Data protection notice for application procedures

We have drawn up this data protection notice to inform you about how personal data is processed in our online application process.

1. Contact data of the controller

Fotografen Online Service GmbH

Hausvogteiplatz 12

10117 Berlin

Contact data of our data protection officer

ISiCO Datenschutz GmbH

Am Hamburger Bhf 4, 10557 Berlin


2. Purpose of the data processing and legal bases

Online application form

You can apply to us for jobs we advertise via our online form. The purpose of the data processing is the selection of applicants for possible employment at Fotografen Online Service GmbH.

In order to receive and process your application, we gather the following applicant data:

  • given name and surname
  • e-mail address
  • telephone number
  • availability and
  • application documents (curriculum vitae and application letter).

You may also provide us voluntarily with additional information which you would like us to consider when reviewing your application (e.g. your preferred salary, additional documentation).

We will scrutinize your application and may get in touch with you, in particular, to make an appointment or clear up any queries.

When you apply for a job at we will not pass on your applicant data to third parties as a matter of basic principle. If you have any questions on data protection in the application procedure (for example questions about your rights under data protection law), kindly address yourself to or directly to our data protection officer at We will store your applicant data upon receipt of your application. If we accept your application and subsequently employ you, we will store your applicant data for as long as this is necessary for your employment and as long as we are under a legal obligation to do so.

If we reject your application, we will store your applicant data for a maximum of six months after that rejection unless you give us your consent to store them for a longer period ( talent pool). The data will be deleted automatically on expiry of that period.



In certain instances we access your public information on Linkedin through a Chrome extension to contact you in case we consider you fit one of our job postings. For this purpose we process your:


1. First & last name
2. Current location
3. List of current and past experiences
4. Skills
5. Recommendations (from current & past stakeholders)
6. Groups they are part of in LinkedIN
7. Their posts
8. Their educational background
9. How active you are in LinkedIN

We retain this information for 180 days after which period we delete the data if the applicant is not hired. talent pool

In conclusion of the application process, we will be glad to list your application data for a further 24 months in our talent pool. For this, it is necessary for you to give us your consent to the listing of the data in our talent pool. This way, we can identify other vacancy advertisements at and, if appropriate, get in touch with you again using the contact data stored. From time to time, but usually not more than once a week, we will then send you information about vacancies at which may be of interest to you, and/or get in touch with you again using the contact data stored. The data will be deleted on expiry of this period unless you have renewed your consent.


You may revoke your consent at any time with future effect by sending us an e-mail at


Communication with you and scheduling of appointments

To conclude the hiring procedure, and to conduct interviews with you, we process your:

  • Name
  • E-mail address
  • Photo

We store your data for the period necessary to conclude the recruitment process.


Tracking your behavior on the job posts page

To better understand how you interact with our job posts and to ensure an optimal experience, we track your behavior in these posts. For this purpose we process:

  • the screen size of your surfing device,
  • the device type and browser information,
  • the geographical location (only the country)
  • and the preferred language in order to display our website.

Areas of the websites in which personal data from you or third parties are displayed are automatically hidden by Hotjar and are therefore never traceable. In order to exclude a direct personal reference, IP addresses are only stored anonymously and processed further. However, Hotjar uses various third-party services such as Google Analytics and Optimizely. It may therefore be the case that these services collect data that is transmitted by your browser as part of web page requests. This would be, for example, cookies or your IP address.


We will retain this information for 8 months. We process these data based on your consent (GDPR Art.6.1a) collected via the cookie banner.


Use of Ashby Applicants Tracking System

We also use the applicant tracking system of Ashby, Inc., a Delaware Corporation, 49 Geary Street, Suite 411, San Francisco, CA, 94108, USA (“Ashby”).

We use Ashby to provide a web-based application process for recruiting employees and analyze the respective application process. Ashby offers you the functionality to apply to us directly via our website. The following personal data is processed by Ashby as a result:

  • First and last name;
  • Contact information (e.g. e-mail address);
  • Education and work history provided in resumes;
  • Interview feedback;
  • Communication data;
  • Other personal data that you voluntarily provide in your application.

If you provide special categories of personal data within the meaning of Art. 9 (1) GDPR, these will also be transmitted to Ashby and processed by Ashby. For more information about Ashby’s processing of data, please click here.


We store your personal data upon receipt of your application. If we accept your application and an the employment relationship is established, we will store your application data for as long as it is necessary for the employment relationship and to the extent that legal regulations require us to retain it.

