Applicant Privacy Policy

Dear Applicants,

Spryker enables companies to create winning transactional business models in B2B, Enterprise Marketplaces, Unified Commerce and B2C. It is the most modern cloud native platform-as-a-service solution. The Spryker software is headless, API based, enterprise-ready, and loved by customers, partners, sales, marketeers and developers worldwide.

Spryker is built out of trust and true innovation to create the most flexible and agile commerce software on the market. This requires a special mindset, relentless human effort, and lots of collaboration within our team, which we proudly call “Our Herd”.

In accordance with the provisions of Articles 13 and 14 GDPR, we hereby inform you, as Applicant and possible new Herd member, about the processing of personal data collected about you and about your rights in connection with the data processing at Spryker Systems GmbH (“Spryker”). To ensure that you are fully informed about the processing of your personal data in the context of your employment at Spryker, please take note of the following information.

The protection of personal data is very important to Spryker. Spryker processes your personal data for the purpose of your employment. Your personal data will be handled in strict confidence and in accordance with the relevant German and European data protection legislation.

We are committed to protecting your personal data, as well as achieving and maintaining your Trust in how we collect, process and handle that data. Protecting your privacy is very important to us, and central to the entire Spryker Herd.

This Privacy Policy applies to all personal data we collect or process about you in relation to your employment (regardless of whether you are a full time employee, a part time employee, a temporary employee, or an intern). Personal data is information, or a combination of pieces of information, that could reasonably allow you to be identified.

This privacy notice has been drafted and implemented in accordance with the principles set forth in the Spryker Privacy Policy, and describes how Spryker Systems GmbH and its affiliates (“we”, “us”, or “Spryker”) collect and process your personal data, how we use and protect this data, when and how we may share this data, and your rights in relation to this data.

Spryker (and each of its affiliates) is the controller responsible for the personal data we collect and process. A list of Spryker’s affiliates can be found here:

Spryker Systems GmbH

Berlin: Heidestrasse 9-10, 10557 Berlin, GERMANY | Hamburg: Spitaler Straße 3, 20095 Hamburg, GERMANY
Registration: Local Court of Hamburg (HRB 134310)
Managing Directors: Alexander Graf, Boris Lokschin

Spryker Systems America Inc.
80 Pine Street, Floor 24, New York, NY 10005, US
Director: Boris Lokschin

Spryker International GmbH
Berlin: Heidestrasse 9-10, 10557 Berlin, GERMANY | Hamburg: Spitaler Straße 3, 20095 Hamburg, GERMANY
Managing Directors: Alexander Graf, Boris Lokschin

Spryker Systems Ltd.
170 Edmund Street, Birmingham B3 2JA, UK
Managing Director: Boris Lokschin

Spryker Systems Australia Pty Ltd.
Level 6, 8 Spring Street, Sydney NSW 2000, AUSTRALIA
Managing Director: Andres Reith

Body Responsible for Data Processing


The person responsible for data protection law, in keeping with the General Data Protection Regulation (“GDPR”), as well as all other applicable data protection regulations of the EU, is:

Spryker Systems GmbH
Heidestraße 9-10
10557 Berlin
Germany

T +49 (30) 2084 983 50

W www.spryker.com

M [email protected]

How to reach out to Spryker’s data protection officer

The external company data protection officer of Spryker can be reached under:

Jentzsch IT
Dr. Jana Jentzsch
Alsterarkaden 13
20354 Hamburg
Germany
+49 40 228683860

I. For what purposes do we process your personal data?


Spryker processes your personal data particularly in compliance with the GDPR and the BDSG. By submitting an application via our recruitment website or third-party recruitment pages, you express your interest in taking up work with us. In this context, you transmit personal data, which we will use and store exclusively for the purpose of your job search / application process, to assess your application for the job offered and to communicate with you within the recruitment process.

In addition, your personal data may be used for the following purposes:

  • Based on your consent to contact you in case of an alternative career opportunity within Spryker or a Spryker Group Company (“Spryker Group Talent pool”).
  • To contact you following your unsolicited application.

