Data Privacy Statement for Job Applications

(dated 31 January 2023)

This Data Privacy Statement for Job Applications comprises information on how 3B Pharmaceuticals GmbH, a German limited liability company with its registered seat at Magnusstraße 11, 12489 Berlin, Germany (“3B Pharmaceuticals” or “we”), as a data controller with respect to the collection and handling of job applications, processes personal data of the natural persons that, in their discretion, have decided to apply for a job opportunity at 3B Pharmaceuticals (“you”).

There may be other situations in which we process your personal data, e.g. if you are a customer of 3B Pharmaceuticals, or if you are working for any of our customers, partners, or suppliers, or if you visit our website or social media profiles. Please use the contact information provided herein if you seek information on any processing operation(s) concerning your personal data that are not comprised by this Data Privacy Statement for Job Applications.

1. General Statement

(1) Personal Data. This Data Privacy Statement for Job Applications explains how we collect, process, and delete your personal data as a controller under applicable data protection laws, in particular the EU General Data Protection Regulation (“GDPR”). “Personal data”, according to Art. 4 No. 1 of the GDPR, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(2) Your Options. This Data Privacy Statement also describes the options available to you regarding our use of your personal data and the steps you can take to access your personal data and ask us to correct or delete it.

(3) Principles for the Processing. Personal data is solely collected, processed, and deleted in accordance with applicable law, and subject to the following principles for the processing of personal data: Personal data are:

  • processed lawfully, fairly and in a transparent manner in relation to you;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

(4) Change in Processing Purposes. In the event that we intend to process personal data for purposes other than those set forth in this Data Privacy Statement for Job Applications, we will notify you of such changes and inform you of the purposes for which your personal data will be used and who, if any, the recipients are.

(5) Data of Minors. Subject to local laws, we do not knowingly collect data from minors, and our job advertisements are not targeted at minors.

(6) Requirement to Provide Personal Data. The provision of personal data is neither legally nor contractually required, nor are you obliged to provide us with your personal data. However, the provision of personal data is required for the conclusion of an employment contract with us. This means that if you do not provide us with personal data when applying for a job, we cannot and will not enter into an employment relationship with you. Such a job application would be futile.

2. Processing Activities

(1) Submission of a Job Application. To decide on the chances of success of a job application, the provision of personal data is desired and required. We require name and contact details, date of birth, place of birth, details of professional circumstances, professional qualifications, professional experience, certificates, and details of other special qualifications in accordance with the specific job advertisement (such as language skills or programming knowledge). You can provide us with further information voluntarily, but it is not a prerequisite for consideration of your job application. Failure to provide this information will not result in any disadvantages for you. This voluntarily given information also includes application photos. We will store and process your application documents digitally; this applies regardless of how you send us your application documents, i.e. in particular also for job applications sent to us by regular mail. The legal basis for processing your personal data is Section 26 para 1 sent. 1 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), insofar as it concerns information that we request from you as part of the application process for the establishment of an employment relationship with us. If you voluntarily provide us with further information in your application documents, we will process this based on your consent, Art. 6 para. 1 lit. a of the GDPR in conjunction with Section 26 para. 2 of the BDSG. Please note that resumes, cover letters or other data provided by you may also contain information about “special categories of personal data” as defined in Art. 9 para. 1 of the GDPR (e.g., a photo that reveals ethnic origin, information about severely disabled status, etc.). If you send us information of this kind, you agree that we may store this information as part of your application documents, Art. 9 para. 2 lit. a of the GDPR in conjunction with Section 26 para. 2 of the BDSG. Insofar as special legal obligations arise for us from health-related information, for example regarding a severely disabled status, we will process this data on the basis of Art. 9 para. 2 lit. b of the GDPR in conjunction with Section 26 para. 3 of the BDSG in order to comply with these legal obligations.

