Data Privacy Policy for Personnel Marketing and the Application Procedure in the Electronic Application System (PES)

We, the Porsche Engineering Services GmbH (hereinafter “we” or “PES”), appreciate your interest in our company.

Your privacy is important to us. We therefore take the protection of your personal data and its confidentiality very seriously. Your personal data is processed only within the scope of the statutory provisions of data protection law, in particular the EU General Data Protection Regulation (hereinafter “GDPR”) and the German Federal Data Protection Act (hereinafter “BDSG” or “Bundesdatenschutzgesetz”).

In this privacy policy, we provide you with information about the processing of your personal data and your data protection rights if you do not belong to the data subject groups of employees, applicants, customers, prospects, or suppliers/service providers.

1. Data controller and data protection officer; contact data

The controller within the meaning of data protection legislation is:

Porsche Engineering Services GmbH
Etzelstraße 1
74321 Bietigheim-Bissingen
Germany
pe-datenschutz@porsche-engineering.de

Please do not hesitate to contact us if you have questions or suggestions relating to data protection.

You can reach our data protection officer via:

Porsche Engineering Services GmbH
Data Protection Officer
Etzelstraße 1
74321 Bietigheim-Bissingen
Germany
pe-datenschutz@porsche-engineering.de

With regard to data processing within the framework of Porsche Group's internal administration and joint procedures through centralized systems, we and Porsche AG (Dr. Ing. h.c. F. Porsche AG, Porscheplatz 1, 70435 Stuttgart, Germany; where the Data Protection Officer of Porsche AG can also be reached) are jointly responsible as joint controllers. The joint processes particularly pertain to the operation and use of jointly used databases, platforms and IT systems. With respect to the joint processes, we and Porsche AG jointly determine the purposes and means of processing.

In an agreement on joint controllership pursuant to Article 26 GDPR, we and Porsche AG have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfills which data protection obligations. In particular, it was determined how an appropriate level of security and your rights as a data subject can be ensured, how the information duties under data protection law can be fulfilled jointly and how potential data protection incidents can be monitored. This also includes ensuring that reporting and notification obligations are fulfilled.

Porsche AG is at your disposal as your central contact point. You can also assert your rights with regard to the processing of personal data in joint controllership vis-à-vis us as jointly responsible Group Company. In case you contact us, we and Porsche AG will coordinate in accordance with the aforementioned agreement pursuant to Article 26 GDPR in order to respond to your inquiry and to guarantee your rights as a data subject.

2. Subject matter of data protection

The subject matter of data protection is personal data. This is all the information that relates to an identified or identifiable natural person (known in legislation as the data subject). For example, it covers information such as name, mailing address, e-mail address, and telephone number, as well as information that originates during the application procedure and during use of the electronic application system, such as details of your qualifications, education and training, and previous jobs.

3. Purposes of and legal grounds for data processing in personnel marketing and the application procedure

Below you will find an overview of the purposes of and legal grounds for data processing in personnel marketing and during the application procedure.

If an employment contract is concluded with you, further data processing is governed by our privacy policy for the employment relationship.

3.1 The application procedure and its preparations

We process personal data in the extent necessary for the application procedure and, if applicable, to prepare an employment contract with you. The main purposes of data processing are:

  • Recording and checking your application
  • Application management and the selection process (forwarding to the responsible persons in-house, organizing and conducting interviews, recruitment management and administration)
  • Organizing and holding selection days and tests for certain application procedures, such as the trainee program, apprenticeships, and general application days
  • In the case of internal applications for in-house Porsche programs: application management and the selection process

Further details on the purposes of data processing may be found in the documents you receive during the application procedure.

Data is processed on the basis of Article 6 (1) (b) and Article 88 GDPR in conjunction with Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz). We process the personal data that is required to conduct the application procedure and, if applicable, to prepare an employment contract.

If no employment contract arises, we will anonymize your data after six months, unless legal grounds apply for not doing so. If the latter is the case, we anonymize the data once the other legal grounds cease to apply. You can then no longer be identified. Data is processed after anonymization only for the purpose of statistical analysis.

