Privacy Notice for Applicants

General Information

Scope

In this privacy notice, we explain what information (including personal data) is processed in connection with an application to shopware AG in accordance with applicable legal provisions.

Please note that the shopware Job Portal may be integrated into websites or other online presences of shopware AG that are subject to separate privacy notices. These can generally be found under the “Privacy” menu item in the navigation of the relevant shopware website. Those separate privacy notices also contain, for example, information on cookies or similar technologies used on the relevant shopware website to collect personal data.

This privacy notice applies exclusively to the processing of personal data transmitted to shopware AG in connection with an application, in particular personal data transmitted via the shopware Job Portal. Below, we explain what information we process when handling the application submitted to us.

Data Controller

We take the protection of your personal data and the statutory obligations serving that protection very seriously. The law requires comprehensive transparency regarding the processing of personal data. Only if you are sufficiently informed about the purpose, nature, and scope of the processing can you, as the data subject, understand that processing.

The controller within the meaning of the General Data Protection Regulation (GDPR) is

shopware AG

Ebbinghoff 10

48624 Schöppingen

Germany

Hereinafter referred to as the "controller" or "we".

You can contact the controller at:

legal@shopware.com

You can contact the Data Protection Officer at:

Sascha Kremer

KREMER LEGAL

Brückenstraße 21

50667 Cologne

+49 221 53479083

sascha.kremer@kremer.legal

Definitions

The terms used in this privacy notice (e.g. data categories, purposes, legitimate interests, and terms from the GDPR) are explained in the “Definitions” section.

General Information on Data Processing

We process personal data only to the extent permitted by law. Personal data is disclosed only in the cases described below. Personal data is protected by appropriate technical and organizational measures (e.g. pseudonymization and encryption).

Unless we are legally required to store personal data or disclose it to third parties (in particular law enforcement authorities), the question of which personal data we process, for how long, and to what extent we may disclose it depends on the purpose for which we process your data and on which of our services you use in the individual case.

Retention Period

Personal data will be erased as soon as the purpose of the processing no longer applies or another ground for erasure pursuant to Art. 17(1) GDPR applies (e.g. if you withdraw consent previously given to us). In exceptional cases, however, we may continue to process your personal data if an exception to the obligation to erase applies, in particular under Art. 17(3) GDPR or another statutory provision (e.g. a statutory retention obligation).

Processing based on consent: We will store personal data processed on the basis of your consent until you withdraw that consent. Following any withdrawal, we will store the data for a period of three years as evidence of the consent previously given.

Personal data that we process in connection with an application (see below) will be stored for six months after completion of the application process.

Retention period for data subject requests: After the request has been processed, we will store and retain the data relating to your request in accordance with the applicable rules in order to document compliance with the data subject request for a period of three years.

Automated decisions in individual cases, including profiling

Automated individual decision-making, including profiling, does not take place.

Rights of data subjects

As a data subject, you have the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, and the right to data portability under Art. 20 GDPR. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

The data protection supervisory authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information, North Rhine-Westphalia

Kavalleriestr. 2

40213 Düsseldorf

However, you are free to lodge a complaint with another data protection supervisory authority.

Notification Obligations of the Controller

We will notify all recipients to whom your personal data has been disclosed of any rectification or erasure of your personal data or any restriction of processing pursuant to Art. 16, Art. 17(1), and Art. 18 GDPR, unless such notification is impossible or would involve disproportionate effort. We will inform you of those recipients upon request.

Obligation to Provide Data

Unless otherwise stated in the information on the legal bases, you are not required to provide personal data. If we base the processing on Art. 6(1)(b) GDPR, your personal data is required for the performance of a contract or in order to take steps prior to entering into a contract. If you do not provide the personal data, performance of the contract or conclusion of the contract will not be possible. If you do not provide the data in cases covered by Art. 6(1), first sentence, points (a) and (f) GDPR, it will not be possible to use the affected services.

Transfers of data to third countries

Transfers of data to third countries outside the European Union (EU) and the European Economic Area (EEA) are permitted only in compliance with the special requirements of Art. 44 et seq. GDPR. Where such a transfer to a third country takes place in the course of processing your personal data, we indicate the transfer to a third country and the legal basis for that transfer in the relevant sections below.

