Processing of (personal) data by the entity in charge of the online application process
Privacy policy for applicants (m/f/d)
The protection of your personal data is particularly important to us. Therefore, we would like to inform you in the following about our data protection principles, which Biofrontera AG and its affiliated companies within the meaning of § 15 ff. AktG (German Stock Corporation Act), to which you apply, in order to enable you to have a trustworthy application process.
Pursuant to Art. 4 No. 1 of the EU General Data Protection Regulation ("GDPR"), personal data is information about the personal or material circumstances of an identified or identifiable natural person. This includes information such as your name, address, telephone number and date of birth, but also data about your specific career and qualifications, etc., which can be assigned to a specific person with reasonable effort (hereinafter referred to as "data").
This data protection declaration applies in addition to our existing general data protection declaration on our website, which provides you with specific information on how we process your data in the context of website visits or in the case of non-application-specific topics.
Person responsible and data protection officer
The Biofrontera company to which you have applied or to which the recruiter has transferred your data is responsible for processing your data.
For all data protection issues, you can contact the Biofrontera companies
- at our central business address for data protection issues
Hemmelrather Weg 201, 51377 Leverkusen, Germany
with the addition "data protection”
or
- by e-mail at datenschutz@biofrontera.com.
Data collection
The application process requires that you provide us with the data necessary for their assessment and selection. You can submit your application to us either online via an applicant management system (recruiting software from a third-party provider) or by e-mail. Any application documents sent by e-mail will be entered into the applicant management system. Your data, which you transmit to us online, will be encrypted in accordance with the state of the art. When applying by e-mail, please note that e-mails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the application between the sender and the reception on our server.
Your data is required for the implementation and the decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Art. 6 (1) (b) GDPR). This means that we need and thus process your data for the purpose of a possible employment.
In individual cases, we will obtain your consent to the processing or transfer of your data. This may be the case, for example, if your application is to be kept for a longer period of time or if your application is to be considered for another position within our company or another group company (talent pool). In these cases, your consent is voluntary and can be revoked by you at any time for the future. The legal basis for this is Art. 6 para. 1 letter a) GDPR.
If we obtain information from your public profile on professional social networks, we base the processing on our legitimate interest in forming a decision-making basis for establishing an employment relationship with you. The legal basis is Art. 6(1)(f) GDPR in conjunction with Art. 9(2)(e) GDPR.
In addition, we process your data insofar as this is necessary for the assertion of legal claims and defence in legal disputes and this is necessary for the fulfilment of legal obligations. The legal basis for this is Art. 6(1)(c) and (f) GDPR. Within this framework, we therefore process your data for fraud prevention and the fulfilment of documentation obligations, among other things. The legitimate interest is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act ("german AGG").
Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from you within the scope of the application procedure so that we or you can exercise the rights arising from labour law and social security and social protection law and fulfil obligations in this regard, their processing is carried out in accordance with Art. 9 (2) letter b) GDPR. 2(b) GDPR, in the case of the protection of vital interests of you or other persons pursuant to Art. 9(2)(c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of fitness for work, for medical diagnosis, health or social care or treatment or for the management of health or social care systems and services pursuant to Art. 9(2)(h) GDPR. In the case of a communication of special categories of data based on voluntary consent, their processing is based on Art. 9(2)(a) GDPR).
Your data will only be processed for purposes other than those mentioned above if such processing is permissible pursuant to Art. 6 (4) GDPR and is compatible with the original purposes. We will inform you about such processing prior to any such further processing of your data.
Recipients of the data
In the context of the application process, your data will be accessed by those who need it to fulfil our obligations and to carry out our internal processes (e.g. personnel and the specialist departments for the respective advertised position). The employees authorised to access the data are obliged to maintain confidentiality and to protect business and trade secrets as well as data protection.
Certain personnel administration and management tasks are carried out centrally within the group of companies. This also includes applicant management, for which Biofrontera AG is responsible within the entire corporate group. Biofrontera AG acts either as the person responsible for filling its own vacancies or as an order processor in relation to other Biofrontera companies, insofar as the filling of their vacancies is concerned. Corresponding data protection contracts exist between the individual companies in the group.
