SAP Logo LeanIX is now part of SAP

Applicant Privacy Policy

Name and Contact details of Data Controller

LeanIX GmbH (“LeanIX”)
Friedrich-Ebert-Allee 37-39
53113 Bonn

Data Collection and Processing

The following application data is collected and processed within the scope of the online application:

  • first name (mandatory field)
  • surname (mandatory field)
  • e-mail (mandatory field)
  • Phone (mandatory field)
  • Desired salary
  • Available form
  • Where did you find us? (channel) (mandatory field)
  • Application documents (letter of application, curriculum vitae, references etc.)

In addition, technical information might be transmitted to us from your web browser when you visit our pages. This includes, for example, information about the browser you are using, information about the operating system, the time and date of your visit and, if applicable, the referrer URL. This data will be processed solely as necessary to enable the technical delivery of the online application to your device, and be deleted thereafter, except as necessary to protect us against attacks on our web server or misuse of our online application (based on our legitimate interests in ensuring the effective and secure online application process according to Art. 6(1) lit. f) GDPR). It is not possible for us to combine this data with data from your online application.

Application Channel

Applications for job advertisements of LeanIX GmbH are possible in the following way:
via online application
via e-mail to
via mail to HR, LeanIX GmbH, Friedrich-Ebert-Allee 37-39, 53113 Bonn

If you apply via email or mail, we will collect and process the personal data that your reveal to us in the context of your application. Please ensure that you do not reveal any sensitive personal data about your person in the context of your application (such as health data, racial or ethnic origin, political opinions, religious beliefs, trade union membership or sexual orientation) since we do not require such information for deciding on your application.

Purpose of Processing and Legal Basis

Your personal application data is collected and processed exclusively for the purpose of processing your application and deciding on the establishment of an employment relationship with you. To the extent necessary to process your application, such as where the position is with another group company or the relevant personnel overseeing your position or deciding on your application are employed with another group company, LeanIX will also share your personal data with the relevant group companies (subject to our intra-group data transfer agreement).
If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws have to be observed (e.g. applicant background screening in accordance with local law).

If you receive a contract offer, your data will be used after completion of the application procedure for the preparation of the contract offer and for the organization of the training.
Legal basis for the processing of your personal application data for the purposes of establishing the employment are Art. 6 para. 1 lit. b) GDPR and Section 26 para. 1 sentence 1 Federal Data Protection Act (“BDSG”).

Retention Period of Application Data

Personal data may only be stored for as long as it is necessary for the purpose for which the data is being processed. This means that personal data will be deleted or anonymized as soon as the purpose of its processing has been fulfilled or otherwise lapses. The maximum storage period is 120 days upon formal ending the recruiting process, unless documentation or retention obligations continue to apply, the data is necessary for the protection of our legitimate interests in the establishment, exercise or defense of legal claims, or you provide respective consent (such as in case you would like us to further store your personal data in our talent database for potential future job opportunities).

Data Security

We have taken various technical and organizational precautions to protect the data collected in the context of your application against manipulation and unauthorized access. In particular, the transmission of your online application is encrypted in accordance with the current technical state of the art.

Disclosure of Data

Your personal data will be stored in our applicant management system. The stored data is only made available to the employees within LeanIX and the relevant group of companies that need to know the data for the above recruitment purposes (see section on purposes).
The application management system is a software-as-a-service solution of a specialized provider. The data protection requirements with regard to the transfer are fulfilled. The data transmitted as part of your application is transferred in a secure way (e.g. TLS encryption) and stored in a database. This database is operated by Greenhouse Software, Inc. (“Greenhouse”) which offers personnel administration and applicant management software ( In this context, Greenhouse is our processor according to Art. 28 GDPR. The basis for the processing here is a data processing agreement on the basis of the EU Standard Contractual Clauses between us as the controller and Greenhouse as processor since Greenhouse is based in the United States of America and will be processing your personal data in the United States of America.

Transfer of Personal Data to Third Countries

A transfer of personal data to countries outside the European Union or the contracting states of the European Economic Area (so-called “third countries”) is generally not intended, but may occur especially when personal data is forwarded to our affiliated group companies, as necessary for recruitment purposes. The laws of third countries outside the EU/EEA may not provide for the same level of data protection as considered adequate within the European Union. However, we have – to the extent legally required – put into place appropriate safeguards and guarantees (such as contractual commitments on the basis of the EU Standard Contractual Clauses and the implementation of supplementary safeguards) to ensure that your personal data will always be protected in accordance with legal requirements. To the extent your personal data is transferred to our affiliated companies in third countries, such as in the USA or India, we have entered into an intra-group data transfer agreement on the basis of the EU Standard Contractual Clauses. For more information on the appropriate safeguards in place, and in order to receive a copy of them (as applicable), please contact us at the contact details set out in this Data Privacy Notice.

Your Rights

To the extent you are affected by the data processing carried out by LeanIX, you have the right subject to applicable legal provisions:

  • to obtain information on the personal data processed concerning you and to obtain a copy of such data (right of access, Art. 15 GDPR);
  • to obtain the rectification of any inaccurate personal data and, having regard to the purposes of the processing, the completion of incomplete personal data (right to rectification, Art. 16 GDPR);
  • if there are legitimate reasons, to request the deletion of your personal data (right to erasure, Art. 17 GDPR);
  • to request the restriction of the processing of your personal data, if the legal requirements are met (right to restriction of processing, Art. 18 GDPR);
  • if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by LeanIX (right to data portability, Art. 20 GDPR); and
  • not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met. An automated decision making process is not carried out by LeanIX.

If the processing of personal data is based on your consent, you have the right to revoke this data protection consent in accordance with Art. 7 para. 3 GDPR. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data based on consent before the withdrawal.

To the extent that the processing of your personal data is carried out in accordance with Art. 6 para. 1 lit. f. GDPR in order to safeguard legitimate interests, you have the right, according to Art. 21 GDPR, to object to the processing of such data at any time on grounds relating to your particular situation. LeanIX will then no longer process this personal data unless LeanIX can demonstrate compelling legitimate grounds for the processing. These reasons must override your interests, rights, and freedoms, or the processing must serve to establish, exercise, or defend legal claims.

If you have any questions about the collection, processing or use of your personal data or to exercise your rights, please refer to or contact us via other means at the contact details set out in this Data Privacy Notice.

Right to lodge a complaint with the Supervisory Authority

You have the right of lodge a complaint with a data protection supervisory authority if you believe that the processing of personal data concerning you violates applicable data protection law (in particular the EU General Data Protection Regulation).

Consequences of Assignment/Change in Control

In the event that LeanIX sells or transfers all or part of its business to a different entity, we may transfer your data to such new entity as part of such transaction, merger/acquisition.


If you require further information regarding the processing of your personal data, please contact LeanIX at the contact details set out at the beginning of this Data Privacy Notice or via email to the data protection team at

You can also contact our external data protection officer, Mr. Andreas Schmidt, at our postal address with the addition "personally" to the data protection officer or via email to

If you are located in the United Kingdom and have questions about your personal data or would like to request to access, update or delete it, you may contact our representative at:

Bird & Bird GDPR Representative Services UK
12 New Fetter Lane
United Kingdom

Main point of contact:Vincent Rezzouk-Hammachi