cewe.de
Suche Kontakt

Privacy policy for the Workday application portal

The protection of your personal data is a high priority for the affiliated companies of the CEWE Group. We strictly adhere to the legal provisions, in particular the EU General Data Protection Regulation (GDPR), when processing personal data.
 

The controller for the application portal is

CEWE Stiftung & Co. KGaA

Meerweg 30-32

26133 Oldenburg
 

If you have any questions about data protection, please contact the data protection officer:

CEWE Stiftung & Co. KGaA

Data Protection

Meerweg 30-32

26133 Oldenburg

Tel.: +49 (0)441 404299

Email: datenschutz@cewe.de

Ms Elwira Wall
 

If you apply for a position at another affiliated company of the CEWE Group via the application portal, that company will be the controller for the application process following the application and the associated data processing. You can find more detailed information on how to contact this company in the respective job advertisement.

Below, we provide information about the processing of your personal data when you visit and use the application portal. This includes both the data processing that occurs when you access the application portal and the data processing that occurs when you apply for a position via the application portal.

The application portal of Workday Limited, The King's Building, 152-155 Church Street, Dublin 7, D07 A0TN, Ireland, is used to receive and manage online applications.


1. Application

1.1. Application without a user account

Processing of your data

The application portal allows you to apply for currently advertised positions or submit speculative applications to affiliated companies of the CEWE Group. When using the application portal, the personal data required for this purpose is collected via the application form. This includes, in particular, your name, contact details and information about your previous professional career. Additional information may also be processed, such as details of your qualifications, availability, willingness to relocate, whether you have a driving licence, willingness to travel or your salary expectations. Some information in the application form is marked as mandatory. This information is required in order to process your application and assess your basic suitability for the advertised position. You can also voluntarily provide additional information that may help us to better assess your profile. Documents must also be enclosed with the application. A CV must be submitted. However, you also have the option of uploading additional documents. The legal basis for the processing of your data in the context of the application process is Section 26 (1) sentence 1 BDSG or Art. 6 (1) lit. b GDPR. If you have voluntarily provided us with personal data, this is done on the basis of your revocable consent in accordance with Art. 6 (1) lit. a.

We expressly point out that applications, in particular CVs, references and other data you send us, may contain special categories of personal data within the meaning of Art. 9 GDPR (data on racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership). If you provide us with such information in your online application, you expressly agree and consent to this data being processed for the purpose of handling your application.

All processing of your data is carried out for the purpose of processing your application.


Recipients of the data

The personal data collected in connection with the application will only be processed for the purpose of handling the application process and will be treated confidentially at all times. Incoming applications will only be made available to the company you have applied to and will only be made available to employees who are involved in the specific recruitment process. If you apply to a CEWE Group company based outside the European Economic Area (EEA), your application documents will be forwarded to the relevant company in the third country. Personal data will only be transferred to third countries to CEWE Group companies based in the United Kingdom (UK) or Switzerland. Both countries have been granted an adequacy decision by the European Commission, ensuring an adequate level of data protection.

As part of the application process, your data will also be forwarded internally to the relevant employee representative body if this is mandatory.

Workday Limited is used as a processor for the technical provision of the application portal. Within the framework of the processing relationship, it is contractually ensured that the processing of personal data is carried out exclusively in accordance with instructions and that appropriate technical and organisational measures are implemented to protect personal data in accordance with Art. 32 GDPR. Application data is stored exclusively on servers within the EEA. In the event of technical problems or support cases, Workday, Inc. may be used as a sub-processor. Workday, Inc. is certified under the EU-U.S. Data Privacy Framework, which ensures an adequate level of data protection. In addition, standard contractual clauses (SCC) have been agreed.


Deletion of data

If an employment contract is concluded, the personal data you have provided may be stored in the personnel file by the company where you are employed for the purpose of carrying out the usual organisational and administrative processes in compliance with the relevant legal requirements.

If you are not hired, your application documents will be deleted no later than 6 months after completion of the application process or after receipt of the rejection in the application portal (unless you have consented to be included in the talent pool). This short-term storage serves to defend against possible legal claims and to clarify any questions that may arise subsequently. If, within this period, it becomes apparent that further processing is necessary after weighing up the interests involved in order to defend legal claims, the data will be stored until this claim has been settled.


Talent pool

In the application form, you will be asked whether you would like to be included in the talent pool. If you have given your prior consent, your data will be stored (further) for a period of 24 months in the event of rejection, and your application may continue to be considered by the relevant company for future vacancies. Inclusion in the talent pool is voluntary. If you do not wish to be included in the talent pool, this will not affect your application in any other way.