Furthermore, data may be processed on our behalf on the basis of contracts pursuant to Art. 28 GDPR (order processing contracts), in particular by the provider of the personnel administration and applicant management software Personio GmbH (https://www.personio.de/). The data transmitted to Personio GmbH is transferred via TLS encryption and stored in a database on servers in Germany operated by this third-party provider. We are exclusively responsible for the data. Personio GmbH fulfils all requirements of the GDPR and is data protection compliant as a company and as software.
Apart from that, no data is transferred to third parties unless you have previously given your express consent to the transfer or there is a legal obligation to transfer. In principle, no data is transferred to bodies or persons outside the European Union (EU) or the European Economic Area (EEA). An exception here is the applicant data of applicants for our headquarters in the UK.
Your data may be forwarded to law enforcement agencies and, if necessary, to injured third parties without your express consent if it is necessary to clarify unlawful conduct or for legal prosecution. However, this only happens if there are concrete indications of unlawful or abusive behaviour. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities. The disclosure of this data is based on our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims, unless your rights and interests in the protection of your data are overridden, Art. 6 (1) (f) GDPR.
Saving your data
We store your data for a period of 6 months after a rejection. This is necessary for the burden of proof in proceedings under the AGG. This does not apply if the processing and storage of your data is necessary in the specific case for the assertion, exercise or defence of legal claims (duration of a legal dispute).
After this period has expired, the data will be deleted. You have the option to withdraw your application at any time. This will result in your data in the applicant database being deleted immediately, subject to the restrictions mentioned below. However, should you wish individual data submitted by you to be deleted, we reserve the right to store your data for a limited period of 6 months in order to be able to comply with the obligations to provide evidence under the AGG.
If your application is successful, we will store your personal data for the entire duration of your employment in accordance with the information obligations for employees, which we will send you upon acceptance of employment.
Inclusion in a talent pool
If we reject your application, we may wish to store it in our applicant database ("talent pool") for further contact. This further storage will only take place in consultation with you and after you have given your consent (Art. 6 Para. 1 Letter a) GDPR). If you send us your unsolicited application and we do not currently have a suitable offer for you, your data will also be stored in our talent pool after prior consultation with you and on the basis of your consent. If your speculative application is not of interest to us, you will receive a rejection. No further storage will then take place.
If you are stored in our talent pool as a result of your application, we will use your data to maintain contact with you, e.g. to pass on interesting job offers from Biofrontera companies to you. If you expressly wish to be included in our talent pool by consenting to storage in the talent pool, we will store your data until you revoke your consent, but for no longer than 12 months. You will be informed one month before expiry and can thus extend the storage of your data in the talent pool for a further 12 months. After expiry, your data will be deleted automatically and without separate notification.
Your rights (data subject rights)
You have extensive rights with regard to the processing of your data.
Right to information
You have the right to information about the data stored by us, in particular, for what purpose the processing is carried out and how long the data is stored (Art. 15 GDPR). This right is limited by the exceptions of Section 34 of the German Federal Data Protection Act (so called "BDSG"), according to which the right to information does not apply in particular if the data is only stored on the basis of statutory retention requirements or for data security and data protection control, the provision of information would require disproportionate effort and a misappropriation of the data processing is prevented by appropriate technical and organisational measures.
Right to rectification of inaccurate data
You have the right to demand that we rectify the data concerning you without delay if it should be inaccurate (Art. 16 GDPR).
Right to erasure
You have the right to demand that we erase (Art. 17 GDPR) the data concerning you. These conditions exist in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have withdrawn consent without the data processing being able to continue on another legal basis, d) you successfully object to the data processing, or e) in cases of the existence of an obligation to erase on the basis of EU law or the law of an EU member state to which we are subject. This right is subject to the restrictions from Section 35 of the BDSG, according to which the right to erasure may be waived in particular if, in the case of non-automated data processing, there is a disproportionately high effort for the erasure and your interest in the erasure is to be regarded as low.
Right to restriction of processing
You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists in particular if a) the accuracy of the data is disputed, b) you request restricted processing instead of deletion under the conditions of a justified request for deletion, c) the data is no longer required for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.
