Data protection during the recruitment process
You are here:
1. Name and contact details of the controller responsible for the relevant processing activity
For the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable to Member States and other provisions pertaining to data protection, the data controller responsible for the application process is Charité – Universitätsmedizin Berlin (Charité).
Charité – Universitätsmedizin Berlin
2. Name and address of the Data Protection Officer
The Data Protection Officer appointed by the controller is Frau Janet Fahron. Address:
Datenschutz der Charité (Data Protection Office) – Universitätsmedizin Berlin
3. Nature and scope of data processing activities
When you decide to submit an application to Charité either by email or by mail, you are providing us with your personal data. These may include, in particular:
• Contact details (email address, telephone numbers, fax number)
• First and last names
• Address (street, house number, postal/ZIP code, town, state)
• Date and place of birth
• Disability status and extent of disability (optional information)
• Proof of secondary and higher/further education (transcripts and certificates)
• Proof of professional experience (references, employee evaluations, certificates proof of work experience, training and professional development)
• Information on generic competencies (experience gained abroad, driver's license with category/exemptions, other skills)
• Proof of practical/work placement(s) or work placement reference(s).
Should you submit your application by email, you are entering into electronic communication with us. Throughout the application process, our primary mode of communication will be via email. You agree to receiving emails from us. You also agree that notifications, decisions and any other communications we send to you by email will not need to be provided in a different medium, except where a different method of communication is mandatory under the law.
By submitting your application (data), you are agreeing to your data being processed and transmitted for the purposes of administering the application process.
5. Purpose of data processing
Data processing is conducted for the purposes of processing applications and administering the recruitment process.
Personal data are processed by the department responsible for issuing the job advertisement to which the application pertains. Access to personal data is limited to authorized persons from the recruiting unit or department with responsibility for administering the application process for the position in question, and to persons responsible for administering the recruitment process (Human Resources, employee representatives, representatives of the Office for Women's Affairs and Equal Opportunities, Disability Officers (where applicable), Staff Health Center).
Applications may also be forwarded within the Charité group of companies (e.g. speculative applications). In this case, the data protection regulations and terms and conditions of the relevant company will apply.
6. Duration for which data will be stored
Any data collected will be erased once they are no longer necessary for the purpose for which they were originally collected. Personal data collected as part of a particular application process will be erased at the earliest 2 months after the application process has been completed, which means they will be stored for a minimum of 2 months. The applicant’s data will be erased no more than 12 months after the date on which they started their employment.
7. Rights to object to processing, restrict processing, and have data erased
You have the right to withdraw your consent for the processing of your personal data at any time or ask for this processing to restricted. A withdrawal of consent renders storage unlawful; it removes the lawful basis for any future collection, processing and use of such data.
Please note, however, that the further processing of your application may no longer be possible if the application and selection process is still ongoing.
To register a withdrawal of consent, applicants should contact the department to which their application was submitted, quoting their reference number. Alternatively, you may register your withdrawal of consent by contacting the Berlin Data Protection and Freedom of Information Officer:
Berliner Beauftragte für Datenschutz und Informationsfreiheit Friedrichstr. 219 (visitors’ entrance: Puttkamerstr. 16 – 18 (level 5) 10969 Berlin | Email: mailbox(at)datenschutz-berlin.de.
In this case, all personal data stored as a result of your contacting us will be erased.
Rights of the data subject under the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG)
The processing of any of your personal data makes you a data subject under the GDPR. Please note that, as the data subject, you have the following rights regarding the controller:
1. Right of access
You may obtain from the controller confirmation as to whether or not personal data concerning your person are being processed.
Should this be the case, you may request access to the following information from the data controller:
(1) the purposes for which your personal data are being processed;
(2) the categories of personal data concerned;
(3) the recipient or categories of recipients to whom the personal data have been or will be disclosed;
(4) the envisaged duration for which the personal data will be stored, or, if no concrete information is available, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or the restriction of processing of personal data concerning the data subject, or the right to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) any available information as to the source of the personal data where these are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed as to whether any personal data concerning you are transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
3. Right to restriction of processing
You may request the restriction of processing of your personal data where the following applies:
(1) you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing but they are required by yourself for the establishment, exercise or defense of legal claims; or
(4) you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your own.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protections of rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. Where restriction of processing has been obtained pursuant to the above, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Obligation to erase data
You have the right to demand that your personal data be erased without undue delay, and the controller shall have the obligation to erase such personal data without undue delay where one of the following grounds applies:
(1) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw the consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(4) your personal data have been unlawfully processed;
(5) your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information provided to third parties
Where the controller has made your personal data public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure of any links to, or copy or replication of, those personal data.
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) insofar as the right referred to under section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.
5. Right to notification
If you have invoked your right to obtain from the controller the rectification or erasure of personal data or restriction of processing, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You also have the right to request that the controller inform you about those recipients.
6. Right to data portability
You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR. In exercising your right to data portability, you shall also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Entrance: Alt-Moabit 60