Data Privacy Policy

This Data Privacy Policy explains how we process personal data as part of our business operations providing global search, consulting and evaluation services, and how this data processing impacts on our website.

hartmann consultants GmbH & Co. KG (“we”, “us”, “hc”) undertakes to store your personal data securely and to process said data in accordance with applicable data privacy law, specifically in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 (hereinafter “GDPR”) of the European Union.

1. Responsibility (Data controller)

Responsible for data issues under the terms of Art. 4 (7) GDPR:

hartmann consultants GmbH & Co. KG
Maffeistrasse 3
80333 Munich, Germany
Telephone: +49 89 540 45 48 00
Fax: +49 89 540 45 48 19
Email: info@hartmann-consultants.com

You can contact our Data Protection Officer at:
hartmann consultants GmbH & Co. KG
Data Protection Officer
Maffeistrasse 3
80333 Munich, Germany
Telephone: +49 89 540 45 48 00
Fax: +49 89 540 45 48 19
Email: datenschutz@hartmann-consultants.com

2. To whom does this Data Privacy Policy apply?

We provide all our global clients with our Executive Search, Board Search, Volume Search, Potential Analysis and Digital Leadership Audit services (“our services”). This Data Privacy Policy applies to you whether you are a candidate for one of our clients, an individual we are assessing on behalf of a client, a client, a source or referee of a candidate, or an employee of a client.

In addition, the Data Privacy Policy applies to you if you attend one of our events or visit our website.

The following terms are used for the purposes of this Data Privacy Policy:

Candidate denotes an individual who is a candidate or applicant but may also theoretically be an employee of a client;

Client denotes any company, organization, official authority, or individual which commissions us to provide our services;

Referee denotes an individual providing a personal or professional reference with respect to a candidate;

Source denotes an individual providing us with information or knowledge about a candidate or company.

3. Collecting information

Our clients expect us to find the best possible employees to fill vacancies in their companies. To do so, we must use automated systems, online databases, and other information sources, and contact a wide number of people. In addition to our clients, these include referees and sources who assist us in making our decisions.

We collect information from candidates directly or when sent to us in the form of emails, letters, or professional networks (e.g. LinkedIn, Xing).

4. Use of personal data

As a general principle, we limit the collection, processing, and use of personal data to the extent and type of data required. Personal data constitutes all data which refer personally to you as an individual, e.g. name, address, email addresses, user behavior.

Candidate

We process personal data for a variety of purposes:

  • In conducting searches for suitable candidates in confidential assignments in which the client’s name is initially withheld. This means that if we believe, after interviewing you, that you are suitable for a specific position, we may pass information about you and your qualifications to the client in anonymized form. If the client believes you may be suitable, we will discuss your candidacy with you in detail. You may be interviewed by one of our consultants and be entered on a shortlist for a presentation to our client. At this stage, after consulting with you we provide further details to the client, who may then contact you directly. Data processing for these purposes is effected on the basis of Art. 6 (1) 1 lit. b GDPR.
  • Anonymized for periodic mapping or research tasks on behalf of our clients. These activities have the purpose of enhancing our understanding of a specific market. They constitute legitimate interests under Art. 6 (1) 1 lit. f GDPR and serve as the lawful basis on which we undertake data processing. Where you have given consent to processing of your personal data for these purposes and to being contacted by us or third parties, we process your data based on your consent as set forth in Art. 6 (1) 1 lit. a GDPR. You may withdraw your consent at any time (see Section 9).
  • In performing an assignment within the scope of which we have agreed a program such as Potential Analysis or Audit with you. In this case, data processing of your personal data as required for provision of our services is performed on the basis of Art. 6 (1) 1 lit. b GDPR.
  • For the purpose of monitoring equality to increase the diversity of our pool of candidates, provided this is permissible under applicable law. This information is anonymized and aggregated.
  • To improve the service we offer. For example, you may be asked to complete one of our voluntary online satisfaction surveys (see Section 10). Improvement of our services to enhance your satisfaction constitutes a legitimate interest as understood by Art. 6 (1) 1 lit. f GDPR. Data processing is performed on this lawful basis.
  • By your granting of consent to the use of your personal data for marketing purposes, to receive information about our services, White Papers, newsletters, events, etc. (see Section 7). Data processing for these purposes is based on Art. 6 (1) 1 lit. a GDPR. You may withdraw your consent at any time (see Section 9).

