Privacy Policy for the Employment Relationship (PEG)

We, the Porsche Engineering Group GmbH (hereinafter “we” or “PEG”), take the protection of your personal data and its confidentiality very seriously. Your personal data is processed only within the scope of the statutory provisions of data protection law, in particular the EU General Data Protection Regulation (hereinafter “GDPR”) and the German Federal Data Protection Act (hereinafter “BDSG” or “Bundesdatenschutzgesetz”).

In this privacy policy, we provide you with information about the processing of your personal data and your data protection rights within the scope of the employment relationship.

1. Data controller and data protection officer; contact data

The controller within the meaning of data protection legislation is:

Porsche Engineering Group GmbH
Porschestraße
71287 Weissach
Germany
pe-datenschutz@porsche-engineering.de

Please do not hesitate to contact us if you have questions or suggestions relating to data protection.

You can reach our data protection officer via:

Porsche Engineering Group GmbH
Data Protection Officer
Porschestraße
71287 Weissach
Germany
pe-datenschutz@porsche-engineering.de

With regard to data processing within the framework of Porsche Group's internal administration and joint procedures through centralized systems, we and Porsche AG (Dr. Ing. h.c. F. Porsche AG, Porscheplatz 1, 70435 Stuttgart, Germany; where the Data Protection Officer of Porsche AG can also be reached) are jointly responsible as joint controllers. The joint processes particularly pertain to the operation and use of jointly used databases, platforms and IT systems. With respect to the joint processes, we and Porsche AG jointly determine the purposes and means of processing.

In an agreement on joint controllership pursuant to Article 26 GDPR, we and Porsche AG have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfills which data protection obligations. In particular, it was determined how an appropriate level of security and your rights as a data subject can be ensured, how the information duties under data protection law can be fulfilled jointly and how potential data protection incidents can be monitored. This also includes ensuring that reporting and notification obligations are fulfilled.

Porsche AG is at your disposal as your central contact point. You can also assert your rights with regard to the processing of personal data in joint controllership vis-à-vis us as jointly responsible Group Company. In case you contact us, we and Porsche AG will coordinate in accordance with the aforementioned agreement pursuant to Article 26 GDPR in order to respond to your inquiry and to guarantee your rights as a data subject.

With regard to data processing within the scope of the inter-Group procurement platform, we the Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg and Audi AG, Auto-Union-Str. 1, 85045 Ingolstadt jointly bear responsibility as joint controllers.

With regard to the joint processes, we jointly determine the purposes and means of processing personal data. In an agreement on joint controllership pursuant to Article 26 GDPR, we, the Volkswagen AG and Audi AG have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfils which data protection obligations. In particular, it was determined how an appropriate level of security and your rights as a data subject can be ensured, how the information duties under data protection law can be fulfilled jointly and how potential data protection incidents can be monitored. This also includes ensuring that reporting and notification obligations are fulfilled. We are at your disposal as your central contact point. In case you contact us, we , the Volkswagen AG and Audi AG will coordinate in accordance with the aforementioned agreement pursuant to Article 26 GDPR in order to respond to your inquiry and to guarantee your rights as a data subject.

2. Subject matter of data protection

The subject matter of data protection is the protection of personal data. This is all the information that relates to an identified or identifiable natural person (“data subject”). This covers, for example, information such as name, postal address, e-mail address or telephone number as well as other information that necessarily originates within the scope of the employment relationship, such as details of your qualifications, education and training, and previous jobs.

3. Purposes and legal bases for data processing

An overview of the purposes of and legal bases for data processing within the scope of the employment relationship is provided below.

3.1 Preparation and execution of the employment relationship

We process personal data if this is necessary to prepare and execute the employment relationship. These purposes cover in particular:

