Data protection information for employees
Your employer must process your personal data in connection with your employment relationship. The handling of this so-called “personal data” is regulated by special legal provisions. These regulations include, in particular, the EU General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”).
Fels attaches great importance to the responsible handling of your personal data. In this data protection information, we explain what information (including personal data) is processed in connection with your employment relationship.
In particular, we will inform you about
- which company is responsible for processing your personal data, so that you know who to contact if you have any questions;
- that we process data for your employment relationship that you have provided in connection with your recruitment as well as data that is collected in the course of your work for us;
- that we process your personal data for certain specified purposes and on the basis of the statutory provisions;
- that certain personal data must be processed by us because we cannot fulfil the employment relationship with you without this data
- that we also have to transfer certain personal data from you to other organisations or possibly also to other countries and what precautions we take to protect your data;
- how long we store your personal data; and
- what rights you have with regard to your personal data.
On the following pages you will find the legally required information on the processing of your personal data:
1. Who is responsible for data processing?
The data controller for the processing of personal data under data protection law is the Fels company with which you have concluded your employment contract or the company that is shown on your remuneration statement or that is responsible for the payment of company pension benefits (“contractual employer”). You will find the contact details of your contractual employer in your employment contract or as an imprint in your payroll document. Where this data protection information refers to “we” or “us”, this refers to your contractual employer.
The data protection officer for Fels can also be contacted at datenschutz@fels.de or by telephone on 0170 4587328.
2 What data do we process?
The fulfilment of your employment relationship requires the processing of personal data:
Master data: We process basic data about you and your employment relationship with us, which we collectively refer to as “master data”.
This includes in particular
- all information that you have provided to us in the course of the application process or that we have requested from you (e.g. name, address, telephone number, e-mail address, date of birth, marital status, nationality, religious denomination, details of your education and professional background);
- the data that we have collected in connection with your employment with us (such as, in particular, the details of the employment contract concluded with you and information on your organisational integration into our company); and
- data required for payroll accounting, for the settlement of company pension benefits or in the context of participation in an employee participation programme.
Historical data: We process personal data that is generated in the course of your employment relationship, which may go beyond a mere change to your master data and which we refer to as “historical data”. This includes in particular
- Information about the work you have performed, such as attendance and absence times and any assessments of your performance under your employment contract;
- Information about the services we provide, such as the salary payments made to you and the provision of other benefits;
- Information that you provide to us in the course of your employment – either actively or in response to a request from us;
- personal data that we receive from you or third parties (in particular government bodies such as social insurance institutions or (tax) authorities) in the course of your employment relationship. This includes, for example, information on incapacity to work due to illness, pregnancy or the birth of a child, any disability, marriage or entering into a civil partnership; and
- personal data that is required in the form of permanent account management, e.g. to document entitlements to company pension benefits or participation in employee participation programmes.
Usage data: We process personal data that is generated in the course of your employment based on your use of the company infrastructure. This includes in particular
- information about your use of the company IT infrastructure (such as your business e-mail account and Internet access or the other applications, programmes and end devices made available to you); and
- Information about your use of other company infrastructure such as (time clocks or other time recording systems).
- Data from the SAP SuccessFactors training tool
The aforementioned data categories may also include special types of personal data, in particular information relating to your health (e.g. information about your incapacity to work in the event of a sick note).
3. for what purposes and on what legal basis do we process your data?
The processing of master data, history data and usage data is carried out to fulfil the employment relationship with you on the basis of Article 6 (1) (b) GDPR and Section 26 (1) (f) GDPR. 1 BDSG.
We may also process master, history and usage data to fulfil legal obligations to which we are subject; this is done on the basis of Article 6(1)(c) GDPR.
These legal obligations include the reports we are required to submit to social insurance providers and (tax) authorities, as well as cross-checking against sanctions lists.
A sanctions list is a publicly accessible list of persons, associations or companies against whom economic and/or legal restrictions have been imposed by states or communities of states.
The provision of financial benefits, including the payment of wages, to persons on these lists is prohibited.
Where necessary, we also process your data beyond the execution of the employment relationship and the fulfilment of legal obligations to protect our legitimate interests or the interests of third parties; this is done on the basis of Article 6 (1) f) GDPR. Our legitimate interests include
- Group-wide processes for the internal management of employee data
- the assertion of legal claims and defence in legal disputes;
- the prevention and investigation of criminal offences;
- ensuring the security of the IT systems we use;
- ensuring building and plant safety.
