Data Protection notice

Introduction

This data protection notice applies to the processing of personal data we collect when you visit our website, use our mobile app, when we provide you our Services and the processing of personal data of persons who work for companies with which we conduct (or intend to conduct) business.

 

Your privacy and the security of your personal data is important to

 

GULP Information Services GmbH
Landsberger Straße 187
80687 München

 

and

 

GULP Solution Services GmbH & Co. KG
Breite Straße 137-139
50667 Köln

 

and

 

GULP Consulting Services GmbH
Landsberger Straße 187
80687 München

 

and the rest of the Randstad Group companies.  We are responsible for ensuring that all personal data entrusted to us is processed in accordance with applicable data protection legislation.


This notice explains who we are, for what purposes we may use your personal data, how we handle it, to whom we may disclose it such as clients, service providers and/or other Randstad Group Companies, where it may be transferred to or accessible from and what your rights are.

About us

The controllers (referred to in this notice as: “we” or “us”), will process your personal data in accordance with this data protection notice (such personal data sometimes also referred to as “information”).


Except as otherwise set out below, the controllers are ‘controller’ within the meaning of applicable data protection legislation.


For the efficient operation and management of our business, Randstad Group Companies may in certain instances jointly define the purposes and means of Processing Personal Data (joint controllers).


Processing activities where Randstad Group companies can jointly process personal data are those related to operating a joint client and personnel database, in particular for the purpose of staffing projects and positions. In this context the following entities  process data within a joint controllership intended starting March 21st, 2022:

 

  • Randstad Deutschland GmbH & Co. KG
  • Randstad Outsourcing GmbH
  • Randstad Automotive GmbH & Co. KG
  • GULP Information Services GmbH
  • GULP Consulting Services GmbH
  • GULP Solution Services GmbH & Co. KG
  • GULP Schweiz AG
  • Mühlenhoff & Partner GmbH (Risesmart) 

 

Presumably as of 20.06.2022, the following companies will additionally join the aforementioned joint controllership:

  • Tempo Team Management Holding GmbH
  • Tempo-Team Personaldienstleistungen GmbH
  • Tempo-Team Engineering GmbH
  • Tempo-Team Outsourcing GmbH
  • Tempo-Team Managed Service Provider GmbH

The essence of the joint controllership arrangement can be found here  as soon as the agreement is in force.

In addition, the above companies have a joint controllership agreement with Randstad N.V. regarding managing our Misconduct Reporting Procedure and Sanctions checks. We will provide you with the essence of this joint accountability agreement upon request.


Please contact us (see the section “Contact us” below) if you want to know more about these jointly-controlled processing activities or would like to receive a summary of the joint controllers’ roles and responsibilities and/or exercise your data protection rights regarding any jointly-controlled processing of your personal data.

Website visitor

When you visit the www.gulp.de website or a GULP App app, we collect some information related to your device, your browser and to the way you navigate our content. We may use cookies to collect this personal data. Controller in this context is GULP Information Services GmbH.

 

Cookies are small text files that are saved on your device when you visit our website. Cookies enable the website to remember your actions and preferences (for example, your choice of language) and recognize you when you return, so that we may analyze trends, determine your areas of interest and  administer our website in order to speed up the navigation process and to make your site experience more efficient.

 

What personal data do we collect

When you visit these websites, we gather information that relates to your device, your browser and to the way you navigate our website content, such as:

  • the Internet Protocol (IP) address of your device
  • the IP address of your Internet Service Provider
  • device screen resolution
  • device type (unique device identifiers)
  • browser and operating system versions
  • geographic location (country only)
  • preferred language used to display
  • the date and time of access to the website
  • the internet address from which you were directly linked through to our website
  • the control system that you use
  • the parts of the website that you visit
  • the pages of the website that you have visited and the information that you viewed
  • the hyperlinks you have clicked
  • the results of voluntary surveys you take
  • the material that you send to or download from our website
  • the contact details and communication you voluntarily share with us

If you choose to download reports or white papers; or to subscribe to newsletter news, events and alerts; or submit an inquiry you may be asked to fill out a form with information such as your name, e-mail address, job title and company. From the moment you engage in one of the aforementioned actions, GULP will be able to relate the information listed above about your device, your browser and to the way you navigate the website content directly to you. If you voluntarily decide to provide personal data, this data will be stored until the purpose no longer applies or until you revoke your consent, however, it will be deleted at the latest after one year without interaction.

 

Why do we need you personal data

GULP processes your personal data only for the purposes specified below:

 

Purposes for which we process your personal data Legal grounds for the processing of your personal data
To manage the website and for system administration purposes (e.g. also for diagnosing technical problems, analyse the traffic to our website)

(a) Legitimate interest in managing our website, marketing and communications strategy (Art. 6 (1) lit. f GDPR); and/or
(b) Where (a) is not possible because local mandatory law requires so, only in those limited cases may this be based on a consent according to Art. 6 (1) lit. a GDPR

For web analytics, in order to optimize the user experience (analyzing the way our pages are visited, analyzing trends, observe and measure how our visitors engage with our website) and the quality of the content provided to you (e.g. job posting)

(a) Legitimate interest in improving our website, marketing and communications strategy (Art. 6 (1) lit. f GDPR); and/or
(b) Where (a) is not possible because local mandatory law requires so, only in those limited cases may this be based on a consent according to Art. 6 (1) lit. a GDPR

