Privacy Policy for the SuccessFactors Job Portal

Preamble

The SuccessFactors Job Portal (hereinafter: “Portal”) is provided by DMG MORI AKTIENGESELLSCHAFT, Gildemeisterstraße 60, 33689 Bielefeld, Germany (hereinafter: “DMG MORI AG”), as the controller within the scope of the respectively applicable data protection law.

The Portal allows you to apply for open vacancies at DMG MORI AG and our affiliated companies (hereinafter: “DMG MORI”, “we” or “us”). Furthermore, you can join our candidate pool (hereinafter: “Talent Community”). Besides applying for open vacancies, the Talent Community allows you to:

  • Create and maintain a candidate profile;
  • Participate in cross-country, group-wide application processes for time spans defined in the system for each country;
  • Receive notifications for open vacancies at DMG MORI;
  • Apply more conveniently to open vacancies using an existing candidate profile.

If you are using the Portal, we will process your personal data. Personal data means any information relating to an identified or identifiable natural person. Since the protection of your privacy during the use of the Portal is a priority for us, we would like to provide you with the following information about which personal data we process when you are using the Portal and how we handle said data. In addition, we would like to inform you about the legal basis for the processing of your data and, where the processing is necessary for the purposes of our legitimate interests, also about our legitimate interests.

1. Information about the processing of your data

1.1 Information that is collected when you use our Portal

In the context of your use of the Portal, we automatically collect certain data that are necessary for the use of the Portal (access data). These data include: system access/usage/authorization data, i.e. webserver log files (IP address, date and time of access, browser).

These data are automatically transmitted to us, but not stored, in order to (1) enable us to provide the service and the associated functionalities to you; (2) improve the functionalities and performance features of the Portal, and (3) prevent and eliminate any abuse and malfunctions. This data processing is justified due to the fact that (1) the processing is necessary for the performance of the contract between you, as the data subject, and us pursuant to point (b) of Art. 6 (1) GDPR for the use of the Portal, or (2) we have legitimate interest in guaranteeing the functioning and the error-free operation of the Portal and in being able to offer a service meeting the demand of the market and in line with the interests, which overrides your rights and interests regarding the protection of your personal data within the scope of point (f) of Art. 6 (1) GDPR.

1.2 Information that is collected when you create a user account (login and registration)

Before you can use our Portal, a user account has to be created. In order to do so, you are required to provide the following information (registration data):

  • Username (email address) and password;
  • First name and last name;
  • Phone number, place of residence (country or region).

This data processing is justified due to the fact that (1) the processing is necessary for the performance of the contract between you, as the data subject, and us pursuant to point (b) of Art. 6 (1) GDPR for the use of the Portal, or (2) we have legitimate interest in guaranteeing the functioning and the error-free operation of the Portal and in being able to offer a service meeting the demand of the market and in line with the interests, which overrides your rights and interests regarding the protection of your personal data within the scope of point (f) of Art. 6 (1) GDPR.

In addition, you can decide on a voluntary basis

  • if your user account shall be visible (1) exclusively to recruiters responsible for vacancies you are applying for or (2) to all recruiters within your country/region or (3) to all recruiters worldwide;
  • if you would like to use our notification system.

In the following, we will inform you about the processing of your data and the legal bases that apply accordingly (1.3, 1.4 and 1.5).

1.3     Using the Portal to apply for open vacancies

If you use our Portal to apply for open vacancies, in addition to the registration data, you are required to provide the following personal data (hereinafter “mandatory application data”):

  • Form of address and place of residence;
  • Your (freely designable) resume/CV;
  • Existence of a work permit.

We will forward your application data to the affiliated companies participating in the application process for the vacancy you are applying for. When applying for an open vacancy, only the persons responsible to take the hiring decision or the persons closely involved in this process will have access to your data. Essentially, this applies to recruiters, line managers and, in some cases, heads of department. If you apply for a trainee program or for a vacancy that serves more than one DMG MORI company, several affiliated companies may jointly have access to your data.

