Information on data processing


1. Name and contact details of the person responsible:


ON.JOB GmbH

Marktstraße 81

37115 Duderstadt


2. Data Protection Officer:



3. Purposes and legal basis of data processing:


We process your personal data that we receive from you or third parties in the context of business relationships. This includes, among other things, your contact details such as name, address, telephone number, and email address. We also process other data that you voluntarily provide to us within the framework of a contractual relationship or in the context of contract initiation or for the implementation or processing of a project.

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other relevant data protection laws. We have implemented appropriate technical and organizational security measures (pursuant to Art. 32 GDPR) to ensure the protection of your personal data and regularly train our employees on data protection issues.

We process your personal data on the basis of the legal bases described below and for the purposes stated below:

1. the initiation, execution and termination of contracts (Art. 6 (1) (b) GDPR), e.g. fulfillment of a contract (provision of a service), general communication with business partners (e.g. answering inquiries about products and services, contract negotiations, etc.),

2. based on your consent (Art. 6 (1) (a) GDPR),

3. due to legal requirements (Art. 6 para. 1 c GDPR), e.g. to fulfil commercial or tax retention obligations, to fulfil obligations to provide information to authorities, etc.,

or: within the scope of our legitimate interests (Art. 6 (1) (f) GDPR). We strictly ensure that the processing of your personal data is necessary for us and that your interests as a data subject do not outweigh our interests in data processing.


Application process:


If we process your data for the purpose of the application process, we are entitled to do so pursuant to Art. 88 (1) GDPR in conjunction with Section 26 (2) BDSG (German Federal Data Protection Act) and, where applicable, Art. 9 (2) b) GDPR. Your personal data

will only be passed on to people who are involved in processing your application and who are necessary for processing.

Your application documents will be returned or destroyed after the application process has been completed. If you agree that we may retain your data in our pool of prospective applicants for future job postings beyond this period, we ask for your consent by email or post. Your contact details, information about any severe disability, and data on the receipt of your application, confirmation of receipt, invitation to an interview, and rejection or withdrawal of your application will be stored by us and deleted six months after the application process has been completed. If you are hired, this data will be stored in your personnel file and deleted after the end of your employment, in accordance with the statutory retention periods.


4. Categories of personal data


We only process data that is related to the establishment of a contract or pre-contractual measures. This may include general data about you or your company (name, address, contact details, etc.) as well as any other data you provide to us in the context of the establishment of the contract.


5. Sources of the data


We process personal data that we receive from you when you contact us, when you enter into a contractual relationship or when you take pre-contractual measures.


6. Recipients of the data


We only share your personal data within our company with those departments and individuals who need this data to fulfill contractual and legal obligations or to implement our legitimate interests. We may transfer your personal data to affiliated companies, provided this is permissible within the scope of the purposes and legal bases set out in Section 3 of this data protection information sheet. Your personal data will be processed on our behalf on the basis of order processing agreements pursuant to Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR. The categories of recipients in this case are internet service providers and providers of customer management systems and software. Data will otherwise only be shared with recipients outside the company if permitted or required by law, if the sharing is necessary for the processing and thus the fulfillment of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent, or if we are authorized to provide information. Under these conditions, recipients of personal data may include, for example:

• External tax advisor

• Public bodies and institutions (e.g. public prosecutor, police, supervisory authorities, tax office) if there is a legal or official obligation,

• Recipients to whom the transfer is directly necessary for the establishment or fulfilment of the contract.


7. Transfer to a third country


We will not transfer your data to a third country outside the European Economic Area (EEA) without your explicit consent.


8. Duration of data storage


Where necessary, we process and store your personal data for the duration of our business relationship or to fulfill contractual purposes. This includes, among other things, the initiation and processing of a contract. In addition, we are subject to various retention and documentation obligations, which arise, among other things, from the German Commercial Code (HGB) and the German Tax Code (AO). The retention and documentation periods prescribed therein are two to ten years. Finally, the storage period also depends on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.


9. Your rights


Every data subject has the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to notification pursuant to Art. 19 GDPR, and the right to data portability pursuant to Art. 20 GDPR. Furthermore, you have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR if you believe that your personal data is being processed unlawfully. This right of complaint exists without prejudice to any other administrative or judicial remedy.

The responsible data protection supervisory authority for ON.JOB GmbH is:


The State Commissioner for Data Protection of Lower Saxony

Barbara Thiel

Prinzenstraße 5

30159 Hanover


If the processing of data is based on your consent, you are entitled to revoke your consent to the use of your personal data at any time in accordance with Art. 7 GDPR. Please note that the revocation only applies to the future. Processing that occurred before the revocation is not affected. Please also note that we may be required to retain certain data for a certain period of time to comply with legal requirements (see Section 7 of this privacy policy).

Right of objection: If the processing of your personal data is carried out in accordance with Art. 6 (1) (f) GDPR to protect legitimate interests, you have the right to object to the processing of this data at any time for reasons arising from your particular situation, in accordance with Art. 21 GDPR. We will then no longer process this personal data unless we can demonstrate compelling legitimate grounds for the processing. These must outweigh your interests, rights and freedoms, or the processing must serve to assert, exercise or defend legal claims. In individual cases, we process your personal data in order to conduct direct advertising. You have the right to object at any time to processing for the purposes of such advertising. This also applies to profiling insofar as it is related to this direct advertising. If you object to processing for the purposes of direct advertising, we will no longer process your personal data for these purposes. To protect your rights, you can contact us using the contact details provided in section 1.


10. Necessity of providing personal data


The provision of personal data for the purpose of deciding whether to conclude or fulfill a contract, or for taking pre-contractual measures, is voluntary. However, we can only make a decision within the scope of contractual measures if you provide personal data that is necessary for the conclusion or fulfillment of the contract, or for taking pre-contractual measures.


11. Automated decision-making


In principle, we do not use fully automated decision-making in accordance with Art. 22 GDPR to establish, fulfil or carry out the business relationship or for pre-contractual measures.