Data Protection

The protection of your data is important to us
We have taken it upon ourselves to support your personal career development with technical and management personnel, to be available to you as a long-term partner throughout the stages of your career.

At the centre of this responsibility is the duty to be forthright with you regarding your personal data that we record, how we use those data, and with whom we share them.

If you use our services, this duty will be based on the following data privacy statement.

Data privacy statement in accordance with the GDPR

I.    Name and address of the controller

The controller as defined by the General Data Protection Regulation, other national data protection laws of the member states, and other data protection provisions, is:

arcoro GmbH
Ziegelhäuser Landstr. 39
69120 Heidelberg, Germany
Tel.: +49 (0) 6221 47 84 20

Email: info@arcoro.de
Website: www.arcoro.de

II.    Name and address of the data protection officer

The controller’s data protection officer is:

Hr. Patrick Gsell
Rechtsanwalt
Rathausstr. 6
74348 Lauffen am Neckar
ww.anwalt-gsell.de

III.    General information on data processing

1.    Extent of the processing of personal data

We collect and use personal data from our users only if this is needed for our content and services and to provide a functional website. We periodically collect and use our users’ personal data only with their consent. This does not apply if practical circumstances prevent us from obtaining prior consent or we may process the data under statutory provisions.

2.    Legal bases for processing personal data

If the data subject permits us to process personal data, Art. 6 (1) a GDPR serves as the legal basis.
If personal data must be processed to fulfil a contract whose contracting party is the data subject, the legal basis is Art. 6 (1) b GDPR. This also applies to processing operations that are necessary to implement pre-contractual measures.
If personal data must be processed to fulfil a legal obligation to which our company is subject, the legal basis is Art. 6 (1) c GDPR. If vital interests of the data subject or another natural person necessitate the processing of personal data, the legal basis is Art. 6 (1) d GDPR.
If the processing is necessary to safeguard a legitimate interest of our company or a third party, and that legitimate interest is not outweighed by the interests, basic rights and freedoms of the data subject, the legal basis will be Art. 6 (1) f GDPR.

3.    Data deletion and duration of storage

The data subject’s personal data will be deleted or blocked as soon as the purpose of storage no longer applies. We may also store that data if such storage is provided for through the European or national legislature, in the form of directives under European Union law, statutes or other provisions to which the controller is subject. The data will also be deleted or blocked if a storage period prescribed by the standards mentioned expires, unless the data must be stored for longer to conclude or fulfil a contract.

4.    Use of Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc., (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; “Google”). This use entails the mode of operation “Universal Analytics”. Data, sessions and interactions across multiple devices can be allocated to a pseudonymous user ID to analyse a particular user’s cross-device activities.

Google Analytics uses cookies, text files that are stored on your computer and allow us to analyse how you use our website. The information the cookie generates about your use of this website is normally transmitted to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, Google will truncate your IP address in advance within the member states of the European Union or other Contracting Parties to the EEA Agreement. In exceptional cases, the full IP address will be transmitted to a Google server in the USA and truncated there. The IP address transmitted as part of Google Analytics will not be pooled with other Google data. On behalf of this website’s operator, Google will use this information to evaluate how you use the website, compile reports about website activities, and render additional services for the website operator which are connected with the use of the website and the internet. These purposes also include our legitimate interest in data processing. The legal basis for the use of Google Analytics is § 15 (3) TMG (German Telemedia Act) or Art. 6 (1) 1 f GDPR. The data we send that are connected to cookies, user recognition (such as a user ID) or advertiser ID will be deleted automatically after 14 months. Once per month, we delete data whose retention period has expired. You will find more information about usage conditions and data protection under https://www.google.com/analytics/terms/gb.html or under https://policies.google.com/?hl=en-GB.

You can prevent the cookies from being stored by adjusting your browser settings accordingly, but we must point out that if you do, you will not be able to use all of this website’s functions to their full extent. You can also prevent Google from recording and processing the data generated by the cookie which relates to your use of the website (including your IP address) by downloading and installing the browser add-on. Opt-out cookies prevent your data from being recorded when you visit our website in the future. To prevent Universal Analytics from recording your data across various devices, you must implement the opt-out on all the systems you use. If you click here, the opt-out cookie will be set: Deactivate Google Analytics

IV.    Provision of the homepage and creation of log files

1.    Description and extent of the data processing

Whenever our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data will be collected:

(1)    Information on the browser type and the version used
(2)    The user’s operating system
(3)    The user’s internet service provider
(4)    The user’s IP address
(5)    Date and time of access
(6)    Websites from which the user’s system is directed to our internet site
(7)    Websites which are accessed from the user’s system via our website

The log files contain IP addresses that allow allocation to a specific user. This can be the case, for example, if the link to the website from which the user arrives at the internet site, or the link to the website to which the user navigates, contains personal data. The data will also be stored in our system’s log files. This data will not be stored together with other personal data of the user.

2.    Legal basis for data processing

The legal basis for storing the data and the log files temporarily is Art. 6 (1) f GDPR.

