ARISTO PRIVACY POLICY

Datenschutzerklärung

In der nachfolgenden Datenschutzerklärung erhalten Sie einen detaillierten Überblick über die Verarbeitung Ihrer personenbezogenen Daten bei Besuch unserer Website www.aristo-group.com. Diese Website wird von der Aristo Group betrieben, der unsere Unternehmen Aristo Personnel GmbH, Aristo Recruitment GmbH und die Aristo AG mit Sitz in der Schweiz angehören. Die nachstehende Datenschutzerklärung gilt für sämtliche genannten Gesellschaften in gleicher Weise und ist zur einfacheren Verständlichkeit zusammengefasst. Insoweit nachfolgend einheitlich von Aristo Group gesprochen wird, umfasst dies sowohl die Aristo Personnel GmbH, Aristo Recruitment GmbH als auch die Aristo AG.

1.1. Contact details of the parties responsible and the data protection officerContact details of the parties responsible and the data protection officer

1.1.1. Aristo Personnel GmbH

Aristo Personnel GmbH

Aristo Personnel GmbH Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com The Aristo Personnel GmbH is the party responsible, as long as it is about the placement of candidates into a permanent position at our clients.

1.1.2. Aristo Recruitment GmbH

Aristo Recruitment GmbH

Alter Hof 5 Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com The Aristo Personnel GmbH is the party responsible, as long as it is about the placement of candidates into a permanent position at our clients.

1.1.3. Aristo AG

Brandschenkestrasse 30

Brandschenkestrasse 30 Brandschenkestrasse 30 8001 Zurich Switzerland Tel: + 41 44 508 76 70 E-Mail: info@aristo-group.com Website: www.aristo-group.com The Aristo Personnel GmbH is the party responsible, as long as it is about the placement of candidates into a permanent position at our clients.

Brandschenkestrasse 30

Alter Hof 5 Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com The Aristo AG is the party responsible as long as it is about the hiring out of specialists to our clients in the context of personnel leasing as well as the placement of candidates in a timely restricted project at our clients. Name and address of the data protection officer The data protection officer is: Mr. Ralf Zlamal3 E-Mail: info@aristo-group.com

2.1. Principle

This data protection applies to all clients and people interested, employees as well as other contractual partners and all other natural persons that visit our website and make use of the services and benefits.

2.2. Principles on the extent of processing personal data

We share the philosophy laid down in the General Data Protection Regulation (GDPR) and the Federal Data Protection Act, that restricts the collection and processing of personal data (“data”) as much as possible. Therefore, we only process personal data, as long as it is required and as far as it is clearly defined, which is going to be shown to you in the following (principles on data avoidance and data economy). Data processing is only admissible as long as it can be based on a sufficient legal basis or your consent (principle of legality).

2.3. General information on the legal basis for the processing of personal data

2.3.1. General legal basis

The processing of personal data is prohibited in principle and only exceptionally admissible. The admissibility of data processing can only occur when the processing of data can be based on a suitable legal basis. In conclusion, the following can be considered as such:

  • As long as we sought the consent of the person affected for the processing operation of personal data, article 6 para. 1 a GDPR serves as the legal basis.
  • Article 6 para. 1 b GDPR serves as the legal basis for processing personal data, that is required for fulfilling a contract, of which the contractual partner is the person affected. This is also true for processing operations that are required for the execution of pre-contractual actions.
  • As far as the processing of personal data is required for fulfilling the legal obligation, which we are subject to, article 6 para. 1 c GDPR serves as the legal basis.
  • In case vital interest of the person affected or any other natural person require the processing of personal data, article 6 para. 1 d GDPR serves as the legal basis.
  • As long as the processing is required for performing a task, that is in the public interest or in the exercise of official authority, that was transferred to us, article 6 para. 1 e GDPR is the legal basis for processing.
  • If the processing is required for protecting a justified interest of our company or a third party and these interests, fundamental rights and freedoms of the person affected do not outweigh the first mentioned interest, article 6 para. 1 f GDPR serves as the legal basis for processing.

2.3.2. Special legal basis when processing special categories of personal data pursuant to article 9 GDPR

The processing of personal data from which the racial and ethical origin, political opinion, religious or philosophical beliefs or the trade union membership emerge, as well as the processing of genetic data, biometric data for clear identification of a natural person, health data or data on sex live or sexual orientation of a natural person is forbidden. Exceptionally the processing of these special categories of personal data can be permitted by us, as long as there is a suitable legal basis for it. As such, the following can be considered in particular:

  • As far as the person affected has explicitly agreed to the processing of the special categories of special data for one or several purposes defined, this is the legal basis of the processing (art. 9 para. 2 a GDPR). This does not apply if pursuant to Union law or the law of the member states the prohibition on processing the special categories of personal data cannot be lifted.
  • In case the person affected published data obviously, article 9 para. 2 e GDPR is the legal basis for the processing.
  • As long as the processing of data for assertion, execution or defence of claims is required, the processing according to article 9 para. 2 f GDPR is admissible.
  • The processing of data is admissible, as long as it is on the basis of the Union law or the law of a member state that is in an appropriate relation to the pursued objective, maintains the essence of the right to data protection and prescribes appropriate and specific actions for protecting fundamental rights and interests of the person affected that is required due to a significant public interest, cf. art. 9 para. 2 g GDPR.

2.4. Objection and revocation against the processing of your data

If you have given a consent for processing your data, you can revoke this at any time. Such a revocation influences the admissibility of the processing of your personal data, after you have informed us about it. As long as we base the processing of your personal data on the balance of interests, you can revoke the processing. This is the case, in particular, when processing is not required for fulfilling a contract with you, which is shown by us respectively with the subsequent description of the functions. When executing such a revocation, we ask for stating reasons, as to why we should not process your personal data. In case of your justified objection, we will examine the situation and will either stop processing the data and/or adapt it or show you our compelling legitimate grounds, on the basis of which we will continue the processing. It goes without saying that you can object to the processing of your personal data for purposes of advertising and data analysis at any time.

2.5. Data deletion and storage period

Your personal data will be deleted or blocked, as soon as the purpose for storage no longer applies; blocking means in this context any kind of cancellation of the data related to your person (e.g. for statistical purposes). Furthermore, storage can occur when it was prescribed by the European or national lawmaker in regulations, laws or other rules, which we are subject to. Blocking or deleting data also occurs, when a storage period expires due to the mentioned standards, unless, there is a need to continue storing the data for concluding a contract or fulfilling a contract.

3.1. Data protection for candidates

3.1.1. When applying for a certain position on the website: Scope of data processing

You can directly apply as a candidate for the job openings on our website. Therefore, we will require different personal data from you. The data is put into an input mask and transferred to us and stored. It is mandatory to collect the following data in the framework of the application process:

  • Title (gender)
  • Surname, first name
  • Email address
  • Message

Furthermore, the following information can be shared voluntarily:

  • Phone number
  • Address
  • Information in an attachment (pdf)

In addition, we ask you to submit, in particular, CVs, reports, qualifications, cover letter. The scope of the personal data transferred in the context of the attachment and/or the attachments is subject to your own estimate and cannot be influenced by us.  However, to that extent we refer to the fact that considering your application to a job opening can only be successful, as long as your application is convincing according to the general prevailing opinion. In particular, it can lead to the processing of the following personal data: Date of birth, place of birth, marital status, information on your work permit and your residence permit, nationality, availability, photograph, language skills, work experience so far and project history, schooling and training, further education, fields of work and specialism, skills and know how, qualifications, references, publications, soft skills, hobbies, memberships, social insurance and tax information as well as -contributions, disclosures. Please consider, that in particular CVs, reports, cover letters or further data left by you for introductory purposes, also regularly reveals information on “special categories of personal data” pursuant to art. 9 GDPR (e.g. a photo, that shows the ethical original, information on severe disability, etc.). As the Aristo Group wishes to assess all the candidates solely according to their qualifications, we would like to ask you kindly to omit the statements “special categories of personal data”. However, transfer the respective information to us and agree that we can process this information and, in accordance with this data protection statement, can transfer it to third parties. Data for the purpose of the application are only sent to us, when you click the respective check box (opt-in) and agree to the collection, storage, editing, use and transfer of your data pursuant to this data protection statement

3.1.2. Data collection by the Aristo Group via and/or from generally accessible data sources and recommendations: Scope of data processing

  • First name and surname
  • Phone number
  • Email address
  • Place of residence
  • Focus of qualification (e.g. project leader)
  • Training / work experience
  • Skills

After storing your data, we contact you immediately, however, within one month at the latest and inform you about the processing of your data.

3.1.3. Registration on “My Aristo”

You can register as a candidate on our website and create your profile in our candidate pool (database). As a registered user you can keep logging in and maintain your profile continuously. The data required for the registration is entered into an input mask. It is mandatory to collect the following data in the framework of the application process:

  • Title (gender)
  • Surname, first name
  • Email address
  • Type of employment
  • Sector

Furthermore, the following information can be shared voluntarily:

  • Phone number
  • Address

If you would like to receive suitable job offers from the Aristo Group as a registered user, you can set up an individual job profile after logging in; you can also directly apply for job openings directly from “My Aristo”. Moreover, you can give further information on your field of specialism, the sector, the region and type of employment on “My Aristo” and transfer further information on yourself by uploading attachments (pdfs). The scope of the personal data transferred in the context of the attachment and/or the attachments is subject to your own estimate and cannot be influenced by us. However, to that extent we refer to the fact that considering your application for a job opening can only be successful, as long as your application is convincing according to the general prevailing opinion. In particular, it can lead to the processing of the following personal data: Date of birth, place of birth, marital status, information on your work permit and your residence permit, nationality, availability, photograph, language skills, work experience so far and project history, schooling and training, further education, fields of work and specialism, skills and know how, qualifications, references, publications, soft skills, hobbies, memberships, social insurance and tax information as well as -contributions, disclosures. Please consider, that particularly CVs, reports, cover letters or further data left by you for introductory purposes, also regularly reveals information on “special categories of personal data” pursuant to art. 9 GDPR (e.g. a photo, that shows the ethical original, information on severe disability, etc.). As the Aristo Group wishes to assess all the candidates solely on their qualifications, we would like to ask you to kindly omit the statements “special categories of personal data”. However, transfer the respective information, and agree that we can process this information and can transfer it to third parties in accordance with this data protection statement. Data for the purpose of the application are only sent to us, when you click the respective check box (opt-in) and agree to the collection, storage, editing, use and transfer of your data pursuant to this data protection statement.

3.1.4. Description and purpose of data processing

In the context of your concrete and general application for a potential job, we normally create a qualification profile from your information without your postal address, email address and further contact details (“personal contact data” in the following”), however, including information on availability, work location, hourly rate, project related experience as well as information on your profile, possibly your photo and information from further data and files given to us for the purpose of introduction. On the basis of concrete customer requests, we carry out a so-called “matching” in order to find out whether you match a concrete project offer and/or a job advertisement of one of our clients or not. This means, that we filter and/or derive from the data transferred to us by you (in particular from the text in your CV, your project history, etc.), skills (capabilities) and experience to semi-automatically and/or manually carry out the allocation of your person to the customer request; the semi-automatic evaluation of your data can occur, in particular, by using codes/filters, that we implement for restricting the search of suitable candidates for respective projects. This can lead to the fact that you are not going to be considered for certain customer requests and/or customer requirement profiles due to the semi-automatic derivation (project offer and/or a job position). Overall, the processing of your data serves the purpose of assessing your suitability for positions to be transferred currently or in future for which you apply or for which we would like to consider you. Furthermore, the processing serves the purposes of staying in touch with you and keeping you informed on the process of your application or informing you about other and/or other job openings interesting for you. Communication taking place between you and the Aristo Group is historically documented by us in a so-called CRM system (customer-relationship-management-system). Along these direct contacts, also internal annotations and/or indications are kept in the CRM system, that are relevant for the current or future appointment process. The processing of your data serves the purpose of working on processes in a faster, error-free way and without losing information, in order to make an optimised service pursuant to your wishes and imagination available.

3.1.5. Disclosure to third parties

Your qualification profile that is stored in our database is made available to potential customers as a file. Thereby, potential customers have the possibility to read your qualification profile and assess and/or select according to certain criteria. Thus, the qualification profile serves the introduction to customers aiming at realising the placement at a customer. Potential customers are not able to directly search in our database; they do not have access to your personal contact details. Naturally, we cannot take any responsibility for the confidential, earmarked and privacy-compliant treatment of the data given by you, in particular, your personal contact details by potential customers. Please consider this, in particular, when stating data in your qualification profile, when leaving further details and files for introductory purposes and when giving personal contact details e.g. on a social network to a potential customer.

