Privacy policy

Privacy policy for independent consultants and entrepreneurs

This privacy information explains how we handle personal data when we approach you for an assignment on a project, when we place you in a project, and how we process your personal data in order to be able to contact you in general. The following describes how we collect, use, and process your personal data and how we thereby comply with our legal obligations. Protecting data is important to us, and we assure you that we protect and uphold your data protection rights.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

GP+S Consulting GmbH
Schaberweg 28 a
61348 Bad Homburg v.d.H.
Telephone: +49 6172 49556 0
E-mail:

2. Contact details of the Data Protection Officer

You can reach the Data Protection Officer at:

Proliance GmbH
www.proliance.ai
Data Protection Officer
Leopoldstr. 21
80802 Munich
E-mail: 

When contacting the Data Protection Officer, please state the company to which your enquiry relates. Please also refrain from attaching sensitive information to your enquiry, such as a copy of an ID document.

3. General information on data transfers to third countries

The processing of your data may also take place, where applicable, in countries outside the European Union (EU) and the European Economic Area (EEA).

For data transfers to certain third countries, an adequacy decision of the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of the existing adequacy decisions can be viewed at the following link: Data protection adequacy for non-EU countries.

The scope of an adequacy decision may additionally be restricted to a specific group of recipients or be tied to the fulfilment of further conditions.

For example, the adequacy decision for data transfers to the USA applies only with regard to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).

If your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that authorities in those countries may access your data for security and surveillance purposes without you being informed or being able to seek legal remedies.

We therefore ensure, in order to safeguard an adequate level of data protection when transferring your data to recipients in such third countries, that appropriate safeguards within the meaning of Art. 46 GDPR exist.

As a rule, either we or the service providers we use enter into standard data protection clauses of the European Commission pursuant to Art. 46(2)(c) GDPR. These require the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) – European Commission. If you require further information on the modules of the standard contractual clauses concluded by us in individual cases or on supplementary measures, we will be happy to provide you with a copy. In this case, simply contact us using the contact details stated above under “Controller”.

For certain recipients, data transfers may also be based, pursuant to Art. 46(2)(b) GDPR, on binding corporate rules (BCR) approved by supervisory authorities. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.

If the standard contractual clauses or binding corporate rules are not sufficient to ensure the level of protection, additional technical, contractual, and/or organisational measures are taken to safeguard the data transfer. In addition, it is regularly reviewed and assessed whether these additional measures continue to ensure an adequate level of data protection or whether further supplementary measures may need to be taken.

Further information on data transfers to third countries can be found, in the relevant cases, below in the sections on data processing or services used under “Data processing in third countries”.

4. General information on the use of Artificial Intelligence

Artificial Intelligence (AI) may be used in the context of processing your data.

4.1. Types of AI systems

If we use AI, AI systems, assistants, services, and functions may generally be used in various forms.

This may involve either AI with a general-purpose use (i.e., not predetermined for specific tasks) or AI with a processing-specific purpose that is used only for certain tasks.

These may be standalone AI systems or AI solutions integrated into operating systems or Office software solutions.

Services or platforms may also be used that enable us to use various AI systems or models (multi-AI platforms).

Finally, AI systems, agents, functions, extensions, or models integrated into other software solutions and services may also be used to fulfil certain tasks.

We will inform you below about the scope of the specific AI usage in our company.

4.2. Use of AI systems and assistants with a general purpose

At present, no AI systems, assistants, or multi-AI platforms with a general purpose are used.

4.3. Use of AI systems and assistants with a specific purpose

AI systems with a specific purpose may be used in certain data processing operations or when using certain services and software solutions. Such AI systems, agents, functions, extensions, or models always perform only specifically defined tasks. They may also be integrated into software or a service that we use as part of one of the data processing operations described here.

If we use specific, purpose-bound AI agents, functions, extensions, or models for certain data processing operations or when using certain services and software solutions, we will provide separate information below in the respective section about the specific use, its purpose, and the type and scope of data processing.

5. Privacy information for self-employed consultants and entrepreneurs

5.1. Collection of data on professional social media platforms (LinkedIn and XING) and adding a contact

Description of the data processing and purpose

We place self-employed consultants and entrepreneurs in a wide variety of client projects. In order to find suitable candidates for placement, we conduct research on professional social media platforms. We then contact individuals who are of interest to us.

For this purpose, we collect personal data that you may publish in your profiles on professional social media platforms. In particular, this may include the following data:

Information about you:

• First and last name,
• title (if applicable),
• pronouns used,
• location (country, region, postal code),
• date of birth.

