Know what´s inside:

Privacy policy

The following data protection notices inform you how GBA Holding GmbH and its subsidiaries handle your data. We inform you about the collection, storage and use of personal data, the legal basis for processing and your rights with respect to us.

We have taken technical and organizational measures to ensure that data protection regulations are observed both by us and by our technical partners and service providers.

On our homepage, only the personal and business data necessary for our service offer are recorded. All other information is voluntary. Furthermore, we assure you that we will not pass on your data stored with us to third parties or use it for any other purpose, e.g. for advertising by third parties, without your consent.

The following statements apply to all anonymous and registered, logged in users who have read-only access. Only a few specific GBA Group employees have write access. Other internal rules apply to them.

We attach great importance to the sensitive handling of all data provided by you and assure you of comprehensive data protection.

With regard to the definition of terms such as "personal data" or "processing" we refer to Article 4 GDPR.

Get there faster

1. Name and contact details of the person responsible

Those responsible for the website in accordance with Article 4 paragraph 7 of the EU Data Protection Regulation (GDPR) are

GBA Holding GmbH
Goldtschmidtstraße 5
21073 Hamburg,

represented by the CEO Steffen Walter.

This data protection information also extends to our Group companies. Each Group company is a responsible party in the sense of data protection law.

The names and contact persons of the responsible data protection officers can be found here.

You can contact the data protection officer of GBA Holding GmbH at

2. Provision of the website and log files

Description and scope of the data processing

Whenever our website is called up, our system, i.e. the web server, automatically records information from the calling computer or end device of the user. If you only use our website for information purposes (i.e. no registration or other transmission of information), we only collect the personal data that your browser sends to our server. We collect the following data:

  • information about the browser type and version used
  • the operating system of the user's end device
  • the Internet service provider of the user
  • the IP address of the user
  • date and time of access
  • form data

This data will not be stored together with other personal data of yours. The data serves the purpose of user-friendly, functional and secure delivery of our website to you with functions and contents as well as their optimization and statistical evaluation.

The legal basis for the temporary storage of this data and the log files is Article 6 paragraph 1 (f) GDPR (our legitimate interests as a responsible website operator).

Purpose of the data processing

The temporary storage of the user's IP address by our system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must necessarily remain stored for the duration of the session.

The storage of the above-mentioned data in the log files is done to ensure the functionality of our website. In addition, this data serves us to optimize the website and to ensure the security of our information technology systems (e.g. to detect attacks). An evaluation of the data for marketing purposes does not take place in this context.

Duration of storage

To ensure the error-free functionality of our website, we store this data in server log files for a period of 190 days for security reasons. After this period has elapsed, they are automatically deleted, unless we need to keep them for evidence in case of attacks on the server infrastructure or other legal violations.

Normally there is no access to these log files, but if errors occur, they are used to investigate the cause.

3. Cookies

Description and scope of the data processing

We use so-called cookies when you visit our website. Cookies are small text files that your internet browser places and stores on your computer. When you visit our website again, these cookies provide information to automatically recognize you.

Our website uses session cookies, persistent cookies and third- party cookies:

Session cookies: We use so-called cookies to recognize multiple use of an offer by the same user (e.g. if you have logged in to determine your login status). When you visit our site again, these cookies provide information to recognize you automatically. The information obtained in this way serves to optimize our offers and to make it easier for you to access our site. When you close the browser or log out, the session cookies are deleted.

Persistent cookies: These are automatically deleted after a predetermined period of time which may vary depending on the cookie. You can delete or block the cookies at any time in the security settings of your browser.

Third-party cookies: You can configure your browser settings according to your wishes and, for example, refuse to accept third- party cookies or all cookies. However, we would like to point out at this point that you may then not be able to use all functions of this website. Please read more about these cookies in the respective privacy statements of the third-party providers we use.

The legal basis for the processing is our legitimate interest (Article 6 paragraph 1 (f) GDPR) for essential cookies or your - at any time revocable - consent pursuant to Article 6 paragraph 1 (a) GDPR.