3.1.6. Legal basis of data processing

The legal basis for the processing of data is art. 6 para. 1 p. 1 a GDPR when presenting your consent, as long as special categories of personal data are processed, your consent forms the complementary legal basis in accordance with art. 9 para. 2 a GDPR. To this extent you consent, that your personal data (in particular in the above mentioned scope) can be processed in the context of this data protection statement for the described purposes. The Aristo Group is allowed to transfer your personal data in the required scope for the purpose of creating a placement with a potential customer. Forwarding your personal data to third parties does not take place without an explicit consent, as long as it is not required for the provision of the service or the execution of the contract. If your application and/or a placement effort for a concrete position is not successful, you can consent that Aristo Group processes your data also beyond the termination of the concrete placement. Then, Aristo Group is allowed to use your data and contact you at a later stage, in particular, in order to stay in touch with you for the continuation of the placement or a new placement. If the application and/or the registration has already served the fulfilment of the contract, of which you are the contractual party or the execution of the pre-contractual actions, the additional legal basis for processing data is art. 6 para. 1 p. 1 b GDPR.

3.1.7. Duration of storage; possibility of objection and removal

The data is deleted as soon as it is no longer needed for fulfilling the purpose the data was collected for. If the processing of data already serves the execution of the contract, of which you are a contractual partner of or the execution of a pre-contractual action, then the data is deleted when it is no longer required for the execution of the contract. There can be a need to store your personal data, also after concluding a contract, in order to adhere to contractual or legal obligations – in particular retention provisions according to commercial and tax law- or to maintain our justified interest:

  • The storage for maintaining the commercial and/or tax-law retention provisions in the required scope, which we are subject to. The deadlines for fulfilling the commercial and/or tax-law retention provisions account for ten years – in accordance with the legal requirements for all documents that are necessary for profit determination; for commercial letters (also emails) the retention period is six years. The legal basis for this is art. 6 para. 1 p. 1 c GDPR.
  • According to the regulations of the BGB (German Civil Code) limitation periods can amount to up to 30 years, whereby the regular limitation period equals to three years. Therefore, we keep contractual documents as well as documents that are in connection with the contract, in accordance with these limitation period regulations in order to be able to conduct possible (legal) disputes. The legal basis for this is art. 6 para. 1 p. 1 lit f GDPR.

If the processing of your data is based on a consent you can revoke this consent for the future at any time either fully or partially by sending a respective message to datenschutz@aristo-group.de. By clicking on the respective check box (opt in) before sending your entered data to us you agree to the processing of your data pursuant to this data protection statement. The same is true in case you send us your data by email or by any other means. If you revoke your consent, it might be that you cannot be placed with a vacant post, in particular, as thereby the generally commercially available validity of your general or concrete application is no longer safeguarded and therefore a potential customer can no longer get an idea of who you are. If you revoke your consent, we will principally delete your data; if the data is required for fulfilling a contract or for executing pre-contractual actions, an early deletion of data is only possible, provided there are no contractual or legal obligations for deletion present.

3.2. Data protection for customers

3.2.1. When there is a needs or search enquiry for candidates: Scope of data processing

If, as a customer, you are looking for highly-qualified specialists in the area of life science you can send us a non-binding request (via email, phone, fax or via the enquiry contact form on our website) by stating your project and/or need. We will process the search requested submitted to us by you and introduce a suitable specialist to you provided the availability by submitting a qualification profile to you. As long as you are using the contact form on our website in the context of getting in touch, it is mandatory to collect the following data:

  • IP address
  • Date and time of your message
  • Name
  • Email address
  • Subject
  • Message

Furthermore, you can make the following statements voluntarily:

  • Information in a data attachment

Initially, we cannot control whether and to what extent you will submit further personal data in the data attachment to us and we will process them. If not required, however, we ask not to submit any personal details in a data attachment to us.

3.2.2. Data collection by the Aristo Group via and/or for generally accessible data sources and recommendations: Scope of data processing

The Aristo Group is a specialised personnel service provider for the placement of highly-qualified specialists in the area of life science. We either place you as freelancers in temporary projects (via the Aristo Recruitment GmbH) or as candidates in a direct position with our clients (via the Aristo Personnel GmbH). Furthermore, you can work as an employee via the Aristo AG at our clients in the context of the personnel leasing. Therefore, the Aristo Group also actively searches and/or also receives personal data about candidates from generally accessible sources from potential customers and/or their representatives and contact partners. In search of potential customers and/or their representatives we look, in particular, in external sources such as XING and other career networks, on which we find information about you. The same is true in case of recommendations, that we are informed about numerously by clients and your colleagues. Initially, in these cases we store the personal data of you that we receive from public sources and/or from the person recommending you. This normally entails:

  • First name and surname
  • Position, possibly specialist department
  • Company
  • Phone number
  • Email address
  • Interests

After storing your data, we contact you immediately, however, within one month at the latest and inform you about the processing of your data.

3.2.3. Description and purpose of data processing

We create anonymised, web-based project and/or job advertisements (in the following “corporate data”) from your data, however with a specific description of your needs in the project and/or the requirements for the position and/or the candidates including the required soft and hard skills as well as further relevant information. These project and/or job advertisements can be seen in the search of potential candidates accessible on the website of the Aristo Group. Furthermore, we carry out a so-called “matching” in order to find out whether a candidate is suitable for a concrete project offer and/or a job advertisement or not. This means that we compare the enquiries and/or requirement profile (project offer and/or a job advertisement) sent to us by you with the data given to us from the data sets of the candidates (in particular from the text of the CVs, the project history, etc., his/her skills (capabilities) and experiences) semi-automatically and/or manually and execute an allocation; the semi-automatic evaluation of your data can occur in particular by using codes/filters, that we implement for limiting the search of suitable candidates for respective projects. This can lead to the fact that a candidate is not going to be considered for certain customer requests and/or customer requirement profiles due to the semi-automatic derivation (project offer and/or a job position). Overall, the processing of your data serves the purposes of finding the candidates suitable for filling your position. Furthermore, the processing serves the purposes of staying in touch with you and keeping you informed on the process of your candidate search or informing you about other interesting candidates for you. Communication taking place between you and the Aristo Group is historically documented by us in a so-called CRM system (customer-relationship-management-system). Along these direct contacts, also internal annotations and/or indications are kept in the CRM system, that are relevant for the current or future appointment process. The processing of your data serves the purpose of working on processes in a faster, error-free way and without information loss, in order to make an optimised service pursuant to your wishes and imagination available.

3.2.4. Legal basis of data processing

the legal basis for the processing of the data is art. 6 para. 1 p. 1 a GDPR provided your consent is present. If the request serves the fulfilment of the contract, of which you are the contractual party or the execution of the pre-contractual actions, the additional legal basis for processing data is art. 6 para. 1 p. 1 b GDPR. In order to carry out an allocation of your enquiry in our company, the maintenance of our justified interest serves as another legal basis, art. 6 para. 1 f GDPR; hereby, our justified interests result from the illustrated purposes, we assume, however, that your interests do not outweigh ours.

3.2.5. Duration of storage; possibility of objection and removal

The data is deleted as soon as it is no longer needed for fulfilling the purpose the data was collected for. If the processing of data already serves the execution of the contract, of which you are a contractual partner or the execution of a pre-contractual action, then the data is deleted when it is no longer required for the execution of the contract. There can be a need to store your personal data, also after concluding a contract, in order to adhere to contractual or legal obligations – in particular retention provisions according to the commercial and tax law- or to maintain our justified interest:

  • The storage for maintaining the commercial and/or tax-law retention provisions in the required scope, which we are subject to. The deadlines for fulfilling the commercial and/or tax-law retention provisions account for ten years – in accordance with the legal requirements for all documents that are necessary for profit determination; for commercial letters (also emails) the retention period is six years. The legal basis for this is art. 6 para. 1 p. 1 c GDPR.
  • According to the regulations of the BGB (German Civil Code) limitation periods can amount to up to 30 years, whereby the regular limitation period equals to three years. Therefore, we keep contractual documents as well as documents that are in connection with the contract, in accordance with these limitation period regulations in order to be able to conduct possible (legal) disputes. The legal basis for this is art. 6 para. 1 p. 1 f GDPR.

If the processing of your data is based on a consent you can revoke this consent for the future at any time either fully or partially by sending a respective message to datenschutz@aristo-group.de. The same is true in case you send us your data by email or by any other means. If you revoke your consent, your enquiry might no longer by processed. If you revoke your consent, we will principally delete your data; if the data is required for fulfilling a contract or for executing pre-contractual actions, an early deletion of data is only possible, as long as there are no contractual or legal obligations for deletion present.

On our website, we offer every visitor the possibility to get in touch via a contact form by stating personal data. The following data are submitted by you compulsorily in the context of getting in touch via the contact form:
  • IP address
  • Date and time of your message
  • Name
  • Email address
  • Subject
  • Message

Furthermore, you can make the following statements voluntarily:

  • Information in a data attachment

Whether and to what extent you will submit further personal data in the data attachment to us and we will process them, cannot be controlled by us initially. If not required, however, we ask not to submit any personal details in a data attachment to us.

4.1. Purposes of data processing

The processing of your data serves the processing and reply to your enquiry. Stating your email address is required in order to get in touch with you.  Stating your name serves the personalisation of your enquiry and/or the reply as well as the internal allocation in our company.

4.2. Legal basis of data processing

The legal basis for the processing of the data is art. 6 para. 1 p. 1 a GDPR provided your consent is present. If the request serves the fulfilment of the contract, of which you are the contractual party or the execution of the pre-contractual actions, the additional legal basis for processing data is art. 6 para. 1 p. 1 b GDPR. In order to carry out an allocation of your enquiry in our company, the maintenance of our justified interest serves as another legal basis, art. 6 para. 1 f GDPR; hereby, our justified interests result from the described purposes, we assume, however, that your interests do not outweigh ours.

4.3. Duration of storage; possibility of objection and removal

The data is deleted as soon as it is no longer needed for fulfilling the purpose the data was collected for. This is particularly the case when your enquiry was processed conclusively and possibly responded to. If getting in contact already serves the execution of the contract, of which you are a contractual partner or the execution of a pre-contractual action, then the data is deleted when they are no longer required for the execution of the contract. There can be a necessity to save personal data beyond that in order to meet the contractual and legal obligations and maintain our justified interest. As long as the processing of your data is based on a consent you have the possibility to revoke the consent. By clicking on the respective check box (opt in) before sending your entered data to us you agree to the processing of your data pursuant to this data privacy statement. If, in addition, the data is required for fulfilling a contract or for executing pre-contractual actions, an early deletion of data is only possible, provided there are no contractual or legal obligations for deletion present.

5.1. Processing your data when visiting our website

5.1.1. Description and purpose of data processing

Our system automatically captures data and information from your computer system of the computer opening our website (personal data, that your browser sends to our server). This is also provided for, as long as you are not registered or sending us information otherwise. The following data is collected:

  • IP address of the user
  • Date and time of request and/or access
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/http status code
  • Amount of data to be transferred respectively
  • Website from which the request is coming (from which the system of the user accesses our internet page)
  • Website that is opened by the system of the user via our website
  • Information on the type of browser and the version used
  • Operating system and its surface
  • Language and version of the browser software

5.1.2. Purposes of data processing

The temporary storage of the mentioned data, in particular, the IP address by the system is necessary and required in order to enable the delivery of the website to your computer. Therefore, your IP address has to remain stored for the duration of the session. Furthermore, this serves the purpose of evaluating and further maintaining the system safety and system stability as well as other administrative purposes.

5.1.3. Legal basis of data processing

The legal basis for the temporary storage of your data is art. 6 para. 1 f GDPR. Our justified interest results from the above listed purposes for collecting data. In no case do we use the data collected for the purpose of drawing any conclusion to your person.

5.1.4. Storage period

The data is deleted as soon as it is no longer needed for fulfilling the purpose the data was collected for. This is the case when collecting data for providing the website, when the respective session is closed.

5.1.5. Possibility of objection and removal

Collecting the data for providing the website and saving the data in log files is essential for the operation of the website. Consequently, there is no possibility for you to object.

5.2. Use of cookies

5.2.1. Description and scope of data processing

Our website uses cookies. Cookies are text files, that are saved on the internet browser and/or from the internet browser on your computer system. If you open a website a cookie can be saved on your operating system. This cookie has a character string, that enables a definite identification of the browser when the website is opened again. Our website only uses transient cookies, as some elements on our website require that the requesting browser can be identified also after changing the site. This makes the use of so-called transient cookies (session cookies) necessary. These save a so-called session ID, with which different enquiries of your browser can be allocated to the common session. Thereby, your computer can be recognised again, when you return to our website. We use cookies, in order to design our website more user-friendly as several elements on our website require that the browser opened can be identified also after changing a site.  The session cookies are deleted when you log out or close the browser.

5.2.2. Purposes of data processing

The purpose of using technically necessary transient cookies and thus the respective data processing is to both enable and simplify the use of websites for you. Some functions on our website cannot be offered without the use of these cookies. It is important for them to be recognised again by your browser also after changing the site. This is for example true for language settings or remembering search terms. The user data collected by technically necessary cookies are not used for creating user profiles.