If we reject your application, we will store your application data for a maximum of twelve months after rejecting your application, unless you give us your consent to store it for a longer period. If you have given us your consent separately, we will store the data you submitted as part of your application in our pool of applicants for a further 24 months after the end of the application process in order to identify any other positions that may be of interest to you and, if necessary, to approach you again. After this period, the data will be deleted. You can revoke this consent for the future at any time by sending us an e-mail to


3. Legal bases of processing


The legal bases for the processing of your applicant data are

  • Section 26 2. Sentence 1. of the BDSG (in conjunction with Art. 6 1. Sentence 1 (a) of the GDPR) on the basis of consent given by you.

If special categories of personal data (e.g. health data as in Art. 9 of the GDPR) are processed, this is done on the basis of Section 26 3. Sentence 1 of the BDSG (in conjunction with Art. 9 2. (b) of the GDPR) for the exercising of rights or the fulfillment of legal obligations under industrial relations law, the law on social security, and the law on social protection.

Please note that curricula vitae and references in particular, and other data that you send us for the purposes of the application, may also include particularly sensitive data (as in Art. 9 of the GDPR). We, therefore, recommend you not provide any information involving particularly sensitive data. If you do give us information of this kind, we will only use it to enable ourselves to keep your documents on hand and process your application in accordance with that information.


For the purpose of communication and appointments scheduling, we rely on the following legal base to process your data:

  • Taking pre-contractual steps to enter into a contract, at the request of the data subject pursuant to Article 6.1 (b) of the GDPR

For the purpose of tracking your behavior regarding our job posts, we rely on your consent (GDPR Art.6.1a).

For the purpose of recruiting employees and analyzing the respective application process via Ashby, we rely on the basis of  Art. 88 (1) GDPR in conjunction with Sect. 26 (1) BDSG (data processing for purposes of the employment relationship).

For sourcing candidates we rely on our legitimate interest (GDPR Art.6.1f) of finding the best candidate for a job opening.


4. Recipients of your personal data


For our applicant system, we use the external service provider Personio (Personio GmbH, Buttermelcherstrasse 16, 80469 Munich, hereinafter referred to as ‘Personio’). Applicant data is stored for us at Personio. The data are transmitted in encrypted form and stored exclusively in Germany on servers certified in accordance with ISO 27001. We have concluded a data processing contract with Personio pursuant to Art. 28 of the GDPR, which ensures that Personio only processes the data in accordance with our instructions and guarantees adherence to European data protection policy.


To communicate and schedule appointments with you we use:


1. Google Inc (communication)
2. Slack Technologies LLC (communication)


For applicants of IT positions (i.e developers, software engineers) the data is also shared with the:

1. Coderpad, Inc.

For tracking the applicant’s behavior in the job posts we use:

1. Hotjar Ltd

For recruiting and analyzing the application process we use:

1. Ashby, Inc.

We have concluded a data processing agreement with all the above-mentioned service providers.


5. Transfers of data


Part of the data processing described in this information on data protection can be done by our service providers, Indicated in this notice  When we pass on data to our service providers, they are only allowed to use that data in the fulfillment of their tasks. The service providers have been carefully selected and appointed by us. They are contractually bound by our instructions, have suitable technical and organizational measures at their disposal to protect the rights of data subjects, guarantee an appropriate level of data protection, and are carefully monitored by us.


Where data is transferred to a third country that does not have an adequacy decision from the European Commission, we have implemented appropriate safeguards to ensure data security (i.e. Standard Contractual Clauses). You can request a copy of the Standard Contractual Clauses by emailing us here:


Data may also be passed on in connection with inquiries by the authorities, court orders, and legal proceedings, if such passing on is necessary for prosecution or enforcement.


6. Your rights


You have the right to request information about the processing of your personal data by us at any time. We will explain the processing to you when providing that information and give you an overview of the stored data that relate to you.


If data stored by us are inaccurate or no longer up to date, you have the right to have that data rectified.


Moreover, you may call for the erasure of your data. If, in an exceptional case, erasure is not possible on account of other legal requirements, the data will be disabled, so that they are then available for that particular legal purpose only.


You may furthermore have the processing of your data restricted, for example, if you are of the opinion that the data stored by us are not correct. You also have a right to data portability, i.e. a right to have us send you a digital copy of the personal data you have provided on request.


To assert your rights as described here, you may apply using the above contact data at any time. The same applies if you wish to receive copies of guarantees of an appropriate level of data protection.


You have the right to withdraw your consent based on Article 7.3 of the GDPR. You can do so by contacting us at the following e-mail address:

Finally, you have the right to complain to the competent supervisory data protection authority by which we are governed. You may assert this right with a supervisory authority in the member state of your place of residence, the member state of your workplace, or the member state of the place where the infringement is presumed to have taken place. In Berlin, the competent supervisory authority is:


Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59-61

10555 Berlin

Time for change


Less admin work


Happier parents and schools


Satisfaction guaranteed for you or get your money back.*