Privacy Policy
Welcome to PolyTALENT GmbH! Protecting your personal data is a top priority for us as a digital recruiting agency. As a rule, you can use our website without actively providing personal data. However, as soon as you make use of our services—such as features on the website or within our application processes—the processing of personal data may become necessary. In such cases, we will inform you transparently about the type, purpose, and scope of data collection and—where required—obtain your consent beforehand.
We always treat your data confidentially and in accordance with the statutory data protection regulations (in particular the GDPR) and this privacy policy. We have also implemented extensive technical and organizational measures to protect your data as effectively as possible. Please note, however, that internet-based data transmission may have security vulnerabilities—absolute protection cannot be guaranteed. In the event of data protection incidents, we will inform you without delay and take all reasonable measures to close any gaps.
This privacy policy explains which personal data we collect, how we use it, for what purposes we do so, and what rights you have as a data subject. It applies to our website polytalent.de, other online services of PolyTALENT GmbH, and our business processes (in particular recruiting) in the DACH region (Germany, Austria, Switzerland). For processing activities involving persons in Switzerland, we also observe the requirements of Swiss data protection law; the terms used are to be understood as equivalent to the GDPR terms used here.
Controller
The controller within the meaning of data protection laws is:
PolyTALENT GmbH
Falkenbergstraße 5
49393 Lohne, Germany
Phone: +49 4442 8885790
Email: info@polytalent.de
Website: www.polytalent.de
Represented by the Managing Director: Mehmet Tarti.
If you have any questions about data protection, please contact us at the above details at any time. We have not appointed a data protection officer due to the lack of a legal requirement; however, all data protection matters are handled by our management with the utmost care.
General Information and Mandatory Disclosures
Legal Bases for Processing
We process personal data only on a permissible legal basis. This means that when we process your data, we do so either for the initiation or performance of a contract with you (Art. 6(1)(b) GDPR), on the basis of your consent (Art. 6(1)(a) GDPR), to safeguard legitimate interests of ours or third parties (Art. 6(1)(f) GDPR)—for example, in the efficient operation and security of our website or an optimized recruiting process—or where a legal obligation exists (Art. 6(1)(c) GDPR). In this privacy policy, we state the specific legal basis and purpose for the respective processing.
Data Security
We take the protection of your data very seriously. We treat your personal data confidentially and in accordance with statutory provisions and this policy. For security reasons, our website uses SSL/TLS encryption, identifiable by the https:// address and the lock symbol in the browser bar. This protects data you transmit to us in transit from being read by third parties. Nevertheless, internet data transmission is never completely secure.
No Disclosure Without Authorization
As a rule, your personal data will not be transferred to third parties, except: (1) to processors (service providers) commissioned by us with whom we have concluded a data processing agreement pursuant to Art. 28 GDPR (e.g., hosting providers, applicant management services, IT tools—these are identified in this policy), (2) if you have given us explicit consent to share data, (3) if the transfer is necessary for the performance of a contract (for example, transmitting your application documents to a client company—see below), or (4) if we are obliged to disclose data due to legal obligations or official orders. In all other cases, we do not share your personal data with third parties.
Retention Period
In principle, we store your personal data only as long as necessary for the respective purpose. Once the purpose of processing ceases to apply and there are no statutory retention periods (e.g., commercial or tax law retention), we routinely delete your data. If you have given us consent and later withdraw it, we delete the affected data unless another legal basis or obligation to retain applies.
Where relevant, we also state specific retention periods in the sections below (e.g., deletion periods for applicant data). If we do not provide such details, the above purpose-based storage principle applies.
Data Transfers to Third Countries
Our website and business processes also integrate services from providers outside the European Union (EU)/European Economic Area (EEA)—in particular from the USA. When using these services, personal data may be transferred to a third country or accessed from there. We explicitly point out that third countries such as the USA may not provide a level of data protection equivalent to that of the EU. In particular, there is a risk that US authorities may access data without you, as an EU citizen, having effective legal remedies.
We have no direct influence over such processing by third-party providers. Wherever possible, however, we enter into the European Commission’s Standard Contractual Clauses (SCCs) with providers or rely on adequacy decisions (if available) pursuant to Art. 45 GDPR. For example, some US providers are certified under the EU–US Data Privacy Framework, which indicates an adequate level of protection—otherwise, the SCCs serve as a safeguard. Details of any third-country transfers can be found in the explanations of the individual services in this policy.
Your Rights as a Data Subject
Under the GDPR and other applicable data protection laws, you have comprehensive rights regarding your personal data:
- Right of access (Art. 15 GDPR): You can request information at any time as to whether and which personal data we process about you. The information includes processing purposes, categories of personal data, recipients, and the planned retention period.
- Right to rectification (Art. 16 GDPR): If we have stored incorrect or incomplete data about you, you can demand prompt rectification or completion of this data.
- Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data (“right to be forgotten”) if the legal requirements are met—for example, if the data is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal basis, or processing was unlawful. Please note that statutory retention obligations may preclude immediate deletion—in such a case, deletion will occur promptly after the retention period expires.
- Right to restriction of processing (Art. 18 GDPR): In certain cases provided by law, you can demand restriction of processing. This means the data will continue to be stored but not otherwise processed (e.g., if you contest the accuracy of the data for the duration of verification).
- Right to data portability (Art. 20 GDPR): You have the right to receive data that we process automatically on the basis of your consent or for the performance of a contract in a commonly used, machine-readable format. Upon your request—and where technically feasible—we can also transfer this data directly to another controller.
- Right to object (Art. 21 GDPR):
  (1) If we process your data on the basis of legitimate interests (Art. 6(1)(f) GDPR) or in the public interest/exercise of official authority (Art. 6(1)(e) GDPR), you have the right to object at any time on grounds relating to your particular situation. In the event of your objection, we will cease processing the relevant data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
  (2) Where we process your personal data for direct marketing purposes (e.g., occasional emails with information about our services), you also have the right to object at any time. If you object, we will no longer use your data for direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR): Many processing operations are permitted only with your explicit consent. You may withdraw consent at any time with effect for the future. The lawfulness of processing based on consent before its withdrawal remains unaffected.
- Right to lodge a complaint (Art. 77 GDPR): If you believe that the processing of your personal data violates the GDPR or other data protection laws, you have the right to lodge a complaint with a supervisory authority. You can contact the authority at your habitual residence, place of work, or our company headquarters. In Lower Saxony, for example, the competent authority is the State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen). In Austria, you can contact the Data Protection Authority (DSB); in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC).
To exercise your rights, you can contact us informally at any time, e.g., by email at info@polytalent.de. We will review your request promptly and implement the desired measures without undue delay—at the latest within the statutory deadlines.
Note: The provision of your personal data is generally voluntary. However, certain services cannot be used without providing data—for example, we cannot process your application if you do not provide contact details or documents. In such cases, providing data is required for concluding a contract or for the service. There is no statutory or contractual obligation to provide personal data for purely informational use of the website.