(2) Sources of Your Personal Data. We may have received and evaluated certain of your personal data from the third parties mentioned hereinafter before we contacted you. In view of our contractual agreements with the personnel service providers and the applicant platforms, we assume that you have also concluded agreements with them regarding the provision of your personal data to us as a potentially interesting or interested employer, or that you have initiated the transfer of your data to us yourself. In this respect, please also note the data protection notices of the relevant personnel service providers or applicant platforms. Depending on the structure of these data protection notices, the recruitment service providers or applicant platforms may provide us with further profile information in addition to your application documents. The legal basis for the transfer of your personal data to us is, without prejudice to other legal bases for the transfer mentioned hereinbelow, our legitimate interest in the broadest possible selection of qualified applicants in accordance with Art. 6 para. 1 lit. f of the GDPR. We will process data that we obtain in this way from sources other than you directly in the same way as applications that you send to us directly without the involvement of personnel service providers or applicant platforms. However, where available, we may use direct communication channels, e.g. from applicant platforms, to exchange messages with you. After receiving your personal data, we will process it in the same way as described herein in the case of an application sent directly to us. Please note that we will not inform you again in detail about the source of your application after we have received it via a personnel service provider or an applicant platform. 
Because you initiated this application yourself via a specific recruitment service provider or applicant platform or were in any case in contact with this recruitment service provider or applicant platform in advance, you already have the information as to where we obtained your data; it is therefore not necessary to inform you again for legal reasons alone, Art. 14 para. 5 lit. a of the GDPR. Of course, we will still be happy to inform you upon request at any time about who exactly we have received your personal data from.

The above information on third-party sources of your personal data applies in particular to:

LinkedIn
We have set up our own page in the social network LinkedIn, and we also have a legitimate interest in using the world’s largest platform for professional exchange to place job adverts. The legal basis for the data processing described below is therefore Art. 6 para. 1 lit. f of the GDPR. Please check our general Data Privacy Statement for further information on the processing of data on LinkedIn. Responding to job adverts that we have placed on LinkedIn, or sending applications, requires you to have or set up your own profile on LinkedIn. Therefore, please observe the LinkedIn User Agreement (https://de.linkedin.com/legal/user-agreement) and LinkedIn’s privacy policy (https://de.linkedin.com/legal/privacy-policy). In the European Economic Area (EEA) and Switzerland, LinkedIn is run by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. These documents explain that LinkedIn will collect, process, and display to us your personal data as a separate data controller. After receiving your personal data, we will process it in the same way as described herein in the case of an application sent directly to us.

XING
We have set up our own page in the social network XING, and we also have a legitimate interest in using this renowned platform for talent scouting to place job adverts. The legal basis for the data processing described below is therefore Art. 6 para. 1 lit. f of the GDPR. Please check our Data Privacy Statement for further information on the processing of data on XING. Responding to job adverts that we have placed on XING, or sending applications, requires you to have or set up your own profile on XING. Therefore, please observe the XING Terms of Use (https://www.xing.com/terms/xing) and Privacy Policy (https://privacy.xing.com/de/datenschutzerklaerung). XING is run by New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. These documents explain that XING will collect, process, and display to us your personal data as a separate data controller. After receiving your personal data, we will process it in the same way as described herein in the case of an application sent directly to us.

Join
The JOIN platform (www.join.com) enables companies to create a company profile on the platform, to place job adverts for open positions, to receive applications and to manage them. Furthermore, companies can also receive automated suggestions for interesting users on a regular basis, so that they can be contacted. Responding to job adverts that we have placed on the JOIN platform, sending applications, and becoming eligible for automated suggestions requires you to be or become a user of the JOIN platform yourself. In this respect, please check carefully the General Terms (https://join.com/terms/) and JOIN’s Privacy Policy (https://join.com/privacy-policy/). These documents explain that JOIN will collect, process, and submit to us your personal data as a separate data controller. After receiving your personal data, we will process it in the same way as described herein in the case of an application sent directly to us.

