1. General

When you register with or when you use the Job Portal, we process certain personal data through which your identity can be determined (“personal data”). You provide this data when you create an account, set up a profile and/or apply for a job on the Job Portal. It may also be data that we have received from you or authorized third parties (e.g. approved recruitment agencies or external job exchanges that are authorized to forward personal data concerning you to us). In addition to the personal data collected through the Job Portal, we may also collect other personal data relating to you for certain purposes in connection with your profile in the Job Portal or with a particular job application (e.g. in connection with job interviews we conduct with you) to the extent permitted or required by applicable law. We collect this personal data so that you can create an account on the Job Portal, set up a profile and/or apply for a job. We would also like to keep you up to date (if you have consented) regarding new job postings, notify you of or recommend possible suitable job postings, contact you by email or phone about job postings, if applicable, and send you information about career opportunities.

2. Creating a user account and profile

When you create an account on the Portal (or if we do this with your consent on your behalf or if a third party platform at your request or a recruitment agency on your behalf), we collect the following personal data that concerns to you in order to create the account:

• Email address, password, first name, last name, phone number, country
• Account settings regarding the accessibility of your profile (recipient) and your consent regarding the receipt of notifications about new job postings.

• Mandatory information: First name, last name, email address, phone number, country and region, CV.
• IP address and information on the use of the portal

You may use your personal data stored by third parties (e.g. StepStone) to create the user account and profile in the Job Portal for selected job postings. We store the information listed above as a maximum. For information on how these third parties handle your personal data, please refer to their privacy policies. Once you have created a user account in the Portal, you can enter and/or upload further information to your profile, such as your CV and further profile information (how did you hear about this job, details of the source, whether our recruiters may contact you in connection with job offers that may be of interest to you), information about your education and work experience as well as professional certificates, language skills and mobility. Once you have created a user account in the portal, you can enter and/or upload further information in your profile, such as your CV and other profile information (how did you hear about this job, details of the source, whether our recruiters may contact you in connection with job offers that may be of interest to you), information about your education and work experience, as well as professional certificates, language skills and mobility.

3. Application

You also have the option to apply for a specific job in the Portal. In this case, you may – in addition to the information described in Section I.2 –submit additional job-specific information, such as whether you are authorized to work in the country for which the job you are applying is advertised, etc. We use the personal data described here and in Section I.2 solely for the purpose of the application process. This may include reviewing your application and conducting interviews either by phone, online or in person. This may also include reviewing the documents you submit and personal information that these documents contain through appropriate programs to ensure that your skills and experience meet the requirements outlined in the job description. However, this does not represent an automated decision-making process. It serves solely to support our recruiting staff in the selection process. All decisions concerning your application are made autonomously by individuals. This data processing is based on Article 6 (1) lit. b) GDPR for the implementation of the employment relationship (for Germany supplemented by Section 26 (1) BDSG, the effectiveness of which in relation to the GDPR has, however, currently been called into question by the European Court of Justice) and Article 6 (1) lit. f) GDPR for the protection of legitimate interests.

In Germany, other people and platforms are involved in the bidding process. In order to prepare a job offer, data may be stored outside the central personnel management system used at Bilfinger (SuccessFactors) and this data will be processed by the respective Bilfinger company. The Works Council of the respective Bilfinger company in Germany also has access to the appropriate scope of information on the applicant profile and earnings information.

For US citizens, the following additional information applies:

United States (US) privacy law is a complex web of national, state, and local privacy laws and regulations. There is no comprehensive national data protection law. The US does, however, have a number of largely sector-specific privacy and data security laws at the federal level, as well as many other privacy laws at the state (and local) level.

Basically, it should be noted that recruiters in the US conduct a background check via First Advantage Background Check for every applicant that enters the selection process. For this purpose, the responsible Bilfinger company forwards the full name and the email address to be transmitted for registration or application. If necessary, a comparison is made with the crime register, a drug database and social media screening.