Data Collection on Our Website
Below we explain how we collect and process personal data when you use our website.
1. Hosting and Website Platform
Our website is hosted by an external service provider to ensure a reliable and high-performance online presence. Specifically, we use:
- IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (Germany) as hosting provider. All data arising when visiting our website (e.g., IP addresses, requests, meta and communication data, website usage data, contents of form submissions) is processed on IONOS servers. IONOS provides the infrastructure and processes this data on our behalf. We have concluded a data processing agreement with IONOS to ensure GDPR-compliant processing.
- Wix.com as our website builder and platform. Our website was created using the tool from Wix.com Ltd., Tel Aviv, Israel. In providing the website, Wix may also process technical data of site visitors (e.g., IP address, device and browser information, cookies—see below). Wix.com operates global server locations (including outside the EU, e.g., the USA and Israel); an adequate level of data protection is ensured through EU Standard Contractual Clauses and the recognition of Israel as a data-protection-compliant third country. We have also concluded a data processing agreement with Wix.
Use of these hosting and website services is based on Art. 6(1)(f) GDPR (legitimate interest in the secure, fast, and efficient provision of our online offering) and Art. 6(1)(b) GDPR (performance of pre-contractual measures and contracts if you request services via the website).
Server log files: Each time our website is accessed, our servers or the host’s servers automatically collect general access data and store it in log files. This data includes, for example, the IP address of the requesting device, date and time of access, page/file accessed and status code, browser type and version, operating system used, referrer URL (the previously visited page). These log data cannot be readily assigned to specific persons and are not merged with other data sources. Collection occurs to ensure the functionality and security of the website (e.g., detection of attack attempts) and serves administrative purposes (Art. 6(1)(f) GDPR, legitimate interest in secure IT operations). Log files are generally deleted automatically after at most [7] days unless a security-relevant event requires longer storage.
2. Cookies and Consents
Our website uses cookies and similar technologies to improve the user experience and provide certain functions. Cookies are small text files stored by your browser on your device. They cause no harm. We use both session cookies (deleted automatically after your visit) and persistent cookies (which remain on your device until you delete them or their predefined retention expires).
Some cookies are technically necessary for the operation of the website (e.g., to maintain your session or provide functionalities). We set these necessary cookies on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in providing a functional and user-friendly website.
Other cookies serve to analyze your usage behavior or for marketing purposes. We set such cookies (in particular from third-party providers, see “Analytics Tools and Advertising” below) only with your consent (Art. 6(1)(a) GDPR). On your first visit, we may ask for your consent via a cookie banner. You can withdraw your consent at any time via our cookie settings or by deleting cookies.
Browser cookie settings: Regardless of consent, you can configure your browser to generally reject cookies, accept only certain cookies, or notify you before a cookie is stored. You can delete cookies already set at any time. Please note that disabling cookies may limit website functionality—technically necessary cookies are required for smooth operation.
Details on the individual cookies used by us (retention, provider, purpose, etc.) can be found via our cookie banner and settings. If you have questions, please contact us directly.
3. Contact Form and Enquiries
If you use our website contact form or contact us by email, phone, or fax, we process the personal data you provide (e.g., name, email address, telephone number, enquiry content). These data are used exclusively for the purpose of handling your enquiry and communicating with you.
Your enquiry data will not be passed on to third parties without your consent. In certain cases, however, we use processors for technical handling (e.g., hosters, email providers) who are bound by our instructions.
Processing your contact data is based, depending on the content of your enquiry, on Art. 6(1)(b) GDPR (to carry out pre-contractual measures or perform a contract if your enquiry aims at concluding a contract) or Art. 6(1)(f) GDPR (our legitimate interest in handling enquiries and maintaining business relationships). If we ask you for explicit consent (Art. 6(1)(a) GDPR)—e.g., for additional information or newsletters—we process your data on that basis.
Retention: We store enquiries as long as necessary to fully answer/handle them. Thereafter, we delete the data unless statutory archiving obligations apply. Business correspondence (including emails) may have to be retained for up to 6 (or 10) years under commercial and tax law. In such cases, we restrict processing to the permissible purpose.
4. Online Appointment Booking (Calendly)
We offer you the option to book appointments with us online. For this, we use Calendly, a scheduling service by Calendly LLC (Atlanta, Georgia, USA). If you access the Calendly scheduler on our website (or via a link we provide), you will be redirected to Calendly’s website. There you can select an appointment with us and enter details such as your name, email address, and any further contact information. These entries are required to schedule the appointment and send confirmations or updates.
The data you enter are processed via Calendly’s servers and stored for us for scheduling purposes. We receive information about the booked appointment and use it to hold the meeting. Calendly will automatically send you appointment confirmations and reminders by email if you have set this up.
No unauthorized disclosure: Calendly uses your data solely to provide the scheduling service on our behalf. According to Calendly, your data is not passed on to third parties. We have concluded a Data Processing Addendum (DPA) with Calendly to ensure GDPR-compliant processing.
Legal basis: Using Calendly is based on our legitimate interest (Art. 6(1)(f) GDPR) in offering you convenient and efficient appointment scheduling. If we ask you for consent during booking (e.g., to request specific data), processing is based on Art. 6(1)(a) GDPR. You can withdraw your consent at any time for the future by contacting us; already scheduled appointments are not affected.
Transfer to the USA: When using Calendly, personal data (especially your entered contact data and technical usage data) may be transferred to the USA. Calendly, LLC is certified under the EU–US Data Privacy Framework, which confirms an adequate level of protection. Additionally, we rely where necessary on EU Standard Contractual Clauses. Details are in Calendly’s privacy policy (available at https://calendly.com/pages/privacy).
We store your appointment data until the purpose of storage ceases—usually after the appointment has taken place and any follow-up has been completed—or until you ask us to delete it. Mandatory statutory retention obligations remain unaffected.
5. Online Funnels and Lead Generation (Perspective)
For certain campaigns or lead generation, we use so-called mobile funnels—interactive, mobile-optimized mini websites where interested parties (e.g., applicants or client contacts) can enter information, e.g., to request a consultation or apply easily.
Our funnels are created and operated using the external service Perspective. Provider: Perspective Software GmbH, Müggelstraße 22, 10247 Berlin. When you go through one of our funnels (e.g., via a link in an ad), the data you enter (typically name, contact information such as email/phone, and your answers to the funnel questions) are stored on Perspective’s servers and then transmitted to us. Perspective acts as a processor for us pursuant to Art. 28 GDPR. We have concluded a data processing agreement with Perspective ensuring your data is processed solely on our instructions and on EU servers. Perspective states that data are stored exclusively within the EU.
We use the data collected in the funnel to process your request—for example, to contact you, provide further information, or (in the case of applications) review your application. Depending on the funnel design, purposes may vary (e.g., talent acquisition, scheduling, newsletter sign-up); we provide a brief notice in the funnel.
