Privacy Policy
The protection of your personal data is very important to us.
When you visit our website or contact us for other reasons – for example, when you write to us, apply for a position with us, or enter into a contractual relationship with us – we process your personal data. The following information explains the purposes for which we process your data and the manner in which this is carried out, as well as informing you of your rights as a data subject.
We kindly ask you to take a moment to familiarise yourself with our privacy policy. If you have any questions, please do not hesitate to contact us.
1. Data controller
The data controller within the meaning of data protection laws is:
pico engineering GmbH
Hannoversche Str. 99
D-30916 Isernhagen
Germany
Telephone: +49 511 165 911-0
Email: info@pico-engineering.de
2. Data Protection Officer
If you have any questions about data protection, you can contact our company data protection officer at any time at the following email address:
pico engineering GmbH
Data Protection Officer
Hannoversche Str. 99
D-30916 Isernhagen
Germany
Email: datenschutzbeauftragter@pico-engineering.de
3. Purposes and legal bases of data processing
We process data from data subjects on one of the following legal bases:
-
If you have consented to the processing of your data, we process your personal data on the basis of Art. 6 (1) (a) GDPR. You may withdraw any consent you have given at any time with effect for the future and without any negative consequences.
-
If your data is required for the performance of a contract or for the implementation of pre-contractual measures, we process it in accordance with Art. 6 (1) (b) GDPR;
-
If the processing of personal data is necessary to comply with a legal obligation to which we are subject, we process this data on the basis of Art. 6 (1) (c) GDPR.
-
If data processing is necessary to safeguard our legitimate interests or those of a third party, we process your data in accordance with Art. 6 (1) (f) GDPR, provided that the rights or interests of the data subjects do not override these interests.
You will find more detailed information on the relevant legal basis in each individual case in the following data protection information.
4. Recipients of personal data
Within our company, only those individuals who are entrusted with processing your data and who require it solely for the performance of their duties have access to it.
However, in the context of our data processing activities, access by external service providers acting on our behalf cannot be excluded. These service providers are expressly bound by confidentiality obligations and must comply with data protection regulations.
Recipients of your data may include IT service providers, software providers, hosting and cloud service providers, and web agencies responsible for maintaining our website.
We will only disclose data to public authorities or government institutions where we are legally obliged to do so. If data is transferred to third countries, such transfers will be carried out in accordance with the requirements of Article 44 of the GDPR.
5. Storage period and deletion of personal data
Unless a specific retention period is stated in this privacy policy, we process your personal data until the intended purpose has been fulfilled or until further storage is no longer necessary due to statutory retention requirements, after which the data will be deleted.
We will delete data processed on the basis of your consent if you withdraw that consent or if the data is no longer required for the purposes we pursue, unless longer retention is required by law. In the event that you object to the processing of data that we process on the basis of our legitimate interests, we will delete your data unless further processing is still permitted or required by law.
6. Data processing on our website
We process your data in various ways. When you visit our website, our system automatically collects data that is technically necessary. Our website also uses technically essential cookies that record and store your language preferences. You provide us with additional personal data when you contact us, apply for a position at our company, or interact with us in other ways.
6.1 General processing of data from our website visitors
When you visit our website, we collect, among other things, the following technically necessary data (server log files):
-
The Internet browser you are using;
-
Your operating system;
-
date and time of access;
-
your IP-address;
-
URL and subpages accessed;
-
Amount of data retrieved;
-
Referrer URL.
We use this information to provide our website, ensure the best possible user experience, and protect it from attacks. This data is not combined with other sources.
Technically necessary data is processed to protect our legitimate interests under Article 6(1)(f) GDPR and to maintain website security. It is stored for up to eight weeks and then automatically deleted.
6.2 Hosting
We host the content of our website in data centers within the European Union provided by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.
When you visit our website, IONOS collects various log files, including your IP address. For details, please refer to the IONOS privacy policy:
https://www.ionos.de/terms-gtc/terms-privacy
The use of IONOS is based on Art. 6 (1) (f) GDPR. We have a legitimate interest in maintaining the infrastructure, stability, and availability of our website. We have entered into an agreement with IONOS for contract processing, which ensures that the service provider processes data from our website visitors solely in accordance with our instructions and in compliance with the GDPR.
