DLE Group

Data protection notice for employees

as of March 2021

Data protection notices in accordance with the EU General Data Protection Regulation (GDPR)

DLE Group AG has bindingly defined this directive for the DLE Group (as defined in the Code of Conduct).

With the following information we would like to give you an overview of the processing of your personal data by us and of your rights under data protection law. Which data is processed in detail and in which way it is used depends to a large extent on the requested or agreed components of your employment relationship or other contractual relationship.

1. Who is responsible for data processing and who can I contact?

Responsible is:

DLE Group AG

Tauentzienstraße 11

10789 Berlin

You can contact our data protection officer at:

DLE Group AG

DATENSCHUTZBEAUFTRAGTER

Tauentzienstraße 11

10789 Berlin

E-Mail: Datenschutz@dle.ag

2. What personal data do we process?

We process personal data that we receive from our employees in the context of the employment relationship. In addition, we process personal data that we have received from you, to the extent necessary for the purposes of hiring, fulfilling the employment contract and terminating the employment relationship.

2.1 Personal data includes:

(1) Personal details (e.g. name, address, contact details, birthday, birthplace and nationality)

(2) Family data (e.g. marital status and information on children)

(3) Religious affiliation

(4) Health data (if relevant for the employment relationship, e.g. in the case of a severe disability)

(5) Identification data (e.g. ID data)

(6) Tax identification number

(7) Information on skills and employee development (e.g. training, professional experience, language skills and further training)

2.2 Other relevant personal data may include:

(1) Information on the employment relationship (e.g. date of entry, designation of activity and title)

(2) Wage tax-relevant data from the fulfilment of contractual obligations (e.g. salary payment)

(3) Social security data

(4) Data on pensions and pension funds

(5) Data on working time (e.g. records of working time, holidays and sickness, and data relating to business trips)

(6) Authorization data (e.g. access and admission rights).

3. What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):

3.1 For the fulfilment of contractual obligations (Art. 6 sec. 1 b GDPR, Section 26 BDSG)

The processing of data is carried out for the establishment, implementation or termination of the employment relationship or for the implementation of pre-contractual measures, which are carried out upon request. If you receive additional benefits (e.g. childcare grant), your data will be processed to fulfil these additional benefits, if this is necessary.

3.2 In order to safeguard the legitimate interests of the controller (Art. 6 sec. 1 f GDPR)

If necessary, we process your data beyond the actual performance of the contract in order to safeguard legitimate interests of us or of third parties:

(1) Publication of official contact data on the intranet, in the internal telephone book and on the website

(2) Recordings of employee interviews (e.g. documentation of the defined goals and the achievement of the goals) for verification purposes

(3) Transmission of personal data for internal administrative purposes among individual companies of company groups

(4) Cyber- and information security – processing of personal data by authorities, Emergency Response Teams and Security Incident Response Teams, service providers of electronic communication networks and services, as well as service providers of security technologies and services

(5) Processing of personal data for purposes of direct advertising in case of a special relationship

3.3 Based on your consent (Art. 6 sec. 1 a GDPR in conjunction with Art. 88 GDPR and Section 26 (2) BDSG)

If you have given us consent for the processing of your personal data, processing will only take place in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Consent granted may be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent that were granted to us before the GDPR, i.e. before 25 May 2018. The revocation of consent only has effect for the future and does not affect the legality of the data processed until the revocation.

3.4 Due to legal requirements (Art. 6 sec. 1 c GDPR as well as Art. 88 GDPR and Section 26 BDSG)

As a company, we are subject to various legal obligations, i.e. legal requirements (e.g. social security law, occupational safety, if applicable tax laws) as well as regulatory requirements. The purposes of the processing include, among other things, identity verification, the fulfilment of social security and tax control, reporting or documentation obligations as well as the management of risks in the company.

Insofar as special categories of personal data are processed in accordance with Article 9(1) GDPR, this serves in the context of the employment relationship for the exercise of rights or the fulfilment of legal obligations under labour law, social security law and social protection (e.g. disclosure of health data to the health insurance company, recording of severe disability due to additional leave and determination of the severely disabled levy). This is done on the basis of Art. 9 sec. 2 (b) GDPR in connection with Section 26 (3) of the German Data Protection Act (BDSG). In addition, the processing of health data may be required for the assessment of your ability to work in accordance with Article 9(2) (h) in connection with Section 22 (1) (BDSG). In addition, the processing of special categories of personal data may be based on consent in accordance with Article 9(2) (a) GDPR in connection with Section 26 (2) of the German Data Protection Act (e.g. company integration management).

4. Who gets my data (recipients or categories of recipients)?

Within DLE, those positions that need your data to fulfil the contractual, legal and supervisory obligations as well as to safeguard legitimate interests, e.g. the human resources department, have access to it.