Legal basis: Where data collection in the funnel serves to initiate a contract or carry out pre-contractual measures (e.g., you request a quote, apply for a job, or ask for a callback), Art. 6(1)(b) GDPR is the legal basis. In other cases—e.g., if you voluntarily provide additional information or consent to receive marketing information—we process on the basis of your consent (Art. 6(1)(a) GDPR). Where applicable, a corresponding consent notice with a button will appear in the funnel. You can withdraw consent at any time with effect for the future by contacting us.
Data collected via Perspective are stored by us only as long as necessary for the intended purpose (see “Retention” above). If no further contact is made or you so request, we will delete your data. For questions about the funnel or data collection, you can also contact us directly.
Further information on data protection at Perspective can be found in Perspective’s privacy policy (https://www.perspective.co/de/datenschutzerklaerung).
Analytics Tools and Advertising
We use various analytics tools and tracking technologies on our website to evaluate user behavior, optimize our offering, and improve our marketing. Some of the tools described below are only activated with your consent (see cookie consent above). You can disable these tools at any time via our cookie settings or delete set cookies. Below we inform you about the services used:
1. Google Analytics
Our website uses Google Analytics, a web analytics service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for the USA: Google LLC, Mountain View, CA). Google Analytics enables us to analyze visitor behavior (e.g., which pages are viewed for how long, navigation paths, geographic region, device, etc.) to gain insights for improving our web offering and marketing.
How it works: Google Analytics uses cookies (see above) that enable your browser to be recognized. The information generated by the cookie about your use of our website is usually transmitted to a Google server in the USA and stored there.
We use Google Analytics in the latest generation “_gtag” mode (Google Analytics 4). We have activated IP anonymization (masking). This means Google truncates your IP address within the EU or EEA before transmission to the USA (removing the last digits), so a direct link to a person is excluded. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. Google will use the transmitted information on our behalf to evaluate website usage, compile reports on website activity, and provide us with other services related to website and internet usage. According to Google, the IP address transmitted as part of Google Analytics is not merged with other Google data.
Legal basis: We use Google Analytics only with your consent (Art. 6(1)(a) GDPR). On your first visit to our site, we ask via the cookie banner whether you agree to the use of Google Analytics. You can withdraw this consent at any time by changing the cookie settings or using the Google Analytics opt-out (see below). Without your consent, Google Analytics remains deactivated. Legal bases for any necessary data transfers to the USA are Google’s EU Standard Contractual Clauses; Google is also certified under the EU–US Data Privacy Framework.
Opt-out and browser add-on: You can withdraw or prevent Google Analytics from collecting your data by adjusting your cookie consent (reopen the cookie banner and deactivate Analytics) or by installing Google’s browser add-on to deactivate Google Analytics, available at: https://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you can click here: Disable Google Analytics to set an opt-out cookie that prevents future data collection when visiting our website (the opt-out then applies only in this browser and for our domain).
Retention at Google: In Google Analytics 4, default retention for usage data is significantly shortened. User and event data are automatically deleted or anonymized after 14 months. Please refer to your consent tool settings or Google’s information for the retention periods we have set. General information on Google’s privacy practices can be found in Google’s Privacy Policy (https://policies.google.com/privacy) and the Google Analytics Terms of Service.
2. Google Ads Conversion Tracking
We also use Google Ads with conversion tracking. This means that if you arrive at our website via a Google ad, Google Ads sets a cookie on your device (“conversion cookie”). This allows us to see whether and how you subsequently perform certain actions on our website (e.g., submit an enquiry, send a form). Each Google Ads customer receives a different cookie, so cookies are not tracked across the websites of different Ads customers. The information gathered using the conversion cookie is used to compile statistics and measure the success of our ads. We learn the total number of users who clicked our ad and visited a page tagged with a conversion tracking tag. We do not receive information that personally identifies users.
The use of Google Ads conversion tracking is based on our legitimate interest (Art. 6(1)(f) GDPR) in targeted advertising and success measurement. If you refuse the corresponding marketing cookies via the cookie banner or browser settings, conversion tracking will not take place.
Here too, data may be transferred to the USA; recipients are Google Ireland and Google LLC (USA). Safeguards are analogous to Google Analytics (Standard Contractual Clauses, DPF certification).
You can prevent conversion tracking by configuring your browser to block cookies or by deleting the cookie using your browser functions if already set. Further information on Google Ads and conversion tracking can be found in Google’s Privacy Policy (https://policies.google.com/privacy).
3. Facebook Pixel (Meta Pixel)
Our website uses the Facebook Pixel, an analytics tool from Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (for users outside the EU: Meta Platforms Inc., USA). The Facebook Pixel enables us to understand the effectiveness of our Facebook/Instagram ads and display targeted advertising (conversion tracking and retargeting). When you visit our pages (and with your consent), a direct connection to Meta’s servers is established via the pixel. Meta receives information that you visited our website and may associate this with your personal Facebook/Instagram account (if you are logged in there). We receive only anonymized statistical evaluations of the effectiveness of our ads; Meta may, however, use the data for its own advertising purposes according to its data policy.
Legal basis: The Facebook Pixel is used only with your consent (Art. 6(1)(a) GDPR). You can consent via our cookie banner. You may withdraw your consent at any time—for example, by deleting the relevant cookies or changing your settings. Alternatively, you can disable data collection via websites for ad targeting in your Facebook/Instagram account under ad settings.
Transfer to the USA: Data collected via the pixel may be transferred by Meta to servers in the USA and stored there. Meta (Facebook) is certified under the EU–US Data Privacy Framework; we have also concluded the EU Standard Contractual Clauses with Meta to ensure an adequate level of protection. Nevertheless, we have no influence as website operator on Meta’s further processing of your data.
Further information can be found in Facebook’s Data Policy (https://de-de.facebook.com/policy.php) and the Facebook Pixel help page.
4. LinkedIn Insight Tag
Our website uses the LinkedIn Insight Tag, an analytics and conversion tool from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. This tool helps us better understand visitors to our website who are LinkedIn members and to optimize our advertising on LinkedIn.
How it works: The Insight Tag places a LinkedIn cookie in your browser when you visit our website (if you have consented). If you are logged in to LinkedIn, LinkedIn may associate your visit to our site with your user account. LinkedIn then provides us, as site operator, with aggregated reports about the audiences of our website and the success of our LinkedIn ads. For example, we receive anonymized information about the professional characteristics of visitors (seniority, industry, company size, etc.), conversion events (e.g., when a certain action on the website occurs after clicking a LinkedIn ad), and can run retargeting campaigns (targeted ads on LinkedIn to our website visitors). According to LinkedIn, no directly personal data is passed on to us; we do not see individual user profiles, only aggregated information.
