Privacy policy

Privacy policy for employees

Information on data processing

We would like to inform our employees about how we handle their personal data in the context of the employment relationship.

 

Purpose of data collection

During the period of your employment, your personal data will be primarily processed for the execution and/or termination of the employment contract, including tasks related to the respective position. Other purposes may include processing for compliance with legal regulations (including third-party disclosure obligations) or measures for corporate development or communication.

 

Types of data processed by us

 

  • Applicant data: Name, date of birth, resume, nationality/work permit, etc., for the selection and hiring process, entry and exit management.
  • Private contact data: Address, phone number, email.
  • Business contact data: e.g., phone numbers, email, workplace, job title.
  • Image data: Photo for identification and images taken during company events.
  • Identification/payment data: ID card data or work permit for identification, birthplace, marital status, parentage, tax identification number, health insurance membership, tax class, deductions, religious affiliation for church tax, bank account number, any wage garnishments (for payroll and compliance with legal obligations).
  • Health data: e.g., for payroll, billing with health or accident insurance, or for legal obligations as an employer, such as company integration management or compliance with disability protection.
  • Time tracking, access, and usage data: Vacation times, working hours, time records regarding performed activities, closing times or access records, also electronic logs in the use of our IT infrastructure, etc.
  • Personnel screening data: e.g., criminal record, reliability check, or other necessary checks required for the activity for our clients.
  • Suitability and performance/behavior control data: Training and further education information, data for the purpose of measuring goal achievement (e.g., for variable compensation), data on violations of traffic regulations ("traffic tickets").
  • Other data in personnel administration: Secondary employment, data in the context of occupational health care and occupational health management, occupational safety, degree of disability, driver's license ownership, any employee surveys.

 

Categories of recipients

We transmit your personal data to the following recipients in order to fulfill legal obligations or obligations arising from the employment relationship:

 

  • Bank service providers, financial service providers, if necessary, service providers for calculating pension provisions:

    • For financial transactions and related services.
       
  • Service providers for the settlement of wages (tax consultants), auditors, service companies for information and communication technology, companies for software and device maintenance, service providers only for restructuring in the personnel department:

    • For the settlement and processing of salaries, financial audit purposes, IT services, and maintenance of software and devices.
       
  • Health, social, pension, and accident insurance carriers as well as other insurance companies and providers of asset-effective benefits:

    • Including health, social, pension, and accident insurance, as well as other insurance companies and providers of asset-effective benefits.
       
  • Authorities such as financial authorities, social funds, employment agencies, if necessary, security, health, traffic or related fine offices, customs authorities or monitoring agencies for undeclared work and minimum wage; other authorities:

    • Including financial authorities, social security institutions, employment agencies, and other relevant authorities.
       
  • Company medical service: 

    • For occupational health purposes.
       

     

  • Legally affiliated companies (group companies) as joint controllers: the essential contents of the regulation of tasks concerning the rights of data subjects can be requested at the specified contact address; according to Article 26 (3) GDPR, these rights can be claimed by data subjects from all involved companies.
     

  • Third-party debtors in the case of wage garnishment, insolvency administrators in the case of private insolvency:

    • For legal and financial purposes.
       
  • Business partners and customers (business contact details), temporary employment agencies if they are working for us as part of temporary employment:

    • For communication and business relationship management.
       

Basis of data processing

In the processing of your personal data, we naturally adhere to applicable laws. Therefore, processing only takes place on a legal basis. The following legal bases are particularly relevant in the employment relationship:

 

  • § 26 BDSG (as of 25.05.2018):
    • As far as necessary for the execution of the employment relationship or the clarification of a concrete suspicion of criminal activities.
       
  • Art. 6(1)(a):
    • Based on your consent, where generally not required for the conclusion or continuation of an existing contract.
       
  • Art. 6(1)(b):
    • For the establishment, execution, and termination of a contractual relationship.
       
  • Art. 6(1)(c):
    • To fulfill a legal obligation.
       
  • Art. 6(1)(f):
    • To safeguard a legitimate interest.
       
  • Art. 88 GDPR:
    • Based on collective agreements (works agreements).
       

 

When processing your data within our legitimate interests, this may include:

 

  • Conducting electronic access controls.
  • Optimizing workforce planning.
  • Achieving efficiency gains through bundling services in individual group companies (especially personnel, IT, procurement).
  • Ensuring compliance with security regulations, requirements, industry standards, and contractual obligations.
  • Asserting, exercising, or defending legal claims, including data documentation of performance flows.
  • Avoiding harm and/or liability to the company through appropriate measures.
  • Conducting internal information and communication measures.
  • Reporting on corporate information.

 

You have the right to object to the processing of personal data based on legitimate interests for reasons arising from your particular situation. In such cases, we will no longer process your data unless we can demonstrate compelling legitimate grounds that override your rights and freedoms or if the processing serves the establishment, exercise, or defense of legal claims.

 

We do not use the personal data provided by you to make automated decisions concerning you.

