The company specified in the job advertisement is responsible for data processing. The companies of the Bilfinger Group work closely together and have implemented a common Group policy on data protection to ensure the protection of the personal data of applicants and employees . You can contact the Group data protection department at dataprivacy@bilfinger.com

We process personal data that is collected or created by you when using the job portal, as well as personal data that is legitimately transmitted to us by authorized third parties (e.g., recruitment agencies, external job boards).

The processing of users' personal data is carried out for the following purposes:

• Creating a user account: This data is collected and processed in order to create a user account on the Bilfinger Job Portal.
• Setting up a profile: This data is processed in order to set up a candidate profile on the Bilfinger Job Portal.
• Applying via the Job Portal: This data is collected so that you can apply for job advertisements from Bilfinger companies via the Bilfinger Job Portal.
• Conducting job interviews: This data is processed for the purpose of conducting job interviews, either by telephone, online, or on site.
• Notification of new job vacancies: The data is processed for the purpose of voluntarily notifying you of new, suitable job vacancies.
• Sanctions list comparison: In order to fulfill our legal obligations under national and international sanctions regulations (in particular EU Regulations 881/2002 and 2580/2001), we process your personal data (name, date of birth if necessary) for the purpose of comparing it with relevant sanctions lists. This comparison is necessary to ensure that there are no legal obstacles to employment due to sanctions regulations.
  
  The comparison of personal data with international sanctions lists, in particular those of the UN, supranational sanctions lists of the EU, and national sanctions lists of EU and EEA member states, is carried out on the basis of Art. 6 (1) lit. c GDPR. In all other cases, in particular when comparing with sanctions lists of non-EU or non-EEA member states such as the USA (OFAC sanctions lists), the justification arises from our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

The data is processed on the basis of the following legal grounds:

• To carry out pre-contractual measures in accordance with Art. 6 (1) (b) GDPR (example: application via the job portal)
• To safeguard legitimate interests pursuant to Art. 6 (1) (f) GDPR (example: sanctions list comparison)
• On the basis of your consent pursuant to Art. 6 (1) (a) GDPR (example: notification of new job vacancies)

The following personal data is processed:

• Identification data (last name, first name, date of birth)
• Contact data (email address, telephone number, country (place of residence), region)
• Online data (date and time of account registration, IP address, password, candidate/applicant ID)
• Input data (resume, use of the portal (e.g., entering information about education, language skills, or uploading certificates))
• Application data (job posting ID, company applied to, video data for online interviews, if applicable).

When you use the Bilfinger Job Portal, we and selected third parties may use cookies and similar technologies to provide you with a better, faster, and more secure user experience. Cookies are small text files that your browser automatically creates and that are stored on your device when you use the Job Portal.

Our cookies and similar technologies have different functions:

• They may be technically necessary for the provision of our services.
• They help us to optimize our services technically.
• They help us improve your user experience (e.g., storing form data you have entered).

We use cookies and similar technologies that remain stored on your device only as long as your browser is active (session cookies), as well as cookies and similar technologies that remain stored on your device for longer (permanent cookies). Where possible, we take appropriate security measures to prevent unauthorized access to our cookies and similar technologies. A unique ID ensures that only we and/or selected third parties have access to cookie data.

Cookies used:

The data is processed internally and may be passed on to external service providers (processors pursuant to Art. 28 GDPR) to the extent necessary to fulfill the above-mentioned purposes.

• AEB SE: In the event of a contract offer, your data will be transferred to AEB prior to a contract offer for the purpose of conducting a sanctions list check. The AEB SE privacy policy can be found here: AEB SE - Privacy Policy .
• In the USA, the sanctions list check is only carried out after the contract offer has been sent.
• SAP SuccessFactors: The application management system used by Bilfinger.
  The SAP privacy policy can be found here: SAP Privacy Policy. SAP privacy policy can be found here: SAP Privacy Policy .
• AddToAny: A connection to the provider AddToAny is established to provide the "job sharing" and forwarding functions.
  The AddToAny privacy policy can be found here: AddToAny - Privacy Policy .

Further data transfer to recipients outside the company only takes place if this is justified by legal provisions, if the transfer is necessary for the execution of the employment contract, if we have your consent, or if we are authorized to provide information. Recipients under these conditions may include:

• Recipients to whom the transfer is directly necessary for the establishment/fulfillment of the contract or for the employment relationship. This varies depending on the type of position and company. For example:
  • e.g., in the context of a required company medical examination. To make an appointment, the surname, first name, and date of birth are sent to the company doctor before the contract is concluded. The results are sent to the persons concerned, who then Bilfinger of the inform "passed"/"failed"). If the person is hired, the passed examination is filed away. result (Bilfinger does not receive any health data, only the result "passed/failed."
• Authorities, courts, and consultants (e.g., lawyers), insofar as we are legally obliged to do so or this is necessary to protect our rights.
  • e.g., in the context of labor law lawsuits brought by applicants who feel disadvantaged.
• Relevant third parties in the context of a corporate transaction, if necessary.
• The email provider of the respective candidates has the technical capability to read emails. This is the responsibility of the applicants. Emails are generally sent unencrypted.

Personal data is processed on servers in member states of the European Union. As a rule, data is not transferred to third countries. If we do transfer your data to a third country, we ensure that appropriate safeguards are in place in accordance with Art. 44 ff. GDPR to guarantee an adequate level of data protection, e.g. by concluding EU standard contractual clauses.

The data will only be stored for as long as is necessary for a specific application and/or your registration on the portal. If the data processing is carried out in the legitimate interest of Bilfinger or a third party, the personal data will be deleted as soon as this interest no longer exists. Once the purpose of processing has been achieved, the data will be deleted in accordance with the statutory retention periods.

The following options are available to you for managing the type and scope of data we store about you:

• You can delete your entire account at any time.
• You can delete all or selected information in your profile.
• You can withdraw an application.

All three options will result in the deletion of your data, except for data that is required to be retained by law.

We will delete your account if you have not logged in for more than 12 months. In this case, you will receive a separate notification approximately 4 weeks in advance informing you of the upcoming deletion.

There is no comprehensive national data protection law in the United States (US). Instead, there are sector-specific data protection and data security laws at the federal level, as well as local data protection laws in the states.

Recruiters in the USA conduct a background check on all applicants in the application process using "First Advantage Background Check." For this purpose, the full name and email address are transmitted. If necessary, a comparison is made with the criminal record, a drug database, and social media screening. Information about First Advantage can be found here .

The sanctions list check is only carried out after a contract offer has been sent.

Some key federal US laws are:

• California Consumer Privacy Act of 2018 (CCPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Virginia Consumer Data Protection Act (VCDPA)

Users have the right to access, rectify, erase, restrict processing, the right to data portability, and the right to withdraw consent at any time. If you are a resident of France, you also have the right to digital legacy.

To exercise these rights, you can contact dataprivacy@bilfinger.com.

You can lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data violates the GDPR. The contact details of the European data protection authorities can be found here.