If you choose to download our reports or white papers or to subscribe to news, events and alerts, fill in webforms, we will use the information you provide us to send you the content requested, to communicate with you (including, where you agree, to send you related information that might be of interest to you) and to improve our marketing and communication strategy We can send whitepapers, newsletters, events and alerts where you have given consent according to Art. 6 (1) lit. a GDPR to receive this. If you are no longer interested in these messages of the controller you are always able to opt-out from receiving such communications.
For managing specific inquiries you sent to us via contact form or e-mail (mailto-links) (a) Legitimate interest of improving our website, marketing and communications strategy (Art. 6 (1) lit. f GDPR);
(b) If the contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR, i.e. the realisation of pre-contractual measures.
Cooperating with law enforcement agencies/courts, management of legal disputes/claims and handling any reports through the controller's misconduct reporting procedure Processing is necessary for the purpose of the legitimate interests pursued by the controller according to Art. 6 (1) lit. f GDPR, which include the protection of company assets, protecting its legal interests, managing legal claims/disputes and handling reports of potential misconduct within or relating to the controller

Our cookies

Please find more information on the cookies, plug-ins, tracking tools as well as social media we use, for what purpose, how long your data will be stored, with whom it will be shared and further settings for configuring or deleting in our cookie notice

 

Applicants and Candidates

We use your personal data when providing our HR-services, which include services in the field of recruitment and selection, mediation, temporary staff, project matching, secondment, payroll, personal development, career guidance, coaching, planning, and personnel and salary administration as further described in the Terms and Conditions (collectively “Services”).

 

By innovating at scale, the controllers will fulfill our compelling vision: to empower lifelong employability and deliver on our brand promise of proactivity, transparency and guidance to offer a truly enriching talent experience for finding a job around the world.

 

What personal data do we collect about you

As a candidate, we collect and process personal data about you such as:

 

  • Identification information – we may process your name, contact information (including home address, home phone number and mobile phone number), citizenship and country of residence, date of birth, (in exceptional cases) gender, digital signature and languages spoken.
  • CV/resumes and other recruitment information – we may process your CV/resume, work history, information about your skills, your experience and educational background and other relevant information (such as your photograph, interview results and personal data included in the cover letter or as part of the application process).
  • Compensation and benefits information – we may process personal data relating to your current compensation and benefits including (without limitation) your current bonus, recurring payments and benefits.
  • Performance-related information – performance-related information including (without limitation) information on your performance reviews from your employer or clients you have worked for.
  • Government issued identifiers – we may process government issued identifiers including (without limitation) the national identification number, social insurance number and social security number, as legally required.
  • Photographs and video footage – when participating in recruitment-related events, meetings, conferences etc., we may process photographs or videos of you.
  • Visitor information – when accessing our buildings, we may collect your name, contact details, car plate number, and other identification for security reasons. Where we are legally required to do so we may also ask you to disclose information about your health (including information related to viral infections, flu, etc.) for health and safety reasons.
  • Survey results – we may process your responses to questions in surveys.
  • Information you choose to share with us – we may process additional personal data if you choose to share that with us.
  • Contracts and invoicing - depending on your chosen service as freelancer, we may process information about the necessary contracts and invoices, included but not limited to bank account information.

 

This data may be obtained directly or indirectly from you, e.g. by e-mail, form, by uploading a curriculum vitae (CV) or by using LinkedIn or XING ("individual application"); or by registering and creating an applicant account with or without a newsletter subscription. In case we obtained the data indirectly from you, we will inform you of the purpose and data sources we use, when we communicate with you in connection with our Services (e.g. to alert you about a job opportunity), or in any event within one month of the time we indirectly obtain your data. The exception is where the provision of this information to you would cause disproportionate efforts. In that case, we may take alternative measures to protect your rights and freedoms. 

 

Why do we need your personal data

We processes your personal data only for the purposes specified below:

 

Purposes for which we process your personal data Legal grounds for the processing of your personal data
To provide our Services to you (including matching and proposing you to clients, interviews, assessments). For example, we may process your personal data to recommend jobs to you based on your profile and enable our consultants to provide you with tailored job opportunities, career advice, reskilling options, inclusiveness, suggest additional training where necessary and introduce you to hiring managers.

(a) The processing of your data and the use of automated systems is necessary to provide you with the matching services, and is therefore based on (pre-) contractual necessity according to Art. 6 (1) lit. b GDPR
(b) If and only if the local process would not amount to a legally binding contractual relationship under (a) or if applicable law prescribes otherwise, the exception could be based on our legitimate interest to build and maintain a relationship (Art. 6 (1) lit. f GDPR).
(c) Furthermore, data required for the placement or talent pool may also be collected and processed on the basis of consent according to Art. 6 (1) lit. a GDPR.

Invoicing of assignments (freelancers) This processing is necessary for the fulfillment of contractual obligations according to Art. 6 (1) lit. b GDPR.
Training and updating of systems/statistical purposes. Some of the systems that we use to provide our Services are based on machine learning technology. In order for that technology to function reliably, it needs to be trained and updated on the basis of existing data. We may also process personal data in an aggregated manner for statistical purposes. Based on our legitimate interest in training and updating our systems according to Art. 6 (1) lit. f GDPR. We have implemented mitigating measures to limit the privacy impact, such as de-identification and an easy opt-out in your choices.
Dispute management, litigation and handling any reports through the controllers' misconduct reporting procedure Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests, managing legal claims/disputes and handling reports of potential misconduct within or relating to the controllers (Art. 6 (1) lit. f GDPR)
Compliance with labor, tax and social security laws and other legal or regulatory requirements (e.g. equal opportunity and workplace diversity requirements) Processing is necessary for compliance with employment and compliance with our legal obligations under labor, tax, social security and other laws and regulations according to Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b + i GDPR
Events and event photographs or video footage

Based on our legitimate interest (Art. 6 (1) lit. f GDPR) in maintaining a good relationship with our community of candidates and promoting our services by inviting you to our events (if you are an applicant) or consent according to Art. 6 (1) lit. a GDPR (if you are a former employee).
In case of publishing the footage, we will generally ask for your consent (Art. 6 (1) lit. a GDPR) if needed.

