Privacy statement (applicants)

As of: July 2023

Dear applicants,

With this privacy statement, we would like to let you know

  • which personal data we collect, store, process, block and erase (this shall be collectively referred to as “processing”),
  • the purposes we use them for,
  • how you can object to their use or withdraw your consent, as well as
  • what other rights you have as a data subject and how you can exercise them.

1. Who is responsible for the data processing and who can I contact?

The data controller, as set out in the GDPR, is:

Lomapharm GmbH
Langes Feld 5
31860 Emmerthal, Germany
Phone: +49 (0) 5155-2791-0
Fax: +49 (0) 5155-2791-219

2. Is there an obligation to make data available?

In the context of your application, you only need to provide the personal data that are necessary for processing your application or which we are legally obliged to collect. Generally speaking, without these data, we would not be able to process your application.

3. What sources and data does Lomapharm GmbH use?

We only process personal data that we receive from our applicants as part of the application process.

The personal data we process particularly include:

  • master and framework data (e.g. name, address, other contact details, date of birth),
  • information on education, training and previous employment,
  • information on general skills,
  • application documents (curriculum vitae, cover letter, references and certificates),
  • as well as other data that are similar to data in the specified categories.

4. Purposes of the processing and legal basis

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) based on the following legal bases:

To fulfil contractual obligations (Art. 6(1)(b) GDPR)

The personal data are processed as part of the application process for the purpose of the implementation of pre-contractual measures taken at the applicant’s request.

4.1 As part of the balancing of interests (Art. 6(1)(f) GDPR)

Where necessary, we process personal data in a way that goes beyond the fulfilment of the contract itself in order to protect our legitimate interests.

This particularly includes the following activities and processes:

  • safeguarding the IT security and IT operations of our company,
  • the establishment of legal claims and defence in legal disputes (e.g. as part of the judicial review of alleged violations of the German General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz – AGG)),
  • identification of follow-up applications on the basis of your framework data (name, date of birth, email address and the name of the post for which you are applying),
  • checking against sanctions lists that go beyond what is prescribed by law but which are customary.

4.2 On the basis of your consent (Art. 6(1)(a) GDPR)

To the extent that you have given consent to the processing of personal data for specific purposes, this processing of the data shall be lawful on the basis of your consent.

Consent given to us can be withdrawn at any time. This also applies to the withdrawal of declarations of consent that were given before the GDPR came into effect. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

You can withdraw consent that you have given us free of charge and informally via our contact data stated in point 1. If consent is withdrawn by phone, we ask that, if necessary, you provide additional proof of your identity using another means.

4.3 On the basis of legal requirements (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)

Like every company, Lomapharm GmbH is also subject to many legal obligations which make it necessary to process personal data. Examples of these include, for instance, obligations in relation to identification in order to prevent money laundering, compliance with documentation obligations under taxation and pharmaceutical law and checking against sanctions lists that are prescribed by law (e.g. checking payees when reimbursing the applicant’s travel expenses).

To what extent is there automated decision-making in individual cases?

We generally do not use any fully automated decision-making, as referred to in Article 22 GDPR, to process an application. If we implement this procedure in individual cases, you will be informed of this separately, insofar as this is legally required.

5. Who will receive my data?

Within Lomapharm GmbH, the bodies and departments that receive your data are those which require them to process your application.
Disclosure to other recipients outside Lomapharm GmbH shall only take place if there is a legal basis for this (e.g. a legal obligation or consent).

6. Are data transferred to companies in third countries or an international organisation?

Data are generally not transferred to bodies in states outside the European Union (so-called third countries) in the context of applications. If such a transfer is necessary in an individual case (e.g. because you are applying for a position outside the EU) we will inform you separately of the possible risks of a data transfer and request your express permission.

7. How long will my data be stored?

We process your personal data only as long as it is necessary to fulfil the purposes of the processing described above. Your application data (except for your name, email address, date of birth and the position you have applied for) shall be erased in the applicant management system six months after the end of the application process. Your name, date of birth, email address and the position that you have applied for shall be erased after three years.

If the data are no longer necessary for the fulfilment of the processing purposes described above, they will be erased, unless their processing (for a limited time) is necessary for the following purposes:

  • Fulfilling retention obligations under commercial and tax law: These include the German Commercial Code (Handelsgesetzbuch – HGB) and the German Anti-Money Laundering Act (Geldwäschegesetz – GwG). The periods for retention and documentation stated there last up to 10 years.
  • Preservation of evidence in the context of legal limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may last up to 30 years, whereas the standard limitation period lasts for three years.

8. What rights do I have as a data subject?

As the data subject, you have the right of access under Article 15 GDPR. If a query is not in writing, we ask that, if necessary, you provide additional proof of your identity using another means. Moreover, you have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, as well as the right to data portability under Article 20 GDPR. The right of access and the right to erasure are subject to the limits according to Sections 34 and 35 of the German Federal Data Protection Act. In addition, there exists a right to lodge a complaint with a competent data supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act).

Furthermore, you have the right to object under Article 21 GDPR and you can object to processing of personal data on the basis of Article 6(1)(e) or (f) GDPR at any time without giving reasons.

Gender-neutral phrasing: For reasons of better readability, we use the gender-neutral singular “they” in our texts. However, this refers to people of all genders.