  • Executing and supporting the tasks assigned to you and any other staff member (for example, processing work results).
  • Coordination and organization internal and external communications (e.g. correspondence with clients and customers)
  • Administration services for administrative proceedings in respect of the employment relationship (e.g. processing of missions)
  • Administration of the recruitment process (e.g. conclusion of an employment contract, creation of master files, employee introduction/onboarding)
  • Implementation of personnel support (e.g. performance of employee appraisals, consulting and implementation of individual measures, maintenance of personnel administration, settlement of changes to employment contracts, remuneration, implementation of assessment and target agreement proceedings, implementation of event management, implementation and use of the mood barometer)
  • Personnel development (e.g. qualification and continuing education, implementation of personnel development programmes, competence and talent management, monitoring and implementation of individual development measures)
  • Financial processing personal management (e.g. payroll accounting, processing of company pension schemes, processing of individual supplementary insurance policies, travel management, processing of company services and additional benefits, cooperation with authorities, fulfilment of legal obligations, labour and social law administration, time management)
  • Administration and implementation of company health management and company social counselling
  • Internal administration (e.g. plant catering, work safety, corporate security, personnel and deployment administration, Porsche Ideas Management, organisational development administration, coordination with works council, user management)
  • Processing of IT usage data (e.g. user ID, passwords) in IT systems for the purpose of professional use
  • Administration of the leaving process (support during retirement, termination of employment)
  • (Pre)contractual measures relating to vehicle leasing (VW and Porsche)
  • Personnel planning and controlling as well as reporting

Further details regarding the purposes of the data processing may result from the documents provided to you within the context of the employment relationship.

Data is processed on the basis of Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz). We process the personal data that is required within the scope of the employment relationship.

We delete the data if it is no longer required for the performance of the employment relationship and no other legal basis intervenes. If the latter is the case, we will delete the data after the other legal basis has ceased to apply. In particular, longer storage may be necessary in order to fulfill legal obligations (e.g. in connection with pension entitlements).

3.2 Compliance with legal obligations

We also process your personal data to comply with legal obligations to which we are subject. The obligations may arise, for example, from commercial, tax, money laundering, financial or criminal law. Measures in the areas of occupational safety, health management and aptitude tests may also result from legal obligations. The purposes of processing arise from the respective statutory obligation; the processing generally serves the purpose of complying with the state-imposed obligations of supervision and disclosure.

Data is processed on the basis of Article 6 (1) (c) GDPR. We process the personal data that is necessary for the fulfilment of the legal obligation.

We delete the data after the legal obligation has ceased to apply and if no other legal basis intervenes. If the latter is the case, we delete the data after the other legal basis no longer applies.

3.3 Safeguarding legitimate interests/processing purposes

In addition, we also process your personal data for safeguarding the legitimate interests pursued by us or third parties for the following purposes:

  • Administration of the entry process
  • Implementation of personnel support
  • Human resources development
  • Employment relationship processing
  • Administration and implementation of company health management and company social counselling
  • Internal administration
  • Administration of the leaving process
  • Personnel planning and controlling as well as reporting
  • Internal communication
  • Ensuring operational safety
  • Answering questions from authorities
  • Assertion of legal claims

Data is processed on the basis of Article 6 (1) (f) GDPR. We process the personal data that is required to safeguard legitimate interests, unless this is outweighed by your interest in the protection of your personal data.

We anonymize or delete the data when the purposes for which the data was required no longer apply, unless other legal grounds apply. If the latter is the case, we anonymize or delete the data once the other legal grounds cease to apply. After anonymization, you can no longer be identified.

3.4 Consent

If you give your consent to certain data processing activities, e.g. for the storage of your data relating to certain consulting or support services, your consent will always apply to those specific purposes; the purposes are defined in the specific declaration of consent.

Such data processing is based on Article 6 (1) (a) GDPR. You may withdraw your consent at any time, without, however, affecting the lawfulness of processing based on such consent up to the date of withdrawal.

We will delete the data if you have withdrawn your consent and no other legal basis intervenes. If the latter is the case, we will delete the data after the other legal basis no longer applies.

4. Recipients of personal data

Internal recipients: Within Porsche AG the only individuals who have access are those who need it for the purposes specified in Section 3.

External recipients: We will only forward your personal data to external recipients outside Porsche AG if this is necessary to fulfill the employment relationship, if another legal authorization or obligation exists or if we have obtained your consent.

