“StartUs-Insights.com” and “StartUs.cc” including all subdomains of StartUs GmbH
(1) Processing activities
Operation of career network and job exchange for (registered) customers
(2) Controller
StartUs GmbH
(3) Contact details of responsible entity for data protection
StartUs GmbH
c/o Data Protection
Mariahilfer Straße 136
1150 Vienna
Austria
info at startus-insights dot com
(4) Purposes of data processing
on the legal basis of performance or preparation of contracts
- Operation of an online job platform to compile the interests of potential employees and employers
- Keeping job advertisements accessible to prospective employees and employers, informing interested parties about suitable offers
- Provision of communication channels to the controller for servicing the contractual relationship
- Maintaining and enhancing customer satisfaction and customer retention through an analysis of user behavior
- Collecting user data to document reach
- Recommending jobs and candidates in the following cases:
  - show best matching candidates to a job
  - show best matching jobs to a candidate
  - show best matching jobs to a job
  - show best matching candidates to a candidate
- Enable network participants to establish and maintain networks
on the legal basis of the (overriding) legitimate interests of the controller: direct marketing
- Customer recovery and attracting new customers
- Dissemination/presentation of advertising for (other) goods and services of the controller by means of direct marketing (“marketing purposes”), to the extent permitted by law
- Analysis of reader behavior and personal preferences of customers for the purpose of targeted dissemination of advertising with the aim of avoiding scatter losses (using profiling, see paragraph 9)
(5) Legal basis for data processing
(a) Online use. Performance of the contract. The use of the career network and job exchange is already based on a contract as defined in Art. 6 (1) (b) GDPR; a registration relationship is established upon registration. Through the use of the social media channels of the controller the primary contractual relationship exists with the respective service provider.
(b) Additional services. Consent. The controller will obtain the customer’s express consent for specific services (e.g. social media tools, recommender tool). Such consent may be withdrawn at any time with effect for the future.
(6) Description of (overriding) legitimate interests for the purposes
Of IT security
The controller will store the IP addresses of its customers for a period of 7 days in order to protect against targeted attacks in the form of server overloads (Denial of Service attacks) or other damage to the systems. The controller has an overriding legitimate interest in such data processing for the purposes of maintaining the functionality of its online services (Recital 49 GDPR).
(7) Evaluating personal aspects of the customer (profiling)
Type: Evaluation of personal interests with regard to jobs
Description: For the purpose of compiling suitable job offers the controller processes and evaluates search and user behavior, and draws conclusions about specific personal interests. The controller uses those evaluated interests to send the customer targeted job offers.
(8) Objection to profiling
The customer may object to the use of their personal data for the purpose of profiling at any time and without having to state reasons. Upon objection, the controller will no longer use the customer’s personal data for the purposes of profiling.
(9) Obligation to provide data
The customer is under no obligation to provide data. Reasonable use of the platform is, however, inconceivable without entering any data.
(10) Automated decision-making
The customer is subject to no automated decision-making which would become legally effective vis-à-vis him.
(11) Processed types of data
Provided by the customer:
- Name/Company name, academic degree
- Username
- Phone number
- Email address
- Place of residence or address
- Title
- Date of birth
- Application text
- Message contents
- Password
- Curriculum vitae
- Photo, Video
- Uploaded data
- Information on the desired job
- Current occupation, work experience
- Languages and other skills
- Training and continuing education
- Contact requests
- Bookmarked jobs
Additionally collected by the controller:
- IP addresses (log files)
- Data on the terminal equipment
- Browser used
- Equipment used
- Communications protocol
- Information on account use (e.g. date created, number of logins, date of the last request)
- Information on newsletter subscription
- User ID
- Facebook user ID
- Facebook email address
- Facebook profile link
- Date of the last Facebook alignment
- LinkedIn user ID
- LinkedIn email address
- LinkedIn profile link
- Date of the last LinkedIn alignment
(12) Data sources (to the extent not provided by the customer nor collected by the controller)
- Source: Facebook login
Types of data: Email, name, sex, Facebook UID, Facebook link, photo
- Source: Xing login
Types of data: Email, name, sex, Facebook UID, Facebook link, photo
- Source: Google login
Types of data: Email, name, sex, Facebook UID, Facebook link, photo
- Source: LinkedIn login
Types of data: Email, name, sex, Facebook UID, Facebook link, photo, current occupation
- Source: MailChimp
Types of data: IP location, preferred email client, registration source, campaign details (receipt, open, click)
Social media channels:
- Facebook
Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, https://de-de.facebook.com/about/basics
- LinkedIn
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, https://www.linkedin.com/legal/impressum
- Xing
XING SE, Dammtorstraße 30, 20354 Hamburg, Germany, https://www.xing.com/imprint
- Twitter
Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, https://twitter.com/de/tos
- Google Plus
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, https://www.google.com/contact/
(13) External recipients of data:
Processor:
- Operator of the career network and job exchange: epiqo GmbH, Mariahilfer Strasse 136, 1150 Vienna, Austria
- Email campaign sending and sending of system emails “MailChimp” (and/or Mandrill): The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA
- Pipedrive as CRM: Pipedrive Inc, 460 Park Ave South, New York, NY 10016, USA
- Extracting data from uploaded curricula vitae by “Textkernel”: Nieuwendammerkade 28A17, Amsterdam, Noord-holland 1022 AB
Analytics tools:
- Google Analytics (with “anonymize IP”): Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Adsense Ad banner:
Third-party vendors, including Google, use cookies to serve ads based on a user’s prior visits to your website or other websites. Google’s use of advertising cookies enables it and its partners to serve ads to you based on your visit to our sites and/or other sites on the Internet.