If an employment relationship is established, also for the execution of the employment relationship.

II. What is the legal basis of our processing?


In the first place, data processing is used to justify the employment relationship. The primary legal basis for this is Article 6 (1) (b) GDPR and Section 26 (1) BDSG.

In case you consent to the storage of your data in our Talent Pool, the processing of your data is based on Article 6 (1) (a), 7 GDPR in conjunction with Section 26 (2) BDSG. You can withdraw your consent at any time with effect for the future.

In the event that vital interests are impaired on your part or in the case of another individual, which require the processing of personal data, Article 6 (1) (d) GDPR is the legal basis for that processing.

Your data can also be processed by Spryker in order to be able to fulfil existing legal obligations if necessary. This is done on the basis of Article 6 (1) (c) GDPR and Section 26 BDSG.

If necessary, Spryker also processes your data on the basis of Article 6 (1) (f) GDPR in order to safeguard legitimate interests of Spryker or third parties (e.g., authorities). Spryker processes your personal data as part of its legitimate interest in ensuring IT-security and IT-operations. In any event, the existence of a legitimate interest is carefully considered, as to whether your interests may outweigh ours.

To the extent that special categories of personal data are processed in accordance with Article 9 (1) GDPR, this serves to exercise rights or to fulfil rights or the fulfilment of legal obligations arising from labor law, social security law and social protection (e.g. disclosure of health data to the health insurance company, recording of a serious disability for determining the severe disability levy). This is done on the basis of Article 9 (b) GDPR and Section 26 (3) BDSG.

In addition, the processing of health data may be necessary for the assessment of your ability to work in accordance with Article 9 (2) GDPR and Section 22 (b) BDSG or other comparable national regulations. In addition, the processing of special categories of personal data may be based on consent under Article 9 (2) (a) GDPR and Section 26 (2) BDSG (e.g., occupational health management). When we obtain information from your public profile on professional social networks, such as LinkedIn, we base this processing on our legitimate interest to build a decision base in order to establish an employment relationship with you. The legal basis is Article 6 f) GDPR in conjunction with Article 9 (2) e) GDPR.

Furthermore, we may process personal data about you where this is necessary to defend ourselves against legal claims arising from the application process that are brought against us. The legal basis for this is Article 6 (1) b and f) GDPR; the legitimate interest is, for example, a burden of proof in proceedings under the German General Equal Treatment Act (“AGG”).

If Spryker wants to process your personal data for a purpose not mentioned above, Spryker will inform you beforehand.

III. What rights do you have?


To the extent that Spryker processes personal data from you, you are a “data subject” within the meaning of the GDPR. As data subject, you are entitled to the following rights with regards to Spryker:

1. Right to Information Regarding Processing
You can request information from Spryker at any time, within the scope of the legal regulations (see Article 15 GDPR) as to whether personal data is being processed by Spryker.

2. Right to Correction
You have the right to correct and/or complete your data with Spryker, if the processed personal data concerning you is incorrect or incomplete, see Article 16 GDPR.

3. Right to Restrict Processing
With these requirements in place (see Article 18 GDPR), you may request that the processing of your personal data be restricted.

4. Right to Deletion
You may request that the personal data concerning you be deleted immediately if the requirements are in place (see Article 17 GDPR). The right to deletion does not exist if the processing is necessary, due to contractual obligations to you or due to legal provisions.

5. Right to Information
If you have claimed the right to correct, delete, or restrict this processing against Spryker, Spryker is obliged to provide to all recipients to whom the personal data concerning you was disclosed, this correction or deletion of data or the restriction of processing. This does not apply to the extent that it proves impossible or involves disproportionate effort (see Article 19 GDPR). If you request this, we will inform you about these recipients.

6. Right to Data Transferability
You have the right to receive the personal data you have provided Spryker in a structured, common, and machine-readable format (see Article 20 GDPR). In addition, you have the right to transmit this data to any other company without hindrance through Spryker, provided that conditions are available.

