Data protection
General note and mandatory information

This privacy policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as 'data') within our online offer and the associated websites, functions and content as well as external online presences, such as our social media profile. (hereinafter collectively referred to as 'online offer').

Person responsible

Lukas Rogge & Drazen Nikolaus GbR
Römerstrasse 15
63450 Hanau
Tel.: +49 69 870046466
E-Mail: info@calmaroi.de

Data Protection Officer

Die Auditoren GmbH
Mercatorstraße 2
40545 Düsseldorf
E-Mail: datenschutzprofi_17@die-auditoren.de

Types of data processed
  • Contact form
  • Inventory data (e.g. first name and surname, date and place of birth, nationality, marital status, in individual cases your birth register number)
  • Contact details (e.g. postal address, telephone and fax numbers, e-mail address)
  • Bank details, social security data
Purpose of the processing

As an intermediary between jobseekers and companies, we process personal data for the purpose of job placement. Furthermore, we process personal data in order to register foreign job seekers in Germany and to accompany their relocation.

Further purposes of processing
  • Provision of the online offer, its functions and contents
  • Answering contact requests and communicating with users
  • Security measures
Terminology used

'Personal data' means any information relating to an identified or identifiable natural person (hereinafter 'data subject')

'Processing' means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.

The 'controller' is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A 'processor' is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

'Third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Consent is an expression of self-determination under data protection law. It is the voluntary, informed and unambiguous expression of will in the form of a statement or other unambiguous affirmative act by which the data subject indicates that they consent to the processing of their personal data. Consent that has been given can be revoked at any time.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR, the legal basis for processing for the performance of our services and implementation of contractual measures as well as responding to inquiries is Art. 6 para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

The processing of applicant data is carried out to fulfill our (pre-)contractual obligations in the context of the application process within the meaning of Art. 6 para. 1 lit. b. GDPR Art. 6 para. 1 lit. f. GDPR if the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, § 26, BDSG also applies).

The application procedure requires applicants to provide us with their application data. If we offer an online form, the necessary applicant data is marked, otherwise it is derived from the job descriptions and generally includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. Applicants can also voluntarily provide us with additional information.

By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the type and scope set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).

If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. We therefore cannot assume any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending it by post. Instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post.

Security measures

We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Deletion of data and storage duration

We will delete or block your personal data as soon as the purpose for storing it no longer applies. In addition, however, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject. This applies, for example, to data that must be stored for commercial or tax law reasons, such as billing data for subscriptions. Your data will be blocked or deleted if a storage period prescribed by these regulations expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

The data provided by applicants may be processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is not successful, the applicant's data will be deleted 6 months after receipt. Applicants' data will also be deleted within 6 months if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified revocation by the applicant, the deletion will take place after a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

We delete applications for successful vacancies 6 months after the employment contract has been signed and the position has been taken up. Relevant payroll data is archived in accordance with statutory tax regulations.

Rights of the data subjects

Right to lodge a complaint with the competent supervisory authority
In the event of breaches of data protection law, the data subject has the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority for data protection issues is the state data protection officer of the federal state in which our company is based. The authority responsible for us is
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Website: https://datenschutz.hessen.de

Right of withdrawal
You have the right to withdraw your consent in accordance with Art. 7 (3) GDPR with effect for the future.

Right of objection
You can object to the future processing of data concerning you at any time in accordance with Art. 21 GDPR. In particular, you may object to processing for direct marketing purposes.

Right to information
You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, you can request the following information:

  • the purposes of processing
  • the categories of personal data that are processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, whereby in connection with the transfer to a third country or to an international organization you also have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of a right to rectification or erasure of personal data concerning you or to restriction of processing by us or a right to object to such processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • if the personal data is not collected from you, all available information about the origin of the data
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

We will provide you with a copy of the personal data that is the subject of the processing within one month of receiving your request for information. For any further copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, we will provide you with the information in a commonly used electronic format, unless you specify otherwise.

Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure ('right to be forgotten')
You have the right to obtain from us the erasure of personal data concerning you without undue delay and we are obliged to erase personal data without undue delay where one of the following grounds applies:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • You withdraw your consent on which the processing was based and there is no other legal basis for the processing.
  • You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing.
  • The personal data was processed unlawfully.
  • The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States.
  • The personal data was collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.

