Information about data processing

V2 (022024)

Merkur Versicherung AG uses the onlyfy one service (by XING) to process job applications. This Privacy Policy will inform you about the processing of your data by the onlyfy one service and by Merkur Versicherung AG.

Shared responsibility

With regard to interaction within the company account of Merkur Versicherung AG, Merkur Versicherung AG and New Work SE have shared responsibility pursuant to Article 26 GDPR, as they jointly determine the purposes and means of processing pursuant to Article 4 (7) GDPR. The current version of the agreement on shared responsibility pursuant to Article 26 GDPR, which New Work SE concludes with companies that use onlyfy one, can be viewed here https://www.xing.com/terms/onlyfy-one to gain information on the key aspects of the agreement.

Data processing by New Work SE

onlyfy one is part of the extensive XING service operated by New Work SE, which pursues the aim of improving and simplifying users’ working lives with a variety of applications (onlyfy one, as well as the XING social and jobs network, kununu, etc.), and creates a more fulfilling working world of work for individuals while boosting the performance of companies. As part of the extensive XING service, onlyfy one is an online platform on which or through which talent and companies meet.

With regard to data processing for which New Work SE is solely responsible or is responsible within the scope of the shared responsibility with Merkur Versicherung AG, detailed information is available in the XING Privacy Policy at https://privacy.xing.com/en/privacy-policy. You will also find contact details for New Work SE, as well as for the New Work SE data protection officer there.

Job applications with onlyfy one

When submitting an application, you enter into a user relationship with New Work SE for the purpose of processing applications. In addition, you will receive support and New Work SE can present you with other opportunities in support of your career. A public profile will not be automatically created for you on the XING social and jobs network. The legal basis for New Work SE processing your data is, in particular, Article 6 (1)(b) GDPR (processing necessary for the performance of a contract).

Pausing your online application

You can pause the creation of your online application at any time and continue at a later point. Cookies are used for this purpose. The data you provide to create the user account, as well as any uploaded documents, are recorded in the company account of Merkur Versicherung AG in onlyfy one. The data remains recorded even if an application is paused and/or not completed. In this case, your application is flagged as incomplete and the data remains visible to Merkur Versicherung AG only.

Visibility of your data

The data you have provided as part of the online application can be read, edited, or updated in your candidate profile at any time.

Notes on the special functions of onlyfy one

Calendar function

If the calendar function is used, your data is processed during and for the purpose of setting appointments within the application process. The legal basis is Article 6 (1)(f) GDPR. The calendar function is provided by an IT service provider (Cronofy Ltd., United Kingdom). The United Kingdom is classified as a secure third country based on the adequacy decision of the European Commission. Further information on data protection at Cronofy is available here: https://www.cronofy.com/gdpr/ and https://docs.cronofy.com/policies/privacy-notice/

WhatsApp application

If you use the apply using WhatsApp function, your consent, which can be withdrawn at any time, forms the legal basis for communication (Article 6 (1)(a) GDPR). When applying via WhatsApp, all required applicant information is requested during a WhatsApp chat. The data is then sent directly to onlyfy one through a service provider, and is processed further there as part of and for the purpose of the normal application process.

The apply via WhatsApp function is provided by an IT service provider (PitchYou) that can gain access to your data for this purpose. More information is available here: https://www.pitchyou.de/en/pitchyou-gdpr. Candidate data from apply via WhatsApp are transferred to onlyfy one via an interface. Immediately after this transfer, candidate data are deleted from the apply via WhatsApp infrastructure in PitchYou. Further processing then takes place exclusively in onlyfy one.

Please note that you use your personal WhatsApp account for applications, and therefore we cannot rule out that messages will be transferred, to the USA in particular. WhatsApp data protection information, such as its processing or exercising of data protection rights with regard to WhatsApp is available here: https://www.whatsapp.com/legal/privacy-policy-eea.

Subject to your consent, your application will be sent from WhatsApp via the PitchYou infrastructure to onlyfy one. You have the right to withdraw your consent to this at any time. Either way, your application data will be deleted from the PitchYou infrastructure once transferred to onlyfy one, meaning that PitchYou will not process your data any further.

