Information about data processing

V2 (022024)

GATX Rail Europe uses the onlyfy one service (by XING) to process job applications. This Privacy Policy will inform you about the processing of your data by the onlyfy one service and by GATX Rail Europe.

Shared responsibility

With regard to interaction within the company account of GATX Rail Europe, GATX Rail Europe and New Work SE have shared responsibility pursuant to Article 26 GDPR, as they jointly determine the purposes and means of processing pursuant to Article 4 (7) GDPR. The current version of the agreement on shared responsibility pursuant to Article 26 GDPR, which New Work SE concludes with companies that use onlyfy one, can be viewed here https://www.xing.com/terms/onlyfy-one to gain information on the key aspects of the agreement.

Data processing by New Work SE

onlyfy one is part of the extensive XING service operated by New Work SE, which pursues the aim of improving and simplifying users’ working lives with a variety of applications (onlyfy one, as well as the XING social and jobs network, kununu, etc.), and creates a more fulfilling world of work for individuals while boosting the performance of companies. As part of the extensive XING service, onlyfy one is an online platform on which or through which talent and companies meet.

With regard to data processing for which New Work SE is solely responsible or is responsible within the scope of the shared responsibility with GATX Rail Europe, detailed information is available in the XING Privacy Policy at https://privacy.xing.com/en/privacy-policy. You will also find contact details for New Work SE, as well as for the New Work SE data protection officer there.

Job applications with onlyfy one

When submitting an application, you enter into a user relationship with New Work SE for the purpose of processing applications. In addition, you will receive support and New Work SE can present you with other opportunities in support of your career. A public profile will not be automatically created for you on the XING social and jobs network. The legal basis for New Work SE processing your data is, in particular, Article 6 (1)(b) GDPR (processing necessary for the performance of a contract).

Pausing your online application

You can pause the creation of your online application at any time and continue at a later point. Cookies are used for this purpose. The data you provide to create the user account, as well as any uploaded documents, are recorded in the company account of GATX Rail Europe in onlyfy one. The data remains recorded even if an application is paused and/or not completed. In this case, your application is flagged as incomplete and the data remains visible to GATX Rail Europe only.

Visibility of your data

The data you have provided as part of the online application can be read, edited, or updated in your candidate profile at any time.

Notes on the special functions of onlyfy one

Calendar function

If the calendar function is used, your data is processed during and for the purpose of setting appointments within the application process. The legal basis is Article 6 (1)(f) GDPR. The calendar function is provided by an IT service provider (Cronofy Ltd., United Kingdom). The United Kingdom is classified as a secure third country based on the adequacy decision of the European Commission. Further information on data protection at Cronofy is available here: https://www.cronofy.com/gdpr/ and https://docs.cronofy.com/policies/privacy-notice/

WhatsApp application

If you use the apply using WhatsApp function, your consent, which can be withdrawn at any time, forms the legal basis for communication (Article 6 (1)(a) GDPR). When applying via WhatsApp, all required applicant information is requested during a WhatsApp chat. The data is then sent directly to onlyfy one through a service provider, and is processed further there as part of and for the purpose of the normal application process.

The apply via WhatsApp function is provided by an IT service provider (PitchYou) that can gain access to your data for this purpose. More information is available here: https://www.pitchyou.de/en/pitchyou-gdpr. Candidate data from apply via WhatsApp are transferred to onlyfy one via an interface. Immediately after this transfer, candidate data are deleted from the apply via WhatsApp infrastructure in PitchYou. Further processing then takes place exclusively in onlyfy one.

Please note that you use your personal WhatsApp account for applications, and therefore we cannot rule out that messages will be transferred, to the USA in particular. WhatsApp data protection information, such as its processing or exercising of data protection rights with regard to WhatsApp, is available here: https://www.whatsapp.com/legal/privacy-policy-eea.

Subject to your consent, your application will be sent from WhatsApp via the PitchYou infrastructure to onlyfy one. You have the right to withdraw your consent to this at any time. Either way, your application data will be deleted from the PitchYou infrastructure once transferred to onlyfy one, meaning that PitchYou will not process your data any further.

