Issued on: August 31st, 2021
1. Contact details of the data controller and the data protection officer
idealo internet GmbH (hereinafter also referred to “idealo”, “we” or “us” ) is the data controller for the idealo careers website in accordance with the General Data Protection Regulation (GDPR). Our contact details are as follows:
idealo internet GmbH, Zimmerstrasse 50, 10888 Berlin, Germany
Phone: +49 30 56 83 83 70 Fax: +49 30 80 09 70 50 2 Email: firstname.lastname@example.org
Our data protection officer can be contacted at:
idealo internet GmbH Datenschutzbeauftragter, Zimmerstrasse 50, 10888 Berlin, Germany
In the following, we provide you with comprehensive information about the purposes for which and the scope within which we process your personal data during the use of the idealo careers website.
2. Collection and processing of personal data
When you use the idealo careers website, we process the personal data listed in Section 3. Furthermore, we process personal data in connection with the use of the idealo career site where you provide this data voluntarily, e.g. in the context of an application via the online application form, registration for the idealo Talent Pool, an enquiry sent to us, or because there is another legal basis for this (see Section 4).
3. Categories of data processed
As soon as you visit the idealo careers website, our system automatically collects technical information. This can include:
Information about the browser type and version used
Operating system of the device from which the request originates
Internet Protocol Address (IP Address)
Mobile device ID
Date and time of access
Web analysis data / pseudonymised user profile (cookie ID, Ad-ID etc., see below for more information)
Websites from which the user got to our website
Websites accessed by the user from our website
Furthermore, we process the following personal data where you have communicated it via the online application form, the third-party integrations “Apply with Indeed” and “Log in with LinkedIn” or via any other means:
Personal master data (name, address, date of birth)
Communication data (telephone number, email address)
Information about your professional and educational qualifications, your further training and coaching and anything else you have sent to us via your application
Career-related information in the public domain via so-called career networks, in particular Xing, LinkedIn, talent.io, honeypot.io and stackoverflow
4. Occasions, reasons for and content of processing
We process your personal data for the purposes of your employment application as far as this is necessary for making a decision about a future employment relationship with us. The legal basis for this is § 26 para. 1 BDSG (En: Federal Data Protection Act) and Art. 6 para. 1 lit. b GDPR.
Furthermore, we can also process your personal data as far as this is necessary to defend against legal claims arising from the application procedure that are lodged against idealo. The legal basis for this is Art. 6 para. 1 lit. f GDPR whereby the legitimate interest could, for example, be a burden of proof in regard to legal proceedings brought about under the Allgemeine Gleichbehandlungsgesetz (En: General Act on Equal Treatment). Upon the commencement of an employment relationship between you and us, we may process the personal data already received from you, as far as this is necessary, for the purposes of the employment relationship and the implementation or fulfilment of rights and obligations regarding the representation of the employees’ interests arising from a law, a collective agreement (Ger: Tarifvertrag) or a works agreement (Ger: Betriebsvereinbarung / Dienstvereinbarung), in accordance with § 26 para. 1 BDSG.
5. Location of processing of applicant data
We may send your personal data to companies affiliated with us as far as this is permissible in accordance with purposes and legal bases set out in Section 4. In addition, personal data in the form of contracts will be processed on our behalf pursuant to Art. 28 GDPR, in particular by the operator of our data centre and the provider of the applicant management system Recruitee (Recruitee B.V. Keizersgracht 313 1016 EE Amsterdam, Netherlands).
We ourselves do not transfer your personal data to countries outside of the European Economic Area ("EEA"), except in cases where it is permitted under the GDPR. In order to also ensure the protection of your personal rights in the context of these data transfers, we use the standard contractual clauses of the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR when drafting contractual relationships with recipients in third countries.
For the USA, the European Commission decided on 12th July 2016, that under the regulations of the EU-US Privacy Shield, an adequate level of data protection exists (adequacy decision, Art. 45 GDPR). Further information - including the certification of the service providers we use - is available at https://www.privacyshield.gov. We only use US service providers who are certified under the EU-US Privacy Shield.
6. Disclosure of your data to third parties
We will only disclose your personal data to third parties where such a transmission is necessary in order to fulfill our legal obligations to you, and where this is visibly done by or together with another provider (e.g. in the case of cooperation agreements), where we are otherwise legally entitled or obliged to disclose the data, or where you have provided us with the relevant consent.