7. Right to Object
For reasons arising from your particular situation, you have the right to object at any time to the processing of the personal data concerning you, which is provided under Article 6 (1) (f) GDPR. As a result of the objection, Spryker will no longer process the personal data relating to you, unless Spryker can prove legitimate, compelling reasons for processing which outweigh your interests, rights, and freedoms, or when processing is used for the enforcement, exercise, or defense of legal claims.

You can inform Spryker or our data protection officer directly about your objection (please find contact data in Section 1 and 2).

8. Right to Revoke your Consent
If you have submitted consent, you can revoke it at any time from Spryker (see Article 7 GDPR). The revocation of consent does not affect the legality of the processing carried out on the basis of consent up until the revocation. In addition, in certain cases it is possible that Spryker will remain permitted to process it on the basis of other legal bases.

9. Right to Lodge a Complaint at a Supervisory Authority
Regardless of any other administrative or judicial appeal, you have the right to lodge a complaint at a supervisory authority if you believe that the processing of the personal data concerning you violates the GDPR (see Article 77 GDPR).

IV. What personal data do we process?

1. Data we collect directly from you
Identifiers:
a. personal (e.g., name, date of birth) and contact details (e.g. phone number, email address, postal address, mobile number).
b. information about family and dependents (e.g., for emergency contact purposes, for benefits, for tax withholdings or for global mobility purposes including visa information).
c. citizenship or immigration information (e.g., passport details, driver’s license information, government identification number, citizenship or immigration status).

Visual and Biometric Information:
a. photographs and/or biometric data (the latter only where required for security purposes).

Professional, Financial and Educational Information:
a. educational details (e.g., educational history, qualifications, certifications, skills) and job history (e.g. previous employment, roles, performance history).
b. employment and compensation information (e.g., bank account details, payroll information, employee benefits, tax information, equity plan participation).

Characteristics:
a. data for diversity monitoring, where allowed by law (e.g., race, ethnicity, gender, sexual orientation, veteran status and/or disability).

Health Information:
a. information about physical or mental health or disabilities (e.g., information you provide when requesting an accommodation, for a health-related leave of absence or when seeking assistance with the processing of an insurance claim).

Internet Activity Information:
a. information submitted through voluntary surveys or assessments (e.g., Employee Survey).
b. any other personal information or data voluntarily disclosed (e.g., over email, Chatter, data repositories, etc.).

  • Your full name
  • Your full address
  • Your phone number
  • Your email address
  • Your possible start day
  • Your desired salary
  • Your application photo
  • Your date of birth
  • Your birthplace
  • Your nationality and/or citizenship
  • Your gender
  • Information about your schooling, studies, vocational training, and further education
  • Your language skills
  • Your IT knowledge
  • Other qualifications and your motivations
  • Information about your career
  • Your application documents, such as cover letters, references, and CV
  • LinkedIn Profile etc.

We collect personal data directly from you or from our external partners, e.g. headhunters, embedded recruiters. We can also obtain information from professional social networks, such as LinkedIn, job boards, and from other publicly accessible sources (only information relevant to your professional life) for the purposes of actively approaching you with job offers or for the purpose of confirming the accuracy of the information presented by you within the course of the application.

You are under no obligation to provide us with information that, under the General Act of Equal Treatment (“AGG”), cannot be used (such as race, ethnic origin, gender, religion or beliefs, disability, age, or sexual identity). The same goes for application photos, illnesses, pregnancy, ethnic origin, political beliefs, philosophical or religious beliefs, union membership, physical or mental health, or sex life.

Personal data will only be processed for purposes related to your interest in current or future employment at Spryker and the processing of your application.
If your application to Spryker is successful, Spryker is entitled to continue using the data provided as part of employment with Spryker. In case your application is successful we may store your personal data within the subsequent employment in compliance with the applicable legal regulations. More information can be found in the Data Privacy Statement for employees that we will provide to you on acceptance of the job.

Only authorized HR staff and/or staff involved in the application process have access to your data. All Spryker employees are required to maintain confidentiality of personal data.