Applicability of the Swiss Federal Data Protection Act (FADP)

The FADP applies to circumstances which have an impact on Switzerland, even if said circumstances are initiated outside of Switzerland. Correspondingly, this privacy policy applies to information in line with the EU GDPR and the FADP. Here, EU GDPR terminology is used in favour of FADP terminology. However, FADP terminology is used if the FADP applies and the terminology differs from EU GDPR terminology in a given language. The About this site section on XING contains the name and address of our representative in Switzerland.

This notice provides you with information on how the GATX Rail Europe group, in particular, the GATX Rail Europe entity you are in contact with (“we”) will process your personal data in connection with your job application.

1. Purposes for which we process your personal data

We will process the personal data set out in point 2 for the following purposes:

• to approach potential employees actively through different means as well as through commissioned personnel consultants (recruitment);

• to plan and manage human resources on a global level, including but not limited to ensuring appropriate staffing;

• planning and administration of potential employee skills;

• to process applications received via different communication methods (e.g. via e-mail or Social Media);

• to organize the application process;

• to execute assessment centers and to carry out aptitude tests;

• for the establishment, exercise or defense of legal claims;

• to be able to consider former job applicants for new job opportunities (e.g. Candidate Pool); and

• ensuring the health and safety of our employees and visitors.

We collect your personal data in the course of your application process either (i) through public sources, (ii) personnel consultants, (iii) from you when you provide your personal data to us (e.g. by sending your résumé via e-mail or via employee profile registration on Success Factors), or (iv) by taking notes during your job interview.

The provision of personal data is voluntary. However, if you do not provide your personal data, it will not be possible to complete the job application process.

2. Processed data categories and legal basis of the processing

We process the following personal data on the basis of our prevailing legitimate interest according to Article 6(1)(f) General Data Protection Regulation ("GDPR"), which is to guarantee an efficient application process and to ensure that we fill our vacancies with suitable job applicants:

• name;

• prefix (Mr./Mrs./etc.) including academic titles;

• suffix;

• photo (if provided);

• gender;

• address;

• date/place of birth;

• driving license (yes/no);

• e-mail address;

• telephone number;

• civil status and children;

• citizenship;

• residence permit / work permit;

• position you apply for;

• type of application (e.g., e-mail, LinkedIn, speculative application yes/no);

• earliest date of entry;

• notice period;

• desired salary;

• résumé;

• military service/civilian service;

• education (school, university, courses);

• previous professional experience;

• personal skills and competences;

• signature;

• certificates and reports;

• notes regarding the job interview;

• informative disclosures (e.g. provided by third parties);

• communication data (including e-mail traffic);

• video recordings provided by you as well as evaluations thereof (1-5 stars and explanations, if any) by HR managers, responsible managers or other decision makers;

• evaluation and assessment data in the course of the application process (e.g. assessment reports, reports resulting from aptitude tests); and

• any other data provided by you during the job application process.

In some cases we may ask you in a separate process to provide your consent (Article 6(1)(a) GDPR).

3. Transfer of personal data

As far as necessary for the purposes set out above, we will transfer your personal data to the following recipients:

• recruitment agencies that we use;

• providers of aptitude tests that we use;

• IT service providers that we use; and

• companies that are part of our corporate group.

Some of the recipients referred to above are located in or process personal data outside of your country. The level of data protection in another country may not be equivalent to that in your country. However, we only transfer your personal data to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC). Such agreements are accessible upon request from GDPR@gatx.eu.

4. Retention periods

We will retain your personal data either for the duration of the application process or, in case you consent to us holding on to your application for future consideration, until you revoke your consent. In any case, we will retain your data as long as there are statutory retention obligations or potential legal claims are not yet time-barred.

5. Your rights in connection with your personal data

Under applicable law, you have, among others, the rights (under the conditions set out in applicable law): (i) to check whether and what kind of personal data we hold about you and to request copies of such data, (ii) to request correction, supplementation or deletion of your personal data that is inaccurate or processed in non-compliance with applicable requirements, (iii) to request us to restrict the processing of your personal data, (iv) in certain circumstances, to object for legitimate reasons to the processing of your personal data or to revoke consent previously granted for the processing, (v) to request data portability, (vi) to know the identities of third parties to which your personal data are transferred, and (vii) to lodge a complaint with the competent authority. Withdrawing your consent does not affect the lawfulness of processing based on your consent before your withdrawal.

6. Our contact details

Please address your requests and any other questions concerning this notice to your contact person at GATX or GDPR@gatx.eu.