General information on the legal basis for transfers:

  • Where the transfer is based on an exception under Art. 49 GDPR, you will find the details in the relevant section.

  • Where the transfer is based on an adequacy decision within the meaning of Art. 45 GDPR, you can find an overview of adequacy decisions here:

    Overview of adequacy decisions

  • Where the transfer is based on the European Commission’s Standard Contractual Clauses within the meaning of Art. 46(2)(c) GDPR, you can find Commission Implementing Decision (EU) 2021/914, which contains the contractual clauses, here:

    Standard Contractual Clauses of the European Commission

  • Where the transfer is based on Binding Corporate Rules (BCRs) within the meaning of Art. 46(2)(b) GDPR, you can find an overview of published BCRs here:

    Overview of Binding Corporate Rules

Right to Object

Pursuant to Art. 21(1) GDPR, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you where the processing is based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on those provisions. Where personal data is processed for direct marketing purposes, you have the right, pursuant to Art. 21(2) GDPR, to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing. The objection may be made informally and should be directed to the contact details provided above.

Withdrawal of consent

Pursuant to Art. 7(3), first sentence, GDPR, you have the right to withdraw your consent at any time with effect for the future in any form (e.g. by post or email). The lawfulness of the processing carried out on the basis of your consent before its withdrawal remains unaffected. Following your withdrawal, we will erase the personal data processed on the basis of your consent unless another legal basis for the processing applies. The withdrawal may be made informally and should be directed to the contact details stated above.

Use of the shopware Job Portal

Use of the shopware Job Portal and its functions regularly requires the processing of personal data. Unless otherwise indicated, the following information applies to the shopware Job Portal operated by us and referred to in this privacy notice.

Please note that links on our shopware Job Portal may lead you to other websites that are operated by third parties rather than by us. Such links are either clearly identified by us or can be recognized from a change in your browser’s address bar. We are not responsible for compliance with data protection requirements or for the secure handling of your personal data on those third-party websites.

Provision of the shopware Job Portal

Purpose of processing: Applicant management, HR administration, and personnel management

Legal basis: Art. 6(1)(f) GDPR

Data categories: Connection data, usage data

Legitimate interests: Provision, operation, and availability of digital products; operation, integrity, and security of digital products

Recipients of the data: (IT) service providers

Intended transfers to third countries: In individual cases, data is transferred to third countries. (Adequacy decision(s) and Standard Contractual Clauses of the European Commission)

Contact

Purpose of processing: Applicant management, HR administration, and personnel management

Legal basis: Art. 6(1)(f) GDPR, Art. 6(1)(b) GDPR (if the inquiry leads to a subsequent contract)

Data categories: Connection data, content data, master data (where applicable), and contact data (where applicable)

Legitimate interests: Applicant management

Recipients of the data: (IT) service providers

Intended transfers to third countries: In individual cases, data is transferred to third countries. (Adequacy decision(s) and Standard Contractual Clauses of the European Commission)

Processing of Applications

Implementation and handling of applicant management

Purpose of processing: Applicant management

Legal basis: Art. 6(1), first sentence, point (b) GDPR in conjunction with Section 26(1), first sentence BDSG; for forwarding your application to affiliated companies, Art. 6(1), first sentence, point (a) GDPR in conjunction with Section 26(1), first sentence, and (2) BDSG

Data categories: Master data, contact data, content data, contract data, applicant and employment data, connection data (where applicable), usage data (where applicable), and special categories of personal data within the meaning of Art. 9(1) GDPR (where applicable) (depending on the specific job posting; only data relating to your application that you provide to us and that we are permitted to process for the purpose of handling applications will be stored)

Recipients of the data: (IT) service providers, banks and other financial service providers, authorities and other public bodies, professionals bound by professional secrecy and their firms/institutions, staffing agencies, insurance companies, contractual partners (excluding customers), group companies, and other affiliated companies

Intended transfers to third countries: In individual cases, data is transferred to third countries. (Adequacy decision(s) and Standard Contractual Clauses of the European Commission)

Operation of a talent pool/applicant pool

Purpose of processing: Applicant management

Legal basis: Art. 6(1), first sentence, point (a) GDPR in conjunction with Section 26(1), first sentence, and (2) BDSG