Contact details:

• E-mail address,
• telephone number,
• website,
• usernames of instant messaging services.

Professional information:

• current position held or job title,
• information about the industry in which you work,
• information about your previous professional experience and/or previous project experience,
• information about education and training as well as qualifications/degrees,
• information about skills, knowledge, qualifications, and certifications,
• recommendations,
• other data you may publish in your profile.

The purpose of the data processing and our legitimate interest is to find interesting and suitable self-employed consultants and entrepreneurs whom we can place with our clients for project assignments.

Legal basis for data processing

The data processing is carried out pursuant to Art. 6(1) sentence 1 lit. f GDPR on the basis of our legitimate interest stated above.

Source

We collect the above-mentioned personal data on the professional social media platforms you may use, operated by the following platform providers:

• LinkedIn Ireland Unlimited Company, Wilton Plaza, Gardner House 4, 5, 6, Dublin 2, Ireland,
• New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

Recipients

In the course of data processing, your data are transferred to the following categories of recipients or recipients that we use for data processing in order to achieve the purposes stated:

• software service providers that provide us with solutions for internal and external communication, for creating and editing documents, and for managing data inventories,
• IT support and administration service providers.

These include, in particular, the following recipients:

• Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland,
• Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA,
• Salesforce.com Germany GmbH, Erika-Mann-Straße 31–37, 80636 Munich, Germany,
• Salesforce Inc., 15 Mission St FL 3, San Francisco, CA 94105, USA,
• SNC – IT Service & Consulting GmbH, Berner Straße 28, 60437 Frankfurt.

Data processing in third countries

Your data is transferred to recipients in third countries. For data transfers to the USA, an adequacy decision of the EU Commission exists with regard to companies certified under the EU-U.S. Data Privacy Framework. Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework.

Supplementary information on this and further links can be found above in the section “General information on data transfers to third countries”.

Storage period

We process the data collected initially until the end of the initial contact.

We then delete your data from our operational systems, unless processing is still permitted for another purpose stated in this notice and on the basis of an appropriate legal basis.

5.2. Inclusion of your profile in our placement database

Description of the data processing and purpose

After we have contacted you, we store the data researched about you via the social media platforms (see above under section 4.1) and, where applicable, additional information from a CV/resumé transmitted to us by you and/or other documents you may provide, in a profile about you in our database.

In doing so, we may process additional data contained in your CV and other documents, such as:

• photograph,
• information about your professional qualifications and project experience,
• information about professional training/further education and school education,
• information about your nationality,
• further information that you consider relevant in connection with a project assignment, as well as
• information about your project experience with us and about successful project placements by us.

The purpose of the data processing and our legitimate interest are to create, update, and continuously maintain a database of suitable self-employed consultants and entrepreneurs in order to be able to efficiently find suitable candidates for client projects in the future. In addition, the data processing also serves your interest in promoting placement in suitable future client projects.

Legal basis for data processing

The data processing is carried out pursuant to Art. 6(1) sentence 1 lit. f GDPR on the basis of our legitimate interests stated above as well as yours.

Recipients

In the course of data processing, your data is transferred to the following categories of recipients or recipients that we use for data processing in order to achieve the purposes stated:

• software service providers that provide us with solutions for internal and external communication, for creating and editing documents, and for managing data inventories,
• IT support and administration service providers.

These include, in particular, the following recipients:

• Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland,
• Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA,
• Salesforce.com Germany GmbH, Erika-Mann-Straße 31–37, 80636 Munich, Germany,
• Salesforce Inc., 15 Mission St FL 3, San Francisco, CA 94105, USA,
• SNC – IT Service & Consulting GmbH, Berner Straße 28, 60437 Frankfurt.

Data processing in third countries

Your data is transferred to recipients in third countries. For data transfers to the USA, an adequacy decision of the EU Commission exists with regard to companies certified under the EU-U.S. Data Privacy Framework. Microsoft Corporation and Salesforce Inc. are certified under the EU-U.S. Data Privacy Framework.

Supplementary information on this and further links can be found above in the section “General information on data transfers to third countries”.

Storage period

We process the data collected and processed in your database profile for as long as this is necessary to achieve the purposes stated, generally for a maximum of 10 years after our last contact with you.
We then delete your data from our operational systems, unless processing is still permitted for another purpose stated in this notice and on the basis of an appropriate legal basis.