In certain cases, we also use external service providers or affiliated companies, which we have contracted to process data for us in accordance with our instructions. Such service providers are contractually bound by us as data processors in compliance with the strict provisions of the GDPR, and are not permitted to use your data for any further purposes. Primarily, these are companies in the sectors of IT services and telecommunications. These include, for example, companies that provide us with software or computing capacity and companies that support us in the administration and maintenance of the systems.
This disclosure of data to processors takes place on the basis of Art. 28 para. 1 GDPR, or alternatively on the basis of our legitimate interest in the economic and technical benefits associated with the use of specialized data processors, Art. 6 para. 1 lit. f GDPR.
Where we are legally obliged to do so, or where this is permitted under data protection law, we will disclose personal data to public authorities, e.g. to police or the state prosecutor’s office (Art. 6 para. 1 lit. c GDPR). The disclosure of this data takes place on the basis of our legitimate interest in combatting abuse, the prosecution of crimes, and in safeguarding, asserting and enforcing claims, which are not considered to be outweighed by your rights and interests in the protection of your personal data, Art. 6 para. 1 lit. f GDPR.
7. Cookies and other technologies
idealo, and the partners named below and in the Privacy Settings, will save data to your device in part for the purposes of collecting information on the use of a website or app. Additional data, such as the IP address of the computer and information about the software being used, is also collected.
This typically involves the use of so-called cookies. Cookies are small files that your browser stores on your device in a folder created specifically for the purpose. Among other things, they can be used to determine whether you have ever visited a website before. If you decide to stay logged into your user account despite leaving the idealo websites, cookies can also be used to save your login data, so that you do not need to enter this data every time you access the site. Many cookies contain a unique identifier known as a cookie ID. This code consists of a sequence of characters that allow websites and servers to be mapped to the particular internet browser in which the cookie has been saved. This enables the websites that are visited to differentiate between the individual browser of a specific user and other internet browsers that contain different cookies. Cookies cannot identify you personally without additional information. Whenever an app is used, a technology comparable in its function to cookies is used instead, such as the operating system-specific advertising ID, vendor ID or a randomly generated user ID.
We use different types of cookies. On the one hand, we use technical cookies, without which the functionality of the idealo websites and certain features would be restricted. On the other, we use optional analysis and marketing cookies, in order to make our services more user friendly and market them in such a way.
In order that we may offer our services, guarantee the security of the website, prevent fraud, fix errors and make content technically available on the website, the use of certain cookies and similar technologies is required (special categories). The settings you have made in the privacy settings, and the consent you have given or objections you have made to cookies, are also stored on your device. The use of these cookies is necessary, so that we can provide the service you expect of us. Further information on these special cookie categories can be obtained from the Privacy Settings.
b. Recruitee Cookies
The provider of the applicant management system used by idealo, Recruitee (see above) sets the following cookies:
_recruitee_careers > Saves the previously visited site via which the user reached the idealo careers site. This cookie is deleted at the end of the session.
allow_cookies > Saves the acknowledgment of the notification on cookie use. Specifically when the “OK” button is clicked in response to the cookie notification. This cookie is deleted after one year.
c. Other services
To conduct surveys to determine the Candidate Experience, we use the services of Starred B.V., Singel 542, 1017 AZ Amsterdam, The Netherlands ("Starred"). For this purpose, the following personal information will be stored and processed for a period of 30 days on servers of AWS (Amazon Web Services) in Ireland, EU:
For the automation purposes within the scope of applicant management, we use the workflow automation software "Zapier" from Zapier, Inc. 548 Market St. #62411; San Francisco, CA 94104-5401, USA. To this end, Recruitee submits the following personal information to Zapier to trigger automated email delivery for participation in surveys to determine the Candidate Experience by Starred:
8. Web analysis, marketing
In order to adapt our content to the interests of our users, to display usage-based online advertising and to measure the success of our advertising, we use a number of services that collect data from our website and analyse this data for us. Where these service providers are not themselves the data controller with specific regard to data protection legislation, they are always bound by instructions when processing the pseudonymised user data on the basis of a data processing agreement. The legal basis for this processing is always Art. 6 para. 1 lit. f GDPR.
