Privacy and Cookie Policy

Privacy Policy

The protection of personal data and the responsible handling of information are important and special concerns for us, the Futurepath GmbH (“Futurepath”/”us”/”we”). We process personal data only in accordance with legal requirements, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). 

This privacy policy informs you in accordance with Art. 13, 14 GDPR about how we process personal data in case

• you visit our website and/or use the functions we provide on our website (e.g. newsletter signup, contact form) (see section B),
• you apply as a Tech Candidate (see section C.1),
• or you apply for a job with us (see section C.2),

Furthermore, we inform you about the protection of your privacy on the terminal equipment used by you within the meaning of Section 25 of the German Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz, “TTDSG”).

This privacy policy also contains information on recipients of your personal data within (see section A.4) and outside the EEA (see section A.5), erasure of your personal data and retention periods (see section A.3), your rights as a data subject (see section A.2), and automated decision making (see section A.6).

A. GENERAL INFORMATION 

• Controller and Data Protection Officer

Controller pursuant to Art. 4 No. 7 GDPR isFuturepath GmbH, Lützowufer 6-9, 10785 Berlin, [email protected].

Data Protection Officer isDr. Sebastian Heep, PLANIT // LEGAL, Jungfernstieg 1, 20095 Hamburg, [email protected].

• Your Rights 

As a data subject of our company’s data processing, you have the following rights under the respective legal requirements: 

• The right to confirmation as to whether we are processing data related to your person (Art. 15 GDPR).  
• The right to information about your personal data processed by us and to a copy of the data (Art. 15 GDPR).
• The right to rectification in the event that your personal data is inaccurate (Art. 16 GDPR).
• The right to erasure of your personal data (Art. 17 GDPR).
• The right to restriction (blocking) of your personal data (Art. 18 GDPR).
• The right to data portability (Art. 20 GDPR).

In the event that your personal data is processed on the basis of Art. 6(1)(e) or (f) GDPR, you may also object to the processing in question under the conditions of Art. 21(1) GDPR. 

You may object to the processing of your personal data for direct marketing purposes at any time and without giving reasons with effect for the future (Article 21(2) of the GDPR).

If the processing is based on your consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, you may withdraw your consent at any time with effect for the future (Art. 7(3) GDPR). 

You also have the right to contact the competent data protection supervisory authority (Art. 77 GDPR). 

If you have questions or complaints about data protection at Futurepath or would like to exercise one of your rights, you can contact our data protection officer at any time using the contact details provided above.

• Erasure of your personal data 

We erase your personal data 

• as soon as it is no longer necessary for the aforementioned purposes of processing; 
• in case, you object to a certain processing of data that is based on legitimate interests (Art. 6(1)(f) GDPR), unless there are compelling reasons for Futurepath to continue processing; 
• or in case you revoke your consent to the processing and if there is no other legal basis for processing. 

If and as long as an erasure conflicts with legal retention obligations, we limit the processing of your data to this archiving purpose (so-called data blocking) and erase your data upon expiration of the retention period. Typical retention periods under German commercial and tax law are six years at the end of the year for business letters (including e-mails) and ten years at the end of the year for accounting-related data.

• Data Transfer to third parties 

We will transfer personal data to third parties only where necessary for the provision of our service or otherwise allowed by the law. Within the scope of the purposes stated here, personal data is transferred to service providers involved in the provision of our services. In addition to their legal obligation to comply with all data protection regulations, these service providers are bound to additional contractual data protection requirements. This includes in particular contractual obligations as a processor in accordance with Art. 28 GDPR. In particular, we transfer personal data to the following categories of service providers:

• Service providers for accounting, financial institutions, tax and legal advice;
• IT service providers (e.g. for the hosting of our website); 
• Telecommunications service provider;
• IT service providers for administration and organisation; 
• Service providers for data destruction and facility services;
• Service providers for application management.

We transfer personal data to other recipients only if there is a legal justification or you have expressed your consent. We will only disclose your data to government authorities within the framework of statutory obligations or as a result of an official order or court decision and only insofar as this is permitted under data protection law.

