Privacy notice for job applicants

Thank you for your interest in ECFR, we are very pleased you are considering applying for a position in our organization. Please take a moment to review the following information on processing of your personal data in connection with your application.

Who is responsible for the processing of your personal data?

This information applies to the entire pan-European ECFR organization, which is formed of five legal entities as detailed below. Since all ECFR legal entities operate in a highly integrated manner, they are jointly responsible for the processing of your personal data according to article 26 of the GDPR and UK GDPR.

The ECFR legal entities, as joint controllers according to Art. 26 GDPR and UK GDPR have amongst themselves agreed that European Council on Foreign Relations (ECFR) e.V. will take primary responsibility for complying with GDPR and UK GDPR obligations, in particular transparency obligations and individuals’ rights.

You can find further information about ECFR, the details of authorized representatives and other contact details in the imprint on our website.

Our data protection officer

European Council on Foreign Relations (ECFR) e.V. has appointed a data protection officer (DPO). In case of any queries you may contact the DPO by using the contact details above and adding “attn of the DPO” or via e-mail: [email protected]

How can you send us your application?

We kindly ask you to send your application by using the online form. Your data will then be transferred through encrypted channels. To enter your data and documents in the online form, you will be asked to provide your e-mail and a password. You can use these details to review, complete, amend or delete your application later.

Recruiting platforms

If you apply for a position through a recruitment website where we have posted a job ad, such as Indeed, Stepstone or LinkedIn, then we will receive your application from this platform. With regard to personal data processed by the recruitment platform in the context of your LinkedIn or Stepstone profile, the recruitment platform is responsible for this. Please refer to the privacy notice of these platforms for more information on how they process your personal data. The platform will only share such data with us as authorized by you. Any further processing on our behalf for the purposes mentioned below will take place on servers provided by our service providers.

What personal data will we process and for which purposes?

We will process any information sent by you in connection with your job application to assess your suitability for the position (or any other open position within ECFR) and to carry out the subsequent screening and selection process. This includes your name, gender, e-mail, password and application documents.

Primarily, our legal basis for the processing of your personal data with regards to any application procedure is Article 6 (1) b GDPR. Thereafter, any processing of data which is necessary in connection with our decision to enter in an employment relationship with you shall be permitted.

Besides art. 6 (1) b GDPR, the legal basis for the processing of your personal data by one of our other ECFR legal entities may follow from relevant national data legislation, including:

  • the UK GDPR and the DPA 2018 in the UK,
  • the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales in Spain,
  • the French Data Protection Act in France and
  • the Italian Privacy Code in Italy.

In those cases where we keep your application even after the position has been filled, the legal basis is art. (6) a GDPR.

Should any data be necessary for legal prosecution after completion of the application process, data may be processed based on the requirements of art. 6 DSGVO, in particular to safeguard our legitimate interests pursuant to art. 6 (1) 1 lit. f GDPR, these interests being the assertion of or defense from any claims.

How long will we store your personal data?

If you are successful and we offer you a position within ECFR, we will transfer your personal data from our application process over to our human resources department.

Should your application be rejected, we will delete your personal data within six months after the decision being made, unless you have consented to being added to the applicant pool. In this case we will store your application for another twelve months and contact you in case of any future suitable openings within ECFR.

If you are sending a spontaneous application to work at ECFR, we will keep your personal data for a year, unless you specify otherwise via e-mail. This will allow us to contact you with any other openings that could match your profile, including internships positions.

Who will receive your personal data?

Upon receiving your application, it will be reviewed by our HR department as well as any staff responsible for deciding on the position you are applying for. As a matter of principle, only ECFR staff who are directly involved in the handling of your application will be provided with access to your personal data.

We use a service provider based in Switzerland, with whom we have signed a data processing agreement (DPA) to store and manage all application data.

In certain cases we may also store your application on servers provided by Microsoft, with whom we have signed a data processing agreement (DPA).

Where will your personal data be processed?

Your personal data will be processed mainly on servers provided by our service provider within the European Union.

Microsoft is currently hosting our data in the UK, for which an EU adequacy decision exists, but it is possible that some data may be processed on Microsoft servers in the US. Microsoft has integrated standard data protection clauses into the DPA (data processing addendum) to guarantee safe processing of your personal data even in the US, which is considered an unsafe third country by the EU commission when it comes to the protection of your personal data. One of the potential risks of processing personal data in the US might be that US authorities could access this personal data. Strictly speaking, this is possible even when Microsoft hosts our data on EU servers. Microsoft has undertaken to seek legal recourse for any access requests by public authorities and we have no reason to believe Microsoft is not able to comply with the standard data protection clauses and sufficiently safeguard your personal data.

Your rights

You have the right to information about the personal data processed by us about your person.

In the case of a request for information which is not made in writing, we may ask you to provide us with further proof of identity.

Furthermore, you have the right to correction, deletion, or restriction of the processing of your personal data to the extent to which you are legally entitled to such rights.

You also have the right to object to the processing of your personal data within the scope of the statutory provisions.

You have a right to data portability, again with the scope of the statutory provisions.

To exercise your rights, we kindly ask you to address any queries to European Council on Foreign Relations (ECFR) e.V., using the contact details provided above.

Right to complain

Lastly, you have the right to complain to the data protection supervisory authorities about our processing of your personal data.