Send email Copy Email Address


This data protection notice informs you about the processing of your personal data (hereinafter: data) in the application process.


The controller for data processing within the meaning of the GDPR and other data protection regulations is: 

CISPA - Helmholtz Centre for Information Security gGmbH 

Stuhlsatzenhaus 5 

66123 Saarbruecken 


Tel.:+ 49681 87083 1001

Fax: + 49 681 87083 8801



Managing Director: 

CISPA is represented by the managing directors Prof. Dr. Dr. h. c. Michael Backes and Dr. Kevin Streit. 


Data Protection Officer: 

You can reach our data protection officer at:  

If you have any questions about data protection, you can also contact our corporate data protection & information security department at:


Processing of personal data and purpose of processing

The following categories of data may be subject to processing: contact data, application documents, master data, qualifications, health data. 

We process the data you have provided only for the purpose of and within the scope of the application process. We process the data you have sent us in connection with your application in order to assess your suitability for the position (or other open positions in our companies, if applicable) and to carry out the application process. This may include, among other things, arranging appointments for job interviews, pre-contractual measures as well as the decision on the establishment of an employment relationship. 

Legal basis

The processing of your data is carried out for the fulfillment of necessary pre-contractual measures in the context of the application procedure within the meaning of Art. 6 (1) lit. b. GDPR, to fulfill a legal obligation of the controller according to Art. 6 (1) lit. c GDPR, to achieve the data processing necessary for the legitimate interest of the controller/ a third party, unless interests, fundamental rights and freedoms of you, which require the protection of personal data, prevail according to Art. 6 (1) lit. f GDPR. 

The legitimate interest in this case is the data backup and data archiving as technical-organizational measures for the purpose of ensuring data availability, resilience and recoverability pursuant to Art. 32 (1) lit. b, c GDPR.

Processing for the purpose of deciding on the establishment of an employment relationship takes place within the meaning of Section 26 (1) sentence 1 BDSG. The provision of data is necessary for the course of the application procedure of the controller. 

Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are voluntarily communicated within the scope of the application procedure, their processing shall additionally be carried out in accordance with Art. 9 (2) lit. a GDPR (e.g., health data, such as severely disabled status. 

With the help of our online application portal, you can apply directly for advertised positions. For this purpose, a corresponding registration is required. 

Data security

You can submit your application using an online form on our website or our online application portal. The data is transmitted to us in encrypted form in accordance with a state-of-the-art encryption method.


In the event of a successful application, the data you provide will be further processed by us for the purposes of forming the employment relationship. Otherwise, if the application for a job offer is not successful, your data will be deleted. Your data will also be deleted if an application is withdrawn.

Subject to a justified revocation or objection, the data will be deleted after a period of six months after the position has been filled (completion of the application process) so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the General Equal Treatment Act (AGG). Invoices for any travel expense reimbursements are archived in accordance with tax law requirements. 

Data sharing

After receiving your application, your data will be reviewed by our onboarding department. Suitable applications are forwarded internally to the department managers for the respective open position. 


Recipients outside CISPA:

Graduate School

If you apply for a so-called preparatory or dissertation phase, your data will be forwarded to the Saarland University (UdS) within the framework of the cooperation between CISPA and UdS, insofar as this is necessary for recruitment via the so-called Graduate School of the UdS, or insofar as professors of the UdS participate in committees for recruitment. In this context, the Graduate School of the UdS acts as a distinct controller in the sense of data protection law. In principle, only those persons have access to your data who require the access for the proper course of our application procedure.


External reviewers and evaluators 

E.g., in the Stanford program and faculty hiring process.


Open Campus

Our online application portal is operated by OpenCampus GmbH as a cloud service. A contract for order processing in accordance with Art. 28 GDPR has been concluded with this service provider.

Data processing outside the European Union

As a rule, no data processing takes place outside the European Union.

If we transfer your data outside the EU/EEA (e.g., to external reviewers as part of the Stanford Program), the processing will only take place to the extent that the third country has been confirmed by the EU Commission to have an adequate level of data protection, consent has been obtained, or other appropriate data protection safeguards are in place.

Data subject rights

You have the following rights with respect to the processing of your data by CISPA: 

  • You have the right to request confirmation as to whether data concerning you is being processed and the right to be informed about this data and to receive further information and a copy of the data in accordance with Art. 15 GDPR. 
  • You have according to. Art. 16 GDPR the right to request the completion of the data concerning you or the rectification of incorrect data concerning you. 
  • In accordance with Art. 17 GDPR, you have the right to demand that data concerning you be deleted without delay (right to erasure), or alternatively, in accordance with Art. 18 GDPR, to demand restriction of the processing of the data. 
  • You have the right to request to receive the data concerning you that you have provided to us, in accordance with Art. 20 of the GDPR, and to request its transfer to other data controllers. 
  • You have the right to withdraw given consents according to Art. 7 (3) GDPR with effect for the future.
  • Pursuant to Art. 77 GDPR, you can file a complaint with the supervisory authority responsible for data protection. As a rule, you can contact the supervisory authority of your place of residence or the Independent Data Protection Center Saarland for this purpose: 

Unabhängiges Datenschutzzentrum Saarland
Die Landesbeauftragte für Datenschutz und Informationsfreiheit

Fritz-Dobisch-Straße 12
66111 Saarbrücken
Telefon: (0681) 94781-0
Telefax: (0681) 94781-29


Right to object

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation.

If you wish to exercise your data protection rights, you can also contact our data protection staff unit by e-mail at datenschutz@cispa. de or our data protection officer at 

Actuality and change of this privacy policy

This privacy policy is currently valid and has the status September 2022.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this data protection notice.