Information regarding joint controllership according to Art. 26 of the General Data Protection Regulation (GDPR)

With the following information, we provide you with the essential content that the companies of the Randstad Group have contractually defined in the course of a joint controllership pursuant to Article 26 of the GDPR for the processing of personal data in connection with the operation of a joint database for customers, prospects, candidates and applicants (hereinafter the database).

1. Joint operation, joint controllership

The database for clients, prospects, candidates and applicants is a joint system of the following legally independent companies of the Randstad Group:

 

  1. Company: Randstad Deutschland GmbH & Co.KG Address: Frankfurter Straße 100, D-65760 Eschborn
  2. Company: Randstad Outsourcing GmbH Address: Frankfurter Straße 100, D-65760 Eschborn
  3. Company: Randstad Automotive Solutions GmbH & Co. KG Address: Frankfurter Straße 100, D-65760 Eschborn
  4. Company: Randstad Logistics GmbH & Co. KG Address: Frankfurter Straße 100, D-65760 Eschborn
  5. Company: Randstad Professional GmbH Address: Landsberger Straße 187, D-80687 München
  6. Company: Randstad Professional Consulting GmbH Address: Landsberger Straße 187, D-80687 München
  7. Company: Randstad Professional Solutions GmbH & Co. KG Address: Breite Straße 137-139, D-50667 Köln
  8. Company: GULP Schweiz AG Address: Baslerstrasse 60, CH-8048 Zürich
  9. Company: Randstad RiseSmart GmbH Address: Kasernenstraße 49, D-40213 Düsseldorf
  10. Company: Randstad RiseSmart Transfergesellschaft mbH Address: Kasernenstraße 49, D-40213 Düsseldorf

(companies jointly referred to as „Randstad Group“).

 

The joint operation of the database entails that the companies of the Randstad Group in certain cases jointly determine the purposes and means of the processing of personal data and in this respect are to be regarded as joint controllers within the meaning of Article 26 (1) sentence 1 of the General Data Protection Regulation (hereinafter referred to as "GDPR").

The joint controllership of the Randstad Group companies covers all processing activities related to Customer Relationship Management, Candidate Relationship Management and Matching (matching of skills with customer job requirements) carried out in the context of the joint operation of the database.

2. What have the relevant Randstad companies agreed?

The companies have set out the principles for the joint processing of personal data and the respective data protection-relevant tasks and responsibilities within the scope of the joint operation of the database in a written agreement. In particular, the companies have reached an agreement on who is responsible in which way for managing your data protection rights pursuant to Articles 15 to 22 GDPR and for fulfilling the information obligations pursuant to Articles 13 and 14 GDPR.

The agreement reached between the companies also contains the basic rules for the internal organisation of their cooperation in the area of data protection in order to ensure the conditions for a seamless and smooth cooperation.

The essential content of this agreement is explained to you in the following sections.

3. How is the cooperation structured?

The companies have specifically defined in the agreement which responsibilities, accountabilities and powers the responsible employees from their companies are entitled to in each case with regard to joint data processing. Each company has appointed data protection officers who internally act as contact persons for all data protection issues in connection with the joint data processing.

In order to ensure data protection-compliant joint data processing, the companies shall also continuously coordinate and inform each other about all circumstances and findings from their respective spheres that could have a practical or legal impact on the joint data processing.

Notwithstanding this division of responsibilities, which only regulates the internal relationship between the companies, the companies are jointly responsible to you as the data subject for the lawfulness of the joint data processing.

4. Who is responsible for which obligations under the GDPR and what does this mean for you as a data subject?

a) Information obligations according to Art. 12 et seq. GDPR and Art. 26 (2) sentence 2 GDPR

The companies have agreed that they will coordinate the data protection information required under Art. 12 et seq. GDPR and make it available to the data subjects in a transparent and easily accessible manner. The information can be found in the respective data protection notices on the website of the respective company of the Randstad Group.