• Data Transfer to recipients outside the European Economic Area (EEA)

If necessary, we may also transfer your data to recipients outside the EEA, in particular to the United States of America (“US”). If, as in the case of the US, the level of data protection lags behind the level of data protection within the EU, we provide suitable guarantees within the meaning of Art. 46 GDPR. This may include the agreement of standard contractual clauses of the EU Commission and, if necessary, additional measures to ensure an adequate level of data protection. In individual cases, we make the transfer to third countries dependent on your consent to this data transfer in accordance with Art. 49(1)(1)(a) GDPR.

• No automated individual decision-making

We do not use your personal data for automated individual decisions in the meaning of Art. 22(1) GDPR.

• Amendment of the Privacy Policy

New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adapted accordingly. You can always find the latest version on our website.

B. PURPOSES AND LEGAL BASIS OF OUR DATA PROCESSING ACTIVITIES

The purpose and legal basis of our data processing depends on which of our services you use.

• Data processing during the general use of our website When you access our website, we collect and process Internet connection data (see section B.1.a) as well as certain telemedia- and usage data stored in the browser of your device (see B.1.b).

• Internet connection data

When you access our website, we process the internet connection data that your browser automatically transmits to our server. Therefore, your IP address and other usage data (e.g. date and time of the call, name of the page called, amount of data transferred and the requesting provider) will be transmitted to our server. We need this information to enable you to use our website, for example by adapting the website to the technical requirements of your terminal device. This internet connection data may also be personal data. The legal basis for this data processing is our legitimate interest in ensuring the security and usability of our website, Art. 6(1)(f) GDPR. 

• Access and storage on your device (“cookies”)

We use tracking technologies on our website that enable us or also our contractual partners or service providers to collect data relating to the use of our website. These tracking technologies are usually referred to as cookies, which is why we also use this term in the following. However, the following statements also apply accordingly to other tracking technologies or file formats, such as local storage, pixels, beacons or tags. 
Cookies are text files that are saved to the browser on your end device. User-related pseudonymous data can be stored for these files. This data can then be read in turn. When you visit our website for the first time, we display a so-called cookie consent banner to inform you about the tracking technologies we use and to give you the choice of which optional cookies you would like to agree to. You can change your choice at any time in the cookie settings of the cookie consent banner. 

• Technical necessary cookies

These cookies are technically necessary to provide the website functionality. We may not provide the website without deploying such cookies. In these cases, access to your device takes place on the basis of section 25(2)(2) TTDSG. Insofar as this information has a personal reference and is processed by us in our IT systems, the legal basis processing is our legitimate interest in providing you our website and ensuring data security, Art. 6(1)(f) GDPR. 
These are: 

• Cookies, which require your consent 

Non-essential cookies, we only use with your consent. We use the following categories of these consent-requiring cookies: 

• Functional cookies: These cookies allow us to remember an input or selection you have made (such language, or geographic region you are in) on our website and provide improved, more personalized functionality to you.

These are: 

• Statistics/Marketing: These cookies collect information about the use of the website, e.g. which pages are visited most frequently and how visitors navigate the website. They are intended to help us improve the user-friendliness of the website and thus the user experience. The cookie-providers used by us for this purpose may use the personal data to create user profiles.
  These are: 

By clicking on the respective button (e.g. “Accept” or “Save preferences”) in the cookie consent banner, you consent both to the storage and reading of information in these optional cookies (section 25(1) TTDSG) via our website and to the further processing of any personal data read out (Art. 6(1)(a) GDPR).

• Consent to third country transfer

We also use cookies on our website from third-party providers that are based in, or use servers in, third countries outside the European Union (EU) and the European Economic Area (EEA). The level of data protection in such third countries is regularly not comparable with that of the EU. This applies in particular to the USA, where surveillance authorities may access your data without any reason and where, if you are not a citizen of the USA, you currently have only very limited legal remedies against any access to your data. Such government access may not be effectively prevented even by additional agreements between us and the respective third-party provider. While the EU Commission and the USA government announced a “Trans-Atlantic Data Privacy Framework” in March 2022 as a new mechanism for USA-data-transfers, which is intended to provide EU citizens with additional remedies, this framework is not expected to be implemented until the end of 2022.