You may opt-out of personalized advertising by visiting Ads Settings. (Alternatively, you can opt-out of a third-party vendor’s use of cookies for personalized advertising by visiting www.aboutads.info.)
Cloud and technical services:
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
- Code Enigma, Smithfield Business Centre., 5 St John’s Lane, London, EC1M 4BH, United Kingdom
- Google G Suite, Google LLC, Googleplex, Mountain View, California, USA
- WP-Engine for hosting StartUs Magazine: Irongate House, 22-30 Duke’s Place, London, EC3A 7LP, United Kingdom
All external recipients can be written to and contacted via the controller with regard to questions under data protection law.
(14) Transfer to third countries
The following data will be transmitted to countries outside of the EU in connection with data processing:
- Country: USA
Application: Google
Types of data:
  - Google Analytics: anonymized IP address, website title, browser-specific information, information about website use
  - Google G Suite (storage): email address, name
- Country: USA
Application: Facebook
Types of data: Social plug-ins (upon consent using double click): IP address, website title, browser-specific information, information about website use
- Country: USA
Application: LinkedIn
Types of data: Social plug-ins (upon consent using double click): IP address, website title, browser-specific information, information about website use
- Country: USA
Application: MailChimp
Types of data: Transmission by email (newsletter): email address, name
- Country: USA
Application: Mandrill
Types of data: Transmission by email (system messages): email address, name
- Country: USA
Application: Pipedrive
Types of data: Online CRM (storage): email address, name, contact number
(15) Storage period
Non-registered users: Personal data (in particular the IP address) of (non-registered) visitors to the website will be stored for purposes of IT security for a period of 7 days.
Registered users: Data on registered users will be processed by the controller on the legal basis stated above for the term of the contractual relationship. Users may edit or delete such data at any time. In any case, the use agreement will end upon deletion of the account by the customer or after a period of 7 years of inactivity; this will lead to immediate deletion.
Registered employers: Generally, personal data of registered employers will be processed by the controller on the legal basis stated above for another 40 months after termination of the contract (= 36 months for potential contractual claims for damages + max. 4 months service period for a statement of claim) and then deleted (in any case, links to personal data). In any case, the use agreement will end after a period of 7 years of inactivity and will lead to immediate deletion.
(16) Rights of the data subject
- Basis: Art 15 GDPR “Access”
Contents: The customer shall have the right to obtain confirmation as to whether or not their personal data is being processed.
- Basis: Art 16 GDPR “Rectification”
Contents: The customer shall have the right to obtain without undue delay the rectification of inaccurate personal data or to have them completed.
- Basis: Art 17 GDPR “Erasure”
Contents: The customer shall have the right to obtain the erasure of personal data without undue delay as long as the reasons stated in Art 17(1) GDPR are fulfilled.
- Basis: Art 18 GDPR “Restriction”
Contents: The customer shall have the right to obtain restriction of processing of personal data as long as the reasons stated in Art 18(1) GDPR are fulfilled.
- Basis: Art 21 GDPR “Objection”
Contents: Objection to profiling. The customer shall have the right to object to the processing of their personal data for the purposes of profiling at any time. Objection to direct marketing: The customer shall have the right to object to the processing of their personal data for the purposes of direct marketing at any time.
- Basis: Art 20 GDPR “Data portability”
Contents: The customer shall have the right to receive the personal data concerning him in a structured, commonly used, and machine-readable format.
(17) Right to lodge a complaint
- Basis: Art 77 GDPR
Contents: Each customer shall have the right to lodge a complaint with the supervisory authority if he considers that the processing of personal data relating to him infringes this Regulation.
(18) Supervisory authority
Austrian Data Protection Authority
Wickenburggasse 8-10
1080 Vienna
Phone: +43 1 52 152-0
Email: dsb at dsb dot gv dot at