Processing of (personal) data by the entity in charge of the online application process

Privacy Notice to Applicants concerning personal data processing

Effective date of this notice: 10.12.2021

I. General information about the processing of your data 
This privacy notice, which refers exclusively to data collected as part of the online application process, is to inform you about how your personal data that is collected as part of the online application process is handled at our end according to Art. 12 – 14 General Data Protection Regulation (hereinafter: GDPR).
This notice explains
•    Who is responsible for the processing of your personal data;
•    What personal data we collect;
•    The purpose and legal basis of the processing;
•    With whom we share your personal data;
•    How long we store your personal data;
•    How we protect your personal data;
•    Where to address your questions or complaints.

General contact information 
If you have any questions about this privacy notice, you can contact us at any time using the contact information below:

Energy Nest AS.
Billingstadsletta 13
1396 Billingstad
Mail: post@energy-nest.com
Phone: +47 66 77 94 60
Web: https://energy-nest.com/

hereinafter referred to as “EnergyNest”, “we”, “us” or “our”.

Questions about data protection
If you have any questions about data protection with regard to our company or the online application process, you can contact us using the contact details given in the "General contact information" section or you can contact our Vice President People & Culture, Mr. Gunnar Schwartz, email: gs@energy-nest.com. 

Personal data we process as part of the application process 
Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual. This includes information such as, for example, your name, address, telephone number and date of birth, but also data relating to your specific career etc. by reference to which a specific individual can be identified with reasonable effort. However, information which cannot be (in)directly associated with your real-life identity is not personal data.

Personal data that you provide to us:
If you apply to us electronically, i. e. via e-mail or using our online form, we will collect and process the following personal data that you provide to us for the purpose of executing the application process and preparing contracts:

•    Identifiers: Name, email address, contact details, date of birth, telephone number.
•    Location information: address.
•    Employment information: resume/CV, certifications, qualifications.
•    Education information: School / university, degree/grades earned, your major, graduation date, skills, and additional details.
•    Special categories of personal data: Race, national origin, health data (e. g. any disabilities you may have), marital status, gender identity and expression, citizenship or citizenship status.
•    Background information: Details about previous employments that we have obtained from you or, subject to your permission, a third party as part of background checks, if any.
•    Meta data: Date/time of application, IP address, Browser information, Operating system used, language and version of the browser software, date and time of access, host name of the accessing end device, content of the request (specific website), access status/http status code, websites accessed via the website, referrer URL (the previously visited website), message as to whether the request was successful, amount of data transferred, time zone difference to GMT.

Personal data that we receive from third party sources: 
By submitting an application via our recruitment website or via “Personio” (Personio GmbH, Rundfunkplatz 4, 80335 München, contact: datenschutz@personio.de; hereinafter: “Personio”), you express your interest in taking up work with us. In this context, we may receive your identifiers, location information, professional or employment information and/or education information that you transmitted via other sources such as “Personio”, to the extent you have shared such information via third party sources. We will use and store this information exclusively for the purpose of your job search / application process.

Only authorized HR staff and/or staff of affiliated companies involved in the application process have access to your data.
The personal data is stored, as a rule, exclusively for the purpose of filling the vacancy for which you have applied.
Should you be offered and accept a position with us during the application process, we will store the personal data collected as part of the application process for at least the duration of your employment.

Purposes / Legal basis for processing
We process your personal data for the initiation, performance or conclusion of the application process or employment relationship, as well as for the exercise and fulfillment of legal and contractual obligations or for the purposes of legal prosecution.

In detail:
•    Assessment of suitability: To assess your suitability for a role for which you have applied and to manage your application as well as to assess your working capacity, we may process your identifiers, location, special categories of personal data, professional or employment information and/or education information. The legal basis for this processing is Art. 6(1)(b) GDPR. When processing special categories of personal data, the legal basis is Art. 9(2)(b) GDPR.

•    Conduct reference checks: To conduct reference checks, we process your identifiers, professional or employment information, and education information. The legal basis for this processing is Art. 6(1)(b) in connection with the respective legal basis arising from national law.

•    Communication: To communicate with you about your application and respond to questions you may have about the application process, we process your identifiers, professional, employment and/or education information related to you and the specific communications with you. The legal basis for this processing is Art. 6(1)(b) GDPR in connection with the respective legal basis arising from national law.