In the following, you can find details of the analysis services and marketing partners we use:
a. Facebook Website Custom Audiences and Conversion Pixel
Within our website, we use the “Website Custom Audiences” pixel operated by the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA. This involves so-called tracking pixels being integrated into our websites. When you visit our websites, the tracking pixel allows a direct connection to be created between your browser and the Facebook server. Facebook receives from your browser, amongst other things, the information that our website was accessed from your device. If you are a Facebook user, Facebook can thus collate the visit to our websites with your user account. Please note that we have no knowledge of the content of the data transmitted, or of how this data is used by Facebook. We are only able to select targeted groups of Facebook users (specific ages, interests etc.) to whom our advertising should be shown. In the process, we use one of two functions of Custom Audiences, whereby no data sets, and in particular no email addresses of our users - neither encrypted nor unencrypted - are transmitted to Facebook.
b. indeed Conversion Tracker
We use the conversion tracker provided by Indeed (Indeed Ireland Operations Limited, 124 St. Stephen’s Green, Dublin 2, Ireland). The conversion tracker is used to measure the success of premium recruitment advertising and recruitment marketing campaigns posted on indeed.com as well as to create invoices based on the exact number of applicants. Therefore the Indeed conversion tracker is integrated into the confirmation page (post-apply page) which appears after an online application has been successfully sent. Every successful application is reported back to Indeed when the candidate started his/her search on indeed regardless of the candidate’s activity in the meantime.
Use of the Indeed conversion tracker occurs whenever we set the marketing solutions within the framework of the Premium Ad placements and Indeed Targeted Ads to “Apply”.
Whenever the integrated “Apply with indeed” function is used, Indeed may also save its own cookies on your computer.
More information can be found at https://de.indeed.com/legal
c. LinkedIn Insight-Tag
The LinkedIn Insight Tag collects data relating to visits to our website, including URL, referrer URL, IP address, device and browser characteristics (User Agent) and a timestamp. This data is encrypted, the IP addresses are truncated and the direct IDs of LinkedIn members are removed within seven days in order to pseudonymise the data. The pseudonymised data that remains is then deleted by LinkedIn within 180 days.
LinkedIn does not share personal data with the website owner, it only provides reports about the website audience and ad performance. LinkedIn also provides retargeting for website visitors, enabling the website owner to show personalised ads away from his/her website by using this data, but without identifying the member. LinkedIn members can control the use of their personal data for advertising purposes via their account settings.
Whenever the integrated “LinkedIn Apply” function is used, LinkedIn may also save its own cookies on your computer.
d. Google Ads
We have integrated Google AdWords on this website. Google AdWords is an online advertising service that allows advertisers to place advertisements both in the search results of Google and in Google’s advertising network. Google AdWords allows an advertiser to predefine certain keywords, by means of which an advertisement is displayed in the search results of Google exclusively when the user of the search engine accesses search results related to the keyword. In the Google advertising network, the advertisements are distributed to thematically relevant websites using an automated algorithm with reference to the predefined keywords. The operating company of the services of Google AdWords is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA. The purpose of Google AdWords is to promote our website by displaying interest-based advertising on the websites of third-party companies and in the search results of the Google search engine, as well as displaying third-party advertising on our website. If you come to our website via a Google advertisement, Google saves a so-called conversion cookie to your browser. The definition of cookies is available above. A conversion cookie becomes invalid after thirty days and is not used to identify the data subject. Until the conversion cookie expires, it is used to determine whether certain sub-pages, for example a job advert, are accessed on our website. The conversion cookie allows both us and Google to track whether a data subject that comes to our website via an AdWords advertisement successfully completed an online job application or interrupted the process of completing an online job application.
The data and information collected by the conversion cookie is used by Google to create visitor statistics for our website. In turn, these are used by us to determine the total number of users that have accessed idealo via AdWords advertisements, and thus to determine the success or failure of the respective AdWords advertisements, and to optimise these for the future. Neither our company nor any other advertising customers from Google AdWords receive information from Google that could allow the data subject to be identified.
The conversion cookie saves personal information, for example the websites visited by the data subject. For each visit to our websites, personal data is sent to Google in the USA, including the IP address of the internet connection used by the data subject. This personal data is saved by Google in the USA. Under certain circumstances, Google may disclose the personal data collected using this technical process to third parties.
