Data Privacy Policy for Applicants


Dear job applicant, 

with this data privacy policy ("policy") FINN GmbH, Prinzregentenplatz 9, 81675 Munich, Germany ("FINN", "we" or "us") would like to explain to you how and for which purposes we process and use your personal data in connection with your application and which rights and options you have in this respect. 

Who is responsible for your personal data?

The FINN entity to which you sent your application will be the responsible controller for your personal data. 

For which purposes do we use your personal data?

We will process your personal data as required in connection with your application, in particular for the following purposes ("Permitted Purposes"):

  • Processing of your application, including review and analysis of your qualifications and skills, to confirm your references and educational background, for background checks and public register checks and considering your suitability for the job opportunities for which you applied, communication with you, conducting assessment centers and any other evaluation processes and organization of any travel required and expense reimbursement;

  • Entering into a contract with you and in the course of the onboarding process if you are made an offer by us and accept it the personal data you provide will be processed for the onboarding process and for the conclusion of the contract.

  • Security purposes, including protecting our property, controlling access to our premises and facilities (including CCTV), ensuring integrity and security of our IT and communication systems, websites and other systems and investigating, preventing and detecting security threats, fraud, theft or other criminal or malicious activities;

  • Legal documentation purposes (such as record keeping obligations);

  • Compliance reasons, in particular monitoring and assessing compliance with our internal policies and standards and our legal and regulatory obligations;

  • Disputes and enforcement of claims, including supporting us in dealing with and solving disputes, complying with orders of courts, authorities or other public bodies, enforcing our contractual agreements and to establish, exercise or defend legal claims.

Where you have expressly given us your consent, we may also use your personal data for the following purposes:

  • Including you in our job applicant data base, to provide you by email, telephone or other communication channels you permitted us to use with information about job opportunities.

  • Sending you information and updates by email about FINN and our products and services, and invitations to programs, customer surveys or other events.

We will not use your personal data for taking any automated decisions affecting you or creating profiles other than described above.

On which basis do we process your information?

We will process your personal data for the above Permitted Purposes only

  • where it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into such a contract;

  • where it is necessary for our or a third party's legitimate interests, always provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our "legitimate interests" may include our commercial interests in operating our business in a professional, sustainable manner, in accordance with all relevant legal and regulatory requirements;

  • for our compliance with our legal obligations;

  • where it is necessary to protect your or another person's vital interests;

  • where we have obtained your specific or, where necessary, explicit consent to do so. We will in each case inform you about the processing of your data and your related rights prior to obtaining your consent.

The legal bases for processing of your personal data are set forth in Article 6 of the European Data Protection Regulation ("GDPR").

Which personal data do we collect?

Unless otherwise agreed with you, we will collect only personal data which are required in connection with your application for the above purposes. This includes any information you provide to us directly with your application and any information which is derived from such created data or otherwise collected in the course of your application process. 

This may include the following categories of data:

  • Personal details, such as name, address, date of birth, marital status, emergency contact details, country of residence, national insurance number, prior or expected salary, bank details, social security and tax related details;

  • Application Data, such as contact details of your prior employer, position and career data, CV, details of your qualifications, professional experience and skills;

  • Identification documentation, such as copies of your passport, driving license, national or work ID card, or other documentation (which may include photographs submitted by you);

  • Further information related to our application, such as expense reimbursement data, assessment centers or other assessment methods, reference checks, credit and background checks and public register checks; 

  • Data relating to access to and use of our systems, facilities and premises;

  • Data relating to disputes and enforcement of claims, including data relating to or generated from proceedings, disputes, negotiations, statements, pleadings or other related communication or activities;

  • Other personal data derived from or generated by pursuing the above Permitted Purposes.

Special categories of Personal Data.  Where required for the above Permitted Purposes and only where required or permitted by applicable law or where you have specifically given us your consent, we may process special categories of your personal data such as:

  • Your confession (e.g. for church tax purposes);

  • Data in relation to an existing disability to comply with related statutory workplace security or insurance obligations; or

  • Biometric data (e.g. for access control or security purposes).

From which sources do we collect personal data?

We may collect your personal data for the above Permitted Purposes

  • primarily directly from you in the course of your application, e.g. when you complete job applicant questionnaires, visit our intranet, our website or other communication platforms and when you communicate with us in relation to your application.

  • from third parties, e.g. from references, educational institutions or public registers.

  • from data generated in the course of your application process (e.g. expense reimbursement, assessment centers and other assessment methods or from recording and monitoring of your access and use of our premises, facilities and communication and IT systems).

  • We may also collect personal data that you have made public on professionally-oriented social networks, such as LinkedIn (where such personal data has relevance to your professional life).

How do we protect your personal data?