Service providers and vicarious agents employed by us may also receive data for these purposes, provided that they need the data to perform their respective services. These are, for example, companies in the categories of payroll, training providers and IT services. All service providers are contractually obliged to treat your data confidentially.

With regard to the transfer of data to recipients outside our company, it should first be noted that we as an employer only disclose necessary personal data in compliance with the applicable data protection regulations. In principle, we may only pass on information about our employees if legal provisions require this, you have given your consent or if we are otherwise authorised to disclose it.

Under these conditions, recipients of personal data may include:

(1) Social security carriers

(2) Health insurance companies

(3) Tax authorities

(4) Public authorities and institutions (e.g. finance authorities and law enforcement authorities) in the event of a legal or regulatory obligation

(5) Other companies for the processing of salary payments or similar entities to which we transmit personal data for the purpose of the contractual relationship (e.g. for salary payments)

(6) Auditors of economic and wage tax

(7) Service providers in the context of contract data processing relationships

(8) Joint controllers

Other data recipients may be the entities for which you have given us your consent to the transfer of data or to which we are authorised to transmit personal data on the basis of a balance of interests.

5. Is data transferred to a third country or to an international organisation?

Data is transferred to bodies in countries outside the European Economic Area (so-called third countries) to the extent that

(1) it is required by law (e.g. tax reporting obligations)

(2) you have given us your consent or

(3) this is justified by a legitimate interest under data protection law and no overriding interests of the data subject that are worthy of protection preclude this.

Beyond this, we do not transmit personal data to third countries or international organizations.

However, for certain tasks, we use service providers who also use service providers who may have their headquarters, parent companies or data centres in a third country. A transfer is admissible if the European Commission has decided that there is an adequate level of protection in a third country (Article 45 GDPR). If the Commission has not taken such a decision, companies or service providers may only transfer personal data to service providers in a third country where appropriate safeguards are provided for (standard data protection clauses adopted by the EU Commission or the supervisory authority in a specific procedure) and enforceable rights and effective remedies are available.

We have also contractually agreed with our service providers that even with their contractual partners, guarantees of data protection must always be in place in compliance with the European level of data protection. On request, we will provide you with a copy of these warranties.

6. How long will your data be stored?

We process and store your personal data as long as this is necessary for the fulfilment of our contractual and legal obligations. It should be noted that the employment relationship is a permanent liability relationship, which is intended for a longer period of time.

If the data is no longer necessary for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless its temporary processing is necessary for the following purposes:

(1) Fulfilment of statutory retention obligations, which may arise, for example, from: German Social Code IV (Sozialgesetzbuch IV, SGB IV), German Commercial Code (Handelsgesetzbuch, HGB) and German Tax Code (Abgabenordnung, AO). The time limits for storage or documentation are usually six to ten years.

(2) Preservation of evidence within the framework of the statutory period of limitation. Pursuant to Section 195 ff of the German Civil Code (Bürgerliches Gesetzbuch, BGB), these limitation periods can be up to 30 years, with a regular limitation period of 3 years.

If the data is processed in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists. The above exceptions apply. The same applies to data processing on the basis of consent provided. As soon as you revoke this consent for the future, the personal data will be deleted, unless one of the mentioned exceptions exists. If the data is stored on the basis of a works agreement, the storage period is regulated there.

7. What privacy rights do you have?

Every data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restrict processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. The restrictions in the case of the right of access and the right of cancellation apply in accordance with Sections 34 and 35 of the German Data Protection Code (Bundesdatenschutzgesetz, BDSG).

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were granted to us before the General Data Protection Regulation (25 May 2018). Please note that the revocation will only have effect for the future. Processing operations that took place before the revocation are not affected.

In addition, there is a right of complaint with a competent data protection supervisory authority (Article 77 GDPR). For example, you can contact the National Commissioner for Data Protection and Freedom of Information at the following address:

The Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstraße 219

10969 Berlin

8. Is there an obligation to provide data?

In the context of the employment relationship, you must provide the personal data necessary for the establishment, implementation and termination of an employment relationship and for the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract with you.

9. To what extent is there automated decision-making?

We do not use fully automated decision-making in accordance with Article 22 GDPR to establish, execute and terminate the working relationship. Should we use these procedures in individual cases, we will inform you about this and your rights in this regard separately, if this is required by law.

10. Is profiling taking place?

We do not process your data with the aim of automatically evaluating certain personal aspects.

11. Information about your right to object under Article 21 of the General Data Protection Regulation (GDPR)

11.1 Case-by-case right of objection

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you which is based on Article 6 paragraph 1 letter f GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4 (4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of the assertion, exercise or defence of legal claims.

11.2 Recipient of an objection

The objection can be made informally with the subject “opposition”, stating your name and address, and should be addressed to:

DLE Group AG

Tauentzienstraße 11

10789 Berlin

E-Mail: Datenschutz@dle.ag