3.2 Fulfilment of statutory obligations

We also process your personal data to comply with statutory obligations to which we are subject. These obligations may be due to laws on commerce, taxation, money laundering or finance. Measures relating to health management and aptitude tests may also be necessary due to statutory obligations. The purpose of data processing is based on the respective statutory obligation; processing is generally performed in order to comply with inspection and disclosure obligations imposed by government.

Data is processed on the basis of Article 6 (1) (c) GDPR. We process the personal data that is required in order to comply with the respective statutory obligation.

We delete the data once the statutory obligation ceases to apply, unless other legal grounds apply. If the latter is the case, we delete the data once the other legal grounds cease to apply.

3.3 Safeguarding of legitimate interests

We also process your personal data for the purposes of safeguarding our legitimate interests or the legitimate interests of third parties. We pursue the following interests, which at the same time are the respective purposes:

  • Operational reporting
  • Performing and optimizing personnel marketing and the recruitment process (performing consultations in personnel marketing, applicant surveys and statistical analyses)

Data is processed on the basis of Article 6 (1) (f) GDPR. We process the personal data that is required to safeguard legitimate interests, unless this is outweighed by your interest in the protection of your personal data.

We anonymize or delete the data when the purposes for which the data was required no longer apply, unless other legal grounds apply. If the latter is the case, we anonymize or delete the data once the other legal grounds cease to apply. After anonymization, you can no longer be identified.

4. Consent

If you have given consent for certain purposes, such as the checking of your application in other companies of the group, for inclusion in our Talent Pool, or in order to receive our "Job Abo" newsletter, for example, the purposes are evident in the wording of this granted consent.

To prevent misuse, we use the so-called double opt-in process for sending the newsletter.

Data is processed on the basis of Article 6 (1) (a) GDPR. You may withdraw your consent at any time without stating a reason. This withdrawal will not affect the lawfulness of processing based on consent given before it is withdrawn.

We delete the data when you have withdrawn your consent, unless other legal grounds apply. If the latter is the case, we delete the data once the other legal grounds cease to apply

5. Nature, scope and purposes of and legal grounds for data processing in relation to the electronic application system

Certain features of the electronic application system require you to register (see Item 6). This applies, in particular, to the application account, which you use to send us your application via the electronic application system and to manage and keep an eye on job offers. However, our electronic application system can also be opened without registering – but its range of functions is then considerably limited. Personal data may still be processed even if you use our electronic application system without registering.

Below you will find an overview of the nature, scope and purposes of and legal grounds for data processing in our electronic application system.

5.1 Provision of the electronic application system

When you access our website using your device, we process the following data:

  • Date and time of access
  • Duration of your visit
  • Type of device
  • Operating system used
  • Features that you use
  • Volume of data sent
  • Type of event
  • Referrer URL
  • IP address
  • Domain name

We process this data on the basis of Article 6 (1) (f) GDPR in order to make the electronic application system available, to ensure it functions technically, and to identify and rectify faults. Our aim is to enable the use of our website and to ensure a constantly good technical performance. This data is processed automatically when you open our electronic application system. You cannot use our electronic application system unless this data is provided. We do not use this data to gain personal information about you or to reveal your identity.

5.2 Application account

You can use the application account to send us your application via the electronic application system, and to manage and keep an eye on job offers. We recommend that you use the application account, because our internal processes and the application procedure itself are set up to work with this account. Even if you send us your application via another channel, your application will be scanned in as part of our internal processes, and the data will be further processed electronically (see Section 3). Your paper documents will then be returned to you by post.

If you wish to create an application account, you will need to register. We collect and process your registration details (username and password) during registration and login.

Your application account provides the option of creating an applicant profile. You can enter or upload your personal data (e.g., title, first name, surname, date of birth, place of birth, birth country, nationality, address, telephone number, e-mail address), your qualifications (e.g., education and training, any professional experience, language skills, IT skills), your application documents (e.g., cover letter, résumé, etc.), and other relevant information (e.g., desired salary, availability). Required fields in the online form are marked.

We process this data on the basis of Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz) in order to create your application account and applicant profile for conducting the application procedure and – if you have given your consent – to check your application in the Porsche Group or Talent Pool on the basis of Article 6 (1) (a) GDPR.