We will only use your personal data in accordance with this Data Privacy Policy or where we are obliged or authorized by law to provide your data to third parties or have your consent to do so. Where provision of the data to third parties is obligatory by law, data processing is performed on the basis of Art. 6 (1) 1 lit. c GDPR.

Please note that our clients have themselves naturally undertaken to comply with applicable data protection law. We have no influence over their data processing procedures or awareness of the full scope of their data processing operations. We do not receive any regular information about our clients’ erasure of the personal data they collect.

Client

We use client data to perform our services for you (lawful basis: Art. 6 (1) 1 lit. b GDPR) and for other legitimate business purposes such as marketing (lawful basis: Art. 6 (1) 1 lit. f GDPR).

Sources and referees

We use data from sources and referees to provide our services, and specifically to elicit their voluntarily stated opinions about a candidate. Data processing for these purposes is based on Art. 6 (1) 1 lit. f GDPR; provision of our services constitutes our legitimate interest.

We may also use this information to offer you our services as a prospective client. Such marketing purposes constitute a legitimate interest as understood by Art. 6 (1) 1 lit. f GDPR. Data processing is performed on this lawful basis.

5. Type of personal data that we collect and process

Candidate

If we approach you proactively to discuss a position or if you continue to pursue an employment application, you may be required to give further personal data, e.g. date of birth, education, professional career and resume or CV. Your resume is likely to include the following information: professional career to date, education, professional qualifications, memberships of professional associations, written documents, testimonials, and references.

We process any relevant psychometric assessments, psychological tests, or results from such assessments or tests only if you have granted your express consent (lawful basis: Art. 6 (1) 1 lit. a GDPR; you may withdraw this consent at any time – see Section 9).

We may occasionally ask you to provide information about protected characteristics such as ethnicity or marital status. We do this for the purpose of promoting equality of opportunity and only in locations where it is permissible under local law. This information is always anonymized and aggregated and is never passed to third parties without your express consent.

We may also collect personal data from third-party databases and other public sources to gain more information concerning you which is relevant to the position (lawful basis: Art. 6 (1) 1 lit. b GDPR if we are already in contact, and Art. 6 (1) 1 lit. f GDPR if we have not yet established contact with you).

Client

In addition to basic contact data, we also collect information about your position and other information supplied to us by your organization to enable us to build effective business relations (lawful basis: Art. 6 (1) 1 lit. b and f GDPR).

Sources and referees

In addition to basic contact data, we also collect information about your references as information source, details of your connections to and knowledge of a candidate, and your opinion on the candidate. We may obtain this information directly from you or from publicly available information sources. Data processing for these purposes is based on Art. 6 (1) 1 lit. f GDPR; provision of our services constitutes our legitimate interest.

6. What we do

In the case of specific positions, one of our employees or consultants may call you to discuss details. For other positions we may place an advertisement to which you can reply online or by mail. We will inform you at that point of our data protection policy.

In addition to recruiting for specific executive positions, we process personal data in anonymized form when conducting market surveys to map out specific business areas or profile inquiries and help our clients to gain a picture of the talent pools available.

7. Sensitive data

We occasionally seek your consent to processing personal data for specific and limited purposes. We will always do this before processing sensitive or special categories of personal data: ethnic origins, political opinions, religious or philosophical beliefs, membership of unions, data about health, relationships or sexual orientation, health and/or biometric data. We encourage you to refrain from providing us with sensitive personal data unless we expressly request you to do so and have obtained your consent (lawful basis: Art. 6 (1) 1 lit. a GDPR; you may withdraw your consent at any time – see Section 9).

8. Use of our website

8.1 General

This Data Privacy Policy applies only to our website. If you are directed to our website from other websites or move to other websites from our website, please ensure you read the separate data privacy policy of these other sites.

When you use our website purely for information purposes, i.e. if you do not register or supply us with information by other means, we only collect the personal data sent to our server by your browser. If you would like to view our website, we collect the following data which are technically necessary for us to display our website correctly to you and ensure its stability and security:

  • IP address
  • Date and time of access
  • Time difference to Greenwich Mean Time (GMT)
  • Content of request (concrete page)
  • Access status / HTTP status code
  • Data volume transferred
  • Website from which the request is made
  • Browser
  • Operating system and user interface
  • Language and version of browser software

The data specified are processed by us for the following purposes:

  • Ensuring smooth connection setup of our website
  • Ensuring a pleasant user experience for visitors to the website
  • Evaluation of system security and stability, and
  • Other administrative purposes

The lawful basis for data processing is Art. 6 (1) 1 lit. f GDPR. The above listed purposes of data collection constitute our legitimate interest. We never use the data thus collected to draw conclusions about your individual identity.

