Data protection

Privacy Policy — FerienjobGermany
🔒 Data Protection

Privacy Policy

Information on the processing of your personal data pursuant to Art. 13 and 14 GDPR (EU General Data Protection Regulation / Datenschutz-Grundverordnung — DSGVO)

🏢 SHB Personalservice GmbH 📅 Last updated: ⚖️ GDPR compliant
🏢
Section 1
Controller (Art. 4 No. 7 GDPR)

The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:

CompanySHB Personalservice GmbH
AddressStockholmer Platz 1, 70173 Stuttgart, Germany
DirectorRon Waldkönig
RegisterHRB 790619, Amtsgericht Stuttgart (Local Court Stuttgart)
ℹ️ No Data Protection Officer appointed SHB Personalservice GmbH is not currently required to appoint a Data Protection Officer (DPO). For all data protection enquiries, please contact us directly at the email address above.
📋
Section 2
Personal Data Collected & Purposes of Processing

We process personal data exclusively for the purposes set out in this Privacy Policy. The following categories of data are collected and processed in connection with the FerienjobGermany programme:

Data CategorySpecific DataPurposeLegal Basis
Identity Data First name, last name, birth name, date of birth, place of birth, gender, nationality, passport number, passport status Identification, work permit application (ZAV), visa application Art. 6(1)(b) GDPR
Contact Data Email address, WhatsApp number, home address (street, postcode, city, region, country) Communication, programme coordination, emergency contact Art. 6(1)(b) GDPR
Academic Data University, field of study, expected graduation date, semester break dates, enrolment status Verification of eligibility, ZAV application Art. 6(1)(b) GDPR
Application Documents Passport copy, student ID, Immatrikulationsbescheinigung (enrolment certificate), enrollment certificate, CV, academic calendar, police clearance certificate, certificate of residence Application processing, ZAV work permit application, visa application Art. 6(1)(b) GDPR
Visa & Permit Data Visa appointment date, tracking number, visa validity period, visa scans, work permit (ZAV), permit validity period Programme administration, status tracking, employer obligations Art. 6(1)(b) GDPR / Art. 6(1)(c) GDPR
Travel Data Arrival/departure dates and times, airport, flight ticket, travel insurance certificate Arrival coordination, accommodation planning, on-site support Art. 6(1)(b) GDPR
Bank Details IBAN, BIC, name of bank Salary payment by the employer (Abax) Art. 6(1)(b) GDPR
Body Measurements T-shirt size, shoe size, trouser size Provision of personal protective equipment and work clothing Art. 6(1)(b) GDPR
Language Skills English proficiency level, German proficiency level Assignment planning, matching with placement sites Art. 6(1)(b) GDPR
T&C Acceptance Confirmation of Programme Terms (timestamp, full name, IP address, user agent, version) Evidence of consent, legal compliance Art. 6(1)(c) GDPR
Technical Data IP address, browser type, operating system, page views, session duration (if analytics are used) Website operation and security Art. 6(1)(f) GDPR
Communication Data Email correspondence, WhatsApp messages (programme-related), contact form submissions Participant support, programme coordination Art. 6(1)(b) GDPR
⚖️
Section 3
Legal Bases for Processing

We process your personal data on the following legal bases pursuant to Art. 6 GDPR:

📄 Art. 6(1)(a) — Consent
For the sending of information about future Ferienjob programmes and job opportunities, where you have given your explicit prior consent.
📋 Art. 6(1)(b) — Contract Performance
Primary legal basis: Processing necessary for the performance of the application process, programme participation, and employment relationship (pre-contractual and contractual measures).
🏛️ Art. 6(1)(c) — Legal Obligation
Transfer to the ZAV (Federal Employment Agency) for the work permit application; tax and social insurance obligations under German law.
⚡ Art. 6(1)(f) — Legitimate Interests
Website operation and security, fraud prevention, statistical analysis to improve our services, enforcement of legal claims.
⚠️ Right to Withdraw Consent (Art. 7 GDPR) Where we process your data on the basis of consent, you may withdraw that consent at any time with effect for the future — without giving reasons. The lawfulness of processing carried out prior to withdrawal remains unaffected. To withdraw consent, please email: datenschutz@ferienjobgermany.de
🤝
Section 4
Recipients & Transfer of Personal Data

We only transfer your data where this is necessary for the operation of the Ferienjob programme, required by law, or where you have consented. Specifically:

RecipientData TransferredLegal Basis / Purpose
Zentrale Auslands- und Fachvermittlung (ZAV)
Federal Employment Agency, Germany
Identity data, academic data, application documents, passport data, semester break dates Legally required work permit application under § 14 para. 2 BeschV (Art. 6(1)(c) GDPR)
Abax Personaldienstleistungen GmbH
Mannheim, Germany (Employer)
Identity data, contact data, bank details, body measurements, language skills, visa/permit data, travel data Contract performance: establishment and execution of the employment relationship, payroll (Art. 6(1)(b) GDPR)
Placement Sites (Einsatzbetriebe)
Companies where students are deployed (logistics, production, hospitality, etc.)
Name, arrival data, contact information, language skills, body measurements (for work clothing), permit validity period Contract performance: deployment planning and coordination, required operational onboarding (Art. 6(1)(b) GDPR). Only the data strictly necessary for each placement is shared.
German Embassies / Consulates
In the participant's home country
Work permit documents and ZAV approval letter (presented by the participant personally at the visa appointment) Visa application: The participant submits documents directly. SHB does not transmit data to embassies directly.
Processors (IT / Infrastructure)
Hosting, WordPress, email (details in Section 7)
Depending on the service: all data processed on the website Data processing agreement (DPA) pursuant to Art. 28 GDPR concluded or in preparation
ℹ️ No disclosure to unspecified third parties Your personal data will not be disclosed to any third parties not listed in this Privacy Policy — except where required by law or with your explicit consent.
🌍
Section 5
Transfers to Third Countries (Art. 44 et seq. GDPR)

Some services we use process data in countries outside the European Union (EU) and the European Economic Area (EEA). We ensure that an adequate level of data protection is maintained in all such cases:

ServiceCountrySafeguard
Google (Sheets, Drive, Workspace) USA (Google LLC) EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR; Google is certified under the EU-U.S. Data Privacy Framework
Make.com USA / EU (Celonis SE) EU Standard Contractual Clauses (SCC); EU server locations available and preferred (Frankfurt, Germany)
Mistral AI France (EU) — Mistral AI SAS Headquartered in the EU; GDPR applies directly. No third-country transfer.
Botpress Canada (Botpress Inc.) EU Standard Contractual Clauses (SCC). Canada holds an EU adequacy decision for commercial transfers.
⚠️ Note on US-based services Despite existing safeguards, US authorities may in certain circumstances obtain access to data processed by US companies. We take all available technical and organisational measures to minimise this risk and only use US-based services where necessary for the operation of the programme and where no equivalent EU alternative is available.
⏱️
Section 6
Retention Periods & Deletion

We retain your personal data only for as long as necessary for the respective processing purpose or as required by statutory retention obligations.

Data CategoryRetention PeriodReason
Application and programme documents 10 years after programme end Commercial law retention obligation (§ 257 HGB), tax law (§ 147 AO, German Fiscal Code)
Employment contracts, payroll records 10 years § 147 AO, employment law obligations
T&C acceptance record (evidence of consent) 10 years Evidence of agreement; statutory limitation periods (§ 195 BGB)
ZAV work permit application documents 10 years Tax and social insurance law retention obligations
Contact data (for future job notifications) Until withdrawal of consent; max. 5 years after last programme participation Consent-based (Art. 6(1)(a) GDPR); annual review
Website log data (IP, technical data) 7 days Security and fraud prevention; legitimate interest
Contact form enquiries 3 years after closure of correspondence General limitation period for claims (§ 195 BGB)
✓ Deletion on request Where no statutory retention obligation applies, we will delete your data on request prior to the expiry of the standard retention period. Please contact: datenschutz@ferienjobgermany.de
Services & Technologies Used
🔧
Section 7
Services, Tools & Data Processors

7.1 — Website Infrastructure (WordPress)

Our website is built on WordPress and hosted on a server located in Germany / the EU. WordPress itself is open-source software and does not transfer data to third parties. The hosting provider processes technical access data (IP address, timestamps, URLs accessed) under a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.

7.2 — Google Sheets & Google Drive

We use Google Sheets and Google Drive (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for internal management of applicant data and programme documents. Google processes data as a data processor acting on our instructions. Transfers to the USA are safeguarded by EU Standard Contractual Clauses (SCC); Google is also certified under the EU-U.S. Data Privacy Framework. Google Privacy Policy: policies.google.com/privacy

7.3 — Make.com (Automation Platform)

We use Make.com (Celonis SE / Make, Speditionstraße 1, 40221 Düsseldorf, Germany) to automate processes — in particular for email notifications and the synchronisation of applicant data. Make.com processes personal data as a data processor; a DPA pursuant to Art. 28 GDPR is in place. EU server locations are available and preferred. Make Privacy Policy: make.com/en/privacy-notice

7.4 — Mistral AI (Digital Assistant "Sophia")

Our digital assistant "Sophia" is powered by technology from Mistral AI (Mistral AI SAS, 15 rue des Halles, 75001 Paris, France). Mistral AI is headquartered in the EU (France) and is directly subject to the GDPR. In the context of the chat assistant, conversation content and any information entered by the user may be transmitted to Mistral AI. We strongly advise against entering particularly sensitive personal data into the chat assistant. Mistral AI Privacy Policy: mistral.ai/privacy

7.5 — Email Communications

Email notifications to programme participants are sent via WordPress (wp_mail) and, where applicable, via Make.com workflows. The recipient's name and email address are processed for this purpose. Email content is not shared with third parties.

