Processing of (personal) data by the entity in charge of the online application process

Thank you for your interest in ECFR, we are very pleased you are considering applying for a position in our organization. Please take a moment to review the following information on processing of your personal data in connection with your application.

Who is responsible for the processing of your personal data?

This information applies to the entire pan-European ECFR organization, which is formed of five legal entities as detailed below. Since all ECFR legal entities operate in a highly integrated manner, they are jointly responsible for the processing of your personal data according to article 26 of the GDPR and UK GDPR.
The ECFR legal entities, as joint controllers according to Art. 26 GDPR and UK GDPR have amongst themselves agreed that European Council on Foreign Relations (ECFR) e.V. will take primary responsibility for complying with GDPR and UK GDPR obligations, in particular transparency obligations and individuals’ rights.

European Council on Foreign Relations (ECFR) e.V.

Unter den Linden 17
10117 Berlin
berlin@ecfr.eu
+49 (0) 30 32 50 51 00

ECFR

Registered Office: First Floor, 10 Queen Street Place
London, EC4R 1BE
london@ecfr.eu
+44 (0) 20 7227 6860

Consejo Europeo de Relaciones Exteriores

Calle Felipe IV 9, 1º Derecha
28014 Madrid
madrid@ecfr.eu
+34 91 523 4818

Le Conseil européen – ECFR

13, Rue Paul Lelong
F-75002 Paris
paris@ecfr.eu
+ 33 (0) 1 83 79 08 06

The European Council on Foreign Relations Italy

Legal address: Via Emilia 86/90
00187 Roma
rome@ecfr.eu
+39 06 89172538
You can find further information about ECFR, the details of authorized representatives and other contact details in the imprint on our website.

Our data protection officer

European Council on Foreign Relations (ECFR) e.V. has appointed a data protection officer (DPO). In case of any queries you may contact the DPO by using the contact details above and adding “attn of the DPO” or via e-mail: dataprotection@ecfr.eu

How can you send us your application?

We kindly ask you to send your application by using the online form. Your data will then be transferred through encrypted channels. To enter your data and documents in the online form, you will be asked to provide your e-mail and a password. You can use these details to review, complete, amend or delete your application later.

Recruiting platforms

If you apply for a position through a recruitment website where we have posted a job ad, such as Indeed, Stepstone or LinkedIn, then we will receive your application from this platform. With regard to personal data processed by the recruitment platform in the context of your LinkedIn or Stepstone profile, the recruitment platform is responsible for this. Please refer to the privacy notice of these platforms for more information on how they process your personal data. The platform will only share such data with us as authorized by you. Any further processing on our behalf for the purposes mentioned below will take place on servers provided by our service providers.

What personal data will we process and for which purposes?

We will process any information sent by you in connection with your job application to assess your suitability for the position (or any other open position within ECFR) and to carry out the subsequent screening and selection process. This includes your name, gender, e-mail, password and application documents.

What is the legal basis for the processing of your personal data?

Primarily, our legal basis for the processing of your personal data with regards to any application procedure is Article 6 (1) b GDPR. Thereafter, any processing of data which is necessary in connection with our decision to enter in an employment relationship with you shall be permitted.
Besides art. 6 (1) b GDPR, the legal basis for the processing of your personal data by one of our other ECFR legal entities may follow from relevant national data legislation, including:
  • the UK GDPR and the DPA 2018 in the UK,
  • the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales in Spain,
  • the French Data Protection Act in France and
  • the Italian Privacy Code in Italy.
In those cases where we keep your application even after the position has been filled, the legal basis is art. (6) a GDPR.
Should any data be necessary for legal prosecution after completion of the application process, data may be processed based on the requirements of art. 6 DSGVO, in particular to safeguard our legitimate interests pursuant to art. 6 (1) 1 lit. f GDPR, these interests being the assertion of or defense from any claims.

How long will we store your personal data?

If you are successful and we offer you a position within ECFR, we will transfer your personal data from our application process over to our human resources department.
Should your application be rejected, we will delete your personal data within six months after the decision being made, unless you have consented to being added to the applicant pool. In this case we will store your application for another twelve months and contact you in case of any future suitable openings within ECFR.
If you are sending a spontaneous application to work at ECFR, we will keep your personal data for a year, unless you specify otherwise via e-mail. This will allow us to contact you with any other openings that could match your profile, including internships positions.

Who will receive your personal data?

Upon receiving your application, it will be reviewed by our HR department as well as any staff responsible for deciding on the position you are applying for. As a matter of principle, only ECFR staff who are directly involved in the handling of your application will be provided with access to your personal data.
We use a service provider based in Switzerland, with whom we have signed a data processing agreement (DPA) to store and manage all application data.
In certain cases we may also store your application on servers provided by Microsoft, with whom we have signed a data processing agreement (DPA).

Where will your personal data be processed?

Your personal data will be processed mainly on servers provided by our service provider within the European Union.
Microsoft is currently hosting our data in the UK, for which an EU adequacy decision exists, but it is possible that some data may be processed on Microsoft servers in the US. Microsoft has integrated standard data protection clauses into the DPA (data processing addendum) to guarantee safe processing of your personal data even in the US, which is considered an unsafe third country by the EU commission when it comes to the protection of your personal data. One of the potential risks of processing personal data in the US might be that US authorities could access this personal data. Strictly speaking, this is possible even when Microsoft hosts our data on EU servers. Microsoft has undertaken to seek legal recourse for any access requests by public authorities and we have no reason to believe Microsoft is not able to comply with the standard data protection clauses and sufficiently safeguard your personal data.

Your rights

You have the right to information about the personal data processed by us about your person.
In the case of a request for information which is not made in writing, we may ask you to provide us with further proof of identity.
Furthermore, you have the right to correction, deletion, or restriction of the processing of your personal data to the extent to which you are legally entitled to such rights.
You also have the right to object to the processing of your personal data within the scope of the statutory provisions.
You have a right to data portability, again with the scope of the statutory provisions.
To exercise your rights, we kindly ask you to address any queries to European Council on Foreign Relations (ECFR) e.V., using the contact details provided above.

Right to complain

Lastly, you have the right to complain to the data protection supervisory authorities about our processing of your personal data.

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary under security aspects, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR). Period of storage: up to 1 month or until the end of the browser session Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.