If we have made the personal data concerning you public and we are obliged to delete it, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you have requested them to delete all links to this personal data or copies or replications of this personal data.

The right to erasure ('right to be forgotten') does not exist if the processing is necessary:

  • to exercise the right to freedom of expression and information
  • for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
  • for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the assertion, exercise or defense of legal claims.

Right to restriction of processing
You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:

  • you contest the accuracy of the personal data concerning you for a period enabling us to verify the accuracy of the personal data
  • the processing is unlawful and you request the restriction of the use of the personal data instead of erasure
  • we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
  • You have lodged an objection to the processing as long as it has not yet been determined whether our legitimate reasons outweigh your reasons.

Where processing has been restricted in accordance with the above conditions, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, we will inform you before the restriction is lifted.

Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and carried out by automated means.

In exercising the right to data portability, you may request that the personal data be transmitted directly from us to another controller, insofar as this is technically feasible. The exercise of the right to data portability does not affect the right to erasure ('right to be forgotten'). This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Automated decision making / profiling

We do not use automated decision-making or profiling.

Cookies

If cookies or cookie-like technologies are used in the context of data processing, the storage of information in the end user's terminal equipment or access to information already stored in the end user's terminal equipment is carried out in accordance with Section 25 (1) TTDDG in conjunction with Art. 6 (1) (a) GDPR (consent).

If the use of cookies is deemed absolutely necessary for the operation of the website, this is done on the basis of Section 25 (2) TDDDG.

Collection of access data and log files

We, or our hosting provider, collect on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR. GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Provision of contractual services

We process inventory data (e.g., names and addresses as well as contact data of users), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 para. 1 lit. b. GDPR. GDPR. Data marked as mandatory in online forms is required for the conclusion of the contract.

As part of the use of our online services, we store the IP address and the time of the respective user action. The storage takes place on the basis of our legitimate interests, as well as those of the user in protection against misuse and other unauthorized use in accordance with Art. 6, para. 1 lit. f. This data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.

Contact us

When contacting us (e.g. by contact form, email, telephone or via social media), the user's details are processed to process the contact request and its handling in accordance with Art. 6 para. 1 lit. b) GDPR. The user's details may be stored in a customer relationship management system ('CRM system') or comparable inquiry organization.

We delete the requests if they are no longer required. We review the necessity every two years

Integration of third-party services and content

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we use content or service offers from third-party providers within our online offer. GDPR) content or service offers from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as 'content').

This always presupposes that the third-party providers of this content are aware of the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as 'web beacons') for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and contain, among other things, technical information about the browser and operating system, referring websites, visit time and other information about the use of our online offer, as well as being linked to such information from other sources.

Use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Ireland Limited ('Google'), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables us to analyze the behavior of visitors to our website and to improve user-friendliness.

Type of data collected
Google Analytics collects the following data, among others:

  • IP address (anonymized)
  • Duration of visit
  • Origin of the visitors (referrer)
  • Click behavior on the website
  • Device type and browser information

Legal basis of the processing
The processing of personal data by Google Analytics is carried out in accordance with Art. 6 para. 1 lit. a GDPR on the basis of your consent. You can withdraw your consent at any time.

IP anonymization
We have activated IP anonymization in Google Analytics. This means that your IP address is shortened within the EU and not stored in full.

Data transfer to the USA
Google Analytics transfers data to the USA. Google is certified in accordance with the EU-US Data Privacy Framework, which is intended to guarantee an appropriate level of data protection. Nevertheless, there is a residual risk, as US authorities could gain access to this data under certain circumstances.

Online presence in social media

We maintain online presences within social networks in order to communicate with the users active there and to offer information about us. When accessing the respective networks, the terms and conditions and data processing guidelines of their respective operators apply. Data may also be processed outside the European Union. For US providers that are certified under the Data Privacy Framework, this ensures an appropriate level of data protection.

  • Facebook & Instagram (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Irland) - Privacy policy
  • Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland) – Privacy policy
  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland) - Privacy policy
  • Xing (New Work SE, Am Strandkai 1, 20457 Hamburg, Deutschland) - Privacy policy
  • TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Irland) - Privacy policy