Privacy notice for external consultants in accordance with article 13 GDPR

NAME AND CONTACT DETAILS OF THE CONTROLLER

The controller responsible for the lawful processing of personal data is Iskander Business Partner GmbH, in particular the Freelancer Management and Finance/Controlling departments.

DATA PROTECTION OFFICER OF ISKANDER BUSINESS PARTNER GMBH

Mr Ralf Jäger (external Data Protection Officer) | datenschutz@i-b-partner.com

CATEGORIES OF DATA

Iskander Business Partner GmbH collects, stores, transfers and uses various types of your data (data processing) within the framework of our cooperation. This covers the entire “lifecycle” of our contractual relationship. This means that your data may be processed from the initiation of a specific contractual relationship (time of first contact) through to its termination and, in part, beyond in connection with the final contractual settlement by Iskander Business Partner GmbH.
The data categories used are described below.

Master and Contact Data
These data are required in order to contact you and to engage you or conclude a contract with you. This includes, for example, your name, address, place of residence, email address and telephone number, as well as any existing residence permits and work permits (where required).

Qualification Data
These data provide information about your professional or technical qualifications and are necessarily required in order to decide on the award of a specific assignment. This includes, among other things: professional career history, previous employment relationships, education, places of education, where applicable graduation certificates and certificates, and any further training undertaken.

Contract and Order Data
These include, on the one hand, the data relating to any framework agreement concluded with you, i.e. its content, date and duration. On the other hand, they include data forming the basis of your specific assignment or individual contract. This includes: assignment period, assignment location, scope of assignment, role description, daily rate, as well as any agreed engagement parameters or framework conditions such as preferred place of assignment, availability, expected daily rate and engagement model (time and materials, fixed price, etc.).

Billing Data
These are the data required to carry out billing properly in accordance with the underlying contractual provisions. This includes, for example, the amount of your remuneration and the date the contract was concluded. Your bank details, such as your bank account information, also fall within this category.
Furthermore, this category includes all data required for invoicing our corporate clients or business partners. In particular, this concerns data derived from your service records, e.g. working hours (= period of performance) and places of work or deployment, as well as events/campaigns/information/marketing activities carried out with your involvement in connection with your assignment with the corporate client (= scope of services), and your project or PO number.

Further Categories of Data
In addition, we may process further data that we may obtain from your CV, for example date of birth, nationality, profile picture or passport photograph, completed training courses, as well as other data arising in the course of your work for us that do not fall within any of the categories described above.

PURPOSE AND LEGAL BASIS OF PROCESSING AND LEGITIMATE INTERESTS

We process the data described above for various purposes associated with the establishment, performance or termination of our contractual relationship (= engagement):

Acquisition and Inclusion in Our Consultant Pool
In order to potentially engage you at a later date, we collect and store data about you which we receive directly from you in the form of an application, as well as from third parties (such as clients or other consultants who recommend you) and/or from publicly accessible sources (such as LinkedIn or Xing). Based on this data, we contact you regarding the possible inclusion of your contact details and profile in our consultant pool.
This includes your master and contact data as well as your qualification data.

The legal basis for this is Article 6(1)(f) GDPR (legitimate interests; our interest is the potential initiation of a business and contractual relationship with you in order to engage and deploy you in the future).

You must consent to inclusion in the consultant pool by providing your consent. We will then store your contact details and profile in our system on a permanent basis in order to approach you, where necessary, for the conclusion of a framework agreement and subsequent individual contracts. The legal basis for this is Article 6(1)(a) GDPR (consent).

Conclusion and Performance of Framework Agreements and Individual Engagements
Where a specific assignment is envisaged, we will contact you in order to conclude a framework agreement (if not already in place) and to engage you for a project with one of our corporate clients by means of an individual contract (“engagement”). In the event of an engagement, we process your data for the performance and monitoring of the contract. This includes transferring the necessary data to the relevant client, managing engagements and invoicing your services (including the verification of service records, timesheets and invoices, and payment of your invoices).
This includes your master and contact data, qualification data, contract data and billing data.

The legal basis for this data processing is Article 6(1)(b) GDPR (pre-contractual measures and contract performance) in connection with the framework and/or individual agreements concluded or to be concluded with you.

