Privacy policy for employees at CISPA

We are required by law to provide you with this information. Data protection and the handling of personal data is very important to us, so we always ensure that your personal data is processed properly. If you have any questions about your employee data and how it is processed, the Corporate Data Protection & Information Security Department and our Data Protection Officer are at your disposal. The data protection officer is not subject to any instructions, is independent in his position and is legally obliged to maintain secrecy and confidentiality (Article 38 GDPR, § 38 BDSG), so that you can contact him in confidence.

Controller

Responsible for data processing within the meaning of the GDPR and other data protection regulations is:

CISPA – Helmholtz-Zentrum für Informationssicherheit gGmbH
Stuhlsatzenhaus 5
66123 Saarbrücken
Germany
Tel.: +49 681 87083 1001
Fax: +49 681 87083 8801
E-Mail: info@cispa.de

Management:

CISPA is represented by the managing directors Prof. Dr. Dr. h. c. Michael Backes and Dr. Kevin Streit.

Data Protection Officer:

You can reach our data protection officer at: dsb@cispa.de
If you have any questions about data protection, you can also contact our corporate data protection & information security department: datenschutz@cispa.de

Purposes and legal basis of the processing

We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), insofar as this is necessary for the employment relationship. The legal basis for this is Article 88 GDPR and, if applicable, Article 6 para. 1 lit. b GDPR for the initiation and implementation of a contractual relationship, the employment contract.

In addition, we process personal data if this is necessary for the fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR) or for the defence and assertion of legal claims arising from the employment relationship. The legal basis for this is Art. 6 para. 1 lit. f GDPR. The legitimate interest lies, for example, in a possible obligation to provide evidence in the context of legal proceedings.

For certain data processing, we require your express consent within the meaning of Art. 6 para. 1 lit. a GDPR (e.g. use of images and personal data that are not required for the employment relationship). For this purpose, you can voluntarily sign corresponding declarations of consent. Consent given can be revoked at any time with effect for the future. In accordance with Article 88 of the GDPR, we may further process the personal data you have already provided as part of an application procedure for the purposes of the employment relationship, insofar as this is necessary for the commencement, implementation or termination of the employment relationship or for the exercise or fulfilment of the rights and obligations of the employee representative body resulting from a law or a collective agreement, a works or service agreement (collective agreement).

Special legal bases are:

Income Tax Act (§ 41a EStG - wage tax).
§ 28a SGB IV; §198 ff SGB V; § 190 ff, § 281c SGB VI, DEÜV (Data Collection and Transmission Regulation)
§ 829 para. 2 sentence 1 ZPO (garnishment of wages)
§ 16 para. 2 ArbZG and § 7d para. 1 sentence 1 SGB IV - Working Time Accounts Value Credit Agreement
Minimum Wage Act (§§ 16, 17 MiLoG)
Youth Employment Protection Act ( §§) 49, 50 JArbSchG)
Temporary Employment Act (§§ 7, 17 b AÜG)
Vocational Training Act (§§ 76, 88, 101 BBiG)
Rehabilitation and participation of persons with disabilities (§§ 163 SGB IX)
Certificate of employment (§ 312 SGB III)
etc.

We process the following personal data from you for the above purposes:

Name, address, date of birth, gender, bank details, nationality.
Information on your employment with us as well as on your qualifications and your career to date. This includes, for example, information on the highest school-leaving qualification or the highest vocational training and information that you have provided to us as part of the application process.
Data relevant to tax and social security law. This includes, among other things, your tax identification number, tax bracket, any child allowances, marital status and details of religious denomination (only if relevant for tax purposes). We may also collect this and other data regulated by law in § 39 e) of the Income Tax Act from the relevant tax authorities.
Information on taxable periods of previous employment in the current calendar year so that the tax calculation can be adjusted accordingly.
Information on your health insurance and, if applicable, on other employment-related additional insurances in order to be able to meet any payment obligations and reporting requirements.
Information on your parental status. We need this information in order to determine whether a contribution surcharge for long-term care insurance is to be paid in accordance with § 55 para. 3 of the German Social Security Code (Sozialgesetzbuch XI).
If you are not yet of age at the time of recruitment, we may ask you to submit an initial medical examination certificate. We are legally obliged to do this under § 32 of the Youth Employment Protection Act.
Sick leave, absences (holidays, special leave, etc.) or working hours.
Information on severe disabilities for the purpose of safeguarding your rights under Social Code IX and to calculate any compensatory levy under § 77 Social Code IX. You do not have to answer this question until you have been employed for six months. Before that, the answer is voluntary.
Optionally, a picture of you.

