Send email Copy Email Address


This data protection notice informs you about the processing of your personal data (hereinafter: data) in the application process.



Controller    1
Processing of personal data and purpose of processing    2
Legal basis    2
Data security    2
Storage    3
Data sharing    3
Data processing outside the European Union    3
Data subject rights    4
Right to object    4
Actuality and change of this privacy policy    5

The controller for data processing within the meaning of the GDPR and other data protection regulations is: 
CISPA - Helmholtz Centre for Information Security gGmbH 
Stuhlsatzenhaus 5 
66123 Saarbruecken 
Tel.:+ 49681 87083 1001
Fax: + 49 681 87083 8801

Managing Director: 
CISPA is represented by the managing directors Prof. Dr. Dr. h. c. Michael Backes and Dr. Kevin Streit. 

Data Protection Officer: 
You can reach our data protection officer at:  
If you have any questions about data protection, you can also contact our data protection department at :

Processing of personal data and purpose of processing
The following categories of data may be subject to processing: contact data, application documents, master data, qualifications, health data. 
We process the data you have provided only for the purpose of and within the scope of the application process. We process the data you have sent us in connection with your application in order to assess your suitability for the position (or other open positions in our companies, if applicable) and to carry out the application process. This may include, among other things, arranging appointments for job interviews, pre-contractual measures as well as the decision on the establishment of an employment relationship. 

Legal basis
The processing of your data is carried out for the fulfillment of necessary pre-contractual measures in the context of the application procedure within the meaning of Art. 6 (1) lit. b. GDPR, to fulfill a legal obligation of the controller according to Art. 6 (1) lit. c GDPR, to achieve the data processing necessary for the legitimate interest of the controller/ a third party, unless interests, fundamental rights and freedoms of you, which require the protection of personal data, prevail according to Art. 6 (1) lit. f GDPR. 
The legitimate interest in this case is the data backup and data archiving as technical-organizational measures for the purpose of ensuring data availability, resilience and recoverability pursuant to Art. 32 (1) lit. b, c GDPR.
Processing for the purpose of deciding on the establishment of an employment relationship takes place within the meaning of Section 26 (1) sentence 1 BDSG. The provision of data is necessary for the course of the application procedure of the controller. 
Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are voluntarily communicated within the scope of the application procedure, their processing shall additionally be carried out in accordance with Art. 9 (2) lit. a GDPR (e.g. health data, such as severely disabled status. 
With the help of our online application portal, you can apply directly for advertised positions. For this purpose, a corresponding registration is required. 

Data security 
You can submit your application using an online form on our website or our online application portal. The data is transmitted to us in encrypted form in accordance with a state-of-the-art encryption method.

In the event of a successful application, the data you provide will be further processed by us for the purposes of forming the employment relationship. Otherwise, if the application for a job offer is not successful, your data will be deleted. Your data will also be deleted if an application is withdrawn.
Subject to a justified revocation or objection, the data will be deleted after a period of six months after the position has been filled (completion of the application process) so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the General Equal Treatment Act (AGG). Invoices for any travel expense reimbursements are archived in accordance with tax law requirements. 

Data sharing
After receiving your application, your data will be reviewed by our onboarding department. Suitable applications are forwarded internally to the department managers for the respective open position. 

Recipients outside CISPA:

Graduate School
If you apply for a so-called preparatory or dissertation phase, your data will be forwarded to the Saarland University (UdS) within the framework of the cooperation between CISPA and UdS, insofar as this is necessary for recruitment via the so-called Graduate School of the UdS, or insofar as professors of the UdS participate in committees for recruitment. In principle, only those persons have access to your data who require the access for the proper course of our application procedure.
With the Graduate School of the UdS, principles for the joint processing of personal data and the respective data protection-relevant tasks and responsibilities in the context of the application process have been defined in a written agreement pursuant to Art. 26 GDPR. In particular, the parties have reached an agreement on who is responsible in which way for exercising your data subject rights according to Art. 15 to 22 GDPR and for fulfilling the information obligations according to Art. 13 and 14 GDPR. 
The central point of contact for you is CISPA, which handles information obligations, the exercise of data subject rights, data protection incidents and other essential duties with the support of the Graduate School of the UdS. 

External reviewers and evaluators 

E.g., in the Stanford program and faculty hiring process.

Open Campus
Our online application portal is operated by OpenCampus GmbH as a cloud service. A contract for order processing in accordance with Art. 28 GDPR has been concluded with this service provider.

Data processing outside the European Union
As a rule, no data processing takes place outside the European Union.
If we transfer your data outside the EU/EEA (e.g., to external reviewers as part of the Stanford Program), the processing will only take place to the extent that the third country has been confirmed by the EU Commission to have an adequate level of data protection, consent has been obtained, or other appropriate data protection safeguards are in place.

Data subject rights
You have the following rights with respect to the processing of your data by CISPA: 

•    You have the right to request confirmation as to whether data concerning you is being processed and the right to be informed about this data and to receive further information and a copy of the data in accordance with Art. 15 GDPR. 
•    You have according to. Art. 16 GDPR the right to request the completion of the data concerning you or the rectification of incorrect data concerning you. 
•    In accordance with Art. 17 GDPR, you have the right to demand that data concerning you be deleted without delay (right to erasure), or alternatively, in accordance with Art. 18 GDPR, to demand restriction of the processing of the data. 
•    You have the right to request to receive the data concerning you that you have provided to us, in accordance with Art. 20 of the GDPR, and to request its transfer to other data controllers. 
•    You have the right to withdraw given consents according to Art. 7 (3) GDPR with effect for the future.
•    Pursuant to Art. 77 GDPR, you can file a complaint with the supervisory authority responsible for data protection. As a rule, you can contact the supervisory authority of your place of residence or the Independent Data Protection Center Saarland for this purpose: 
Independent Data Protection Center SaarlandState 
Commissioner for Data Protection and Freedom of Information
Fritz-Dobisch-Strasse 12
66111 Saarbrücken
Phone : (0681) 94781-0
Fax: (0681) 94781-29

Right to object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation.
If you wish to exercise your data protection rights, you can also contact our data protection staff unit by e-mail at datenschutz@cispa. de or our data protection officer at 
Actuality and change of this privacy policy
This privacy policy is currently valid and has the status April 2022.
Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this data protection notice.