Data privacy information for job candidates and applicants
Deutsche Telekom attaches great importance to protecting your personal data. It is important to us to inform you what personal data we collect, how your data is processed.
Who is responsible for the data processing?
The system growth hub represents a joint approach in managing job candidates and applicants within Deutsche Telekom and its subsidiaries. Therefore, the responsibility is shared in the following manner:
Deutsche Telekom AG (DTAG)
Deutsche Telekom AG acts as the provider of this platform on behalf of all subsidiaries and itself. DTAG is responsible to maintain the system, specify/enforce the data processing (collected data, purposes and sub-processors) and to ensure security. It acts as the data controller for job candidates globally and for applicants applying directly at Deutsche Telekom AG.
National business units and subsidiaries
National business units and subsidiaries hire independently from DTAG but use the growth hub platform provided by DTAG to support their recruiting processes. This means, that the company of Deutsche Telekom that you apply at is responsible for the data processing (data controller) of applicant data, while Deutsche Telekom AG and its sub-processors provide the respective service.
Where can I find the information that is important to me?
General information on privacy of growth hub
General information on privacy of growth hub, in particular on collected data, intended use, responsibility structure, your rights and involved sub-processors, etc. can be found in the following sections of this data privacy information.
For general inquiries regarding privacy, please contact the Group Data Privacy Officer at Deutsche Telekom AG:
Dr. Claus D. Ulmer, Friedrich-Ebert-Allee 140, 53113 Bonn, datenschutz@telekom.de
You can send a request for information in accordance with Art. 15 GDPR for this specific data processing to growthhub_team@telekom.de
Specific information depending on the subsidiary you apply at
If you are applying at a national business unit or subsidiary of Deutsche Telekom, additional information is provided to you regarding exact responsibilities, DPO contact and local obligations such as varying deletion periods. Requests for information (Art. 15 GDPR) regarding the application process shall be directed to the local contact. Please check section 7 at the end of this document or use below links if you are applying at one of these subsidiaries:
What data do we process and why?
Our main purposes for processing of your data are:
- maintaining a talent pool with candidates interested in job offers throughout DTAG (based on your consent - Art. 6 (1) (a) GDPR)
- selecting fitting candidates for our vacant positions (based on our legitimate interest, for preparation of contracts and to comply with legislation - Art. 6 (1) (b), (c) and (f) GDPR)
- enabling essential system functionality and user experience - Art. 6 (1) (b) and (f) GDPR
- ensuring security of our systems via logging, monitoring and backup (based on requirement to implement technical and organization security measures - Art. 32 (1) GDPR)
Candidate Profiles (Talent Network)
We offer a voluntary service for persons interested in job opportunities (candidates) at Deutsche Telekom, which is called Talent Network. A candidate profile can be created by
- you actively registering it on our job portals with the functionality “Join Talent Network”.
- being loaded from another recruiting system managed by your employing entity of Deutsche Telekom. If this is the case, you will be informed about this procedure via the respective system.
- a recruiter that took interest in your profile and added it from a public source (e.g. LinkedIn). If this is the case, we will reach out to you and ask for your consent to keep the candidate profile. After two weeks without feedback or if you actively decline, we will delete the candidate profile without undue delay.
The candidate profile may contain but is not limited to the following data:
Data | Description |
---|---|
Contact info | Mainly your full name, academic degree, address (permanent and contact one), e-mail address, phone number, business network profile link. |
Profile picture | The profile picture you uploaded directly, via your CV or which is derived from you business network profile. |
CV | Your CV directly and/or typical data that is part of your CV, such as date of birth, work experience, education, skills, language proficiency. |
Other data obtained from business network profile | If you decide to connect/import your business network profile, we process data you provided there. This data mostly aligns with typical CV data but could include additional data. |
In addition to your candidate profile we track certain recruiting activity linked to your candidate profile to support collaboration between you and our recruiters. For example, communication (e.g. via mail) is recorded, so that another recruiter would be able to take over, when your first contact person is absent. Please see table below for details on such data.