We also process the aforementioned data from your engagements for internal analysis for management and strategic purposes. The legal basis for this is Article 6(1)(f) GDPR (legitimate interests: our interest is the internal management and evaluation of our business metrics in order to develop new services for our clients and carry out our planning).

Processing Your Data in Relation to Contracts with Our Clients and Business Partners
We also process and, in particular, transfer your data for the initiation, conclusion and performance of specific or individual contracts with our clients or business partners, for example where a client specifically requests you or where we present you as part of a project tender. This includes transferring data to clients and processing data in connection with invoicing your services to our clients or business partners (including the verification of service records, timesheets and invoices).

This also includes your master and contact data, qualification data, contract data and billing data.

The legal basis for this processing is also Article 6(1)(b) GDPR (pre-contractual measures and contract performance) in connection with the framework agreement concluded with you and any individual contracts relating to assignments with specific clients.

Communication Outside Specific Contractual Relationships
We also process data to inform you, after inclusion in our system and independently of a framework agreement or specific contracts, about our events and activities, news, and invitations to events.

This concerns your contact details and data relating to your assignments (place of assignment, name/company of the client or business partner with whom you have worked, previous participation in events or marketing activities).

The legal basis for this processing is Article 6(1)(f) GDPR (legitimate interests: our interest is to inform you about our activities so that we can plan availability, enable mutual networking, offer professional information and training opportunities in relation to future assignments, and enable us to access you quickly from the consultant pool where required).

RECIPIENTS OR CATEGORIES OF RECIPIENTS

Internal recipients:
Depending on purpose and necessity, the following departments may have access to the data:

• Management / supervisors
• Recruiting staff
• Back office staff
• Account management
• Freelancer management
• Finance staff

External recipients:

• Clients
• Business partners
• Service providers (e.g. banks processing our payments)

SOURCE OF THE DATA

We primarily receive your data directly from you, for example from your application documents, your completed profile or from your work for us. Some personal data are generated through individual allocation (e.g. assignment of a personnel number) or automatically by our IT systems (e.g. creation of your user ID).

We may also receive data about you from our clients (e.g. as part of invoicing or your assignment) and we may consult publicly accessible sources (such as Xing or LinkedIn) when searching for suitable candidates.

RETENTION AND STORAGE PERIODS

If you do not consent to inclusion in the consultant pool, your data will be deleted afterwards.
After inclusion in our system based on your consent, we will delete your data only if you withdraw your consent.

Data relating to individual contracts and your specific assignments with corporate clients will be deleted within 6 years after the end of the respective assignment or project. Data relating to a framework agreement will be deleted no later than 10 years after its termination. Billing data will be stored for 10 years. The above retention periods begin at the end of the calendar year in which the contract ended or the billing took place.

Data from communications with you outside specific contractual relationships will be deleted promptly.

AUTOMATED DECISION-MAKING

No automated decision-making pursuant to Article 13(2)(f) GDPR is used in the processing of your data.

YOUR RIGHTS

Under the GDPR, you have various rights regarding your data, as outlined below:

Right of access (Article 15 GDPR)
Upon request, we will inform you whether and which data about you are stored.

Right to rectification (Article 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data and the completion of incomplete data.

Retention and Storage Periods

If you do not consent to inclusion in the consultant pool, your data will be deleted afterwards.
After inclusion in our system based on your consent, we will delete your data only if you withdraw your consent.

Data relating to individual contracts and your specific assignments with corporate clients will be deleted within 6 years after the end of the respective assignment or project. Data relating to a framework agreement will be deleted no later than 10 years after its termination. Billing data will be stored for 10 years. The above retention periods begin at the end of the calendar year in which the contract ended or the billing took place.

Data from communications with you outside specific contractual relationships will be deleted promptly.

PROVISION OF YOUR DATA – LEGAL OR CONTRACTUAL REQUIREMENT

Please note that the provision of personal data may be required by law (e.g. tax regulations) or may arise from contractual provisions (e.g. information about the contractual partner). Different retention periods apply: data relevant under tax law are generally retained for 10 years, while other data are generally retained for 6 years under commercial law requirements.
In some cases, the conclusion of a contract requires the data subject to provide personal data that must subsequently be processed by us. For example, the data subject is obliged to provide personal data where our company enters into a contract with them. Failure to provide the personal data would mean that the contract could not be concluded.

FUTURE CHANGES

Should any relevant changes occur in the future, we will inform you proactively.