Data Protection Statement

I. Name and address of the responsible party

Within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection regulations, the responsible party is:

Heinrich & Coll. Gesellschaft für Personalberatung mbH
Bavariaring 38
80336 München
+49(0)89 7 41 18 08-0
+49(0)89 7 41 18 08-29

Executive Director:
Philipp Ruoff
Daniel Stockenberger

II. Contact details for the data protection officer

The data protection officer Tanja Glietenberg can be reached at:

III. General Information about Data Processing

  1. As a basic principle, we process the personal data of our users only to the extent necessary to provide a functional website, as well as our content and services. The processing of our users’ personal data regularly takes place only with the consent of the user. There is an exception for cases in which obtaining prior consent is not possible for practical reasons and the data processing is permitted by law. 
  2. Insofar as we obtain the consent of the data subject for the processing of personal data, the EU General Data Protection Regulation (GDPR) Article 6(1)(a) serves as the legal basis. When processing personal data that is necessary to fulfill a contract to which the data subject is a party, GDPR Article 6(1)(b) serves as the legal basis. This also applies to processing operations that are required to carry out pre-contractual measures. Insofar as the processing of personal data is required to fulfill a legal obligation that our company is subject to, Article 6(1)(c) serves as the legal basis. In the event that vital interests of the data subject or any other natural person require the processing of personal data, GDPR Article 6(1)(d) serves as the legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, then GDPR Article 6(1)(f) serves as the legal basis for the processing.
  3. The personal data of the data subject will be deleted or restricted, as soon as its retention is no longer required. In addition, data may be retained if provided for by the European or national legislator in EU regulations, laws or other regulations to which the responsible party is subject. Restriction or deletion of the data will also take place if a storage period prescribed by the mentioned standards expires, unless there is a need for further storage of the data for a contract conclusion or a contract fulfillment.

IV. Provision of the website and creation of log files

  1. Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. The following data is collected here:
    • Date and time of access,
    • IP address of the requested host,
    • IP address of the requesting client,
    • Port number,
    • Command method,
    • URI Stem and URI Query,
    • Protocol status,
    • Win32 status,
    • Timing, browser type / version
    • Type of computer
    • Created DomainServer Code (200 for content found and delivered)
    • Operating system used

      The data is also stored in the log files of our system. Storage of this data together with the user’s other personal data does not take place.

  2. The legal basis for the temporary storage of data and the log files is GDPR Article 6(1)(f).
  3. The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. 
  4. Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. 
  5. For these purposes, our legitimate interest in the processing of data is in accordance with GDPR Article 6(1)(f).
  6. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. When collecting data for the purpose of providing the website, this is the case when the respective session is completed. When storing the data in log files, this is automatically the case after seven days at the latest. 
  7. The collection of the data for the provision of the website and the storage of the data in log files is absolutely essential for the operation of the website. Consequently, there is no possibility for the user to object. 

V. Application via the homepage / email

  1. On our website, we offer users the opportunity to submit their personal information on our homepage to apply to certain vacancies. This data is entered into an input mask, transmitted to us and stored. Permission to transmit the data is obtained from the user before they submit their application. The following data is collected during the registration process:

    • First and last name
    • Potentially, academic degree
    • Date and place of birth
    • Contact information (address, email, telephone and/or mobile number)
    • Application documents (motivation letter, CV, certificates)
    • Language ability, skills.

    In addition, there is further personal data that the user communicates to us in the further course of the application process, such as notice period, current salary and salary expectations, readiness for mobility (relocation, secondary residence in a position outside the current place of residence), willingness to travel, professional goals, change motivation. These and the data transmitted to us via the homepage will be stored in our application management system, "Meffert," after actively obtaining the required approval. (See 2.)

    At the time of sending the application via the homepage, the following data is also stored:

    • The IP address of the user
    • Date in the access log file
    • Date and time of sending the application
    • Mr. / Ms. / Mrs.
    • First and last name 
    • Title 
    • Current position
    • Telephone 
    • Selected vacancy
    • Curriculum vitae
    • Confirmation of permission to collect data

    In this context, data is not disclosed to third parties. The data is used exclusively for processing the conversation. The processing of personal data from the input mask serves only to process the application. In the case of an application by email, this also includes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the applicant management system and to ensure the security of our information technology systems.

    Alternatively, users can apply via email using the provided email address. In this case, the user's personal data transmitted by email will be stored.

  2. As part of the application process via the homepage and / or by email, consent is obtained from the user / candidate / applicant for the processing of the above-mentioned data. This is done via our online service, which is integrated into our internal application management system "Meffert". Each candidate will receive an acknowledgment of receipt via email, including an individualized link to receipt of the application or curriculum vitae. Permission is actively obtained from the candidate / applicant to store their personal data, to pass on the curriculum vitae within Heinrich & Coll Personalberatung, as well as to pass on information to clients (after prior consultation). In addition, the user / candidate / applicant grants permission to contact them with job offers via email. This approval can also be granted for only specific areas. The storage of personal data will take place until permission is revoked.

