Info obligations
Art. 11, 12, 13 GDPR

Information on processing
of personal data
by Invatio GmbH

With this letter we inform you about the processing of your personal data by Invatio GmbH in the context of your contractual or pre-contractual service relationship. (B2B, B2C, and in the internal relations of the company)

Invatio GmbH is a “controller” within the meaning of the General Data Protection Regulation (“GDPR”). In accordance with the requirements of the GDPR, we as the controller are obliged to provide you with the following information. We hereby explain to you how we process your personal data during and following your contractual or quasi-contractual contact with Invatio GmbH.

We will inform you separately if we process your data to a different extent for a different reason.

This information letter is not part of the contractual relationship or any other contract-like agreement between Invatio GmbH and you. In order to avoid any misunderstanding, we emphasize that this letter serves solely to fulfil our statutory information obligations and cannot establish any rights and obligations of Invatio GmbH or change existing agreements.

This information letter applies to all current, former and future
Contractual partners of Invatio GmbH, Bergstraße 11, 37308 Schimberg, Germany and also serves as a supplement to the information for applicants.

This information letter has been valid since 01.01.2024

Personal data is any information relating to an identified or identifiable natural person. It is sufficient if the respective information is linked to the name of the data subject or can be established independently of this from the context. Your personal data therefore includes all information that relates to you and on the basis of which you can be identified.

Data processing is any process in connection with personal data. For example, the collection, recording, organization, storage, adaptation or modification, use, transmission and dissemination, but also the deletion and destruction of data.

The categories of personal data that we process from you include in particular

  • Your master data (first name, surname, name affixes, nationality, date of birth, gender, marital status, maintenance obligations and personnel number, etc.),
  • Your contact details (private address, mobile/landline telephone number, e-mail address, etc.),
  • the log data generated when using the IT systems,
  • as well as other data from various contractual relationships (such as information on the initiation of the employment relationship, start and end of employment, place of employment, employment conditions, vacation periods, any previous convictions, periods of incapacity for work, warnings, performance assessments, bank details, social data, pictures, social security and pension insurance number, tax identification number and salary data).

Personal data must be in accordance with Art. 5 GDPR

  1. processed lawfully, fairly and in a manner that is comprehensible to the data subject (“lawfulness, fairness and transparency”);
  2. be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) (“purpose limitation”);
  3. be adequate, relevant and limited to what is necessary for the purposes of the processing (“data minimization”);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  5. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject (“storage limitation”);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures (“integrity and confidentiality”).

    As a rule, your personal data is collected directly from you as part of the contractual relationship or during other contract-like relationships with Invatio GmbH. In certain constellations, your personal data is also collected by other bodies due to legal regulations. This includes, for example, event-related requests for tax-related information from the relevant tax office and information on periods of incapacity for work from the relevant health insurance fund. We may also have received data from third parties (e.g. employment agencies or regulatory authorities). In addition, however, you can obtain access to the processing, storage and forwarding of your personal data at any time within the scope of your legal rights.

    Your personal data is processed in compliance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws (e.g. ArbZG).

    The primary purpose of data processing is the establishment, performance and termination of contractual or quasi-contractual relationships. The overriding legal bases here are Art. 6 (1) b), c), d), f) GDPR, Section 26 (1) BDSG.

    Invatio GmbH also processes your data in order to comply with your legal obligations, in particular in the area of tax and social security law. This is done on the basis of Art. 6 para. 1c) GDPR.

    If necessary, we also process your data on the basis of Art. 6 para. 1 f) GDPR in order to protect our legitimate interests or those of third parties (such as public authorities). This applies in particular to the investigation of criminal offenses (on the basis of Section 26 (1) sentence 2 BDSG) and other administrative purposes, such as data processing for statistical purposes.

    We process your data in particular for the following purposes:

    • Management of the contractual relationship via electronic or other systems,
    • Management
    • Management of administrative, tax and commercial measures resulting from the contractual relationship with you, including the processing of disbursements and advance payments, consideration of seizure and transfer orders, necessary notifications to the employment agency,
    • Inclusion in lists and dispatch of these lists within the company and affiliated companies (legitimate interest: Facilitation of communication within Invatio GmbH and efficient allocation of tasks across individual companies).
    • If necessary, recording and checking the images recorded by surveillance cameras to the extent permitted by law. (Legitimate interest: Protection of business premises against unauthorized access and protection of the integrity and confidentiality of personal data and other business documents as well as protection against theft).

