Privacy Notice for Applicants

Information for applicants pursuant to Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR) on the handling of personal data

 

1. Introduction

Dear applicant,

We hereby inform you which personal data we collect about you, how and why we process such data, and which rights you have under the GDPR.

1.1 Controller

CIRQL ONE GmbH
Langer Anger 7-9
69115 Heidelberg
Germany
Phone +49 6221 4053650
E-Mail: info@cirqlone.com
Website: https://cirqlone.com/

(hereinafter: „Cirql One” „we”, „us”, „our”)

1.2 Contact details of the Data Protection Officer

Thomas Ott
kolbcom GmbH
P 7, 22
68161 Mannheim
Germany
E-Mail: info@kolbcom.de

 

2. Nature, scope and purpose of the processing of personal data

2.1 Categories of data subjects

This Privacy Notice relates to data that we collect and process from applicants who apply for an employment relationship with us.

2.2 Categories of personal data

In connection with our recruitment process, we process the following personal data:

  • contact details, for example your private address, private telephone numbers and e-mail addresses;
  • identification data, for example your name, gender and date of birth;
  • your cover letter and curriculum vitae;
  • information on education and qualifications, including certificates and evidence of performance;
  • information on professional qualifications, achievements and skills;
  • information on previous work performance and professional career history;
  • information regarding any visas applied for;
  • information about your racial or ethnic origin, gender and health status that may be necessary in order to comply with anti-discrimination laws and reporting obligations towards authorities, and which we require in order to comply with statutory requirements relating to equal treatment;
  • where applicable, availability and salary information;
  • where applicable, requests and documents relating to police clearance certificates; where applicable, information concerning criminal proceedings relating to you that arises in the context of a review of your criminal record or as a result of a mandatory disclosure by you;
  • further special categories of personal data or other personal data that you voluntarily and unsolicitedly disclose in the context of your application.

2.3 Source of the personal data

We usually collect these data directly from you. In some cases, we collect data about you from third parties:

  • insofar as they relate to the establishment of an employment relationship, information on past criminal proceedings and convictions resulting from a review of criminal records;
  • information about your previous employment, including proof of employment, and further information regarding your suitability and qualifications for our company resulting from references provided by you and/or by third parties, such as recruitment agencies;
  • further information which we receive through external service providers commissioned by us to carry out applicant screening;
  • information obtained by us from certain publicly accessible sources, including the internet, such as Xing, LinkedIn and similar sources.

2.4 Purposes of processing and legal bases

The purpose of collecting and processing the data is to enable us to make a selection decision in relation to the respective advertised position or, in the case of unsolicited applications, in relation to our need for new employees, and to communicate this decision to the applicants.

2.4.1 Ongoing recruitment process / unsolicited application

The legal bases for processing in the context of an ongoing recruitment process and unsolicited applications are Section 26 BDSG in conjunction with Art. 6(1) sentence 1 lit. a and lit. b GDPR as well as Art. 9(2) lit. a GDPR.

Where we collect and process your personal data on the basis of your consent, this is done voluntarily and consent may be withdrawn at any time with effect for the future.

You may refuse to give your consent at any time without stating reasons and without having to fear any disadvantages as a result. Whether or not you give consent has no effect on your chances in the specific recruitment process.

Where you provide us with photographs or other information that is not required for the recruitment process, these data are stored on the basis of Art. 6(1) sentence 1 lit. f GDPR. The sole purpose of the processing in this respect is to properly record your application and to be able to process it without alteration. In accordance with the statutory requirements of the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz – AGG), the photograph is not taken into account in the selection decision regarding the filling of the position.

2.4.2 Inclusion in the applicant pool

You have the option of consenting to inclusion in our general applicant pool. You may give your consent, for example, as part of your online application or by e-mail to the e-mail address specified in the job advertisement.

If you consent, your personal data will be collected as described above and stored beyond the specific recruitment process for which you submitted an application. In particular, you consent to our use of these data in order to continue or reopen the recruitment process if you should be considered for another position, and to contact you accordingly.

This consent is voluntary and may be refused without stating reasons and without you having to fear any disadvantages in the specific recruitment process. Consent once given may be withdrawn at any time with effect for the future; in this case, your data will be deleted without undue delay after completion of the recruitment process or upon receipt of your withdrawal.

Irrespective of any withdrawal, your data will be deleted no later than after 12 months, unless further job opportunities have arisen in the meantime.

The legal bases for processing in this respect are Section 26 BDSG in conjunction with Art. 6(1) sentence 1 lit. a and lit. b GDPR.

 

3. Disclosure of data to third parties and cross-border data processing

3.1 Disclosure of data to third parties

Within our company, we disclose your personal data exclusively to those departments and persons who require such data in order to fulfil contractual and statutory obligations or to safeguard our legitimate interests.

We may transfer your personal data to affiliated companies to the extent this is permissible within the purposes described in section 2 of this Privacy Notice or where you have given us your consent to such disclosure. In these cases, disclosure covers the following company within our group:

Cirql One s.r.o., Galvaniho 15B, 82104 Bratislava, Slovakia

In some cases, your personal data are also processed by service providers engaged by us. Depending on the specific structure of the cooperation with third parties, the interaction in the context of processing is to be classified as separate controllership, processing on behalf of the controller within the meaning of Art. 28 GDPR, or joint controllership within the meaning of Art. 26 GDPR. Some recipients are also subject to statutory confidentiality obligations and process the data as independent controllers. By concluding the respectively required contractual arrangements, we ensure that the processing of personal data by our service providers is always carried out in accordance with the provisions of the GDPR. In this case, the categories of recipients are lawyers, IT service providers and operators of social media platforms.

