Data Privacy for Enboarder

_{Information on data processing}

You will be contacted by e-mail or SMS before your first day at BASF to participate in onboarding via the platform. You can then decide which communication channel you would like to use to receive onboarding information (e-mail or SMS). The first time you access the platform, you will be asked to request a PIN code for access. This will be sent to you by e-mail or SMS, depending on the communication channel you have chosen. You will then receive automated messages at irregular intervals, alerting you to new information and tasks in the onboarding platform. To use the platform, you need an internet-capable device with a browser (Chrome, Firefox, Internet Explorer), such as a computer or smartphone. 

The following data are processed:

Communication data

In order to be able to contact you via the platform, the following data is transmitted to Enboarder and used for the online service:

• Master data (first name, last name, prefix (Van, von etc.), academic title)
• Communication data (private e-mail, private mobile number, communication language) 
• Data on the employment relationship (date of entry, start date, personnel number, org unit (department), company code (company), place of work, employee subgroup, time limits, shift/working time model, job title or, in the case of trainees, also training occupation)

Other information

To initiate an order with BASF (e.g. workplace equipment, work clothes) or to evaluate the online service in a survey, further information can be requested from you and stored on the platform. Possible examples:

• Shoe size
• Dress size
• Desired language for the computer / keyboard

The data provided by you will be used exclusively 

• to communicate with you to provide or request information from you
• to carry out the measures necessary for onboarding (e.g. ordering work clothes)
• to further improve BASF's online service for our new employees by asking you about your experience with onboarding. 

The data will not be used to assessing your performance. The data will only be viewed by those persons who are responsible for the onboarding of new employees at BASF, in particular the Human Resources department and your future manager or departments of the company who provide you with your work equipment or allow you access to the BASF site. This may also involve data transfers within the Group.

BASF processes your personal data in compliance with the provisions of the General EU Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) as well as all other relevant laws (e.g. BetrVG, ArbZG, etc.). Your personal data is treated confidentially.

Processing for the fulfilment of pre-contractual and contractual obligations (Section 26 (1) sentence 1 BDSG, Art. 6 (1b) GDPR)

The processing of your personal data on the basis of 3 a) and 3 b) is carried out for the purpose of onboarding and thus the execution of the employment relationship. The legal basis for this is § 26 paragraph 1 sentence 1 BDSG, Art. 6 paragraph 1b GDPR.

Processing based on legitimate interests (Art. 6 para. 1f GDPR)

The processing of your personal data on the basis of 3 c) takes place in order to further improve our online service in the context of onboarding. The legal basis in this respect is Art. 6 para. 1f GDPR). The legitimate interests of BASF are to improve the design of the onboarding in order to ensure a smooth start to the first working day and to improve it for new employees.

Further Permissions

Where necessary, we also process your data to help solving crimes. The legal basis is § 26 Sect. 1 Clause 2 BDSG.

We will not publish your personal data. Within our company only persons and bodies (e.g. HR department, Works Council, Severely Disabled Representatives) who need your personal data for fulfillment of their contractual and statutory duties will receive your data.

Within the BASF group your data is provided to specific companies within the group if they centrally perform key tasks for affiliates within the company group (such as payroll or company pension) or perform cross-company functions on the basis of the organizational structure (such as HR development).

In addition, in order to fulfill our contractual and statutory obligations we in part employ different service providers (e.g. travel service, collection service provider, IT service provider, consulting companies).

We may also disclose your personal data to other recipients outside of the company if necessary for fulfillment of our contractual and statutory duties as an employer. These may be, for example:

• Official bodies (pension insurance provider, occupational pension schemes, Social Security providers, tax authorities, courts)
• The employee’s bank (SEPA-payment medium)
• Receiving offices of healthcare providers
• Official bodies in order to guarantee claims from the company pension scheme
• Third party debtors in the case of salary and wage garnishing
• Receiver in the case of private insolvency
• Auditors and surveyors

Our cloud provider and HR service provider are bound by contract to observing strict regulations regarding data protection. They are committed to handle your personal data with care. They are prohibited to use your personal data for their own purposes or to pass the personal data on to third parties.