Data | Description |
---|---|
Communication | In order to support work and collaboration of recruiters, communication with candidates (e.g. via mail) is recorded. |
Meetings | We keep track of meetings we have scheduled together. |
Applications | Applications you submit using your candidate profile. |
Feedback | Feedback you received for your applications. |
Notes | Recruiters can create free-text notes for candidates e.g. to record additional info or arrangements already made. |
You register a candidate profile based on your consent in accordance with Art. 6 (1) (a) GDPR. We regularly ask for your consent to keep the profile inside Eightfold (every year). If we do not receive feedback, we will delete your profile and recruiting activity without undue delay. Apart from that, you can always decide to delete your candidate profile on your own. We will use your profile to find matching positions and to reach out to you with interesting information or details about job opportunities. Your data will be shared with other subsidiaries of Deutsche Telekom in the following manner:
- Across Deutsche Telekom AG and all of its subsidiaries. Under this option, we can consider you for open positions that fit your profile worldwide.
Applications
Our main purpose for processing your application data is our legitimate interest to find a right candidate for the vacant positions in Deutsche Telekom AG and its subsidiaries. The ways through which we are able achieve this legitimate interest and process your personal data are, e.g. evaluation and assessing of the information included in your CV, motivation letter, references, videos or in questionnaires provided by us, while using various HR tools or techniques and conducting an interview with you either online or personally. If you attend a personal interview, your data may be processed also in the CCTV system in our premises, since we have legitimate interest to ensure health and safety of our employees and to protect our assets and your belongings. Last, but not least, we may process your data for the purpose of legal claims and proceedings and if we are requested to do so by the public authorities.
Applications (provided directly or via your candidate profile) are complex data processing structures. This is why we provide detailed explanations regarding the processing purposes below.
Purpose | Description |
---|---|
Job interview and candidate selection | We can conduct the interview directly with you, or we can ask external personal agency to do so and then to provide us with information about you. We assess and evaluate the information from your CV and motivation letter submitted to us via various job portals or through references. We process your data based on our legitimate interest to find the right candidate for the position in our organization under art. 6 (1) (f) of GDPR. |
Internal review | If you are already employed in Deutsche Telekom AG Group (or if you have worked in Deutsche Telekom AG Group in the past) and you apply for another internal position, we can use information from your personal file in order to supplement information that you provide to us in job application. We process your data based on our legitimate interest to find the right candidate for the position in our organization under art. 6 (1) (f) of GDPR. |
Assessment | We may ask you to undergo an assessment of your skills, personality or cognitive aptitude. Such assessments are usually performed using third-party software or a third-party company, who will share the results with us. Prior to undergoing such an assessment, we will provide you with further information relevant to your specific situation. We process your data based on our legitimate interest to find the right candidate for the position in our organization under art. 6 (1) (f) of GDPR. |
Pre-employment screening | Depending on the nature of the job, we may ask a pre-employment screening expert to determine whether there are any circumstances which would disqualify you as a candidate from that job. Whether or not a screening will occur, as well as the scope and purpose will be discussed with you prior to the start of the screening. We process your data based on our legitimate interest to find the right candidate for the position in our organization under art. 6 (1) (f) of GDPR, resp. if the screening is required by the law, then we will process your data based on legal basis under art. 6 (1) (c) of GDPR. |
Obtaining references | We may decide to obtain references from individuals who have worked with you in the past. Generally, we will only contact those individuals if you have provided us with their names and contact details. If you are already an employee in some entity of Deutsche Telekom AG Group, we may ask for references from your manager and/or co-workers, without your knowledge. We process your data based on our legitimate interest to find the right candidate for the position in our organization under art. 6 (1) (f) of GDPR. |
