Information on Data Protection in Selection Procedures

When you apply for a job, Universität Hamburg processes the personal data you provide. The General Data Protection Regulation (GDPR) is the European Union’s standard legislation governing the processing of personal data. Processing means any operation the University performs on your personal data in the context of your application, e.g., collection, storage, use, transmission, making available for retrieval, or erasure.

The following provides information on what personal data are collected, from whom, and what happens to these data. You will also find out who to contact on this matter.

1. Who should you contact for questions or in case of problems?

1.1. Who is the Controller (person responsible for data processing)?

The responsible entity (Controller) under the GDPR is:

1.2 Who should you contact for questions?

For questions on the job advertisement procedure, contact the Job Advertisements Team of Universität Hamburg.

1.3 How do you contact the data protection officer?

2. For what purpose do we process your data?

Appointing staff involves conducting a selection procedure to ensure nondiscriminatory selection of the very best candidate based on qualifications, performance, and capabilities.

Personal data need to be collected from the candidates and processed within the selection procedure for legitimate decision-making pursuant to Article 88 GDPR in conjunction with Section 10 subsections 1–3 of the Hamburg data protection act (Hamburgisches Datenschutzgesetz, HmbDSG) in conjunction with Section 85 subsection 1 of the Hamburg civil service act (Hamburgisches Beamtengesetz, HmbBG). If necessary, application documents may be sent on to external HR consultation companies.

Additional documentation required for the decision-making process in a selection procedure include written or electronic communication with candidates, evaluations of the application documentation, documentation of the involvement of the departments and those representing specific interest groups (equal opportunity representatives, disability representatives, staff council), and, if applicable, other decision-making entities (e.g., the human resources department of Hamburg, regional regulatory authorities), the organization and conduct of aptitude assessment tools (e.g., interviews, assessment center), the evaluation of results from such assessments, the creation of a final statement, the sending of letters of rejection or appointment, and the associated creation of a personnel file.

In special circumstances, additional data may be collected as part of occupational medical examinations and/or security checks (see Section 5).

Use of data from Xing and LinkedIn

Our job portal allows you to use the autofill features provided by professional networks such as Xing and LinkedIn for application forms, as far as practicable.

The autofill feature for application forms submitted via Xing or LinkedIn requires you to have an existing account with the relevant network.

On connection with either network, the job portal is provided with an access token certifying an authenticated Xing or LinkedIn account. This does not communicate any personal data from Xing or LinkedIn to the job portal.

All communication with Xing and LinkedIn is encrypted. This process communicates the following personal data from Xing or LinkedIn to the application form within the job portal, in so far as this data exists within your Xing or LinkedIn account:

1. first name
2. last name
3. residential address
   1. street and house number
   2. postal code and city/town
4. email address

This data can of course be subsequently altered in your application form.

The individual platform operators are responsible for the communication of this data from Xing or LinkedIn, which is subject solely to their privacy policies. We would like to advise that we have no influence over any processing of any data by Xing or LinkedIn. Be aware that you may have to expressly log out of Xing or LinkedIn after the data has been communicated.

Xing privacy policy

LinkedIn privacy policy

Subsequent processing of any data shared to the application form is subject to the provisions listed in point 2.

3. How can you register for job alerts?

On the basis of your express consent (in accordance with Article 6 paragraph 1 letter a General Data Protection Regulation, GDPR) you can subscribe to our job alerts to find out about our current vacancies.

We use a double opt-in procedure for our job alert registration. This means that after you register, we will send an email to the address you provided, asking you to confirm that you would like to receive Universität Hamburg job alerts.

You only have to provide your email address to register for and receive Universität Hamburg job alerts. You will be notified only about job offers that match the filter criteria you selected. Once you have confirmed, we will store your email address for the purpose of sending you job alerts. If you do not confirm your registration for job alerts using the relevant email within 24 hours, your registration will be automatically deleted.

You can withdraw your consent to receive Universität Hamburg job alerts and unsubscribe at any time.

You can withdraw consent by sending an email to bewerbungen"AT"uni-hamburg.de.

4. What personal data do we process?

• personal identification and contact details
• application documents
  • cover letter
  • curriculum vitae
  • references/appraisals
  • proof of qualifications
  • other certificates
  • if applicable, further details from your application form
  • if applicable, further data or documents you provided
  • (voluntary) declaration of disability (pursuant to Article 9 paragraph 2 letter b GPDR in conjunction with Section 164, Book IX of the German Social Security Code (Sozialgesetzbuch IX, SGB )
• emails or letters concerning your application
• information gained from selection tools

Furthermore, with your consent, personal data may be collected from third parties. For example, the University may request your personnel file from your current human resources department if you are applying for a position in another department, a secondment, or a transfer from another public employer or another federal state.

5. How do we process these data?

Your information will be processed in an application management system that is operated externally.

The application documents you provide are stored electronically or, in the case of paper documents, kept by those responsible for processing it. Your personal identification and contact details as well as data relevant to the position (professional experience, qualifications, and special information you provide) are entered into an applicant management system, i.e., as electronic documents. These data are then supplemented by evaluations of your application documents.

