdrawal of consent is not affected by your withdrawal and remains lawful. Please note that, despite your withdrawal, we are legally obliged to retain and document certain data (see Sections 4 and 6 of this Data Protection Information).

Right to object

Insofar as your personal data are processed in accordance with point (f) of the first sentence of Article 6 (1) GDPR to protect legitimate interests, you have the right in accordance with Article 21 GDPR to object to the processing of these data at any time for reasons arising from your particular situation. We will then cease to process these personal data unless we can demonstrate compelling legitimate grounds for the processing. These must override your own interests, rights and freedoms, or the processing must serve the establishment, exercise or defence of legal claims.

To exercise your rights, it suffices to send us a notification in text form, which you should please submit to the address of the Data Protection Officer set out under Section 1.2  or by e-mail to

5.2 Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning yourself infringes GDPR (Article 77 GDPR). You can exercise this right with a supervisory authority in the Member State of your habitual residence, place of work or the place of the alleged infringement. In the regional state of Hesse, Germany, the competent supervisory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
The Hessian Commissioner for Data Protection and Freedom of Information

Postfach 3163
65021 Wiesbaden
Tel.: +49 611 1408-121

Further information is available via the following link (available in German only):

6. Obligation to provide personal data

The provision of personal data for the initiation and performance of employment relationships is generally not required by law or contractually. You are therefore not obliged to provide personal data. Please note, however, that these data are usually required for making the decision on employment.

Should you desist from providing us with personal data, we may not be able to make a selection decision in your favour. We recommend that you only provide personal data that are required for the application process.

7. Automated decision-making

We principally do not use any processes that involve fully automated decision-making as set out in Article 22 GDPR. Should we use such processes in individual cases, however, we will inform you separately and obtain your consent if this is legally required.

8. Contact

Should you have any questions relating to the processing of your personal data, please do not hesitate to contact us at any time. In this case, please send them to the address of the controller or Data Protection Officer set out under Section 1.

9. Up-to-dateness and amendment of this Data Protection Information

This Data Protection Information is currently valid and has the status date July 2023.

We reserve the right to update this Data Protection Information as necessary to adapt it to legal and technical developments or in connection with the offer of new products and services. Should we change our privacy policy, we will post those changes directly in this Data Protection Information, on our website and at other places we deem appropriate. We reserve the right to change this Data Protection Information at any time.

We use cookies for statistical purposes to better understand your usage behaviour and to optimise our website design. For further details, please refer to our Data Protection Statement and Cookie Policy. You can withdraw your consent at any time using the link in the site footer.

Keep up with what we’re doing on LinkedIn.