Insofar as the data categories mentioned under point 2 contain special types of personal data (such as health data), we process these for the purposes of our obligations under labour law and social security law to the extent provided for by law; this is done on the basis of Article 9 paragraph 2 b) GDPR.
If we give you the opportunity to give your consent to the processing of personal data when establishing or in the course of the employment relationship, we process the data covered by the consent for the purposes stated in the consent; this is done on the basis of Article 6 (1) a) GDPR. If the consent relates to the processing of special categories of personal data (such as health data), the processing is carried out on the basis of Article 9(2)(a) GDPR.
Please note that
- the granting of consent to us is always voluntary and neither the granting nor the subsequent revocation of consent has any negative consequences for the performance of your employment relationship;
- that the non-granting of consent or its later revocation may nevertheless be associated with consequences, about which we will inform you before granting consent, and
- that you can revoke any consent given to us at any time with effect for the future, e.g. by sending a message by post, fax or e-mail via one of the contact channels mentioned.
4. are you obliged to provide data?
The provision of the master data, history data and usage data mentioned under point 2 is necessary for the conclusion of the employment contract and its execution between you and us, unless expressly stated otherwise by us when collecting this data. Without the provision of this data, we cannot conclude and execute an employment contract with you.
If we also collect personal data from you, we will inform you at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract (in particular your employment contract). As a rule, we identify information that is provided voluntarily and is not based on any of the aforementioned obligations or is not required for the conclusion of a contract.
5 Who receives your data?
Your personal data will be processed within our company. Depending on the type of personal data, only certain departments / organizational units have access to your personal data. This includes in particular the HR department, your superiors and – in the case of data collected via the IT infrastructure – the IT department to a certain extent. A role and authorization concept limits access within our company to those functions and to the extent necessary for the respective purpose of processing.
We may also transfer your personal data to third parties outside our company to the extent permitted by law. These external recipients may include in particular
- affiliated companies within the SigmaRoc Group to which we transfer personal data for internal administrative purposes;
- direct or indirect superiors who are employed by another company within Fels, insofar as this is necessary for the performance of the employment relationship with you;
- the service providers employed by us who provide services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
- non-public and public bodies, insofar as we are obliged to transfer your personal data due to legal obligations,
- Business partners, insofar as the transfer of personal data (e.g. your public company contact details) is necessary for the performance of the employment relationship.
6. is automated decision-making used?
When establishing or in the course of the employment relationship, we do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. Should we use such procedures in individual cases in the future, we will inform you of this separately to the extent required by law.
7. is data transferred to countries outside the EU/EEA?
The processing of your personal data takes place within the EU or the European Economic Area; a transfer to other countries (so-called “third countries”) is not planned.
If, in individual cases (e.g. in the case of a secondment), it becomes necessary to transfer personal data to recipients outside the European Union or the Agreement on the European Economic Area in order to fulfil the employment relationship, we will provide you with the information required by law prior to such a transfer.
8 How long will your data be stored?
We store your personal data as long as we have a legitimate interest in this storage and your interests in the discontinuation of storage do not outweigh.
Even without a legitimate interest, we may continue to store the data if we are legally obliged to do so (e.g. to fulfil storage obligations). We also delete your personal data without your intervention as soon as their knowledge is no longer necessary to fulfil the purpose of the processing or storage is otherwise legally inadmissible.
As a rule, the master data and other personal data collected in the course of the employment relationship are stored at least until the end of the employment relationship. The data will be deleted at the latest when the purpose has been achieved. This may also only occur after termination of the employment relationship. The personal data that we have to store in order to fulfil our storage obligations will be stored until the end of the respective storage obligation. Insofar as we store personal data exclusively for the fulfilment of retention obligations, it is generally blocked so that it can only be accessed if this is necessary with regard to the purpose of the retention obligation.
9. what rights do you have as a data subject?
As a data subject, you may
- to information about the personal data stored about you, Article 15 GDPR;
- to rectification of inaccurate or incomplete data, Article 16 GDPR;
- to erasure of personal data, Article 17 GDPR;
- to restriction of processing, Article 18 GDPR;
- to data portability, Article 20 GDPR, and
- to object to the processing of personal data concerning you, Article 21 GDPR.
To exercise these rights, you can contact us at any time – e.g. via one of the contact channels listed in the “Who is responsible for data processing?” section of this data protection information.
If you have any questions about the processing of your data, you can also contact our data protection officer.
You are also entitled to lodge a complaint with a competent supervisory authority for data protection, Article 77 GDPR.