Purpose of the data processing

The information obtained in this way serves the purpose of optimizing our web offers technically and economically and enabling you to access our website more easily and securely. When you visit our website, you have the option of actively agreeing to the use of cookies for statistical and marketing purposes. Technically necessary cookies ("essential cookies") are needed to provide the functionalities of our website.

Duration of storage

he cookies are stored for different lengths of time. For more information, see the privacy settings in the cookie configuration panel.

General information on cookies

You can generally prevent cookies from being stored on your hard disk by selecting "do not accept cookies" in your browser settings. However, this can result in a functional limitation of our offers. You can object to the use of third-party cookies for advertising purposes by opting out using this American website (
or this European website (

4. Contact by e-mail or contact form

Description and scope of the data processing

When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions.

On our homepage you have the possibility to fill out our online application form and send it to us. We assure you that we will use the personal data you entrust us with when filling out the application form exclusively in connection with your application. Your data will not be passed on to third parties.

Data on applicants who apply to the GBA Group for an advertised position will be stored in our systems for six months after completion of the vacancy and then deleted. Data of candidates who submit unsolicited applications will be checked and deleted if no suitable vacancy exists. If there is a suitable position available, this data will be used within the application process, especially for making contact. No applicant data will be passed on to third parties or transferred to a third country. You will find further information on this in our data protection.

The legal basis for the processing of these data, which are transmitted in the course of a request, is Article 6 paragraph 1 (f) GDPR (our legitimate interests as the responsible party). In this case, our legitimate interest is a commercial interest, such as answering your enquiry, acquiring customers or similar.

If necessary, Article 6 paragraph 1 (b) GDPR (fulfilment of contract) can be an additional legal basis for the processing, as we can only come back to you and your request if we know a way to contact you. We use these data exclusively to be able to get back to you regarding the communicated concern.

Purpose of the data processing

The processing of this personal data serves us solely to process the contact.

Duration of storage

The above-mentioned data will be deleted as soon as they are no longer necessary for the purpose of their collection. For personal data sent by e-mail or contact form, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified.

6. Tracking using Google Analytics

Description and scope of data processing

We use the search function of the provider Algolia Inc. on our website to search for and index content. By using Algolia, your IP address and your search query are transmitted to Algolia's servers and stored there for 90 days for statistical purposes. Please note the terms of use of Algolia and the privacy policy of the provider.

The legal basis for the processing of these data, which are transmitted in the course of a request, is Article 6 paragraph 1 (f) GDPR (our legitimate interests as the responsible party). In this case, our legitimate interest is a presentable and user-friendly usability of our website.

Purpose of the data processing

The use of Algolia is for the purpose of making the information contained on our website easier to find and thus ensuring user- friendliness.

Duration of storage

The data is stored on the server of Algolia for a period of 90 days.

6. Tracking durch Google Analytics

Description and scope of the data processing

We use the tracking tool Google Analytics on our website. In Google Analytics, the interactions of the user of our website are primarily recorded and systematically evaluated by means of cookies. If individual pages of our website are called up, the following data are stored:

  • three bytes of the IP address of the user's calling system (anonymized IP address)
  • the website accessed
  • the website from which the user accessed the page of our website (referrer)
  • the subpages that are accessed from the visited page
  • the time spent on the website
  • the frequency of access to the website

The software is set up so that the IP addresses are not stored completely, but the last octet of the IP address is masked (e.g.: 192.168.79.***). In this way, it is no longer possible to assign the shortened IP address to the calling computer or end device of the user.

In the event that IP anonymization is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other states which are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on the website activities and to provide further services to the website operator in connection with the use of the website and the internet.

This website also uses Google Analytics for analyzing the flow of visitors across multiple devices. This is performed by means of a user ID. You can deactivate the cross-device analysis of your usage by adjusting the settings in your Google customer account, under “My Data” and “Personal Data.”

The legal basis for the processing of users' personal data is Article 6 paragraph 1 (a) GDPR, the consent of the user. This consent can be revoked at any time. The data processing carried out up to the revocation remains unaffected by this. Google has submitted to the EU-US Privacy Shield which legally legitimizes the transfer of personal data to the USA:

Purpose of the data

The processing of the user's personal data using Google Analytics enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to constantly improve our own website and its user- friendliness.