Right to data portability
You have the right to receive the data concerning you that you have provided to us from us in a structured, common, machine-readable format (Art. 20 GDPR), insofar as it has not already been deleted.
Right to object
You have the right to object to the processing of data concerning you at any time on grounds relating to your particular situation (Art. 21 GDPR). We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.
In accordance with Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation does not affect the lawfulness of the processing carried out on the basis of the previous consent. The only consequence of the revocation is that we may no longer continue the data processing based on this consent in the future.
Right in relation to automated decision-making
You have the right (Art. 22 GDPR) not to be subject to automated decision-making, including profiling, that has legal consequences for you or similar significant effects. We generally do not use automated decision-making or profiling in employment matters. However, if you have been subjected to an automated decision and do not agree with the outcome, you can contact us in the ways set out below and ask us to review the decision
Right to complain to the supervisory authority
You have the possibility to contact the data protection officer mentioned above or a data protection supervisory authority if you believe that the processing of data concerning you is in breach of the GDPR.
To exercise these rights, please contact the HR department or the data protection officer at the contact details provided above or the data protection supervisory authority. If you make a request for information and there is doubt about your identity, we may require you to provide information that will enable us to satisfy ourselves as to your identity.
[1] Biofrontera companies are Biofrontera AG, Biofrontera Pharma GmbH, Biofrontera Development GmbH, Biofrontera Neuroscience GmbH, Biofrontera Bioscience GmbH, Biofrontera UK Ltd (based in Cambridge), Biofrontera sucursal (based in Barcelona).
In addition to this data privacy statement, please view our general data privacy statement at Data Privacy Policy.
The protection of your personal data is particularly important to us. Therefore, we would like to inform you in the following about our data protection principles, which Biofrontera AG and its affiliated companies within the meaning of § 15 ff. AktG (German Stock Corporation Act), to which you apply, in order to enable you to have a trustworthy application process.
Pursuant to Art. 4 No. 1 of the EU General Data Protection Regulation ("GDPR"), personal data is information about the personal or material circumstances of an identified or identifiable natural person. This includes information such as your name, address, telephone number and date of birth, but also data about your specific career and qualifications, etc., which can be assigned to a specific person with reasonable effort (hereinafter referred to as "data").
This data protection declaration applies in addition to our existing general data protection declaration on our website, which provides you with specific information on how we process your data in the context of website visits or in the case of non-application-specific topics.
Person responsible and data protection officer
The Biofrontera company to which you have applied or to which the recruiter has transferred your data is responsible for processing your data.
For all data protection issues, you can contact the Biofrontera companies
- at our central business address for data protection issues
Hemmelrather Weg 201, 51377 Leverkusen, Germany
with the addition "data protection”
or
- by e-mail at datenschutz@biofrontera.com.
Data collection
The application process requires that you provide us with the data necessary for their assessment and selection. You can submit your application to us either online via an applicant management system (recruiting software from a third-party provider) or by e-mail. Any application documents sent by e-mail will be entered into the applicant management system. Your data, which you transmit to us online, will be encrypted in accordance with the state of the art. When applying by e-mail, please note that e-mails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the application between the sender and the reception on our server.
We collect and process the following categories of data as part of the applicant selection process:
- Contact and inventory data on your application profile (e.g. first and last name, address, date of birth, country, email, telephone number, mobile number, marital status, nationality).
- Training, performance and employment data as well as application documents (e.g. CV, cover letter, career development data, qualifications, skills, language skills, work experience).
- Other application documents (e.g. details of your salary requirements, notice period, willingness to travel, your motivation, cover letter, references and job-specific information).
- The channel through which your application reached us (e.g. email, Indeed, recruitment agency, etc.).
- Special categories of data (e.g. information on disability, health or health restrictions, if applicable). We only process this data within the legally permissible framework.
Nature and purposes of processing
We collect your data exclusively for the following purposes:
- To initiate and establish employment.
- To contact you should you be considered for an alternative position.
- To contact you based on your unsolicited application.
- To send you personalised information about our vacancies in accordance with the consent you have given.