Conduct surveys, Optimization Based on our legitimate interest to survey our candidates and freelancers so as to better understand their needs, to improve our services and to build and maintain a good relationship according to Art. 6 (1) lit. f GDPR
Business development (including sending direct marketing and offers) Depending on the circumstances this may be based either on your consent (Art. 6 (1) lit. a GDPR) or on our legitimate interest (Art. 6 (1) lit. f GDPR) to maintain good relations with our current or prospective clients and suppliers. You can always choose not to receive direct marketing and offers from us; see the section “Your data protection rights” below
Facilities, security and contingency planning purposes Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include safeguarding and securing our assets, our facilities, our information systems and our people (Art. 6 (1) lit. f GDPR)
To conduct corporate transactions (including mergers, acquisitions and divestments) Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the controllers’ interest in developing their business through mergers, acquisitions and divestments according to Art. 6 (1) lit. f GDPR
To receive performance related information

Requesting this personal information is based on your explicit consent (Art. 6 (1) lit. a GDPR).
As freelancer this processing is based on our legitimate interest in promoting you in the best possible way for potential new assignments according to Art. 6 (1) lit. f GDPR

Risk assessments, profile data enrichment and database maintenance (freelancer) The processing of your data and the use of automated systems is necessary to provide you with our services, and is therefore based on (pre-) contractual necessity according to Art. 6 (1) lit. b GDPR
Using matching software Processing is based on our legitimate interest to provide you with the best opportunities, however you will be given an explicit Opt-Out option according to Art. 6 (1) lit. f GDPR
Usage of messengers Only if you have given your consent according to Art. 6 (1) lit. a GDPR, using such software is possible.
Transfer to other Randstad entities

(a) The transfer of your data to other Randstad entities is necessary to provide you with the best possible matching services, and is therefore based on (pre-) contractual necessity according to Art. 6 (1) lit. b GDPR
(b) In cases, where (a) ist not applicable, we have a legitimate interest in promoting you and providing you with better chances in the project and job markets (Art. 6 (1) lit. f GDPR); and/or
(c) If your interest outweighs our legitimate interest, the transfer be based on your consent (Art. 6 (1) lit. a GDPR), therefore we will ask for your permission to share your personal data with our affiliates (that are not member of the joint controllership) or otherwise connected companies

Newsletter Only if you have given your consent according to Art. 6 (1) lit. a GDPR, we will send you newsletter regarding topics that might be of interest for you and are connected to our services
Anonymisation of data for further legitimate purposes, such as processing in test systems and for statistical purposes Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include optimizing their business and services (Art. 6 (1) lit. f GDPR)

 

How long we keep your personal data

Your data will generally be retained for as long as is necessary for the respective task fulfilment, taking into account the statutory retention periods. If the data must be retained due to legal obligations (for example, in the case of reimbursement of your travel expenses due to archiving obligations under tax law), the data will be deleted after expiry of the respective retention obligation. The archiving obligations under tax law regularly amount to ten years.


If you decided to only apply to one certain position without choosing to be included in our talent pool, your personal data will generally be deleted or anonymised after 6 months after a negative answer, unless you have given us your consent for a longer retention.


Data that we have transferred to our central HR system in order to carry out pre-contractual measures (application) will be anonymised no later than 120 calendar days after deletion of the applicant account. Should you (freelancer) have created a profile in our profile database, this entry will be deleted within 14 calendar days.


We delete or anonymise data that we process on the basis of your consent according to specification in the consent, however after three years at the latest.


If you have subscribed to our newsletter, you can unsubscribe at any time. For this purpose, you will find a corresponding link in each newsletter.

Temporary workers

We collect and process your data for the execution of our HR services, including mediation, staffing, secondment, payroll, recruitment & selection, in- and outsourcing, personal development and employability, reintegration, career guidance and outplacement, advice, planning and personnel and payroll administration.

 

What personal data do we collect about you

When you are a temporary worker on an assignment at one of our clients, we may process personal data about you such as:

  • Identification information – your name, contact information (including home address, home phone number and mobile phone number), citizenship and country of residence, date of birth, (in exceptional cases) gender, signature and languages spoken.
  • Professional information – we may process personal data related to your work including (without limitation) your job title, description and location, your department, professional email address, reporting levels, and employment status (full-time/part-time/etc.).
  • Financial information – financial information including (without limitation) your bank account number, bank details, VAT number.
  • Salary information – we may process salary information including (without limitation) recurring payments and benefits, your bonus.
  • Performance-related information – performance-related information including (without limitation) information on your performance reviews.
  • Disciplinary information – information relating to disciplinary measures taken against you, if any.
  • Grievance information – In order to assist in the reporting of grievances and (suspected) misconduct within the Randstad Group of companies, we have established dedicated channels through which stakeholders may voice concerns, either through local reporting mechanisms in place at the level of the local Randstad Group companies or, for serious misconduct (including whistleblowing), through our Integrity Line, the Randstad Group reporting facility. Whenever we receive a grievance report or a report about (suspected) misconduct we may process personal data related to the complainant, the other individuals mentioned in the complaint and the person(s) that is/are subject of the complaint and/or of the investigation into the complaint.
  • Government issued identifiers – government issued identifiers including (without limitation) the national identification number, social insurance number and social security number, as legally required.
  • CV/resumes and other recruitment information – your CV/resume and other relevant information (such as your photograph, interview notes and information included in the cover letter or as part of the application process).
  • Travel and expense data – travel and accommodation information and expenses including (without limitation) travel itineraries, hotel and travel reward cards.
  • Information you choose to share with us – information you choose to share with us, including (without limitation) information you share when using IT support or calling the helpline, and information about you that may be conveyed by your use of a webcam in communicating with us.
  • Vehicle information – information about your personal or company car including (without limitation) your license plate, parking tickets and driving fines.
  • Photographs and video footage – when participating in external or internal events, meetings, conferences or other events, we may process photographs or videos of you.
  • Trade union membership – data revealing your trade union membership.
  • Family and dependent information – information related to your family and dependents including (without limitation) emergency contact information.
  • Information related to identification/access control cards – employee identification and access control cards may contain your name, photograph, employee number and may be linked to other details on record (department, phone number, license plate).
  • CCTV footage – we may process footage of you obtained through our use of CCTV surveillance systems.
  • Survey results – we may process your responses to questions in employee or satisfaction surveys.
  • Information related to your usage of company devices, software and access to company network – we may process information related to your use of our devices, software and access to our networks, including (without limitation) your browsing history, your use of email, internet and social media, whether at the workplace, on our equipment or otherwise through our networks.
  • Visitor information – when accessing our buildings, we may collect your name, contact details, car plate number, identification, etc. for security reasons. Where we are legally required to do so we may also ask you to disclose information about your health for health and safety reasons.
  • Further special categories of data, such as:
    • Health-related information – health-related information including (without limitation) injuries and exposure, incident reports, disability, sickness and absences and maternity leave information, as legally required.
    • Religious affiliation information – data about your religious affiliation in case this is necessary for payrolling.
  • To the extent we process these special categories of data, we will protect, secure and use that information in a manner consistent with this notice and applicable laws.
  • Trade sanctions information relating to you – we may verify whether you are a politically exposed person, a specially designated national or otherwise subject to sanctions under applicable laws or regulations.

 

Why do we need your personal data

We processes your personal data only for the purposes specified below:

 

Purposes for which we process your personal data Legal grounds for the processing of your personal data
General HR management and administration purposes (including workforce management)

The processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + §26 (1) BDSG); and/or
Processing is necessary for compliance with employment and social security legal obligations (Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b GDPR)
Furthermore, data required for the placement or the talent pool may also be collected and processed on the basis of consent according to Art. 6 (1) lit. a GDPR.

Compensation, payroll and expense reimbursement (including reporting and billing to clients)

The processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + §26 (1) BDSG); and/or
Processing is necessary for compliance with employment and social security/tax legal obligations (Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b GDPR)
If and only if the local process would not amount to the above grounds, processing may be based on the legitimate interest of a third party (client) in verifying the correctness of invoicing (Art. 6 (1) lit. f GDPR)

Insurance, pension and other benefits

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + §26 (1) BDSG); and/or
Processing is necessary for compliance with employment and social security legal obligations (Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b GDPR)

Performance management, career development and training

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the development and training of employees according to Art. 6 (1) lit. f GDPR

Fleet management

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR) + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include safeguarding our assets according to Art. 6 (1) lit. f GDPR

Disciplinary and grievance management, investigations, appeals (including managing complaints) and handling reports through the operational misconduct reporting procedure Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests and managing legal claims/disputes (Art. 6 (1) lit. f GDPR)
Dispute management, litigation and handling any reports through the controllers’ misconduct reporting procedure

(a) The processing is based on legal obligations according to Art. 6 (1) lit. c GDPR;
(b) If and only if the local process would not amount to a legal obligation under (a) or if applicable law prescribes otherwise, the exception could be based on the legitimate interests pursued by the controllers or responsible authorities, which include the protection of company assets, protecting their legal interests, managing legal claims/disputes and handling reports of potential misconduct within or relating to Randstad according to Art. 6 (1) lit. f GDPR

Health and safety management

The processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
Processing is necessary for compliance with employment and social security legal obligations (Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b + i GDPR and §22 (1) lit. c BDSG).

Managing holidays, leaves and other absences

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + §26 (1) BDSG); and
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include improving efficiency in the workplace and the proper conduct of their business according to Art. 6 (1) lit. f GDPR

Compliance with labor, tax and social security laws and other legal or regulatory requirements (e.g. equal opportunity and workplace diversity requirements) Processing is necessary for compliance with employment and compliance with our legal obligations under labor, tax, social security and other laws and regulations according to Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b + i GDPR and §22 (1) lit. c BDSG

IT support

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include safeguarding our assets and ensuring security of our information systems according to Art. 6 (1) lit. f GDPR

Facilities, security and contingency planning purposes

 

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include safeguarding and securing our assets, our facilities, our information systems and our people according to Art. 6 (1) lit. f GDPR

Network and device usage optimization and related security controls (including company network access and authentication)

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include safeguarding our assets and ensuring security of our information systems according to Art. 6 (1) lit. f GDPR

Preventing, detecting and investigating fraud and other crimes, and compliance with sanctions regimes (including identification of politically exposed persons, specially designated nationals  and screening against sanctions lists)

Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests and managing legal claims/disputes according to Art. 6 (1) lit. f GDPR; and/or
Processing is necessary to comply with our legal obligations (including when authorities or administrations ask information about a temporary worker) according to Art. 6 (1) lit. c GDPR and Art. 9 (2) lit. b GDPR