Duration of storage

The data stored by tracking is deleted as soon as it is no longer needed for our recording purposes. This is the case with us after 26 months.

Right of objection

With the help of a browser add-on for deactivating Google Analytics JavaScript (ga.js, analytics.js, dc.js), the user can prevent Google Analytics from using their data on our website.

If the user wants to deactivate Google Analytics, they can download and install the add-on for the web browser they use. The add-on for deactivating Google Analytics is compatible with the current versions of Chrome, Internet Explorer, Safari, Firefox and Opera. For the add-on to work it must be loaded and run correctly in the browser. In Internet Explorer, third-party cookies must also be activated.

You can find more detailed information at

7. Integration of Google Maps

Description and Scope

This site includes an interface to the map service Google Maps, provided by Google Limited Ireland.
In order to use the functions Google Maps, it is necessary to store your IP address. This information is generally transferred to a Google server in the USA and stored there. The provider of this website has no influence over this data transfer.
The usage of Google Maps is based on our legitimate interest in presenting our online offerings in an appealing way and to enable users to easily find the locations indicated on our website. This constitutes a legitimate interest in the context of the GDPR Art. 6 (1) f. Before loading the map, however, in order to protect your personal data, we ask for your consent according to Article 6 para. 1 lit. a GDPR, which is revocable at any time.
More information about how user data is handled by Google can be found in Google’s privacy policy:

The integration of this service, Google Maps, is necessary in order to meet the demands of our website design. This is also our legitimate interest in accordance with GDPR Art. 6 (1) f (our legitimate interest as the responsible party), the actual loading of the map is conducted based upon your consent (GDPR Art. 6 (1) a).

Further Information on Data Processing Google Limited Ireland is responsible for further data processing. For more information on how Google handles your data, please see

8. Newsletter

Pharma, ABF, Pharmacelsus GmbH, LKF)

Description and scope of data processing

When you sign up for one of our newsletters, we require at least your email address, because otherwise we cannot send you the newsletter. You confirm your registration by means of a double opt-in; that means, after you register for the newsletter, you receive an email from us notifying you of this including a confirmation link. Only after you click on the confirmation link is your email address actually added to the newsletter mailing list. We utilize this process in order to ensure that you are actually the one who has entered your email address and that you actually want to receive the newsletter. Additionally, we as a company have the obligation to provide proof. In order to fulfill this obligation, we log your registration to the newsletter. For this purpose, we log the date and time of your registration and confirmation.

You have the possibility to cancel your registration at any time, even after registering for the newsletter. There is an opt-out link provided in each issue of the newsletter.

Further information

We use the US-American service provider Mailchimp for our newsletter. For the purpose of data protection, when data is processed in a non-EU state such as the USA, an appropriate level of data protection must be provided. In the case of Mailchimp, this is ensured using the “Privacy Shield” framework.

We process your personal data that you provide in the context of registering for the newsletter based on Article 6, par. 1, let. b of the GDPR: for the purpose of fulfilling the contract and/or based on Article 6, par. 1, let. a of the GDPR: your consent, which can be revoked at any time.

We process the data concerning the opt-in process on the legal basis of Article 6, par. 1, let. f of the GDPR, since we have a legitimate interest in being able to provide proof of your registration for the newsletter in the potential event of a legal dispute. There is no obvious legitimate interest on your part for us not to process this data that might outweigh our legitimate interest. Moreover, the double opt-in process is also in your interest, because that is the only way to ensure that no unauthorized third party undertakes the registration process for you.

Purpose of the data processing

The purpose of processing the data is in order to be able to send company news and information.

Duration of storage

We save the data that you provide us with in the newsletter form until you revoke your consent and/or you cancel your subscription to our newsletter. Furthermore, the log data from the opt-in process is stored as long as legal claims could potentially be made against us, i.e. for a maximum of three years.

9. RDV log-in (valid only for customers of LKF)

Description and scope of the data processing

Customers of LKF receive log-in data with which they can gain access to a secured log-in area.

The legal basis for temporarily saving this data is Article 6, par. 1, let. f of the GDPR (legitimate interest). The legitimate interest is to enable the access to results for the customers, monitors, and doctors sending information, in order to facilitate communication and provide an overview. If the contractual partner is a natural person, the legal basis is Article 6, par. 1, let. b of the GDPR.