5.2.3. Legal basis of data processing

The legal basis for the temporary storage of your data is art. 6 para. 1 f GDPR. Our justified interest results from the above listed purposes for collecting data. In no case do we use the data collected for the purpose of drawing any conclusion to your person. The legal basis for the processing of personal data by using cookies for analysis purposes is art. 6 para. 1 a GDPR when a respective consent is present.

5.2.4. Duration of storage; possibility of objection and removal

Cookies are stored on your computer and transferred to our site by it. Therefore, you as the user have full control over the use of cookies. By changing the setting in your internet browser, you can deactivate or restrict the transfer of cookies. Already saved cookies can be deleted at any time. This can also happen automatically. If cookies for our website are deactivated, it might be that all functions of the website can no longer be used fully.

5.3. Linking on social network/social media plug-ins

5.3.1. Description and scope of data processing

We are linked on social networks

  • Facebook,
  • LinkedIn,
  • XING and

You recognize the provider of the network by the tag on the box above its initial letter or the logo.  Hereby, we only use a so-called linking. When you visit our site, initially no personal data is forwarded to the providers of the social networks, the social media plug ins are deactivated. If you want to use one of the networks, click on the respective logo in order to set up a direct connection with the server of the respective network. Hereby, we only give you the possibility of communicating directly with the provider of the social network via the button. Only if you click on the marked box and thereby activate it does the provider receive the information that you have opened the respective website of our online offer. In this case, information that was collected when visiting our website will be send in the required scope (see item 5.1.1). As the plug in provider is collecting the data, in particular, via cookies, we recommend to delete all cookies in the security settings of your browser before clicking on the provider button. The data transfer takes place independently from the fact, whether you have an account with the plug in provider and are logged in there.  If you are logged in with the plug in provider, your data collected by us will be allocated directly to your account with the plug in provider. We recommend to log out regularly after using a social network, however, in particular, before activating the button, as you can thereby avoid an allocation to your profile by the plug in provider.

5.3.2. Purposes of data processing

The data is transferred for the purpose of simplifying the use of websites for users. By linking and/or plug ins, we offer you a simple way of interacting with social networks and other users so that we can improve our offer and make them more interesting for you as a user.

5.3.3. Legal basis of data processing

The legal basis for processing the data is art. 6 para. 1 p. 1 a GDPR provided your consent is present, as well as maintaining our justified interest pursuant to art. 6 para. 1 p. 1 f GDPR; our justified interest results from the illustrated purposes for data processing.

5.3.4. Duration of storage; possibility of objection and removal

Cookies are stored on your computer and transferred to our site by it. Therefore, you as the user have full control over the use of cookies. By changing the setting in your internet browser you can deactivate or restrict the transfer of cookies.  Already saved cookies can be deleted at any time. This can also happen automatically. If cookies for our website are deactivated, it might be that not all functions of the website can be used fully.

5.3.5. Purposes and legal basis for data processing, storage period, possibilities of objection and removal by the provider of the social network, transfer of data to third countries.

Neither do we have influence on the data collected and the data processing methods, nor are the full extent of the data collection, the purpose of processing and the storage periods known to us. Neither do we have any information on the deletion of the data collected by the third party. The provider possibly saves the data collected about you in a user profile and uses it for purposes of advertising, market research and/or creation of its website as needed. Such an evaluation, in particular, takes place (also for users that are not logged in) for providing advertisement as needed and in order to inform other uses of the social network about your activities on our website. You are entitled to object to the creation of these user profiles, whereby you have to get in touch with the respective third party of the social network for the execution of it. Further information on the purpose and scope of data collection and its processing by the provider can be found in its data privacy statement. There, you will also find further information on your respective rights and setting possibilities for protecting your privacy. Addresses of the respective plug in providers and URL with their data protection information: Facebook, Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook is subject to the EU US privacy shield https://www.privacyshield.gov/EU-US-Framework. LinkedIn LinkedIn Corporation, 1000 W. Maude Avenue,Sunnyvale, CA 94085,USA / LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland; further information on data collection: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy. LinkedIn is subject to the EU US privacy shield https://www.privacyshield.gov/EU-US-Framework. XING XING SE, Dammtorstr. 30, 20354 Hamburg; further information on data collection and data protection at XING: https://privacy.xing.com/de/datenschutzerklaerung Instagram Instagram LLC, 1601 Willow Rd, Menlo Park ca 94025, USA; further information on data collection and data protection: https://help.instagram.com/155833707900388. If you click on the link for an offer or activate a social plug in, it might be that personal data reach providers in countries outside the European Economic Area, that do not guarantee an “appropriate protection level” for the processing of personal data from the point of vie of the European Union (“EU”).  Please consider this circumstance before you click on a link or activate a social plug in and thus trigger the transfer of your data.

5.4. Incorporating Google Maps

5.4.1. Description and scope of data processing

We use the offer of Google Maps on this website. Thereby, we can show you interactive maps directly on the website and enable you the comfortable use of map functions. By visiting the website, Google receives the information that you have opened the respective page of our website. In addition, data mentioned in this statement under item 5.1.1 are transferred. This takes place independently of whether Google provides a user account by which you are logged in or whether no user account exists. If you are logged in on Google, your data will be directly allocated to your account. If you do not wish the allocation to your Google profile, you have to log out before activating the button. Google saves your data in a user profile and uses it for purposes of advertising, market research and/or justified creation of its website. Such an evaluation, in particular, takes place (even for user that are not logged in) for providing advertisement as needed and in order to inform other uses of the social network about your activities on our website. You are entitled to object to the creation of these user profiles, whereby you have to get in touch with Google for the execution of it.

5.4.2. Purposes and legal basis for data processing

The data processing, in particular, the data transfer to Google occurs to the extent of showing interactive maps directly on the website and to enable you the comfortable use of map functions as well as increasing the attractiveness of our website for you. Thereby, our online offer can be improved and designed in a more interesting way for you. The legal basis for processing the data is art. 6 para. 1 p. 1 a GDPR provided a consent is present, as well as maintaining our justified interest pursuant to art. 6 para. 1 p. 1 f GDPR; our justified interest results from the illustrated purposes for data processing. We assume that your positions protected by fundamental rights are not affected severely and therefore do not outweigh.

5.4.3. Purposes and legal basis for data processing, storage period, possibility of objection and removal at Google

Neither do we have influence on the data collected and the data processing methods, nor are the full extent of the data collection, the purpose of processing and the storage periods known to us. Neither do we have any information on the deletion of the data collected by Google. Google possibly saves the data collected about you in a user profile and uses it for purposes of advertising, market research and/or creation of its website as needed. Such an evaluation, in particular, takes place (also for users that are not logged in) for showing advertisement as needed and in order to inform other users of Google and its offers about your activities on our website. You are entitled to object to the creation of these user profiles, whereby you have to get in touch with the respective third plug in providers for the execution of it. Further information on the purpose and scope of data collection and its processing by Google can be found in the data protection statement of the provider. There, you will also find further information on your respective rights and setting possibilities for protecting your privacy: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; further information on data collection: https://www.google.de/intl/de/policies/privacy. Google processes your personal data also in the US and is subject to the EU-US privacy shield, https://www.privacyshield.gov/EU-US-Framework.

5.5. Web analysis by Google Analytics

Google Analytics uses this website, a web analyst provider of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files, that are saved on your computer that enable an analysis of the use of the website by you. The information generated by the cookie on your use of this website is normally transmitted and saved on a Google server in the US. In case of activating the IP anonymization on this website, however, your IP address is shortened previously by Google within member states of the European Union or in other contractual states of the agreement beyond the European Economic Area. The full IP address is only transferred to a Google server in the US in exceptional cases and shortened there. Google will use this information on behalf of the operator of this website in order to assess your use of the website, in order to compile reports on website activities and in order to provide further services connected with the website use and the internet use towards the website operator. The IP address transferred from your browser by Google Analytics is not joined with other data of Google. You can prevent the storage of cookies by a respective setting of your browser software; however, we point out, that you might not be able to use all functions of this website comprehensively.  Furthermore, you can prevent the collection of the data generated by the cookie and referred to by your use of the website (including your IP address) as well as prevent the processing of this data by Google, by downloading and installing the browser plug in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de. Google Analytics uses this website with the extension “_anonymizedIp()”. Thereby, IP addresses are processed further in a shortened way, so that reference to a person can be excluded.  As far as personal reference is made to the data generated about you, this is excluded immediately and thus the personal data is deleted immediately. We use Google Analytics in order to analyse the use of our website and improve it regularly. We can improve our offer by the statistics gained and design it in a more interesting way for you as a user. In exceptional cases, when personal data is transferred to the US, Google is subject to the EU-US privacy shield https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is art. 6 para. 1 p. 1 f GDPR. Information on the third party:  Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions: http://www.google.com/analytics/terms/de.html, Overview on data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, as well as data protection statement: http://www.google.de/intl/de/policies/privacy. In addition, this website uses Google Analytics for an analysis of visitor flows across any device, that are carried out via a user ID. You can deactivate the analysis on your use across any device in your customer account under “my data”, “personal data”. tp://www.google.com/analytics/terms/de.html and/or on https://www.google.de/intl/de/policies/

As far as not presented in a deviating way previously, we do not forward any personal data to companies, organisations or people outside our company, except in the following circumstances:

6.1. Forwarding data to affiliated companies in the context of the mutual data retention

The Aristo Group saves and processes your data collected in the context of using our website services (application portals for candidates; customer inquiry portal; “My Aristo” as well as the contact form) and the data collected about you by visiting our website in a mutually used IT system which all companies of the Aristo Group mentioned in item 1 can access. The data saved there are technically accessible to all companies of the Aristo Group named in item 1.

6.2. With your consent

As already shown above in detail, however, in some cases also beyond that, we forward personal data to companies, organisations and people outside our company, provided we have your consent for it (art. 6 para. 1 p. 1 a possibly in connection with art. 9 para. 2 a GDPR).

6.3. Processing by others

We make personal data available to the other companies that are affiliated with us in the group and/or in the corporate group as well as our third party business partners, other trustworthy companies and people that process them on our behalf. This takes place on the basis of our instructions and according to our data protection statement as well as other suitable confidentiality and security actions.

6.4. For legal reasons

We will forward personal data to companies, organisations or people outside our company, when we can assume in good faith that the access of this data or its use, retention or disclosure is required reasonably, in order to particularly adhere to current laws, regulations or legal procedures or to comply with an enforceable administrative order; the legal basis is art. 6 para. 1 p. 1 c possibly in connection with art. 9 para. 2 b GDPR.

If not expressively shown in this data protection statement, the transfer of your personal data does not take place to third countries (countries outside the EU and/or the EEA) or international organisations. We transfer your data in the context of the mutually used IT systems for operating the website also to the Aristo AG based in Switzerland – as shown individually. Switzerland has a suitable data protection level. This was ascertained by the EU commission by an adequacy decision (pursuant to art. 45 GDPR).
If not described differently above (item 3.1.4 as well as 3.2.3, an automated decision-making does not take place.
If personal data is processed about you, you are the affected person for the purpose of GDPR and you have the following rights against us and the party responsible. You can contact any party responsible mentioned in item 1.1 for executing your rights.

9.1. Right to information

You can request a confirmation from the party responsible on as to whether personal data affecting you is processed by us. If such a processing is the case, you can request access to the following information from the party responsible:

  • the purposes for which the personal data is being processed;
  • the category of personal data which is being processed;
  • the recipient and/or the categories of the recipients; who were given the personal data affecting you or are going to be given.
  • the planned storage period of the personal data affecting you or if no concrete statement is possible about it, the criterion for determining the storage period;
  • the existence of a right to correct or delete the personal data affecting you, a right to restrict the processing by the party responsible or a right to object against this processing;
  • the existence of a right to complain at a supervisory authority;
  • all information available on the origin of the data, if the personal data is not collected with the person affected;
  • the existence of an automated decision-making including profiling pursuant to art. 22 para. 1 and 4 GDPR and – at least in this case – meaningful information on the logic involved as well as the dimension and the pursued implication of such processing for the person affected.

You have the right to obtain information whether personal data affecting you is sent to a third country or an international organisation. In this context you can request via the suitable guarantees according to art. 46 GDPR to be informed about the transfer in this context.

9.2. Right of adjustment

You have the right of adjustment and/or completion towards the party responsible provided the personal data processed affecting you is incorrect or incomplete. The party responsible has to carry out the adjustment immediately.

9.3. Right of restricting the processing

Under the following requirements you can request the restriction of the processing of personal data affecting you:

  • if you dispute the correctness of the personal data affecting you for a certain period of time, that enables the party responsible to examine the correctness of the personal data;
  • the processing is unlawful and you reject the deletion of personal data and instead request for a restriction of the use of the personal data;
  • the party responsible no longer requires the personal data for the purpose of processing, however, you need them for the assertion, execution or defence of legal claims or
  • if you appealed the processing pursuant to art. 21 para. 1 GDPR and it is not certain yet whether the justified reasons of the party responsible outweigh your reasons.