LinkedIn collects via the Insight Tag, among other things, the URL, referrer URL, IP address, device and browser characteristics, timestamp, and—if you are a LinkedIn user—your LinkedIn member ID (in hashed/pseudonymized form). LinkedIn truncates or pseudonymizes captured IP addresses within 7 days and deletes members’ direct identifiers within 7 days. The remaining pseudonymous data are then deleted within 180 days unless a conversion event defined by us requires longer use.
Legal basis: We use the LinkedIn Insight Tag only with your consent (Art. 6(1)(a) GDPR). You can consent in the cookie banner. You can change this decision at any time: withdraw consent by adjusting the cookie settings on our website or by opting out via LinkedIn. As a LinkedIn member, you can control in your account settings under “Privacy > Advertising” to what extent your behavior on websites may be used for targeted advertising. LinkedIn also offers an opt-out for tracking via the Insight Tag at https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out (for visitors who are not logged in).
Data transfer: LinkedIn stores collected data on servers including in the USA. LinkedIn is contractually committed to the EU Standard Contractual Clauses. According to its statements, LinkedIn is also certified under the Data Privacy Framework. Nevertheless, we cannot influence how LinkedIn further processes the data after transfer—LinkedIn may also use it for its own purposes (e.g., to improve its advertising services). For details, see LinkedIn’s Privacy Policy (https://www.linkedin.com/legal/privacy-policy).
Note: If you do not want LinkedIn to associate your visit to our pages with your user account, please log out of LinkedIn before visiting our website and delete the relevant cookies if necessary.
5. Other Advertising and Tracking Services
(Currently, we do not use any other external tracking or advertising tools that would need to be mentioned here. Should this change in the future, this privacy policy will be updated accordingly.)
Note: Beyond our website, we use social media platforms for our corporate presence (e.g., LinkedIn profile). For information on how data are handled on such platforms (so-called social media profiles) and on joint controllership pursuant to Art. 26 GDPR, please refer to the privacy policies on the respective platforms. These points are not part of this website privacy policy.
Plugins and Embedded Functions
We also embed certain external content and functions on our website to improve the user experience. This may involve transmitting your IP address and possibly other technical data (such as browser information) to the respective provider, as the content cannot be delivered to your browser without these data. In detail:
1. Google Web Fonts
To ensure consistent and appealing display of our fonts, we use Google Web Fonts. Provider: Google Ireland Limited, Dublin, Ireland (USA: Google LLC). When you access a page, your browser loads the required web fonts from Google to display texts and fonts correctly. In doing so, your IP address is transmitted to Google, and Google learns that our website was accessed via your IP.
The use of Google Web Fonts is in the interest of a consistent and visually appealing presentation of our online offering—this constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. Where consent is required (usually not, as web fonts are technically necessary), we obtain it beforehand (Art. 6(1)(a) GDPR). You can prevent loading fonts from external servers in your browser settings (some browsers offer a privacy mode), which may result in our site being displayed in a fallback font.
Further information on Google Web Fonts can be found in Google’s FAQs (https://developers.google.com/fonts/faq) and Google’s Privacy Policy (https://policies.google.com/privacy).
2. Google Maps
On our contact page (or elsewhere), a Google Maps map may be embedded to show our location and make navigation easier. Google Maps is a mapping service from Google Ireland Limited (Dublin, Ireland; USA: Google LLC).
When you access a page with embedded Google Maps, your browser establishes a direct connection to Google’s servers. At least your IP address and possibly a location reference are transmitted to Google. This information is usually transferred to a Google server in the USA and stored there. We have no influence over this transfer.
Use of Google Maps is in the interest of an attractive presentation of our online offerings and easy findability of locations indicated on the website—this is a legitimate interest under Art. 6(1)(f) GDPR. Where legally required (in particular due to data transfers to the USA or cookies set by Google Maps), we obtain your consent beforehand—based on Art. 6(1)(a) GDPR. You may withdraw consent at any time (e.g., by deleting the relevant cookies or changing your settings).
Data transfer to the USA: Google is certified under the EU–US Data Privacy Framework; we have also agreed Standard Contractual Clauses with Google. Nevertheless, when calling up Google Maps, the residual risk described above remains.
Further information on handling user data can be found in Google’s Privacy Policy: https://policies.google.com/privacy. There you will also find notes on settings to protect your privacy (Google account settings).
3. LinkedIn Plugin (Share Button / Social Plugin)
Our website may include functions and content from LinkedIn—for example, a LinkedIn share button under blog posts or a link to our LinkedIn company profile with a LinkedIn logo. When you see such a function on our site, it is initially displayed in a deactivated state (by default embedded as a simple graphic with no connection to LinkedIn servers). Only when you actively click the LinkedIn element (e.g., the share button) is a connection to LinkedIn established (two-click solution). By clicking, you consent to your browser connecting to LinkedIn.
By activating it, LinkedIn receives information that you accessed the corresponding page of our offering. In addition, various technical data (IP address, browser data, time) may be transmitted to LinkedIn. If you are logged in to LinkedIn at the time of interaction, LinkedIn can associate your visit to our site and your interaction (e.g., sharing our content) with your LinkedIn user account and may publish this information in your profile. If you want to prevent this, please log out of LinkedIn before clicking.
Legal basis: Embedding LinkedIn functions is based on our legitimate interest (Art. 6(1)(f) GDPR) in a user-friendly design and broader distribution of our content in social networks. Actual data transfer to LinkedIn occurs only after your interaction/click—from that moment, you are actively involved and processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw this consent at any time with effect for the future by refraining from using the social media function in the future or (where possible) disabling the embedded element.
We point out that after activation of the LinkedIn plugin, we have no influence over the scope and use of data collected by LinkedIn. LinkedIn may create a usage profile and use it for its own advertising purposes. For details, please refer to LinkedIn’s Privacy Policy (see link above).
(Note: We use the two-click method to protect your data—i.e., without your action, no data is transmitted to LinkedIn.)
Use of Audio/Video Conferencing Tools (Zoom, Teams, Webex, Aircall)
For communication with customers, applicants, and business partners, we use online conferencing tools as needed, in particular video conferencing and meeting platforms. Specifically, we use Zoom, Microsoft Teams, and Webex to conduct telephone or video conferences, online meetings, and candidate interviews.
When you communicate with us by video or audio conference using one of these tools, your personal data are processed by us and the respective provider. The exact types of data depend heavily on the information you provide and the functions you use. Typically, this includes:
- Contact data: your name, email address (for invitation/registration in the tool), and possibly telephone number (for dial-in). Occasionally, the tools request further details like your position/company if you enter them voluntarily.
- Meeting metadata: e.g., meeting topic, participant IP addresses, device/hardware information, time and duration of participation, possibly chat logs and shared content.
- Audio/video data: if you activate camera and/or microphone, your image and audio data are naturally transmitted during the session. You can always disable camera or microphone in the tool.
- Recordings: we do not record meetings without prior agreement. If we exceptionally wish to record a session (e.g., webinars for training), we will inform you in advance and—where required—request your consent. Participants are usually also visually notified by the tool when recording is active.