Therefore, in our Cookie Consent Banner, we also obtain your consent to such third-country data transfer (Article 49(1)(a) of the GDPR).

When deciding which cookies, you would like to consent to, please consider that by consenting to the setting of the cookies in question, you also consent to any associated transfer of your personal data to insecure third countries.

Which third party providers and cookies this concerns in detail can be found in the cookie settings of the cookie consent banner of our website.

• Google Analytics

As a tracking tool of a US provider, we use in particular the web analytics service Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you consent to the setting of the corresponding cookies in our Cookie Consent Banner, Google collects data relating to your use of our website. This is done by storing cookies with a pseudonymous user ID assigned by Google to your browser. This allows Google to assign data relating to the usage behaviour on our websites to this respective pseudonymous user. We have commissioned Google to use this information to evaluate the usage behaviour of the website, to compile reports on website activities and to provide us with further services related to website and internet usage. You can access Google’s privacy policy here.

The data collected by means of Google Analytics is also stored on Google servers in the USA. We have activated the IP anonymization function on our websites. This means that your IP address will be shortened by Google within member states of the EU or the EEA before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data. Nevertheless, you should consider when making your decision that the protective measures taken by Google are not sufficient, at least according to the opinion of various European data protection authorities, to effectively prevent possible access by the US authorities to your usage data. 
When deciding whether you wish to consent to our use of Google cookies, please note that by consenting to the setting of the relevant cookies you also consent to any associated transfer of your personal data to the USA.

• Withdrawal of your consent 

You can withdraw your consent given in the cookie consent banner at any time for the future (Art. 7(3) GDPR). To do so, call up the Privacy Policy. The link to the Privacy Policy is permanently available in the footer of our website. At the top of the Privacy Policy you are presented with the following withdraw-banner: 
By clicking on the banner, the cookie consent banner will open again. In the settings of the cookie consent banner, you have the option of revoking any consent you have already given by deselecting the relevant cookies. However, you can also select additional cookies there and declare further consents to us in this respect. The current status of your consent is displayed below the withdraw-banner. 
Your selection of optional cookies will in turn be saved to a cookie in your browser.

• Google Fonts 

We use the Google Fonts service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA on our website for optimization purposes, in particular to improve the use of our website for you and to make its design more user-friendly. Google Fonts enables us to use external fonts. For this purpose, the required font is loaded into the browser cache by your web browser when you call up our website. This is necessary so that your browser can display a visually improved representation of our texts. If your browser does not support this function, a standard font is used by your computer to be displayed. The integration of these fonts is done by a server call to our servers. A connection to Google servers does not occur. To our server the information is transmitted which of our web pages you have visited. The IP address of the browser of your end device is also stored. Legal basis for the implementation of Google Fonts is Art. 6(1)(f) GDPR, namely our legitimate interest in providing different fonts. You can access Google’s privacy policy here.

• Social Media 

Our website contains links to social networks (Facebook, Instagram, LinkedIn, Xing, Twitter). These services are operated exclusively by third parties. If you follow the links, information may be transmitted to these third parties. We use the so-called “Shariff solution” from c’t for links to social networks. This means that when you visit our site, in principle no personal data is passed on. Only if you click on one of the social share buttons, data will be transmitted to the respective provider. The purpose and scope of the data collection and the further processing and use of the data by the service provider, as well as your rights in this regard and setting options for protecting your privacy, can be found in the privacy notices of the respective service provider. You can find them here:

• Facebook is a social network. The service provider is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Parent Company: Meta Platforms, Inc, 1 Willow Road, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Policy: https://de-de.facebook.com/about/privacy/update.

• Instagram is a social network. The Instagram service is a Meta product provided by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Parent Company: Meta Platforms, Inc, 1 Willow Road, Menlo Park, CA 94025, USA; Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy. 