You can prevent cookies from being used by our website at any time by adjusting the corresponding setting in the internet browser used, and thus permanently opt out. Activating this setting in the internet browser in use would also prevent Google from saving a conversion cookie on your information technology system. Furthermore, you can delete any cookie saved by Google AdWords at any time using your internet browser or other software programs. You also have the option of withdrawing consent for the display of interest-based advertising from Google. To do this, you should access the link https://adssettings.google.com... and change the desired settings in each internet browser that you use.
e. Google Analytics
We have integrated Google Analytics (with anonymisation function). Google Analytics is a web analysis service which collects and evaluates data regarding the behaviour of visitors to websites. A web analysis service collects data, amongst other things, about the websites from which a data subject arrived at another website (known as the referrer), which sub-pages of the website were accessed, or how often and for how long a sub-page was viewed. A web analysis is predominantly used for optimisation of a website and for the cost-benefit analysis of online advertising.
The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA.
For the web analysis via Google Analytics we use the suffix "_gat._anonymizeIp". This suffix means that the IP address of the internet connection used by the data subject is abbreviated and anonymised by Google if the access to our websites originates in a Member State of the European Union or from another signatory state to the Treaty on the European Economic Area.
The purpose of the Google Analytics component is the analysis of visitor traffic on our website. Google uses the data and information obtained, amongst other things, to analyse the use of our website, in order to compile online reports for us which identify the activities on our websites, and in order to provide additional services relating to the use of our website.
We use the Google Analytics feature “Demographic and Interests Reporting”. In order to compile these statistical reports, Google makes use of data that Google has collected in connection with interest-based advertising and visitor data (e.g. age, gender and interests) from third-party providers. idealo cannot associate this data with a specific person or a specific user ID, but Google may be able to do so. You can opt out of data collection by Google by turning Google “ad personalisation” off at the following link: https://www.google.de/settings/ads.
We also use the Google Analytics feature “Google Signals”. This feature provides aggregated reports on cross-device user counts as well as different groups of users based on the different device combinations they use. This information is not associated for us with a specific person or a specific user ID. However, in order to compile these reports, Google uses the data of its users who have the “ad personalisation” option turned on in their Google account settings. For this reason, we assume that Google can associate the data with specific users who have Google accounts. You can opt out of the collection of data via Google Signals by turning Google “ad personalisation” off in your Google account: https://support.google.com/ads/answer/2662922?hl=en.
f. Google DoubleClick and Campaign Manager
We have integrated components of DoubleClick by Google on this website. DoubleClick is a brand owned by Google, under which predominantly online marketing solutions are marketed to advertising agencies and publishers.
The operating company of DoubleClick by Google is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA.
DoubleClick by Google transmits data to the DoubleClick server with every page impression, as well as with clicks or other activities. Each of these data transfers triggers a cookie request to the browser of the data subject. If the browser accepts this request, DoubleClick saves a cookie on the information technology system of the data subject. The definition of cookies can be found above. The purpose of the cookies is to optimise and display advertising. The cookie is used, amongst other things, to identify and display advertising that is relevant to the user, and to prepare reports about advertising campaigns and improve such campaigns. The cookie is also used to prevent multiple versions of the same advertisement being displayed.
DoubleClick uses a cookie ID which is necessary for the handling of the technical process. The cookie ID is required, for example, to display an advertisement in a browser. DoubleClick can additionally use the cookie ID to record which advertisements have already been displayed in a browser in order to avoid displaying duplicates. The cookie ID also enables DoubleClick to record conversions. Conversions are recorded, for example, when a user was previously shown a DoubleClick advertisement, and then subsequently uses the same internet browser to complete a purchase on the website of the advertiser.
A cookie from DoubleClick contains no personal data. A DoubleClick cookie can, however, contain additional campaign IDs. A campaign ID serves to identify the campaigns with which the user has already been in contact.
Each time one of the individual pages of this website, which we operate and on which a DoubleClick component has been integrated, is visited, your internet browser is automatically prompted by the respective DoubleClick component to send data to Google for the purposes of online advertising and the invoicing of commissions. Within the framework of the technical process, Google receives knowledge of data that Google also uses for the creation of commission invoices. Google can determine, amongst other things, that the data subject has clicked certain links on our website.