3.    Purpose of data processing

The IP address must be temporarily stored by the system so the webpage can be delivered to the user’s computer. To do so, the user’s IP address must remain stored during the entire session.

It is stored in log files to ensure the webpage’s functionality. The data also help us optimise the webpage and ensure the security of our IT systems. In this context, the data will not be evaluated for marketing purposes.
These purposes also include our legitimate interest in data processing under Art. 6 (1) f GDPR.

4.    Storage period

The data will be deleted when it is no longer needed to meet the goal for which it was collected. If the data was collected to provide the webpage, the data will be deleted when the session in question is over.

V.    Registration [check-in candidate]

1.    Description and extent of the data processing

Our internet site offers users the option of registering by entering personal data. The data is entered into an input mask, then transmitted to us and stored. The data will not be forwarded to third parties. The following data is collected during the registration process:

In addition, the following data will be stored at the time of registration:

(1)    The user’s IP address
(2)    Date and time of registration
(3)    Personal data (example: first name, last name, email, telephone number, location)
(4)    Career-related data (example: academic degree, course of studies, employer, technical skills, mobility, reason for wishing to change careers, ideal time for a new assignment, brief description of the assignment)

During the registration process, the user’s consent to have their data processed will be obtained using a tick box.

2.    Legal basis for data processing

If the user’s consent has been obtained, the legal grounds for processing the data is Art. 6 (1) a GDPR.

3.    Purpose of data processing

The registration does not serve to conclude a contract with the user:
The user must register for certain content and services to be kept ready on our webpage.

The identification of and information revealed by the contents serve future consultation based on the services arcoro GmbH offers in the environment of human resources consulting and coaching.

4.    Storage period

The data will be deleted when it is no longer needed to meet the goal for which it was collected. Personal data from the input mask of the contact form and that which was sent via email will be deleted when the respective conversation with the user has ended. The conversation will end when circumstances reveal that the situation concerned has been finally cleared up.

The additional personal data collected during the sending procedure will be deleted after a time limit of 30 days at the latest, provided you have fulfilled the processing purpose and contact has been established. If the data are still needed for human resources consulting, the data subjects will be informed of this during communication with company employees. Consent to the further processing is obtained separately.  If no contact is established, the personal data will be deleted automatically after seven days.

5.    Possibility for objection and rectification

As a user, you have the option of cancelling your registration at any time. You can have the data stored about you altered at any time. To delete or change the data, please email us at info@arcoro.de, or send a letter to the address (arcoro GmbH, Ziegelhäuser Landstr. 39, 69120 Heidelberg, Germany).

VI.    Contact form and email contact

1.    Description and extent of the data processing

A contact form is available on our internet site which can be used for making contact electronically. If a user takes advantage of this possibility, the data entered into the input mask will be transmitted to us and stored. These data are:

When the message is sent, the following data will be stored as well:

(1)    The user’s IP address
(2)    Date and time of registration
(3)    Personal data (first name, last name, email, reason for inquiry, message)
(4)    Optional information (company, position)

To process the data, your consent will be obtained during the sending procedure and this data privacy statement will be referred to.

In the alternative, contact can be made via the email address provided. In this case, the user’s personal data transmitted along with the email will be stored.

In this context, the data will not be forwarded to third parties. The data will be used exclusively to process the conversation.

2.    Legal basis for data processing

If the user’s consent has been obtained, the legal grounds for processing the data is Art. 6 (1) a GDPR.

The legal grounds for processing data transmitted when an email is sent is Art. 6 (1) f GDPR. If the email contact aims to conclude a contract, an additional legal foundation for the processing is Art. 6 (1) b GDPR.

3.    Purpose of data processing

Processing the personal data from the input mask serves the exclusive purpose of helping us process the contact that is made. Making contact through email also constitutes the required legitimate interest in processing that data.
The other personal data processed during the sending procedure serve to prevent misuse of the contact form and ensure the security of our IT systems.

4.    Storage period

The data will be deleted when it is no longer needed to meet the goal for which it was collected. Personal data from the input mask of the contact form and that which was sent via email will be deleted when the respective conversation with the user has ended. The conversation will end when circumstances reveal that the situation concerned has been finally cleared up.

The additional personal data collected during the sending procedure will be deleted after a time limit of 30 days at the latest, provided you have fulfilled the processing purpose and contact has been established. If the data are still needed for human resources consulting, the data subjects will be informed of this during communication with company employees. Consent to the further processing is obtained separately.  If no contact is established, the personal data will be deleted automatically after seven days.

5.    Possibility for objection and rectification

The user may at any time revoke their consent to have their personal data processed. If the user contacts us through email, they can object at any time to having their personal data stored. In such a case, the conversation cannot be continued.

If they do object, all personal data that was stored when contact was established will be deleted.