• LinkedIn is a social network. The service provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Irland. Parent Company: LinkedIn Corp., 605 W Maude Ave, Sunnyvale, CA 94085, USA; Website: www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy. 

• Xing is a social network. The service provider is XING SE, Dammtorstraße 30, 20354 Hamburg, Deutschland. Parent Company: New Work SE, Am Strandkai 1, 20457 Hamburg; Website: www.xing.de; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung. 

• Twitter is a social network. The service provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Irland. Parent Company: Twitter Inc.,1355 Market Street Suite 900 San Francisco, CA 94103 United States; Website: www.twitter.com; Privacy Policy: https://twitter.com/de/privacy).

• Contact Form

If you contact us via the contact form provided on our website, your data will be processed in order to respond to your enquiry. Legal basis is either the performing of a contractual obligation or our legitimate interest in providing a contact form (Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR). You are neither obliged to contact us via the contact form nor to provide personal data. If you do not provide your personal information, we may not be able to process your request. Otherwise there will be no consequences for you. 

• Newsletter

You have the possibility to subscribe to a free newsletter. When registering for the newsletter, the data you enter in the input mask, namely your e-mail-address, your first name and your last name, is transmitted to and processed by us. In addition, the date and time of registration are collected during registration. For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy. We use the so-called double-opt-in procedure to register for the newsletter, i.e. your registration is only completed once you have reconfirmed your registration by clicking on a link in a confirmation e-mail sent for this purpose. If your confirmation is not received within 28 days, your registration will be deleted from our database. This ensures that no one else can register you for our newsletter. The data is used for sending the newsletter. The collection of your e-mail address is used to deliver the newsletter. The collection of other personal data during the registration process serves to prevent misuse of the services or the e-mail address used. The legal basis for the processing of the data after registration for the newsletter by the user is the consent of the user pursuant to Art. 6(1)(a) GDPR. The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. You can withdraw your consent at any time with effect for the future. To do so, you can also use the unsubscribe link that you will find in our newsletter emails.

• Customers, suppliers, business partners 

If you contact us as a customer, supplier or business partner, we process the personal data transmitted to us in order to process your request. The legal basis for the processing in these cases is Article 6(1)(b) GDPR, if a contractual relationship between you and us exists or is in the offing. If no contractual relationship exists or is in the offing, the legal basis is Article 6(1)(f) GDPR, namely our legitimate interest in processing the request.

1. JOB APPLICATIONS

• Application as a Tech Candidate

You have the possibility to apply via our website as a so-called “Tech Candidate” for open positions of our partner companies. 

• Application Mask for Tech Candidates 

To provide an easy way for applications as a Tech Candidate, we allocate an application mask on our website, within which you can enter certain personal data, namely 

• your first name,

• your last name, 

• your e-mail address and 

• your city. 

Furthermore, you have the possibility to upload additional documents (CV, certificates, etc.). These documents may also contain personal data about you (e.g. a photo of you, your business social media profiles, etc.). After reviewing the documents and information provided by you, we will get in touch and inform you about the further process. 

The application mask is provided to us by our Recruit CRM tool, a service of Workforce Cloud Tech Inc. As Workforce Cloud Tech Inc. processes personal data on our behalf in this context, we have concluded a corresponding order processing agreement with Workforce Cloud Tech Inc. which meets the requirements of Article 28 GDPR. 

When using the Recruit CRM a data transfer to the USA takes place. The data exporter is Futurepath, the data importer is Workforce Cloud Tech Inc. Since the USA is currently considered an insecure third country in relation to the EU/EEA, we have both concluded the current standard contractual clauses of the European Commission and taken supplementary safeguarding measures to legitimize the data transfer. 

You can find more information about data protection about the service Recruit CRM by Workforce Cloud Tech Inc. here. 

• Job-Interviews and further procedure 

If you are a suitable candidate for one of the advertised open roles, we will invite you to further interviews and testing. For this purpose, we will forward your data to the extent necessary to our testing partner expertlead GmbH, Lindentor 196 VV GmbH, as well as freelancers from its network, which will perform such technical interviews or tests. Their employees and community freelancers are obligated to adhere to data protection laws by way of data protection agreements pursuant to Art. 28 GDPR. 