Onboarding process | If we decide you are the right candidate for the position in our organization, we will process your data to start the onboarding process. We will create you the accounts in various internal systems and we will enable you to access the applications necessary to start your onboarding. We will process your data as part of our pre-contractual and contractual relationship, i.e. based on art. 6 (1) (b) of GDPR. |
Ensure health, safety and security in our premises | We want our employees and persons attending our premises to be healthy and safe. Therefore, we use security measures such as CCTV system, to ensure that our employees, visitors and property are safe. We process your data based on our legitimate interest to ensure security in our premises and safety of our employees and property under art. 6 (1) (f) of GDPR. |
Dispute resolution | We may process personal data for the purposes of resolving legal disputes, claims, complaints or proceedings. We process your data based on our legitimate interest to defend ourselves against the claims under art. 6 (1) (f) of GDPR or if required so by the law, i.e. under art. 6 (1) (c) of GDPR. |
Compliance with the law | We may have to process your personal data to comply with the law or with a decision of respective public authority or with a judicial order. For this purpose, we process your data based on art. 6 (1) (c) of GDPR. |
Cooperation within DT AG Group and our business promotion | If you apply at a local business unit, data might be shared as part of DTAG Group activities, including promotion of local businesses within DTAG Group as well as on the external market. Further details on how applications are shared within the group can be found below. We process your data based on our legitimate interest to find the right candidate for the position in our organization and to cooperate within DTAG Group under art. 6 (1) (f) of GDPR. |
When you are submitting an application, your data will be shared within Deutsche Telekom Group according to the following rules (you are able to choose one option):
- Consider me for all open positions worldwide
- Consider me for all open positions in the country in which I am based
- Consider me only for jobs I apply to
Deutsche Telekom Service Europe Romania S.R.L. is involved as the recruiting process agent per default.
Data that is processed as part of your application includes, but is not limited to:
Data | Description |
---|---|
Contact info | Mainly your full name, academic degree, address (permanent and contact one), e-mail address, phone number, business network profile link. Legal basis for the processing is Art. 6 (1) (b), (c) and (f) GDPR. |
CV | Your CV directly and/or typical data that is part of your CV, such as date of birth, work experience, education, skills, language proficiency. Legal basis for the processing is Art. 6 (1) (b), (c) and (f) GDPR. |
Information from your motivation letter | Any information that you decide to mention in your motivation letter. Legal basis for the processing of such data is Art. 6 (1) (f) GDPR |
Eligibility for work | Information related to possible obligation to prove legal eligibility for performance of respective job. Legal basis for the processing of such data is Art. 6 (1) (b), (c) and (f) GDPR. |
Declaration of integrity | Depending on the nature of the job and the country in question, we may request you to provide us with declaration from relevant public authority confirming that you have not been convicted of any crime, which would disqualify you from the selection process of applicant for the respective job. Legal basis for the processing of such data is Art. 6 (1) (b), (c) and (f) GDPR. |
Information provided through video call | It is possible that you will provide us with some of the abovementioned information in form of video or during the video call. Legal basis for the processing of such data is Art. 6 (1) (f) GDPR. |
Information provided as part of online assessment | We may process information about you that we encounter as part of an online assessment of your abilities, skills, and personality, including some technical information about equipment you use (e.g. IP address). Legal basis for the processing of such data is Art. 6 sec. (1) (f) GDPR. |
Security-related information | Information about your entrance to our premises, your activities on CCTV records. Legal basis for the processing is Art. 6 (1) (f) GDPR. |
Special data category | Information about your health, however only in case this information is relevant for performance of job that you apply for. Legal basis for the processing is Art. 9 (2) (b) GDPR. |
Generally, we delete applications 6 months after we have found a suitable candidate for a position. If you were successful, your application might be retained in your personnel file in accordance with applicable legislation and our internal HR regulations. However, if the required retention differs in your country, we fulfil those specific requirements. For details see section Specific information depending on the subsidiary you apply at.