The following are some key federal-specific US laws:

• California Consumer Privacy Act of 2018 (CCPA)
• Colorado Privacy Act (CPA, effective July 1, 2023)
• Connecticut Data Privacy Act (CTDPA, effective July 1, 2023)
• Utah Consumer Privacy Act (UCPA, effective December 31, 2023)
• Virginia Consumer Data Protection Act (VCDPA, effective January 1, 2023)

4. Receipt of notifications about new job postings and information about career opportunities

Based on the settings you established when you created your account in the Job Portal or at a later point in time in the settings section of your profile (consent pursuant to Article 6 (1) lit. a) DSGVO), we will send you notifications about new job postings and/or information about career opportunities at Bilfinger. We will also contact you if, for example, we would like to suggest a suitable vacancy, invite you to a candidate day or to an interview. To the extent you have given us this consent as described above, we may use certain programs to help us identify other job openings and proactively contact you with potential job opportunities that may be relevant to you based on your skills and experience. You may withdraw your consent by changing your account settings to opt out of receiving notifications of new job postings and/or information about career opportunities at Bilfinger. Further, you can limit the visibility of your account or profile by setting the visibility in the visibility settings of your account to only job postings for which you are actively applying.

5. Further use of personal data

Personal data that concerns you is used in connection with the operation and management of the Bilfinger Group’s IT systems (both internally and externally-managed systems).
It is necessary to provide personal data for the conclusion and/or fulfillment of a contract with you. The provision of personal data is voluntary. If, however, if you do not provide personal data, this could potentially delay the application processes or the use of the portal.

In addition to Sections 1 to 5 above, personal data concerning you may also be processed for the following purposes and legal bases:

• Article 88 GDPR in connection with the respective national regulation and, if applicable, Article 6 (1) lit.GDPR for the initiation or implementation of contractual relationships.
• Article 6 (1) lit. c) GDPR, insofar as data processing is necessary for the fulfillment of legal obligations.
• Article 6 (1) lit. f) GDPR, provided that the data processing is necessary due to a legitimate interest.
• Article 6 (1) lit. a) of the GDPR, insofar as you give us express consent to process personal data for specific purposes. Consent given can be revoked at any time, with effect for the future Section VI 7.).
• For the provision of the job-sharing and forwarding functions, a connection is established to the provider AddToAny. Information on the processing of your personal data by AddyToAny can be found in the AddToAny Privacy Policy, which is available here.

Insofar as we process special categories of personal data in accordance with Article 9 (1) GDPR (e.g. health data, religious or trade union affiliation), this is done on the basis of Article 9 (2) lit. b) GDPR in accordance with the relevant national legal basis. For the assessment of your ability to work within the meaning of Article 9 (2) (h) of the GDPR in conjunction with the relevant national regulation, the processing of health data may be necessary.

Our website uses so-called “Cookies”. Cookies are small text files and do not harm your device. They are stored either temporarily for the duration of a session (“session cookies”), or for a specific duration beyond the session (“permanent cookies”) on your device.

The legal basis in connection with cookies (and comparable technologies), which are required to carry out the electronic communication process or to provide certain functions desired by you, are the legitimate interests in the secure and trouble-free provision of the website.

In all other cases, we will use cookies (and similar technologies) only with your consent. You can adjust or revoke your consent at any time with effect for the future in the “Privacy Settings” These can be accessed by clicking on the checkmark icon displayed on the website at the bottom left of the browser. There you will also find more information about the cookies (and similar technologies) that are used. The legal bases for any processing of personal data collected with the help of cookies are as follows:

• Article 6 (1) lit. f GDPR, provided there are legitimate interests, such as ensuring and improving the functional capability of the Job Portal. A legitimate interest may also exist in the assertion or defense of legal claims.
• Article 6 (1) lit. a GDPR, insofar as you grant us express consent to process personal data for specific purposes. Consent given can be revoked at any time, with effect for the future (see Section VI 7.).

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally, as well as activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.

The Bilfinger Job Portal uses cookies to the following extent:

Cookies that are absolutely necessary (type 1): These are cookies that are absolutely necessary for the proper operation of the website and its functions. For example, it is unfortunately not possible to log into your candidate profile without the corresponding cookie.

Functional cookies (type 2): These are cookies that ensure maximum personal comfort when using the Bilfinger website. Cookies may contain language settings or font size changes, for example.

Performance cookies (type 3): These cookies provide Bilfinger with information about your browsing habits. They provide Bilfinger with information regarding which pages of the Job Portal are visited particularly often. This allows Bilfinger to improve the website and make the information you search for easily available. These cookies do not contain any personal data.

Third-party cookies (type 4): These are cookies from third parties, such as social networks, which integrate social media content into the Bilfinger website. In addition, Bilfinger uses third-party cookies to show advertisements that may be of particular interest to you or to measure the effectiveness of advertising campaigns. Cookie information is shared with third-party providers.