If the processing of the personal data affecting you was restricted, this data can only be processed -let alone saved- with your consent or for the assertion, execution or defence of legal claims or for protecting the rights of another natural or legal person or for reasons of an important public interest of the Union or a member state. If the restriction of the processing was restricted according to the above-mentioned requirements, you will be informed by the party responsible before the restriction is revoked.

9.4. Right of deletion

9.4.1. Obligation of deletion

You can request from the party responsible that the personal data affecting you has to be deleted immediately and the party responsible is obliged to delete the data immediately as long as one of the following reasons apply:

  • The personal data affecting you is no longer needed for the purpose for which it was collected or was processed in any other way.
  • You revoke your consent on which the processing is based on pursuant to art. 6 para. 1 a or art. 9 para. 2 a GDPR and another legal basis for processing is missing.
  • You appeal against the processing pursuant to art. 21 para. 1 GDPR and there are no primary justified reasons for the processing or you appeal against the processing pursuant to art. 21 para. 2 GDPR.
  • The personal data affecting you was unlawfully processed.
  • The deletion of the personal data is required for fulfilling a legal obligation according to Union law or the right of a member state of which the party responsible is subject to.
  • The personal data affecting you was collected in connection with services of the information society offered pursuant to art. 8 para. 1 GDPR.

9.4.2. Information to third parties

If the party responsible has published the personal data affecting you and is obliged to delete it pursuant to art. 17 para. 1 GDPR, they have to take suitable actions by considering the technologies available and costs of implementation, also of technical nature, in order to inform the parties responsible for the data processing that they have requested the deletion of all links to personal data or of copies or replications of this personal data.

9.4.3. Exceptions

The right of deletion does not exist provided the processing is necessary

  • for executing the rights of freedom of opinion and information;
  • for fulfilling a legal obligation, that is required and subject to the processing pursuant to the law of the Union or the member states of which the party responsible is subject to or for performing a task that is in the public interest or results from the exercise of official authority, that was given to the party responsible;
  • for reasons of public interest in the area of public health pursuant to art. 9 para. 2 h and i as well as art. 9 para. 3 GDPR;
  • for archive purposes in the public interest, scientific or historic research purposes or for statistical purposes pursuant to art. 89 para. 1 GDPR, provided the law mentioned in section a) makes the realisation of the objectives of this processing impossible or influences them significantly or
  • for assertion, execution or defence of legal claims.

9.5. Right to information

If you have you asserted the right to adjustment, deletion or restriction of processing against the party responsible, they are obliged to disclose all recipients who they have given personal data affecting you, inform you about this adjustment or deletion of the data or restriction of the processing unless this proves to be impossible or is linked to an excessive effort. You are entitled to be informed about these recipients.

9.6. Right of data portability

You have the right to receive the personal data affecting you, which you have provided to the party responsible in a structured, usual and machine-readable format. In addition, you have the right to make the personal data available to another party responsible without the hindrance of the party, which you provided the personal data, provided

  • the processing is based on a consent pursuant to art. 6 para. 1 a GDPR or art. 9 para. 2 a GDPR or an agreement pursuant to art. 6 para. 1 b GDPR and
  • the processing takes place by automated methods.

In addition to executing this right, you have the right to have personal data affecting you being transferred from one party responsible to another party responsible, provided this is technically possible. Hereby, freedoms and rights of other people are not allowed to be restricted. The right of data portability does not apply to the processing of personal data that is required for performing a task that is in the public interest or results from the exercise of official authority that was given to the party responsible.

9.7. Right of objection

At any time, you have the right, for reasons occurring due to your special situation, to object against the processing of the personal data affecting you, that occurs due to art. 6 para. 1 e or f GDPR; this also applies for profiling based on these regulations.  The party responsible no longer processes the personal data affecting you, unless they can prove mandatory legitimate reasons for the processing that outweigh your interests, rights and freedoms or the processing serves the assertion, execution or defence of legal claims. If the personal data affecting you are processed to carry out direct advertisement you have the right to appeal against the processing of the personal data affecting you for the purpose of such advertisement; this also applies to profiling, provided it is in connection with such direct advertisement.  If you appeal against the processing for purposes of direct advertising, personal data affecting you will no longer be used for these purposes. You have the possibility, in connection with the use of services of the information society -irrespective of directive 2002/58/EG- to execute your right of objection by means of automated methods for which technical specifications are used.

9.8. Right of objection of the data protection statement

You have the right to revoke your data protection statement at any time. By revoking your consent, the legality of the processing from the consent to the revocation is not affected.

9.9. Right of not being the subject matter of an automated decision-making in individual cases including profiling

You have the right not to be subjected to a decision based on solely automated processing – including profiling – produces its legal effects with respect to you or influences you in a similar manner significantly. This does not apply, when the decision

  • for concluding or fulfilling the contract between you and the party responsible is required,
  • due to regulations of the Union or the member states, which the party responsible is subject to, it is admissible and these regulations entail suitable actions for maintaining your rights and freedoms as well as your justified interest or
  • take place with your expressive consent.

However, these decisions are not allowed to be based on the personal data of special categories pursuant to art. 9 para. 1 GDPR, provided art. 9 para. 2 a or g GDPR are not applicable and suitable actions were taken for the protection of the rights and freedoms as well as your justified interest. In view of the cases mentioned in (1) and (3), the party responsible takes suitable actions in order to maintain the rights and freedoms as well as your justified interest, to which at least the right of obtaining the intervention of a person by the party responsible to present its own position and to challenge the decision.

9.10. Right to complain at a supervisory authority

Irrespective of another administrative or legal remedy, you have the right to complain with a supervisory authority, in particular, in the member state of your residence, your workplace or the place of the alleged infringement which you believe violates the GDPR in terms of processing of the personal data affecting you. The supervisory authority, where the complaints was submitted, informs the about the status and the results of the complaint including the possibility of a judicial remedy according to art. 78 GDPR.

More information about privacy at Aristo:

The protection of your personal data is a top priority, and is taken into consideration in all business processes. When and insofar as you share personal data with us, it will be processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, as well as the statutory data protection provisions of the German Federal Data Protection Act (BDSG). The following Data Protection Notice provides a detailed overview of the processing of your personal data. “Personal data” means all information that relates to a natural person who has been or can be identified. With this Data Protection Notice, we are providing you with comprehensive information on the nature, scope and purposes of the collection of personal data and how this data will be processed. It additionally serves to provide you with information on the rights to which you are entitled in regard to the processing of your personal data.

1.1. Basic principle

This Data Protection Notice applies to all applicants and members of the talent pool of Aristo in the same manner, and is summarized in the interest of ease of understanding. Insofar as Aristo is mentioned in the following in a uniform manner, this shall be understood to encompass Aristo Personnel GmbH, Aristo Recruitment GmbH, Lenyx Logistik und Service GmbH and Aristo AG. This does not affect the respective responsibility with regard to data protection.

1.2. Supplementary applicability of particular provisions for particular services

There are additional data protection notices pertaining to certain services that supplement this Data Protection Notice. This particularly applies to the use of our website; the data protection declaration for use of our website can be accessed and viewed on our website.

2.1. Controller

The controllers as defined by the EU General Data Protection Regulation (GDPR) and other national data protection laws of the Member States and other data protection provisions are Aristo Personnel GmbH, Aristo Recruitment GmbH, Lenyx Logistik und Service GmbH and Aristo AG:

Aristo Personnel GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com

2.1.2. Aristo Recruitment GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com

2.1.3. Lenyx Logistik und Service GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com

2.1.4. Aristo AG

Brandschenkestrasse 30 8001 Zürich Switzerland Tel: + 41 44 508 76 70 E-Mail: info@aristo-group.com Website: www.aristo-group.ch

The representative of Aristo AG is

Aristo Holding GmbH Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-Mail: info@aristo-group.com Website: www.aristo-group.com Die Aristo AG ist Verantwortliche, soweit es um die Überlassung von Spezialisten an unsere Kunden im Rahmen der Arbeitnehmerüberlassung sowie um die Vermittlung von Kandidaten in zeitlich befristete Projekte bei unseren Kunden geht.

2.2. Data protection officer

Aristo has appointed a data protection officer. You can reach our data protection officer via the following contact information: Aristo Data Protection Officer Alter Hof 5 80331 Munich dsb@aristo-group.com

3.1. Scope of the processing of personal data

Aristo shares the underlying philosophy of the GDPR and the German Federal Data Protection Act (BDSG) that the collection and processing of personal data (“data”) must be minimized whenever possible. For this reason, we process personal data only when doing so is required for clearly defined purposes, which will be set out in the following (principles of data avoidance and data minimization). In such contexts, data processing is permissible only insofar as it can be justified according to a sufficient legal basis or your consent (principle of lawfulness).

3.2. General information on the legal bases for the processing of personal data

3.2.1. General legal bases

The processing of personal data is forbidden in principle and is permissible only in exceptional cases. The permissibility of data processing can be established only when the processing of the data can be supported by an appropriate legal basis. The following legal bases are definitively deemed appropriate:

  • Article 6(1)(a) GDPR serves as legal basis provided that we have obtained consent to the processing of personal data from the data subject.
  • Article 6(1)(b) GDPR serves as the legal basis for the processing of personal data if it is necessary for the performance of a contract to which the data subject is a party. This also applies to processing operations required to carry out precontractual actions
  • Article 6(1)(c) GDPR serves as the legal basis for the processing of personal data if it is necessary for the fulfillment of a legal obligation that applies to us.
  • Article 6(1)(d) GDPR serves as the legal basis in the event that the data subject’s vital interests or those of another natural person necessitate the processing of personal data.
  • Article 6(1)(e) GDPR is the legal basis for processing if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
  • Article 6(1)(f) GDPR serves as the legal basis for processing if the processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override those interests.

3.2.2. Special legal bases for the processing of special categories of personal data pursuant to Article 9 GDPR

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. In exceptional cases, the processing of these special categories of personal data by us can also be allowed if there is an appropriate legal basis for this. In particular the following legal bases come into consideration as appropriate:

  • If the data subject has given explicit consent to the processing of special categories of special data for one or more defined purposes, this can serve as the legal basis for processing (Article 9(2)(a) GDPR). This does not apply if the prohibition of the processing of special categories of personal data cannot be lifted pursuant to Union or Member State law.
  • Article 9(2)(e) GDPR is the legal basis for processing in the event that the data subject has manifestly made the data public.
  • Processing is permissible pursuant to Article 9(2)(f) GDPR if processing of the data is required for the establishment, exercise, or defense of legal claims.
  • Processing of data is permitted insofar as it is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; cf. Article 9(2)(g) GDPR.

3.2.3. Special legal basis for the processing of personal data in the employment relationship

According to Article 88(1) GDPR in conjunction with Article 26 BDSG, various specific features apply when processing personal data of employees for purposes relating to the employment relationship. These particularly include specific features regarding the legal bases for the processing of personal data for the purpose of the employment relationship as per Article 26(1) through (4) BDSG..

3.3. Objection and withdrawal of consent to the processing of personal data

If you have given us consent to process your personal data, you can withdraw your consent at any time. A withdrawal of this type influences the permissibility of the processing of your personal data once you have announced it to us. If our processing of your personal data is based on a balancing of interests, you can lodge an objection to the processing. This is particularly the case when the processing is not required for the performance of a contract with you, which we explain in the following description of functions. In the event of the exercise of an objection of this type, we request an explanation of the reasons why your personal data should not be processed in the manner implemented by our company. If the objection is justified, we will review the situation and either halt/adjust the data processing or inform you of the compelling legitimate grounds according to which we will continue the processing. Of course, you can object to the processing of your personal data for advertising and data analysis purposes at any time

3.4. Data deletion and retention duration

Your personal data will be deleted or blocked by us as soon as the purpose of retention ceases to apply; “blocking” in this context means any removal of references to your person in the data. In addition, retention may be provided for by the European or national legislatures in regulations, laws or other regulations to which we are subject. The data shall also be blocked or deleted when a retention period prescribed by the specified standards expires, unless there is a need for further retention of the data for the conclusion or performance of a contract.