(3) Application Management Platform. As a general platform for managing the application process (e.g. finding and evaluating applicants, data storage, and recruitment), we use the SaaS platform of JOIN Solutions AG, Landsgemeindeplatz 6, 9043 Trogen, Switzerland (“JOIN”). JOIN may process your personal data only in accordance with our instructions, and as a data processor on our behalf. JOIN processes your personal data in Switzerland, a country for which the European Commission has adopted an adequacy decision with respect to the data protection standards in accordance with Art. 45 of the GDPR. We have entered into a corresponding data protection agreement within the meaning of Art. 28 of the GDPR with JOIN concerning the following types of data: (a) personal master data (e.g. name, title, academic degree, date of birth, telephone number, email address), (b) the data transmitted by the applicants (applicant data; curriculum vitae, references, certificates, etc.), (c) all information related to the application process recorded in the applicant management tool, such as messages sent via the platform, information about the application process and a candidate’s progress in the application process recorded on the JOIN platform, or questions which are asked as part of the application process and are recorded on the JOIN platform, (d) data generated through the use of the applicant management tool, such as metadata; this includes information about how long an application process takes, how many candidates have applied and how far a candidate has come in the application process, (e) data generated through interactions with the applicant management tool, such as the answers provided to questions asked by candidates, data recorded by us that has not been deleted in the applicant management tool and contact-establishing messages to the candidates or JOIN. Please note, however, that if this data is processed as part of other JOIN services, such as the allocation of suitable candidates or services for candidates, JOIN shall process this data as the controller as defined by the current data protection laws (see above).

(4) Contacting Us. We offer you the opportunity to contact us by e-mail or via specific contact forms (including third-party messaging tools, e.g. on LinkedIn or Join). In this case, the information you provide will be stored for the purpose of processing your inquiry. The legal basis for processing your personal data is your consent given at the time of submission of your inquiry (Art. 6 para. 1 lit. a of the GDPR) or, in the case of (pre-)contractual inquiries, Art. 6 para. 1 lit. b of the GDPR in conjunction with Section 26 para. 1 sent. 1 of the BDSG. The personal data we collect and process upon submission of your inquiry will be deleted after completion of the request and, if applicable, after expiry of statutory retention periods (i.e., for example, if you send us a pre-contractual message via e-mail and we then establish a contractual relationship).

(5) Contacting You and Internal Notes. To the extent necessary for the application process and the decision on filling the position, we also process data on the basis of Section 26 para. 1 sent. 1 of the BDSG in the course of correspondence with you in writing or in electronic form. Furthermore, we will make internal notes for the purpose of internal coordination and, if necessary, to provide evidence of proper, in particular non-discriminatory, decision-making, for example after reviewing your application documents or after a personnel selection interview.

(6) Talent Pool. If you do not apply to a specific job with us, or if we select someone else for the specific job opportunity but would still like to consider your application for future openings, we may add you to our talent pool and continue to store your application for future contact with you. However, this requires that you give us your express consent within the meaning of Art. 6 para. 1 lit. a, 9 para. 2 lit. a of the GDPR in conjunction with Section 26 para. 2 of the BDSG. We will seek your consent separately, thereby stating the envisaged storage period in our talent pool (which may vary depending on your job profile and our current business needs). The general information provided herein applies accordingly to all job applications in our talent pool.

(7) Reimbursement of Travel Expenses. If you have traveled to a personnel selection interview, we will generally reimburse the travel expenses incurred by you and proven to us. For this purpose, we process the necessary additional information on the basis of Section 26 para. 1 sent. 1 of the BDSG, namely your bank account details, information on travel expense reimbursement claims incurred including receipts (cab, fuel receipt, train ticket or similar).

(8) Defense of Legal Claims Arising from the Application Process. Furthermore, we may process personal data about you insofar as this is necessary to defend asserted legal claims against us arising from the application process. The legal basis for this is Art. 6 para. 1 lit. f of the GDPR; the legitimate interest is, for example, a duty to provide evidence in proceedings due to an alleged violation of the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG).