•    Monitor compliance: Where permitted by local law, to monitor compliance with equal opportunities and non-discrimination policies, as well as for complying with our health, safety, and occupational health obligations, we process your protected classifications and special categories of data. The legal basis for the processing of personal data is Art. 6(1)(c) GDPR. To the extent we process special categories of personal data, we rely on the additional legal basis of Art. 9(2)(h) GDPR in connection with the respective legal obligation arising from Union law or national law.

•    Law enforcement: To respond to legal processes such as subpoenas, to pursue legal rights, defend litigation, or comply with requests of government or public authorities, we may process your identifiers, protected classifications / special category data, professional or employment information to the extent it is relevant to such legal purposes. The legal basis for this processing is Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. In such cases, our legitimate interest is in asserting or defending claims.

Insofar as the processing of your data in accordance with the purposes outlined above is based on Art. 6(1)(b) GDPR, the provision of your personal data is necessary for the preparation, conclusion, implementation and/or termination of the application procedure or the initiation of the employment relationship with you. You are not required to provide your personal data during the application process. However, if you do not provide the information or personal data, we may not be able to process your application properly or to manage your contact request. 

Storage period
In the event of a rejection, applicants' personal data stored in our database will be deleted 6 months after completion of the application process unless it is apparent that the data will be needed for legal reasons, such as defending against legal claims. In such cases the legal basis for this processing is Art. 6(1)(f) GDPR and our legitimate interest is in asserting or defending claims. If you are offered a job in the context of the application process, the data will be transferred to our HR information system. If your application is successful, the information will form part of your employment file and we will be entitled to process it for all relevant purposes in connection with your employment.

With whom we share your personal data 
As part of the application process, your data will be processed internally by employees in the HR department, recruitment coordinators, interview panelists, and department heads as well as hiring managers to whom your position would report. 
Data transmitted as part of your application on our website will be transferred using TLS encryption and stored in a database. This database and our recruiting website are operated by “Personio”, which offers a human resource and applicant management software solution (https://www.personio.com/legal-notice/). In this context, “Personio” is our processor under Art. 28 GDPR. We use “Personio” together with our affiliated companies (Energy Nest AS, Torre Remedios Business Center, Av. República Argentina 24, Sevilla; EnergyNest GmbH, Poststr. 14-16, 20354 Hamburg, Germany) for talent acquisition and for our application process via job boards as well as the career portal on our website. For more information about our internal processing of your personal data and our classification as a joint controller, please see section II. of this privacy notice below. To the extent engaged in the application process, “Personio” will process so-called “server logs”, general protocol data when you access the application website, identifiers such as your personnel master data (in particular name, date of birth, address, contact details), contract master data (e. g. marital status, professional/educational qualifications, certificates) and employment information/inferences such as related assessments or email messages that we will send to you. Your data processed in connection with “Personio” will be erased no later than six months after completion of the application process.
The legal basis for the processing via “Personio” is Art. 6(1)(f) GDPR. Our legitimate interest in involving the external service provider is to optimize our digital application process (job posting and filling process) and to provide a simple application form for the applicants. For further details about privacy at “Personio”, please refer to https://www.personio.com/privacy-policy/.

Rights of data subjects 
If we as the controller process personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object to the processing of your personal data which occurs based on Art. 6(1)(e) or (f) GDPR at any time for reasons arising from your particular situation (Art. 21 GDPR). If you object, we will not process your data further, unless we can prove compelling legitimate reasons for the processing which outweigh your interests, rights, and freedoms or, moreover, the processing serves to establish and exercise or defend against legal claims (Art. 21(1) GDPR). Furthermore, under Art. 21(2) GDPR you have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that this is related to such direct marketing. In this privacy policy, we draw your attention to this right to object when describing each processing operation. If the personal data is processed with your consent, you have the right to withdraw this consent under Art. 7(3) GDPR. To assert your rights as a data subject in relation to the data processed during this online application process, please refer to our Contact details (see section 2).
If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice.