6.3 Cookies
Our website uses cookies. Cookies are small data packets stored on your device that collect information about your usage. This data includes details about your preferences, interactions, and settings associated with your visit to our website.
Our website only uses cookies that are technically necessary to provide basic website functions and ensure smooth operation. The legal basis for data processing is our legitimate interest under Article 6(1)(f) GDPR and §25(2) No. 2 TDDDG, in the secure, stable, and user-friendly provision of our online services.
Cookies are deleted from your device no later than 12 months after being set.
You can configure your browser to restrict or completely block the setting of cookies. You can also enable automatic deletion of cookies when you close your browser. Further information on deleting cookies in the most common browsers and adjusting cookie settings can be found here, among other sources:
Google Chrome: Link
Mozilla Firefox: Link
Apple Safari: Link
Microsoft Edge: Link
Disabling cookies may limit the functionality of our website.
pll_language
We use the pll_language cookie to store language preferences on our website. This cookie is set by us as the website operator and allows us to recognise your preferred language and display the site accordingly. The cookie retains your language selection for 12 months, ensuring that the website is displayed in the same language on your next visit.
It is a functional cookie set by us that communicates exclusively with our servers, meaning that no data is transferred to third parties.
The legal basis for processing this data is our legitimate interest under Article 6(1)(f) GDPR and §25(2) No. 2 TDDDG. Our legitimate interest is to enhance your user experience by displaying the website in your preferred language and enabling seamless use during repeat visits.
6.4 Links to social media
Our website contains icons linking to our social media accounts. No data is automatically transferred to the respective social media providers when you visit our website. Personal data is only transmitted when you click on an icon, thereby opening the stored link and accessing the respective social media site. Please note the following data protection information regarding our social media accounts
7. Data processing relating to applicants
We offer applicants the opportunity to apply to us in the following ways:
Application via email
Applicants can submit their application documents by email to bewerbung@pico-engineering.de. Access to the applicant mailbox is restricted to a small group of authorised individuals responsible for managing the application process.
Applying via StepStone
We also publish our job advertisements on the StepStone online platform, which allows you to apply directly for advertised positions with us.
If you submit your application via the StepStone platform, we share joint responsibility with the platform operator, StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, in accordance with Article 26 GDPR. To this end, we have entered into a joint responsibility agreement with StepStone, which is available at the following link:
Within the scope of our joint responsibility, StepStone is responsible for sending and processing applications in our StepStone employer portal, while we are responsible for processing applicant data once applications have been received in the portal.
Please note that if you use the StepStone platform, whether or not you apply to us via the platform, StepStone also processes your personal data independently for its own purposes. We have no control over this data processing. Further information on StepStone’s data processing practices can be found in their privacy policy
:https://www.stepstone.de/e-recruiting/rechtliches/datenschutzerklarung/
If your rights as a data subject are exercised against the platform operator, we will forward your request to StepStone.
General information on data processing in the application process
We will process your personal data as part of the application process for the purpose of assessing your suitability for the advertised position, conducting the selection process, and potentially establishing an employment relationship, regardless of the method by which you apply to us.
Providing your data is necessary to assess your suitability as an applicant. Without it, we cannot consider your application. Your data is processed on the basis of Article 6(1)(b) GDPR (implementation of pre-contractual measures). During the application process, your application documents may be stored in our applicant pool for consideration for future vacancies. Application documents will only be stored in the applicant pool with your consent. If you have given your consent, processing is carried out on the basis of Article 6(1)(a) GDPR. You can revoke your consent for data processing at any time with future effect by contacting us using the details provided above.
If a new employee is sought for a specific customer project and an applicant is considered for this project, it may be necessary to create a competency profile of the applicant and make it available to the customer. This profile does not include any personal data such as name or contact details, but only professional competencies, so the applicant cannot be identified by the customer. From the customer’s perspective, the competency profile is therefore considered anonymous.
The processing of personal data in connection with creating and transmitting a competency profile to our customers is based on our legitimate interest in efficiently and effectively filling open project positions, in accordance with Article 6(1)(f) GDPR. This includes assessing whether an applicant is suitable for a specific customer project. By anonymising competency profiles, we ensure that the interests, fundamental rights, and freedoms of data subjects are protected. Personal data will only be disclosed if necessary in the further course of the process, for example, to invite the applicant to an introductory meeting with our customer. We will inform you in good time about any such meeting and the associated lifting of anonymisation.