Please note that when using such tools, data are also processed by the tool providers. These include particularly technical connection data (such as your IP address, device model, operating system, approximate location) and the content data mentioned above (audio/video/chat), insofar as they are necessary for transmission and storage. Providers use this information partly to improve their service, to comply with legal obligations, and in some cases for their own business purposes (for US providers, e.g., telemetry and service optimization). We cannot fully influence these processing activities at the provider. However, we have concluded data processing agreements with each of the providers mentioned to ensure GDPR-compliant handling of your data.
Purpose and legal bases: We use these conferencing tools to communicate with you efficiently and regardless of location. This is our legitimate interest under Art. 6(1)(f) GDPR for general coordination, interviews, or meetings. Where the use is for fulfilling a contract or pre-contractual measures with you (e.g., a contractually agreed consultation), Art. 6(1)(b) GDPR is the legal basis. If we request your consent (e.g., for a recording or adding external participants), processing is based on Art. 6(1)(a) GDPR—you may withdraw consent at any time.
Retention: We store our own recordings or meeting notes only as long as necessary for the purpose (e.g., to follow up a conversation). If there is no longer a need, we delete such content without delay. Tool providers store your data for varying periods: some delete chat contents and technical logs after a few months on their own; others retain data longer for billing or analytics. We cannot influence this. Please refer to the privacy policies of the respective providers.
Tools used and provider privacy information:
- Zoom: Zoom Video Communications, Inc., San Jose, USA. Privacy Policy: https://zoom.us/privacy
- Microsoft Teams: Microsoft Corporation, Redmond, USA (for EU customers, typically Microsoft Ireland Operations Ltd., Dublin, Ireland). Privacy Statement: https://privacy.microsoft.com/de-de/privacystatement
- Cisco Webex: Cisco Systems, Inc., San Jose, USA. Privacy Statement: https://www.cisco.com/c/de_de/about/legal/privacy-full.html
When using the above tools, data may be transferred to the USA or other third countries (e.g., to parent companies in the USA). We base such transfers on the providers’ Standard Contractual Clauses and—where available—certification under the EU–US Data Privacy Framework.
Use of the Cloud-Based Phone System Aircall
We use the cloud phone system Aircall for our telephone communications. Aircall enables us to manage calls efficiently, forward calls to team members, and—where necessary—record conversations and automatically convert them into text notes. This allows us to better document customer and candidate conversations and improve our service. Automatic creation of call notes saves time and minimizes errors in conversation documentation.
Provider: Aircall SAS, 11–15 Rue Saint-Georges, 75009 Paris, France. Aircall operates a cloud platform where data processing generally takes place in data centers of the Aircall group. Please note that Aircall may also use sub-processors and servers in third countries (especially the USA) to provide the service. According to its statements, certain connection data (e.g., call metadata, recordings) are stored in the EU, while other data (e.g., technical analytics data) are hosted in the USA. Aircall ensures compliance with European data protection standards through contractual guarantees.
Data processed: When using Aircall, the following personal data may be processed: your phone number (and possibly the displayed name if stored in our contacts), date and time of the call, call duration, and any recordings of the conversation if we record the call. If we integrate Aircall into our CRM, notes on calls or transcriptions of conversation content may also be created and stored. This helps us maintain a complete communication history and track your concerns. Note: Calls are recorded only in exceptional cases and not without prior notice. By default, we use Aircall for live communication, where only connection data accrue.
Legal bases: Use of Aircall serves to efficiently conduct (pre-)contractual phone calls with you (Art. 6(1)(b) GDPR) and is based on our legitimate interest (Art. 6(1)(f) GDPR) in professional customer management and quality assurance in communication. Our legitimate interest includes being reachable and responsive via Aircall’s technical infrastructure, handling calls in a team, and documenting conversation content as needed. If we need your consent in rare cases (e.g., for a recording for training purposes), we will ask you explicitly and base processing on Art. 6(1)(a) GDPR—you may withdraw such consent at any time.
Processing on behalf and data security: We have concluded a data processing agreement with Aircall pursuant to Art. 28 GDPR. It stipulates that Aircall processes our callers’ data exclusively according to our instructions and in compliance with European data protection standards. Aircall implements technical and organizational measures to ensure data security (e.g., encryption, access controls). Nonetheless, we point out that data transmission over the public telephone network or the internet always entails a residual risk.
Third-country transfer: As an international service, processing of personal call data in third countries (such as the USA) cannot be ruled out (e.g., when we use international numbers or when Aircall servers are located there). Aircall undertakes to comply with appropriate safeguards for such transfers. In particular, under our agreement with Aircall, EU Standard Contractual Clauses are implemented to ensure a level of protection in line with the GDPR. We are happy to provide further information on request.
Retention: We retain call metadata (call lists with numbers, date, duration, etc.) as long as needed for business purposes (e.g., proof of communication, history of open cases) and while statutory retention obligations apply. We store call recordings or transcripts only as long as necessary for the respective purpose (e.g., until a matter is clarified or a recruitment process completed) and then delete or anonymize them unless legal reasons prevent deletion.
Applicant Management and Data in the Application Process
We are pleased that you are applying to us. During the application process, we process various personal data of applicants. Below we explain which data these are, for which purposes and on what basis we process them, and how long we store them.
1. Application Channels and Data Collection
You can apply to PolyTALENT in different ways:
- Online application form/careers page: On our careers website (https://jobs.polytalent.de) you will find current job postings. Via an embedded application form, you can apply directly online by entering contact details and uploading application documents (cover letter, CV, references, etc.). Our online careers page is provided by the Recruitee system, a cloud-based applicant tracking software by Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands. Recruitee acts as a processor for us. We have concluded a data processing agreement with Recruitee pursuant to Art. 28 GDPR. This means that the data you enter in the application form are stored directly on Recruitee’s secure servers and retrieved and processed by us there. Recruitee processes your data only on our instructions and not for its own purposes. (Note: According to Recruitee, data are stored on servers within the EU.)
- Application by email or post: You can also send us your application by email to bewerbung@polytalent.de or by post. In this case, after receipt we will transfer your documents into our electronic application system (i.e., manually enter them into Recruitee or our internal applicant management) in order to process them together with online applications. We store your original email application and attachments only temporarily as long as necessary for processing. Paper applications are securely stored after digitization and disposed of in accordance with the retention periods mentioned below.
- Application via online profiles: We may also use applicant data that you have made public on career platforms such as LinkedIn or XING, or we may be put in contact with candidates via personnel service providers. In such cases, we will inform you separately about the data source when contacting you. As a rule, however, we process only data that you have published yourself or that have been lawfully provided to us as part of a placement.
- Application via WhatsApp: Additionally, we offer—optionally—the possibility to communicate with us via WhatsApp in the application process. For details, see Section 4 below.
