Data privacy information for the Rheinmetall Group application process

Data privacy information for applicants

I. Controller

Rheinmetall AG uses its electronic application management system as a central recruiting service to handle the recruitment and application process for other Rheinmetall Group companies. The Rheinmetall Group company specified in the respective job advertisement is the controller for that job advertisement and the processing of personal data in the application process.

II. Personal data

When submitting your application, you must provide at least the following information:

  • First name
  • Last name
  • E-mail address
  • Phone number
  • Address
  • Cover letter
  • CV

You can provide additional application-relevant information in order to complete your application documents during the application process.

Rheinmetall intentionally does not collect special categories of personal data (information on racial and ethnic origin, political opinions, religious or ideological beliefs, trade union membership, health or sexual orientation, genetic and biometric data). We therefore ask you not to provide any of the above information during the application process.

If special information is required based on the position to be filled, such as:

  • Certificate of Good Conduct
  • SCHUFA report
  • Results of the aptitude test
  • Results of the medical screening test (suitable, not suitable, restricted/limited suitability)
  • Results of the SÜG security clearance check

We will inform you during the application process and obtain this information separately.

The provision of personal information is not required by law or contractually obligated, nor are you required to provide your personal information; however, the provision of personal data is required to complete the application process. In other words, if you do not provide us with personal data when applying, we will not be able to complete the application process.

III. Contact information for the Data Protection Officer

You can contact Rheinmetall AG's Data Protection Officer as follows:

Rheinmetall AG
Corporate Compliance
Data Protection Officer
Rheinmetall Platz 1
40476 Düsseldorf

IV. Data source

We generally receive the data directly from you as part of the application process.

If you are being taken into consideration for a job, we will compare your name against the sanctions and terrorist lists. For certain jobs, we will verify your information after discussing it with you. To do this, we may, if necessary, verify your information by contacting previous employers as well as Dun & Bradstreet, Thomson Reuters World Check, Google, XING, LinkedIn, and other social media platforms.

V. Purpose and legal basis of the processing

All of the personal data provided by you in the application portal, including the data from all of the attachments uploaded by you, will be processed by Rheinmetall AG or the Rheinmetall Group company responsible for the respective job advertisement exclusively for the purpose of your application.

The Rheinmetall Group processes your personal data in compliance with the EU's General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) as well as all other relevant laws.

Applicants' personal data may be processed for the purposes of the application process if it is needed to make a hiring decision. The legal basis is Section 26 (1) BDSG and Art. 6 para. 1 sentence 1 lit. b GDPR.

The necessity and extent of the data collection are assessed, among other things, according to the position to be filled. More extensive data collection may be required if the position you are seeking involves engaging in highly confidential work, increased personal and/or financial responsibility, or is subject to certain physical and health conditions. In order to ensure data protection, the data will only be processed after the applicants have been selected and immediately before they are hired.

In certain cases, we process your data to protect one of our legitimate interests or that of a third party

  • to defend against legal claims in legal proceedings in accordance with the General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz, AGG). In the event of a legal dispute, we have a legitimate interest in processing the data for evidentiary purposes.
  • As a company, we are required under EU law to participate in the fight against terrorism by comparing data against the EU lists of terrorist organizations under Council Regulations (EC) No. 2580/2001 and 881/2002. Persons and organizations listed on the terrorist lists may not be provided with funds (prohibition of provision). For this reason, we are obligated to compare names against our terrorist lists.
  • For certain positions, we are required to review the applicant and his/her details for due diligence reasons. In these cases we will perform a pre-employment screening. If a pre-employment screening is necessary for your position, we will inform you in advance about the nature, form and extent separately (personally).
  • The transfer of the data as part of a technical supervision is carried out by an employee of another Group company.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

If you have voluntarily consented to the processing of certain personal data, this consent constitutes the legal basis for the processing of this data (see sentence 1 of Art. 6(1)(a) GDPR and Section 26(2) BDSG). We will process your personal data based on your consent in the following cases:

  • Inclusion in the talent pool, i.e., we will save the application documents beyond the current application process for consideration in other subsequent application processes (see point X)
  • Submission of the application to Group companies on a national basis (see point XI)
  • Submission of the application to Group companies on an international basis (see point XII)

If, contrary to our request, you have disclosed special categories of personal data to us, the collection and storage of that data will be based on Art. 9(2)(e) GDPR. There will be no further processing of the data.

VI. Recipient of the personal data

Your personal data will be accessible to the responsible HR managers within the Rheinmetall Group and will be made available to selected executives in individual cases. This may include executives of other Group companies within the scope of technical supervision. Technical supervision means that specific topics are grouped together company-wide under one unified management for the entire group. It is therefore possible that, depending on the job advertised, you may be employed by one company, but your manager is employed by another company.

The applicant system is operated as Software as a Service by an IT service provider, so the IT service provider also has access to the system as part of its maintenance and service activities.

VII. Countries outside the European Union

Generally Your personal data will be processed in Rheinmetall Group companies within the EU.

If as the advertised position concerns employment within a Rheinmetall Group company outside the European Union and the European Economic Area ("EEA") or your technical supervisor works outside the EEA, your personal data will also be shared with the Group company. To protect your privacy, we take special measures to ensure that your personal information is processed in the third party countries just as securely as if it were within the European Union.

VIII. Retention period

We will store your personal data for as long as needed for the decision on your application. If an employment relationship does not materialize, we will store your data for another eight months, as this is necessary to defend against possible legal claims.