Applicability of the Swiss Federal Data Protection Act (FADP)

The FADP applies to circumstances which have an impact on Switzerland, even if said circumstances are initiated outside of Switzerland. Correspondingly, this privacy policy applies to information in line with the EU GDPR and the FADP. Here, EU GDPR terminology is used in favour of FADP terminology. However, FADP terminology is used if the FADP applies and the terminology differs from EU GDPR terminology in a given language. The About this site section on XING contains the name and address of our representative in Switzerland.


Data Protection Information

Below you will find information regarding the data processing for which Merkur Versicherung AG is single controller or is responsible within the framework of joint controllership with New Work SE.

Responsible for data processing

Merkur Versicherung AG, Conrad-von-Hötzendorf-Straße 84, 8010 Graz, Austria

Phone: +43 316 8034-0

Email address (general): merkur@merkur.at

If you have any questions about the processing of your data, please contact our Data Protection Officer at the above address, adding “Data Protection Officer” - or by email to: datenschutz@merkur.at

Categories of processed data

The following data is collected and processed for the automated processing of your application:

First name, surname, email address and, if applicable, address / place, date of birth, salutation, title, telephone number, citizenship, marital status

Additional questions depending on the respective advertisement (e.g. driver's license), curriculum vitae, in particular information on professional experience and training, skills (e.g. Photoshop, MS Office), application photo (if included), qualifications, awards and language skills, cover letter, uploaded files and documents.

We save the written, electronic communication that takes place between you and Merkur Versicherung AG. We also process comments and appraisals that are made about you in the course of your application process.


Origin of Data

Your personal data is usually collected directly from you as part of the application process.

In certain cases, your personal data will also be collected from other bodies based on legal provisions. We may also have received data from third parties (such as recruiters).

Purposes and legal basis for processing personal data

The purpose of processing is to carry out a personnel selection process and to examine the possible establishment of an employment relationship with Merkur Versicherung AG or with group companies of the Merkur Group. The legal basis for this is Art. 6 Abs. 1 lt. b GDPR.

If the processing of your data is necessary for the assertion, exercise or defence of legal claims in the context of the application process, we process your data on the basis of a legitimate interest in accordance with Art. 6 Abs. 1 lit. f GDPR.

If you have given us your voluntary consent, this consent forms the legal basis for the processing of this data.

In the following cases, we process your personal data on the basis of your consent:

·         For longer data storage for our company, i.e. we store the application documents in our company account beyond the current application procedure for consideration in later application procedures of our company (keeping records in the application pool);

You can withdraw your consent at any time using the above-mentioned contact details for Merkur Versicherung AG (datenschutz@merkur.at). Such a withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

Categories of recipients

If you are applying for a position at a Merkur Versicherung AG group company, we would point out that the data are first transmitted to Merkur Versicherung AG, which forwards them to the relevant group company for further processing.

We use New Work SE as an external service provider. New Work SE, Strandkai 1, 20457 Hamburg operates onlyfy one. More information about onlyfy can be found above.

Storage period (deletion periods)

We store your personal data for as long as this is necessary for the decision on your application. If no employment relationship is established, we will store your data for seven months from the rejection of your application, in accordance with the retention obligations and the limitation period stipulated in §§ 15 Abs. 1 and 29 Abs. 1 GlBG.

If you withdraw your application before the end of the application process, the stored data will be blocked for the duration of the ongoing application process and deleted seven months after the end of the application process.

If you consent to the further storage of your data (retention of records in the application pool), we will store your data until you withdraw your consent, but for a maximum of three further years.

Rights of data subjects

Provided that the necessary requirements are met, you have the following rights:

Right to information, correction, deletion, Right to restriction of processing and data portability.

If the processing is based on consent, you have the right to withdraw this at any time. Such a withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

If you believe that we are using your data in an impermissible manner, you have the right to lodge a complaint with the Austrian data protection authority (Barichgasse 40-42, 1030 Wien, T +43/1/52 152-0, dsb@dsb.gv.at).