Emergency and disaster management

Based on a legitimate interest pursued by the controllers, which includes ensuring the safety of employees and candidates according to Art. 6 (1) lit. f GDPR; and
Where the above ground is not possible because local mandatory law requires so, only in those limited cases may this be based on a consent (Art. 6 (1) lit. a GDPR)

Relocation, mobility and travel management

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include improving efficiency in the workplace and the proper conduct of their business according to Art. 6 (1) lit. f GDPR

To monitor and enforce compliance with Randstad policies and procedures

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
For the purpose of the legitimate interests pursued by the controllers, which include safeguarding our assets and ensuring security of our information systems according to Art. 6 (1) lit. f GDPR

To monitor and enforce compliance with legal obligations applicable to us (including the requirements set out in your contract with us)

Processing is necessary for the performance of the temporary worker’s employment contract (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG); and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests and managing legal claims/disputes according to Art. 6 (1) lit. f GDPR

Recruitment and staffing

(a) (pre)contractual necessity for our services when matching (e.g. via Terms & Conditions on the website) or when we enter into an employment contract with you we require some data to be able to draw up this contract and to then be able to execute it correctly (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG);
(b) If and only if the local process would not amount to a legally binding contractual relationship under (a) or if applicable law prescribes otherwise, the exception could be based on our legitimate interest to build and maintain a relationship according to Art. 6 (1) lit. f GDPR;
(c) Where (a) and (b) are not possible or local mandatory law requires so, only in those limited cases may this be based on a consent (Art. 6 (1) lit. a GDPR)

Conduct surveys, optimization statistical purposes

(a) (pre)contractual necessity for our services when the survey is about your objective observation as an employee (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG);
(b) If and only if the local process would not amount to a legally binding contractual relationship under (a) or if applicable law prescribes otherwise, the exception could be based on our legitimate interest to better understand their needs, to improve our services and to build and maintain a good relationship with our temporary workers and with the clients our temporary workers work at according to Art. 6 (1) lit. f GDPR;
(c) Where (a) and (b) are not possible or local mandatory law requires so, only in those limited cases may this be based on a consent (Art. 6 (1) lit. a GDPR)

Events

(a) contractual necessity in case the events are initiated by the works council or serves your information on your relationship with us (Art. 6 (1) lit. b GDPR + + §26 (1) BDSG);
(b) If and only if the local process would not amount to a legally binding contractual relationship under (a) or if applicable law prescribes otherwise, the exception could be based on our legitimate interest to organise events so as to better build and maintain a good relationship with the community of temporary workers and with the clients our temporary workers work at according to Art. 6 (1) lit. f GDPR;

To manage memberships of employees to professional associations

 

The processing of this personal data is based on our legal obligations regarding payrolling, especially in connection with the collective wage agreement for temporary workers (Art. 6 (1) lit. c GDPR, Art. 9 (2) lit. b + i GDPR and §22 (1) lit. c BDSG, §26 (1) BDSG and §15 MTV Zeitarbeit).

To perform internal and external audits

(a) Based on legal requirement (such as the GDPR itself) according to Art. 6 (1) lit. c GDPR;
(b) Where (a) is not applicable, but we have a binding contract with you, this can be based on our contractual obligations (Art. 6 (1) lit. b GDPR);
(c) Where (a) and (b) are not applicable, this may be necessary for the purpose of the legitimate interests pursued by the controllers, which include improving efficiency in the workplace and the proper conduct of their business, including compliance with laws and regulations according to Art. 6 (1) lit. f GDPR

To conduct corporate transactions (including mergers, acquisitions and divestments)

Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the controllers’ interest in developing their business through mergers, acquisitions and divestments according to Art. 6 (1) lit. f GDPR

Transfer to other Randstad entities

(a) The transfer of your data to other Randstad entities is necessary to provide you with the best possible matching services, and is therefore based on (pre-) contractual necessity according to Art. 6 (1) lit. b GDPR
(b) In cases, where (a) ist not applicable, we have a legitimate interest in promoting you and providing you with better chances in the project and job markets (Art. 6 (1) lit. f GDPR); and/or
(c) If your interest outweighs our legitimate interest, the transfer will be based on your consent (Art. 6 (1) lit. a GDPR), therefore we will ask for your permission to share your personal data with our affiliates (that are not member of the joint controllership) or otherwise connected companies

Anonymisation of data for further legitimate purposes (such as processing in test systems and for statistical purposes)

Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include optimizing their business and services according to Art. 6 (1) lit. f GDPR

 

How long we keep your personal data

We process and store your data for as long as is necessary to fulfil our contractual and legal obligations. Please note that our employment relationship with you is a continuing obligation that is intended to last for years.

 

If your data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted or anonymised by us, unless its further processing or archiving is required for legal reasons. These legal reasons include, for example, retention obligations under commercial and tax law (from the German Commercial Code and the German Fiscal Code).

 

In addition, we may need your data for the fulfilment of social insurance obligations even after termination of the employment relationship (e.g. for issuing a certificate of employment), for which the deadlines of social law apply.

 

If we process your trade union affiliation within the framework of the collective agreement on temporary work (MTV Zeitarbeit), we delete it after the payroll has been settled.

 

Furthermore, we may need your data for evidentiary purposes in connection with the termination of the employment relationship or with regard to the rights and obligations arising from the employment relationship. As a rule, this data is deleted after the expiry of the limitation periods.

 

We delete or anonymise data that we process on the basis of your consent according to specification in the consent, however after three years at the latest.