    The user / applicant / candidate has the option to partially or completely revoke permissions granted via data protection approval and to ask for the deletion of their personal data at any time in accordance with GDPR Article 17. The legal basis for data processing in the presence of the consent of the user is GDPR Article 6(1)(a). The legal basis for processing data transmitted in the course of sending an email is GDPR Article 6(1)(f). If the email contact aims to conclude a contract, then GDPR Article 6(1)(b) serves as an additional legal basis for the processing.

    We use the personal data provided by you within the framework of the legal requirements of our decisions in the application process. For example, we will use your professional qualifications to decide whether to consider you in the shortlist or to give us a personal impression in a job interview to decide whether to forward your data to one of our clients with your prior consent. The necessary approval for this takes place via

    For the data collected during the application process to fulfill a contract or to carry out pre-contractual measures, the purpose of the collection is achieved when the data for the implementation of the contract is no longer required. Even after the conclusion of the contract, there may be a need to store personal data of the contracting party in order to comply with contractual or legal obligations. 

    The user has the ability to revoke their consent to the processing of personal data or to withdraw their application at any time. The applicant / candidate can either withdraw via the link sent to them after the application has been submitted for data protection approval or send their revocation by email to the data protection address. All personal data saved during the application will be deleted in this case.

    If the data is necessary for the fulfillment of a contract or for the execution of pre-contractual measures, early deletion of the data is only possible, as far as contractual or legal obligations do not preclude deletion.

    Special types of personal data, such as data on health, religious beliefs, or political beliefs are not processed. We therefore explicitly ask you not to send us such data. An application containing such data will not be accepted by us. We delete these in our system and ask the user / candidate / applicant to send us a new application. 

    Personal data will only be forwarded to suitable clients with prior consent.

VI. Cookies

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.

  1. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page break. 

    The following data is stored and transmitted in the cookies:

    (1) Language setting
    (2) Log-in information

  2. In addition, we use cookies on our website that allow an analysis of users' browsing behavior. 

    In this manner, the following data can be transmitted:

    (1) Search terms entered
    (2) Frequency of page views
    (3) Use of website functions

    The user data collected in this way is pseudonymized through technical precautions. Consequently, any assignment of the data to the calling user is no longer possible. The data will not be stored together with the user’s other personal data.

    When accessing our website, users will be informed by an information banner about the use of cookies for analysis purposes and referred to this privacy policy. In this context, there is also information about how the storage of cookies can be prevented in the browser settings.

    When accessing our website, the user will be informed about the use of cookies for analysis purposes and their consent for the processing of the personal data used in this context is obtained. In this context, there is also a reference to this privacy policy.

    The legal basis for the processing of personal data using cookies is GDPR Article 6(1)(f). The legal basis for the processing of personal data using cookies that are for necessary technical purposes is GDPR Article 6(1)(f). The legal basis for the processing of personal data using cookies for analysis purposes with the consent of the user is GDPR Article 6(1)(a).

    The purpose of using cookies for necessary technical purposes is to simplify the use of websites for users. Some features of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page break.

    We require cookies for the following purpose:

    (1) Maintaining language settings

    The user data collected by cookies necessary for technical purposes will not be used to create user profiles.

    The use of the analysis cookies is for the purpose of improving the quality of our website and its contents. Through the analysis cookies we learn how the website is used and so we can constantly optimize our offer.

    For these purposes, our legitimate interest in the processing of personal data is covered by GDPR Article 6(1)(f).

  3. Cookies are stored on the computer of the user and transmitted from it to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to the full.

VII. Hyperlinks / Social Media Link / Share-Buttons / Google Maps

On our recruiting website, there are so-called hyperlinks which lead to the websites of other providers and to the social networks LinkedIn and Xing. These (inactive) "Social Media Buttons" are integrated in such a way that no contact with the respective social network is established without activation of the link. If you click on the social media button and activate the link, a new window will open, through which you can log in to the social network to, for example, recommend or share the selected page. Without the activation of the link by you, we will never transmit data about you to social networks.

We cannot be held responsible for the way your data is handled on these external websites because we have no control over how these companies process your information. For information on the handling of your personal data by these companies, please inform yourself directly on their websites.

Google Maps is integrated into our website for you. This service is offered by the Google company.

In order to increase the protection of your data when visiting our website, Google Maps is restricted and only integrated into the site using an HTML link. This will ensure that when you visit our website, you will not be connected to Google's servers and your information will not be transmitted to Google. Your browser establishes a direct connection to the servers of Google only when you activate the plugins and thus give your consent to data transmission, so that you can plan your route to us. Functionally, the integration of Google Maps is a hyperlink, so that neither we, nor Google, collect website data from you.

For details on the purpose and scope of the data collection, the further processing and use of the data by Google, as well as your rights and setting options for the protection of your privacy, please refer to the privacy policy of Google.

VIII. Your rights as an affected person

If personal data from you is processed, then you are an affected person as understood in the GDPR and have the following rights with respect to the responsible party. You can exercise your rights by email at datenschutz@heinrich-personalberatung.com or by mail at the address listed under I.