This data processing is justified due to the fact it is necessary to perform the application process and your employment contract at DMG MORI that may result from the application process pursuant to point (b) of Art. 6 (1) GDPR. In addition, employee representatives (works council and representative body for disabled employees) may have to access your data in order to comply with legal obligations in the fields of labor law or social security law. The applicable legal basis for such cases is point (c) of Art. 6 (1) GDPR.

In addition, you can decide on a voluntary basis to provide the following personal data (hereinafter “optional application data”):

  • Academic title; suffix; nationality; language skills; visa status; current company; work experience; education; geographic mobility; earliest entry date; annual salary requirements; referrer name; as well as any information that you deem expedient and decide to share with us.

In accordance with the previously described procedure, the data that you decide to provide on a voluntary basis will be forwarded to the affiliated companies participating in the application process for the vacancy you are applying for.

The legal basis for the aforementioned processing activities is your consent pursuant to point (a) of Art. 6 (1) GDPR, if need be in conjunction with point (a) of Art. 9 (2) GDPR.

1.4 Using the Portal to become part of the Talent Community

You can also use our Portal additionally and on a voluntary basis to become part of the Talent Community. If you decide to become part of the Talent Community, your aforementioned (1.3) mandatory and optional application data will be checked for adequate vacancies by our authorized recruiters. In case of an adequate vacancy, the responsible affiliated company may contact you.

The legal basis for the processing activities connected to this is your consent pursuant to point (a) of Art. 6 (1) GDPR, if need be in conjunction with point (a) of Art. 9 (2) GDPR.

1.5 Using the notification system

You can also use our Portal optionally and on a voluntary basis to receive job alerts for new vacancies according to your predefined search criteria (e.g. keyword; location; country/region; job function; level of experience; notification frequency). In order to carry out this service, we process the following personal data:

  • Email address;
  • First name and last name;
  • If need be, other information provided by you on a voluntary basis that allow us to address you professionally.

The legal basis for the aforementioned processing activities is your consent to our notification system pursuant to point (a) of Art. 6 (1) GDPR.

1.6 Pixel Facebook

  • Within the scope of our online offer, the so-called Facebook pixel is used, which is operated by Facebook Inc, 1601 South California Avenue, Palo Alto, CA 94304, USA.
  • With the help of the Facebook pixel, it is possible to determine you as a target group for the display of ads (so-called Facebook Ads) and to show our ads only to users who are interested in our company or online offer.
  • We also use the Facebook service Custom Audiences and define specific target groups in Facebook based on users with certain characteristics. We intend to utilize the Facebook pixel as a means of ensuring that our Facebook ads correspond to the potential interest of users and do not have a harassing effect.
  • Facebook pixel also lets us determine whether users visit our website and/or perform certain actions, such as registering for the event offer (so-called conversion). For this purpose, we only receive statistical data from Facebook without reference to a specific person.
  • You can find Facebook’s privacy policy here: https://www.facebook.com/policy.php You can deactivate the collection by the Facebook pixel and use of your data here: https://www.facebook.com/settings?tab=ads.
  • The use of these tools serves marketing purposes. These purposes are also our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

1.7 LinkedIn Insight Tag

  • Using the LinkedIn Insight Tag, a conversion tool provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, we collect data about visitors to our website, including: IP address, URL, referrer URL, device characteristics, browser characteristics, page views, and timestamps. LinkedIn provides us with aggregate reports about our website audience and an overview of our ad performance.
  • This data is encrypted, anonymized within seven days, and the anonymized data is deleted within 90 days.
  • Using the LinkedIn Insight Tag, we identify users who have shown interest in our website and create target groups in order to show our advertising to the corresponding users again (so-called retargeting) as well as to gain additional information about the LinkedIn users. Targeted users cannot be identified in this process.
  • We use the LinkedIn Insight Tag to track whether users perform certain actions on our website (so-called conversions).
  • For more information about privacy on LinkedIn, please see LinkedIn’s privacy policy https://www.linkedin.com/legal/privacy-policy. If you are a LinkedIn user and do not want LinkedIn to collect data about you via our website and link it to your membership data stored on LinkedIn, you must log out of LinkedIn before visiting our website.
  • The use of these tools serves marketing purposes. These purposes are also our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

2. Disclosure and transfer of data

Apart from the occasions expressly specified in this Privacy Policy, a disclosure of your personal data without your express prior consent will only take place if it is legally permissible and/or necessary. This may, inter alia, be the case if the processing is necessary in order to protect vital interests of the user or another natural person.