Data categories: Master data, contact data, content data, contract data, applicant and employment data, connection data (where applicable), usage data (where applicable), and special categories of personal data within the meaning of Art. 9(1) GDPR (where applicable) (depending on the specific job posting; only data relating to your application that you provide to us and that we are permitted to process in the context of applications will be stored)

Recipients of the data: (IT) service providers, group companies and other affiliated companies, HR service providers

Intended transfers to third countries: In individual cases, data is transferred to third countries. (Adequacy decision(s) and Standard Contractual Clauses of the European Commission)

AI-supported evaluation of applications

Purpose of processing: Applicant management, HR administration, and personnel management

Legal basis: Art. 6(1), first sentence, point (b) GDPR in conjunction with Section 26(1), first sentence BDSG; for forwarding your application and its evaluation to affiliated companies, Art. 6(1), first sentence, point (a) GDPR in conjunction with Section 26(1), first sentence, and (2) BDSG

Data categories: Master data, contact data, content data, contract data, applicant and employment data, connection data (where applicable), usage data (where applicable)

Recipients of the data: (IT) service providers, banks and other financial service providers, authorities and other public bodies, professionals bound by professional secrecy and their firms/institutions, HR service providers, insurance companies, contractual partners (excluding customers), group companies, and other affiliated companies

Intended transfers to third countries: In individual cases, data is transferred to third countries. (Adequacy decision(s) and Standard Contractual Clauses of the European Commission)

Online recruitment test for software developers as part of the application process

Purpose of processing: Applicant management, HR administration, and personnel management

Legal basis: Art. 6(1), first sentence, point (b) GDPR in conjunction with Section 26(1), first sentence BDSG; for forwarding your application and the test results to affiliated companies, Art. 6(1), first sentence, point (a) GDPR in conjunction with Section 26(1), first sentence, and (2) BDSG

Data categories: Master data, contact data, content data, usage data

Recipients of the data: (IT) service providers, HR service providers, group companies, and other affiliated companies

Intended transfers to third countries: In individual cases, data is transferred to third countries. (Adequacy decision(s) and Standard Contractual Clauses of the European Commission)

Definitions

The terms used in this privacy notice (e.g. data categories, purposes, legitimate interests, and terms from the GDPR) are explained in the “Definitions” section.

From the GDPR

This privacy notice uses terms from the GDPR. You can consult the definitions (Art. 4 GDPR), for example, at eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679. The definition of data concerning health can be found in Art. 4(15) GDPR. If other special categories of personal data are processed, the relevant explanations are set out in Art. 4 and Art. 9(1) GDPR. If the processed data includes personal data relating to criminal convictions and offenses, the relevant information is set out in Art. 10 GDPR.

Additional Definitions

Data Categories

When we state the categories of data processed, this refers in particular to the following data:

  • Master data

    (e.g. names, addresses, dates of birth)

  • Contact data

    (e.g. email addresses, telephone numbers, messaging services)

  • Content data

    (e.g. text entries, photographs, videos, contents of documents/files)

  • Contract data

    (e.g. subject matter of the contract, terms, customer category)

  • Payment data

    (e.g. bank details, payment history, use of other payment service providers)

  • Usage data

    (e.g. browsing history on our website, use of specific content, access times, contact history or order history)

  • Connection data

    (e.g. device information, IP addresses, URL referrers)

  • Location data

    (e.g. GPS data, IP geolocation, access points)

  • Diagnostic data

    (e.g. crash logs, website/app performance data, and other technical data used to analyze malfunctions and errors)

  • Applicant and employment data

    (e.g. employment history, working hours, holiday, sick leave, performance reviews, training and continuing education, social data, bank account details, social security number, health insurance/health insurance number, salary expectations and salary data, tax identification number, certificates and records, data on public offices held, social security data, and data on occupational integration management)

The data categories listed above may constitute social data within the meaning of Section 67(2) SGB X.

Purposes of processing

In the following sections, for reasons of clarity and readability, we state the purposes pursued as purpose categories. In some cases, there may be overlaps with our “legitimate interests” (see the definitions below). This is inherent in the nature of the matter.

