Data protection

As DFS, safety and security are of central importance to us. This includes your data. Here, you will find all information about our data protection provisions, and your rights.

The data requested in the application form are mandatory for processing your application. Unfortunately, we will be unable to consider your application if you do not agree to have your data collected and stored. Below, you will find explanations on the handling of your data and the underlying legal provisions.

1.    Who is responsible?

The controller responsible for processing your personal data within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR) is DFS Deutsche Flugsicherung GmbH.

CEO:
Arndt Schoenemann (Chairman and CEO)

Group Data Protection Officer:
datenschutzbeauftragter@dfs.de


2.    Purpose of data processing

Your data will only be used to process your application and carry out the associated selection process. Use of your data for any other purpose is excluded.

If provided, applicants can send us their applications using an online form. The data are transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form on the internet. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the application between the sender and receipt on our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software as well as platforms and services from third-party providers in compliance with legal requirements.


3.    Type of data

Applicant data (such as personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, CV, certificates and other personal or qualification information provided by applicants with regard to a specific position or voluntarily).

The application process requires that applicants provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the details provided there.


4.    Legal basis

The legal basis for the processing of personal data in the application process is Article 6(1)(b) of the GDPR.

Insofar as special categories of personal data within the meaning of Article 9(1) GDPR (such as health data or ethnic origin) are requested from applicants as part of the application process, the data are processed on the basis of Article 9(2)(b) and (h) GDPR. In the case of voluntary communication of special categories of personal data, their processing is based on Article 9(2)(a) GDPR.

Inclusion in a talent pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time for the future.


5.    Recipient

Access to your data is primarily limited to employees of DFS Human Resources Management.

In the context of managing our HR IT system, system administrators also have access to data.

Applicant data are passed on to the manager responsible for the job advertisement and, in the event of recruitment, to the relevant staff council.

The data are neither disclosed to other functions in the company nor to third parties or third countries.

The data of applicants for the training to become an air traffic controller or for the dual course of studies for air traffic controllers are passed on to external service providers (German Aerospace Centre (DLR) and various test providers) as part of the aptitude test.

 
6.    Data erasure / anonymisation

In the event of a successful application, the data provided by applicants may be processed by us for the purposes of the employment relationship.

Anonymisation takes place at the latest after a period of six months after completion of the application process under Article 17(1)(a) GDPR, so that we can answer any follow-up questions about the application and fulfil our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any travel expense reimbursements are archived in accordance with tax regulations.

In the case of applications for the training to become an air traffic controller, detailed application documents (attachments) will be stored to process questions for up to 12 months following the end of the application process and then deleted. Basic information is retained within the scope of the statutory retention obligations and to avoid duplicate applications as part of any age limits.

If you join our talent pool, you will be asked every six months whether you wish to extend your involvement.

 
7.    Your rights

You can exercise the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18) and data portability (Art. 20), provided that the relevant requirements of the GDPR apply. 

In cases in which the processing of your personal data is based on consent under Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, you have the right pursuant to Article 7(3) GDPR to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

If you consider the processing of your personal data to be an infringement upon your rights, you may exercise your right to lodge a complaint with a supervisory authority (Art. 77).

Introduction

With the following privacy policy, DFS, hereinafter referred to as "we", would like to explain what types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us on the topics of training, dual courses of studies and direct job entry, in particular on our career websites and within external online services, such as our social media profiles (hereinafter collectively referred to as "online services").

Any terms used are not gender-specific.

As at April 2025


Table of contents

  • Controller
  • Data protection officer
  • Relevant legal bases
  • Overview of processing
    • Security measures
    • Transfer and disclosure of personal data
    • Use of cookies
    • Contact us
    • Provision of the online services and web hosting
    • Application process
    • Web analysis and optimisation
    • Online marketing
    • Presence in social networks
  • Amendment and updating of the privacy policy
  • Definitions of terms


Controller

DFS Deutsche Flugsicherung GmbH

Headquarters
Am DFS-Campus 10
63225 Langen, Germany
Chairman and Chief Executive Officer (CEO):
Arndt Schoenemann

E-mail address: info@dfs.de
Telephone: +49 (0)6103/707-0


Data protection officer

E-mail address: datenschutzbeauftragter@dfs.de


Relevant legal bases

In the following, we inform you of the legal basis of the General Data Protection Regulation (GDPR), on the grounds of which we process personal data. Please note that in addition to the provisions of the GDPR, the national data protection regulations in your or our country of residence and domicile may apply. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.
 
Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Contract performance and pre-contractual enquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal obligation (Art. 6(1)(1)(c) GDPR)

Public interest (Art. 6(1)(1)(e) GDPR) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Processing of special categories of personal data (Art. 9(2) GDPR) – Insofar as special categories of personal data within the meaning of Article 9(1) GDPR (such as health data or ethnic origin) are requested from applicants as part of the application process, the data are processed on the basis of Article 9(2)(b) and (h) GDPR. In the case of communication of special categories of personal data based on voluntary consent, their processing is carried out on the basis of Article 9(2)(a) GDPR.

National data protection regulations in Germany:
In addition to the data protection provisions of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes in particular the law on the protection against misuse of personal data in data processing (German Federal Data Protection Act – BDSG).

 
Overview of processing

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Security measures
  • Truncation of the IP address: If it is possible for us or if it is not necessary to store the IP address, we will truncate your IP address or have it truncated. In the case of IP address truncation, also known as IP masking, the last octet, i.e. the last two digits of an IP address, are deleted (in this context, the IP address is an identifier individually assigned to an internet connection by the online access provider). The truncation of the IP address is intended to prevent or significantly complicate the identification of a person by means of their IP address.

  • SSL encryption (https): We use SSL encryption to protect your data transmitted via our online services. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.

Transfer and disclosure of personal data
  • As part of our processing of personal data, the data are transferred to other bodies, companies, legally independent organisational units or persons as required, or they are disclosed to them. The recipients of these data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. If personal data are processed by external contractors, this is done on the basis of a data processing agreement (DPA) within the meaning of Article 28 GDPR.

Use of cookies
  • Cookies are data records that contain data from websites or domains visited and are stored by a browser on the user's computer. A cookie is primarily used to store information about a user during or after their visit to an online service. The information stored can include, for example, the language settings on a website, the log-in status, a shopping basket or the point at which a video was watched. The term "cookies" also includes other technologies that fulfil the same functions as cookies (for example, when user information is stored using pseudonymous online identifiers, also known as user IDs).

  • The following cookie types and functions are used:

    • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their browser.

    • Persistent cookies: Persistent cookies remain stored even after the browser is closed. For example, the log-in status can be saved or favourite content can be displayed directly when the user visits a website again. Likewise, the interests of users for reach measurement or marketing purposes can be stored in such a cookie.

    • First-party cookies: First-party cookies are set by us.

    • Third-party cookies: Third-party cookies are mainly used by advertisers (third parties) to process user information.

    • Necessary (also known as essential, or strictly necessary) cookies: These cookies may be strictly necessary for the operation of a website (for example, to save log-ins or other user input or for security reasons).

    • Analytical, marketing and personalisation cookies: These cookies are also used to measure reach and when storing a user's interests or behaviour (such as viewing specific content, using functions, etc.) on individual websites in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also referred to as tracking. If we use cookies or tracking technologies, we will inform you separately in our privacy policy or when obtaining consent.

  • Processing of cookie data on the basis of consent: Before we process or have data processed in the context of the use of cookies, we ask users for their consent, which can be revoked at any time. Before consent has been given, only cookies that are necessary for the operation of our online services may be used.

  • Types of data processed: Usage data (such as websites visited, interest in content, access times), meta/communication data (such as device information, IP addresses).

  • Data subjects: Users (such as website visitors, users of online services).

  • Legal basis: Consent in the case of non-essential cookies (Art. 6(1)(1)(a) GDPR).

  • Storage of data and deletion periods: Processed usage data (such as websites visited, interest in content, access times), meta/communication data (such as device information, IP addresses) are deleted after 365 days.


Contacting us
  • When contact is made via the channels specified on the career site (such as via contact form, e-mail or telephone), the data of the enquiring persons are processed to the extent necessary to answer the contact enquiries and to conduct any measures requested. The response to contact enquiries in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual enquiries and otherwise in the context of safeguarding public interest.

  • Types of data processed: Inventory data (such as names, addresses), contact data (such as e-mail addresses, telephone numbers), content data (such as entries in online forms).

  • Data subjects: Communication partners.

  • Purposes of the processing: Contact enquiries and communication.

  • Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(1)(b) GDPR), public interest (Art. 6(1)(1)(e) GDPR).

  • Storage of data and deletion periods: Processed contact data will be deleted at the latest 365 days after the last contact.

 
Provision of online services and web hosting
  • To provide our online services securely and efficiently, we utilise the services of one or more web hosting providers from whose servers (or servers managed by them) the online services can be accessed. For these purposes, we may utilise infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

  • The data processed as part of the provision of the hosting service may include all information relating to the users of our online services that is generated during use and communication. This regularly includes the IP address, which is necessary to be able to deliver the content of online services to browsers, and all entries made within our online services or from websites.