4.1. Description and scope of data processing

If you apply for a specific job or internship at an Aristo Group company, personal data is processed in the context of the requisite application procedure. This can – depending on the content of your application – particularly include the following categories of personal data:

  • Master data and private contact information: in particular form of address, first names, last names, addresses, telephone numbers, e-mail addresses, marital status, and further data regarding family circumstances, age and date of birth, nationality;
  • If proxies, representatives or contact persons are named: their master data and private contact information as well as data regarding the type of representation and the degree of any relationship;
  • Qualifications and skills, in particular data regarding school qualifications, degrees, vocational qualifications, additional qualifications, certificates, language skills, special skills;
  • Any data contained in the ID card, driver’s license, or other submitted identification documents, or other authentication data;
  • Any data regarding exercise of further or previous employed or independent activities and any related data regarding contractual content and contractual partners;
  • Any data regarding equity investments in corporations;
  • Bank information;
  • Tax data, in particular tax ID, tax number, certificate in tax matters as well as social insurance data and employer’s liability insurance association data;
  • Data from postal, electronic, and telephone communication between you and Aristo as well as between you and third parties;
  • Health data, if applicable;
  • Any image recordings, particularly in the form of an application photo or in the context of a recorded or live video interview;
  • Any data communicated in the context of your application.

4.2. Source of the personal data

Aristo collects your personal data from you directly. Furthermore, Aristo also processes personal data that we have permissibly obtained from other Aristo Group companies (see Section 2.1.). In addition, in order to conduct the application process, it may be necessary to process personal data that we have obtained from third-party companies (e.g. past employers) or other third parties, e.g. social insurance funds etc., permissibly and for the respective purpose.

4.3. Purposes of data processing

Aristo collects and processes your data in order to conduct the application procedure. In particular, Aristo collects and processes your data for the following purposes:.

  • To check your suitability for the vacant job or internship;
  • To meet the existing social insurance-related and other legal obligations;
  • For correspondence with you and any proxies or representatives.

Your data shall solely be processed to check your application for the vacant post, and shall be sent to the directly responsible decision-makers. The applicant management system in which your data is stored is access-protected, meaning that only duly selected and authorized employees of the corresponding HR units and departments can have access to and process your data. Our employees are obliged to maintain confidentiality and comply with the applicable statutory data protection regulations.

4.4. Legal bases of data processing

4.4.1. Processing to meet pre-contractual obligations

The legal basis for the processing of your data is Article 6(1)(1)(b) in conjunction with Article 88(1) GDPR in conjunction with Article 26(1)(1) BDSG. Data processing is essential to the creation of contractual relationship between you and Aristo and to fulfillment of the resultant obligations. We need you to make your personal data available so that a decision can be made regarding your application. If you do not make your personal data available, it may not be possible to conclude a contract.

4.4.2. Processing based on your consent

In addition and in particular, as far as the processing of special categories of personal data is concerned (in particular data regarding your religion or beliefs, sexual orientation, ethnic origin, health data etc. of which you disclose voluntary information that can be derived from a transmitted photograph (application photograph)), the legal basis for the processing of this data is your express consent pursuant to Article 6(1)(1)(a) in conjunction with Article 9(2)(a) in conjunction with Article 88(1) GDPR in conjunction with Article 26(3)(2) and (2) BDSG, which you can provide in the context of your application; alternatively, Article 9(2)(e) GDPR can be a legal basis if you have clearly disclosed the data, particularly in the course of your application. If you do not provide the corresponding consent or there is no other legal basis, in some circumstances your application cannot be processed, or can be processed only after further consultation with you. Processing on the basis of your consent is also carried out if you agree to let Aristo to include your application – should it prove to be unsuccessful – in the general applicant pool so that it can be considered for other future vacancies (see also Section 4.5.2.).

4.4.3. Processing based on a legitimate interest

In addition, Aristo processes your personal data if doing so is necessary in order to safeguard the legitimate interests of Aristo or a third party (pursuant to Article 4(10) GDPR) and is not overridden by the interests or fundamental rights and freedoms of the data subjects (in the present case: you) which require the protection of personal data (Article 6(1)(1)(f) GDPR). Processing of your data based on a legitimate interest is particularly carried out if your data is stored in the IT systems jointly used with other Aristo Group companies. The Aristo Group comprises the companies stated in Section 2.1. These companies technically have access to the jointly used IT systems and the data stored there. Access to and processing of this data are carried out only if this is necessary in order to conduct and handle the application procedure with you in line with the purposes set out above. Furthermore, processing of your data based on a legitimate interest may take place so that Aristo can carry out internal controlling. In addition, your data may be processed so that Aristo can establish claims or defend itself against claims in legal disputes. In this respect, Aristo also assumes that your interests override your fundamental rights and freedoms that require the protection of your data.

4.5. Retention duration; objection and erasure options

Processing of your data is carried out for the duration of the respective application procedure until the post is filled. When your personal data no longer needs to be processed for the application procedure, it will be deleted after a period of six months. This period arises from the fact that Aristo must be able to defend itself against legal claims that you could enforce under the German General Act on Equal Treatment if Aristo rejects your application; the legal basis is Article 6(1)(1)(f) GDPR, with the legitimate interests of Aristo also arising from these stated purposes.

5.1. Description and scope of data processing

Aristo maintains a talent pool in which the contact information of promising people are included, for instance in the context of careers fairs. You have the opportunity to be entered in the talent pool. To this end, Aristo regularly processes the following elements of your data:

  • Master data and private contact information: form of address, first names, last names, addresses, telephone numbers, email addresses, age and date of birth;
  • Any CVs (in some cases including application photograph)
  • Any relevant (work-related) references and diplomas

5.2. Source of the personal data

Aristo collects your personal data from you directly. Furthermore, Aristo also processes personal data that we have permissibly obtained from other Aristo Group companies (see Section 2.1.). In addition, in order to conduct the application process, it may be necessary to process personal data that we have obtained from third-party companies (e.g. previous employers, online databases) or other third parties, e.g. social insurance funds etc., permissibly and for the respective purpose.

5.3. Purposes of data processing

In particular, Aristo collects and processes your data for the following purposes:

  • Sending of a newsletter to keep you up to date with developments at Aristo, interesting events and exciting job opportunities;
  • Making personal contact with you if Aristo would like you to recruit you for a specific job at Aristo;

5.4. Legal bases of data processing

5.4.1. Processing to meet contractual obligations

The legal basis for the processing of your data is Article 6(1)(1)(b) GDPR. Aristo processes your data in the course of a contractual relationship existing between you and Aristo that is concluded upon your entry in the talent pool. Processing of your data is necessary for fulfillment of the resultant obligations.

5.4.2. Processing based on your consent

Alternatively, the legal basis for the processing of this data can be your express consent pursuant to Article 6(1)(1)(a), possibly in conjunction with Article 9(2)(a), possibly in conjunction with Article 88(1) GDPR in conjunction with Article 26(2) BDSG, which you can provide when entering the talent pool.

5.4.3. Processing based on a legitimate interest

In addition, Aristo processes your personal data if doing so is necessary in order to safeguard the legitimate interests of Aristo or a third party (pursuant to Article 4(10) GDPR) and is not overridden by the interests or fundamental rights and freedoms of the data subjects (in the present case: you) which require the protection of personal data (Article 6(1)(1)(f) GDPR). Processing of your data based on a legitimate interest is particularly carried out if your data is stored in the IT systems jointly used with other Aristo Group companies. The Aristo Group comprises the companies stated in Section 2.1. These companies technically have access to the jointly used IT systems and the data stored there. Access to and processing of this data are carried out only if this is necessary for upkeep of the talent pool (in particular for notification of and participation in events, sending of newsletters and targeted communication with you). Furthermore, processing of your data based on a legitimate interest may take place so that Aristo can carry out internal controlling. In addition, your data may be processed so that Aristo can establish claims or defend itself against claims in legal disputes. In this respect, Aristo also assumes that your interests override your fundamental rights and freedoms that require the protection of your data

5.5. Retention duration; objection and erasure options

Aristo processes and stores your data only for as long as it is needed in order to fulfill the agreed purposes, in particular to fulfill contractual or statutory obligations arising from the contractual relationship with you; this happens for as long as the contractual relationship with you exists and the data passed on by you has to be retained in order to comply with statutory retention obligations. If the processing of your data is based on your consent, Aristo processes and stores your data only until you revoke the underlying consent. If there is no longer any basis for the processing of your data, Aristo will block any personal reference to you (particularly in our CRM system) in line with data protection rules, or, if this is not possible,will erase the data.

Unless otherwise described above, Aristo will not pass on any personal data to third-party companies, organizations, or persons except in one of the following situations:

6.1. Transfer of data to associated companies (Section 2.1) in the context of joint data retention

Aristo stores and processes your data in an IT system that is also used by the other Aristo Group companies named in Section 2.1. For this reason, the data stored there by Aristo is also technically accessible to these companies. Access to your personal data by these companies is allowed here only if this is essential for the stated purposes.

Transfer of data when conducting video interviews by means of StarLeaf and Skype

If you conduct a video interview by means of StarLeaf or Skype, your collected personal data (image and video data) is sent to the software provider as well as the other person or persons involved in the conversation. Aristo has no influence on the processing of your data by these third parties. Further information regarding data protection at StarLeaf can be found in StarLeaf’s data protection declaration via the following link: https://support.starleaf.com/legalinformation/starleaf-privacy-notice/. Further information regarding data protection at Skype can be found in Skype’s data protection declaration via the following link: https://privacy.microsoft.com/dede/privacystatement/

6.3. Forwarding of data to processors

Aristo makes personal data available to other companies associated with Aristo in the Aristo Group as well as to our third-party business partners and other trusted companies or persons that process the data on Aristo’s behalf. This takes place on the basis of precise instructions from Aristo and in accordance with this data protection declaration as well as other appropriate confidentiality and security measures

Unless expressly stated in this data protection declaration, your personal data will not be transmitted to third countries (countries outside the EU/the EEA) or international organizations. However, we also transmit your data to Aristo AG, based in Switzerland, in the context of our jointly-used IT systems, as specifically described. Switzerland possesses an adequate level of data protection. This has been determined by the European Commission by means of an adequacy decision (pursuant to Article 45 GDPR). In addition, we communicate your name and e-mail address to The Rocket Science Group LLC d/b/a MailChimp, a service provider for distribution of newsletters; MailChimp also processes your personal data in the USA and has signed up to the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAA G&status=Active).

No fully automated decision-making (including profiling) as per Article 22 GDPR is used to process the data passed on by you.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the data controller. You may contact any of the bodies listed in Section 2.1.1 through 2.1.4 to exercise your rights.

9.1. Right of access

You have the right to access to the data stored with the controller, particularly to information on the purpose of the processing and how long the data will be retained (Article 15 GDPR).

9.2. Right to rectification

You have the right to ask the controller to rectify and/or complete your personal data if the processed personal data pertaining to you is incorrect or incomplete. The controller is obliged to rectify the data without undue delay.

9.3. Right to restriction of processing

You have the right to request the restriction of the processing of your data. This right particularly applies for the duration of the review in the event that you have contested the accuracy of the data pertaining to you, as well as in the event that you would like processing to be restricted instead of exercising an existing right to erasure. A restriction of processing shall also take place in the event that the data is no longer necessary for our purposes, but you still need the data for the establishment, exercise, or defense of legal claims, and if the successful exercise of an objection is disputed between you and the controller (Article 18 GDPR).

9.4. Right to erasure

You have the right to request the erasure of the personal data pertaining to you by the controller. These requirements specify that you can request the deletion of your data if, for example, the controller no longer needs the personal data for the purposes for which it was collected or otherwise processed, the controller processes the data unlawfully, you have lodged a legitimate objection, you have withdrawn your consent, or a statutory obligation of deletion exists (Article 17 GDPR).

9.5. Right to data portability

You have the right to receive the personal data you have provided to the controller from the controller in a structured, common, and machine-readable format (Article 20 GDPR) unless it has already been deleted.

9.6. Right to object

You have the right to file an objection at any time to processing of personal data pertaining to you that is collected under Article 6(1)(1)(e) or (f) GDPR (Article 21 GDPR) for reasons relating to your particular situation. The controller will halt the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves the purpose of the establishment, exercise, or defense of legal claims. In the event that you object, for example, to the use of your data for advertising purposes, the controller will cease processing your data for such purposes

9.7. Right to withdraw consent

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9.8. Right not to be the subject of automated decisionmaking in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

  • is necessary for entering into, or performance of, a contract between you and the controller;
  • is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safegu
  • is based on your explicit consent

However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. With regard to the cases referred to in points (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

9.9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

The protection of your personal data is a top priority, and is taken into consideration in all business processes. When and insofar as you share personal data with us, it will be processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, as well as the statutory data protection provisions of the German Federal Data Protection Act (BDSG). The following Data Protection Notice provides a detailed overview of the processing of your personal data. “Personal data” means all information that relates to a natural person who has been or can be identified. With this Data Protection Notice, we are providing you with comprehensive information on the nature, scope and purposes of the collection of personal data and how this data will be processed. It additionally serves to provide you with information on the rights to which you are entitled in regard to the processing of your personal data.

1.1. Basic principle

This Data Protection Notice applies for all customers who come into contact with us or are already in contact with us in the context of our intermediary services, as well as for all companies of Aristo in the same manner, and is summarized in the interest of ease of understanding. Insofar as Aristo is mentioned in the following in a uniform manner, this shall be understood to encompass Aristo Personnel GmbH, Aristo Recruitment GmbH, Lenyx Logistik und Service GmbH and Aristo AG.