In principle, we collect only personal data related to your application. This includes in particular: your master data (name, address, contact details such as phone/email), all data from your application documents (CV with qualifications, references, cover letter, photo if provided, etc.), as well as notes we add during the process (e.g., interview notes, evaluation points). Special categories of data (Art. 9 GDPR), such as information on health, religious affiliation, ethnic origin, etc., are not required for the application process—please refrain from including such information if possible. If such information appears in your CV (e.g., photo, information about a disability), we will process it only insofar as permitted by law (in Germany, for example, to consider a severe disability pursuant to § 164 SGB IX) or if you give us your explicit consent.
Your application data are viewed and processed only by those persons involved in the selection process within our company. As a rule, these are HR staff (recruiters) and the responsible decision-makers in the department, possibly management. All employees entrusted with data processing are bound to confidentiality. No further transfer to third parties takes place unless your application relates to a position at one of our client companies (see Section 3 below).
2. Purpose and Legal Bases in the Application Process
The primary purpose of processing your application data is to conduct the application process, i.e., to assess your suitability for the advertised position and to decide on the establishment of an employment relationship. The main legal basis for this in Germany is § 26(1) BDSG (decision on hiring) in conjunction with Art. 6(1)(b) GDPR (initiation of a contractual relationship). Equivalent provisions apply in Austria (Art. 6(1)(b) GDPR in conjunction with §§ 3, 4 DSG) and Switzerland (Art. 4(5) FADP in conjunction with private law principles)—in simplified terms, we may process your data to conduct the application process and decide whether to offer you a job.
If you are subsequently hired, your data—where relevant—will be transferred to your personnel file and further processed pursuant to § 26(1) BDSG and Art. 6(1)(b) GDPR (performance of the employment contract).
If no employment results, we may further process your data to defend against potential legal claims. In particular, we reserve the right, in the case of rejection, to retain your documents for a certain period, for example in case of claims under the General Equal Treatment Act (AGG). The legal basis is Art. 6(1)(f) GDPR (legitimate interest, burden of proof in potential legal disputes). For details on retention, see Section 5 below.
If we ask whether we may include your application in our applicant/talent pool, this is done solely on the basis of your consent (Art. 6(1)(a) GDPR). Participation in the pool is voluntary and has no effect on the current application process. See Section 6 below for details.
If you grant us specific consents during the application process (e.g., for longer storage or forwarding to other positions), you may withdraw them at any time with effect for the future (Art. 7(3) GDPR). We will then—subject to statutory retention obligations—delete your data or refrain from further use.
3. Transfer of Applicant Data to Client Companies
PolyTALENT is a recruiting agency that searches for suitable candidates on behalf of client companies (headhunting). It may therefore happen that you apply to us while the position to be filled is in an external company (our client). In such cases, we act as an intermediary.
If your application concerns a position with a client, we will tell you this in the job posting or at the latest during the interview. In the course of the process, it will then be necessary to forward your application documents and relevant information to the client company so that it can get to know you and decide on hiring. The controller in the data protection sense for further processing is then the advertising company itself. We transmit your data to the client only to the extent necessary for the specific recruitment procedure (usually CV, qualifications, and possibly our recommendation/assessment). We ensure confidential handling by the client and obtain your prior approval where customary or required.
Depending on the constellation, the transfer to the client takes place either on the basis of Art. 6(1)(b) GDPR (performance of pre-contractual measures at your request—as you are in effect applying for that position with the company) or on the basis of your consent (Art. 6(1)(a) GDPR). In any case, we treat your data confidentially with the client. The client company will inform you about its data processing (e.g., via its own privacy notices in the applicant portal or during the interview).
If you do not agree to us forwarding your documents to a particular client company, you can express this at any time—we will respect your wish and then handle your application internally or, if desired, withdraw it entirely.
4. Communication via the WhatsApp Business API
We use the WhatsApp Business API for communication with applicants and interested parties. Technical provision is via a European API provider; we have a data processing agreement with this provider pursuant to Art. 28 GDPR. The messenger provider is WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (a Meta company).
Purpose and type of processing
WhatsApp is used solely for fast, efficient communication in recruiting (scheduling, brief queries, status information). Depending on the application source, we may specifically ask you to submit your CV to us via WhatsApp (e.g., as a PDF) to speed up the process. Alternatively, email or—where available—our upload portal are available at any time; you are not disadvantaged by your choice.
Data processed
Data processed may include mobile number, display name/profile name, message/file contents (e.g., CV, brief details), timestamps, and technical metadata. Message contents are end-to-end encrypted between devices. Metadata (e.g., communication times, participating numbers, device information) are processed by WhatsApp and may be stored outside the EU. We use the official API solution, do not sync local address books, and limit content to what is necessary; special categories of personal data (Art. 9 GDPR) should not be transmitted via WhatsApp.
Legal bases
- Art. 6(1)(b) GDPR (pre-contractual/contractual communication in the application process),
- Art. 6(1)(f) GDPR (legitimate interest in contemporary, user-friendly communication), insofar as overriding interests of data subjects do not prevail.
Relevant chat information (e.g., appointment confirmations, submitted documents) may be stored for specific purposes in our internal systems (e.g., applicant management).
Third-country transfer
WhatsApp/Meta may process data in third countries (especially the USA). Meta is certified under the EU–US Data Privacy Framework. In addition, our API provider relies on Standard Contractual Clauses (SCCs) and other contractual/technical measures to ensure an adequate level of protection.
Retention
Chat histories and any transmitted documents are processed only for specific purposes and retained only as long as required for the respective purposes or as required by law. If the purpose ceases or relevant deadlines expire, data will be routinely deleted or restricted in accordance with legal requirements.
Further information
WhatsApp’s privacy policy: https://www.whatsapp.com/legal/#privacy-policy
5. Retention Period for Applicant Data
We process and store your personal application data only as long as necessary for the decision regarding your application. If you are hired, the data will be transferred to your personnel file and further processed for employment purposes; we will inform you separately.
If you are not hired, your data will be restricted to the necessary extent after completion of the application process and—once there are no statutory or contractual retention or evidentiary obligations and no legitimate interests (in particular for the establishment, exercise, or defense of legal claims)—deleted in accordance with legal requirements. Until deletion, processing is carried out solely for these stated purposes (“blocking”).
If you have given us consent to be included in our applicant/talent pool, we will store your data for this purpose until you withdraw consent or the purpose ceases; thereafter deletion takes place in accordance with legal requirements.
Legal bases: § 26 BDSG, Art. 6(1)(b) GDPR; for any further retention for legal defense, Art. 6(1)(f) GDPR.
Use of Tools in Recruiting and Business Processes
1. Microsoft Power Automate
We use Microsoft Power Automate to simplify and accelerate internal processes—particularly in candidate pre-qualification and matching—via automated workflows. This concerns recurring tasks such as sending emails, updating databases, or the integration of various systems without manual intervention. The service enables the linking of multiple applications and execution of predefined processes so that data are automatically transferred and further processed between services upon certain events. In such automations, personal data may be processed, particularly data required for triggered workflows. This includes identification and contact data (e.g., name, email address, phone number), application and contract information, document contents, and status and log data (such as timestamps, device data, system and usage logs).