We use a processor to communicate with applicants via email, host applicant data, and provide the applicant management platform. This processor handles your data according to our instructions and is bound by confidentiality and data security obligations.
We store the data of rejected applicants for the statutory period of six months and then delete it, unless you have provided consent for longer-term storage. Application documents in our applicant pool are deleted after a maximum of two years, unless you provide renewed consent to extend the storage period.
Anonymised applicant data remains in our system for statistical purposes. Anonymised data does not allow any conclusions to be drawn about you as an individual.
If an employment relationship is established, we store your data for the duration of the employment and in accordance with the applicable retention periods.
Data processing in the context of travel expense reimbursement
If we invite you to a personal on-site interview, you may be reimbursed for any travel expenses incurred, subject to certain conditions. Reimbursement will be made in accordance with statutory provisions.
To process any travel expense reimbursement, we require certain personal data, such as your bank account details and, where necessary, relevant supporting documents (e.g., tickets, receipts). To record your data securely and protect it during transmission, we provide the travel expense report as a password-protected file.
Your data will be processed solely for the purpose of reimbursement and will be stored in accordance with the applicable statutory retention periods once the process is complete. Tax-related documents are retained in line with legal requirements for eight years following the annual financial statements and the end of the respective calendar year, after which they are deleted.
8. Data processing for customers, business partners, and interested parties
Within the scope of existing or initiated business relationships with customers and business partners, as well as when contacting potential clients, we process your personal data for the purpose of initiating, establishing, and executing contracts. Data processing is carried out in accordance with Article 6(1)(b) GDPR (performance of a contract and implementation of pre-contractual measures).
In addition, we process your personal data to maintain and sustain our business relationships. This includes, for example, communicating with you outside of specific contractual relationships and maintaining contact information. This processing is based on our legitimate interest under Article 6(1)(f) GDPR. Our legitimate interest lies in the efficient organisation and maintenance of sustainable business relationships and in ensuring proper operational communication.
Furthermore, your data may be processed to fulfil legal obligations to which we are subject. In this case, processing is based on Art. 6(1)(c) GDPR.
Providing your personal data is necessary for the establishment and execution of the business relationship. Without this data, we cannot fulfil the contract. There is, however, no legal obligation to provide your data. The provision of additional, non-mandatory information is voluntary.
Within our company, only those individuals and departments entrusted with processing contractual services and business operations have access to your data.
We store your personal data until the purpose has been fulfilled and in accordance with applicable statutory retention periods.
If you have a contractual relationship with us, we will store your contract data for the duration of the contract and beyond, in line with statutory retention periods, for six years after the end of the contract in accordance with §257 HGB (German Commercial Code) and §147 AO (German Fiscal Code). Tax-relevant documents are retained in accordance with statutory requirements for eight years following the annual financial statements and the end of the relevant calendar year.
If no contract is concluded with you, we will store your data for up to three years in line with the general civil law limitation period.
After the expiry of the respective periods, your data will be deleted, provided that no further legal obligations or legitimate interests prevent deletion.
9. Enquiries by email or telephone
If you contact us by email or telephone, your enquiry, including all resulting personal data (such as your name, contact details, and the content of your enquiry), will be stored and processed by us for the purpose of handling your request. We will not pass this data on to third parties without your consent.
Such data is processed in accordance with Article 6(1)(b) GDPR, where necessary for the performance of a contract or the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries addressed to us, in accordance with Article 6(1)(f) GDPR.
The data you provide via a contact request will be retained until the purpose for which it was stored no longer applies (for example, once your request has been processed). Mandatory legal provisions, in particular statutory retention periods, remain unaffected.
10. Data processing in connection with our social media presence
We maintain company profiles on various social media platforms to communicate with customers, interested parties, and users, and to provide information about our company and services.
When you visit our profiles on these platforms, personal data is processed. This is carried out both by us and by the respective platform operator for their own purposes. Please note that we have no control over the data processing conducted by the platform operators. In such cases, processing is carried out in accordance with the respective data protection policies of the platforms.
For details on data processing by the platform operators, please refer to the terms of use and privacy information of the respective social media portals.