 

We may keep your personal data longer if necessary in connection with any actual or potential dispute (e.g. we need this personal data to establish or defend legal claims), in which case we will keep your personal data until the end of such dispute.

Business relations

In the context of our Services, we process your personal data if you are working for companies with which we are conducting (or intending to conduct) business (e.g. to make offers for the Services and to maintain a business relationship with the company you work for).

 

What personal data do we collect about you

We process the following personal data about you:

  • Identification information – we may process your name and other contact information (including email address, landline phone number and mobile phone number), gender, digital signature and languages spoken.
  • Professional information – we may process information related to your work including (without limitation) your job title, your location and your department.
  • Photographs and video footage – when participating in our events, meetings, conferences etc., we may process photographs or videos of you.
  • Survey results – we may process your responses to questions in surveys.
  • Visitor information – when accessing our buildings, we may collect your name, contact details, car plate number, identification, etc. for security reasons. Where we are legally permitted to do so we may also ask you to disclose information about your health for health and safety reasons.
  • Information you choose to share with us – we may process additional information if you choose to share that with us.
  • Trade sanctions information relating to you – we may verify whether you are a politically exposed person, a specially designated national or otherwise subject to sanctions under applicable laws or regulations.

Why do we need your personal data

We process your personal data only for the purposes specified below:

 

Purposes for which we process your personal data

Legal grounds for the processing of your personal data

To administer and manage the contractual relationship between the controllers and our clients and suppliers

(a) Necessary for the performance of the contract between the controllers and the client or supplier (Art. 6 (1) lit. b GDPR)
(b) If and only if the local process would not amount to a legally binding contractual relationship under (a) or if applicable law prescribes otherwise, the exception could be based on our legitimate interest to build and maintain a relationship according to Art. 6 (1) lit. f GDPR.

Transfer to other Randstad entities

(a) The transfer of your data to other Randstad entities is necessary for communication for the purpose of placement of human resources, and is therefore based on (pre-) contractual necessity according to Art. 6 (1) lit. b GDPR
(b) In cases, where (a) ist not applicable, we and affiliated or connected companies have a legitimate interest in offering you optimal job placements (Art. 6 (1) lit. f GDPR); and/or
(c) If your interest outweighs our legitimate interest, the transfer is based on your consent (Art. 6 (1) lit. a GDPR), therefore we may ask for your permission to share your personal data with our affiliated companies (which are not part of the joint responsibility) or otherwise connected companies

Business development (including sending direct marketing and offers)

Depending on the circumstances this may be based either on your consent (Art. 6 (1) lit. a GDPR) or on our legitimate interest (Art. 6 (1) lit. f GDPR) to maintain good relations with our current or prospective clients and suppliers. You can always choose not to receive direct marketing and offers from us; see the section “Your data protection rights” below
Facilities, security and contingency planning purposes For the purpose of the legitimate interests pursued by the controllers, which include safeguarding and securing our assets, our facilities, our information systems and our people according to Art. 6 (1) lit. f GDPR

Health and safety management

Processing is necessary for compliance with legal obligations (Art. 6 (1) lit. c GDPR, Art. 9 (2) lit. i GDPR and §22 (1) lit. c BDSG).
In case where no legal obligation is applicable, we may seek for your consent according to Art. 6 (1) lit. a) GDPR as well as Art. 9 (2) lit. a GDPR.

To conduct corporate transactions (including mergers, acquisitions and divestments) Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the controller’s interest in developing their business through mergers, acquisitions and divestments according to Art. 6 (1) lit. f GDPR

Events

Based on our legitimate interest to organise events so as to better build and maintain a good relationship with our clients and our suppliers according to Art. 6 (1) lit. f GDPR
In case this cannot be based on legitimate interest, we will seek your consent (Art. 6 (1) lit. a GDPR)

Preventing, detecting and investigating fraud

To comply with our legal obligations when some authorities or administrations ask information about our contact as a client (including personal data) according to Art. 6 (1) lit. c GDPR; and/or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests and managing legal claims/disputes according to Art. 6 (1) lit. f GDPR

IT support Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include safeguarding our assets and ensuring security of our information systems according to Art. 6 (1) lit. f GDPR
Conducting surveys (including satisfaction surveys)

(a) Based on our legitimate interest to survey our clients so as to better understand their needs, to improve our services and to build and maintain a good relationship with our client according to Art. 6 (1) lit. f GDPR;
(b) Where (a) is not applicable, this may be based on consent (Art. 6 (1) lit. a GDPR)

Dispute management, litigation and handling any reports through the controllers' misconduct reporting procedure

Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests, managing legal claims/disputes with our clients and suppliers and handling reports of potential misconduct within or relating to the controllers according to Art. 6 (1) lit. f GDPR

Compliance with legal or regulatory requirements

Processing is necessary for compliance with our legal or regulatory obligations (e.g. obligations under tax or administrative laws to keep certain information including personal data) according to Art. 6 (1) lit. c GDPR
Preventing, detecting and investigating fraud

To comply with our legal obligations when some authorities or administrations ask for information including personal data (Art. 6 (1) lit. c GDPR); and;or
Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include the protection of company assets, protecting their legal interests and managing legal claims/disputes according to Art. 6 (1) lit. f GDPR

To monitor and enforce compliance with policies and procedures of the controllers

For the purpose of the legitimate interests pursued by the controllers, which include safeguarding our assets and ensuring security of our information systems according to Art. 6 (1) lit. f GDPR

To perform internal and external audits

 