 

Data collected by third parties

Through the ELSTAM procedure, we collect data for payroll accounting provided by the tax authorities to ensure accurate accounting. This particularly involves the data mentioned above related to payroll.

 

Retention period

Upon achieving the respective purpose, your data will be deleted in compliance with legal retention periods, usually 6 or 10 years, with various data categories such as professional pension planning retained for 30 years or longer.

 

Privacy policy for the use of a mobile device management system

We utilize a Mobile Device Management System (MDM) to manage the mobile devices provided to you during your employment with us. Mobile devices may include smartphones and laptops. An MDM system allows for device management by installing software on the device and connecting it to an administration platform. The IT department has access to this platform. The MDM system controls which apps can be downloaded or which websites can be visited (whitelisting and blacklisting). It uses containerization to separate private and business data, and remote access to the devices is possible. In cases of theft, this is a measure to erase personal data on the devices, protecting against unauthorized access. We primarily process the resulting personal data based on our legitimate interest under Art. 6(1)(f) GDPR.

 

Responsible for Processing Your Personal Data:

 

Cofinpro AG 
Untermainkai 27-28
60329 Frankfurt am Main
Phone: +49 (0) 69 - 299 20 87 60
(Cost of a call at your regular landline/mobile rates / cost of a call to the national landline network)
Fax: +49 (0) 69 - 299 20 87 61
Email: welcome@cofinpro.de

 

Legal basis

The legal basis for processing your personal data in the context of video surveillance includes:

 

  • Article 6, Paragraph 1, Point f of the General Data Protection Regulation (GDPR) for the protection of legitimate interests.
  • Article 6, Paragraph 1, Point b in conjunction with Article 88 of the General Data Protection Regulation (GDPR) and Section 26 of the Federal Data Protection Act (BDSG) for the performance of a contract and compliance with legal obligations in the employment context.

 

Types of data

 

  • User's name,
  • Device name,
  • Serial number,
  • In the case of private use with containerization: Business data, such as documents and email communication, as well as installed apps.

 

Legitimate interests

Our legitimate interests include, but are not limited to:

 

  • Secure provision of business devices, even for private use,
  • Protection of our devices from malicious apps,
  • Deletion of personal data in case of theft to prevent unauthorized access,
  • Location tracking of lost devices.

 

Purpose of data processing

The processing of personal data on the device is a result of securing the device for both private and business use, and it is not the main focus. Given the potential for apps that do not meet data protection requirements or may install viruses and capture personal data through private use, it is essential to protect the personal data generated during your work for our company. Therefore, measures such as containerization or black- and whitelisting are implemented.

 

Furthermore, it is crucial to protect this data from unauthorized access by third parties, especially in the event of device loss. To ensure security, remote access or remote deletion is possible. However, GPS tracking, which is a feature of the MDM system, is not implemented by us.

In the event of loss, we use the MDM system to delete business-relevant data on your device. Deletion of other private data is possible for you through the iCloud Portal function.

Storage duration

The data is stored for as long as the purpose requires storage. The purpose usually ceases upon the employee's exit from the company or in case of the loss of the device.

Automated decision making

There is no automated decision-making.

Categories of recipients

  • Possibly affiliated companies
  • Transmission to security service providers
  • Transmission to legal advisors for the preparation of legal measures
  • Transmission to law enforcement authorities

Information about your rights

You have the right to:

  • Request confirmation from us as to whether we process personal data concerning you; if this is the case, you have the right to obtain information about this personal data and the details listed in Art. 15 of the GDPR.
  • Request the release of data concerning you, within the restrictions of Art. 20 GDPR, in a common electronic, machine-readable format. This also includes the release (to the extent possible) to another controller directly nominated by you.
  • Request us to correct your data if it is inaccurate, incorrect, and/or incomplete. Correction also includes supplementation through explanations or notifications.
  • Request us to delete personal data concerning you without undue delay if one of the reasons listed in Art. 17 GDPR applies. Unfortunately, we cannot delete data subject to a legal retention period. If you wish not to be contacted by newsletter or other means, we will store your relevant contact details on a blocklist.
  • Withdraw any consent you have given with effect for the future, without any disadvantage to you.
  • Request us to restrict the processing if one of the conditions listed in Art. 18 GDPR is met.
  • Object at any time to the processing of personal data concerning you for reasons arising from your particular situation. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims (Art. 21 GDPR).
  • Make use of administrative or judicial remedies without prejudice to any other administrative or judicial remedy. If you believe that the processing of personal data concerning you violates the GDPR, you have the right to complain to:
    • Our Data Protection Officer: datenschutz@cofinpro.de 
    • A supervisory authority in the Member State of your habitual residence, place of work, or the place of the alleged violation.

 

Changes to the privacy policy

We reserve the right to change our privacy policy as needed and publish it on this page. Please check this page regularly. The updated statement will come into effect upon publication, subject to applicable legal regulations. If we have already collected data about you that is affected by the change and/or is subject to legal information obligations, we will additionally inform you about significant changes to our privacy policy.