Purpose of the data processing

The purpose of the data processing is the provision of laboratory values and study documentation.

This data is evaluated exclusively for the purpose of analyzing performance and errors, in the context of customer service, as well as in order to reproduce actions that have been executed. The data is not analyzed in this context for the purpose of marketing.

Duration of storage

Using the RDV log-in involves the one-time placement of a cookie. IP addresses are not logged.

In the context of studies, only names and e-mail addresses are saved. Those who receive access are provided passwords by us.

10. Google Marketing Platform incl. Ads Conversion and DoubleClick

Description and Scope of the Data Processing

We use the service Google Marketing Platform, a product of the service Google Ireland Limited (registered number: 368047), located at Gordon House, Barrow Street, Dublin 4, Ireland, in order to bring attention to our website by placing advertisements on the websites of third parties. If you click on one of our Google ads, a cookie will be saved on your device that is valid for about 30 days and is not meant to identify you personally.

Afterwards, if you access our website, both we and Google can evaluate whether you have visited our website before, and which pages you have visited. Google compiles statistics based on this data. The complete scope of this data processing is not known to us. As for ourselves, we do not collect or process any personal data in association with the advertising processes described here. We merely receive a statistical evaluation of this data from Google. Based on this evaluation, we can recognize which the advertisements that we utilize are particularly effective. There is no possibility for us to identify individual users in this way.

The data that is collected could potentially also be transmitted to the USA and analyzed there. The European Court of Justice has determined that the USA is a country with insufficient data protection according to EU standards. In particular, there is the risk that your data could be processed by US agencies for the purpose of surveillance, possibly without the opportunity for legal remedy.

If you are logged in with a Google account, the data can be linked to your account through the ads. If you do not want this to occur, you must log out of your Google account before you visit our website. There is also the possibility that the provider can view and save your IP address.

Further information on Google’s data protection and privacy policies can be found here:

The legal basis for processing this data is Article 6 paragraph 1, letter f of the GDPR, our legitimate interest. Our interest is economic in nature.

The integration of Google Ads into our website is performed by Google Tag Manager. The data is merged with Google Analytics, as long as you have provided us with your consent to use Google Analytics, which you can revoke at any time (see also point 6).

Purpose of Data Processing

This data is processed for the purpose of displaying user-based advertisements and shaping our website in a way that is targeted toward specific interests.

Duration of Data Storage

The cookies that are placed on your device via this website are saved for a duration of 30 days or until you undertake measures either to change your browser settings or manually delete the cookies.

Further Information

You can stop participating in this tracking process in a variety of ways: a) By selecting the corresponding settings in your browser software. In particular, blocking third-party cookies makes it so you will not receive any advertisements from third-party providers. b) By installing the plug-in provided by Google at the following link: c) By deactivating the targeted ads from individual providers that take part in the self-regulation campaign “About Ads,” which you can read about here: However, these settings will be deleted if you delete your cookies. d) By permanently deactivating them in your browsers, e.g., Firefox, Internet Explorer, or Google Chrome. Read more here: . e) By adjusting your cookie settings.

We would like to point out that if you choose this option, you may not be able to use the full scope of functionality of our online services.

11. LinkedIn Insight Tag

Description and scope of data processing

The LinkedIn Insight tag is a JavaScript code snippet that we have embedded on our website, which allows us to perform detailed campaign reporting and provides information about website visitors. The Insight tag allows us to track conversions, retarget our website visitors, and gain aggregate demographic information about LinkedIn members viewing our ads.

The LinkedIn Insight tag places a cookie in the user's browser. In addition, LinkedIn collects, among other things, data such as.

  • URL
  • Referrer URL
  • Device and browser properties
  • IP address

We, as site operators using the Insight tag, only receive aggregate reports about the demographics of our target audience and the performance of our ads. In doing so, we receive information on various criteria, such as industry, job title, company size, career level and location of visitors to our website.

Setting technically non-essential cookies is prohibited. The legal basis for the use of the LinkedIn Insight tag is your consent (which can be revoked at any time) pursuant to Art. 6, para. 1 (a) of the GDPR.