Storage

The data we process about you will be erased as soon as you have revoked your consent, objected to the processing, it is no longer required for the performance of the employment relationship or the employment relationship has been terminated and there are no statutory retention periods to the contrary.

The following statutory retention periods may influence the storage period of the data:

Receipts for the payroll account: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 41 I S. 9 EStG; § 257 I No. 1, 4 in conjunction with § 238 I HGB
Warnings: 2 to 2.5 years according to jurisdiction
Application documents, data: After decision not to appoint, up to 6 months, burden of proof of discrimination, time limit §§ 21 V, 22 AGG, Otherwise: on termination, termination of employment relationship
Proof of working hours under § 16 para. 2 ArbZG: 2 years
Proof of working hours under § 50 JarbSchG: 2 years
Proof of working hours under § 17 I MiLoG: 2 years
Other proof of working hours: 6 years, § 147 I No. 5, para. III AO

Passing on data

We will only pass on your personal data if this is necessary and there is a legal basis for doing so. We generally pass on your data to the following recipients:

Employment agency
Tax office
Employer's Liability Insurance Association
Banking institutions
Insurance companies
External service providers (payroll accounting, reimbursement of travel expenses, training and in-house training etc.)
Logistics companies
Document shredding
If applicable, funding source

Transfer outside the EU or EEA:
In principle, we do not intend to transfer your personal data to a third country. Should a transfer nevertheless take place – for example due to the use of certain software solutions - we will inform you about the processing of your personal data.

Data subjects' rights

You have the following rights with regard to the processing of your data by CISPA:

You have the right to request confirmation as to whether data is being processed and the right to be informed about this data and to receive further information and a copy of the data in accordance with Art. 15 GDPR.
You have the right, in accordance with Art. 16 GDPR, to request that the data concerning you be completed or that incorrect data be corrected.
In accordance with Article 17 of the GDPR, you have the right to demand that data relating to you be deleted without delay or, alternatively, to demand restriction of the processing of the data in accordance with Article 18 of the GDPR.
You have the right to obtain the data concerning you that you have provided to us in accordance with Art. 20 GDPR and to request that it be transferred to other data controllers.
You have the right to revoke any consent you have given in accordance with Art. 7 para. 3 GDPR with effect for the future.
Right of objection: You may object to the future processing of data concerning you in accordance with Art. 21 GDPR at any time (see below).
In accordance with Art. 77 GDPR, you may lodge a complaint with the supervisory authority responsible for data protection. As a rule, you can contact the supervisory authority of your place of residence or the Independent Data Protection Centre Saarland for this purpose:

Unabhängiges Datenschutzzentrum Saarland
Fritz-Dobisch-Straße 12
66111 Saarbrücken
Telefon: (0681) 94781-0
Telefax: (0681) 94781-29
E-Mail: poststelle@datenschutz.saarland.de

Right of objection

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f of the GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 of the GDPR, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which is implemented by us without specifying a particular situation.

If you would like to exercise your data protection rights, you can do so by e-mail at datenschutz@cispa.de or directly to our data protection officer at dsb@cispa.de.

Actuality and modification of this privacy policy

This privacy policy is currently valid and has the status June 2023.

Due to changes in legal or regulatory requirements, it may become necessary to amend this data protection declaration. We will inform you of any fundamental changes. The current data protection declaration can be called up and printed out at any time.