2.1

The data that you provide during registration or visit of our Portal are, to the extent necessary, disclosed within the DMG MORI Group for internal administration purposes.

A potential disclosure of the personal data is justified due to the fact that we have a legitimate interest in disclosing the data for administrative purposes within our group and that your rights and interests regarding the protection of your personal data are not overriding within the scope of point (f) of Art. 6 (1) GDPR.

2.2

If necessary for the investigation of unlawful and/or abusive Portal use or for the establishment of rights, personal data will be transferred to the law enforcement authorities or other authorities as well as, if applicable, to harmed third parties or legal advisers. However, such a transfer will only take place if there are indications suggesting unlawful and/or abusive conduct. Personal data may also be disclosed if such disclosure serves the purpose of enforcing terms of use or other legal claims. In addition, we are required by law to provide, upon request, information to certain public bodies. These bodies are law enforcement authorities, authorities prosecuting administrative offenses subject to a fine, and the fiscal authorities.

A potential disclosure of personal data is justified due to the fact that (1) the processing is necessary for the fulfillment of a legal obligation that we are subject to pursuant to point (f) of Art. 6 (1) GDPR in conjunction with national legal provisions regarding the disclosure of data to law enforcement authorities; or (2) if there are indications of abusive conduct or if we seek to enforce our terms of use, other conditions or legal claims, we have a legitimate interest in disclosing the data to said third parties and your rights and interests with regard to the protection of your personal data are not overriding within the scope of point (f) of Art. 6 (1) GDPR.

2.3

In order to provide our service, we are dependent on contractually affiliated companies of DMG MORI AG and on the following third-party companies and external service providers:

  • SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany;
  • SAP SE affiliates;
  • Third parties engaged by SAP, i.e. SAP SE or SAP SE’s affiliates in connection with the Portal services.

A potential disclosure of the personal data is justified due to the fact that (1) we have a legitimate interest in disclosing the data for administrative purposes within our group and your rights and interests regarding the protection of your personal data are not overriding within the scope of point (f) of Art. 6 (1) GDPR, and (2) we have chosen our third-party companies and external service providers as processors within the scope of Art. 28 (1) GDPR with care, have regularly audited them and subjected them to the contractual obligation to exclusively process any personal data as instructed by us.

2.4

In the context of the further development of our business, the structure of our company might change such that the legal form might be changed, subsidiaries, divisions and parts of the company might be established, purchased or sold. In case of such transactions, the candidate information might be transferred along with the part of the company to be transferred. We will ensure in any case of disclosure of personal data to third parties in the above described scope, that such disclosure is performed in accordance with this Privacy Policy and applicable data protection law.

A potential disclosure of the personal data is justified due to the fact that we have a legitimate interest in adjusting our company form, if need be, to the respective economic and legal circumstances and that your rights and interests regarding the protection of your personal data are not overriding within the scope of point (f) of Art. 6 (1) GDPR.

3. Data transfer to third countries

We also process data in states outside the European Economic Area (“EEA”). Specifically:

  • Our affiliated companies;
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, California, United States, 94043.

To safeguard the protection of your privacy and your fundamental rights and freedoms when such processing activities take place, we make use of the European Commission’s Standard Contractual Clauses pursuant to point (c) of Art. 46 (2) GDPR when setting up our contracts with recipients from third countries.

4. Changes of purpose

Your personal data will only be processed for other purposes than the ones described above if this is permitted by law or if you have consented to the changed purpose of the data processing. In case of further processing for other purposes than the ones for which the data were originally collected, we will inform you prior to the further processing for those other purposes and will provide you with any additional information relevant in this regard.