Purpose of the data processing

We use the LinkedIn Insight tag to optimize and target our marketing activities to specific groups.

Storage duration

Direct identifiers of members are removed within seven days to pseudonymize the data. This remaining pseudonymized data is then deleted within 180 days.

12. Cookiebot

Description and scope of data processing

When you visit our website, we inform you about the types of cookies we use and give you the option to consent to the setting of technically non-essential cookies in order to better adapt our website to your preferences. For this purpose, we use the cookie consent technology of Cookiebot to obtain your consent within the meaning of Art. 6 (1) p. 1 lit. a GDPR to store certain cookies in your browser and to document this in accordance with data protection law. The provider of this technology is Cookiebot - Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter Cookiebot).

When you visit our website, a Cookiebot cookie is stored in your browser, which documents the consents you have given or the revocation of these consents.

The setting of technically non-essential cookies is prohibited. The legal basis for the use of a cookie consent manager is Art. 6 para. 1 p. 1 lit. c GDPR.

Purpose of the data processing

The use of Cookiebot cookie consent technology is done in order to obtain the legally required consents for the use of cookies.

Storage duration

The key and consent status are stored in the browser for 12 months using the cookie "CookieConsent". This preserves your cookie preference for subsequent page requests. With the help of the key, your consent can be proven and traced.

13. Polyfill

Description and scope of data processing

We use the service of "The Financial Times Ltd." based in London, England. The EU Commission has issued an adequacy decision for the United Kingdom, certifying that the level of data protection is equivalent to that in the EEA. Polyfill allows us to render content in the best possible quality even on older browser versions. When you load a website that uses the Polyfill service, your browser downloads all the necessary Polyfill files to display the website successfully or optimized in your browser. In order to provide the Polyfills, the service receives certain technical information from your browser, including browser details, connection data (such as your IP address), and the URL of the website that made the request to the service. The information is used to determine which Polyfills are required by your browser.

The legal basis for this processing is Art. 6 (1) lit. f GDPR. The processing is based on our legitimate interest in enhancing your user experience and for the general optimization of our website.

Purpose of the data processing

The purpose of the data processing is the optimization of our website as well as the displayability - especially in older browsers.

Storage duration

The data is deleted as soon as the purpose of its collection has been fulfilled. For more information on the handling of transferred data, please refer to's privacy policy.

You can prevent the collection as well as the processing of your data by by deactivating the execution of script code in your browser or by installing a script blocker in your browser (you can find this, for example, at or

14. Mouseflow

Description and scope of data processing

Mouseflow is a heatmap that allows us to see how users move around our website in order to optimize our offer and the user experience in this way. For this purpose, user activities are recorded and analyzed. The data collected in this way is stored anonymously. Keystrokes are not recorded.

By using the service, the following data is collected anonymously:

  • Clicks and mouse movements
  • Use of scroll wheel and scroll bar
  • Use of form fields or feedback tools
  • Visitor type (first-time visitors/recurring visitors)
  • Browser, operating system and medium desktop, tablet or mobile
  • Navigation (URLs visited) and referrer URL
  • Screen resolution
  • Page content (HTML)
  • ISP and location (city, state/region, country)
  • Individual tags and variables

The data is collected by means of cookies.

Mouseflow ApS is a Danish company based in Copenhagen. For more information about Mouseflow's data processing, please visit
You can disable Mouseflow at any time at or by making the appropriate settings in our cookie configuration panel.

Setting technically non-essential cookies is prohibited. The legal basis for the use of the Mouseflow service is your consent (which can be revoked at any time) pursuant to Art. 6 (1) p. 1 lit. a DSGVO. The required legal basis for the use of cookies and similar technologies for this tool is Art. 25 TTDSG para. 1 (consent).

Purpose of data processing

We use the service of Mouseflow to optimize our offer and the user experience.

Storage period

The non-personal data will be deleted as soon as they are no longer needed for the processing purposes.

15. Data subject's rights

You have the following rights in relation to the personal data concerning you:

  • right to information
  • right of rectification or deletion
  • right to restrict processing
  • right to object to processing,
  • right to data portability

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us. The responsible supervisory authority for our company is the State Commissioner for Data Protection and Freedom of Information Hamburg.