VII.    Rights of the data subject

If your personal data is processed, you are the data subject as defined by the GDPR and are entitled to the following fights toward the controller:

1.    Right of access

You can demand that the controller confirm whether we are processing personal data concerning you.
If this is the case, you can demand access to the following information from the controller:
(1)    the purposes for which the personal data is processed;
(2)    the categories of personal data being processed;
(3)    the recipient or categories of recipients to whom the personal data concerning you were or will be disclosed;
(4)    the planned duration of the storage of the personal data concerning you, or if no specific information is available to this end, the criteria for determining the storage period;
(5)    the existence of a right to have the personal data concerning you corrected or deleted, a right to restrict its processing through the controller, or a right to object to that processing;
(6)    the right to complain to a supervisory authority;
(7)    all available information on the origin of the data, if the personal data was not collected from the data subject;
(8)    the existence of automated decision-making, including profiling under Art. 22 (1) and 4 GDPR and—at least in these cases—meaningful information about the logic involved, as well as the implications and sought-after effects such processing would have for the data subject.
You have the right to demand whether the personal data concerning you are transmitted to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.

2.    Right to rectification

If the processed personal data that concerns you is incorrect or incomplete, you have the right against the controller to have it corrected, deleted, or both. The controller must undertake such correction without undue delay.

3.    Right to restriction of processing

You can demand that the processing of the personal data concerning you be restricted, under the following conditions:
(1)    If you dispute that the personal data concerning you is incorrect, for a duration which enables the controller to check its correctness;
(2)    The processing is incorrect and you waive your right to have it deleted, instead demanding that its use be restricted;
(3)    The controller of the personal data no longer needs it for the purposes of its processing, but you need it to assert, exercise or defend against legal claims, or
(4)    If you have filed an objection against the processing under Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.
If the processing of the personal data concerning you has been restricted, those data—regardless of their storage—may be processed only (1) with your consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
If the processing has been restricted according to the aforementioned conditions, the controller will inform you before that restriction is lifted.

4.    Right to erasure

a)    Obligation to erase
You may demand from the controller that the personal data concerning you be erased without undue delay, and the controller will be obligated to do so provided one of the following grounds applies:
(1)    The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2)    You withdraw your consent on which the processing is based under Art. 6 (1) a or Art. 9 (2) a GDPR, and there is no other legal basis for the processing.
(3)    You object to the processing under Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21 (2) GDPR.
(4)    The personal data concerning you was illegally processed.
(5)    The personal data concerning you must be erased to fulfil a legal obligation under EU or member state law to which the controller is subject.
(6)    The personal data concerning you was collected in regard to information society services offered pursuant to Art. 8 (1) GDPR.

b.    Information to third parties
If the controller has publicised the personal data and is obligated under Art. 17 (1) GDPR to erase that data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c)    Exceptions
The right to erasure does not exist if the processing is necessary:
(1)    to exercise the right to information and freedom of expression;
(2)    to fulfil a legal obligation required by EU or member state law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
(3)    for reasons of the public interest in the area of public health under Art. 9 (2) h and i as well as Art. 9 (3) GDPR;
(4)    for purposes of archiving, academia or historical research which lie in the public interest, or for statistical purposes under Art. 89 (1) GDPR, insofar as the right mentioned in section a) is expected to prevent or seriously impair the realisation of the objectives of this agreement, or
(5)    to assert, exercise or defend against legal claims.

5.    Right to information

If you have asserted your right to rectification, erasure or restriction of the processing toward the controller, that controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or would entail a disproportionate effort.
You have the right to be informed by the controller about those recipients.

6.    Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as
(1)    the processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and
(2)    the processing occurs with the help of automated procedures.
In exercising this right, you may also effect that the personal data concerning you are transmitted directly from one controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others.
The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.

7.    Right to object

You have the right to object at any time, for reasons arising from your particular situation, if personal data concerning you are processed based on Art. 6 (1) e or f GDPR. This also applies to profiling based on these provisions.
The controller will cease processing the personal data concerning you unless the controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise or defend against legal claims.
If the personal data concerning you are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).

8.    Right to withdraw the declaration of consent granted under data protection laws

You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing consent will not affect the legality of any processing performed on the basis of that consent before that consent was withdrawn.

9.    Automatic decision-making in individual cases, including profiling

You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision
(1)    is necessary to conclude or fulfil a contract between you and the controller,
(2)    is permitted under EU or member state law to which the controller is subject and which stipulate reasonable measures for guarding your rights, freedoms and legitimate interests, or
(3)    is made with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR unless Art. 9 (2) a or g GDPR apply and reasonable measures have been taken to protect your rights, freedoms and legitimate interests.
Regarding the cases mentioned in (1) and (3), the controller shall take reasonable measures to guard your rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your own point of view, and to contest the decision.

10.    Right to complain to a supervisory authority

If you believe that the processing of the personal data concerning you breaches the GDPR, you have the right to complain to a supervisory authority—especially in the member state of your abode, your workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies.
The supervisory authority to which the complaint is submitted shall inform the complainant about the status and results of that complaint, including the possibility for judicial remedy under Art. 78 GDPR.