Data protection at haystax

1. Introduction

As a recruitment company, haystax works with personal data every day. For this reason, we have always prioritised the protection and confidentiality of data. We feel this way about all types of data, regardless of whether it concerns applicants, customers, contract partners, employees or service providers. Our company and all haystax sites collect personal data only to the extent necessary to do our job. Under no circumstances do we sell (or for any reason share) to third parties the personal data that you entrust to us.

Our guidelines comply with the latest data protection legislation, especially the German Data Protection Act (BDSG), the German Telemedia Act (TMG) and, effective 25 May 2018, the EU General Data Protection Regulation (GDPR).

In this document, we describe how we ensure the protection of data and define for which purposes we collect which types of data. If you have any questions regarding the storage and use of your personal data, please see our website for ways to contact us directly.

2. Purpose

With its five independently operating offices, haystax is a leading headhunting company for hotels, the restaurant industry and related sectors. There are no standardised guidelines in our work with customers and applicants, as each haystax managing director and every haystax site customises its own solutions. At every haystax office, the entire recruitment process – from placement of an order to the final interview – is tailored to the unique needs of applicants and customers.

If you register with us and send us your application documents, then we will enter your personal data into our database of candidates. Our database allows us to match applicants with potential employers and, to the best of our ability, place a qualified candidate with the ideal company. Our database is independent of, i.e. not connected to, our website.

3. Collection and processing of personal data

3.1 Registration

By registering in our database of candidates, you consent to haystax entering your personal data and further information into our database. To ensure that you can use our service without restrictions and to help our employees best handle your application, we ask that you provide important CV information on our registration form. By registering, you consent to haystax entering and storing your personal data into our applicant database, and you select the period after which your data will be deleted.

In addition to your application documents (CV, cover letter, educational certificate[s], employer letter[s] of reference), we store the following pieces of personal data in connection with your job search: full name, address, phone number, mobile phone number, email address, photo, gender, nationality, date of birth, marital status, education, additional qualifications and language skills. Once you yourself and we have entered your data into our system, one of our managing directors or employees will ask you for additional information on your professional background. This can include, but is not limited to, information regarding your salary, training, career and further skills.

With the exception of your address, contact details, date of birth, marital status and education as well as the latest version of your CV, any additional information you provide is on an entirely voluntary basis. However, haystax cannot guarantee that you will be able to benefit from the full range of our services if you choose not to provide all the above-mentioned pieces of personal data in connection with your job search.

We will treat your personal data with the strictest confidence and not make it available to any third party without your consent. Only haystax managing directors and authorised haystax employees are able to access and process your data.

3.2 Determination of the retention period

As haystax also wants to support you in your future career planning, your data is retained after the application process is completed so that we can also contact you about future vacancies. However, you can set your own retention period – at the end of our data sharing form simply specify the period after which your data should be deleted from the database.

3.3 Homepage

We do not use our website to collect or process data. This is why our website does not have an online reply form. You can instead contact us by email, phone or fax.

4. Disclosure of personal data

haystax processes an applicant’s personal data in accordance with the provisions in data protection regulations. Afterwards, haystax collects, processes and uses personal data only within the scope necessary to establish and maintain the application framework as well as to place applicants with customer companies. haystax will transfer an applicant’s personal data to a customer only with the applicant’s express consent and only if doing so is necessary to place the candidate with the customer.

Whether or not this is deemed necessary will depend on the job profile and the skill set that you have specified in cooperation with haystax – provided it seems probable that haystax can place you with one of its customers. All of our clients are contractually obligated to treat all data that we transfer to them with the strictest confidence. In addition, we inform all haystax customers that the respective client must permanently delete a rejected applicant’s documents.

We hereby emphasise that haystax has customers in countries that do not have adequate data protection measures in place that meet the requirements of EU data protection legislation. If you register in our database, it is possible that we will provide your data to interested customers outside the European Union. Please notify us by email if you want us to refrain from providing your data to customers in certain countries.

5. Processing and deletion of your data

When you consent to data sharing, you have the right to determine a specific time for the deletion of all your personal data from our database. However, you can also request the deletion of the data at any time before the specified date by sending us an informal email.

You furthermore have the right to information about your personal data stored on drives or servers. You also have the right to information about the source of stored data as well as the reason for storing your personal data and the recipients or categories of recipients to whom your data has been disclosed. In addition, you may exercise your right to rectification if any incorrect data has been stored.

