1. General information on data processing

Northrail GmbH (Northrail) appreciates your visit to the website and your interest in the companies and products of the Northrail Group. We take the protection of your private data very seriously and want you to feel secure when visiting our website. As the responsible party in terms of data protection, we inform you below about the nature and extent of the processing of personal data.

The protection of your privacy when processing personal data is an important concern for us, which we take into account in our business processes. As a matter of principle, we only process personal data insofar as this is necessary for the provision of functional websites, for contacting you via the email addresses provided on our websites and for the provision of our content and services.

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. In the case of processing of personal data that is necessary for the performance of a contract, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. In addition, processing may be necessary to protect our legitimate interests pursuant to Art. 6 (1) lit. f GDPR.

The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may take place beyond this if this has been provided for by the European or national legislator. Data will also be blocked or deleted if a prescribed storage period expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

Personal data will only be transferred to state institutions and authorities within the framework of mandatory European and national legal provisions. Our employees are obliged by us to maintain confidentiality.

For your security, we use SSL or TLS encryption to protect the transmission of all content that you send to us. You can recognise this encrypted connection by the fact that the address line of the browser changes from "http://" to "https//" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

2. Collection and processing of personal data on our websites

When you visit our website, our web server stores, among other things, the server log files listed in detail below by default. Additional data may be stored if this has been provided for by European or national legislation.

SERVERLOGFILES

When you visit our website, our web servers store (as server log files) by default, among other things, information on the type and version of browser you are using, the operating system you are using, the website from which you are visiting us, the web pages you visit on our site, the date of the visit and, for security reasons, for example to detect attacks on our websites, the amount of data sent in bytes and, for a period of 7 days, the IP address assigned to you by your internet service provider. Storage may take place beyond this if this has been provided for by the European or national legislator. The temporary storage of the IP address by the system is necessary to enable delivery of the web pages to the user's computer. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. This purpose is also our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR.

With the exception of the IP address, personal data is only stored if you provide it to us of your own accord, for example by sending us your email address and/or your contact details.

3. Collection and processing of personal data when contacting us by email

On our website, it is possible to contact us via the email addresses provided. In this case, the user's personal data transmitted with the email will be stored. In this context, the data will not be passed on to third parties, unless the point "Passing on personal data to third parties" of this data protection declaration provides for this. The data is used exclusively for processing the conversation and is used solely for processing the contact. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of contact by email, this is the case when the respective conversation with the user has ended, i.e. when it is clear from the circumstances that the matter in question has been conclusively clarified.

The legal basis for the processing of this data is Art. 6 para. 1 lit. f GDPR. If the email contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR.

4. Collection and processing of personal data for job applications

PURPOSES AND LEGAL GROUNDS OF PROCESSING

In so far as it is necessary to make a hiring decision, we process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The legal grounds for the processing are provided by Art. 88 GDPR in conjunction with Section 26 BDSG for the purposes of the employment relationship, if this is necessary to make a hiring decision.

Furthermore, we can process personal data relating to you if necessary in order to comply with legal obligations (Art. 6 (1) lit. c GDPR) or to exercise or defend against legal claims. The legal basis is Art. 6 (1) lit. f GDPR. For example, we have a legitimate interest in a burden of proof in a process in accordance with the German General Act on Equal Treatment (AGG).

If you grant express consent to the processing of personal data for specific purposes, that processing is lawful by virtue of your consent in accordance with Art. 6 (1) lit. a GDPR and Section 26 (2) BDSG. You can withdraw consent at any time with future effect (see ‘YOUR RIGHTS’ below).

If an employment relationship comes into being between you and us, we may, in accordance with Art. 88 GDPR in conjunction with Section 26 BDSG, continue to process personal data that you have already provided for purposes related to the employment relationship, to the extent necessary for managing or terminating the employment relationship or to exercise or meet any rights or obligations arising from a law, collective agreement, company agreement or operating agreement (collective agreement) concerning the protection of employees’ interests.

CATEGORIES OF PERSONAL DATA

We only process data linked to your application. This can include general personal information (name, address, contact details etc.), details concerning your professional qualifications, school education or professional training, and any other information you provide to us in connection with your application.

SOURCES OF DATA

We process personal data that we receive when you contact us or submit your application by post or email, or that you send us through our HR software HRworks. In addition, we may process professional information that you have made publicly available, such as profiles on professional social media networks. The legal basis here is Section 26 (1) in conjunction with (8) sentence 2 BDSG. If we do not collect data directly from you, but rather from an active profile on an online job platform (e.g. StepStone), or if you present an inactive or only partially active profile during the application process, we may collect personal data in addition to professional information.

RECIPIENTS OF DATA

Within our company, we will only share your personal data with the departments and people who need the data to comply with contractual and legal obligations or to pursue our legitimate interests.

We can disclose your personal data to our affiliates, provided that this is admissible with regard to the purposes and legal grounds set out under ‘PURPOSES AND LEGAL GROUNDS OF PROCESSING’.

Your personal data are processed on our behalf under processing contracts within the meaning of Art. 28 GDPR. In these cases, we ensure that personal data are processed in accordance with the provisions of the GDPR. In this case, the categories of recipient are providers of applicant management systems and software. Our provider is HRworks GmbH, Waldkircherstr. 28, 79106 Freiburg im Breisgau, Germany.

The software from HR-Works uses the following technically necessary cookies:

• HrwJobApplicationmanagementSession

This cookie is used by the applicant management software ‘HRworks-Bewerbermanagement’. It displays the session of the person in our job portal. This is necessary for operational reasons in order to distinguish between the users of the session. This cookie is technically necessary.