We maintain physical, electronic and procedural safeguards in accordance with the technical state of the art and legal data protection requirements to protect your personal data from unauthorized access or intrusion. These safeguards include implementing specific technologies and procedures designed to protect your privacy, such as secure servers, firewalls and SSL encryption. We will at all times strictly comply with applicable laws and regulations regarding the confidentiality and security of personal data.

With whom will we share your personal data?

We may share your personal data with:

  • Third parties in connection with a service provided to us or you on our behalf for the Permitted Purposes (such as training and educational providers, background check providers or third parties from whom we request a reference or information).

  • Service providers (so called data processors) domestically or abroad (in particular to the operator of our recruiting software "Lever" based in San Francisco and e.g. shared service centers, payroll or other service providers, including cloud providers) instructed by us to process personal data for the Permitted Purposes on our behalf and in accordance with our instructions only. We will retain control over and will remain fully responsible for your personal data and will use appropriate safeguards as required by applicable law to ensure the integrity and security of your personal data when engaging such service providers.

  • Public or governmental bodies such as social security and tax authorities, mutual indemnity associations, regulatory or enforcement authorities, attorneys or courts, where we are required to do so by applicable law or regulation or at their request if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defense of legal claims.

  • Otherwise, we will only disclose your personal data when you direct or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or when we suspect fraudulent or criminal activities.

Where do we process your personal data?

In the course of our business activities, we may transfer your personal data also to recipients in countries outside of the European Union (EU) or the European Economic Area (EEA) and the United Kingdom, in which applicable laws do not offer the same level of data protection as the laws of your home country.

When doing so we will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of your personal data, in particular by entering into the EU Standard Contractual Clauses. The Standard Contractual Clauses applicable as of June 27, 2021 are available at the following link: We will replace older versions of the standard contractual clauses with the current version in accordance with legal requirements.

You may contact us anytime using the contact details below if you would like further information on such safeguards.

Your data protection rights

Subject to certain legal conditions, you may request access to, rectification, erasure or restriction of processing of your personal data. You may also object to processing or request data portability. In particular you have the right to object to the processing of your personal data for our legitimate interest. We will then no longer process the data for this purpose, unless our legitimate interests in processing take precedence over your interests and rights or the processing serves the assertion, exercise or defense of legal claims. You may as well request a copy of the personal data that we hold about you. If you make this request repeatedly, we may make an adequate charge for this. Please refer to Articles 15-22 GDPR for details on your data protection rights.

For any of the above requests, please send a description of your personal data concerned stating your name to the contact details below. We may require additional proof of identity to protect your personal data against unauthorized access. We will carefully consider your request and may discuss with you how it can best be fulfilled. Inquiries are processed by us immediately. In general, you will receive a response within one month.

If you have given us your consent for the processing of your personal you withdraw the consent at any time with future effect, i.e. the withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal. In case consent is withdrawn, we may only further process the personal data where there is another legal ground for the processing.

If you have any concerns about how your personal data is handled by us or wish to raise a complaint, you can contact us at the contact details below to have the matter investigated. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the competent data protection supervisory authority. In doing so, you have the choice of approaching the supervisory authority that is locally responsible for you or the supervisory authority that is responsible for us.

Are you required to provide personal data?

As a general principle, you will provide us with your personal data in connection with your application entirely voluntary. However, in certain circumstances we are required to collect certain personal data, for example because this personal data is required to carry out a legally required compliance screening or provide evidence of legally required trainings or qualifications. In these cases, if you do not provide us with the required personal information, we may be unable to properly conduct or continue your application process.

How long do we store personal data?

Your personal data will be deleted when it is no longer reasonably required for the Permitted Purposes or you withdraw your consent (where applicable) and we are not legally required or otherwise permitted to continue storing such data. We will in particular retain your personal data where required and appropriate for us to assert or defend against legal claims until the end of the relevant retention period or until the claims in question have been settled.

What are the consequences of a violation?

The unlawful processing of personal data or other violations of data protection law may be subject to criminal and regulatory prosecution in many countries and may also result in claims for damages. Violations of this statement will be punished in accordance with internal regulations.

How to get in touch with us

If you have any questions regarding your rights or if you have any specific requests relating to your personal data please contact us at:


Prinzregentenplatz 9

81675 Munich


Phone: +49 (0) 89 143770064


The contact details of our data protection officer are as follows:

Pridatect SL
Av. Josep Tarradellas 8-10,5º4ª, 08029, Barcelona
Commercial register number: B67077727

Updates of this data privacy policy

This Data Privacy Policy was last updated in September 2021. We reserve the right to update and change this Data Protection Notice from time to time in order to reflect changes in the way we use your personal data or changing legal requirements. We will publish the changes at /privacy-careers. Any amended Data Privacy Policy will apply from the date it is posted on our intranet or otherwise made available to you.