Recipient/processor: The operator of Microsoft Power Automate and recipient of processed data is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. For data subjects in the EU/EEA, Microsoft Ireland Operations Limited, One Microsoft Place, Dublin 18, Ireland, acts as contact and representative under Art. 27 GDPR. (Microsoft also maintains local representatives, e.g., in Switzerland: Microsoft Schweiz GmbH, 8038 Zurich.) Your data may also be processed outside the EU/EEA, particularly in the USA. Third-country transfer: Microsoft is a US provider. We have concluded a processor agreement meeting the requirements of Art. 28 GDPR (part of the Microsoft Online Services Terms) and agreed EU Standard Contractual Clauses under Art. 46(2) GDPR to ensure an adequate level of protection. Microsoft is also a certified member of the EU–US Data Privacy Framework (and the Swiss–US Data Privacy Framework), confirming an adequate level under Art. 45 GDPR. (Further information can be found on dataprivacyframework.gov; a copy of safeguards is available on request.)
Purpose and legal bases: The purpose of using Microsoft Power Automate is to automate and increase the efficiency of our business processes—particularly faster pre-qualification of candidates, seamless integration of applications, and reduction of manual routine tasks to minimize errors. Processing is based on Art. 6(1)(b) GDPR (insofar as necessary to perform a contract or pre-contractual measures with the data subject—for example, in the context of an application relationship, § 26 BDSG) and on Art. 6(1)(f) GDPR. Our legitimate interest lies in efficiency gains, relieving staff through automation of recurring tasks, and a consistent and productive process design.
Retention: We store personal data processed in connection with Power Automate only as long as necessary for the purposes mentioned or as long as we are legally or contractually obliged to retain them. Criteria for determining the retention period include, in particular, the duration of our contractual relationship with Microsoft as a service provider and any statutory retention periods. If the processing purpose ceases and there are no legal retention obligations, data will be blocked or deleted in accordance with legal requirements. Note: Providing personal data for Power Automate is neither legally nor contractually required; however, without certain data, the use of automated processes or related services may be restricted.
Further information on data protection and data security in Microsoft Power Automate can be found in Microsoft’s Privacy Statement (see Microsoft Trust Center).
2. Microsoft SharePoint
We use Microsoft SharePoint as part of Microsoft 365 to organize our internal and cross-department collaboration and document management efficiently. Via SharePoint, we manage, for example, team sites, intranet functions, shared document repositories, calendars, task lists, and workflows in a structured form. In doing so, personal data may be processed—particularly those contained in documents, user profiles, sharing settings, or comments. Typical data processed include contact and profile data (name, email address, stored profile information), content and metadata of documents (e.g., file uploads, version history, sharing notes), usage data (edited items, comments), and technical logs such as IP address, timestamps, device type, and similar communication data. All data transfers are encrypted; only authorized persons receive access to content based on role-based access rights.
Recipient/processor: Provider: Microsoft Corporation, USA, with the EU representative Microsoft Ireland Operations Ltd., Dublin. Data are stored within Microsoft’s cloud infrastructure. For European customers, Microsoft generally stores SharePoint data in data centers within the EU; however, processing in the USA cannot be ruled out in support or maintenance cases. Third-country transfer: The safeguards described in the previous section apply here as well. Microsoft is subject to Standard Contractual Clauses under Art. 46 GDPR and is certified under the EU–US Data Privacy Framework, ensuring an adequate level of protection.
Purpose and legal bases: The purpose of using SharePoint is to provide a structured, secure platform for collaboration within the company, including document management, knowledge sharing, and team communication. This is to organize internal processes efficiently and protect sensitive information. Legal bases are Art. 6(1)(b) GDPR (insofar as use is necessary for contract performance or pre-contractual measures—for example, in the context of projects with our clients or candidates) and Art. 6(1)(f) GDPR. Our legitimate interest lies in the efficient organization of internal processes, promoting effective collaboration, and securing our information through modern collaboration tools.
Retention: Personal data within SharePoint are retained only as long as necessary to achieve the purpose or as required by law. Decisive factors are our contractual relationship with Microsoft and any statutory or contractual retention periods. Once there is no legitimate purpose for further storage and no legal obligations, personal content is deleted or blocked in accordance with legal requirements. Providing your data for SharePoint is generally voluntary and not legally required; however, without certain information, collaboration via the platform may not be possible or may be possible only to a limited extent.
Further information can be found in the official privacy information for Microsoft SharePoint (Microsoft Trust Center).
3. Microsoft Forms
We use Microsoft Forms, a Microsoft 365 tool, to collect structured data from applicants—for example, during onboarding or feedback surveys. With Microsoft Forms we can create online forms and questionnaires that candidates or partner companies complete. The data collected depend on the purpose and may include personal details (e.g., name, contact details), professional information (e.g., qualifications, previous employers), and other data required for onboarding. In some cases, forms are used in cooperation with our partner companies (e.g., when a candidate is placed for hiring at a partner company); the information entered there is then forwarded to the respective company for that specific purpose. Personal data from Forms surveys or questionnaires are stored centrally in the Microsoft cloud and accessed and evaluated by us. We have concluded a data processing agreement with Microsoft and ensured via Standard Contractual Clauses that, in the event of access from third countries, an adequate level of protection exists. Microsoft generally processes European users’ data in EU data centers; however, processing in the USA may occur in individual cases (e.g., support). Microsoft is certified under the EU–US Data Privacy Framework, so transfers to the USA can be based on this guarantee.
Purpose and legal bases: Microsoft Forms is used to collect data from applicants and new employees in a structured way so as to manage hiring and onboarding efficiently. This allows us to capture necessary information (e.g., for employment contracts, profile matching, or organizational preparation of hiring) in a targeted and standardized manner. The legal basis—where data are collected to establish or prepare an employment relationship—is Art. 6(1)(b) GDPR in conjunction with § 26 BDSG (pre-contractual measures for an employment relationship). Where there is no immediate necessity, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in an efficient and traceable handling of the application and onboarding process. In cases where you voluntarily provide additional information or consent to forwarding your form data to a partner company, your consent (Art. 6(1)(a) GDPR) may also serve as a legal basis.
Recipients: Data collected via Microsoft Forms are treated confidentially. Within our company, only authorized persons (e.g., recruiting staff) have access. If the form is completed on behalf of a partner company (potential employer), that partner company receives the relevant answers to achieve the application/onboarding purpose. In addition, Microsoft as a processor necessarily gains knowledge of the form data insofar as required to provide the service. No further disclosure to third parties occurs without a corresponding legal basis or your explicit consent.