• AWSALB and AWSALBCORS

These two cookies are used by the applicant management software ‘HRworks-Bewerbermanagement’. On the one hand, they are necessary in order to allocate information to the correct server instance. On the other hand, they are necessary for the purposes of uploading application documents, so that the process can run smoothly for the applicants. This cookie is technically necessary.

More information about the HR software’s data protection provisions is available in the privacy policy of HRworks GmbH.

Otherwise, data are only disclosed to recipients outside of the company if statutory provisions permit or require it, the disclosure is necessary to comply with legal obligations or we have your consent.

TRANSMISSION TO THIRD COUNTRIES

We do not intend to transmit data to a third country.

DURATION OF DATA RETENTION

We store your personal data for as long as this is necessary to reach a decision on your application. Your personal data and application documents will be erased no later than six months after the end of the application process (e.g. notification that the application was unsuccessful), unless a longer retention period is legally necessary or admissible. Furthermore, we shall only store your personal data where legally necessary or for the duration of a legal dispute if necessary for the establishment, exercise or defence of legal claims.

If you have consented to the retention of your personal data for a longer period of time, we will store the data in line with your declaration of consent.

If the application process leads to employment, training or an internship, we will continue to store your data initially – where necessary and admissible – and then transfer the data to your personnel file.

After the application process, you might receive an invitation to join our talent pool. This enables us to consider you in our pool of applicants if a suitable vacancy should arise in future. If we have your consent to do so, we will store your application data in our talent pool in line with your consent or any future declarations of consent.

YOUR RIGHTS

Every data subject has the right to access information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to be notified pursuant to Art. 19 GDPR and the right to data portability pursuant to Art. 20 GDPR.

You are also entitled to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR if you consider that the processing of your personal data is unlawful. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.

Where the processing of data is based on your consent, you are entitled under Art. 7 GDPR to withdraw your consent to the use of your personal data at any time. Please note that the withdrawal is only effective going forward. It does not affect processing which took place before your withdrawal of consent. Please also note that we might have to store certain data for a certain period of time in order to meet statutory requirements (see section 8 of this privacy policy).

Right to object:

Where your personal data are being processed for the purposes of a legitimate interest in accordance with Art. 6 (1) lit. f GDPR, you are entitled to object, on grounds relating to your particular situation, at any time to processing of personal data in accordance with Art. 21 GDPR. In that case, we shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing. These grounds must override your interests, rights and freedoms or serve the establishment, exercise or defence of legal claims.

If you wish to exercise your rights, you can contact us using the information provided in section 1.

NECESSITY OF PROVIDING PERSONAL DATA

When you provide personal data as part of application processes, you do so voluntarily. However, we cannot decide to establish an employment relationship or hire you unless you provide the personal data needed to complete the application.

AUTOMATED DECISION-MAKING

The decision on your application is not based exclusively on automated processing. As such, automated individual decision-making does not take place within the meaning of Art. 22 GDPR.

5. Passing on of personal data to third parties

Northrail GmbH will treat your personal data confidentially. This data is received centrally by Northrail GmbH when contact is made via our general email address and, where necessary, is passed on to other areas of the company within the scope of the stated purposes. Any further disclosure to third parties will only take place if we are legally obliged to do so, if we commission an external service provider to process your information and if data is processed on the basis of contracts in accordance with Art. 28 GDPR. An example of this is the sending of letters or emails or processing by host providers or providers of applicant management systems. These service providers only receive the information needed to fulfil their tasks. They are not allowed to use it for other purposes and are obliged to treat the information in accordance with the GDPR and the Federal Data Protection Act (new). We also conclude appropriate confidentiality agreements and, where applicable, order processing agreements with each partner. In all other cases, we will inform you if personal information is to be passed on to third parties, thus giving you the opportunity to give your consent.

6. Links to other websites

Northrail GmbH sets links to third-party websites on this website. On the websites of the third parties, the privacy policy of Northrail GmbH does not apply to the processing of personal data by this third party. Northrail GmbH recommends that you always inform yourself about the data protection information on the websites of these third parties.

7. User rights

You can request information about your personal data stored by us free of charge at any time. You are also entitled to have this data corrected or completed if necessary, should it prove to be incorrect or incomplete, and furthermore — if the respective conditions are met — to make use of your right to restrict the processing of your data or to demand the deletion of your personal data. This does not apply if storage is required by law. If deletion cannot be carried out, data processing will be restricted.

Your request should be sent to the following contact details: Northrail GmbH, Brandstwiete 1, 20457 Hamburg, email: datenschutz@northrail.eu

You also have the right to object at any time to the processing of personal data concerning you. This does not apply to data whose collection is absolutely necessary for the provision and operation of the websites. If you have contacted us by email or applied to us via an online job platform, you can also object to the storage of your personal data at any time. In such a case, the conversation cannot be continued and the application process cannot be continued. After receiving your objection, we will no longer use, process or transmit the data concerned for purposes other than the processing of the concluded contracts. The lawfulness of the processing carried out until the revocation remains unaffected by this.

If you wish to object to the collection, processing or use of your data by Northrail GmbH in accordance with these data protection provisions, either in whole or for individual measures, you can send your objection to the following contact details: Northrail GmbH, Brandstwiete 1, 20457 Hamburg, email: datenschutz@northrail.eu

8. Responsible body in the sense of data protection

Northrail GmbH
Brandstwiete 1
20457 Hamburg
Email: datenschutz@northrail.eu

9. Data Protection Officer

Proliance GmbH
Data Protection Officer Northrail GmbH
Leopoldstr. 21
80802 Munich