  • E-mail dispatch and hosting: The web hosting services we use also include sending, receiving and storing e-mails. For these purposes, the addresses of the recipients and senders as well as other information relating to the sending of e-mails (such as the providers involved) and the content of the respective e-mails are processed. The aforementioned data may also be processed for the purpose of recognising spam. Please note that e-mails on the internet are generally not sent in encrypted form. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received (unless an end-to-end encryption method is used). We can therefore accept no responsibility for the transmission path of e-mails between the sender and receipt on our server.

  • Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (known as server log files). The server log files may include the address and name of the websites and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
    The server log files can be used for security purposes, for example to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and also to ensure the utilisation of the servers and their stability.

  • Types of data processed: Content data (such as entries in online forms), usage data (such as websites visited, interest in content, access times), contact data, meta/communication data (such as device information, IP addresses).

  • Data subjects: Users (such as website visitors, users of online services).

  • Legal basis: Consent (Art. 6(1)(1)(a) GDPR).

  • Storage of data and deletion periods: Processed usage data (such as websites visited, interest in content, access times), meta/communication data (such as device information, IP addresses) are deleted after 365 days.

Application process

All information on the processing of personal data in the application process can be found on our applicant portal. 

Web analysis and optimisation
  • Web analysis (also referred to as reach measurement), carried out with the service provider Piwik Pro, is used to evaluate the flow of visitors to our online services and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online services or their functions or content are most frequently used or invite re-use. We can also understand which areas require optimisation.

  • In addition to web analysis, we may also use test procedures, for example to test and optimise different versions of our online services or their components. For these purposes, user profiles may be created and stored in a file (cookies), or similar procedures with the same purpose can be used. This information may include, for example, content viewed, websites visited, elements used there and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this can also be processed, depending on the provider.

  • The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by truncating the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) are stored for web analysis, A/B testing and optimisation purposes, only pseudonyms. This means that we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.

  • Data subjects: Users (such as visitors to the website, users of online services).

  • Purposes of the processing: Reach measurement (such as access statistics, recognition of returning visitors), tracking (such as interest/behavioural profiling, use of cookies), visitor action evaluation, profiling (creation of user profiles).

  • Security measures: IP masking (pseudonymisation of the IP address).

  • Legal basis: Consent (Art. 6(1)(1)(a) GDPR).

  • Storage of data and deletion periods: Processed usage data (such as websites visited, interest in content, access times), meta/communication data (such as device information, IP addresses) are deleted after 365 days.

  • Services used and service providers:
    Piwik PRO: The data handled using Piwik Pro are processed solely on our servers or on servers under our instruction; service provider: Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany (only when using Piwik hosting services); Website: https://piwikpro.de; Privacy Policy: https://piwik.pro/privacy-policy/


Online marketing
  • We process personal data for online marketing purposes, which may include in particular the marketing of advertising space or the presentation of advertising and other content (collectively referred to as "content") based on the potential interests of users and the measurement of its effectiveness.

  • For these purposes, user profiles are created and stored in a file (cookies) or similar procedures are used, by means of which the user data relevant for the presentation of the aforementioned content are stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, these can also be processed.

  • The IP addresses of the users are also stored. However, we use available IP masking procedures (i.e. pseudonymisation by truncating the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) are stored as part of the online marketing process, but rather pseudonyms. This means that we and the providers of the online marketing processes do not know the actual identity of the users, but only the information stored in their profiles.

  • The information in the profiles is generally stored in cookies or by means of similar procedures. These cookies can later generally also be read on other websites that use the same online marketing process and analysed for the purpose of displaying content as well as supplemented with further data and stored on the server of the online marketing process provider.

  • As an exception, clear data may be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing processes we use, and the network links the user profiles with the aforementioned data. Please note that users can make additional agreements with the providers, for example by giving their consent during registration.

  • We only receive access to summarised information about the success of our advertisements. However, as part of conversion measurements, we can check which of our online marketing processes have led to a conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.

  • Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.

  • Facebook Pixel: With the help of Facebook Pixel, it is possible for Facebook to determine the visitors of our online services as a target group for the display of adverts (Facebook ads). Accordingly, we use Facebook Pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of the partners cooperating with Facebook (Audience Network, https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our online services or who have specific characteristics (such as interest in certain topics or products that can be seen from the websites visited) that we transmit to Facebook (custom audiences). With the help of Facebook Pixel, we also aim to ensure that our Facebook ads correspond to the potential interest of users and are not a nuisance. Using Facebook Pixel, we can also track the effectiveness of Facebook adverts for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook advert (conversion measurement).

  • Types of data processed: Usage data (such as websites visited, interest in content, access times), meta/communication data (such as device information, IP addresses), location data (data indicating the location of an end user's device).