The deadline starts with completion of the individual application process (cancellation or hiring). This time applies for each of your applications.

If you are accepted into the talent pool (see point X) and your personal data is stored in the pool, the data will be deleted in accordance with the principles of the data protection law explained above with the proviso that we may request an update of your data after twenty-four months. If you do not respond to the request or do not update your information, we will remove you from the talent pool and delete your personal data and applicant profile.

IX. Rights of the data subject

All data subjects have

  • the right to information (Art. 15 of the GDPR),
  • the right to rectification (Art. 16 of the GDPR),
  • the right to erasure (Art. 17 of the GDPR),
  • the right to restrict processing (Art. 18 of the GDPR),
  • the right to object to the processing (Art. 21 of the GDPR) and
  • the right to data portability (Art. 20 of the GDPR).

With regard to the right to information and the right to erasure, the restrictions under Sections 34 and 35 of the BDSG apply.

You have, in accordance with Art. 21(1) of the GDPR, the right to object to the processing of your personal data that has been collected pursuant to sentence 1 in Art. 6(1)(e) of the GDPR (data processing carried out in the public interest) or pursuant to sentence 1 in Art. 6(1)(f) of the GDPR (data processing for the purposes of legitimate interests) at any time, for reasons arising from your particular situation. This also applies to profiling based on this provision. If you object to the processing, we will no longer process your personal information unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms or demonstrate that the processing is for the purposes of asserting, exercising or defending legal claims.

You may revoke your consent for the processing of personal data at any time. Please note that revocation of consent only has future effect.

You can request information about whether we have your personal information on file. If you would like, we can tell you what the data is, what the purpose of the data processing is, who disclosed it, how long the data is stored and what other rights you have with respect to that data.

In addition, you have the right to correct incorrect data or delete your data. If there is no reason for further storage, we will delete your data. Otherwise, we will restrict the processing. You may also request that we provide any personal information you provide to us in a structured, common and machine-readable format either to you or to any person or company of your choice.

You also have the right of appeal to the data protection supervisory authorities (Art. 77 of the GDPR in conjunction with Section 19 of the BDSG).

To exercise your rights, you can contact the controller or the data protection officer at the contact details provided above or the Recruiting Center at " Datenschutz-im-bewerbungsprozess@rheinmetall.com " or by mail to Recruiting Center, Hammfelddamm 7, 41460 Neuss under the subject "Data protection complaint." We will process your requests promptly and in accordance with legal requirements and inform you of the measures we have taken.

X. Inclusion in the talent pool

As part of the application process, we will examine whether we can add you to our talent pool. This is a database in which your applicant data is stored in order to be able to consider you for a suitable vacancy in the future. We would like to inform you about this opportunity and invite you to join our talent pool at a later stage in the application process. As part of this invitation, you will have the opportunity to consent to inclusion in the talent pool.

XI. Pre-Employment Screening (PES)

The PES only applies to selected jobs that are declared to be at risk according to a transparent system. In principle, the PES is currently planned for the following positions:

  • Executive Board members
  • Supervisory Board members
  • Managing directors
  • Management
  • Managers starting at the department head level as well as the department level in the areas of sales, purchasing, research and development, and finance
  • Positions in security-related areas such as corporate security, compliance officers and compliance managers
  • Legal representatives from the fields of anti-discrimination/diversity, the data protection officers, security officers, War Weapons Control Act (KWKG) representatives and security clearance check officers

If the job you are seeking requires a PES, we will inform you separately before carrying out the PES.

The PES includes:

  • Comparison with government and other sanction/terrorist lists (such as the EU Financial Sanctions List or OFAC list);
  • Financial background check through licensed search sources/databases (such as Dun & Bradstreet or Thomson Reuters World Check) and online research (e.g., Google or foreign search engines);
  • Review of social media platforms (e.g., professional networks or Twitter);
  • Verification of prior employment (current employer only after consultation and approval).

The following personal data will be processed as part of the PES:

  • Name;
  • Address (work and home);
  • Telephone and fax number / e-mail addresses;
  • Verification of the information in your CV;
  • Letters of reference;
  • Verification of education, training and other qualifications;
  • Financial background (Schufa report) - only performed when the position necessitates a high degree of trust, such as positions with budget responsibility or in security-relevant areas);
  • "Certificate of Good Conduct" from the police (only performed when the position necessitates a high degree of trust, such as positions with budget responsibility or in security-relevant areas).

The recipients of my personal data are the Rheinmetall Group Companies, with which I am seeking employment, as well as the Recruiting Center and the Compliance Assessment & Monitoring department of Rheinmetall AG.

You may reject or object to the data processing at any time at a later date with future effect, but we may not consider you for the selected position as a result.

The PES preventatively avoids compliance, security or other reputational risks associated with the selection of personnel and fulfills the company's obligation to take supervisory measures in the careful selection of personnel (Section 130 of the Administrative Offenses Act OWiG)).

Furthermore, the fundamental purpose of data processing activities is the general prevention of damage to the Rheinmetall Group and its various companies' reputations.

Permission to process data under the data protection law is determined by sentence 1 of Art. 6(1)(f) of the GDPR (legitimate interest) and, for the processing of special categories of personal data (see Art. 9(1) of the GDPR), only applies to data that the data subject has made publicly available (see Art. 9(2)(e) of the GDPR).

Specifically, the PES is intended to identify the following risks for the Rheinmetall Group:

  • Reputational damage from hiring "frauds"
  • Protection against terrorism and extremism
  • Danger of industrial espionage
  • Unwanted information leaks