1.2. Supplementary applicability of particular provisions for particular services

There are additional data protection notices pertaining to certain services that supplement this Data Protection Notice for Customers. This particularly applies to the use of our website; you can learn about the processing of your personal data with regard to the use of our website from our Website Data Protection Declaration, which can be accessed and viewed on our website.

2.1. Controller

The controllers as defined by the EU General Data Protection Regulation (GDPR) and other national data protection laws of the Member States and other data protection provisions are Aristo Personnel GmbH, Aristo Recruitment GmbH, Lenyx Logistik und Service GmbH and Aristo AG:

2.1.1. Aristo Personnel GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com Aristo Personnel GmbH is the controller insofar as the placement of candidates in permanent positions with our customers is concerned.

2.1.2. Aristo Recruitment GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com Aristo Recruitment GmbH is the controller insofar as the placement of candidates in fixed-term projects with our customers is concerned.

2.1.3. Lenyx Logistik und Service GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com

2.1.4. Aristo AG

Brandschenkestrasse 30 8001 Zürich Switzerland Tel: + 41 44 508 76 70 E-mail: info@aristo-group.com Website: www.aristo-group.ch

The representative of Aristo AG is

Aristo Holding GmbH Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com Aristo AG is the controller insofar as the temporary provision of specialists to our customers in a personnel leasing context and the placement of candidates in fixed-term projects with our customers are concerned.

2.2. Data protection officer

Aristo has appointed a data protection officer. You can reach our data protection officer via the following contact information: Aristo Data Protection Officer Alter Hof 5 80331 Munich dsb@aristo-group.com

3.1. Scope of the processing of personal data

Aristo shares the underlying philosophy of the GDPR and the German Federal Data Protection Act (BDSG) that the collection and processing of personal data (“data”) must be minimized whenever possible. For this reason, we only process personal data when doing so is required for clearly defined purposes, which will be set out in the following (principles of data avoidance and data minimization). In such contexts, data processing is only permissible insofar as it can be justified according to a sufficient legal basis or your consent (principle of lawfulness).

3.2. General information on the legal bases for the processing of personal data

3.2.1. General legal bases

The processing of personal data is forbidden in principle and is only permissible in exceptional cases. The permissibility of data processing can only be established when the processing of the data can be supported by an appropriate legal basis. The following legal bases are definitively deemed appropriate:

  • Article 6(1)(a) of the GDPR serves as legal basis provided that we have obtained consent to the processing of personal data from the data subject.
  • Article 6(1)(b) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the performance of a contract to which the data subject is a party. This also applies to processing operations required to carry out precontractual actions.
  • Article 6(1)(c) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the fulfillment of a legal obligation that applies to us.
  • Article 6(1)(d) of the GDPR serves as the legal basis in the event that the data subject’s vital interests or those of another natural person necessitate the processing of personal data
  • Article 6(1)(e) of the GDPR is the legal basis for processing if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
  • Article 6(1)(f) of the GDPR serves as the legal basis for processing if the processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override those interests.

3.2.2. Special legal bases for the processing of special categories of personal data pursuant to Article 9 GDPR

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. In exceptional cases, the processing of these special categories of personal data by us can also be allowed if there is an appropriate legal basis for this. In particular, the following legal bases come into consideration as appropriate:

  • If the data subject has given explicit consent to the processing of special categories of special data for one or more defined purposes, this can serve as the legal basis for processing (Article 9(2)(a) of the GDPR). This does not apply if the prohibition of the processing of special categories of personal data cannot be lifted pursuant to Union or Member State law.
  • Article 9(2)(e) of the GDPR is the legal basis for processing in the event that the data subject has manifestly made the data public.
  • Processing is permissible pursuant to Article 9(2)(f) of the GDPR if processing of the data is required for the establishment, exercise or defense of legal claims.
  • Processing of data is permitted insofar as it is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; cf. Article 9(2)(g) of the GDPR.

3.3. Objection and withdrawal of consent to the processing of personal data

If you have given us consent to process your personal data, you can withdraw your consent at any time. A withdrawal of this type influences the permissibility of the processing of your personal data once you have announced it to us. If our processing of your personal data is based on a balancing of interests, you can lodge an objection to the processing. This is particularly the case when the processing is not required for the performance of a contract with you, which we explain in the following description of functions. In the event of the exercise of an objection of this type, we request an explanation of the reasons why your personal data should not be processed in the manner implemented by our company. If the objection is justified, we will review the situation and either halt/adjust the data processing or inform you of the compelling legitimate grounds according to which we will continue the processing. Of course, you can object to the processing of your personal data for advertising and data analysis purposes at any time.

3.4. Data deletion and retention duration

Your personal data will be deleted or blocked by us as soon as the purpose of retention ceases to apply; “blocking” in this context means any removal of references to your person in the data (e.g. for statistical purposes). In addition, retention may be provided for by the European or national legislatives in regulations, laws or other regulations to which we are subject. The data shall also be blocked or deleted when a retention period prescribed by the specified standards expires, unless there is a need for further retention of the data for the conclusion or performance of a contract.

4.1. Description and scope of data processing

4.1.1. Data collection from generally accessible sources and/or recommendations

Aristo is a specialized provider of personnel services in the area of the placement of highly qualified specialists in the field of life sciences. For this reason, Aristo uses generally accessible sources to search for potential customers and their authorized representatives and contact persons. In particular, we search external sources such as LinkedIn and XING and other career networks where we obtain information on you. The same applies in cases of recommendations that are shared with us by third parties. In these cases, we initially store those elements of your personal data that we obtain from these public sources or recommenders. This typically encompasses:

  • First and last name
  • Position, specialist department if applicable
  • Company
  • Telephone number
  • E-mail address
  • Need for services

After storing your data, we will contact you immediately, within one month at the latest, and inform you of the processing of your data.

4.1.2. (Further) data collection directly from you

If you or the company you work for are interested in making use of our services and being included in our database as a customer or the authorized representative or contact person of your company, which would be our customer, in order to be informed of potentially interesting candidates, we will collect additional personal data from you. This can typically encompass the following categories of data:

  • (Additional) master data and contact details, particularly: form of address and title, names, addresses, telephone numbers, email addresses
  • Potentially other data related to the establishment and performance of the contractual relationship, which could potentially contain or allow references to your person.

4.2. Purposes of data processing

Using your data, we create anonymized, web-based project/job listings (hereinafter “company data”) with a precise description of your needs for the project / the requirements for the role/candidates, including the required soft and hard skills and other relevant information. This additional information, and thus the company data, may also potentially include your personal data as a contact person for our customer. This company information can be viewed by potential candidates on the Aristo Group website. In addition, we send your “company data” to our candidates unsolicited if and insofar as we assume that you / the company for which you are acting as an authorized representative or contact person may be of interest to these candidates. We also carry out “matching” to find out whether or not a candidate is suitable for a specific project/job listing. This means that we collate the requests / requirement profile (project and/or job listing) you have sent to us with data from the candidates’ datasets (particularly CV text, project history, skills and experiences) through a partially automated and/or manual procedure and carry out a classification; in particular, the partially automated evaluation of your data can take place through the use of codes/filters that we use to restrict the search to suitable candidates for the respective projects. This can result in a situation where a candidate is not brought into consideration for specific customer requests / customer requirement profiles (project and/or job listings) due to the partially automated derivation. On the whole, the processing of your data serves the purpose of seeking out suitable candidates for the roles you intend to fill. The processing additionally serves the purpose of establishing contact with you in order to update you on the progress of your candidate search or to inform you of interesting candidates. The communication conducted between you and the Aristo Group is documented historically by us in a customer relationship management (CRM) system. In addition to this direct contact, internal notes and comments relevant to the current or future recruitment process are also recorded in the CRM system. This processing of your data serves the purpose of handling procedures quickly and without errors or loss of information so that we can provide you with optimized service in accordance with your wishes and expectations.

4.3. Legal bases of data processing

4.3.1. Processing based on the establishment/implementation of a contract

If the processing of your data already serves to facilitate the performance of a contract to which you are a party or the implementation of pre-contractual actions, an additional legal basis for processing of the data is Article 6(1)(1)(b) GDPR.

4.3.2. Processing based on statutory provisions

Aristo is subject to statutory and regulatory stipulations. The fulfillment of the statutory requirements arising from these requires the collection and processing of your personal data (Article 6(1)(1)(c) GDPR).

4.3.3. Processing based on legitimate interests

In addition, we process your personal data if doing so is necessary in order to safeguard the legitimate interests of Aristo or a third party (pursuant to Article 4(10) GDPR) and is not overridden by the interests or fundamental rights and freedoms of the data subjects (in the present case: you) which require the protection of personal data (Article 6(1)(1)(f) GDPR). In particular, processing of your data on the basis of a legitimate interest can take place so that Aristo can record and contact you as the authorized representative or contact person of the company you work for and which is (potentially) in a contractual relationship with Aristo or would like to make use of the services of Aristo. Your data may also be processed so that Aristo can establish claims or defend itself against claims in legal disputes. In this respect, Aristo also assumes that your interests override your fundamental rights and freedoms that require the protection of your data. If our processing of personal data is based on a balancing of interests, you can lodge an objection to the processing. In the event of the exercise of an objection of this type, we request an explanation of the reasons why the personal data should not be processed in the manner implemented by our company. If the objection is justified, we will review the situation and either halt/adjust the data processing or inform you of the compelling legitimate grounds according to which we will continue the processing.

4.3.4. Retention duration; objection and erasure options

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If the processing of the data already serves to facilitate the performance of a contract to which you are a party or the implementation of a pre-contractual action, then the data will be deleted once it is no longer needed for the performance of the contract. Concluding an agreement may also result in the necessity to store your personal data in order to meet contractual or statutory obligations – particularly retention obligations under commercial and tax law – or to safeguard our legitimate interests:

  • Retention in order to comply with retention obligations under commercial and/or tax law to the requisite extent applicable to us. The periods for the fulfillment of commercial and/or tax law retention periods are ten years, in accordance with the statutory provisions for all documents that are necessary for profit determination; the retention period for business letters (including e-mails) is six years. Article 6 (1)(1)(c) of the GDPR is the legal basis for this;
  • According to the provisions of the German Civil Code (BGB), statutory retention periods can amount to up to 30 years, with the regular retention period being three years. For this reason, we retain the contract documents and documents related to the contract in accordance with these statutory retention regulations in order to be able to conduct any potentially necessary (legal) disputes. Article 6 (1)(1)(f) of the GDPR is the legal basis for this

If the processing of your data is based on consent, you can send a corresponding message to datenschutz@aristo-group.de to wholly or partially withdraw this consent for the future. If you withdraw your consent, this may prevent you from being referred to positions to be filled, particularly if doing so causes your general or concrete application to lose the generally customary explanatory power and thus makes it impossible for potential customers to establish an image of who you are. If you withdraw your consent, we will delete your data as a general principle; if the data is necessary for the performance of a contract or the implementation of pre-contractual actions, then a premature erasure of data is possible only to the extent that this is not opposed by contractual or statutory obligations.

5.1. Description and scope of data processing; purpose of data processing

Aristo sporadically records and evaluates telephone conversations exclusively for the purpose of improving our services, particularly with regard to the quality of conversations with you and other contacts. In this respect, data on your speech as well as the content of conversations with you is collected, analyzed and potentially disclosed to third parties, particularly our employees for training purposes.

5.2. Legal bases of data processing

The legal basis for processing of your data is exclusively your express consent in the respective individual case, pursuant to Article 6(1)(1)(a) GDPR. You will be asked at the beginning of a phone call whether you would like to give your consent to the recording, analysis and further processing of the conversation for the purposes specified above; you may give or withhold your consent in each individual case; withholding your consent will not result in any adverse effects for you.

5.3. Retention duration; objection and erasure options

Aristo only processes and stores your data as long as you have not withdrawn the underlying consent or the recorded conversations are no longer needed for the specified purposes. If a legal basis for the processing of your data no longer exists, Aristo will delete your data.


6. Transfer of your data to third parties

Unless already specifically described above, we will not share your personal data with third-party companies, organizations or persons except in one of the following situations:

  • We share data with public bodies (authorities), companies, organizations or persons when we are obligated to do so in accordance with applicable laws, regulations, legal proceedings or enforceable official orders, or can assume in good faith that access to this data or the use, retention or transfer thereof can be reasonably expected to be necessary in order to fulfill equivalent obligations (Article 6(1)(1)(c) GDPR);
  • Aristo retains and processes your data in the context of the establishment and performance of a contractual relationship with you in an IT system that is also used by the other Aristo companies named in Section 1.1. For this reason, the data stored there by Aristo is also technically accessible to these companies. Access to your personal data by these companies is generally not allowed, but the possibility of this cannot be totally ruled out. The companies will access the data insofar as doing so is necessary for the business relationship with you and is not opposed to any of your legitimate interests (Article 6(1)(1)(f) GDPR);
  • We provide the data to our third-party business partners and other trustworthy companies or persons who process the data on our behalf. This takes place on the basis of precise instructions from us and in accordance with this data protection declaration.

