Data Processing
Effective date: April 3, 2023
Data protection is paramount to all shipzero activities. Transparency is very important to us with regard to how we process personal data. Below you will find a description of how personal data is processed at shipzero.
A detailed description of our data processing can be found at:
https://shipzero.com/privacy
For better legibility, we refrain from using specific gendered language. The terms they/them are intended to include all genders.
I. General information (applicable to all data processing activities)
Responsibility
The following party is responsible for all data processing described here:
shipzero GmbH
St. Annenufer 2
20457 Hamburg
Germany
E-mail: info@shipzero.com
The data protection officer can be reached at:
DataCo GmbH
Sandstrasse 33
80335 München
Germany
Phone: +49 89 452459 900
E-mail: datenschutz@dataguard.de
Website: www.dataguard.de
Legal basis
Processing of applicants’ data
- Art. 88 GDPR in conjunction with § 26 BDSG (Federal Data Protection Act)
- Art. 6 para. 1 lit. a GDPR
- Art. 6 para. 1 lit. b GDPR
Processing of data of interested parties
- Art. 6 para. 1 lit. a GDPR
- Art. 6 para. 1 lit. b GDPR
- Art. 6 para. 1 lit. f GDPR
Processing of client data
- Art. 6 para. 1 lit. b GDPR
- Art. 6 para. 1 lit. f GDPR
Processing of supplier and service provider data
- Art. 6 para. 1 lit. b GDPR
- Art. 6 para. 1 lit. f GDPR
Rights of the data subject
If your personal data is processed, you have the following rights:
- Right of access
You have the right to receive information about your personal data stored by the controller
(Art. 15 GDPR).
- Right to rectification
You have the right to request correction of inaccurate personal data
(Art. 16 GDPR).
- Right to erasure, restriction, and objection
You may request deletion or restriction of processing and object to processing
(Arts. 17, 18, and 21 GDPR), provided legal requirements are met.
- Right to data portability
If processing is based on consent or a contract and carried out by automated means,
you may request data portability
(Art. 20 GDPR).
- Right to withdraw consent
You may withdraw your consent at any time with effect for the future.
The lawfulness of processing prior to withdrawal remains unaffected.
- Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority
(Art. 77 GDPR).
II. Processing of applicants’ data
As part of the shipzero application process, the following personal data is collected via the upload function on the careers page:
- First name and surname
- Salutation
- E-mail address
- Phone number
- Availability
- Expected salary
- All personal data included in the application,
such as curriculum vitae, cover letter, and certificates
Applicants’ data is collected through:
- Direct application via the shipzero careers page
- Application by e-mail addressed to a shipzero employee
- Postal application
- LinkedIn Easy Apply
The personal data is processed for the following purposes:
- Implementation of the application process
and decision on the justification of an employment contract
- Communication
via telephone, e-mail, or video conferencing
- Implementation of pre-contractual measures
relating to employment initiation
- Inclusion in an applicant pool,
subject to consent
- Assertion, exercise, or defence of legal claims
arising from the application process
Access to applicants’ data is restricted internally to authorised employees only.
Service providers involved in applicant data processing
Personio GmbH – Munich, Germany
shipzero uses Personio as its central applicant lifecycle management system. Applicant data is stored and processed in German data centres only. A data processing agreement has been concluded.
- Deletion period:
Applicant data is deleted within 10 weeks if the application is withdrawn or rejected.
- Applicant pool:
With consent, applicant data may be stored longer. Consent is renewed annually by e-mail.
If an applicant is hired, data continues to be processed as part of the employment relationship.
Microsoft Inc. – Redmond, USA
Office 365 (including Microsoft Teams and Outlook) is used for interviews and communication.
- A data processing agreement with standard contractual clauses has been concluded.
- Personal data related to video calls is deleted within three weeks.
LinkedIn Inc. – Sunnyvale, USA
LinkedIn Easy Apply allows direct submission of applications.
- A data processing agreement with standard contractual clauses is in place.
- shipzero has no influence on LinkedIn’s own data retention periods.
III. Processing of data of interested parties
Interested parties are individuals who express interest in shipzero services.
The following data may be processed:
- First name and surname
- Salutation
- E-mail address
- Position within the company
- Phone number
Data is collected via:
- Contact form requests
- Messages to shipzero employees
(e-mail, LinkedIn, XING, and similar platforms)
- Trade fairs and events
- Individual research
in business directories, websites, and professional networks
- Direct appointment bookings
Data is processed for the following purposes:
- Provision of information about shipzero services
- Quote generation
- Processing of enquiries
- Pre-contractual measures
- Establishment and implementation of contractual relationships
- Inclusion in the contact database
- Direct contact
via e-mail or telephone
Processing is initially based on legitimate interest, with a documented balancing of interests. Consent is obtained during further communication and stored in the CRM system.
Service provider for interested party data
HubSpot Inc. – Cambridge, USA (EU subsidiary in Ireland)
HubSpot is used as the central CRM and marketing tool.
- A data processing agreement with standard contractual clauses has been concluded.
- Data is deleted immediately upon objection or withdrawal of consent.
- Inactive data is deleted after 12 months, unless continued contact occurs.
- Blacklist entries retain only minimal data to prevent further contact.
IV. Processing of client data and data of client service providers
shipzero primarily processes client-related personal data within its internally developed data protection management platform.
The following data may be processed:
- First name and surname
- Title and academic degree
- Gender
- E-mail address
- Position within the company
- Phone number
- User role and authorisations
- Personal data exchanged during client communication
Data is collected via:
- Direct provision by the data subject
- Transfer by client employees
- Entry by administrative assistants
- Service providers acting on behalf of clients
Processing purposes include:
- Client management and support
- Direct marketing
via telephone or e-mail
- Invoicing
- Post-contractual measures
- Assertion, exercise, or defence of legal claims
- Contract establishment, execution, and termination
Processing is based on contractual necessity and legitimate interest, with an ongoing balancing of interests.
Service provider for client data
Microsoft Inc. – Redmond, USA
Office 365 services are used for communication and audit calls.
- A data processing agreement with standard contractual clauses is in place.
- Data is deleted once the processing purpose no longer applies.
V. Processing of supplier and service provider data
shipzero processes personal data of suppliers and service providers as required for business operations.
The following data may be processed:
- First name and surname
- Title
- Gender
- E-mail address
- Phone number
Data is collected via:
- Direct contact by suppliers
- Direct contact by shipzero
- Business directories and websites
- Third parties
Processing purposes include:
- Order performance
- Process review and optimisation
- Creditworthiness assessments
- Market and opinion research,
unless an objection has been raised
- Assertion, exercise, or defence of legal claims
- Business management and product development
Processing is based on contractual necessity and legitimate interest.
Service provider for supplier data
Microsoft Inc. – Redmond, USA
Outlook and related services are used to store and manage supplier contact details.
- Data is used exclusively for communication.
- A data processing agreement with standard contractual clauses is in place.
