Privacy Policy for the Job Application Portal of Munich International School e.V.

Last updated: 10 February 2025

1. Introduction

This Privacy Policy outlines how Munich International School e.V. („we,“ „our,„ or „the School“) processes and protects the personal data of individuals who apply for job openings through the job application portal hosted on https://careers-mis.de/ (the „Portal“). We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The security and lawful processing of your data are of utmost importance to us.

2. Controller

The controller responsible for data processing on this portal is: Munich International School e.V. Schloss Buchhof 82319 Starnberg, Germany +49 (0) 8151 3660 info@mis-munich.de If you have any questions regarding the processing of your personal data, you may contact us or our Data Protection Officer: Bernard Columberg dpo@mis-munich.de +49 (0) 8151 366 101

3. Categories of Personal Data Processed

We collect and process the following categories of personal data as part of the job application process:

• Personal identification details: Full name, date of birth, address, phone number, and email.
• Application materials: Curriculum vitae, cover letter, references, and certificates.
• Job-specific data: Job title, job ID, qualifications, and skills.
• Communication data: Messages, emails, or feedback related to your application.
• Technical data: IP addresses and access logs for security and maintenance purposes.

4. Purpose and Legal Basis for Data Processing

We process your personal data for the following purposes:

1. Application processing and recruitment: To manage your application and assess your qualifications for the relevant position.
   • Legal basis: Article 6(1)(b) GDPR (processing necessary for the performance of a contract or pre-contractual measures).
2. Communication with applicants: To provide updates on the status of your application.
   • Legal basis: Article 6(1)(f) GDPR (legitimate interest in efficient communication).
3. Compliance with legal obligations: To comply with legal retention periods or labor regulations.
   • Legal basis: Article 6(1)(c) GDPR (compliance with legal obligations).
4. Security monitoring and fraud prevention: To ensure the security of our systems.
   • Legal basis: Article 6(1)(f) GDPR (legitimate interest in IT security).

5. Data Sharing and Recipients

We share your data with the following third parties only when necessary for processing your application, hosting the site, or maintaining system security:

• Strato GmbH: Responsible for website hosting and infrastructure support, under a Data Processing Agreement (DPA) ensuring data security and GDPR compliance.
• Perbit Software GmbH: Manages the job application processing, stores your application materials temporarily, and facilitates communication between you and the HR department, under a DPA ensuring compliance with GDPR.
• Third-party job boards: If your application is posted to external job platforms like LinkedIn or StepStone.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by legal obligations. The retention periods are as follows:

• Unsuccessful applications: Data will be deleted after rejection.
• Successful applications: Data will be transferred to the employee record and retained in accordance with our employment policies.

The specific deletion periods for Perbit-hosted data are defined in their DPA.

7. Perbit Software GmbH as Data Processor

We use Perbit Software GmbH to manage job applications, host uploaded documents, and handle communication with applicants.

• Nature of the processing: Perbit processes data on behalf of the School, including storing application materials, categorizing data, and facilitating communication.
• Data storage location: Perbit’s data centers, located in Germany, ensure compliance with GDPR.
• Retention: Data is retained in accordance with the DPA established with Perbit Software GmbH, including a retention period for the application data. Data will be deleted or anonymized after the recruitment process concludes unless otherwise agreed.

For more information, you can review Perbit’s Privacy Policy.

8. Strato GmbH as Hosting Provider

Our job application portal is hosted by Strato GmbH, a German-based web hosting provider that ensures GDPR-compliant processing as outlined in the DPA established with them.

• Nature of the processing: Strato provides hosting services, maintains the infrastructure for the job application portal, and stores job application materials.
• Data storage location: Data is stored in Strato’s data centers in Germany, ensuring compliance with European data protection laws.
• Data security measures: Strato ensures data security through:
  • Encrypted data transmissions (SSL/TLS)
  • Regular data backups
  • Physical and technical access controls
• Retention period: Strato retains data during the contract period and deletes stored data after the contract terminates, in accordance with the statutory retention period (typically up to 10 years for financial and billing data).

You can find more details in Strato’s Privacy Policy.

9. WordPress as CMS

The job application portal is built using WordPress CMS, but no personal data is processed or stored by WordPress itself, as we do not use WordPress services such as Jetpack, Akismet, or similar.

• Nature of processing: WordPress is used purely for managing content (i.e., the job application portal interface) and does not process or store personal data.
• Exclusion from data processing: No personal data is shared with or processed by WordPress.

10. Data Subject Rights

As a data subject, you have the following rights under GDPR:

• Right to access (Art. 15 GDPR): Request access to the personal data we hold about you.
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): Request deletion of your personal data.
• Right to restriction (Art. 18 GDPR): Restrict the processing of your data under certain conditions.
• Right to data portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used format.
• Right to object (Art. 21 GDPR): Object to the processing of your data under specific circumstances.
• Right to lodge a complaint: You have the right to file a complaint with the relevant data protection authority.

To exercise any of these rights, please contact us at [email address].

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These include:

• Encryption via SSL/TLS for data transmission.
• Regular security audits.
• Access controls and password-protected systems.

12. Data Transfers to Third Countries

While we do not transfer personal data to countries outside the European Economic Area (EEA), some third-party services (e.g., Perbit Software GmbH and Strato GmbH) may involve processing data in locations outside the EEA, such as their servers in Germany, under the appropriate GDPR compliance measures.

13. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy to reflect changes in legal requirements or our data processing practices. The latest version will always be available on the job application portal. For any questions regarding this Privacy Policy, please contact us at po@mis-munich.de