  • Data subjects: Users (such as visitors to the website, users of online services).

  • Purposes of the processing: Tracking (such as interest/behavioural profiling, use of cookies), remarketing, visitor action evaluation, interest-based and behavioural marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (such as access statistics, recognition of returning visitors), target group formation (determination of target groups relevant for marketing purposes or other output of content), cross-device tracking (cross-device processing of user data for marketing purposes), registration processes, direct marketing (such as by e-mail or post).

  • Security measures: IP masking (pseudonymisation of the IP address).

  • Legal basis: Consent (Art. 6(1)(1)(a) GDPR).

  • Storage of data and deletion periods: Processed usage data (such as websites visited, interest in content, access times), meta/communication data (such as device information, IP addresses) are deleted after 365 days.

  • Services used and service providers:

    • Google Tag Manager: Google Tag Manager is a solution with which we can manage website tags via an interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online services). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users' personal data, please refer to the following information on Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

    • Google Ads and conversion measurement: We use the online marketing process Google Ads to place adverts in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who are presumed to be interested in the adverts. We also measure the conversion of the adverts. However, we only learn the anonymous total number of users who clicked on our advert and were redirected to a page with a conversion tracking tag. We ourselves do not receive any information that can be used to identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com;

    • Facebook-Pixel: Facebook Pixel; service provider: https://www.facebook.com, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; 

Presence in social networks
  • We maintain online accounts within social networks (fan pages) to communicate with the users active there or to offer information about us. The social media accounts of DFS are linked on the career site. The channels are not directly integrated on the career site. User data are not passed on to third parties via the career site in the sense of providers of social media channels. Before each jump to a social media channel and leaving the DFS career site, you are explicitly informed that you are leaving the career site and switching to the social media channel. The user must actively agree to the change. We would like to point out that if you deliberately click on the social media buttons or confirm before jumping to a fan page, user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights.

  • Furthermore, user data within social networks are generally processed for market research and advertising purposes. For example, user profiles can be created based on user behaviour and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts inside and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are generally stored on the user's computer, in which their usage behaviour and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

  • In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly.

  • Services used that can be accessed via further links:

    • Instagram: Social network; service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.

    • Facebook: Social network; service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com;

    • YouTube: Social network; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; 

    • WhatsApp: Messenger, service provider: WhatsApp Inc., 1601 Willow Road, Menlo Park, California 94025, USA

    • Xing: Social network, service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; 

    • LinkedIn: Social network, service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://de.linkedin.com/

    • TikTok: Social network, service provider: TikTok Technology Limited, The Sorting Office, Ropemaker Place, Dublin 2, Dublin, D02 HD23, Ireland; Website: https://www.tiktok.com/

Data protection information on the use of Facebook

With this privacy policy for the DFS Facebook fan page, we are informing you as a user of our DFS Facebook fan page within the framework of the European General Data Protection Regulation (GDPR) about the processing of personal data in connection with the use of this website.

Information about the DFS Facebook fan page

  • Our DFS Facebook fan page is designed to inform you about events, job vacancies and other activities. Through exclusive insights into the corporate world and direct dialogue with interested parties, we want to make the employer DFS tangible for you.

  • It is possible to use our Facebook fan page without providing personal data. You provide us with personal data (such as name, address, e-mail address or current location) on a voluntary basis when you contact us. These data will remain confidential and will not be passed on to third parties by us.

Processing of personal data by Facebook

  • As the operator of the DFS Facebook fan page, we are jointly responsible with Facebook for the processing of personal data. Facebook processes user data for the following purposes:

    • Advertising, analysis, creation of personalised advertising

    • Creating user profiles

    • Market research

    • Statistical data in various categories such as total number of page views, likes, page activity, post interactions, video views, post reach, comments, shared content, responses, proportion of men and women, origin in terms of country and city, languages, views of all kinds

Data protection information on the use of YouTube

  • Our website uses the provider YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for the integration of videos. Normally, information is sent to YouTube and cookies are installed on your computer when you access a page with embedded videos. However, we have integrated our YouTube videos with the extended data protection mode (in this case, YouTube still contacts Google's DoubleClick service, but according to Google's privacy policy, personal data are not analysed). As a result, YouTube no longer stores any information about visitors unless they watch the video. When you click on the video, your IP address is transmitted to YouTube and YouTube learns that you have watched the video. If you are logged in to YouTube, this information will also be assigned to your user account (you can prevent this by logging out of YouTube before watching the video). We have no knowledge of and no influence on the possible collection and use of your data by YouTube.