6. Notes on external links

In its “liability for links” ruling (312 O 85/98) on 12 May 1998, Germany’s Hamburg Regional Court stated that a website operator could be held partially responsible for the content on an external website to which the operator provides a link. The operator can absolve itself from this liability only by expressly distancing itself from the content on external websites. We hereby expressly distance ourselves from all content on all websites to which we provide links on our website. We also expressly assume no responsibility for content on linked websites. These statements in Section 6 are valid for all links that appear on this website.

7. Data security

haystax has taken the technical and organisational measures necessary for protecting personal data in order to ensure compliance with the provisions of the German Data Protection Act (BDSG). haystax pays particular attention to the monitoring objectives specified in the appendix to Section 9 of the German Data Protection Act (BDSG). These objectives are meant to protect against inadvertent loss and against unauthorised access, use, alteration or disclosure.

All systems and operations are checked continuously to ensure that the above-mentioned data protection measures are implemented and updated consistently. In this context, each haystax managing director is responsible for training their employees on how to use IT systems and software as well as how to handle personal data. The use of checklists and progress reports ensures that the monitoring of data protection remains transparent and easy to understand at all times. Each managing director must also regularly check their data protection strategy and update it as necessary to ensure compliance with the latest legislation.

In addition, our customers and our applicants alike can view their data at any time and request information on the current use of their data.

8. Notes on data protection and contacting haystax

If you send us an email, then we will electronically store the personal contact details in your email and use this data to communicate with you. As a rule, we will not sell or rent out your data to third parties. Only if you consent to us doing so will we transfer data to third parties – especially if this is necessary to provide services for you or if we are permitted by law to transfer data to third parties.

9. Data protection provisions about the application and use of Google Analytics (with anonymisation function)

On this website, the controller has integrated the component of Google Analytics (with anonymisation function). Google Analytics is a web analytics service. Web analytics is the collection, gathering and analysis of data about the behaviour of visitors to websites. Among other things, a web analytics service collects data about the website from which a data subject has come (referrer), which subpages of the website were accessed, and how often and for how long a subpage was viewed. Web analytics are mainly used for the optimisation of a website and in order to carry out a cost-benefit analysis of Internet advertising.

The operator of the Google Analytics component is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

For the web analytics through Google Analytics the controller uses the application “_gat. _anonymizeIp”. By means of this application, the IP address of the Internet connection of the data subject is abridged by Google and anonymised when accessing our websites from a Member State of the European Union or another Contracting Party to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyse the traffic on our website. Google uses the collected data and information, inter alia, to evaluate the use of our website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our website for us.

Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. With the setting of the cookie, Google is enabled to analyse the use of our website. With each call-up to one of the individual pages of this website, which is operated by the controller and into which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject will automatically submit data through the Google Analytics component for the purpose of online advertising and the settlement of commissions to Google. During the course of this technical procedure, Google gains knowledge of personal information, such as the IP address of the data subject, which serves Google, inter alia, to understand the origin of visitors and clicks, and subsequently create commission settlements.

The cookie is used to store personal information, such as the access time, the location from which the access was made, and the frequency of visits to our website by the data subject. With each visit to our website, such personal data, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America.

As stated above, the data subject may prevent the setting of cookies by our website at any time by activating a web browser setting which permanently refuses the setting of cookies. Adjusting the browser’s setting in this way would also prevent Google from placing a cookie on the information technology system of the data subject. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.

Furthermore, the data subject has the option to object to the collection of data generated by Google Analytics and related to the use of this website as well as to the processing of this data by Google and to prevent such processing. To do so, the data subject must download and install a browser add-on from the link This browser add-on informs Google Analytics via JavaScript that no data and information about website visits may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google as an objection.

If the information technology system of the data subject is deleted, formatted or reinstalled at a later point in time, the data subject must reinstall the browser add-on in order to disable Google Analytics. If the browser add-on was uninstalled by the data subject or any other person who is attributable to their sphere of competence, or it is disabled, it is possible to execute the reinstallation or reactivation of the browser add-on.

Further information and the applicable data protection provisions of Google can be found at and Google Analytics is explained in more detail at

Explanations under Point 9 are from the German Society for Data Protection’s Privacy Policy Generator, in cooperation with the media law lawyers at WILDE BEUGER SOLMECKE | Rechtsanwälte.