(9) Storage Periods. We process the aforementioned data for the duration of the application process as well as for a period of six months after the job has been filled, unless otherwise specified herein. Insofar as an employment relationship between you and us does not come about, we may also continue to store data insofar as this is necessary for the defense against possible legal claims. Personal data we process as part of the reimbursement of travel expenses may be stored for a period until the end of the tenth calendar year following the date of reimbursement due to commercial and tax retention obligations. We are legally obligated to do so, and data processing for this purpose is based on Art. 6 para. 1 lit. c of the GDPR.

3. Data Recipients and Data Transfers

(1) Data Recipients. Unless stated to the contrary in this Data Privacy Statement for Job Applications, we will share your personal data with third parties only if (a) these recipients act as service providers who perform services on our behalf within the meaning of Art. 28 of the GDPR (e.g. hosting and web services), or (b) these data transfers are required for the following legitimate interests: (i) compliance with any valid legal process, request, law, rule or regulation; or (ii) detection and resolution of IT and data security concerns. These processing activities are based on legitimate interests as described above (Art. 6 para. 1 lit. f of the GDPR), and there may even be a legal obligation on our part to process your personal data for these purposes (Art. 6 para. 1 lit. c of the GDPR).

(2) Data Transfers. Usually and unless stated to the contrary in this Data Privacy Statement, we will not transfer any of your personal data to countries outside the European Union or the member states of the European Economic Area. Without prejudice to our obligation to specifically inform you if we wanted to transfer your personal data to such a third country, we shall only transfer your personal data to recipients in third countries if the prerequisites set forth in Art. 44 et seq. of the GDPR are met. Hence, in order to appropriately safeguard your personal data, we make sure additional measures are put in place to protect your data, in particular by relying on EU Adequacy Decisions or EU Standard Contractual Clauses, for transfers of personal data to countries outside the EU/EEA, in addition to all the necessary privacy and security precautions required by applicable law.

4. Your Rights as a Data Subject

You have certain rights in relation to the personal data that we process about you. You may (a) access the information we hold about you (Art. 15 of the GDPR); we will provide you with this information usually within one month of your request at the latest; (b) have your personal data corrected (Art. 16 of the GDPR) or deleted (Art. 17 of the GDPR); (c) obtain from us the restriction of processing under the conditions laid out in Art. 18 of the GDPR; (d) have the information you provided to us sent to you or to another organization, where you have provided such information to us and we hold this information with your consent or for the performance of a contract with you (Art. 20 of the GDPR); and (e) lodge a complaint with the competent supervisory authority.

5. In Particular: Your Right to Object to the Processing of Personal Data

Where the legal basis for the processing of your personal data is our or a third party’s legitimate interest in accordance with Art. 6 para. 1 lit. f of the GDPR, you may, at any time and based on the grounds set out in Art. 21 of the GDPR, object to such processing.

6. No Automated Decision-Making Process

We do not use any automated decision-making processes within the meaning of Art. 22 of the GDPR, including profiling, which would produce legal effects concerning you as a data subject or similarly significantly affect you. This means that we evaluate your job application personally, and the decision about your job application is not based solely on automated processing of your personal data.

7. Contact Information

(1) Contacting Us. You may contact us in our capacity as data controller at the address indicated herein (for the attention of the Data Security department). You may also contact us by telephone: +49(0)30 63 92 43 17; telefax: +49(0)30 63 92 43 16; or e-mail to info@3b-pharma.com.

(2) Data Protection Officer. If you have any questions or concerns as regards the processing of your personal data, or if you want to exercise any of your rights, you may also directly contact our data protection officer by sending a letter to the address indicated herein (for the attention of the Data Protection Officer), or by contacting our data protection officer with an e-mail sent to datasecurity@3b-pharma.com.

8. Updates to this Data Privacy Statement

We may change this Data Privacy Statement from time to time and the most current version will always be posted on our website. Whenever we change this Privacy Policy, we will inform you either by revising the date at the top of the Privacy Policy that’s available on our website, or we may provide you with additional notice, such as a pop-up window or an added statement to our website’s homepage.