If you delete your application account, we will also delete your user profile. For the deletion of actual applications, the regulations of Section 3 apply.

6. Recipients of personal data

Internal recipients: Within PES, the only persons who have access are those who need it for the purposes specified in Section 3.

External recipients: We forward your personal data to external recipients outside PES only if this is necessary for processing your application, if another legal authorization exists or if we have your consent to do so.

External recipients can be:

a) Processors
Companies of the Porsche AG Group or external service providers that are used within the scope of the application procedure. We carefully select and regularly inspect these processors, to make sure that your privacy is maintained. Service providers may use the data only for the purposes we have specified.

b) Public bodies
Authorities and public institutions, such as courts and financial authorities, to which we must transfer personal data for legal reasons. The data is transferred on the basis of Article 6 (1) (c) GDPR.

c) Companies of the Group
Companies of the Porsche AG Group, to which data is transferred based on consent in order to carry out the application procedure or to safeguard legitimate interests. The data is transferred on the basis of Article 6 (1) (a) and/or (f) GDPR or Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz). You can find a list of Group companies at: https://www.porsche.com/usa/aboutporsche/service/.

7. Storage duration

For the storage duration of personal data, please refer to the relevant section on data processing. In addition, as a general rule, we store your personal data only for the length of time necessary to fulfil the intended purposes, or – if consent has been granted – until you withdraw your consent (and no other legal grounds apply). If you object, we delete your personal data unless its further processing is permitted by the relevant legal provisions. We also delete your personal data if we are obliged to do so for legal reasons.

8. Data Subject Rights

As a data subject you have numerous rights. Specifically:

Managing the application account: If you have registered as a user of the application account, you can view, change, or delete your data yourself.

Withdrawing an application: If you are no longer interested in job offers, you can withdraw your application. In this case, going forward you will no longer be considered in the application and recruitment process. Your personal data will then be deleted in accordance with the legal provisions.

Right of access: You have the right to obtain information from us about the data that we have stored about you.

Right to rectification and erasure: You have the right to demand that we rectify incorrect data and – provided the legal requirements are met – that we erase your data.

Restriction of processing: You have the right – provided the legal requirements are met – to demand that we restrict the processing of your data.

Data portability: If you have provided us with data based on a contract or consent and if the statutory requirements are met, you have the right to obtain the data provided by you in a structured, commonly used and machine-readable format or you may demand that we transfer this data to another controller.

Objection to the processing of data on the legal basis of “legitimate interest”: You have the right to object at any time, on grounds relating to your particular situation, to our processing of your data, provided this objection is based on the legal basis of “legitimate interests”. If you exercise your right to object, we will discontinue the processing of your data unless we can – pursuant to the legal requirements – prove compelling legitimate reasons for further processing overriding your rights.

Withdrawal of consent: If you have given us consent to process your data, you may withdraw this consent at any time with effect for the future. The lawfulness of the processing of your data prior to the withdrawal remains unaffected.

Right to lodge complaints with the supervisory authority: You may also lodge a complaint with the competent supervisory authority if you believe the processing of your data to breach applicable laws. To do so, you may contact the data protection authority that is competent for your habitual residence or country or the data protection authority that has competence over us.

Contacting us and exercising your rights: Furthermore, if you should have any questions on the processing of your personal data, your rights as a data subject or any consent that may have been given, you may contact us free of charge. If you wish to exercise any or all of your rights mentioned above, please contact www.porsche.com/privacy-contact/ or write a letter to the postal address specified in Section 1 above. In that case, please ensure that we will be able to accurately identify you. If you wish to withdraw your consent, you can use the method of contact that you used when you gave your consent.

9. Links to third-party sites

Websites and services from other providers that are linked to our electronic application system are and have been designed and made available by third parties. We do not have any influence over the design, content, or function of these third-party services. We explicitly distance ourselves from all content on all linked third-party sites. Please note that third-party sites linked to our electronic application system may install their own cookies on your device or collect personal data. We have no influence over this. If you are concerned, please contact the providers of these third-party sites for the relevant information.

10. Version

The latest version of this Privacy Policy applies.

Version date: 2019-11-30