7.6 — Botpress (Chatbot Infrastructure)

For the interactive chat assistant (Sophia) on ferienjob26.de, we use Botpress (Botpress Inc., Montreal, Canada). Botpress processes conversation data to provide the chatbot functionality. A DPA has been concluded; processing is based on EU Standard Contractual Clauses. Canada holds an EU adequacy decision for commercial data transfers. Botpress Privacy Policy: botpress.com/privacy

7.7 — Complianz (Cookie Consent Management)

We use Complianz (Complianz B.V., Groningen, Netherlands) to manage cookie consent. Complianz stores your cookie preferences locally in your browser and does not process personal data for its own purposes. Complianz Privacy Policy: complianz.io/privacy-statement/
🍪
Section 8
Cookies & Tracking Technologies

Our website uses cookies and similar technologies. Cookies are small text files stored on your device. We use the following categories:

CategoryPurposeLegal BasisRetention
Strictly Necessary Session management, login state (WordPress), CSRF protection, cookie consent status No consent required (§ 25(2) TDDDG / ePrivacy) Session / up to 1 year
Functional Language preferences, user settings Art. 6(1)(a) GDPR (Consent) Up to 1 year
Analytics Statistical analysis of website usage (if enabled) Art. 6(1)(a) GDPR (Consent) Up to 2 years
You can adjust or withdraw your cookie preferences at any time via our Cookie Banner. Further information is available in our Cookie Policy. You may also disable cookies in your browser settings — please note that this may affect the functionality of the website.
📬
Section 9
Newsletter & Future Ferienjob Notifications

With your explicit consent, we retain your contact details (name, email address) after the conclusion of your programme participation in order to inform you about future Ferienjob programmes, new job opportunities, and other programme-related information.

Legal basis: Art. 6(1)(a) GDPR (Consent). Consent is obtained either during programme registration (opt-in checkbox) or by separate request. Without your explicit consent, we will not contact you for marketing purposes.
Right to withdraw: You may withdraw your consent at any time and without giving reasons — by clicking the unsubscribe link in any email, by emailing datenschutz@ferienjobgermany.de, or via the privacy settings in your account. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Retention: Your contact data held for this purpose will be retained for a maximum of 5 years after your last programme participation, unless you withdraw consent earlier. An annual review is conducted.
🛡️
Section 10
Your Rights as a Data Subject (Art. 15–22 GDPR)

As a data subject, you have the following rights in relation to SHB Personalservice GmbH. To exercise your rights, please contact: datenschutz@ferienjobgermany.de

📋 Right of Access (Art. 15)
You have the right to obtain information about the personal data we process about you, including its origin, recipients, and purposes.
✏️ Right to Rectification (Art. 16)
You have the right to request the correction of inaccurate or incomplete data without undue delay.
🗑️ Right to Erasure (Art. 17)
You have the right to request the deletion of your data where no retention obligation applies ("right to be forgotten").
⏸️ Right to Restriction (Art. 18)
You may request that processing be restricted, for example while the accuracy of your data is under review.
📤 Right to Data Portability (Art. 20)
You have the right to receive your data in a structured, machine-readable format and to transfer it to another controller.
🚫 Right to Object (Art. 21)
You may object to the processing of your data on the basis of legitimate interests (Art. 6(1)(f)) at any time — in particular in relation to direct marketing.
⚠️ Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR) You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR.

Competent authority for Baden-Württemberg, Germany:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
📞 +49 711 / 615541-0 · 🌐 www.baden-wuerttemberg.datenschutz.de
We respond to requests to exercise data subject rights within 30 days of receipt. In the case of complex or multiple requests, this period may be extended by a further two months; we will notify you in advance in such cases.
🔐
Section 11
Data Security (Art. 32 GDPR)

We implement appropriate technical and organisational measures (TOMs) to protect your data in accordance with Art. 32 GDPR, including:

  • Encrypted data transmission via HTTPS/TLS (SSL certificate)
  • Access controls: only authorised staff and processors have access to personal data
  • Secure storage of uploaded documents outside the publicly accessible web directory (wp-uploads/fjg-docs)
  • Password hashing and hardened WordPress installation
  • Regular security updates and software patches
  • Role-based access control in the content management system
  • Nonce-based protection of all sensitive AJAX operations

In the event of a personal data breach posing a high risk to your rights and freedoms, we will notify you without undue delay pursuant to Art. 34 GDPR. Notifiable breaches will be reported to the competent supervisory authority within 72 hours (Art. 33 GDPR).

🔄
Section 12
Changes to this Privacy Policy

We reserve the right to update this Privacy Policy as necessary — in particular where legal requirements change or new services are introduced. The current version is always available at ferienjobgermany.de/datenschutz/.

In the event of material changes affecting your rights, registered users will be notified by email. The date of the most recent update is shown at the bottom of this page.

Version of this Policy: · Version 1.0
This Privacy Policy applies to ferienjobgermany.de and all associated sub-pages and services.