Processing of (personal) data by the entity in charge of the online application process

INFORMATION CLAUSE (PRIVACY POLICY)

1. The controller of your personal data processed as part of the recruitment process is UniCredit NV/SA with its registered office in Brussels (Belgium), at: Sq. Victoria Régina 1, 1210 Saint-Josse-ten-Noode, registered in the Crossroads Bank for Enterprises under number 403.199.306, operating through its branch UniCredit S.A. Spółka Akcyjna Branch in Poland, with its registered office in Warsaw, at: ul. Dobra 40, 00-344 Warsaw (hereinafter referred to as the “Bank” or the “Controller”). You may contact the Controller by post at the address above or via email at: privacy@unicredit.pl.

2. Providing personal data specified by applicable law (in particular Article 22¹ of the Polish Labor Code in the case of employment contracts) is necessary to participate in the recruitment process. Failure to provide this mandatory data will prevent the Bank from considering your application.

Providing any data beyond the scope required by law (or data required for initiating a B2B/civil-law contract) is entirely voluntary. The provision of such voluntary data, or a refusal to provide it, will not affect your participation in the recruitment process or its outcome.

3. The Controller has appointed a Data Protection Officer (DPO), whom you may contact in all matters relating to the processing of personal data and the exercise of your rights:

by post at: ul. Dobra 40, 00-344 Warsaw,
by email at: dpo@unicredit.be or dpo@unicredit.pl.

4. Your personal data will be processed for the following purposes and on the following legal bases:

conducting the current recruitment process:
- for candidates applying for an employment contract, the legal basis for processing data required by law (Art. 22¹ of the Polish Labor Code) is Article 6(1)(c) of the GDPR (compliance with a legal obligation);
- for candidates applying for a B2B or civil-law contract, the legal basis is Article 6(1)(b) of the GDPR (taking steps at the request of the data subject prior to entering into a contract);
- with regard to additional data provided by you voluntarily (e.g., a photograph, hobbies), the legal basis for processing is Article 6(1)(a) of the GDPR (your consent, which may be withdrawn at any time).
future recruitment processes: provided that you give separate, explicit consent (Article 6(1)(a) of the GDPR);
defense against claims or the pursuit of claims: which constitutes the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

5. Special categories of data (as defined in Article 9(1) of the GDPR, e.g., health data, political opinions, religious beliefs). The Bank does not request, require, or encourage candidates to provide special categories of data during the recruitment process. If such data are provided by you on your own initiative, they will not be processed unless a specific legal provision requires it. Otherwise, such data will be immediately deleted or disregarded by the Bank.

6. You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

7. Recipients of your personal data will include the Controller’s authorized subcontractors (e.g. IT and recruitment system & service providers), entities authorized to receive personal data under applicable law, as well as entities affiliated with the Controller within the corporate group to which the Controller belongs (e.g. UniCredit Group), insofar as personal data are processed for the internal administrative purposes of that corporate group.

8. Personal data will be stored for a period of 12 months from the end of the current recruitment process. If you consent to the processing of data for future recruitment purposes, the data will be processed for a period of 12 months from submission, unless the consent is withdrawn earlier. Data processed for the defense or pursuit of claims will be stored until the expiry of the limitation period for such claims under applicable law.

9. You are entitled to the following rights under the conditions set out in the GDPR:

access to your data and to receive a copy thereof;
rectification (correction) of data;
erasure of data (the right to be forgotten);
restriction of processing;
data portability (to receive the data in a structured format);
to object to processing (where the legal basis is legitimate interest);
to withdraw consent at any time (without affecting the lawfulness of processing prior to its withdrawal).

10. To exercise your rights, please contact the Controller electronically or by post. Correspondence should include your first name, last name, and contact details (telephone/email).

11. You have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) - contact details available at: https://uodo.gov.pl/p/kontakt.

12. Data processing does not involve automated decision-making, including profiling.

13. International Transfers: As a rule, your personal data are processed within the European Economic Area (EEA). In the event that recruitment data must be transferred outside the EEA, the Controller will ensure an adequate level of protection by applying Standard Contractual Clauses approved by the European Commission or by relying on European Commission adequacy decisions. You have the right to obtain a copy of these safeguards.

*Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.