Unless expressly stated in this data protection declaration, your personal data will not be transmitted to third countries (countries outside the EU / the EEA) or international organizations. However, we also transmit your data to Aristo AG, based in Switzerland, in the context of our jointly-used IT systems for the operation of the website. Switzerland possesses an adequate level of data protection. This has been determined by the European Commission by means of an adequacy decision (pursuant to Article 45 GDPR).

Unless otherwise explicitly described above, no automated decisionmaking takes place.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the data controller. You may contact any of the bodies listed in 2.1.1 through 2.1.3 to exercise your rights.

9.1. Right of access

You have the right to access to the data stored with the controller, particularly to information on the purpose of the processing and how long the data will be retained (Article 15 GDPR).

9.2. Right to rectification

You have the right to ask the controller to rectify and/or complete your personal data if the processed personal data pertaining to you is incorrect or incomplete. The controller is obligated to rectify the data without undue delay.

9.3. Right to restriction of processing

You have the right to request the restriction of the processing of your data. This right particularly applies for the duration of the review in the event that you have contested the accuracy of the data pertaining to you, as well as in the event that you would like processing to be restricted instead of exercising an existing right to erasure. A restriction of processing shall also take place in the event that the data is no longer necessary for our purposes, but you still need the data for the establishment, exercise or defense of legal claims, and if the successful exercise of an objection is disputed between you and the controller (Article 18 GDPR).

9.4. Right to erasure

You have the right to request the erasure of the personal data pertaining to you by the controller. These requirements specify that you can request the deletion of your data if, for example, the controller no longer needs the personal data for the purposes for which it was collected or otherwise processed, the controller processes the data unlawfully, you have lodged a legitimate objection, you have withdrawn your consent, or a statutory obligation of deletion exists (Article 17 GDPR).

9.5. Right to data portability

You have the right to receive the personal data you have provided to the controller from the controller in a structured, common and machine-readable format (Article 20 GDPR) insofar as it has not already been deleted.

9.6. Right to object

You have the right to file an objection at any time to processing of personal data pertaining to you that is collected under Article 5(1)(1)(e) or (f) GDPR (Article 21 GDPR) for reasons relating to your particular situation. The controller will halt the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves the purpose of the establishment, exercise or defense of legal claims. In the event that you object, for example, to the use of your data for advertising purposes, the controller will cease processing your data for such purposes.

9.7 Right to withdraw consent

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9.8. Right not to be the subject of automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

  • is necessary for entering into, or performance of, a contract between you and the controller;
  • is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. With regard to the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

9.9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

The protection of your personal data is a top priority, and is taken into consideration in all business processes. When and insofar as you share personal data with us, it will be processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, as well as the statutory data protection provisions of the German Federal Data Pro-tection Act (BDSG). The following Data Protection Notice provides a detailed overview of the processing of your personal data. “Personal data” means all in-formation that relates to a natural person who has been or can be identified. With this Data Protection Notice, we are providing you with comprehensive information on the nature, scope and purposes of the collection of personal data and how this data will be processed. It additionally serves to provide you with information on the rights to which you are entitled in regard to the processing of your personal data.

1.1. Basic principle

This Data Protection Notice applies for all candidates who come into contact with us or are already in contact with us in the context of our intermediary services, as well as for all companies of Aristo in the same manner, and is summarized in the interest of ease of under-standing. Insofar as Aristo is mentioned in the following in a uniform manner, this shall be understood to encompass Aristo Personnel GmbH, Aristo Recruitment GmbH, Lenyx Logistik und Service GmbH and Aristo AG.

1.2. Supplementary applicability of particular provisions for particular services

There are additional data protection notices pertaining to certain ser-vices that supplement this Data Protection Notice for Candidates. This particularly applies to the use of our website, which is integrated with the “My Aristo” candidate application portal; you can learn about the processing of your personal data that takes place when this portal is used from our Website Data Protection Declaration, which can be accessed and viewed on our website.

2.1. Controller

The controllers as defined by the EU General Data Protection Regu-lation (GDPR) and other national data protection laws of the Member States and other data protection provisions are Aristo Personnel GmbH, Aristo Recruitment GmbH, Lenyx Logistik und Service GmbH and Aristo AG:

2.1.1. Aristo Personnel GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com Aristo Personnel GmbH is the controller insofar as the placement of candidates in permanent positions with our customers is concerned.

2.1.2. Aristo Recruitment GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com Aristo Recruitment GmbH is the controller insofar as the placement of candidates in fixed-term projects with our customers is concerned.

2.1.3. Lenyx Logistik und Service GmbH

Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com

2.1.4. Aristo AG

Brandschenkestrasse 30 8001 Zürich Switzerland Tel: + 41 44 508 76 70 E-mail: info@aristo-group.com Website: www.aristo-group.ch

The representative of Aristo AG is

Aristo Holding GmbH Alter Hof 5 80331 Munich Germany Tel: +49 89 599 1827 0 E-mail: info@aristo-group.com Website: www.aristo-group.com Aristo AG is the controller insofar as the temporary provision of spe-cialists to our customers in a personnel leasing context and the place-ment of candidates in fixed-term projects with our customers are con-cerned.

2.2. Data protection officer

Aristo has appointed a data protection officer. You can reach our data protection officer via the following contact information: Aristo Data Protection Officer Alter Hof 5 80331 Munich dsb@aristo-group.com

3.1. Scope of the processing of personal data

Aristo shares the underlying philosophy of the GDPR and the Ger-man Federal Data Protection Act (BDSG) that the collection and pro-cessing of personal data (“data”) must be minimized whenever pos-sible. For this reason, we only process personal data when doing so is required for clearly defined purposes, which will be set out in the following (principles of data avoidance and data minimization). In such contexts, data processing is only permissible insofar as it can Page be justified according to a sufficient legal basis or your consent (prin-ciple of lawfulness).

General information on the legal bases for the pro-cessing of personal data

3.2.1. General legal bases

The processing of personal data is forbidden in principle and is only permissible in exceptional cases. The permissibility of data pro-cessing can only be established when the processing of the data can be supported by an appropriate legal basis. The following legal bases are definitively deemed appropriate:

  • Article 6(1)(a) of the GDPR serves as legal basis provided that we have obtained consent to the processing of personal data from the data subject.
  • Article 6(1)(b) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the perfor-mance of a contract to which the data subject is a party. This also applies to processing operations required to carry out pre-contractual actions.
  • Article 6(1)(c) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the fulfillment of a legal obligation that applies to us.
  • Article 6(1)(d) of the GDPR serves as the legal basis in the event that the data subject’s vital interests or those of another natural person necessitate the processing of personal data.
  • Article 6(1)(e) of the GDPR is the legal basis for processing if the processing is necessary for the performance of a task car-ried out in the public interest or in the exercise of official au-thority vested in us.
  • Article 6(1)(f) of the GDPR serves as the legal basis for pro-cessing if the processing is necessary to safeguard the legiti-mate interests of our company or a third party and if the inter-ests, fundamental rights and freedoms of the data subject do not override those interests.

3.2.2. Special legal bases for the processing of special catego-ries of personal data pursuant to Article 9 GDPR

The processing of personal data revealing racial or ethnic origin, po-litical opinions, religious or philosophical beliefs, or trade union mem-bership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orien-tation shall be prohibited. In exceptional cases, the processing of these special categories of personal data by us can also be allowed if there is an appropriate legal basis for this. In particular, the following legal bases come into consideration as appropriate:

  • If the data subject has given explicit consent to the processing of special categories of special data for one or more defined purposes, this can serve as the legal basis for processing (Ar-ticle 9(2)(a) of the GDPR). This does not apply if the prohibition of the processing of special categories of personal data cannot be lifted pursuant to Union or Member State law.
  • Article 9(2)(e) of the GDPR is the legal basis for processing in the event that the data subject has manifestly made the data public.
  • Processing is permissible pursuant to Article 9(2)(f) of the GDPR if processing of the data is required for the establish-ment, exercise or defense of legal claims.
  • Processing of data is permitted insofar as it is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pur-sued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; cf. Ar-ticle 9(2)(g) of the GDPR.

3.3. Objection and withdrawal of consent to the processing of personal data

If you have given us consent to process your personal data, you can withdraw your consent at any time. A withdrawal of this type influ-ences the permissibility of the processing of your personal data once you have announced it to us. If our processing of your personal data is based on a balancing of interests, you can lodge an objection to the processing. This is par-ticularly the case when the processing is not required for the perfor-mance of a contract with you, which we explain in the following de-scription of functions. In the event of the exercise of an objection of this type, we request an explanation of the reasons why your per-sonal data should not be processed in the manner implemented by our company. If the objection is justified, we will review the situation and either halt/adjust the data processing or inform you of the com-pelling legitimate grounds according to which we will continue the processing. Of course, you can object to the processing of your per-sonal data for advertising and data analysis purposes at any time.

3.4. Data deletion and retention duration

Your personal data will be deleted or blocked by us as soon as the purpose of retention ceases to apply; “blocking” in this context means any removal of references to your person in the data (e.g. for statis-tical purposes). In addition, retention may be provided for by the Eu-ropean or national legislatives in regulations, laws or other regula-tions to which we are subject. The data shall also be blocked or de-leted when a retention period prescribed by the specified standards expires, unless there is a need for further retention of the data for the conclusion or performance of a contract.

4.1. Description and scope of data processing

4.1.1. Data collection from generally accessible sources and/or recommendations

Aristo is a specialized provider of personnel services in the area of the placement of highly qualified specialists in the field of life sci-ences. We can place you either as a freelancer on fixed-term project engagements (via Aristo Recruitment GmbH) or as a candidate for direct permanent employment with our customers (via Aristo Person-nel GmbH). You can also be engaged as an employee by one of our customers in the context of temporary personnel leasing via Aristo AG. Aristo actively searches generally accessible sources for candi-dates for these engagements. In particular, we search sources such as LinkedIn, XING and other career networks where we obtain infor-mation on you. We also receive information about you based on rec-ommendations, which are often sent to us by customers and your colleagues. In these cases, we initially store those elements of your personal data that we obtain from these public sources or recommenders. This typ-ically encompasses:

  • First and last name
  • Telephone number and e-mail address
  • Place of residence
  • Focus of qualifications (e.g. project manager)
  • Education / professional experience
  • Skills / soft skills

After storing your data, we will contact you immediately, within one month at the latest, and inform you of the processing of your data.

4.1.2. (Further) data collection directly from you

If, after we make contact with you but also in the event of an unsolic-ited application on your part, you are interested in being included in our database, or potentially would like to apply to an advertised po-sition with one of our customers directly, we will collect additional personal data from you. This can typically encompass the following categories of data:

  • (Additional) master data and contact details, particularly: form of address and title, names, addresses, telephone numbers, e-mail addresses, date of birth, marital status, nationality;
  • Image recordings, particularly in the form of an application photo or in the context of a video interview using StarLeaf and Skype;
  • (Further) data on your qualifications and knowledge, particu-larly: school education and vocational training and/or higher education, other training and professional education, profes-sional experience, previous roles and previous industries, pre-vious customers and project experience, references, language skills, other qualifications (driver’s license, etc.) and soft skills, publications;
  • Data on your availability, work locations, commercial terms,
  • Tax data, particularly VAT ID and/or tax ID;
  • Bank account data;
  • Data from commercial registry extracts and police clearance certificates;
  • Copies of identity documents (ID card and/or passport);
  • Insurance data, particularly on employers’ liability insurance;
  • For (intended) positions in Switzerland: data from AHV ID, re-ligious denomination data, data on spouse and children, work-load data, degree of fitness for work;
  • Potentially other data related to the establishment and perfor-mance of the contractual relationship.

