Last update: December 2020
- the personal data we collect, store, process, block and erase (collectively referred to as ‘processing’),
- what we use these data for,
- how you can object or withdraw your consent to the use of these data and
- the other rights you have as a data subject and how you can assert them.
1. Who is responsible for data processing and who can I contact?
The responsible body for data processing (data controller) in the sense given in the GDPR is:
92318 Neumarkt, Germany
Phone: +49 (0) 9181 231-90
Fax: +49 (0) 9181 231-265
Phytoneering Extract Solution GmbH
Bionorica research GmbH
6020 Innsbruck, Austria
Phone :+43 (0) 512 276808
Fax : +43 (0) 512 276808 8840
Since Bionorica SE operates a joint applicant portal with its German subsidiaries and Bionorica research GmbH in Innsbruck, Bionorica SE is always responsible for the underlying processing of personal data.
In terms of data protection law, this processing is carried out under the joint responsibility of Bionorica SE and the respective subsidiary in accordance with Art. 26 GDPR. The following key points apply to joint processing:
- Bionorica SE and the respective subsidiary are equally responsible for the legality of the joint processing and take appropriate technical and organizational measures so that the rights of the data subjects are guaranteed at all times.
- Bionorica SE undertakes to make the information required by Art. 13 and 14 GDPR also publicly available with regard to joint processing.
- In order to ensure adequate transparency and reliable assertion of data subject rights, all data subject rights during joint processing can always be asserted against Bionorica SE as the parent company.
- Bionorica SE and the respective subsidiary are equally responsible for the information obligations resulting from Art. 33, 34 GDPR towards the supervisory authority or those affected by a violation of the protection of personal data.
- Both parties are jointly liable for the damage caused by processing that does not comply with the GDPR in the external relationship together towards the data subject.
We would be happy to provide you with an extract from our "Agreement on the joint processing of personal data in accordance with Art. 26 GDPR". For this purpose, please also contact the above-mentioned contact.
2. Am I obligated to provide data?
In the context of your application, you only have to provide the personal data which are required to process your application or which we are legally obliged to collect. Without this data, we will usually not be able to process your application.
3. Which sources and data does Bionorica SE and its subsidiaries use?
We only process personal data that we receive from our applicants as part of the application process.
The personal data, which we process, include in particular:
- Master and framework data (e.g. name, address and other contact details, date of birth),
- Information on school, training and previous occupations,
- information on general skills,
- Application documents (curriculum vitae, cover letter, references and certificates),
- as well as other data comparable to the categories mentioned.
4. Processing purposes and legal basis
We process personal data in accordance with the provisions of the European General Data Protection Regulation (EU GDPR) and the German Federal Data Protection Act (BDSG) according to the following legal bases:
4.1. To fulfil contractual obligations (Art. 6 para. 1 cl. 1 lit. b GDPR)
The processing of personal data in the application process takes place in order to carry out pre-contractual measures, which take place at the request of the applicant.
4.2. Based on legitimate interests (Art. 6 para. 1 cl. 1 lit. f GDPR)
If necessary, we process personal data beyond the actual fulfilment of the contract to safeguard our legitimate interests.
This includes in particular the following activities and processes:
- ensuring of IT security and safeguarding of IT operations in our company,
- assertion of legal rights and defence in legal disputes (e.g. as part of the judicial review of alleged German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz) violations),
- Identification of follow-up applications based on your general data (name, date of birth, email address and the name of the position for which you have applied),
- Comparison with sanctions lists that go beyond the legally prescribed but usual.
If you granted us consent to process personal data for specific purposes, this processing is lawful based on this consent.
After granting your consent, you can withdraw it at any time. This also applies to the withdrawal of declarations of consent given to us before the GDPR came into effect. Please note that withdrawal of your consent does not affect the lawfulness of processing carried out up to the time of withdrawal.
You can withdraw consent free of charge by sending a formless statement to the contact given in Section 1. If you withdraw your consent by telephone, we may ask you to provide additional proof of your identity in another way.
4.4. Based on legal requirements (Art. 6 para. 1 cl. 1 lit. c GDPR) or in the public interest (Art. 6 para. 1 cl. 1 lit. e GDPR)
Like every company, Bionorica SE has numerous legal obligations which make processing of personal data necessary. As examples, e.g., identification obligations for prevention of money laundering, comparison with legally prescribed sanctions lists (e.g. checking of payees as part of the reimbursement of travel expenses of the applicant) or meeting of tax obligations and regulatory documentation requirements for medicinal products can be stated here.
5. When is automated individual decision-making in individual cases used?
We generally do not use fully automated decision-making according to Art. 22 GDPR for processing an application. If we employ these techniques in individual cases, we will inform you about this separately insofar as we are required to do so by law.
6. Who gets my data?
Within Bionorica SE and the subsidiaries, those offices and departments requiring your data for processing your application. Carefully selected and controlled service service providers employed by us may also receive data for these purposes, but within the scope of so-called contract data processing they are obligated to meet the data protection requirements that are also applicable to us. These can be, for example, companies in the fields of IT services (providers).
We only pass on data to recipients outside Bionorica if we have a legal basis (e.g. legal obligation, consent).
7. Are data transferred to companies in third countries or to international organisations?
A data transfer to locations in countries outside the European Union (so-called third countries) does not take place in the context of applications. Should such a transfer be necessary in individual cases (e.g. because you are applying for a position outside the EU) we will inform you separately about possible risks of a data transfer and ask for your express consent.
8. How long are my data stored?
We process your personal data only as long as necessary for fulfilment of our processing purposes described above. Your application data (with the exception of your name, email address, date of birth, position for which you have applied) will be automatically deleted in the applicant management system 6 months after the application process has been completed. Your name, date of birth, email address and the position you applied for will be deleted after three years.
Once the data are no longer needed for fulfilment of the processing purposes described above, they are erased unless their further processing is necessary – for a limited period – for the following purposes:
- fulfilment of retention obligations according to commercial and tax law: the German Commercial Code (HGB) and the German Money Laundering Act (GwG) should be mentioned. The retention and documentation periods prescribed there can be up to ten years.
- preservation of evidence in the context of the statute of limitations. Pursuant to Sections 195ff. of the German Civil Code (BGB) these statutory limitation periods can be up to 30 years, whereby the normal limitation period is three years.
9. What rights do I have as a data subject?
As a data subject you have the right to access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, and the right to data portability according to Art. 20 GDPR. With respect to the right to access and the right to erasure, the limitations set forth in Sections 34 and 35 BDSG apply. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).
You also have the right to object under Art. 21 GDPR. You can object to the processing of personal data on the basis of Art. 6 para. 1 lit. e or f GDPR at any time without giving reasons.