These include the following companies:

  • Culturez GmbH, Gabriele-Münter-Straße 36, 73760 Ostfildern, Germany
  • JOIN Solutions AG, Erika-Mann-Straße 53, 80636 München, Germany

3.2 Cross-border data processing

In the context of the recruitment process, we use Microsoft 365 and the SharePoint service included therein for the storage and management of application documents. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. In this context, it cannot be ruled out that personal data may be processed in third countries or, in exceptional cases, accessed from there. Microsoft states that, for Microsoft 365, customer data and personal data are generally to be stored and processed within the EU/EFTA under the so-called EU Data Boundary. At the same time, however, Microsoft expressly documents that there may still be scenarios in which data are transferred outside this boundary in order to meet operational requirements or in which personnel outside the EU/EFTA access data remotely.

To the extent that personal data are transferred to third countries in this context, such transfer is carried out on the basis of appropriate safeguards within the meaning of Art. 46(2) lit. c GDPR, in particular on the basis of standard contractual clauses provided by Microsoft. For data transfers to the United States of America, an adequate level of data protection may also exist where the respective recipient is certified under the EU-U.S. Data Privacy Framework; Microsoft Corporation is listed as a participant therein.

Notwithstanding these measures, in the case of data transfers to third countries, it cannot be completely ruled out that authorities in those countries may access data or that data subject rights may not be enforceable in the same manner as within the European Union. However, through the careful selection of our service providers and the conclusion of appropriate contractual arrangements, we ensure that the highest possible level of protection is provided for your personal data. With regard to data transfers to the United States of America, the European Commission has adopted an adequacy decision which, in principle, ensures an adequate level of data protection.

 

4. Storage period and deletion periods

If your application does not result in an employment relationship and you have not given consent to inclusion in the applicant pool, we will delete your data no later than within six months after sending our rejection to you. If you have consented to inclusion in the applicant pool, we will store your data for 12 months after sending our rejection to you, unless further job opportunities have arisen in the meantime.

In the event of a successful application and subsequent employment with our company, your data that are necessary for the performance and organisation of the employment relationship will be stored for the duration of the employment relationship. You will be provided with separate information in this regard.

 

5. Your data protection rights

5.1 Your rights as a data subject

You have the right of access to the processing of your personal data carried out by us pursuant to Art. 15 GDPR, the right to rectification or erasure of your data pursuant to Art. 16 and Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to notification pursuant to Art. 19 GDPR, and the right to data portability pursuant to Art. 20 GDPR.

Where we process your personal data on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR, you have the right under Art. 7 GDPR to withdraw such consent at any time. Please note that withdrawal has effect only for the future. Processing carried out before your withdrawal is not affected by your withdrawal and remains lawful. Please also note that, despite your withdrawal, we may be legally obliged to retain and document certain data.

Right to object

Where the processing of your personal data is carried out pursuant to Art. 6(1) sentence 1 lit. f GDPR in order to safeguard legitimate interests, you have the right under Art. 21 GDPR to object at any time, on grounds relating to your particular situation, to the processing of such data. We will then no longer process these personal data unless we can demonstrate compelling legitimate grounds for the processing. Such grounds must override your interests, rights and freedoms, or the processing must serve the establishment, exercise or defence of legal claims.

In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing for such marketing purposes.

To exercise your rights, it is sufficient to send a notice in text form to the address specified under section 1.2 above or by e-mail to info@cirqlone.com.

5.2 Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR (Art. 77 GDPR). You may exercise this right before a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

In Baden-Württemberg, the competent supervisory authority is:

Der Landesbeauftrage für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Heilbronner Straße 35
70191 Stuttgart
Germany
Tel.: +49 (0) 711/61 55 41 0
E-Mail: poststelle@lfdi.bwl.de

Further information is available at the following link:
https://www.baden-wuerttemberg.datenschutz.de/

 

6. Necessity of providing personal data

The provision of personal data for the initiation and performance of employment relationships is generally neither required by law nor contractually prescribed. You are therefore not obliged to provide personal data. Please note, however, that such data are generally necessary for the decision on whether to hire you.

If you do not provide us with personal data, we may be unable to make a selection decision in your favour. We recommend that you always provide only such personal data as are necessary for the application process.

 

7. Automated decision-making

As a rule, we do not use procedures involving fully automated decision-making within the meaning of Art. 22 GDPR. If, in individual cases, we do use such procedures, we will inform you separately and obtain your consent where this is required by law.

 

8. Contact

If you have any questions regarding the processing of your personal data, please feel free to contact us at any time. Please direct such enquiries to the address stated above.

 

9. Date and amendments to this Privacy Notice

This Privacy Notice is currently valid and is dated April 2026.

We reserve the right to update this Privacy Notice as necessary in order to adapt it to legal and technical developments or in connection with the offering of new services or products. If we amend our privacy policy, we will publish the amended version directly in this notice on our homepage and at such other locations as we consider appropriate. We reserve the right to amend this Privacy Notice at any time.