Data Privacy Policy for Personnel Leasing (PES)

We, the Porsche Engineering Services GmbH (hereinafter “we” or “PES”), are taking the protection of your personal data and its confidentiality very seriously. Your personal data is processed only within the scope of the statutory provisions of data protection law, in particular the EU General Data Protection Regulation (hereinafter “GDPR”) and the German Federal Data Protection Act (hereinafter “BDSG” or “Bundesdatenschutzgesetz”).

In this privacy policy, we provide you with information about the processing of your personal data and your data protection rights in the context of personnel leasing in the Group environment.

1. Data controller and data protection officer; contact data

The controller within the meaning of data protection legislation is:

Porsche Engineering Services GmbH
Etzelstraße 1
74321 Bietigheim-Bissingen
Germany
pe-datenschutz@porsche-engineering.de

Please do not hesitate to contact us if you have questions or suggestions relating to data protection.

You can reach our data protection officer via:

Porsche Engineering Services GmbH
Data Protection Officer
Etzelstraße 1
74321 Bietigheim-Bissingen
Germany
pe-datenschutz@porsche-engineering.de

With regard to data processing within the framework of Porsche Group's internal administration and joint procedures through centralized systems, we and Porsche AG (Dr. Ing. h.c. F. Porsche AG, Porscheplatz 1, 70435 Stuttgart, Germany; where the Data Protection Officer of Porsche AG can also be reached) are jointly responsible as joint controllers. The joint processes particularly pertain to the operation and use of jointly used databases, platforms and IT systems. With respect to the joint processes, we and Porsche AG jointly determine the purposes and means of processing.

In an agreement on joint controllership pursuant to Article 26 GDPR, we and Porsche AG have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfills which data protection obligations. In particular, it was determined how an appropriate level of security and your rights as a data subject can be ensured, how the information duties under data protection law can be fulfilled jointly and how potential data protection incidents can be monitored. This also includes ensuring that reporting and notification obligations are fulfilled.

Porsche AG is at your disposal as your central contact point. You can also assert your rights with regard to the processing of personal data in joint controllership vis-à-vis us as jointly responsible Group Company. In case you contact us, we and Porsche AG will coordinate in accordance with the aforementioned agreement pursuant to Article 26 GDPR in order to respond to your inquiry and to guarantee your rights as a data subject.

2. Subject matter of data protection

The subject matter of data protection is the protection of personal data. This is all the information that relates to an identified or identifiable natural person (“data subject”). This covers, for example, information such as name, postal address, e-mail address or telephone number, but also information that arises during the personnel leasing procedure, such as information about your qualifications.

3. Purposes and legal bases for data processing

An overview of the purposes of and legal bases for data processing within the scope of the personnel leasing is provided below.

Within the framework oft he personnel leasing, employees are hired out to other companies in order to intercept peaks or to support them with special qualifications. For this purpose, data is transferred to Porsche AG during preparation and execution, but also data is transferred to the employment agency on the basis of legal obligations.

3.1 Preparation and execution of the personnel leasing

We process personal data if this is necessary to prepare and execute the personnal leasing procedure. The purposes cover in particular:

  • Compilation of short curriculum vitae data
  • Carrying out selection procedures with Porsche AG

Further details regarding the purposes of data processing may be obtained from the documents made available to you within the framework of the personnel leasing procedure.

Data is processed on the basis of Article 6 (1) (b) and Article 88 GDPR in conjunction with Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz). We process the personal data that is required to conduct the personnel leasing procedure.

If no personnel leasing arises, your data will be deleted, unless legal grounds apply for not doing so. If the latter is the case, we anonymize the data once the other legal grounds cease to apply. You can then no longer be identified. Data is processed after anonymization only for the purpose of statistical analysis.

3.2 Compliance with legal obligations

We also process your personal data to comply with legal obligations to which we are subject. The obligations may arise, for example, from commercial, tax, money laundering, financial or criminal law. The purposes of processing arise from the respective statutory obligation; the processing generally serves the purpose of complying with the state-imposed obligations of supervision and disclosure.