Cookies
We process only technically necessary cookies to assure Eightfold is working as intended or that are essential for your user experience. Cookies are saved as long as a user session exists, but no longer than 1 day.
Logs
We save data about your access, usage and about critical actions executed by you (especially if you are a privileged user). This is done to investigate potentially harmful or malicious actions that lead to an incident. Logs are saved for a maximum of 6 months.
The basis for the storage of log data is Article 32 (1) GDPR. The log data is used exclusively for purposes of data protection control, data backup and to ensure proper operation. An evaluation of log data for the purpose of performance and behavior control does not take place.
Who does Deutsche Telekom pass my data on to?
To processors
We engage companies particularly in the following areas: IT, Recruiting Support, Affiliates.
Our current processors are
- Eightfold AI Inc, 2625 Augustine Drive, Suite 601, Santa Clara, CA 95054, USA
- Deutsche Telekom Services Europe Romania S.R.L., 319 G Splaiul Independentei, Sema Parc, Atrium House, 2nd floor, Bucharest, District 6, Romania
- Possibly subsidiaries and associated companies of Deutsche Telekom AG based on the conditions described above.
Owing to legal obligations
In certain cases, we are legally obliged to transfer data to a state authority that requests it.
How is my data protected?
We make reasonable efforts to ensure a level of security appropriate to the risk associated with the processing of your personal data. We maintain technical and organizational measures designed to protect your personal data within our organization against relevant security threats, including against unauthorized access, destruction, loss, alteration or misuse. Your data is only accessible to a limited number of personnel who need access to perform their duties. For measures implemented specifically in the growth hub application, please refer to the next section. In case you wish to learn more about our technical and organizational measures, you can contact
- the Deutsche Telekom AG DPO (listed in the beginning of this document) for general technical and organizational measures
- the application team at growthhub_team@telekom.de for more details on technical and organizational measures implemented in growth hub
- the respective DPO contacts of DTAG subsidiaries listed in the section “Specific information depending on the subsidiary you apply at” for information regarding local technical and organizational measures (especially in handling your application)
Where is my data processed?
Data is stored and servers are running within data centers of Amazon Web Services, Inc. (sub-processor of Eightfold) in Frankfurt, Germany. Eightfold AI Inc., together with its sub-processors delivers services (development, maintenance, product and customer support) from outside of the EU. To ensure a secure handling of data according to GDPR, the Standard Contractual Clauses (SCC) as predetermined by the European Commission were agreed with Eightfold. Additionally, the following technical and organizational measures were implemented to protect your data:
- Data at rest and in transfer is encrypted according to state-of-the-art. The encryption key is managed by Deutsche Telekom AG – this means that Eightfold is being permissioned to use cryptography primitives without owning the actual key.
- Detailed logging of non-EU data access with strict purpose limitation – this means that access to the data is continuously monitored and it is ensured that it is bound to a certain purpose (e.g. support ticket opened by employee).
Am I subject to automated decision making or profiling?
Your personal data may be subject to profiling. During the candidate selection process, we use a matching model to identify how well you match the vacant position to which you applied. We do not rely solely on such results and they are always revised by our employees which reduces the significance of such processing to a minimum.
The Eightfold Matching Model is an artificial intelligence system which produces a match score, that predicts the match of a profile to a position. It ranges from 0 through 5 in increments of 0.5 (5 indicates the highest possible match). Relevant recruiting personnel has insights into these scores and all the other candidate data to make informed hiring decisions. Per Eightfold’s design it is not intended to execute hiring decisions autonomously. Only a recruiter is able to advance an applicant.
Technical Details
In detail, the goal of the Eightfold Matching Model comprises the creation of an enriched talent profile for a candidate, a calibrated job profile and discovering complex relationships between these components which result in the Eightfold Match Score (likelihood that candidate will perform well in the application process and succeed in the job).