Retention: Data from Microsoft Forms are stored only as long as necessary to achieve the purpose of collection. If the purpose ceases (e.g., completion of onboarding or decision in the application process) and there are no legal retention obligations (e.g., under commercial or tax law), the form data will be deleted or blocked promptly. As a rule, we review the necessity of continued storage at the latest after the purpose ceases. Data transmitted to partner companies are subject to the retention periods applicable there from the time of transfer; copies of such data held by us are likewise deleted unless our own legal obligations (e.g., evidence obligations) require further storage. Participation in such data collections is voluntary—non-provision may, however, mean that we cannot continue the application or hiring process.
Further information on Microsoft Forms privacy can be found in the Microsoft Trust Center or Microsoft’s Privacy Statement.
4. Microsoft AI Services
PolyTALENT GmbH uses AI-powered services from Microsoft—for example, functions of the Microsoft Azure AI platform or Microsoft 365 (such as AI assistants like Microsoft Copilot)—to support the analysis of candidate profiles and job requirements and to generate automated matching recommendations. These AI functions help our staff work more efficiently by, for example, providing text suggestions or pre-matching candidate profiles with job postings. Note: There is no fully automated decision-making within the meaning of Art. 22 GDPR—the final selection or decision regarding candidates is always made by our recruiters as human beings. AI is used solely for support and provides recommendations that are reviewed.
In the course of using AI, personal data are processed insofar as required for analysis and recommendation generation. This includes, in particular, profile and application data of candidates (e.g., qualifications, career history, skills) and requirement data of open positions (job profiles, job descriptions), as well as possibly usage and interaction data generated when working with AI functions (e.g., which suggestions are accepted or rejected). These data may be transmitted to the AI models and algorithmically evaluated there to generate appropriate suggestions or analyses.
Recipient/processor: The provider of the AI services is Microsoft (see above, Microsoft Corp., USA, represented in Europe by Microsoft Ireland Operations Ltd.). Insofar as AI functions are integrated into our local Microsoft 365 environment, data remain within Microsoft’s cloud infrastructure. However, processing may occur on servers in the USA, as Microsoft operates the AI models centrally. Third-country transfer: Microsoft is contractually bound as a processor; we have concluded the relevant agreements and Standard Contractual Clauses. In addition, Microsoft is certified under the EU–US Data Privacy Framework for AI services, ensuring an adequate level of protection.
Purpose and legal bases: The purpose of using AI services is to optimize and accelerate our recruiting processes—e.g., through faster analysis of profiles, more accurate matching of candidates to vacancies, and support for our staff in routine assessments. Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in innovative, efficient processes and the continuous improvement of our services through AI support. This interest includes increasing placement efficiency and improving the quality of recommendations. Insofar as AI processing in individual cases serves to fulfill our obligations in the application process (e.g., automated pre-selection as a pre-contractual measure in the context of potential employment), Art. 6(1)(b) GDPR in conjunction with § 26 BDSG may also apply. We obtain consent (Art. 6(1)(a) GDPR) if we intend to evaluate special categories of personal data (Art. 9 GDPR) using AI—this is not part of our usual process.
Retention: Personal data arising from the use of AI services (e.g., analyses or recommendations) are stored only as long as necessary for the stated purpose. In many cases, processing is temporary—e.g., one-off analysis without permanent storage of AI-generated data. If storage occurs (e.g., logging AI recommendations for quality assurance), we follow the general deletion periods for our applicant data. These are based on the end of purpose or statutory retention obligations. Once the purpose is achieved and no retention reasons remain, AI output data are deleted or anonymized.
Further information on Microsoft’s AI services and their data protection can be found in Microsoft’s Privacy Statement (see Microsoft Trust Center).
5. Zapier
We use Zapier, an online automation service, to connect and simplify technical workflows between different systems. With Zapier, we can set up “Zaps”—automated workflows that transfer data from one application to another or trigger certain actions upon defined events. For example, we can ensure that when certain information is received in one system (such as a status change or a new record), a corresponding action is automatically triggered in another system without manual intervention. This increases the efficiency of our internal processes and reduces the risk of errors.
When using Zapier, we generally transmit only minimal personal data, as we take care not to send sensitive applicant data via this service. Depending on the configuration of workflows, however, it may be necessary to pass certain personal information between systems—this includes, for example, names, email addresses, or business contact details required to identify records. In exceptional cases, further data elements may be included in automated transmissions, depending on which applications are linked through Zapier. We design Zaps to be as data-sparing as possible to avoid unnecessary transfers of personal data.
Recipient/processor: Zapier is a service of Zapier, Inc., 548 Market Street, #62411, San Francisco, CA 94104, USA. For data subjects in the EU/EEA, Zapier has appointed an EU representative (DP-Dock GmbH, Ballindamm 39, 20095 Hamburg, Germany, under Art. 27 GDPR). (A representative for the UK also exists: DP Data Protection Services UK Ltd., London.) Zapier processes data on US-based servers. Third-country transfer: Because Zapier is a US company, its use involves transfers of personal data to the USA. We rely on Standard Contractual Clauses under Art. 46(2) GDPR and—since the 2023 framework—on Zapier’s participation in the EU–US Data Privacy Framework. Zapier has certified compliance with the EU–US Data Privacy Framework (including the UK and Swiss extensions), thereby guaranteeing an adequate level of protection.
Purpose and legal bases: By using Zapier, we aim to seamlessly link our IT systems to avoid manual data entry or duplicate entries. The service contributes to process automation, improving our service quality and efficiency. The legal basis for the associated processing is our contractual relationship with you or the performance of pre-contractual measures, Art. 6(1)(b) GDPR, insofar as the automated processes are necessary to perform the contract with the data subject. As a rule, we rely on a balancing of interests under Art. 6(1)(f) GDPR. Our legitimate interest lies in optimizing our processes through technical integration, improving our services, and relieving our staff of routine tasks.
Retention: Zapier itself stores the transmitted data only temporarily for the execution of Zaps. Within our systems, the applicable retention periods for the data in question apply (see the other sections of this privacy policy). As a rule, personal data transmitted via Zapier are not stored by us for longer than is necessary for the respective purpose or than we are legally required to retain them. The criteria for determining the retention period are based in particular on our contractual relationship with Zapier as a service and on any statutory retention obligations. Providing data via Zapier is neither legally nor contractually required; however, certain automated functions cannot be used without the corresponding data.
Further information on data protection at Zapier can be found in Zapier’s Privacy Policy.
Final Notes:
We update our privacy policy whenever changes to our data processing make this necessary (e.g., introduction of new tools, changes in the legal framework). Please check back regularly for the current version. The date of the last update can be found at the beginning of the policy.
If you have any questions or concerns about data protection, you can contact us at any time using the contact details provided above. We take your feedback seriously and aim to find a solution as quickly as possible.
Thank you for your trust and your interest in PolyTALENT. We assure you that we regard data protection not merely as a legal obligation, but as an integral part of our quality promise to candidates, clients, and partners.