(a) Based on legal requirements (such as the GDPR itself) according to Art. 6 (1) lit. c GDPR;
(b) Where (a) is not applicable, but we have a binding contract with you, this can be based on our contractual obligations (Art. 6 (1) lit. b GDPR);
(c) Where (a) and (b) are not applicable, this may be based on the legitimate interests pursued by the controllers, which include the proper conduct of their business and accuracy of financial reporting according to Art. 6 (1) lit. f GDPR

Newsletter Only if you have given your consent according to Art. 6 (1) lit. a GDPR, we will send you newsletter regarding topics that might be of interest for you and are connected to our services

Anonymisation of data for further legitimate purposes (such as processing in test systems and for statistical purposes)

Processing is necessary for the purpose of the legitimate interests pursued by the controllers, which include optimizing their business and services according to Art. 6 (1) lit. f GDPR

How long we keep your personal data

We process and store your data for as long as is necessary to fulfil our contractual and legal obligations. Please note that the business relationship with you or your employer may be a continuing obligation that may last for years.

 

In detail, this results in the following:

 

If GULP is in contact with you to initiate a business relationship and no contract is concluded with you or your employer, your personal data will be anonymised 18 months after the start of contract initiation discussions.

 

If GULP is in contact with you to initiate a business relationship and a contract is concluded with you or your employer, or if your personal data is only collected and processed in connection with an ongoing business relationship, your personal data will be anonymised, as soon as it is clear that you do not wish a continuing business relationship and further processing or archiving is not required for legal reasons.

 

These legal reasons include, for example, retention obligations under commercial and tax law (from the German Commercial Code and the German Fiscal Code). The periods specified there for the retention of data generally amount to two to ten years.

 

Furthermore, we may need your data for evidence purposes in connection with warranty claims, the termination of the business relationship or with regard to the rights and obligations arising from the contract with you or your employer. With regard to this data, it is usually deleted after the expiry of the limitation periods, whereby the regular limitation period of the German Civil Code is three years.

 

If we process your data on the basis of consent, we delete the data processed in connection with the consent after revoking your consent.

HR technologies


Our use of innovative HR technologies for candidate matching and services

Our ultimate goal is to support people and organizations in realizing their true potential. We believe that the best way to achieve that goal is by combining our passion for people with the power of today’s HR technologies. By HR technologies we mean technologies that help us digitize and enhance a variety of recruitment-related processes.


For example we use chatbots to improve your talent experience. Chatbots give candidates the opportunity to answer questions based on the requirements of the job they apply for.  This is a user-friendly way for candidates to:

  • provide us with relevant information that may not be readily apparent from the application, profile or resume of a candidate.
  • know promptly whether their skills meet a job’s essential requirements and, if not, to easily explore other jobs or to identify gaps in their skillset.
  • answer at any moment convenient to the user.

As part of the larger recruitment process, HR technologies allow us to connect candidates more quickly to our consultants.  This, in turn, allows our consultants to better support candidates in exploring jobs and to deliver the right candidates more quickly to our clients. HR technologies also allow our consultants to find people based not only on the jobs they qualify for but also on the basis of jobs they are interested in.

 

Improving the client experience

HR technologies help us to search through a broader and more diverse set of candidates so that we become even better at finding the best talent with the most relevant skill-set for our clients. Thanks to these technologies our consultants can focus on the tasks that require genuinely human traits that technology cannot emulate: creativity and emotion.

 

Web beacons

Our emails may contain a single, campaign-unique "web beacon pixel" to tell us whether our emails are opened and verify any clicks through to links or advertisements within the email. We may use this information for purposes including determining which of our emails are more interesting to users, to query whether users who do not open our emails, wish to continue receiving them and to inform our advertisers in aggregate how many users have clicked on their advertisements. The pixel will be deleted when you delete the email. If you do not wish the pixel to be downloaded to your device, you should select to receive emails from us in plain text rather than HTML.

 

Responsible use of HR technologies

The controllers are committed to the ethical and responsible use of innovative HR technologies (you can read our AI principles here). We do not use these technologies as a substitute for humans or human interaction in any part of the processes. Instead, our use of HR technologies is intended to make interactions with clients and candidates more personal, relevant and meaningful.


We strive to involve human beings whenever we make decisions that significantly impact you.  If, in exceptional cases, we were to make such decisions based on a fully automated process (ie. without involvement of humans), we will only do so where that is permitted by law and after having notified you.


To ensure all candidates are treated fairly we take steps to avoid bias where we use HR technologies. For example:

  • We regularly test the output created by these technologies to identify potential unfair bias.
  • We regularly obtain expert advice to continuously improve the way in which we identify and remove bias.
  • Both our consultants and our search and match algorithms are thoroughly trained and always work together.

With whom do we share your personal data

We may share your personal data:

  • with other entities of the Randstad group of companies. We are part of a multinational group of companies and sometimes we may share personal data with other Randstad groups of companies for the purposes of efficient management of business, compliance with legal and regulatory requirements and to provide our Services to you (include as matching) and to our clients. For an overview of these entities, click here.
  • with clients of the controllers. Within the scope of our services, including recruitment and provision of temporary work.
  • with competitors of the controllers in the context of projects regarding master vendor or managed service providers.
  • with third parties providing HR-related services to use (e.g. payroll service providers).
  • with third party providers of IT-related services (e.g. we use an external provider to support our IT-infrastructure; e.g. an important part of our software and databases sit in a cloud-environment which is operated by a third party service provider).
  • with third parties providers of marketing-related services (e.g. we may store your personal data in a cloud-based CRM-application that is hosted and provided by a third party service provider; e.g. when we use a third party service provider to organise an event or survey we may share your personal data with that third party in order to invite you to that event/survey).
  • with providers of professional services (e.g. to our auditors, our tax advisors, our legal advisors).
  • with banks and insurers (e.g. in order to pay the salaries of our temporary workers we share some of their personal data with our bank).
  • with pension funds.
  • with public authorities (e.g. pursuant to applicable law the controllers must disclose personal data to the social security authorities and to tax authorities).
  • with law enforcement authorities, courts and regulatory authorities (e.g. as part of a criminal investigation police services may require us to disclose personal data to them).

