Data protection

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). The terms used are not gender-specific. As of: March 18, 2026

Please note: This English translation is provided for your convenience and for informational purposes only. In the event of any discrepancies or disputes, the original German version of this privacy policy is the solely legally binding document.

Controller

NIK Executive Search GmbH
Volker Geiße
Am Sudhaus 9
89077 Ulm

Authorized representatives: Nina Kummerlöwe

Email address: vg@nik-executivesearch.com

Phone: 0731. 15900 11

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Master data.
  • Employee data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Social data.
  • Applicant data.
  • Image and/or video recordings.
  • Audio recordings.
  • Log data.
  • Performance and behavioral data.
  • Working time data.
  • Salary data.

Special Categories of Data

  • Health data.
  • Religious or philosophical beliefs.
  • Trade union membership.

Categories of Data Subjects

  • Service recipients and clients.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Applicants.
  • Business and contractual partners.
  • Pictured persons.
  • Third parties.
  • Customers.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Conversion tracking.
  • Target group formation.
  • Organizational and administrative procedures.
  • Application process.
  • Feedback.
  • Marketing.
  • Provision of our online offer and user-friendliness.
  • Establishment and implementation of employment relationships.
  • Information technology infrastructure.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and economic procedures.
  • Artificial Intelligence (AI).

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the regulations of the GDPR, national data protection provisions may apply in your or our country of residence or domicile. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 (1) (a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR) – Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g., health data such as severely disabled status, or ethnic origin) are requested from applicants as part of the application process so that the controller or the data subject can exercise rights and fulfill obligations under employment law and social security and social protection law, their processing is carried out in accordance with Art. 9 (2) (b) GDPR; in the case of the protection of vital interests of applicants or other persons, according to Art. 9 (2) (c) GDPR; or for purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, according to Art. 9 (2) (h) GDPR. Where special categories of data are communicated on the basis of voluntary consent, their processing is based on Art. 9 (2) (a) GDPR.
  • Processing of special categories of personal data concerning health, occupation, and social security (Art. 9 (2) (h) GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on the applicability of the GDPR and the Swiss FADP: These privacy notices serve to provide information both under the Swiss Federal Act on Data Protection (FADP) and under the General Data Protection Regulation (GDPR). For the sake of broader territorial scope and readability, the terminology of the GDPR is used. In particular, instead of the Swiss FADP’s terms “processing” (Bearbeitung) of “personal data” (Personendaten), “overriding interest”, and “sensitive personal data”, the GDPR’s terms “processing” of “personal data”, “legitimate interest”, and “special categories of data” are applied. Within the scope of application of the Swiss FADP, however, the legal meaning of these terms continues to be determined in accordance with the Swiss FADP.

Security Measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as controlling access to, input of, and transmission of the data, securing its availability, and keeping it separated. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and the response to data being endangered. We also take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we rely on TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer). TLS encrypts and authenticates the connection between the user’s browser and the website or app (or between two servers), so that the transmitted data is protected from eavesdropping and tampering in transit. The older SSL protocol versions are deprecated and no longer used; current browsers and servers negotiate TLS 1.2 or TLS 1.3. A connection secured in this way is signaled by “https://” in the URL and by the browser validating the server’s certificate. This indicates that the data is transmitted over an encrypted, authenticated channel; it does not by itself say anything about how the data is handled once it has been received.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies (which can be seen from the postal address of the respective provider or if the privacy policy expressly points out the data transfer to third countries), this is always done in accordance with the legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, which meet the requirements of the EU Commission and establish contractual obligations to protect your data.

This dual protection ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the Standard Contractual Clauses serve as additional security. Should there be changes under the DPF, the Standard Contractual Clauses act as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

For the individual service providers, we will inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/.

Appropriate security measures apply to data transfers to other third countries, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the EU Commission’s information offering: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with statutory provisions as soon as the underlying consents are revoked or there are no longer any legal bases for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for the prosecution or protection of the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that apply specifically to certain processing operations.