The enriched talent profile of a candidate is created using supplied candidate data (e.g. CV), company HR data (e.g. past hirings) and other public or proprietary data (e.g. data about employers) and includes the following components:
- Profile Data (incl. Similarity Data): e.g. roles, skills, companies, education and fields of study (partially as numerical data)
- Supplemental Candidate Data: e.g. awards, publications, patents, references, past employment history
- Related-Entity Data: e.g. skills of peers with same role at the current company, people at target organization who may know the candidate
- System-Derived Insights: Talent Insights (e.g. quality of education, career growth progression, industry experience), Personality Insights (e.g. team player, high endurance) and Predicted Next Roles.
Through Similarity Data, the Eightfold Matching Model is able to find suitable positions for you based on what e.g. your skills mean and not which exact phrases you chose to describe your skills. On technical level, Eightfold analyzes context of certain words that appear together (e.g. skills often appearing together in given candidate profiles or fields of study that that are often mentioned together). The model learns which concepts are closely related to each other or which are quite different (e.g., “UI design” and “web design” in today’s understanding are very similar and candidates with either skill could be interesting for a web designer position).
The calibrated job profile is created using a job description with requirements, company HR data (e.g. skills of person previously in certain role or potential team mates of a person in a role) and other public or proprietary data (e.g. people that worked a certain time in a role). It spans the following components:
- Job Requirements: e.g. skills, education, industry experience
- Talent and Personality Insight Requirements: e.g. career growth progression, top 20% in university
- Ideal Candidates (incl. Weightings): e.g. people currently or previously in the role, previous successful applicants
- Team at Target Company Role: e.g. skills of potential team mates for the role
- Unqualified Candidates: e.g. rejected job candidates
To achieve the most accurate Eightfold Match Score, a deep neural network (DNN) is prepared in a multi-step approach. Initially, a base model is trained using publicly available data (e.g. professional social networks). For every job held throughout a persons career a calibrated job profile, enriched talent profile and indication whether the person got the job and held the position for a certain amount of time is created. Training a neural network involves teaching it to perform a specific task (e.g. predicting likelihood that person will get a job and be successful in it) by showing it examples (in this case peoples career stages) and adjusting its settings based on the mistakes it makes, until it becomes good at the task. It’s like teaching a computer brain to learn and improve over time.
This step is followed up by model refinement using company HR data. A similar method as with the initial training will be used in this process. Earlier job postings and applicants will be analyzed by creating calibrated job positions and enriched talent profiles of candidates at that time, together with an indication of success in the application process (e.g. telephone screen, interview or hired).
The refined model will be used inside the company to produce the Eightfold Match Score for certain candidates using calibrated job positions and enriched talent profiles. For more information, Eightfold’s publicly available patent can be checked: “SYSTEM, METHOD, AND COMPUTER PROGRAM FOR AUTOMATICALLY PREDICTING THE JOB CANDIDATES MOST LIKELY TO BE HIRED AND SUCCESSFUL IN A JOB”.
Bias
The Matching Model was audited regarding bias by the US company BABL AI Inc., which specializes on AI Auditing. They conduct bias audits according to New York City Local Law No. 144 of 2021 on Automated Employment Decision Tools (AEDTs). They primarily test for unusual selection rates of candidates with certain gender or race, known as disparate impact. Disparate impact is assumed, when the average score for a group of individuals divided by the average score of individuals in the highest scoring group (impact ratio) is lower than 80%. The Matching Model did not deliver impact ratios below 0.992 for gender categories and 0.923 for race/ethnicity categories. Apart from that, Eightfold passes additional formal audit requirements, such as having a accountable party for ethics and bias.
What data privacy rights do I have?