Usually, we will offer you to participate in a video interview via Google Hangouts (a service by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) or Zoom (a service by Zoom Video Communications Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA95113, USA). Please note, that both providers are located outside in the USA and that local data protection standards are not entirely equal to those within the EU. We are not responsible for the processing of personal data by Google and Zoom when using the tools. You can find Google’s privacy policy here and Zoom’s privacy policy here. You are neither obligated to use any of the tools, nor will it affect your application if you choose not to use one of the tools. If you do not wish to use one of the tools, please inform us so that we can conduct the interview via another media (e.g. by phone or in person).

If upon successful completion of the application process we offer you to get to know the hiring managers of the open advertised roles, we will process the necessary data required from you for this purpose. We will store the application files with your documents. Should your application not be successful, we will delete the data received from you within six months.

The legal basis for processing of your personal data within the whole process when applying as a Tech Talent is Art. 6(1)(b) GDPR. We process your data to fulfil the recruitment agreement with our customers. 

For quality assurance and improvement of application processes, we conduct feedback interviews with our customers. If personal data of you from the application process is processed in this context, the legal basis for this is Art. 6(1)(f) GDPR, namely our legitimate interest in monitoring our performance.

• Application at Futurepath 

When you want to apply for a job with us (rather than with one of our clients), you can use the application mask on our website (under “Career”).

• Application Mask by Personio

Within this application mask, you have to enter certain personal data, namely 

• your first name,
• your last name, 
• your e-mail address, 

• information, on when you are available, 

• your expected salary and 

• your CV. 

The specification of further information (not marked with an asterisk) is voluntary. These are  

• The name of your LinkedIn-Account and 

• Your phone number. 

Furthermore, you have the possibility to upload additional documents (certificates, etc.). These documents may also contain personal data about you (e.g. a photo of you, other business social media profiles, etc.). After reviewing the documents and information provided by you, we will get in touch and inform you about the further process.

The application mask is provided to us by Personio (Personio GmbH, Rundfunkplatz 4, 80335 München) based on our instructions. As Personio processes personal data on our behalf in this context, we have concluded a corresponding order processing agreement with Personio, which meets the requirements of Article 28 GDPR. Further information about the processing of personal data at Personio, you can find here. 

• Job-Interviews and further procedure 

For scheduling interviews, we use the service Calendly (Calendly LLC, 3423 Piedmont Road NE, Atlanta, GA 30305-1754, USA) or Google Calendar (a service by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). As these providers processes personal data on our behalf, we have concluded corresponding order processing agreements, which meet the requirements of Article 28 GDPR. Please note, that both providers are located outside in the USA and that local data protection standards are not entirely equal to those within the EU. Therefore, we concluded the current standard contractual clauses of the European Commission and have taken – where necessary – supplementary safeguarding contractual measures to legitimize the data transfer. More information about the processing of personal data at Calendly you can find here, more information about the processing of personal data at Google, you can find here. 

Usually, we will offer you to participate in a video interview via Google Hangouts (a service by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) or Zoom (a service by Zoom Video Communications Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA95113, USA). Please see section C.1.b. regarding these providers’ transfer to recipients of personal data outside the EEA.

If we make you an offer to join us, we will process the necessary data required from you for this purpose. We will store the application files with your documents. Should your application not be successful, we will delete the data received from you within six months. With your consent, we offer you to include you into our applicant pool. This may be helpful in case we do not have a suitable position at the time of your application. In such case, we will contact you once we do have a suitable vacant position. We will store your data for a maximum period of 12 months for this purpose. You may withdraw your consent at any time with effect for the future, e.g. by writing to “[email protected]”. In this case we will delete your application from the pool.

The legal basis for processing of your personal data within the whole process when applying for a job at Futurepath directly is Section 26 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), as the processing of personal data is necessary for selection decisions within the application process. 

Version of this privacy policy: September 2022

Futurepath GmbH