In addition, during your visit to our website we use cookies and analysis services. For more information and explanations, see particularly the “Cookies” section of this Data Privacy Policy below.

8.2 Cookies

Our website uses cookies to enable visitors to make use of specific functions of the website and for us to analyze the behavior of visitors to the site.

Cookies are small text files that are saved on your computer. Most of the cookies we use are session cookies, which are erased from your hard drive at the end of your browser session. Other cookies (known as persistent cookies) are stored on your computer and enable us to recognize your computer on your next visit.

You can prevent cookies from being stored by changing your browser settings accordingly. However, please note that in this case you may not be able to use the complete range of functions of this website to their full extent.

If you wish to prevent cookies from being stored on your computer, change your browser settings to deactivate cookies for our website or prevent cookies from being stored on your computer in general You can also erase any cookies stored on your computer by changing your browser settings.

Deactivation of the use of cookies may require a persistent cookie to be stored on your computer. If you erase this cookie, you will have to repeat the deactivation procedure.

We use the following types of cookies on our website:

  • sient cookies, i.e. cookies that are automatically erased when you close your browser. These particularly include session cookies, which save a session ID allowing various requests by your browser to be assigned to the session. This enables us to recognize your computer the next time you visit our website. Session cookies are deleted when you log out or close your browser.
  • Persistent cookies are cookies which allow you to configure your browser settings in accordance with your wishes. For example, they allow third-party cookies or all cookies to be refused. However, please note that if you do this, you may not be able to use all the functions of this website.

9. Your rights

9.1 You are under no obligation to provide us with your personal data. However, please note that if you do not, we may not be able to consider you in our services.

With respect to when and to what extent we use your personal data, you have the following rights in particular:

You have the right:

  • to request information about your personal data processed by us in accordance with Article 15 GDPR. Specifically, you can request information about the purposes of processing, the category of personal data, the categories of recipients to which your data has been or will be disclosed, the planned duration of storage, the existence of a right to correction, erasure, restriction of processing, or objection, the existence of a right to complain, the origin of your data where the data are not collected by us, and the existence of automated decision-making, including profiling and any detailed information on the process.
  • to request immediate correction of incorrect, or completion of incomplete, personal data under Article 16 GDPR.
  • to request erasure of your personal data stored by us in accordance with Article 17 GDPR, except in cases where processing of the data is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
  • to require restriction of processing your personal data in accordance with Article 18 GDPR in cases where you dispute the accuracy of the data; where the processing is unlawful but you oppose the erasure of the data; and where we no longer need the personal data but you require them for the establishment, exercise, or defense of legal claims or have filed an objection to processing under Article 21 GDPR.
  • to receive your personal data which you have provided to us in a structured, commonly used, and machine-readable format, or to request transmission of those data to another controller, in accordance with Article 20 GDPR.
  • to withdraw your consent once granted to us at any time in accordance with Article 7 (3) GDPR (see Section 9 below). This has the consequence that in the future we may no longer perform data processing which had previously been on this lawful basis.
  • to lodge a complaint with a supervisory authority under Article 77 GDPR. In general, you can contact the supervisory authority of your customary place of residence or work or our registered office.

9.2 Right of objection or withdrawal of consent to processing of your personal data

If you have granted consent to processing of your data, you can withdraw your consent at any time in accordance with Article 7 (3) GDPR. Withdrawal of your consent, once granted, affects the lawfulness of our processing of your personal data.

Where we have processed your personal data as part of pursuing our legitimate interests in accordance with Art. 6 (1) 1 lit. f GDPR, you have the right to object to this processing under Article 21 GDPR. This applies in particular where processing is not required for the purpose of fulfillment of a contract with you, which is stated by us in our description of functions. If you exercise your right to withdraw consent or object to data processing, please state your reasons for wishing us to refrain from processing your personal data as customary. In cases of justified objection, we will examine the case and either cease or adjust our data processing operations, or inform you of our justified legitimate reasons for continuing processing.

10. Satisfaction surveys

If you take part in a satisfaction survey, we may ask you to voluntarily provide personal details including your name, email address, and views and opinions.

11. Transfer of information to third parties

11.1 General

In order to operate this website and offer Executive Search, Potential Analysis, or Audit services, we work closely with trusted partners with which we are obliged to exchange personal data. These partners include:

  • Our clients to which we provide Executive Search services. In this case we consult with you before transferring your data.
  • Prospective clients to which we may need to provide evidence of our understanding of a specific market and the people working in it. In this case your data are anonymized.