If there are multiple specifications for the retention period or deletion periods of data, the longest period always applies. Data that is no longer retained for its original intended purpose but due to legal requirements or other reasons, will be processed by us exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general periods apply to retention and archiving under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as the work instructions and other organizational documents required for understanding them (§ 147 (1) No. 1 in conjunction with (3) AO, § 14b (1) UStG, § 257 (1) No. 1 in conjunction with (4) HGB).
  • 8 years – Accounting records, such as invoices and cost receipts (§ 147 (1) No. 4 and 4a in conjunction with (3) sentence 1 AO and § 257 (1) No. 4 in conjunction with (4) HGB).
  • 6 years – Other business documents: received commercial or business letters, reproductions of the sent commercial or business letters, other documents, insofar as they are of importance for taxation, e.g., hourly wage slips, operational accounting sheets, calculation documents, price markings, but also payroll documents, insofar as they are not already accounting records and cash register strips (§ 147 (1) No. 2, 3, 5 in conjunction with (3) AO, § 257 (1) No. 2 and 3 in conjunction with (4) HGB).
  • 3 years – Data required to consider potential warranty and damage claims or similar contractual claims and rights and to process related inquiries, based on previous business experience and customary industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Start of the period at the end of the year: If a period does not expressly begin on a specific date and amounts to at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the time when the termination or other end of the legal relationship takes effect.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consents given at any time.
  • Right of access: You have the right to request confirmation as to whether data in question is being processed and to request access to this data as well as further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: You have the right, in accordance with the legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with statutory provisions, to demand that data concerning you be erased without delay, or alternatively, in accordance with statutory provisions, to demand a restriction of the processing of the data.
  • Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
  • Complaint to a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Business Services

We process personal data of our contractual and business partners, such as customers, clients, prospects, suppliers, and other cooperation partners (collectively “Contractual Partners”), for the initiation, implementation, and processing of contractual relationships and comparable legal relationships. This also includes pre-contractual measures carried out upon request as well as communication related to the respective contractual relationship.

Processing primarily serves the fulfillment of our main and secondary contractual obligations. This includes the provision of agreed services, any updating and information obligations, the processing of warranty and other performance disruptions, the handling of revocations, terminations of continuing obligations, reversals, refunds, as well as the processing of other contract-related declarations and inquiries. Both one-time contracts and ongoing contractual relationships are covered.

We process in particular master data such as name, address and possibly company name, contact data such as email address and telephone number, contract and service data such as contract subject matter, contract duration, order or transaction number, usage and performance data, payment and billing data as well as communication contents and histories. If necessary, we also process data disclosed or transmitted to us as part of the execution of an order.

In addition, we process the data to protect our rights and to fulfill legal obligations. This includes in particular commercial and tax retention obligations, documentation obligations as well as possible verification and accountability obligations. Processing is also carried out on the basis of our legitimate interests in proper business management, internal administration, risk management, and IT security as well as the protection of our business operations and our Contractual Partners from misuse, endangerment of data, secrets, and other legal interests. This may also include the integration of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors or other vicarious agents, insofar as this is necessary for the execution of the contract or to fulfill legal obligations.

Personal data is only passed on to third parties if this is necessary for the fulfillment of the contract, for carrying out pre-contractual measures, for protecting legitimate interests or for fulfilling legal obligations. We will inform you separately about further processing, in particular for marketing purposes, within the framework of this privacy policy.

We inform the Contractual Partners which data is required in individual cases during data collection, e.g., in online forms by appropriate marking or in personal contact.

The data will be deleted as soon as they are no longer required for the aforementioned purposes and there are no opposing legal retention obligations. Statutory retention periods, in particular under commercial and tax law, may require longer storage. We delete data transmitted within the scope of a specific order after the completion of the order and the expiry of any retention periods, provided there are no further legal or contractual obligations to store them.