- Right to request/access information (on the categories of the personal data processed, the purposes of the processing, any recipients of the data, the envisaged storage period);
- Right to request that inaccurate or incomplete data be rectified or supplemented;
- Right to withdraw consent at any time with effect for the future;
- Right to request that data be erased, provided that
- the data is no longer required for the intended purpose and/or is being unlawfully processed, or
- you withdraw consent (unless there is another legal ground for the processing), or
- in the case of data processing on account of legitimate interests you object to the processing and there are no overriding legitimate interests for the processing, or
- data has been unlawfully processed, or
- the personal data has to be erased for compliance with a legal obligation;
- Right to demand under certain circumstances the restriction of data processing where erasure is not possible or the erasure obligation is disputed;
- Right to data portability subject to the conditions of Art. 20 of the GDPR;
- Right to object to the processing of your personal data set out in Art. 21 GDPR in the cases of Art. 6 Abs.1 e/f GDPR;
- Right to lodge a complaint with a data protection supervisory authority regarding the processing of data;
- Right not to be subjected to automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect.
Specific information depending on the subsidiary you apply at
Deutsche Telekom Cloud Services (DTCS)
Responsibility
Please consider that depending on the location of the job you are applying for within DTCS, one of the following DTCS companies is responsible for the protection of your personal data and for ensuring compliance with this Privacy Statement as the controller:
- Deutsche Telekom Cloud Services s.r.o., with its registered seat at Ružová dolina 6, 821 08 Bratislava, Slovak Republic, ID No.: 48 129 178;
- Deutsche Telekom Cloud Services Kft., with its registered seat at 1117 Budapest, Inforpark sétány 3, Hungary, ID No.: 01-09-271999;
- Deutsche Telekom Cloud Services EPE, with its registered seat at 9 Fragkoklisias Str., 15125 Marousi of Attica, Greece, ID No.: 134112901000 / 300378;
- Deutsche Telekom Cloud Services S.R.L., with its registered seat at B-dul, Dimitrie Pompei nr. 9-9A, Iride Business Park Cladirea 20, etaj 3, Sector 2, Bucharest, Romania, ID No.: J40/4603/2016; or
- Deutsche Telekom Cloud Services d.o.o., Radnička cesta 21, 10000 Zagreb, Croatia ID No: 080987135.
Deletion of CCTV data
Your data processed through CCTV systems of DTCS will be stored for 3 days and then automatically erased.
Additional sub-processors
DTCS may share your personal data with its suppliers who support DTCS in recruiting processes or provide DTCS with partial services, e.g. recruitment agencies, physical security services, legal, tax and audit services, IT support services and technical subcontractors, HR services, etc. DTCS shares your data within group of DTCS companies and with affiliates of Deutsche Telekom Group AG as mentioned above.
DTCS involves additional sub-processors to support its recruiting processes:
- HireVue Inc., 10876 S River Front Pkwy Ste 600 South Jordan, Utah 84095, United States (to conduct online assessments)
Complaints
If you would like to file a complaint about how DTCS processes your personal data, you can contact DTCS Data Protection Officer (see contact details below) and your suggestions and requests will be reviewed. If you are not satisfied with the response or you believe that DTCS processes your data unfairly or unlawfully, you have the right to lodge a complaint with a supervisory authority. Depending on which DTCS company is the controller responsible for the protection of your personal data, the supervisory authority
- for Deutsche Telekom Cloud Services s.r.o. is the Office for Personal Data Protection of the Slovak Republic, www.dataprotection.gov.sk.;
- for Deutsche Telekom Cloud Services Kft. is the National Authority for Data Protection and Freedom of Information, www.naih.hu;
- for Deutsche Telekom Cloud Services EPE is the Hellenic Data Protection Authority, www.dpa.gr;
- for Deutsche Telekom Cloud Services S.R.L. is the National Supervisory Authority for Data Processing, www.dataprotection.ro;
- for Deutsche Telekom Cloud Services d.o.o. is the Agency for Protection of Personal Data, www.azop.hr.
Contact to DPO
pan-net.privacy@eu.telekom.com
T-Systems ITC Iberia
Data privacy information last revised: 19.09.2023