External recipients may include:

a) Processors
Group companies of Porsche AG or external service providers that we use to provide services, for example, in the areas of technical infrastructure and maintenance for the Porsche AG service or the provision of content. We carefully select and inspect these processors on a regular basis to make sure that the security and confidentiality of your personal data are safeguarded. The service providers may use the data only for the purposes specified by us and in accordance with our instructions.

b) Public bodies
Public authorities and governmental institutions such as fiscal authorities or courts to which we (are required to) transfer personal data for compelling legal reasons. In that case, the transfer will be based on Article 6 (1) (c) GDPR.

c) Companies of the Porsche AG Group
Companies of the Porsche AG Group, to which data is transferred based on consent, for the fulfillment oft he employment relationship, or to safeguard legitimate interests. The data is transferred on the basis of Article 6 (1) (a) and/or (f) GDPR or on Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz).

d) Companies of the Volkswagen AG Group
Companies of the Volkswagen AG Group, to which data is transferred based on consent, for the fulfillment of the employment relationship, or to safeguard legitimate interests. The data is transferred on the basis of Article 6 (1) (a) and/or (f) GDPR or on Section 26 (1) German Federal Data Protection Act (BDSG – Bundesdatenschutzgesetz).

e) Independent service providers
Consultants who perform services for Porsche AG within the scope of their assignment and to which data is transferred for the fulfilment of the employment relationship, or to safeguard legitimate interests. The data is transferred on the basis of Article 6 (1) (b) and/or (f) GDPR.

5. Data processing in third countries

If data is transferred to bodies whose headquarters or place of data processing is not located within a member state of the European Union or within a country that is a signatory to the treaty on the European Economic Area, we will ensure prior to such transfer – unless any of the legally permissible exceptions applies – that the recipient maintains an adequate level of data protection (e.g. based on an adequacy decision by the European Commission, through suitable guarantees such as a self-certification of the recipient under the EU–U.S. Privacy Shield or the use of EU Standard Contractual Clauses) or that you give your consent prior to such data transfer.

We can provide you with an overview of the recipients in third countries and a copy of the specifically agreed safeguards to ensure the adequate level of data protection. To obtain these, please use the contact details specified in Section 1.

6. Sources and data categories in case of collection by third parties

We not only process personal data that we receive directly from you. We may also receive personal data from third parties. Below you will find an overview of the sources and data categories applying to the collection of data by third parties:

  • We may receive information from Porsche AG affilates about their cooperation with you.
  • We may receive information from Volkswagen Group entities about their cooperation with you.
  • From public authorities such as courts of law or tax authorities

7. Storage duration

For the storage duration of personal data, please refer to the relevant section on data processing. In addition, as a general rule, we store your personal data only for the length of time necessary to fulfill the intended purposes, or – if consent has been granted – until you withdraw your consent (and no other legal grounds apply). If you object, we delete your personal data unless its further processing is permitted by the relevant legal provisions. We also delete your personal data if we are obliged to do so for legal reasons.

8. Data Subject Rights

As a data subject you have numerous rights. Specifically:

Right of access: You have the right to obtain information from us about the data that we have stored about you.

Right to rectification and erasure: You have the right to demand that we rectify incorrect data and – provided the legal requirements are met – that we erase your data.

Restriction of processing: You have the right – provided the legal requirements are met – to demand that we restrict the processing of your data.

Data portability: If you have provided us with data based on a contract or consent and if the statutory requirements are met, you have the right to obtain the data provided by you in a structured, commonly used and machine-readable format or you may demand that we transfer this data to another controller.

Objection to the processing of data on the legal basis of “legitimate interest”: You have the right to object at any time, on grounds relating to your particular situation, to our processing of your data, provided this objection is based on the legal basis of “legitimate interests”. If you exercise your right to object, we will discontinue the processing of your data unless we can – pursuant to the legal requirements – prove compelling legitimate reasons for further processing overriding your rights.

Withdrawal of consent: If you have given us consent to process your data, you may withdraw this consent at any time with effect for the future. The lawfulness of the processing of your data prior to the withdrawal remains unaffected.

Right to lodge complaints with the supervisory authority: You may also lodge a complaint with the competent supervisory authority if you believe the processing of your data to breach applicable laws. To do so, you may contact the data protection authority that is competent for your habitual residence or country or the data protection authority that has competence over us.

Contacting us and exercising your rights: Furthermore, if you should have any questions on the processing of your personal data, your rights as a data subject or any consent that may have been given, you may contact us free of charge. If you wish to exercise any or all of your rights mentioned above, please contact betroffenenrechte@porsche.de or write a letter to the postal address specified in Section 1 above. In that case, please ensure that we will be able to accurately identify you. If you wish to withdraw your consent, you can use the method of contact that you used when you gave your consent.

9. Version

The latest version of this Privacy Policy applies.

Version date: 2019-11-30