Concluding provisions / Changes to this privacy notice 
We reserve the right to adjust this data privacy statement at any point in time to ensure that it is always in line with the current legal requirements, or to accommodate changes in the application process or other processes. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application. We will post the new data privacy statement on this page and/or in the job ads that we post on our career website or other job boards and will indicate the date it goes into effect. If the changes allow us to use personal data in ways that are different from the ways specified at the time the information was originally collected, our website will contain a special notice about the changes and, if required by law, will prompt you for your consent for certain changes. In addition to this data privacy statement, please view our general data privacy statement at https://energy-nest.com/privacy-policy/. 

Automated decisions
We do not currently use automated decision making as part of the application process.


________________________________________
II. Information according to Art. 26(2) GDPR – Joint responsibility 

Background / Processing purposes
We process your personal data, as mentioned in section I. above, jointly with our affiliated companies (Energy Nest AS, Torre Remedios Business Center, Av. República Argentina 24, Seville; EnergyNest GmbH, Poststr. 14-16, 20354 Hamburg, Germany), especially within the framework of the "Personio" software. With this software, we intend to centrally manage and jointly organize the planning and filling of vacancies at our company and our affiliated companies. We have jointly determined the purposes and means of data processing and are therefore also jointly responsible for the protection of your personal data in accordance with Art. 26 GDPR. For more details on the purposes of the processing, see information in section I. ("Purposes / Legal basis for processing").

Responsibilities
Within the scope of this joint controllership under data protection law (Art. 26 GDPR), we have reached agreements with our affiliated companies on who fulfills the existing obligations under the GDPR. This relates in particular to the exercise of data subjects’ rights and the fulfillment of the information obligations under Articles 13 and 14 of the GDPR. This agreement is necessary because your data is processed both by us in the context of managing your application documents in “Personio” and by affiliated companies.

Joint Controller Agreement of the parties and effect on data subjects
While we are joint controllers, we and our affiliated companies fulfill the obligations under data protection law in accordance with the respective responsibilities for the individual processing stages: 
•    Each company is responsible for collecting applicant data via their job profile or job advertisement and for filling the respective position. 
•    We and our affiliated companies are jointly responsible for the administration of applicant data within our HR process as well as the adaptation or modification, reading out, querying and use.
•    We are jointly responsible with our affiliated companies for the restriction, deletion, or destruction of personal data.

Provision of privacy information and assertion of data subject rights
You can assert your data subject rights (see in detail the section "Rights of data subjects" above in section I.) against us as well as against our affiliated companies. We and our affiliated companies will inform each other without delay of any claims or legal positions asserted by data subjects. We will provide each other with all information necessary to respond to requests for information.
We shall provide the data subjects, irrespective of the responsibility for the respective processing phase, with the information required pursuant to Art. 13 and 14 of the GDPR in a precise, transparent, comprehensible, and easily accessible form in a clear and simple language free of charge. In this regard, the companies affiliated with us provide us with all the necessary information from their sphere of activity.

Contact details / Questions about data privacy
You can contact us and our affiliates with questions about this privacy notice using the following contact information: 

Energy Nest AS.
Olav Brunborgs vei 6
1396 Billingstad
Mail: post@energy-nest.com
Phone: +47 66 77 94 60
Web: https://energy-nest.com/

EnergyNest Iberia SLU
Torre Remedios Business Center
Av. República Argentina 24, planta 3
41011 Seville
Spain

EnergyNest GmbH
Poststr. 14-16
20354 Hamburg

Legal basis of processing
The legal basis for joint processing is Art. 6(1)(f) GDPR. With the joint processing of personal data, we pursue the legitimate interest of centralizing and optimizing the application process and filling vacancies with interesting applicants from different destinations.
You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Contact details” above.

Storage period
The data processed in the course of applications will be deleted 6 months after completion of the application process unless it is apparent that the data will be needed for legal reasons, such as defending against legal claims. In such cases the legal basis for this processing is Art. 6(1)(f) GDPR and our legitimate interest is in asserting or defending claims. If you are offered a job in the context of the application process, the data will be transferred to our HR information system. If your application is successful, the information will form part of your employment file and we will be entitled to process it for all relevant purposes in connection with your employment.

Third-country transfer
A transfer of data to a third country, i. e. to a country outside the European Union or the European Economic Area, does not currently take place. In the event of a future transfer to a third country, we will fulfil the requirements of Art. 44 et seq. GDPR.

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR).
Period of storage: up to 1 month or until the end of the browser session.
Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.