  1. Right to information

    You can ask Heinrich & Coll. for confirmation as to whether personal data concerning you is processed by us. If such processing exists, you can contact Heinrich & Coll. to request information about the following:

    (1) the purposes for which the personal data are processed;
    (2) the categories of personal data being processed;
    (3) the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
    (4) the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the retention period;
    (5) the right of rectification or erasure of personal data concerning you, a right to restriction of processing by the responsible party or a right to object to such processing;
    (6) the existence of a right of appeal to a supervisory authority;
    (7) all available information on the source of the data if the personal data are not collected from the data subject;
    (8) the existence of automated decision-making including profiling under GDPR Article 22 (1) and (4) and - at least in these cases - meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.

    You have the right to request information about whether personal data concerning you has been transmitted to a third country or to an international organization. In this regard, you can request the appropriate information in connection with this transfer in accordance with GDPR Article 46.

  2. Right to rectification

    You have a right to rectification and / or completion, if the personal data being processed is incorrect or incomplete. The responsible party must make the correction without delay.

  3. Right to limitation of processing

    You may request limitation of the processing of your personal data under the following conditions:

    (1) if you contest the accuracy of your personal information, for a period of time that enables the responsible party to verify the accuracy of your personal information;
    (2) the processing is unlawful and you decline the deletion of the personal data and instead request the restriction of the use of the personal data;
    (3) the responsible party no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims; or
    (4) if you objected to the processing pursuant to GDPR Article 21(1) and it is not yet certain whether the legitimate reasons of the person responsible prevail over your reasons.

    If the processing of your personal data has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.

    If processing has been restricted in accordance with the requirements above, you will be notified by the person responsible before the restriction is lifted.

  4. Right to deletion

    You may require the responsible party to delete your personal information without delay, and the responsible party is required to delete that information immediately if one of the following is true:

    (1) Your personal data is no longer necessary for the purposes for which they were collected or otherwise processed.
    (2) You revoke your consent to the processing in accordance with GDPR Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for processing.
    (3) You object to processing in accordance with GDPR Article 21(1) and there are no prior justifiable reasons for the processing, or you object to processing in accordance with GDPR Article 21(2). 
    (4) Your personal data has been processed unlawfully.
    (5) The deletion of your personal data is required to fulfill a legal obligation under European Union law or the law of the member states to which the responsible party is subject.
    (6) Your personal data was collected in relation to information society services offered pursuant to GDPR Article 8(1).

    If the responsible party has made your personal data public and is required, in accordance with GDPR Article 17(1) to delete that data, then they must inform the responsible parties who processed your data that you have requested the deletion of any links to such personal data or copies or replications of such personal data, taking due account of the technology available and the implementation costs, including appropriate technical measures. 

    The right to deletion does not exist if the processing is necessary:

    (1) to exercise the right to freedom of expression and information;
    (2) to fulfill a legal obligation which requires processing under European Union or member state law to which the responsible party is subject or for the performance of a task of public interest or in the exercise of official authority conferred on the controller;
    (3) for reasons of public interest in the field of public health pursuant to GDPR Article 9(2)(h) and (i), as well as Article 9(3);
    (4) for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes in accordance with GDPR Article 89(1), in so far as the law referred to in (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
    (5) to assert, exercise or defend legal claims.

  5. Right to information

    If you have the right of rectification, deletion or restriction of processing with respect to the responsible party, then they are obliged to notify all recipients of your personal data, that it has been corrected or deleted or that processing has been restricted, unless this proves to be impossible or involves a disproportionate effort.

    You have the right to be informed about these recipients.

  6. Right to data portability

    You have the right to receive personally identifiable information you provide to the responsible party in a structured, common and machine-readable format. You also have the right to transfer this data to another person without hindrance by the person responsible for providing the personal data, provided that

    (1) the processing is based on consent as laid out in GDPR Article 6(1)(a) or Article 9(2)(a) or on a contract as laid out in GDPR Article 6(1)(b) and
    (2) the processing is done by automated means.

    In exercising this right, you also have the right to ensure that your personal data is transmitted directly from one responsible party to another, as far as this is technically feasible. Freedoms and rights of other persons may not be affected.

    The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

  7. Right of Objection

    You have the right at any time, for reasons that arise from your particular situation, to object to the processing of your personal data, pursuant to GDPR Article 6(1)(e) or (f). This also applies to profiling based on these provisions. 

    The responsible party will no longer process your personal data, unless they can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.

    Directive 2002/58/EC notwithstanding, you have the option, in the context of the use of information society services, of exercising your right to opt-out by means of automated procedures that use technical specifications.

  8. Right to revoke the data protection consent declaration

    You have the right to revoke an issued data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

  9. Right to complain to a supervisory authority

    Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the member state of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of your personal data infringes on your rights under the GDPR. 

    The supervisory authority to which the complaint has been submitted will inform you of the status and results of the complaint, including the possibility of a judicial remedy pursuant to GDPR Article 78.