Unless otherwise stated, the stated purposes are to be understood as follows:

  • Advertising and personalized marketing measures:

    Includes, for example, the operation of public and, where applicable, restricted-access websites, apps, and/or external pages for general information about our products/services (e.g. the general website about our company, press pages, social media pages), personalized communication with users, prospective customers, and/or customers (e.g. newsletters), the display of (personalized) recommendations and advertising measures (e.g. personalized newsletters, advertisements on other websites, search engines, social media pages, and/or apps, as well as generally within advertising networks), and the merging and linking of data (where applicable, involving other parties such as publishers in advertising networks) to secure commission claims for advertising media.

  • Security and emergency management:

    Includes all processes serving to ensure compliance with relevant security requirements and to prevent and/or manage accidents and emergencies, such as access controls, video surveillance, logging, evacuation, rescue operations, and loss mitigation.

  • Analysis, performance measurement, and optimization of products and/or services:

    Includes, for example, opinion polls and voting, comparative tests (so-called A/B testing), analysis and (generally aggregated) evaluation of user, prospective customer, and/or customer behavior in online and/or offline contexts (e.g. through click paths, mouse movements, and heat maps), analysis and evaluation of the success of general and, where applicable, personalized marketing measures, and the needs-based design of our (digital) products and services based on the analyzed demand and/or usage behavior.

  • Order fulfillment and contract management:

    Includes all processing operations necessary for the fulfillment of the relevant orders/contracts, such as the processing of master data and contact data to fulfill customer orders, payment processing including any necessary transfer of data to payment service providers, the handling of returns, and license verification.

  • Operation and further development of internal IT systems:

    Includes, among other things, user management, authentication, and technical logging, as well as IT support, and the further development and adaptation of systems together with the related processing of personal data. This applies regardless of whether the IT systems are operated by the controller itself or by a service provider (processor) on behalf of the controller.

  • Applicant management:

    Includes, among other things, recruitment marketing and processes relating to the initiation of employment, such as the handling of applications (digital and analog), communication with applicants, the conduct of interviews, assessment center procedures, and trial work, the establishment of talent pools, and the documentation of the outcome of applications.

  • Business partner management:

    Covers all processes serving the analysis and selection of suitable business partners and the maintenance of existing business relationships.

  • Warranty, guarantee, goodwill, and general service:

    Includes, in particular, the handling of warranty, guarantee, and goodwill cases, as well as any information on updates, improvements, and product recalls.

  • Identity and/or credit check:

    The purpose of the processing is to verify the identity of the data subject, where this is necessary for the relevant process, and/or to assess the creditworthiness and/or solvency of a prospective customer or contractual partner.

  • Information security:

    Covers processing operations serving protection against threats and the safeguarding of IT systems, as well as the achievement of the protection objectives of confidentiality, availability, and integrity of data, systems, and processes (e.g. distinguishing between human access and bot access, detecting and preventing abusive access, and carrying out security-related analysis of the use of digital products and services).

  • Logistics and fleet management:

    Includes, among other things, the planning, management, and control of our logistics, including external logistics service providers, and the administration of our vehicle fleet, including compliance with statutory obligations.

  • User, prospective customer, and/or customer support:

    Includes, for example, contact forms, chat systems including chatbots and call-back options, as well as the general handling of different enquiries (e.g. advice, service, complaints).

  • HR administration and personnel management:

    Includes all processes relating to the performance of employment or processes closely connected with employment, such as onboarding, personnel administration, fulfillment of employer obligations, personnel development including training and continuing education, voluntary employer benefits, personnel planning and controlling, occupational health management, workplace social counseling, employee participation, measures to terminate employment, investigative and disciplinary measures, and offboarding.

  • Project management, including project collaboration:

    Coordination and implementation of projects, project planning, project scheduling, exchange of information in the context of projects, and collaboration in the context of projects.

  • Legal matters and compliance measures:

    Includes, for example, the assertion, exercise, and enforcement of legal claims, as well as processes to ensure compliance with legal requirements (e.g. in the context of data protection consent management) and to prevent and/or investigate and prosecute legal violations.

  • Event management:

    Covers all processes required for the organization of offline and online events (e.g. registration, participant management, implementation of the event, processing of personal preferences and needs, and data processing in the context of video conferences and/or instant messaging services), photo, audio, and/or video documentation of events, and the issuance of certificates of participation.