It cannot be eliminated that an IT service provider from a third country (e.g. Australia) gets rarely and limited access to your personal data during remote maintenance of IT services. We’ll inform you about exact details, if we are obliged by law.

Should we disclose personal data to service providers or companies within the BASF group outside of the European Economic Area (EEA) they will only be disclosed if the EU Commission confirmed an adequate data protection level for the third country or other data protection guarantees (such as binding corporate rules or EU standard contractual clauses) apply. You may request the information from the above specified contact details.

Our processor stores your personal data in an extremely protected computer center in Frankfurt on the Main (Germany). The transfer of personal data is encrypted. Our processor uses technical and organizational safety measures to protect your personal data against accidental or willful manipulation, loss, destruction, or access by unauthorized persons. All the security measures and the compliance with data protection regulations are regularly audited by an independent entity.

Your personal data within the platform will be stored and deleted after 6 months after you first working day in BASF. All personal data will be anonymized automatically.

Cookies

Enboarder uses the following cookies:

Embedded YouTube videos

•  Data processing

We have integrated YouTube videos into our digital onboarding tool, which are stored on the YouTube platform and can be played directly from our website. YouTube is a service of Google LLC, D/B/A YouTube. 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter as ‘Google’). The videos are all embedded in the so-called ‘2-click-mode’, which means that no data about you as a user is being transferred to Google if you do not activate the video function. Before the video function’s activation, only a preview image loaded from our own web server is being displayed.

Data will only be transferred to Google if you activate such video functions. Once being activated, we have no influence on this data transfer. The data transfer is carried out regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in at Google, your data will be assigned directly to your account. 

• Purposes and legal basis

We use YouTube videos on Enboarder to present those to you in an easy way. The legal basis for the processing of your personal data is your consent according to Art. 6 para. 1 sentence 1 lit. a GDPR. You grant this consent by activating the video function. If activated, your personal data will be transferred to Google as described above. 

In the course of the data transfer to Google, your personal data will be transferred to servers of Google, which might also be located in the USA. The USA is a country that does not have a level of data protection which is adequate to that of the EU. This means that personal data can be accessed by US authorities in a simplified manner and that there are only limited rights to such measures. If you activate the YouTube video function, you expressly consent to the transfer of data to Google and to the transfer of your personal data to servers located in the USA.

If you have given your consent, you have the right to revoke it at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

You can revoke you consent at any time for the future by deactivating the “YouTube” video function in the respective Enboarder sequence.

• Further information

Further information on data processing, in particular on the legal basis and storage period by Google, can be found in the provider's privacy policy (https://policies.google.com/privacy) and in the privacy banner on the YouTube platform. There you will also find further information on your rights and setting options to protect your privacy.

Google may also process your personal information in the United States, a third country without an adequate level of data protection.

As a user of the platform you have the following rights:

• Right of access (Art. 15 GDPR)

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information of the purposes of the processing.

• Right to rectification (Art. 16 GDPR)

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you.

• Right to erasure (Art. 17 GDPR)

You have the right to obtain form the controller the erasure of personal data concerning you without undue delay.

• Right to restriction of procession (Art. 18 GDPR)

You have the right to obtain from the controller restriction of procession where the conditions of Art. 18 GDPR apply.

• Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used und machine-readable format.

• Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your specific situation, at any time of processing of personal data concerning you. We process your personal data no longer unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this regulation (GDPR).

The supervisory authority with which the complaint has been lodged shall inform you on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 (GDPR).

Furthermore, you can file a complaint with the Data Protection Representative specified above or contact the Data Protection Authority, having jurisdiction for us:

Der Landesbeauftragte für den Datenschutz und
die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34
55116 Mainz