Statistical evaluations

Finally, we would like to point out that the data you provide may be used to compile statistical evaluations in connection with the (online) application process. These statistics are compiled exclusively for our own purposes and are never personalised, but always in anonymised form.


1.2. Registration and login in the application portal

You have the option of setting up a personal user account in the application portal. When registering, you must enter your email address and a password of your choice. Setting up a user account has no influence on the processing of your data during the application process. However, the user account allows you to view the current status of your application process at any time. You can request the deletion of your user account at any time via your profile. If you do not request deletion yourself, your user account is linked to your application and will be deleted as soon as your application is deleted. We also reserve the right to delete user accounts at any time if misuse is detected. Misuse is deemed to have occurred in particular if dubious applications are sent via the user account.


1.3. Underage applicants

For job vacancies that are specifically aimed at minors (e.g. school internships or training), a mandatory question regarding age of majority is included in the application form. If a person is a minor, a declaration of consent will be provided, which must be signed by the parents. The application will be marked accordingly in the system. The signed consent form must be attached to the application and the application data will only be processed once parental consent has been received.


2. Application portal / website

2.1. Log files

When you visit our application portal, the web server temporarily collects and stores access data such as your IP address, browser used, operating system, and date and time of your visit. This information is primarily used as operational information necessary for diagnosing problems, monitoring system status, and troubleshooting. The legal basis for the temporary storage of data is Art. 6(1)(f) GDPR.


2.2. Cookies

Cookies are set so that you can use the application portal without any problems. Cookies do not harm your computer and do not contain viruses. Cookies are small text files that are stored on your computer and saved by your browser. This allows certain settings or entries to be saved and your browser to be recognised when you visit the site again. A basic distinction can be made between cookies that are technically essential for the operation and functionality of the website and those that enable additional functions, such as usage analysis or marketing functions. The application portal only uses cookies that are strictly necessary for the operation of the website in accordance with Section 25 (2) No. 2 TDDDG. The cookies used are mainly so-called session cookies, i.e. they are deleted again after the end of the session, i.e. after closing the browser.

Detailed information on the cookies used can be found in the following list:

Cookie name: PLAY_LANG, PLAY_SESSION, timezoneOffset, wd-browser-id, wday_vps_cookie, CXS_SESSION
Purpose: Session experience 
Description: Session experience – User, device and session ID cookies, as well as timestamp cookies to end sessions after inactivity. These cookies expire at the end of the session.
Storage duration: Session

Cookie name: TS* 
Purpose: security management
Description: Security management – Helps prevent cyber attacks on user interaction with the company's cloud applications. Checks whether the domain and subdomain cookies exchanged between the web server and client have been altered.
Storage duration: Session

Cookie name: CALYPSO_CSRF_TOKEN
Purpose: security management
Description: Security management – Contains a CSRF token to prevent cross-site request forgery attacks, i.e. to prevent a user from performing unintended actions on the career page.
Storage duration: Session

Cookie name: __cf_bm
Purpose: security management
Description: Security management – Identification and mitigation of automated traffic to protect the platform from malicious bots.
Storage duration: After 30 minutes of inactivity

Cookie name: Naming convention of WorkdayLB_*, WorkdayLB_UICLIENT, WorkdayLB_SAS
Purpose: load distribution
Description: Load balancing – to forward requests for a single session to the same server to ensure consistent service quality.
Storage duration: Session 

Cookie name: enablePrivacyTracking
Purpose: Cookie settings
Description: Tracker for recording user preferences for non-essential cookies from the cookie banner
Storage duration: Session


Rights of data subjects

The GDPR grants you certain rights when your personal data is processed:

1. Right of access (Art. 15 GDPR):

You have the right to request confirmation as to whether personal data concerning you is being processed. If this is the case, you have the right to access this personal data and to the information specified in Art. 15 GDPR.

2. Right to rectification and erasure (Art. 16 and 17 GDPR):

You have the right to request the immediate rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete personal data.

You also have the right to request that personal data concerning you be erased without delay if one of the reasons listed in detail in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued.

3. Right to restriction of processing (Art. 18 GDPR):

You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, e.g. if you have objected to the processing, for the duration of any review.

4. Right to data portability (Art. 20 GDPR):

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transfer of this data to a third party.

5. Right to object (Art. 21 GDPR):

If data is collected on the basis of Art. 6 para. 1 lit. f) GDPR (data processing to safeguard legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

6. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR):

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement.


Withdrawal of consent

If you have given us your consent, we would like to point out that you can withdraw your consent at any time with effect for the future. If you wish to withdraw your consent in the context of your application, please contact the contact details provided in the job advertisement. Otherwise, please contact the contact details provided for data protection in this privacy policy.


Automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR takes place in the context of applications via the application portal.