 

We may also disclose your personal data to third parties:

  • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets; or
  • if all or a substantial part of our assets are acquired by a third party, in which case the personal data that we hold about you may be one of the transferred assets.

 
When we share your personal data as described above, such personal data may be transferred both within and outside the European Economic Area (EEA). In the event that we transfer your personal data internationally, we will only do so in line with applicable law, and we will require that there is an adequate level of protection for your personal data, and that appropriate security measures are in place.

 

Your personal data may be transferred from countries located within the EEA to countries located outside of the EEA (such as the United States). In such cases, we will require that the following safeguards are observed:

  • The laws of the country to which your personal data is transferred ensure an adequate level of data protection. Click here for the list of non-EEA countries that, according to the European Commission, provide an adequate level of data protection; or
  • The transfer is subject to standard data protection clauses approved by the European Commission. More information about those data protection clauses is available here; or
  • Any other applicable appropriate safeguards under article 46 of the EU General Data Protection Regulation (2016/679).

 
For more information about the safeguards that we have implemented to protect your personal data internationally, please contact us at

Lars Beitlich
Landsberger Str. 396
81241 München
Tel.: +49 (89) 85 63 346 - 0
E-Mail: datenschutz@gulp.de
Website: www.ifdus.de

How we will protect your personal data

We have technical and organizational security measures in place to protect your personal data from being accidentally lost, used, altered, destructed, disclosed or accessed in an unauthorized way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your personal data are governed by rules of the controllers for information and IT security, data protection and other internal regulations and guidelines applicable to the processing of personal data.


While we have measures in place to protect your personal data, it is important for you to understand that 100% complete security cannot be guaranteed. Accordingly, we have procedures in place to deal with data security incidents and to comply with legal requirements applicable to the detection, handling and notification of personal data breaches.

Your data protection rights

You have the following rights regarding your personal data:

 

Rights

What does this mean?

1. Right to be informed

You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. This is why we are providing you with the information in this notice.
2. Right of access

You have the right to access the personal data we keep about you – this is because we want you to be aware of the personal data we have about you and to enable you to verify whether we process your personal data in accordance with applicable data protection laws and regulations.

3. Right to rectification

If your personal data is inaccurate or incomplete, you have the right to request the rectification of your personal data.

4. Right to erasure

This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep it. This is not a general right to erasure, there are exceptions.

5. Right to restrict processing

You have rights to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to make sure the restriction is respected in future.

6. Right to data portability

You have the right to obtain and reuse your personal data in a structured, commonly used and machine-readable format in certain circumstances. In addition, where certain conditions apply, you have the right to have such personal data transferred directly to a third party.

7. Right to object to processing

You have the right to object to certain types of processing, in certain circumstances. In particular, the right to object to the processing of your personal data based on our legitimate interests or on public interest grounds; the right to object to processing for direct marketing purposes (including profiling); the right to object to the use of your personal data for scientific or historical research purposes or statistical purposes in certain circumstances.

8. Right to withdraw consent

If our processing of your personal data is based specifically on your consent, you have the right to withdraw that consent at any time. This includes your right to withdraw consent to our use of your personal data in the context of voluntary employee surveys.

9. Right to object to automated decision making

You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects for you or similarly significantly affects you.  Automated decision making takes place when an electronic system uses personal data to make a decision without human intervention.  This is not a general right to object, there are exceptions.  For example, we are allowed to use automated decision making where it is necessary to perform a contract with you and appropriate measures are in place to safeguard your rights.  For further information, see the section “Innovative HR technologies”.

 

You can exercise your rights by contacting us under datenschutz@gulp.de

 

We will handle your request with special care to ensure your rights can be exercised effectively. We may ask you for proof of identity to ensure that we are not sharing your personal data with anyone else but yourself!

 

You must be aware that, in particular cases (for instance, due to legal requirements) we may not be able to make your request effective right away.


In any case, within one month from your request, we will inform you on the actions taken.

 

You have the right to lodge a complaint with a supervisory data protection authority: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

Links

Our website contains links to external third-party websites over whose content we have no influence. We cannot accept any liability for this third-party content and expressly distance ourselves from the linked pages. The respective provider or operator of the pages is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time of linking. Illegal contents were not recognisable at the time of linking. Should we become aware of any legal infringements, we will remove the corresponding link immediately.

SSL-Encryption

To protect the security of your data during transmission, we use encryption procedures via HTTPS that correspond to the current state of the art, e.g. SSL.

Changes to this Data Protection notice

We may update this notice from time to time. You can see the date on which the last change was made below in this notice. We advise you to review this notice on a regular basis so that you are aware of any changes.

Contact us

If you have any questions about this policy or any privacy concerns, or would like to exercise your rights, or obtain further information about the safeguards we have in place so that your personal data is adequately protected when transferred outside Europe, please contact us at

Lars Beitlich
Landsberger Str. 396
81241 München
Tel.: +49 (89) 85 63 346 - 0
E-Mail: datenschutz@gulp.de
Website: www.ifdus.de

This notice was updated on: December, 28th 2021