Data protection information on the use of WhatsApp

  • If you have any basic questions about a career at DFS, you are welcome to contact us via WhatsApp. This use is voluntary. You are also very welcome to contact us via our other channels or by e-mail or telephone. Data protection is very important to us: if you wish to communicate personal or confidential data, please use another communication channel. Legal basis: Art. 6(1)(1)(a) GDPR.

To communicate via WhatsApp, we use the services of WhatsApp Inc., 1601 Willow Road, Menlo Park, California 94025, USA. We have no influence on the data processing by WhatsApp. We cannot rule out the transfer of your data to the United States. WhatsApp has a certificate from the EU-U.S. Data Privacy Framework. You can find more information on data protection at WhatsApp in the privacy policy: https://www.whatsapp.com/legal/privacy-policy-eea

Amendment and updating of the privacy policy

  • We ask you to inform yourself regularly about the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

  • If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time, and we ask you to check the information before contacting us.

Rights of the data subjects

  • As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 GDPR:

    • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

    • Revocability of consent: You have the right to withdraw your consent at any time.

    • Right of access: You have the right to request confirmation as to whether the data in question are being processed and to request information about these data as well as further information and a copy of the data in accordance with the legal requirements.

    • Right to rectification: In accordance with the legal requirements, you have the right to request the completion of data concerning you or the rectification of incorrect data concerning you.

    • Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the legal provisions.

    • Right to data portability: In accordance with the legal provisions, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format or to request the transmission of those data to another controller.

    • Complaint with a supervisory authority: In accordance with the legal provisions, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

 
Terminology

  • This section provides you with an overview of the terms used in this privacy policy. Many of the terms are taken from law and defined above all in Article 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms are sorted alphabetically.

    • Controller: The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

    • Conversion measurement: Conversion measurement is a process that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' device within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can track whether the adverts we have placed on other websites have been successful.

    • Conversion tracking: Conversion tracking refers to a process that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' device within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can track whether the adverts we have placed on other websites have been successful.

    • Cross-device tracking: Cross-device tracking is a form of tracking in which user behaviour and interest information is recorded across devices in profiles by assigning users an online identifier. This means that user information can generally be analysed for marketing purposes regardless of the browsers or devices used (such as mobile phones or desktop computers). With most providers, the online identifier is not linked to clear data such as names, postal addresses or e-mail addresses.

    • Custom audiences: Custom audiences, or target group formation, is the term used when target groups are determined for advertising purposes, for example the display of adverts. For example, based on a user's interest in specific products or topics on the internet, it can be concluded that this user is interested in adverts for similar products or the online shop in which they viewed the products. The term "lookalike audiences", or similar target groups, is used when the content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating custom audiences and lookalike audiences.

    • IP masking: IP masking is a method in which the last octet, i.e. the last two numbers of an IP address, is deleted so that the IP address can no longer be used to uniquely identify a person. IP masking is therefore a means of pseudonymising processing procedures, especially in online marketing.

    • Interest-based and behavioural marketing: Interest-based and/or behaviour-based marketing is when the potential interests of users in advertisements and other content are predetermined as precisely as possible. This is done on the basis of information about their previous behaviour (such as visits to specific websites and time spent on them, purchasing behaviour or interaction with other users), which is stored in a profile. Cookies are generally used for these purposes.

    • Personal data: Personal data means any information relating to an identified or identifiable natural person (hereinafter data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    • Processing: Processing means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically every handling of data, be it collection, analysis, storage, transmission or erasure.

    • Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to analyse, evaluate or predict (for example, interests in certain content or products, click behaviour on a website or location) specific personal aspects relating to a natural person (depending on the type of profiling, this includes information relating to age, gender, location data and movement data, interaction with websites and their content, shopping behaviour, social interactions with other people). Cookies and web beacons are often used for profiling purposes.

    • Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online service and can include the behaviour or interests of visitors in certain information, such as website content. With the help of reach analysis, website owners can, for example, recognise at what time visitors visit their website and what content they are interested in. This allows them, for example, to better customise the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognise returning visitors and thus obtain more precise analyses of the use of an online service.

    • Remarketing: Remarketing, or retargeting, is when, for example, it is noted for advertising purposes which products a user was interested in on a website in order to remind the user of these products on other websites, for example in adverts.

    • Tracking: The term "tracking" is used when the behaviour of users can be tracked across several online services. As a rule, behavioural and interest information is stored in cookies or on the servers of the providers of the tracking technologies with regard to the online services used (profiling). This information can then be used, for example, to display adverts to users that are likely to match their interests.

 

Any questions about data protection at DFS?

Then, please get in touch with:

datenschutzbeauftragter@dfs.de