The following cookies are used:

• SAP as service provider (type 1): We use the following session cookies, all of which are necessary for the functioning of the website:
  • "route" is used for session stickiness
  • "careerSiteCompanyId" is used to send the request to the correct data center "JSESSIONID" is placed on the visitor's device during the session so that the server can identify the visitor
  • "Load balancer cookie" (actual cookie name may differ) prevents a visitor from jumping from one instance to another
• rmk0 (type 1): The encrypted e-mail address of the user, if known. Cookie Setter: First party; maximum duration: When the browser session ends
• rmk1 (type 1): The encrypted ID of the user, if any. Cookie Setter: First party; maximum duration: When the browser session ends
• rmk4 (type 2): Whether to pre-populate the Job Agent field with the user’s email address to prevent the user having to re-enter their email address. Cookie Setter: First party; maximum duration: When the browser session ends
• rmk12 (type 1): A number indicating whether the user has confirmed the cookie banner. If the cookie is not set, the banner can be displayed. If the cookie is set and its value is 1, the banner can be suppressed. This cookie remains in all user sessions, regardless of what type of cookies are enabled throughout the website. Cookie Setter: First party; maximum duration: Does not expire
• Matomo (formerly known as Piwik) pk_id und pk_ses (type 3): Matomo Analytics are used for reporting, evaluability and analysis. The visit of each page as well as the number of clicks and the activities on a job posting, within the job search and the course as well as the duration of stay are analyzed and recorded by the provider Matomo. This provides important metrics on the placement and visibility of job postings, as well as search results within the job search and the accessibility of elements within the site (see https://matomo.org/privacy-policy/)

Bilfinger aggregates the data collected for evaluation purposes, whenever this is possible. Bilfinger uses the SAP SuccessFactors tools "Recruiting Marketing Dashboard" as well as "Recruiting Marketing Analytics" for this purpose. You can object to the further collection and analysis of your data by Bilfinger at any time. Simply set an opt-out cookie in your browser. Please refer to the relevant manufacturer’s instructions for this. Please remember that you need to undertake these settings for each individual browser. When you delete the cookies stored on your device, you also delete the opt-out cookie. In this case, please set the appropriate cookie again.

We only forward your personal data within our Group of companies to those areas and persons who require this data to meet contractual and legal obligations or to implement our legitimate interests. We may forward your personal data to companies affiliated with us to the extent permitted by law. Your personal data is processed on our behalf on the basis of order processing contracts in accordance with Article 28 GDPR. In such cases, we ensure that the processing of personal data is carried out in accordance with the provisions of applicable data protection law. The categories of recipients in this case are Internet service providers and providers of application management systems and software:

• SAP SuccessFactors (SAP Cloud Services Data Center Frankfurt am Main)

Data will only be forwarded to recipients outside the company if this is permitted or required by law, if the forwarding is necessary to process and thus fulfill the employment contract, if you have granted us your consent or if we are authorized to provide information. Under these conditions, recipients of personal data may include, for example:

• Authorities, courts and consultants (e.g. lawyers), insofar as we are legally obligated to do so or if this is necessary to protect our rights
• Relevant third parties in the context of a corporate transaction, to the extent required for a transaction
• Recipients to whom disclosure is necessary for the purpose of establishing or fulfilling the contract or to the extent that such disclosure is directly necessary for the employment relationship.
• The e-mail provider of the respective candidate technically receives the possibility to read e-mails (personal data can also be found in them). This, however, is the responsibility of the applicant, as they choose their own e-mail provider. The e-mail is always sent unencrypted

Transfer of your personal data to third countries

The recipients of your personal data (see Section III. above) may be located in a country outside the European Union / European Economic Area. To the extent that the relevant country has not been recognized by the European Commission - by means of an adequacy decision - as a country in which personal data is adequately protected, we will only transfer your personal data to such countries if another mechanism of Article 44 et seq. GDPR justifies such a transfer (e.g. standard contractual clauses) or if an exception in accordance with Article 49 GDPR applies. Additional measures are taken / agreed upon as necessary to ensure adequate protection for the personal data. A list of the adequacy decisions can be found here .

In the absence of an adequacy decision, the standard contractual provisions of the European Commission (from the Implementing Decision (EU) 2021/914 of June 4, 2021) are regularly the basis for the forwarding. To the extent that the forwarding in this context is made to a service provider acting as a processor on our behalf, module two (Transfer of Data Controllers to Processors) of the standard contractual provisions is relevant; to the extent that the transfer is made to other third parties, module one (Transfer of Data Controllers to Processors) is relevant.