If an interview is conducted or other aptitude assessment tools are used, parts of your answers and the evaluations thereof are documented electronically and/or on paper, saved, entered into the applicant management system or in electronic documents, and assigned to your data.

As part of the decision-making process, your identification data are recorded and stored in a selection note together with the results from the aptitude assessment tools.

Your data will be kept confidential and will only be stored and processed in conjunction with this application procedure. Access to the data collected within the selection procedure is exclusively reserved to those involved in the recruitment process, including the respective representatives.

If you are appointed, the Department of Human Resources will include the personal data collected during the application process in your personnel file.

6. Under which conditions may we transfer your data?

Personal data may only be transmitted to other individuals, authorities, public, or nonpublic offices if you have given your consent or the transmission is authorized by law.

• Staff Council
  Within the scope of the Staff Council’s participation rights pursuant to the Hamburg employee representation act (Hamburgisches Personalvertretungsgesetz, HmbPersVG), personal data may be transmitted to the Staff Council for it to carry out its duties. The nature and extent of the participation are based on the HmbPersVG. The act also stipulates, among other things, that documents containing personal data are to be returned or destroyed after conclusion of the co-decision procedure (Section 78 subsection 5 HmbPersVG).
• Equal opportunity representatives
  Personal data may be disclosed or transmitted to the equal opportunity representatives of the respective departments for them to carry out their duties pursuant to the Hamburg equal opportunity act (Hamburgisches Gleichstellungsgesetz, HmbGleiG). The equal opportunity representatives are to be informed of any staffing, social, or organizational measures relating to equal opportunities for women and men and compatibility of work and family life.
• Representative of severely disabled members of staff
  The representatives of severely disabled members of staff are to be involved in all issues concerning severely disabled people as a group. For this reason, they are provided with the personal data required to carry out their duties. The nature and extent of participation are based on Section 178 of book IX of the German social code (Sozialgesetzbuch, SGB IX).
• Staff medical service for the civil service (Personalärztlicher Dienst, PÄD) / State occupational medical service (Arbeitsmedizinischer Dienst, AMD)
  In some cases, a medical examination by the PÄD or the AMD may be performed with your consent as part of the health check before appointment (Section 10 subsection 2 HmbBG). For this purpose, data is transferred to the PÄD or the AMD. Following the medical examination, the medical report is transmitted to the appointing authorities (Section 44 HmbBG).
• State office of criminal investigations (Landeskriminalamt, LKA) / State office for the protection of the constitution (Landesamt für Verfassungsschutz)
  If you are applying for a position giving you access to a security area as defined in Section 1 subsection 2 of the Hamburg security clearance and secrecy protection act (Hamburgisches Sicherheitsüberprüfungs- und Geheimschutzgesetz, HmbSÜGG), a security check will be conducted with your consent. For this purpose, your identification data are transmitted to the responsible LKA (Section 34 HmbSüGG) or the state office for the protection of the constitution (Section 3 subsection 2). The LKA or the state office for the protection of the constitution transmits the results of the pre-appointment security check to the department making the appointment.
• Human resources department of Hamburg / courts
  In the event of litigation, the data will, if necessary, be transferred to the Hamburg human resources department and the courts involved. If you are appointed, any additional data will be processed by your future department. You can obtain more information from the department in question.

We have also contracted external service providers for the purpose of conducting applications, particularly for managing your application and conducting assessment center procedures. These service providers are bound by our data processing provisions and are subject to a processing contract under Article 28 GDPR to ensure that they also observe data protection and privacy requirements.

7. How long do we store your data?

No later than 6 months after the end of the hiring procedure, all data that is not required for the establishment of an employment relationship, transfer, or in the context of HR development, will be deleted. However, an exception applies to applications for civil servant positions. These will be deleted 9 months after completion of the appointment procedure. This retention period is necessary for documenting the procedure and possible subsequent legal evaluation processes.

This shall not apply if legal provisions prevent deletion or if further storage is necessary for the purpose of presenting evidence.

Written application documents are destroyed at the latest upon expiration of the retention period.

8. What rights do you have (e.g., right of access, right to object, etc.)?

You have various rights pursuant to the GDPR. These are detailed under Articles 15 to 18 and Article 21 of the GDPR. 

• The right of access (Article 15 GDPR)
  You may request information on your processed personal data. In your request for information, you should provide sufficient details to allow the necessary data to be compiled.
• The right to rectification (Article 16 GDPR)
  You may request rectification of your personal data without undue delay if you find these to be inaccurate or no longer valid. If your data are incomplete, you can request that they be completed.
• The right to erasure / “right to be forgotten” (Article 17 GDPR)
  You have the right to have your personal data and information deleted by the Controller—that is, “the right to be forgotten” pursuant to Article 17 GDPR. Whether you can request the immediate erasure of your personal data depends on whether it is statutorily required by those responsible for its processing.
• The right to restriction of processing (Article 18 GDPR)
  Under specific conditions, you have the right to request restriction of processing of your personal data.