General Data Protection for Job Applicants

It is a given that we will process your personal data in connection with your job application. “Personal data” refers to any and all information that relates, indirectly or directly, to natural persons (for example, names and addresses).  

It is very important to us—voestalpine AG, voestalpine-Strasse 1, A-4020 Linz, Austria, and its subsidiaries—to protect the personal data of our job applicants. We are obligated to protect your data and we take this requirement very seriously.

The particular voestalpine entity to which you applied is responsible for processing your personal data in connection with a job application. The name and contact information of a data privacy officer, if any, is available at ( (hereinafter “we,” “us,” “our,” or “voestalpine”). 

Below please find a summary of how job applicants’ personal data are processed.

1.Categories of data, purpose of the processing, and legal framework

To process and carry out the job application procedure, voestalpine processes the following categories of personal data for the following purposes:

User accounts

A user account is established as soon as you apply in response to a job announcement or send an unsolicited job application. At minimum, this user account contains the following information:

  • First name
  • Last name
  • Email address
  • User name

If you voluntarily decide to register for social media when creating your user account, a link will be created to your social media account and we will process the account data for this external social media platform. This data will be used to import your profile details and to register you with the voestalpine job portal.

Data related to the job application

In particular, we process the following data that you disclose to us in connection with your job application:

  • Name
  • Qualifications, awards, professional experience, educational credentials
  • Email address
  • Private contact data (phone number, fax number, home address, etc.)
  • Consent to the use of your personal data
  • Letter regarding your reasons for applying to us
  • Desired salary
  • Consecutive number
  • Other personal data that are transmitted to us in connection with your job application when you complete our questionnaires (which are designed to be country specific), including text documents, if any, that are prepared and archived using automated means (e.g. correspondence). 

If you voluntarily select the option of using the profile details from one of your social media accounts, then we will process the account data from your external social media platform. This data will be processed for the purpose of importing your profile details into the voestalpine job portal.

We must process your personal data for the purpose of achieving the aforementioned goals, but also for the purpose of fulfilling contractual requirements in connection with employment or pre-employment activities.

Unless expressly specified otherwise, Art. 6 (1) letter a or Art. 6 (1) letters b and f of the General Data Protection Regulation (GDPR) provide the legal framework for the processing of personal data:

  • your consent
  • the data must be processed to fulfil a contract to which the affected person is a party or to carry out pre-employment activities and
  • the data must be processed to safeguard the legitimate interests of the controller or a third party.

Where you have made available to us special categories of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and data concerning health, etc., this data will be processed on the basis of your express consent.

Any failure to make the aforementioned personal data available at all or not in the required scope and/or any inability on the part of voestalpine to collect the given data will make it impossible to fulfil the specific purposes described above and/or to process the job application.

2.Transmission and sharing of personal data

voestalpine may transmit personal data as necessary within statutory limits to other voestalpine Group companies (

If you are responding to a particular job announcement (direct application), your data will be made available to the department publishing the job vacancy as well as the relevant human resources (HR) department.

If you send us an unsolicited job application that is unrelated to a specific opening at a specific site, your personal data will be made available to the HR and other appropriate departments of the voestalpine Group companies located at the site in question, provided any vacancies at these companies match your applicant profile.

By agreeing for your application to be kept in the voestalpine Group applicant pool, your personal data may be circulated worldwide, including in countries with lower levels of data protection, within the voestalpine Group; the circulation, processing, and use is restricted to the purposes of searching for personnel and personnel administration.

If you apply simultaneously to several job announcements in more than one voestalpine Group company, the given HR departments to which you submitted your application may become privy to all of your simultaneous applications.

Moreover, voestalpine assigns the processing of personal data to service providers (for example, in connection with an IT support contract). These service providers are contractually bound to comply with the requirements of the GDPR.

The recipients described in this item 2 may be domiciled in countries outside the European Union (“Non-EU Countries”), where applicable law may not provide the same level of data protection and privacy as in your home country. In this case, data are transmitted in accordance with statutory requirements solely if the European Commission has issued an “Adequacy Decision” subject to which appropriate guarantees have been stipulated with the recipient (e.g., EU Standard Contractual Clauses have been agreed); if the recipient participates in an approved certification system (e.g., the EU-US Privacy Shield); if binding internal data protection and privacy requirements pursuant to Art. 47 GDPR have been put in place; or if an exemption has been granted under Art. 49 GDPR (for example, because you expressly consented to the proposed transmission of your data after having been informed of the potential risks to you of such data transmission absent an adequacy decision and appropriate guarantees). Please see the contact information in item 6 for further information as well as a copy of the measures that have been put in place.

3. Retention periods 

  • Application process: unless statutory retention obligations for applicant data preclude data anonymization or deletion, the period during which application-related data submitted during the course of an application are retained is six (6) months from the completion of the given application process. Data anonymization erases the personal nature of the data set.
  • Applicant pool: where you have agreed for your application to be entered into the applicant pool, your application-related data will be processed for a period of three (3) months from the time at which you gave consent for entry into the applicant pool. This period will be extended for an additional three (3) months each time you consent to such an extension.
  • User account: In principle, the user account is deactivated after 6 months from activation of the user account. This period is extended by a further 6 months subject to your consent. If a current application appears in your user account on the day before the six-month period expires, your user account will be extended by a further 30 days - without any separate consent on your part.  
    The data in your user account will be permanently deleted or anonymized after deactivation. You will then no longer be able to access the data of the deactivated account.
  • If the job application is submitted through a personnel services agency, the retention period for applicant-related data shall be six (6) months.

4. Right to information, rectification, and deletion of your personal data; right to restrict the processing of your personal data; right to object; right to data portability as well as right to withdraw previously given consent: 

  • Under Art. 15 GDPR, you have the right to request confirmation of whether your personal data are being processed by the controller and the right to request information about the given data.
  • Under Art. 16 GDPR, you have the right to request immediate rectification of any inaccuracies in your personal data and/or the right to request that any incomplete data be completed.
  • Under Art. 17 GDPR, you have the right to request deletion of your personal data.
  • Under Art. 18 GDPR, you have the right to request restrictions on the processing of your personal data.
  • Under Art. 20 GDPR, you are entitled to the portability of your personal data.
  • Under Art. 21 GDPR, you have the right to object to the processing of your personal data.
  • Finally, you also have the option of filing a complaint with the relevant regulatory agency.
  • If your personal data are being processed with your consent, you have the right to withdraw such consent at any time, but doing so shall not affect the lawfulness of the processing of your personal data until such time.

In order to ensure efficient responses to such requests, we ask that you contact us using the contact information set forth below; we also ask that you always submit proof of your identity, for example, by transmitting an electronic copy of your identity document.

5. Protection of your personal data

We are particularly concerned with protecting your personal data. We take the following steps, among others, to protect your personal data against abuse and loss as well as unauthorized access, modification, or disclosure:

  • We limit access to our offices/sites (access controls)
  • We implement access authorization protocols and protect data media (access and sharing controls)
  • We utilize network security protocols such as anti-virus software, firewalls, security updates, etc. (network controls)

We also transfer our security policies to service providers that we engage and oblige them to comply with the same or equivalent security precautions.

6. Contact

If you have any questions about data protection and privacy, and if you want to exercise your aforementioned rights, you may reach us at

  • We also transfer our security policies to service providers that we engage and oblige them to comply with the same or equivalent security precautions.

This Privacy Policy Notice may be amended from time to time.

As of: 01-08-2023