 

b) Managing of data subject rights

The specific rights to which you are entitled can be found in the section "Your rights" in our data protection information. If you wish to exercise your rights under Articles 15 to 22 GDPR with regard to the joint processing of your personal data by the companies, the following contact persons are available at the companies:

 

  1. Company: Randstad Deutschland GmbH & Co. KG, Contact person: Lars Beitlich, Contact details for data subject rights: betroffenenrechte@randstad.de
  2. Company: Randstad Outsourcing GmbH, Contact person: Lars Beitlich, Contact details for data subject rights: datenschutz-ros@randstad.de
  3. Company: Randstad Automotive Solutions GmbH & Co. KG, Contact person: Lars Beitlich, Contact details for data subject rights: betroffenenrechte@randstad.de
  4. Company: Randstad Logistics GmbH & Co. KG, Contact person: Lars Beitlich, Contact details for data subject rights: betroffenenrechte@randstad.de
  5. Company: Randstad Professional GmbH, Contact person: Lars Beitlich, Contact details for data subject rights: betroffenenrechte@randstad.de
  6. Company: Randstad Professional Consulting GmbH, Contact person: Lars Beitlich Contact details for data subject rights: betroffenenrechte@randstad.de
  7. Company: Randstad Professional Solutions GmbH & Co. KG, Contact person: Lars Beitlich, Contact details for data subject rights: betroffenenrechte@randstad.de
  8. Company: GULP Schweiz AG, Contact person: Lars Beitlich, Contact details for data subject rights: datenschutz@randstad.de
  9. Company: Randstad RiseSmart GmbH, Contact person: Udo Lahr, Contact details for data subject rights: datenschutz@muehlenhoff.com
  10. Company: Randstad RiseSmart Transfergesellschaft mbH, Contact person: Udo Lahr, Contact details for data subject rights: datenschutz@muehlenhoff.com

Notwithstanding this, you can also exercise the rights to which you are entitled in connection with the joint processing of your personal data directly against each individual company. In this case, the respective company will immediately forward the request to Randstad Deutschland GmbH & Co.KG for further processing, which is contractually entrusted with clarifying and responding to the data subject requests. To the extent necessary, the companies will assist Randstad Deutschland GmbH & Co.KG in responding to and handling of requests and concerns from data subjects.

 

c) Data protection incidents, communication with supervisory authorities

As the data protection officer, the respective contact person is also responsible for reviewing and handling in the event of breaches of personal data protection or a security-relevant disruption in joint data processing, including the fulfilment of any notification obligations to the competent supervisory authority (Art. 33 GDPR) or notification obligations to the data subjects (Art. 34 GDPR) that may be triggered as a result.

The companies have put in place arrangements to ensure that when a data protection incident within the sphere of influence of the respective company becomes known, a) all measures necessary to secure the data and to mitigate any possible adverse consequences for the data subjects are taken without undue delay and b) the data protection officers of the Randstad Group inform each other about the data protection incident.

The companies have also undertaken to inform each other immediately and completely if they discover errors or irregularities with regard to data protection provisions during the review of processing activities.

 

d) Fulfilment of other essential obligations under the GDPR

The companies have also contractually undertaken to ensure, within their respective spheres of competence and influence, compliance with the legal provisions, in particular the lawfulness of the data processing carried out by them within the scope of joint controllership.  In particular, each company shall in its respective sphere of competence and influence

  • ensure that only such personal data is collected that is absolutely necessary for the lawful handling of the process,
  • ensure that its personnel maintain data confidentiality in accordance with Articles 28 (3), 29 and 32 GDPR and are appropriately bound to data secrecy as well as instructed in the data protection provisions relevant to them,
  • implement the necessary technical and organisational security measures in accordance with Article 32 GDPR, check them regularly and keep them up to date with the current state of the art,
  • include the processing operations covered by joint controllership in its processing activity register pursuant to Art. 30 (1) GDPR and properly retain documentation within the meaning of Art. 5 (2) GDPR which serves as evidence of proper data processing within the scope of accountability.