    If we wish to process your personal data for a purpose not mentioned above, we will inform you in advance.

    Special categories of personal data are particularly personal and sensitive data, such as information on racial and ethnic origin, political opinions, religious and philosophical beliefs, information on trade union membership, as well as the processing of genetic data, biometric data, health data or data on a person’s sex life or sexual orientation.

    We process special categories of your personal data only to the extent absolutely necessary and permitted by law, in accordance with Art. 9 para. 2 lit. b) GDPR. Insofar as special categories of personal data are processed, this serves the exercise of rights or the fulfillment of legal obligations under employment law, social security law and social protection law (for example, the disclosure of health data to health insurance companies, recording of severe disability due to additional leave and determination of the severely disabled levy or the payment of church taxes) within the scope of the employment relationship.

    We only process personal data relating to criminal convictions and offenses to the extent permitted by law.

    If necessary, we may collect information about any criminal convictions and offenses concerning you as part of the initiation of the employment relationship itself or be entrusted with such information by you or by a third party as part of the employment relationship.

    We will only use your personal data about criminal convictions and offenses to the extent that this is necessary for the performance of the employment relationship and in our interest. For example, to check your ability to perform certain positions or tasks in the employment relationship or to support authorities in investigations, insofar as we are legally obliged to do so.

    In exceptional cases, we may also process personal data in relation to criminal suspicions and accusations, insofar as this is necessary to protect our operational interests.

    No. We process your personal data exclusively for the aforementioned purposes. Should we come to the conclusion that other processing is necessary, we will inform you of this, stating the legal basis for further data processing.

    In principle, we do not require your consent to data processing, provided that it is carried out in compliance with the provisions of this information sheet.

    In exceptional cases, we may ask you for your written consent to carry out activities in relation to data processing that go beyond the aforementioned scope. In these cases, we will inform you in detail about the reasons and the legal basis for such data processing and about your rights in order to provide you with a sufficient information basis for consent.

    You can also revoke your consent to us at any time. The consequence of a revocation is that we will no longer process data to the extent originally authorized from the date of receipt of the revocation, unless we are entitled to do so by law.

    As part of your contractual relationship, you must provide the personal data that is required for the establishment, implementation and termination of the service relationship and the fulfillment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will not be able to perform the contractual relationship properly.

    We do not intend to use your personal data as part of an automated decision-making process in such a way that this processing has a legal effect on you or significantly affects you in any other way.

    Should we deviate from this decision, we will inform you in detail.

    Within Invatio GmbH, only those persons receive your personal data who need it to fulfill contractual and legal obligations. This may include employees in human resources as well as supervisors and managing directors. In addition, we may use external service providers (“processors”) to fulfill our contractual and legal obligations. These external service providers may include in particular

    • Google Workspace, Pipedrive, Strato, Odoo, Mailchimp, tax consulting company

    You can ask Invatio GmbH for full contact details at any time.

    In addition, we may transfer your personal data to other recipients outside Invatio GmbH if this is necessary to fulfill the contractual obligations of the controller. These can be, for example

    • Authorities (such as pension insurance providers, social insurance providers, regulatory authorities, tax offices, etc.)
    • Our and your bank (SEPA payment medium)
    • Postal and telecommunications service provider
    • Travel agencies, hotels, etc.
    • Customers, tenants, business partners, tradesmen, etc.
    • Affiliated companies
    • Third party debtor in the event of seizure
    • Insolvency administrator in the event of personal insolvency
    • Other authorities, insofar as legally required

    You can request the contact details from Invatio GmbH in accordance with your statutory rights.

    In all cases where personal data is passed on to third parties, we assume responsibility for safeguarding your data protection interests to the extent required by law. However, if there is a breach of the GDPR, we will inform you of this.

