Please find enclosed information about our processing of your personal data and your claims and rights arising from data protection regulations in accordance with Article 13 GDPR.
1. Who is responsible for data processing and who can I contact?
Lupus alpha Asset Management AG
60327 Frankfurt am Main
If you have any questions about data protection, please contact:
We have appointed the following Data Protection Officer:
Verimax GmbH, Warndtstr. 115, 66127 Saarbrücken
2. What sources and data do we use?
We process personal data (Art. 4(2) GDPR) that we receive from you in the context of the selection and recruitment process or during the employment relationship. In addition, where necessary for the employment relationship, we process personal data that we collect from other bodies on a legal basis (e.g. situation-related queries concerning tax-relevant data from the responsible tax office, information on incapacity for work at the health insurance company). We also process personal data that we may have obtained from third parties (e.g. personnel intermediaries). Relevant personal data includes, in particular, your master data (first name, surname, personnel number, date of birth, address and other contact details), the log data arising from the use of the IT systems as well as other data from the employment relationship (e.g. time recording data, leave periods, incapacity periods, assessments, training, social data, bank details, custody information on employee transactions for compliance audit, social security number, pension insurance number, salary data and tax identification number) and other data comparable to the above categories, such as conversation and video recordings. This may also include special categories of personal data under Art. 9(1) GDPR (e.g. health data in the context of a disability or in relation to sickness notifications).
3. Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
3.1 To fulfil contractual obligations (Art. 6(1)(b) GDPR in conjunction with § 26 para. 1 BDSG; Art. 88(1) GDPR in conjunction with § 26 (4) BDSG)
The processing of personal data is primarily carried out in the context of employment, i.e. in particular for the purposes of recruitment, the performance of the employment contract, including the fulfilment of obligations laid down by law or by collective agreements (work arrangements), and for the purposes of claiming individual or collective rights and benefits associated with employment and for the purposes of termination of employment. In particular:
- the recording of periods of attendance and absence;
- payroll accounting and travel expense reimbursement;
- personnel management (e.g. company car settlement, insurance, retirement provision);
- for personnel records, departure management (e.g. certificate creation).
3.2 In the context of the balancing of interests (Art. 6(1)(f) GDPR)
Where necessary, we process your data beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. In particular:
- for the execution and documentation of legal, technical or economic audits (e.g. auditors, reliability audit in accordance with MLA, etc.) required by law or operational requirements;
- to ensure proper data processing in accordance with IT security and data protection requirements (e.g. log files);
- to analyse and correct technical errors;
- to ensure system security and system availability;
- to optimise and control the systems (e.g. updating the list of blocked websites, blacklist; optimising network services);
- for data protection control/for data protection and data security purposes;
- for the purpose of identifying contact persons (e.g. names, telephone numbers, e-mail addresses, function, department/team affiliation) and conducting internal and external communication;
- for personnel planning and personnel controlling;
- for personnel resource planning and scheduling;
- for personnel management;
- for permitted conduct and/or performance control;
- for admission/access control;
- for personnel reporting;
- for personnel development;
- for the storage of resubmission data (e.g. expiry of the probationary period, limitation period, maternity leave duration, etc.);
- for the automated execution of driver’s license control, in general the holder’s liability.
3.3 Based on your consent (Art. 6(1)(a) GDPR)
If you have given us consent for the processing of personal data for certain purposes (e.g. to carry out operational integration management; conduct employee surveys on a voluntary basis), the lawfulness of such processing is confirmed on the basis of your consent. Consent can be revoked at any time after it has been granted. This also applies to the revocation of declarations of consent that were given to us, such as for publications in the context of the employee newspaper, before the validity of the GDPR, i.e. before 25 May 2018.
Please note that revocation only applies to the future. Processing that took place before the revocation is not affected.
3.4 Based on legal requirements (Art. 6(1)(c) GDPR in conjunction with § 26 BDSG)
In addition, as an employer, we are subject to various legal obligations, i.e. legal requirements. Processing is carried out e.g.
- to comply with legal requirements (e.g. tax matters, regulatory requirements, official statistics, social security, etc.),
- for the fulfilment of legal information obligations.
3.5 Processing of special categories of personal data for the fulfilment of statutory/collective contractual obligations in the field of labour law, social security law or social protection (Art. 9(2)(b) GDPR in conjunction with § 26(3) BDSG), assessment of working capacity (Art. 9(2)(h) in conjunction with § 22(1)(b) BDSG)
Insofar as we process special categories of personal data, this serves in the context of the employment relationship to exercise rights or fulfil legal obligations under labour law, social security law and social protection. In particular:
- Providing health data to the health insurance company,
- Registering severe disability due to additional leave and determining the compensation levy for non-employment of the severely handicapped.
In addition, the processing of health data in accordance with Art. 9(2)(h) in conjunction with § 22(1)(b) BDSG may also be necessary for the assessment of your working capacity.
4. Who receives my data?
Within the company, the entities (e.g. the respective executives and departments) receiving your data are the ones that need it to fulfil our contractual and legal obligations.
In addition, we also use different service providers to fulfil our contractual and legal obligations. You can obtain a list of the processors and other service providers we use, with whom we have developed long-term business relationships, from our data protection management system or upon request.
In addition, we may transfer your personal data to other recipients outside the company, insofar as this is necessary for the fulfilment of our contractual and legal obligations as an employer. These may include, for example:
- Authorities (e.g. pension insurance institutions, professional pension institutions, social security institutions, tax authorities, courts),
- Employee’s bank (SEPA payment provider),
- Health insurance funds,
- Travel management for the organization and settlement of trips abroad,
- Group insurance (accident, health insurance, etc.)
- Provision of company pension plans.
5. How long will my data be stored?
If necessary for the purposes mentioned above (No. 3), we process and store your personal data for the duration of your employment relationship, which includes, for example, the initiation and execution of the employment contract. It should be noted in this context that the employment relationship is a continuing obligation, which is created for a number of years.
In addition, we are subject to various storage and documentation obligations arising, among other things, from the Commercial Code (HGB) and the Tax Code (AO). The storage periods are up to ten years according to these obligations.
The storage period is also assessed according to the statutory limitation periods, which generally amount to 3 years but may, for example, be up to thirty years under §§ 195 et seq. of the German Civil Code (BGB).
6. Is data transferred to a third country or to an international organisation?
Data is not transferred to third countries (states outside the European Economic Area - EEA). Only in the case of employee postings, for legitimation with counterparties in securities trading and for regulatory reporting requirements and for the organisation and processing of trips abroad is the transfer of personal data to third countries necessary in certain cases. This applies in particular to hotel reservations, flight bookings, rental vehicles, visas, etc.
7. What data protection rights do I have?
Each data subject has the right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to data portability under Art. 20 GDPR and a right to object under Art. 21 GDPR. The restrictions under §§ 34 and 35 BDSG apply to the right to information and the right to erasure. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG), e.g. the Hesse State Representative for Data Protection and Freedom of Information, P.O. Box 3163, 65021 Wiesbaden.
8. Is there an obligation for me to provide data?
In the context of your employment, you only have to provide personal data that is necessary for the establishment, execution and termination of the employment relationship and the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we will generally not be able to execute the employment contract with you.
9. To what extent does automated decision-making (including profiling) exist in individual cases?
In principle, we do not use automated decision-making, including profiling, in accordance with Art. 22 GDPR to establish, implement and process the employment relationship. If we use these procedures in individual cases, we will inform you of this separately if this is permitted by law.