By maintaining our social media presence, we have a legitimate interest in externally presenting our company, interacting with customers, interested parties, and business partners, and providing information about our products and services. Related data processing is carried out on the basis of Article 6(1)(f) GDPR.
Data processing initiated by social networks may be based on different legal grounds, which must be specified by the operators of the respective networks.
You can exercise your rights as a data subject (including access, correction, deletion, restriction of processing, data portability, and objection) both with us and with the operator of the respective social media portal.
Data collected directly by us via our social media presence will be deleted from our systems once the purpose for its storage no longer applies, or if you revoke your consent. Mandatory legal provisions, in particular statutory retention periods, remain unaffected.
We have no control over the storage period of your data held by social network operators for their own purposes.
10.1 LinkedIn
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter LinkedIn).
As the operator of our LinkedIn company page, we receive aggregated statistics from LinkedIn about visitors and visitor behavior within our LinkedIn presence. We also use LinkedIn for targeted advertising campaigns. In doing so, LinkedIn processes user data in order to display personalised advertising. In connection with our advertising, we receive anonymized data on the performance and reach of advertisements, including target group analysis and interaction rates.
With regard to the processing of this insights data, there is joint responsibility between us and LinkedIn in accordance with Art. 26 GDPR. To this end, we have concluded a joint responsibility agreement LinkedIn, which is available at the following link:
https://legal.linkedin.com/pages-joint-controller-addendum
LinkedIn assumes primary responsibility for data processing.
The processing of this data is based on our legitimate interest in accordance with Article 6(1)(f) GDPR. Our legitimate interest includes, in particular, analysing and optimising marketing measures, targeted advertising, and using statistical insights to improve our offerings and the user experience.
LinkedIn processes your data for its own purposes and also uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
LinkedIn transfers data to third countries. In doing so, the platform provider complies with the requirements of Art. 44 et seq. GDPR. You will find more detailed information on data transfer at:
https://www.linkedin.com/help/linkedin/answer/a1343190/?lang=de-DE.
You can ask the platform provider directly which of your data LinkedIn processes. The following link explains how you can obtain a copy of your LinkedIn data:
If you exercise your rights as a data subject with the platform operator, we will forward your request to LinkedIn.
For detailed information on how LinkedIn processes your data, including information on your rights as a data subject, please refer to LinkedIn’s privacy policy:
https://www.linkedin.com/legal/privacy-policy
10.2 Xing
We have a profile on Xing. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.
Both we and New Work SE process personal data independently of each other via our Xing profile.
Data processing by New Work SE
Details on how New Work SE handles your personal data can be found in Xing’s privacy policy:
https://privacy.xing.com/de/datenschutzerklaerung
You can find out directly from the platform provider which data New Work SE processes about you. The following link provides information on the options available to you for requesting information from New Work SE:
https://faq.xing.com/de/einstellungen/datenauskunft-ueber-deine-gespeicherten-daten
Xing transfers data to third countries. In doing so, the platform provider complies with the requirements of Art. 44 et seq. GDPR.
How we process data
As the owner of a company profile on Xing, the platform operator provides us with various aggregated data and statistics that offer insights into interactions with our profile. We receive anonymised information that does not allow us to identify individual persons, including the number of visits to our profile, the number of our followers, and how often our published content is commented on or shared.
The legal basis for processing this anonymised data is our legitimate interest under Article 6(1)(f) GDPR. We have a legitimate interest in analysing the reach and effectiveness of our company’s presence to optimise our information offering and interaction with users.
Personal information about you is transmitted to us by New Work SE only to the extent that you actively provide it via the message function or through forms containing information about your profile. We process this information on the basis of our legitimate interest under Article 6(1)(f) GDPR to respond efficiently to your enquiries and to contact interested parties, customers, and applicants.
Please note that we have no control over the processing of data you provide to us by New Work SE.
If you exercise your rights as a data subject with the platform operator, we will forward your request to New Work SE.
11. Microsoft Teams
We use the “Microsoft Teams” tool to conduct conference calls, online meetings, video conferences, and/or webinars (hereinafter: “Online Meetings”). “Microsoft Teams” is a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, or Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Please note the following:
When you visit the Microsoft Teams website, the provider of Microsoft Teams is responsible for data processing. However, visiting the website is only necessary for using Microsoft Teams in order to download the software for using Microsoft Teams.