Personnel leasing must be notified to the competent employment agency. Data is processed on the basis of Article 6 (1) (c) GDPR in conjunction with Section (1a) AÜG. If we collect data on the basis of a legal obligation, you need to provide the personal data that is required for compliance with that legal obligation.

We delete the data once the statutory obligation ceases to apply, unless other legal grounds apply. If the latter is the case, we delete the data once the other legal grounds cease to apply.

4. Recipients of personal data

Internal recipients: Within the company the only individuals who have access are those who need it for the specified purposes.

External recipients: We will only forward your personal data to external recipients if this is necessary fort he specified purposes, if another legal authorization or obligation exists or if we have obtained your consent.

External recipients may include:

a) Processors
Group companies of Porsche AG or external service providers that we use to provide services, for example, in the areas of technical infrastructure and maintenance for the Porsche AG service or the provision of content. We carefully select and inspect these processors on a regular basis to make sure that the security and confidentiality of your personal data are safeguarded. The service providers may use the data only for the purposes specified by us and in accordance with our instructions.

b) Public bodies
Public authorities and governmental institutions such as fiscal authorities, public prosecutors or courts to which we (are required to) transfer personal data for compelling legal reasons or for safeguarding legitimate interests. In that case, the transfer will be based on Article 6 (1) (c) and/or (f) GDPR or on Section 26 (1) (2) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz).

c) Companies of the group
Companies of the Porsche AG Group, to which data is transferred based on consent in order to carry out the application procedure or to safeguard legitimate interests. The data is transferred on the basis of Article 6 (1) (a) and/or (f) GDPR or on Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz). You can find a list of Group companies at: https://www.porsche.com/usa/aboutporsche/service/.

5. Storage duration

For the storage duration of personal data, please refer to the relevant section on data processing. In addition, as a general rule, we store your personal data only for the length of time necessary to fulfill the intended purposes, or – if consent has been granted – until you withdraw your consent (and no other legal grounds apply). If you object, we delete your personal data unless its further processing is permitted by the relevant legal provisions. We also delete your personal data if we are obliged to do so for legal reasons.

6. Rights of data subjects

As a data subject you have numerous rights. Specifically:

Right of access: You have the right to obtain information from us about the data that we have stored about you.

Right to rectification and erasure: You have the right to demand that we rectify incorrect data and – provided the legal requirements are met – that we erase your data.

Restriction of processing: You have the right – provided the legal requirements are met – to demand that we restrict the processing of your data.

Data portability: If you have provided us with data based on a contract or consent and if the statutory requirements are met, you have the right to obtain the data provided by you in a structured, commonly used and machine-readable format or you may demand that we transfer this data to another controller.

Objection to the processing of data on the legal basis of “legitimate interest”: You have the right to object at any time, on grounds relating to your particular situation, to our processing of your data, provided this objection is based on the legal basis of “legitimate interests”. If you exercise your right to object, we will discontinue the processing of your data unless we can – pursuant to the legal requirements – prove compelling legitimate reasons for further processing overriding your rights.

Withdrawal of consent: If you have given us consent to process your data, you may withdraw this consent at any time with effect for the future. The lawfulness of the processing of your data prior to the withdrawal remains unaffected.

Right to lodge complaints with the supervisory authority: You may also lodge a complaint with the competent supervisory authority if you believe the processing of your data to breach applicable laws. To do so, you may contact the data protection authority that is competent for your habitual residence or country or the data protection authority that has competence over us.

Contacting us and exercising your rights: Furthermore, if you should have any questions on the processing of your personal data, your rights as a data subject or any consent that may have been given, you may contact us free of charge. If you wish to exercise any or all of your rights mentioned above, please contact www.porsche.com/privacy-contact/ or write a letter to the postal address specified in Section 1 above. In that case, please ensure that we will be able to accurately identify you. If you wish to withdraw your consent, you can use the method of contact that you used when you gave your consent.

7. Version

The latest version of this Privacy Policy applies.

Version date: 2019-11-30