You can prevent cookies from being used by our website at any time, as already described above, by adjusting the corresponding setting in the internet browser used, and thus permanently opting out. Activating this setting in the internet browser would also prevent Google from saving a cookie on your information technology system. Furthermore, cookies already saved by Google can be deleted at any time using your internet browser or other software programs. Detailed information on opting out of cookies can be found here: https://policies.google.com/technologies/ads?hl=en-GB.
g. Google Tag Manager
idealo uses the Tag Manager from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Tags are the IDs of data elements. Tracking pixels from the third-party providers named here are loaded on the websites. The Tag Manager tool itself (which implements the tags) is a cookie-free domain and does not record personal data. The tool ensures that other tags are triggered, which in turn may record data. However, Google Tag Manager does not access this data. Further information is available here: https://www.google.com/intl/en... and https://policies.google.com/pr... .
9. Social Networks
Icons from social networks which we have included on our careers site function solely as links, i.e. you can access the respective social network via our website. No data transfer occurs as a result of these icons being displayed.
YouTube is an internet video portal that enables video publishers to upload video clips and other users to view, rate and comment on these videos for free.
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA.
The aforementioned services are often not implemented by plug-ins on smartphones and tablets, but by a device-internal “sharing” function. Depending on how its settings are configured, information can also be provided to other social media service providers. For details, please refer to the user information of your device.
Please note that when YouTube components are displayed on the careers site, information relating to your browser, device and connection is sent to YouTube so that the content can be correctly displayed. We are currently working on a more privacy-friendly integration of these components.
11. Retention period
Retention period of applicant data
We store your personal data for as long as this is necessary for making a decision about your application. If no employment relationship arises between you and us, your application documents will be deleted no later than 120 days after we have notified you of a rejection unless you have consented to a longer retention period or we are entitled or obliged to do so for other reasons.
Retention period of analysis and marketing data
The exact retention period of a cookie can be found in the respective cookie by displaying this cookie in your browser.
12. Contact data and your rights as the data subject
If you have any questions or suggestions regarding data protection or how to exercise your rights as the data subject, please contact our data protection officer at any time via the address provided above.
a. Revocation of consent/Objection to the processing of data
You may revoke your previously given consent at any point in time, with effect for the future, by contacting the address provided above.
Furthermore, you have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out on the basis of a legitimate or public interest. This also applies to profiling based on these provisions. In the event of an objection, we will no longer process personal data unless we can prove compelling and legitimate reasons for processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
If we process personal data for direct marketing purposes, you have the right to object at any time to the processing of the personal data for the purpose of such advertising by contacting us at the aforementioned contact address. This also applies to profiling, insofar as it is associated with such direct marketing. In addition, you have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you for scientific or historical research purposes, or for statistical purposes, unless such processing is necessary for the performance of a task carried out for reasons of public interest.
b. Art. 15 GDPR – right of access for the data subject:
You have the right to request confirmation from us as to whether personal data relating to you is processed and, if so, what data this entails as well as the specific circumstances surrounding the processing of data.
c. Art. 16 GDPR – right to rectification:
You have the right to request that we immediately rectify any incorrect personal data concerning you. Taking into account the purposes of the processing, you also have the right to request that incomplete personal data concerning you be completed, also by means of a supplementary declaration.
d. Art. 17 GDPR – right to erasure:
You have the right to request that we immediately erase personal data concerning you if and to the extent the legal requirements to this regard are met.
e. Art. 18 GDPR – right to the restriction of processing:
You have the right to restrict the processing if and to the extent the legal requirements are met.
f. Art. 20 GDPR – right to data portability:
If data is processed by virtue of consent or in order to fulfil a contract, you have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format, and in so far that it is technically feasible, to transmit this data to another controller without us impeding this process or to have this data directly transferred to another controller.
g. Art. 77 GDPR in connection with Section 19 of the Federal Data Protection Act (BDSG) (new) – right to lodge a complaint with a supervisory authority:
You have the right to lodge a complaint with a regulatory authority at any time, in particular in the Member State of your habitual residence, your place of work or the place of alleged infringement, if you believe that the processing of personal data concerning you infringes existing law.
The regulatory authority responsible for idealo is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (EN: Data Protection and Freedom of Information Commissioner for the State of Berlin)
Friedrichstr. 219, Visitor’s entrance: Puttkamerstraße 16 – 18 (5th floor), 10969 Berlin
Telephone: +49 30 13889-0
Telefax: +49 30 2155050
h. Existence of automated decision-making
We refrain from automatic decision-making including profiling according to Art. 22 GDPR.