If you do not want to or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. In this case, the service is also provided via the Microsoft Teams website.
Data processing operations
Various data is processed when using Microsoft Teams. The scope of the data depends on the information you provide before or during participation in an online meeting.
The following personal data is subject to processing:
-
User information includes, for example, display name, email address (if applicable), profile picture (optional), preferred language
-
Meeting metadata includes, for example, date, time, meeting ID, phone numbers, location
-
Text, audio, and video data: You may have the option to use the chat function in an Online Meeting. In this case, the text you enter will be processed in order to display it in the Online Meeting. To enable the display of video and the playback of audio, the data from the microphone of your device and from any video camera on the device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the Microsoft Teams applications.
We use Microsoft Teams to hold Online Meetings. If we want to record Online Meetings, we will inform you of this in advance and, if necessary, ask for your consent.
If necessary for the purposes of recording the results of an Online Meeting, we will log the chat content. However, this will not usually be the case.
Automated decision-making within the meaning of Art. 22 GDPR is expressly not used at any time.
Legal basis
Insofar as personal data of employees, including applicants, of pico engineering GmbH is processed, Article 6(1)(b) GDPR serves as the legal basis for data processing. If, in connection with the use of Microsoft Teams, personal data is not necessary for the establishment, implementation, or termination of the employment relationship but is nonetheless an essential component of using Microsoft Teams, Article 6(1)(f) GDPR is the legal basis for data processing. In these cases, our legitimate interest lies in the effective conduct of online meetings.
Otherwise, the legal basis for data processing when conducting online meetings is Article 6(1)(b) GDPR if the meetings are held within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Article 6(1)(f) GDPR. Here too, our interest is in the effective execution of online meetings.
If we record online meetings, the legal basis for data processing is your consent in accordance with Article 6(1)(a) GDPR. You may revoke your consent at any time with effect for the future, which will result in the deletion of the recording.
Recipients of personal data
Personal data processed in connection with participation in online meetings will not be shared with third parties unless it is specifically intended for disclosure. Please note that, as with face-to-face meetings, content from online meetings is often used to communicate information to customers, interested parties, or other third parties and is therefore intended for disclosure.
Other recipients: The provider of Microsoft Teams necessarily has access to the aforementioned data to the extent specified in our data processing agreement with “Microsoft Teams.”
Transfer of personal data to a third country
However, the data is encrypted during transport via the Internet and is therefore protected against unauthorised access by third parties. However, we cannot rule out the possibility that data may be routed via Internet servers located outside the European Union. This may be the case in particular if participants in online meetings are located in a third country.
The data is encrypted during transport via the Internet and is therefore protected against unauthorised access by third parties.
12. Rights of data subjects
As a data subject, you have rights that you can exercise against the controller.
You may request information about the processing of your personal data by us at any time in accordance with Article 15 GDPR. Provided that the legal requirements are met, you also have the right to rectification under Article 16 GDPR, the right to erasure of your data under Article 17 GDPR, and the right to restriction of processing under Article 18 GDPR. Where technically and legally feasible, you may also request data portability in accordance with Article 20 GDPR.
In cases where processing is based on our legitimate interest, you have the right to object in accordance with Article 21 GDPR.
Where processing is based on your consent, you have the right to withdraw your consent at any time with effect for the future. Please note that the withdrawal does not affect the lawfulness of data processing that took place prior to the withdrawal. After you have withdrawn your consent, we will delete the relevant data, provided there are no legal retention obligations or other legitimate reasons preventing deletion.
To exercise your rights as a data subject, you can contact us at any time using the methods described above.
13. Right to complain
If you believe that the processing of your personal data violates data protection regulations, you have the right to lodge a complaint with a data protection supervisory authority at any time.
The supervisory authority responsible for our company headquarters is as follows:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstr. 5
D-30159 Hannover
Telephone: +49 511 120 45 00
Email: poststelle@lfd.niedersachsen.de
14. Current status of this privacy policy
We reserve the right to update this privacy policy regularly in order to adapt it to changed legal requirements or changes in data processing, for example. The current version is available on our website.
Status of this privacy policy: 11/20/2025