V. Spryker Group Talent Pool


As part of “Spryker Group’s Talent Pool”, we offer you the option of storing your data for a longer period of time (365 days), so that it can be taken into account for future job placements. In the event that your application is considered for another vacancy at “Spryker Group” (please see Section 11), we will forward your application documents to the relevant department and/or respectively Spryker Group company and contact you by telephone or e-mail, if necessary. Spryker may also forward the data to countries outside the European Economic Area. However, the companies affiliated with Spryker will take the necessary steps to ensure that an appropriate level of data protection is maintained according to Article 44 et seq. GDPR. Before we will store your data in the “Spryker Group Talent Pool”, we will ask you for the consent to do so. If you do not give your consent to the inclusion of your data in the Spryker Group talent pool, you will not suffer any disadvantages in the current application process. You can revoke your consent at any time with effect for the future. To unsubscribe from the Spryker Group Talent Pool and stop receiving information on current job postings just send an email to: [email protected]

VI. How long will my data be stored?


Spryker deletes your personal data as soon as it is no longer necessary for the above-mentioned purposes and there are no legal documentation or record keeping requirements or retention periods to be met. In addition, however, it may be that European regulations, applicable national laws, or other regulations require a longer storage of the data we process. If these storage periods expire, we will delete your data or restrict the processing of it.

If we cannot offer you an employment at Spryker, generally, we will keep your data up to 6 months for the purpose of being able to answer questions related to your application and rejection, unless other record keeping requirements come into question.

Furthermore, we reserve the right to store your data for 365 days after the application process has been concluded for the purpose of adding it to our Talent Pool in order to identify any other vacancies that may be of interest to you.

VII. Disclosure of your personal data to third parties


Your personal data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by Controller to help manage its recruitment and hiring process on Controller’s behalf. Accordingly, if you are located outside of the United States, it may be that your data will be transferred to the United States once you submit it through this site. Please note that your data is stored on European Servers. If there is no legal legitimation, your data will not be transferred to the US. Because the European Union Commission has determined that United States data privacy laws do not ensure an adequate level of protection for personal data collected from EU data subjects, the transfer will be subject to appropriate additional safeguards under the standard contractual clauses and sufficient technical and organizational measures.

VIII. Forwarding of your data to the Spryker Group


Your data may also be shared with other Spryker Group Companies for the purpose of applying. This is the case, for example, if your application follows the vacancy in another Spryker Group Company or if you have submitted an unsolicited resume that is not limited to Spryker. The Spryker Group consists of Spryker Systems GmbH and:

Group Company | Address | Type
Spryker Systems Ltd. | 170 Edmund Street, Birmingham, West Midlands, England, B3 2HB | Subsidiary
Spryker Systems America Inc. | 80 Pine Street, Floor 24, New York, NY 10005, USA | Subsidiary
Spryker International GmbH | Heidestraße 9-10, 10557 Berlin, Germany | Subsidiary
Spryker Systems Australia Pty Ltd. | Level 6, 8 Spring Street, Sydney NSW 2000, AUSTRALIA | Subsidiary


Spryker may also forward the data to countries outside the European Economic Area. However, the companies affiliated with Spryker will take the necessary steps to ensure that an appropriate level of data protection is maintained according to Article 44 et seq. GDPR.

Your data will only be transmitted if you have given your consent to do so. The legal basis for the use of the data is Article 6 (1) (a) GDPR and Section 26 BDSG or similar national regulations, as far as you have consented to this separately or based on Spryker’s interest according to Article 6 (1) (f) GDPR if necessary for Spryker Group in the course of your application process. Your application will only be passed on if the content of your application relates thematically and regionally to the Spryker Group company in question. You can revoke your consent at any time with effect for the future. Your data will be deleted if it is no longer necessary to achieve the purpose.

IX. Concluding provisions

We reserve the right to adjust this Privacy Policy for Applicants at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the application process or other processes. In this case, the new Privacy Policy applies to any later visit of this recruitment website or any later job application.
In addition to this Privacy Policy, please view our general Privacy Policy at https://spryker.com/en/privacy-policy/