The legal basis for processing is Art. 6 (1) (b) GDPR for carrying out pre-contractual measures and fulfilling the respective contractual relationship, as well as Art. 6 (1) (c) GDPR for fulfilling legal obligations. Insofar as the processing is based on legitimate interests, it is carried out on the basis of Art. 6 (1) (f) GDPR. Insofar as the processing is based on Art. 6 (1) (f) GDPR, it is carried out to protect our legitimate interests in proper and efficient business organization, the internal administration and documentation of business transactions, the enforcement and defense of legal claims, ensuring IT and data security, preventing misuse and fraud, as well as the economic control and further development of our business operations. These interests consist in particular in ensuring safe and legally secure business operations and in safeguarding our entrepreneurial ability to act.

  • Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Contract data (e.g., contract subject matter, duration, customer category); Applicant data (e.g., personal details, postal and contact addresses, documents belonging to the application and the information contained therein, such as cover letters, CVs, certificates, and other information voluntarily provided by applicants regarding their person or qualifications); Employee data (information on employees and other persons in an employment relationship).
  • Data subjects: Service recipients and clients; Interested parties; Business and contractual partners; Applicants; Employees (e.g., staff, applicants, temporary workers and other employees).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and economic procedures.
  • Retention and deletion: Deletion according to the information in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); Legal obligation (Art. 6 (1) (c) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).

Further notes on processing operations, procedures, and services:

  • Coaching: We process the data of our clients as well as interested parties and other clients or contractual partners (uniformly referred to as “clients”) in order to be able to provide them with our services. The procedures carried out within the scope and for the purposes of coaching include: Contacting and communicating with clients, needs analysis to determine suitable coaching measures, planning and conducting coaching sessions, documenting coaching progress, collecting and managing client-specific information and data, scheduling and organizing appointments, providing coaching materials and resources, billing and payment management, follow-up and review of coaching sessions, quality assurance and feedback processes.
    The processed data, the nature, scope, purpose, and necessity of their processing are determined by the underlying contractual and client relationship.
    If it is necessary for our fulfillment of the contract, for the protection of vital interests or legally required, or if the clients have given their consent, we disclose or transmit the clients’ data, in compliance with professional regulations, to third parties or agents, such as authorities, billing offices, as well as in the field of IT, office or comparable services; Legal bases: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR).
  • HR Services: We process the data of our customers and candidates (uniformly referred to as “customers”) for the provision of HR services, including recruitment, personnel development, and payroll. The required information is marked as such within the scope of order placement and includes the details required for service provision and billing, as well as contact information in order to be able to hold any consultations. Insofar as we gain access to information from end customers, employees, or other persons, we process this in accordance with legal and contractual requirements. Procedures required in the context of HR services include recruiting specialists, developing training and further education measures, managing personnel files and payroll, and providing HR consulting and support. In addition, they include conducting application processes and interviews, coordinating requirements between customers and candidates, selecting suitable candidates for vacancies, and monitoring working hours and performance records; Legal bases: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Recruiting Services: As part of our services, which include in particular the search for potential job candidates, contacting them, and placing them, we process the data of job candidates and the personal data of potential employers or their employees. We process the information and contact details provided by job candidates for the purpose of establishing, carrying out, and, if necessary, terminating a contract for job placement. We may also ask interested parties follow-up questions about the success of our placement service at a later date, in accordance with legal requirements. We process the data of both job candidates and employers to fulfill our contractual obligations in order to process the inquiries submitted to us regarding job placements to the satisfaction of the parties involved.
    We may log placement processes to be able to prove the existence of the contractual relationship and the consent of the interested parties in accordance with legal accountability obligations (Art. 5 (2) GDPR). This information is stored for a period of three to four years if we need to prove the original inquiry (e.g., to prove authorization to contact job candidates); Legal bases: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR).
  • Management Consulting: We process the data of our customers, clients, prospects, and other clients or contractual partners (uniformly referred to as “customers”) to provide them with our contractual or pre-contractual services, in particular consulting services. The processed data, the nature, scope, purpose, and necessity of their processing are determined by the underlying contractual and business relationship. If it is necessary for our fulfillment of the contract or legally required, or if the customers have given their consent, we disclose or transmit the customers’ data, in compliance with professional regulations, to third parties or agents, such as authorities, courts, or in the field of IT, office, or comparable services; Legal bases: Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR).