A person affected has the right to revoke his data protection declaration of consent to us at any time. However, this does not affect the legality of the processing that has taken place on the basis of the consent until the revocation.

Notice of the right of objection

If a processing operation is carried out on the basis of our legitimate interests as controller (Article 6 paragraph 1 (f) GDPR), you have the right to object to this processing operation at any time. We no longer process the personal data unless we can demonstrate compelling legitimate reasons for processing that outweigh the interests, rights and freedoms of the data subject, or unless the processing serves to assert, exercise or defend legal claims.

Information on complaints to a supervisory authority

Without prejudice to any other administrative or judicial remedy, a data subject shall have the right to lodge a complaint with a supervisory authority - in particular in the member state of the user's place of residence, the user's place of work or the location of the alleged infringement - if the user believes that the processing of his or her personal data by us contravenes the GDPR.

16. Recipients/categories of recipients

Recipients of your data are regularly employees of our company who are entrusted with the processing of inquiries and contracts. In addition, we use contractually bound data processors and partners for various services who sometimes act as independent responsible persons.

Without your consent we do not pass on any data to third parties. Should this be the case, however, the transfer will take place on the basis of the aforementioned legal bases or due to a court order or due to a legal obligation to hand over the data for the purpose of criminal prosecution, danger prevention or to enforce intellectual property rights. The data will not be passed on for other non- commercial or commercial purposes

We use contract processors (external service providers e.g. for web hosting of our websites and databases) to process your data. If data is passed on to the processors within the framework of an agreement on order processing, this is always done in accordance with Article 28 GDPR. We select our processors carefully, check them regularly and have the right to give instructions regarding personal data. In addition, the processors must have taken suitable technical and organizational measures and comply with the data protection regulations in accordance with the Federal Data Protection Act and GDPR. Processors are not considered third parties as defined in Article 4 No. 10.

17. Transfer of data to third countries

Should the processing be carried out by services of third parties outside the European Union or the European Economic Area, they must comply with the specific conditions of Article 44 et seq. GDPR. This means that the processing is carried out on the basis of specific guarantees, such as the EU Commission's officially recognized determination of a level of data protection equivalent to that of the EU or the observance of officially recognized specific contractual obligations, the so-called "standard contractual clauses". For US companies, submission to the so-called "privacy shield", the data protection agreement between the EU and the USA, fulfils these requirements.

Without appropriate data protection guarantees, a transfer of your data to a third country is not permitted.

18. The need to provide personal data

The necessity to provide personal data results from the use of our website or our services and depends on the respective degree of use and the requested services.

If you have any questions, please send us an e-mail to

19. Existence of automated decision-making

We do not use automated decision making or profiling.

20. Data security

In order to protect all personal data transmitted to us and to ensure that the data protection regulations are observed by us and our external service providers, we have taken appropriate technical and organizational security measures. For this reason, all data between your browser and our server is transmitted encrypted via a secure SSL connection.


Data Protection Notice for Job Applicants

We are glad that you are interested in the GBA Group and that you want to apply or have applied for a position at our company. We would like to provide you with the following information about how your personal data is processed in the context of your application.

Who is responsible for processing this data?

The individual subsidiary of the GBA Group that has posted the job advertisement is responsible for processing your data. This information can be found on the right side of the job ad.

In addition to the contact info provided in the job ad, you can find further possibilities to contact each of the companies in the GBA Group here.

You can reach the individual data protection officer responsible for each company at this address:

For which purposes do we process your personal data?

We process all of the personal data that we have received from you, either directly or through a third party authorized by you (e.g. Xing, LinkedIn), in the context of your application on the job applicant portal B-ITE or during personal interviews, for the purpose of examining your suitability for the position (or potentially other open positions within the GBA Group) and conducting the application process, which includes contacting you.

Any personal information you provide is done so voluntarily. Information that is necessary for the application process is labelled as a required field in the application portal B-ITE. If you do not provide information in the required fields, we cannot accept your application and therefore cannot take you into consideration in our hiring process.