4.2. Purposes of data processing

In the context of your inclusion in our database or in the event of a specific or general application to potential positions, we use your in-formation to create a qualification profile without your name, mas-ter data, images, mailing address, e-mail address and other contact data (hereinafter “personal contact data”), but with information on availability, hourly rate, qualifications, project-related experience from your profile and other project-relevant information where appli-cable. We send this qualification profile to our customers unsolicited, if and insofar as we assume that you may be of interest to this cus-tomer based on your profile. We also carry out “matching” on the basis of concrete customer requests to find out whether or not you are suitable for a specific project and/or job listing of one of our cus-tomers. This means that we filter out / derive your skills and experi-ence from the data you have provided to us (particularly the text of your CV, your project history etc.) in order to then carry out a partially automated and/or manual assignment of your profile to a customer request; in particular, the partially automated evaluation of your data can take place through the use of codes/filters that we use to restrict the search to suitable candidates for the respective projects. This can result in a situation where you are not brought into consideration for specific customer requests / customer requirement profiles (project and/or job listings) due to the partially automated derivation. Overall, the processing of your data serves the purpose of reviewing your suitability for current or future job placements that you would like to apply for or for which you would like to be consid-ered, and to facilitate your successful placement in interesting roles with prestigious contractual partners (customers). The processing additionally serves the purpose of establishing con-tact with you in order to update you on the progress of your applica-tions or to inform you of different / additional job listings that may be of interest to you. The communication conducted between you and Aristo is documented historically by us in a customer relationship management (CRM) system. In addition to this direct contact, internal notes and comments relevant to the current or future recruitment pro-cess are also recorded in the CRM system. This processing of your data serves the purpose of handling procedures quickly and without errors or loss of information so that we can provide you with opti-mized service in accordance with your wishes and expectations. In addition, the processing of your data serves the purpose of fulfilling public obligations that apply to us or to our customers for whom we would like to bring you into consideration. The processing of your data also serves the purpose of the general performance of the con-tractual relationship with you, and is required for the performance thereof.

4.3. Transfer of your data to customers for the review of your credentials, when applicable

Your qualification profile (cf. Section 4.2), which is stored in our database, is only made accessible to potential customers in anony-mized form (without personal contact data, cf. Section 4.2); this serves to prevent the customer from recognizing your identity to the furthest possible extent. The qualification serves the purpose of an initial introduction, evaluation and selection by the customer with the goal of achieving a placement. If the customer is interested in a placement, we will only share your name and other project-relevant personal data with the customer after prior consultation with you. Of course, it is not possible for potential customers to search our data-base directly; they have no access to your personal contact data. As a matter of course, we can assume no responsibility for the confiden-tial, purposeful, and data protection-compliant handling of your trans-ferred data, particularly your personal contact data, by potential cli-ents. Please keep this in mind particularly when entering your CV data, the transmission of additional data and files carried out for in-troductory purposes, and the sharing of personal data, e.g. via a so-cial network, with a potential customer. Additionally, we compare individual items of your information, partic-ularly concerning your references, qualifications and any criminal record, with the information we already possess or data provided by third parties (particularly reference providers, public databases) in or-der to verify the accuracy of your submissions; transmission of this data to the corresponding third parties may occur in this context. Be-yond this, we will only share your data with third-party service provid-ers who review your submissions, particularly concerning references, qualifications and any criminal record, on our behalf in exceptional cases; this occurs only if these reviews are appropriate and permis-sible in accordance with local law, and always takes place on the basis of exact instructions from us and in accordance with this data protection declaration.

4.4. Legal bases of data processing

4.4.1. Processing based on your consent

The legal basis for the processing of your data in the event of the existence of your consent is Article 6(1)(1)(a) GDPR; if special cate-gories of personal data will be processed, your consent pursuant to Article 9(2)(a) GDPR is a supplementary legal basis. In this respect, you give consent for your personal data (particularly in the scope specified above) to be processed within the framework of this Data Protection Notice for the purposes described. Aristo is permitted to transmit your personal data within the relevant requisite scope to po-tential customers for the purpose of initiating a placement. Your per-sonal data will not be transmitted to third parties without your express consent if doing so is not necessary for the performance of service or the execution of a contract. In the event, for example, that an ap-plication on your part or an attempted placement on our part for a specific role should prove unsuccessful, you can give your consent for the Aristo Group to continue processing your data even beyond the end of the specific placement attempt. Aristo is also permitted to use your data to contact you in the future, particularly in order to reach you for the continuation of the placement or for a new place-ment.

4.4.2. Processing based on the establishment/implementation of a contract

If the processing of your data already serves to facilitate the perfor-mance of a contract to which you are a party or the implementation of pre-contractual actions, an additional legal basis for processing of the data is Article 6(1)(1)(b) GDPR.

4.4.3. Processing based on statutory provisions

Aristo is subject to statutory and regulatory stipulations. The fulfill-ment of the statutory requirements arising from these requires the collection and processing of your personal data (Article 6(1)(1)(c) GDPR).

4.4.4. Processing based on legitimate interests

In addition, we process your personal data if doing so is necessary in order to safeguard the legitimate interests of Aristo or a third party (pursuant to Article 4(10) GDPR) and is not overridden by the inter-ests or fundamental rights and freedoms of the data subjects (in the present case: you) which require the protection of personal data (Ar-ticle 6(1)(1)(f) GDPR). In particular, processing of your data based on a legitimate interest may take place so that Aristo can carry out internal controlling. Your data may also be processed so that Aristo can establish claims or defend itself against claims in legal disputes. In this respect, Aristo also assumes that your interests override your fundamental rights and freedoms that require the protection of your data. If our processing of personal data is based on a balancing of interests, you can lodge an objection to the processing. In the event of the exercise of an objection of this type, we request an explanation of the reasons why the personal data should not be processed in the manner implemented by our company. If the objection is justified, we will review the situation and either halt/adjust the data processing or inform you of the compelling legitimate grounds according to which we will continue the processing.

4.4.5. Retention duration; objection and erasure options

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If the processing of the data already serves to facilitate the performance of a contract to which you are a party or the implementation of a pre-contractual action, then the data will be deleted once it is no longer needed for the performance of the con-tract. Concluding an agreement may also result in the necessity to store your personal data in order to meet contractual or statutory ob-ligations – particularly retention obligations under commercial and tax law – or to safeguard our legitimate interests:

  • Retention in order to comply with retention obligations under commercial and/or tax law to the requisite extent applicable to us. The periods for the fulfillment of commercial and/or tax law retention periods are ten years, in accordance with the statu-tory provisions for all documents that are necessary for profit determination; the retention period for business letters (includ-ing e-mails) is six years. Article 6 (1)(1)(c) of the GDPR is the legal basis for this;
  • According to the provisions of the German Civil Code (BGB), statutory retention periods can amount to up to 30 years, with the regular retention period being three years. For this reason, we retain the contract documents and documents related to the contract in accordance with these statutory retention regula-tions in order to be able to conduct any potentially necessary (legal) disputes. Article 6 (1)(1)(f) of the GDPR is the legal ba-sis for this.

If the processing of your data is based on consent, you can send a corresponding message to datenschutz@aristo-group.de to wholly or partially withdraw this consent for the future. If you withdraw your consent, this may prevent you from being referred to positions to be filled, particularly if doing so causes your general or concrete appli-cation to lose the generally customary explanatory power and thus makes it impossible for potential customers to establish an image of who you are. If you withdraw your consent, we will delete your data as a general principle; if the data is necessary for the performance of a contract or the implementation of pre-contractual actions, then a premature erasure of data is possible only to the extent that this is not opposed by contractual or statutory obligations.

5.1. Description and scope of data processing

Through our website, you have the opportunity to have your CV re-viewed by our experts and receive valuable tips and assistance for optimizing the presentation of your resume. To be able to make use of our service, you must enter the following data through the form on our website:

  • Your name and, if applicable, your company name
  • E-mail address and mobile number

In addition, you have the option of selecting your CV in a suitable file format and uploading it to our server. In this context, we collect the personal data that is contained in your CV; you can decide for your-self which of your data you would like to provide us with in this re-spect. Typically, however, the corresponding CVs contain the follow-ing data:

  • Master data and contact data;
  • Images, if applicable;
  • Data on your qualifications and knowledge, particularly: school education and vocational training and/or higher education, other training and professional education, professional experi-ence, previous roles and previous industries, previous custom-ers and project experience, references, language skills, other qualifications (driver’s license, etc.) and soft skills, publications;

5.2. Purposes of data processing

We process your master data and contact data entered through the form on our website exclusively for the purpose of making contact with you in order to carry out the CV check. We process your data contained in the CV exclusively for the purpose of reviewing the CV you have submitted with regard to current market requirements and standards and discussing and, if necessary, optimizing it with you. The provision of this data is required in order to be able to carry out the “Aristo CV Check.”

5.3. Legal bases of data processing

The legal basis for the processing of your data in the event of the existence of your consent is Article 6(1)(1)(a) GDPR; if special cate-gories of personal data will be processed, your consent pursuant to Article 9(2)(a) GDPR is a supplementary legal basis. In this respect, you give consent for your personal data (particularly in the scope specified above) to be processed within the framework of this Data Protection Notice for the purposes described.

5.4. Retention duration; objection and erasure options

Your data will be deleted as soon as it is no longer necessary for the purpose of its collection. Because and insofar as the processing of your data is based on consent, you can send a corresponding mes-sage to datenschutz@aristo-group.de to wholly or partially withdraw this consent for the future. If you withdraw your consent, it will likely no longer be possible to carry out the check for your CV. As a general principle, your data is deleted after your consent is withdrawn as long as there are no contractual or legal obligations standing in the way of the deletion.

Unless already specifically described above, we will not share your personal data with third-party companies, organizations or persons except in one of the following situations:

  • We share data with public bodies (authorities), companies, or-ganizations or persons when we are obligated to do so in ac-cordance with applicable laws, regulations, legal proceedings or enforceable official orders, or can assume in good faith that access to this data or the use, retention or transfer thereof can be reasonably expected to be necessary in order to fulfill equiv-alent obligations (Article 6(1)(1)(c) GDPR);
  • Aristo retains and processes your data in the context of the es-tablishment and performance of a contractual relationship with you in an IT system that is also used by the other Aristo com-panies named in Section 1.1. For this reason, the data stored there by Aristo is also technically accessible to these compa-nies. Access to your personal data by these companies is gen-erally not allowed, but the possibility of this cannot be totally ruled out. The companies will access the data insofar as doing so is necessary for the business relationship with you and is not opposed to any of your legitimate interests (Article 6(1)(1)(f) GDPR);
  • We provide the data to our third-party business partners and other trustworthy companies or persons who process the data on our behalf. This takes place on the basis of precise instruc-tions from us and in accordance with this data protection dec-laration.

Unless expressly stated in this data protection declaration, your per-sonal data will not be transmitted to third countries (countries outside the EU / the EEA) or international organizations. However, we also transmit your data to Aristo AG, based in Switzerland, in the context of our jointly-used IT systems for the operation of the website. Swit-zerland possesses an adequate level of data protection. This has been determined by the European Commission by means of an ad-equacy decision (pursuant to Article 45 GDPR).

Unless otherwise explicitly described above, no automated decision-making takes place.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the data controller. You may contact any of the bodies listed in 2.1.1 through 2.1.3 to exercise your rights.

9.1. Right of access

You have the right to access to the data stored with the controller, particularly to information on the purpose of the processing and how long the data will be retained (Article 15 GDPR).

9.2. Right to rectification

You have the right to ask the controller to rectify and/or complete your personal data if the processed personal data pertaining to you is in-correct or incomplete. The controller is obligated to rectify the data without undue delay.

9.3. Right to restriction of processing

You have the right to request the restriction of the processing of your data. This right particularly applies for the duration of the review in the event that you have contested the accuracy of the data pertaining to you, as well as in the event that you would like processing to be restricted instead of exercising an existing right to erasure. A re-striction of processing shall also take place in the event that the data is no longer necessary for our purposes, but you still need the data for the establishment, exercise or defense of legal claims, and if the successful exercise of an objection is disputed between you and the controller (Article 18 GDPR).

9.4. Right to erasure

You have the right to request the erasure of the personal data per-taining to you by the controller. These requirements specify that you can request the deletion of your data if, for example, the controller no longer needs the personal data for the purposes for which it was col-lected or otherwise processed, the controller processes the data un-lawfully, you have lodged a legitimate objection, you have withdrawn your consent, or a statutory obligation of deletion exists (Article 17 GDPR).

9.5. Right to data portability

You have the right to receive the personal data you have provided to the controller from the controller in a structured, common and ma-chine-readable format (Article 20 GDPR) insofar as it has not already been deleted.

9.6. Right to object

You have the right to file an objection at any time to processing of personal data pertaining to you that is collected under Article 5(1)(1)(e) or (f) GDPR (Article 21 GDPR) for reasons relating to your particular situation. The controller will halt the processing of your per-sonal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves the purpose of the establish-ment, exercise or defense of legal claims. In the event that you ob-ject, for example, to the use of your data for advertising purposes, the controller will cease processing your data for such purposes.

9.7. Right to withdraw consent

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of pro-cessing based on consent before its withdrawal.

9.8. Right not to be the subject of automated decision-mak-ing in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal ef-fects concerning you or similarly significantly affects you. This shall not apply if the decision

  • is necessary for entering into, or performance of, a contract be-tween you and the controller;
  • is authorized by Union or Member State law to which the con-troller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. With regard to the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and free-doms and legitimate interests, at least the right to obtain human in-tervention on the part of the controller, to express his or her point of view and to contest the decision.

9.9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the pro-cessing of personal data relating to you violates the GDPR. The su-pervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the com-plaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.