    Your personal data will only be transferred to a country outside the EU or the EEA to a limited extent. If data is transferred to a country outside the EU or the EEA, we are aware that this is only permissible if the provisions of the GDPR are complied with. Accordingly, data will only be transferred if we can guarantee compliance with the statutory provisions. To this end, we will check whether the Commission has provided the recipient with an adequate level of protection in accordance with Art. 45 para. 3 GDPR or a guarantee has been obtained in accordance with Art. 46 GDPR.

    Only in exceptional cases will we carry out a transfer in accordance with Art. 49 para. 1 lit. a) GDPR if you have given your express consent or if the transfer is necessary for the performance of a contract, for important reasons of public interest or for the assertion, exercise or defense of legal claims.

    Invatio GmbH will delete your personal data as soon as it is no longer required for the above-mentioned purposes. After termination of the employment relationship, your personal data will be stored for as long as we are legally obliged to do so. This is generally the result of legal obligations to provide evidence and retain records, which are regulated in the German Commercial Code and the German Fiscal Code, among others. According to these legal regulations, the retention periods are currently up to ten years. In addition, personal data may be retained for the period during which claims can be asserted against us (statutory limitation period of three or up to thirty years).

    As a data subject of data processing, you have the following rights in particular under the GDPR (“data subject rights”)

    1. Rights to information
      You have the right to request information as to whether or not we process personal data relating to you. If your personal data is processed by Invatio GmbH, you have the right to information about

      • the purposes of processing;
      • the categories of personal data (type of data) that are processed;
      • the recipients or categories of recipients to whom your data has been or will be disclosed; this applies in particular if data has been or will be disclosed to recipients in third countries outside the scope of the GDPR;
      • the planned storage period, if possible; if it is not possible to specify the storage period, the criteria for determining the storage period (e.g. statutory retention periods) must be communicated;
      • Your right to rectification and erasure of data concerning you, including the right to restriction of processing and/or the right to object (see also the following sections);
      • the existence of a right of appeal to a supervisory authority;
      • the origin of the data, if personal data was not collected directly from you.

      You also have the right to be informed whether your personal data is the subject of an automated decisioni. are based on automated decision-making within the meaning of Art. 22 GDPR and, if this is the case, what decision-making criteria such automated decision-making is based on (logic) or what effects and scope the automated decision may have for you.

      If personal data is transferred to a third country outside the scope of the GDPR, you are entitled to information as to whether and, if so, on the basis of which guarantees an adequate level of protection within the meaning of Art. 45, 46 GDPR is ensured by the data recipient in the third country or what possible risks exist for you as a result of your consent given for such data transfers without the existence of an adequacy decision and without suitable guarantees.

    2. You have the right to request a copy of your personal data.
    3. Right to data rectification
      You have the right to demand that we rectify your data if it is incorrect, inaccurate and/or incomplete; the right to rectification includes the right to completion by means of supplementary declarations or notifications.
      A correction and/or addition must be made immediately – i.e. without culpable delay.
      to take place.
    4. Right to erasure of personal data

      You have the right to demand that we erase your personal data insofar as

      • the personal data are no longer necessary for the purposes for which they were collected and processed;
      • the data processing is based on your consent and you have withdrawn your consent, unless there is another legal basis for the data processing;
      • you object to data processing in accordance with. Art. 21 GDPR and there are no overriding legitimate grounds for further processing,
      • you object to data processing for the purpose of direct marketing in accordance with Art. Art. 21 para. 2 GDPR have objected;
      • your personal data has been processed unlawfully;

      There is no right to erasure of personal data if

      • the right to freedom of expression and information to the request for erasure
        is opposed;
      • processing of personal data (i) for compliance with a legal obligation to which the controller is subject
        obligation (e.g. statutory retention obligations), (ii) for the purpose of exercising
        public tasks and interests in accordance with Union law and/or the law of the
        Member States (including public health interests)
        or (iii) is required for archiving and/or research purposes;
      • the personal data for the establishment, exercise or defense of legal claims
        of legal claims are necessary.

      The deletion must take place immediately, i.e. without undue delay. If personal data has been made public by us (e.g. on the Internet), we must ensure, as far as technically possible and reasonable, that third party data processors are also informed of the deletion request, including the deletion of links, copies and/or replications.