5. Period of data storage

We will erase or anonymize your personal data as soon as they are no longer necessary for the purposes for which we have collected and used them as described in the sections above. Usually, we will store your personal data for the period of the application process plus 6 months unless your data is necessary for the engagement of a criminal prosecution or for the establishment, exercise or defense of legal claims.

This shall not affect any specific provisions contained in this Privacy Policy or legal requirements for the storage and erasure of personal data, in particular such data that we must retain for tax reasons. Data provided by you in your user account to become part of the Talent Community will usually be stored for a period of 12 months subsequent to your last login unless your data is necessary for the engagement of a criminal prosecution or for the establishment, exercise or defense of legal claims.

6. Your rights as a data subject

6.1 Right of access

You have the right to obtain from us at any time upon request information within the scope of Art. 15 GDPR about the personal data concerning you which we are processing. In order to obtain such information, you may send your request by mail to the address provided below or per email to responsibility@dmgmori.com.

6.2 Right to rectification of inaccurate data

You have the right to obtain from us without undue delay the rectification of personal data concerning you, if such data are inaccurate. Please feel free to contact us to this end at the contact addresses provided below.

6.3 Right to erasure

Under the conditions described in Art. 17 GDPR, you have the right to obtain from us the erasure of personal data concerning you. These conditions give rise to a right to erasure in particular if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if the personal data have been unlawfully processed, if the data subject objects to processing or if the personal data have to be erased for compliance with Union or Member State law to which we are subject. With regard to the period of data storage see also section 5 of this Privacy Policy. Please contact us at the contact addresses provided below, if you would like to exercise your right to erasure.

6.4 Right to restriction of processing

You have the right to obtain from us restriction of processing in accordance with Art. 18 GDPR. This right exists in particular if the accuracy of the personal data is contested between the user and us, for a period enabling us to verify the accuracy; and if, in case of an existing right to erasure, the user requests a restriction of processing instead of erasure; furthermore, this right exists if the data are no longer necessary for the purposes pursued by us, but if the user requires them for the establishment, exercise or defense of legal claims, and if the successful exercise of the right to object is still disputed between us and the user. Please contact us at the contact addresses provided below, if you would like to exercise your right to restriction of processing.

6.5 Right to data portability

You have the right to receive from us the personal data that you have provided to us in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR. Please contact us at the contact addresses provided below, if you would like to exercise your right to data portability.

6.6 Withdrawal of consent

If you have given us your consent to the processing of your personal data, you can withdraw this consent at any time, free of charge and without incurring any future disadvantages. In order to do so, please send an email to disagree@dmgmori.com or a message to the contact addresses provided below. After you withdraw your consent, your personal data will no longer be used for the aforementioned purposes and – subject to a permitted processing for other purposes – will be erased immediately.

7. Right to object

Furthermore, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) of Art. 6 (1) GDPR (data processing in the public interest) or on point (f) of Art. 6 (1) (data processing based on a weighing of interests); this also applies to profiling based on this provision (Art. 21 GDPR). If you object, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

8. Right to lodge a complaint

Furthermore, according to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority with regard to our processing of your personal data.

9. Contact

If you have any questions or concerns regarding our handling of your personal data or if you would like to exercise the rights specified under sections 6 and 7 as the data subject, please feel free to contact us at responsibility@dmgmori.com. In addition, you may contact our Group Data Protection Officer at GILDEMEISTER Beteiligungen GmbH, FAO Group Data Protection, DECKEL MAHO Straße 1, DE-87459 Pfronten, Germany, responsibility@dmgmori.com.

10. Changes to this privacy policy

We will always keep this privacy policy up to date. Therefore, we reserve the right to change this Privacy Policy from time to time and to subsequently apply these changes to the collection, processing or use of your data. The current version of this Privacy Policy is at all times available in your user account.

Release date

May 20, 2023

Effective date

May 20, 2023