  • Administration:

    Covers processes that primarily comprise the basic functions of business operations, such as communication, accounting, invoicing and reporting, documentation and archiving, and knowledge and contact management.

Legitimate interests

In the following sections, for reasons of clarity and readability, we state our legitimate interests within the meaning of Art. 6(1), first sentence, point (f) GDPR as categories. In some cases, there may be overlaps with our “purposes” (see the definitions above). This is inherent in the nature of the matter.

Unless otherwise stated, the legitimate interests stated are to be understood as follows:

  • Promotion of sales activities:

    e.g. promoting our sales by evaluating customer demand and analyzing the interests and purchasing and demand behavior of our prospective customers, users, and/or customers.

  • Promotion of economic interests:

    e.g. measures to reduce costs and achieve cost savings, to avoid/reduce significant additional costs, to increase revenue generally (in particular through outsourcing to service providers), and to avoid competitive disadvantages.

  • Advertising and image enhancement, market and opinion research:

    e.g. opinion polls, voting, product and/or service reviews, and other reviews, as well as the integration of those results.

  • Analysis and optimization of our own offerings, services, and advertising measures:

    e.g. analysis of user, prospective customer, and/or customer behavior in order to optimize processes, services, and products, the needs-based design of our products, services, and marketing measures, and direct customer engagement.

  • Provision, operation, and availability of digital products:

    includes, for example, the integration of general functions of websites, apps, and other digital products.

  • Operation, integrity, and security of digital products:

    in particular, defense against requests that overload the service (denial-of-service attacks) or excessive use of bots to destabilize a platform; IT security measures such as the storage of log files and, in particular, IP addresses for a longer period in order to detect and prevent abuse, including beyond the extent required by law.

  • Direct marketing (personalized marketing):

    in particular, direct communications with prospective customers and customers that are not based on consent, such as product recommendations based on previous demand behavior, including the processing of data in preparation for direct marketing (e.g. customer segmentation, affinity assessments).

  • Integration of desired or necessary functionalities:

    integration of functionalities that are in the customer’s interest, are activated at the customer’s request, and/or are necessary for the provision of the service (e.g. the integration of contact options on websites or in apps, or the possibility for the user to save configurations, such as a language selection).

  • Assertion, exercise, or defense of legal claims:

    e.g. preservation of evidence and clarification of the facts in the event of a foreseeable legal dispute.

  • Customer acquisition, customer retention, and customer recovery:

    e.g. operation of a customer relationship management (CRM) system for the support of prospective customers and customers.

  • Freedom of opinion, press, and broadcasting:

    in particular, processing operations that were previously covered by the so-called media privilege.

  • Protection of the physical integrity and health of data subjects

  • Promotion of legitimate interests within a corporate group:

    performance of organizational, procedural, or business tasks arising from the cooperation of several affiliated companies (see the explanations in Recital 48 GDPR).

  • Prevention of criminal offenses, administrative offenses, and other harmful acts:

    in particular, fraud prevention, preventive measures within the framework of an internal control system, and measures to investigate risks following corresponding suspicions or other indications of possible acts to the detriment of the controller or other persons.

  • Reduction of downtime risks:

    identification of economic, technical, procedural, or organizational risks to the company that could result in a total or partial failure of the company, parts of the company, or the company’s products or services.

  • Employee support:

    integration or implementation of services and activities that are in the interests of employees, such as satisfaction surveys, voluntary events and activities, birthday lists, sending greeting cards, and similar measures.

  • Employee retention:

    integration or implementation of services and activities aimed at achieving long-term employee retention, such as fostering personal development, birthday lists, and sending birthday gifts.

  • Other legitimate interests:

    Where applicable, these interests are explained separately in the relevant sections.

Categories of recipients

In the following section, we list the categories of recipients used in this privacy notice:

  • Banks and other financial service providers

  • Authorities and other public bodies

  • Professionals bound by professional secrecy and their firms/institutions

  • (IT) service providers (this may also include providers of AI systems (artificial intelligence))

  • Opponents in legal disputes

  • Group companies and other affiliated companies

  • Customers and prospective customers

  • Suppliers

  • HR service providers

  • Platform operators and media

  • Associations, organizations, and interest groups

  • Landlords

  • Insurance companies

  • Contractual partners (excluding customers)