    5. Right to restriction of data processing
      You have the right to object to the processing of your personal data in the following cases
      to be restricted:

      • If you have disputed the accuracy of your personal data, you may request from
        request that your data is not used for other purposes for the duration of the accuracy check and is restricted in this respect.
      • In the event of unlawful data processing, instead of data erasure in accordance with
        Art. 17 para. 1 lit. d GDPR to restrict the use of data in accordance with Art. 18
        GDPR may require;
      • Do you need your personal data to assert, exercise or defend legal claims?
        defense of legal claims, your personal data will be stored in the
        other things but is no longer required, you can request that we restrict the
        processing to the aforementioned law enforcement purposes;
      • If you have objected to data processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether our interests in processing outweigh your interests, you can request that your data not be used for other purposes for the duration of the review and be restricted in this respect.

      Personal data whose processing has been restricted at your request may – subject to storage – only be (i) with their consent, (ii) for the assertion, exercise or defense of legal claims, (iii) to protect the rights of another natural or legal person; or (iv) processed for reasons of important public interest. If a processing restriction
      you will be informed of this in advance.

    6. Right to data portability
      Subject to the following provisions, you have the right to demand that the data concerning you be returned to you in a commonly used electronic, machine-readable data format. The right to data portability includes the right to transmit the data to another controller; on request, we will therefore – where technically possible – transmit data directly to a controller named by you or yet to be named. The right to data portability exists only for data provided by you and requires that the processing is based on consent or for the performance of a contract and is carried out by automated means. The right to data portability pursuant to Art. 20 GDPR does not affect the right to data erasure pursuant to Art. 17 GDPR. The data transfer is subject to the rights and freedoms of other persons whose rights may be affected by the data transfer.

      You can request information about the personal data stored about you at the above address. In addition, under certain conditions you can request the correction or deletion of your data. You may also have the right to restrict the processing of your data and the right to receive the data you have provided in a structured, commonly used and machine-readable format.

    7. Right of objection
      You have the right to object to the processing of your personal data for direct marketing purposes at any time with effect for the future without giving reasons; this also applies to profiling insofar as it is associated with direct marketing. In the event of an objection, we must refrain from any further processing of your data for the purpose of direct advertising. If we process your data to protect legitimate interests, you can object to this processing at any time with effect for the future on grounds relating to your particular situation. We will then no longer process your personal data for the aforementioned purpose, unless

      • we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
      • the processing is necessary for the establishment, exercise or defense of legal claims.
    8. Right of appeal
      You have the right to lodge a complaint at any time with the Data Protection Officer, as an independent and objective complaints body. The contact details are:

      Mrs. Muharema Samast
      Phone: +49 (0)36082 84 78 81
      E-mail: datenschutz@invatio-web.de

      You can also contact the State Commissioner for Data Protection and Freedom of Information

      federal state. The contact details are:

      Postal address:
      Thuringian State Commissioner for Data Protection and Freedom of Information
      P.O. Box 900455
      99107 Erfurt

      Phone: +49 (361) 57-3112900
      poststelle@datenschutz.thueringen.de

    In principle, there are no costs for you. We always provide copies of data in electronic form, unless you have specified otherwise. The first copy is free of charge as long as its creation does not require any additional effort. A reasonable fee may be charged for additional copies. The provision is subject to the rights and freedoms of other persons who may be affected by the transmission of the data copy. To protect your personal data from unauthorized access, we may request personal information from you to verify your identity.

    Yes. This information letter can be updated and changed at any time. If we make a change, you will be informed immediately by providing an updated version of the information letter.

    You have the option of contacting the above-mentioned data protection officer or the supervisory authority responsible for data protection at any time with a complaint. The above-mentioned supervisory authority is responsible for Invatio GmbH.

    The full text of the GDPR is available on the Internet at http://eurlex.europa.eu/legalcontent/DE/TXT/PDF/?uri=CELEX:32016R0679&from=DE

    If you have any further questions about the GDPR, you can also contact the data protection officer and/or the HR department at any time.