For more details about this forwarding and the forwarding mechanisms used in relation to it, please contact us at dataprivacy@bilfinger.com.

There are a number of options available to you for managing the type and amount of data we retain that concerns you.

• You can delete your entire account at any time.
• You can delete all or selected information in your profile.
• You can withdraw an application.

All three options result in the deletion of the personal data as described above, except for the data the retention of which is required by law.

Data collected for the purposes specified in this privacy notice will be retained only for as long as is necessary (i) for a specific application and/or (ii) for your registration in the Job Portal, and for a transition period (i.e., as long as required to comply with Bilfinger’s data retention obligations in accordance with applicable law or as long as retention of the data is permitted by law).

We will delete your account if you have not logged in for more than 12 months. In this case, you will receive a separate notification approximately 5 weeks prior to deletion informing you of the impending deletion.

Personal data concerning you will only be retained in a form that permits identification of you for as long as Bilfinger deems necessary to archive the purposes for which the data was originally collected or processed, or as specified in the relevant laws on data retention periods or as permitted by applicable law. We will delete your account if you have not logged in for more than 12 months.

You have the following rights, provided that the relevant legal requirements are met:

1. Right of access (Article 15 GDPR).

   You may request information about the processing of your personal data and a copy of the personal data that is the subject of the processing, provided that such copy does not adversely affect the rights and freedoms of others.

2. Right to rectification (Article 16 GDPR).

   You may request the correction of your personal data that are inaccurate and/or the completion of such data that are incomplete.

3. Right of deletion ("right to be forgotten") (Article 17 GDPR).

   You may request the deletion of your personal data in particular if (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) you have objected to the processing and there are no overriding legitimate interests for the processing, (iii) your personal data has been processed unlawfully, or (iv) your personal data must be deleted in order to comply with a legal obligation to which we are subject. The right to deletion does not, however, apply if the processing of your personal data is necessary for compliance with a legal obligation or for the assertion, exercise or defense of legal claims.

4. Right to limitation of processing (Article 18 GDPR).

   You may request the limitation of the processing of your personal data (i) for the period during which we verify the accuracy of your personal data if you have contested the accuracy of such data, (ii) if the processing of your personal data is unlawful and you request the restriction of the processing instead of the erasure of the data, (iii) if we no longer need the personal data but you need the data to assert, exercise or defend legal claims; or (iv) if you have objected to the processing until it has been verified whether our legitimate grounds override your interests, rights and freedoms.
   If processing has been limited, we will only process the data concerned - apart from storage - with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or an EU member state.

5. The right to notification in accordance with Article 19 GDPR.

   Bilfinger will notify all recipients to whom personal data is disclosed of any rectification or deletion of the personal data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You may request that we inform you about aforementioned recipients.

6. Right to data transferability (Article 20 GDPR).

   You may request that we provide you with your personal data that you have provided to us in a structured, commonly used and machine-readable format, insofar as the processing of your personal data is based on your consent or a contract and the processing is carried out automatically; in such cases, you may also request that the personal data be transferred directly to another controller, insofar as this is technically feasible.

7. Right to revoke consent at any time (Article 7 (3) sentence 1 GDPR).

   You can revoke your consent at any time with effect for the future, insofar as the processing is based on your consent, without affecting the lawfulness of the processing based on the consent prior to its revocation.

8. Right of objection (Article 21 GDPR).
   

   Right of objection Insofar as the processing of your personal data is carried out for the protection of legitimate interests pursuant to Article 6 (1) lit. f GDPR, you have the right, pursuant to Article 21 GDPR, to object to the processing of this data at any time for reasons arising from your particular situation. We will then no longer process this personal data unless we can demonstrate compelling reasons for the processing. These must override interests, rights and freedoms, or the processing must serve the assertion, exercise or defense of legal claims.

9. France - Right to digital legacy.

   If you are a resident of France, you have the right to determine instructions (general or specific) on the whereabouts of your personal data after your death.

10. Right to complain to a supervisory authority.

    You may lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. You can find the contact details of the European data protection authorities here.

If you are of the opinion that the processing of your personal data violates the GDPR, you can also contact us first using the e-mail address below. Please send your inquiries regarding the exercise of these rights (other than the right to complain to a supervisory authority) to dataprivacy@bilfinger.com.

We reserve the right to amend or modify this notice at any time to ensure compliance with applicable laws. Please check regularly if this note has been changed.