The legal basis for processing your data in the context of the application process is Art. 6 par. 1 (b) of the GDPR. According to these provisions, it is permitted to process data that is necessary in the context of deciding on the justification for entering an employment contract.

If the data may be required after completing the hiring process in the event of a legal dispute, then data can also be processed on the legal basis of Article 6 of the GDPR, in particular for the purpose of legitimate interests as stated in Art. 6 par. 1 (f). Our interest, in that case, is the assertion of or defense from legal claims.

If special categories of personal data within the meaning of Art. 9 GDPR are processed (e.g. health data), the legal basis is Section 26 para. 3 BDSG or Art. 9 para. 2 lit. b) GDPR in conjunction with Art. 6 para. 1 lit. b) GDPR. Art. 6 para. 1 lit. b) GDPR.

If you decide to be included in our applicant pool, we process your personal data based on your consent in accordance with Art. 6 par. 1 (a) of the GDPR so that we can consider you for further positions if appropriate. You can revoke your consent at any time and without providing any reason. If you wish to do so, you can contact

How long is the data saved?

Applicant data is saved for 3 months if the application is rejected. If you have provided your consent to allow your personal data to be stored beyond that point, we will include your data in our applicant pool. That data will be deleted after one year has expired.

If you receive and accept an offer for a position in our company as a result of the application process, the data from the applicant data system will be transferred to our personnel data system.

Who else receives your data?

We use a specialized software provider B-ITE for our hiring process. This company provides us with their services and could also potentially become aware of your data in the routine process of maintaining the system.
Additionally, within this software, we use a tool provided by a third-party that helps us evaluate reference letters from employers. However, we explicitly state that this tool is not used to make an assessment or automatic decision about an application.

After receiving your application, your applicant data is personally read by the central Human Resources department of the GBA Group. Qualified applications are then forwarded to the managers responsible for the open position and then the next steps are coordinated. Depending on the position that you are applying for, your data could be forwarded to another company within the GBA Group on whose behalf we are carrying out the application process. In the job advertisement, you can find out which company within the GBA Group your application will be directed towards.
Within the company, as well as in the GBA Group, access to your data is strictly reserved for those individuals who require it in order to execute our hiring process properly.

If necessary, we forward your data to the following recipients:

  • Tax agencies, auditors, or other authorities, if we are convinced in good faith that we are required to provide this data by law or by other regulations, or,
  • Other service providers, such as outsourced IT services and storage providers.

We have order-processing contracts (or a similar safeguard) with our external service providers in order to ensure that the data processing is conducted only at our direction and in an appropriate manner.

Where is the data processed?

The data is processed exclusively at computing centers within Germany. We do not transfer any of this data to sites outside the Member States of the European Union.

Importing Data from Professional Networks

When applying for positions using our online application tool, you have the opportunity to import data directly from your professional networks. For that you have to log in with your account and authorize the data transfer. Only then will the data be transferred. Please also read our notice about this on the application portal.

Your rights as a “data subject”

You have the right to obtain information about any of your personal data that we process. Furthermore, you have the right to have your own personal data rectified, erased, or to restrict how it is processed or transferred.
Furthermore, at any time, you have the right to object to the processing of your own personal data, on grounds relating to your particular situation.
Additionally, you also have the right to issue a complaint to the responsible supervisory authority if you see a reason to do so. For each of the companies of the GBA Group within Germany posting the job advertisement, the supervisory authority of the Federal State of the company location is responsible. For the companies of the GBA Group not located in Germany, the national supervisory authority of that location is responsible.
Here you can find a list of supervisory authorities of the German Federal States and other EU countries, as well as their respective contact information.
If you require assistance selecting the responsible authority, we will gladly help you at the following email address:

Contact Information

If you want to exercise your rights as a data subject or if you have other questions regarding the topic of data protection at the GBA Group and its subsidiaries, please contact or our data protection team at In this context, particularly when exercising your rights as a data subject, we ask for your understanding that we may request you prove that you are in fact the person who you claim to be.

© 2024 GBA Group

Follow Us

  • linkedIn GBA Group
  • xing
  • gba youtube
  • gba Instagram
ContactData PrivacyLegal NoticeTerms & ConditionsDisclosure
Phone Phone