We will only transfer information as described in this Data Privacy Policy and will, wherever possible, limit disclosure to aggregated data to prevent, or avoid as far as possible, any possibility of your personal identification.

11.2 Third parties

We may also transfer information to third parties which process information on our behalf.

This is designed to support us in operating some internal business processes including email distribution, IT services, and client services. Under our agreement with these third parties, they undertake to process the data securely in compliance with our instructions.

Transfer of personal data to contracted data processors only takes place where the processors can offer sufficient guarantee of orderly and secure use of the data and contractually agree to comply with the principles set forth in this Data Privacy Policy and with statutory provisions. We will not inform third parties about your personal data or otherwise transfer the data to them unless the data transfer is required in order for us to provide the contracted performance or unless you have granted your consent for us to do so.

Your data may also be transferred to organizations in other parts of the world. As the data privacy laws in other regions may not match the standards of your home country, we will only transfer data where adequate data privacy is in place to protect the data stored in this country and where the local service provider complies with applicable data protection law at all times.

Where specified by law, we will take action to ensure that personal data processed in other countries is subject to the same level of protection as in your home country as a minimum requirement.

We may be obliged by a statutory requirement or court order to provide law enforcement authorities, official authorities, or third parties with information about you. In such cases we will act responsibly and take your interests into account wherever possible in responding to such enquiries.

If you have concerns about these agreements to transfer personal data to third parties, please contact us and request us to refrain from processing your personal data.

12. Data security measures

To protect your data, we have taken technical and organizational data security measures which are regularly reviewed and aligned to reflect technological progress.

However, please note that for technical reasons we cannot exclude non-observance of data protection and data security laws by other individuals or organizations whose actions are beyond our control.

13. Information on other individuals

If you provide us with information about other individuals – e.g. details of a referee or other personal contact – you must ensure that those individuals have consented to their information being shared. We advise you to keep a record of their consent and provide them with a copy of or link to this Data Privacy Policy.

14. Storage of your documents

We store your personal data for as long as is necessary to provide our services and in compliance with statutory, fiscal, and accounting requirements.

If you desire the erasure of your personal data which is stored by us, the data may be erased except in cases where processing the data is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.

When your personal data are no longer required, we ensure they are erased or disposed of securely. Where required to do so by law, we will notify you after erasure or disposal.

15. Access rights

You have the right to request copies of your personal data stored by us. If you are of the opinion that the data are incorrect, you may also request us to correct the data. Under certain specific circumstances, you also have the right to request us to desist from processing your personal data. In addition, you have the right to request that we share your personal data with an individual appointed by you for your own purposes (right to data portability)

You can contact us by email or by writing to the address below. Please note that we may require proof of identity. We will deal with your enquiries within the time limit specified for the country in question.

Under certain circumstances, we may deny you access to some of your personal data in countries where such denial is required or permitted by law. Wherever possible, we will inform you of the grounds for denial.

16. Google Analytics

We use Google Analytics, a web analysis service operated by Google Inc. (“Google”). Google Analytics uses “cookies,” text files that are saved on users’ computers and allow their use of the website to be analyzed.

The information about users’ visits collected by the cookie is generally transferred to a Google server in the USA and saved there. While the USA does not have the same level of data protection as the EU, Google is a member of EU-U.S. Privacy Shield (see here for more information) and, in this capacity, undertakes to comply with European data privacy law.

This website has activated IP anonymization, so that Google first abbreviates users’ IP addresses within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the USA and abbreviated there in exceptional cases. We commission Google to use this information to evaluate the behavior of visitors to this website, to compile reports on website activity, and to provide us with further services related to website use and Internet use. These activities supply us with information about user behavior that enable us to optimize our website, products, and services to reflect user needs.

Google will under no circumstances associate the IP address transmitted by your browser within the operations of Google Analytics with other Google data.

You can prevent cookies from being stored by changing your browser settings accordingly. However, please note that in this case you may not be able to use the complete range of functions of this website to their full extent. Users can also prevent Google from recording and processing the data related to their website visit (including their IP address) generated by the cookies by downloading and installing the browser plugin for Google Analytics deactivation (available here). You can deactivate Google Analytics here: https://tools.google.com/dlpage/gaoptout?hl=en

For more information on how Google Analytics collects and processes your personal data, see  www.google.com/policies/privacy/partners