Your data is required for the implementation and the decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Art. 6 (1) (b) GDPR). This means that we need and thus process your data for the purpose of a possible employment.
In individual cases, we will obtain your consent to the processing or transfer of your data. This may be the case, for example, if your application is to be kept for a longer period of time or if your application is to be considered for another position within our company or another group company (talent pool). In these cases, your consent is voluntary and can be revoked by you at any time for the future. The legal basis for this is Art. 6 para. 1 letter a) GDPR.
If we obtain information from your public profile on professional social networks, we base the processing on our legitimate interest in forming a decision-making basis for establishing an employment relationship with you. The legal basis is Art. 6(1)(f) GDPR in conjunction with Art. 9(2)(e) GDPR.
In addition, we process your data insofar as this is necessary for the assertion of legal claims and defence in legal disputes and this is necessary for the fulfilment of legal obligations. The legal basis for this is Art. 6(1)(c) and (f) GDPR. Within this framework, we therefore process your data for fraud prevention and the fulfilment of documentation obligations, among other things. The legitimate interest is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act ("german AGG").
Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from you within the scope of the application procedure so that we or you can exercise the rights arising from labour law and social security and social protection law and fulfil obligations in this regard, their processing is carried out in accordance with Art. 9 (2) letter b) GDPR. 2(b) GDPR, in the case of the protection of vital interests of you or other persons pursuant to Art. 9(2)(c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of fitness for work, for medical diagnosis, health or social care or treatment or for the management of health or social care systems and services pursuant to Art. 9(2)(h) GDPR. In the case of a communication of special categories of data based on voluntary consent, their processing is based on Art. 9(2)(a) GDPR).
Your data will only be processed for purposes other than those mentioned above if such processing is permissible pursuant to Art. 6 (4) GDPR and is compatible with the original purposes. We will inform you about such processing prior to any such further processing of your data.
Recipients of the data
In the context of the application process, your data will be accessed by those who need it to fulfil our obligations and to carry out our internal processes (e.g. personnel and the specialist departments for the respective advertised position). The employees authorised to access the data are obliged to maintain confidentiality and to protect business and trade secrets as well as data protection.
Certain personnel administration and management tasks are carried out centrally within the group of companies. This also includes applicant management, for which Biofrontera AG is responsible within the entire corporate group. Biofrontera AG acts either as the person responsible for filling its own vacancies or as an order processor in relation to other Biofrontera companies, insofar as the filling of their vacancies is concerned. Corresponding data protection contracts exist between the individual companies in the group.
Furthermore, data may be processed on our behalf on the basis of contracts pursuant to Art. 28 GDPR (order processing contracts), in particular by the provider of the personnel administration and applicant management software Personio GmbH (https://www.personio.de/). The data transmitted to Personio GmbH is transferred via TLS encryption and stored in a database on servers in Germany operated by this third-party provider. We are exclusively responsible for the data. Personio GmbH fulfils all requirements of the GDPR and is data protection compliant as a company and as software.
Apart from that, no data is transferred to third parties unless you have previously given your express consent to the transfer or there is a legal obligation to transfer. In principle, no data is transferred to bodies or persons outside the European Union (EU) or the European Economic Area (EEA). An exception here is the applicant data of applicants for our headquarters in the UK.
Your data may be forwarded to law enforcement agencies and, if necessary, to injured third parties without your express consent if it is necessary to clarify unlawful conduct or for legal prosecution. However, this only happens if there are concrete indications of unlawful or abusive behaviour. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities. The disclosure of this data is based on our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims, unless your rights and interests in the protection of your data are overridden, Art. 6 (1) (f) GDPR.
Saving your data
We store your data for a period of 6 months after a rejection. This is necessary for the burden of proof in proceedings under the AGG. This does not apply if the processing and storage of your data is necessary in the specific case for the assertion, exercise or defence of legal claims (duration of a legal dispute).
After this period has expired, the data will be deleted. You have the option to withdraw your application at any time. This will result in your data in the applicant database being deleted immediately, subject to the restrictions mentioned below. However, should you wish individual data submitted by you to be deleted, we reserve the right to store your data for a limited period of 6 months in order to be able to comply with the obligations to provide evidence under the AGG.
If your application is successful, we will store your personal data for the entire duration of your employment in accordance with the information obligations for employees, which we will send you upon acceptance of employment.
Inclusion in a talent pool
If we reject your application, we may wish to store it in our applicant database ("talent pool") for further contact. This further storage will only take place in consultation with you and after you have given your consent (Art. 6 Para. 1 Letter a) GDPR). If you send us your unsolicited application and we do not currently have a suitable offer for you, your data will also be stored in our talent pool after prior consultation with you and on the basis of your consent. If your speculative application is not of interest to us, you will receive a rejection. No further storage will then take place.
If you are stored in our talent pool as a result of your application, we will use your data to maintain contact with you, e.g. to pass on interesting job offers from Biofrontera companies to you. If you expressly wish to be included in our talent pool by consenting to storage in the talent pool, we will store your data until you revoke your consent, but for no longer than 12 months. You will be informed one month before expiry and can thus extend the storage of your data in the talent pool for a further 12 months. After expiry, your data will be deleted automatically and without separate notification.
Your rights (data subject rights)
You have extensive rights with regard to the processing of your data.
Right to information
You have the right to information about the data stored by us, in particular, for what purpose the processing is carried out and how long the data is stored (Art. 15 GDPR). This right is limited by the exceptions of Section 34 of the German Federal Data Protection Act (so called "BDSG"), according to which the right to information does not apply in particular if the data is only stored on the basis of statutory retention requirements or for data security and data protection control, the provision of information would require disproportionate effort and a misappropriation of the data processing is prevented by appropriate technical and organisational measures.
Right to rectification of inaccurate data
You have the right to demand that we rectify the data concerning you without delay if it should be inaccurate (Art. 16 GDPR).
Right to erasure
You have the right to demand that we erase (Art. 17 GDPR) the data concerning you. These conditions exist in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have withdrawn consent without the data processing being able to continue on another legal basis, d) you successfully object to the data processing, or e) in cases of the existence of an obligation to erase on the basis of EU law or the law of an EU member state to which we are subject. This right is subject to the restrictions from Section 35 of the BDSG, according to which the right to erasure may be waived in particular if, in the case of non-automated data processing, there is a disproportionately high effort for the erasure and your interest in the erasure is to be regarded as low.
Right to restriction of processing
You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists in particular if a) the accuracy of the data is disputed, b) you request restricted processing instead of deletion under the conditions of a justified request for deletion, c) the data is no longer required for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.
Right to data portability
You have the right to receive the data concerning you that you have provided to us from us in a structured, common, machine-readable format (Art. 20 GDPR), insofar as it has not already been deleted.
Right to object
You have the right to object to the processing of data concerning you at any time on grounds relating to your particular situation (Art. 21 GDPR). We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.
In accordance with Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation does not affect the lawfulness of the processing carried out on the basis of the previous consent. The only consequence of the revocation is that we may no longer continue the data processing based on this consent in the future.
Right in relation to automated decision-making
You have the right (Art. 22 GDPR) not to be subject to automated decision-making, including profiling, that has legal consequences for you or similar significant effects. We generally do not use automated decision-making or profiling in employment matters. However, if you have been subjected to an automated decision and do not agree with the outcome, you can contact us in the ways set out below and ask us to review the decision
Right to complain to the supervisory authority
You have the possibility to contact the data protection officer mentioned above or a data protection supervisory authority if you believe that the processing of data concerning you is in breach of the GDPR.
To exercise these rights, please contact the HR department or the data protection officer at the contact details provided above or the data protection supervisory authority. If you make a request for information and there is doubt about your identity, we may require you to provide information that will enable us to satisfy ourselves as to your identity.
[1] Biofrontera companies are Biofrontera AG, Biofrontera Pharma GmbH, Biofrontera Development GmbH, Biofrontera Neuroscience GmbH, Biofrontera Bioscience GmbH, Biofrontera UK Ltd (based in Cambridge), Biofrontera sucursal (based in Barcelona).
In addition to this data privacy statement, please view our general data privacy statement at Data Privacy Policy.