5.3. Matching your database profile with client projects and preparing a placement proposal

Description of the data processing and purpose

Based on client specifications and requirements, we search for suitable consultants and entrepreneurs for projects.

For this purpose, we compare the data stored by you in our profile database to the extent described above—particularly your qualifications, your professional and project experience, your skills, knowledge and qualifications, and your education and further training data—with the requirements profile of the client project.

Information on the specific data processed in the profile can be found above under section 4.2. In individual cases, additional data required for a specific project may be requested from you.

The purpose of the data processing and our legitimate interest are, on the one hand, to place consultants and entrepreneurs with our clients who match the requirements of their project. On the other hand, a project placement that corresponds to your qualifications and skills is also in your interest.

Legal basis for the data processing

The data processing is carried out pursuant to Art. 6(1) sentence 1 lit. f GDPR on the basis of our and your legitimate interests stated above.

Use of Artificial Intelligence

Artificial Intelligence (AI) is used in the course of processing your data.

In order to significantly increase the efficiency of matching your profile with the requirements of the client project and preparing a placement proposal for our clients compared to purely manual matching, our employees are supported by an AI system.

The AI system “ChatGPT” provided by OpenAI OpCo, LLC, located at 1960 Bryant Street, San Francisco, California 94110, USA, is used.

In the European Union (EU) and the European Economic Area (EEA), the AI function is offered by OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.

We use “ChatGPT” exclusively for the automated comparison (matching) of data about you and your professional data—particularly your qualifications, your professional and project experience, your skills, knowledge and qualifications, your education and further training data, and, where applicable, other project-specific data—with the requirements profile of the client project.

Your data are processed within the AI in so-called prompts, i.e., inputs or instructions. The outputs of the AI system are then used by our employees in a supporting manner for matching and placement.

The purpose of data processing using AI and our legitimate interest are, on the one hand, to significantly increase the efficiency and accuracy of our placement process compared to manual allocation by assigning consultants and entrepreneurs to client projects who match our clients’ requirements profiles. On the other hand, the aim of using AI is to carry out project placements even more accurately and efficiently in line with the skills of the consultants and entrepreneurs working with us.

Data processing using the AI system is carried out pursuant to Art. 6(1) sentence 1 lit. f GDPR on the basis of our and your legitimate interests stated above.

Additional information can be found above in the section “General information on the use of Artificial Intelligence”.

Recipients

In the course of data processing, your data is transferred to the following categories of recipients or recipients that we use in order to achieve the purposes stated:

• software service providers that provide us with solutions for internal and external communication, for creating and editing documents, and for managing data inventories,
• providers of AI systems, services, and agents,
• IT support and administration service providers.

These include, in particular, the following recipients:

• Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland,
• Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA,
• Salesforce.com Germany GmbH, Erika-Mann-Straße 31–37, 80636 Munich, Germany,
• Salesforce Inc., 15 Mission St FL 3, San Francisco, CA 94105, USA,
• OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland,
• OpenAI OpCo, LLC, 1960 Bryant Street, San Francisco, California 94110, USA,
• SNC – IT Service & Consulting GmbH, Berner Straße 28, 60437 Frankfurt.

Data processing in third countries

Your data are transferred to recipients in third countries. For data transfers to the USA, an adequacy decision of the EU Commission exists with regard to companies certified under the EU-U.S. Data Privacy Framework. Microsoft Corporation and Salesforce Inc. are certified under the EU-U.S. Data Privacy Framework.

For data transfers to the USA where the recipient is not certified under the EU-U.S. Data Privacy Framework, there is no adequacy decision of the EU Commission; therefore, to ensure an adequate level of data protection, standard contractual clauses are concluded and further measures are taken to safeguard the data transfer.

Supplementary information on this and further links can be found above in the section “General information on data transfers to third countries”.

Storage period

We process the data collected for as long as this is necessary to achieve the purposes stated, typically until completion of the matching process. We then delete your data from our operational systems, unless processing remains permissible for another purpose stated in this notice and on the basis of an appropriate legal basis.

5.4. Placement for a project assignment

Description of the data processing and purpose

If your profile matches a client project and you have been selected by our employees for placement with a specific client, we will contact you and provide you with further details about the client company and the project.

If you are interested in the placement, we will forward relevant profile data to our client. In doing so, our client will receive relevant information about you, contact details, and professional information, in particular:

• first and last name,
• title (if applicable),
• photographs,
• current position held or job title,
• information about the industry in which you work,
• information about your previous professional experience and/or previous project experience,
• information about education and further training as well as qualifications/degrees,
• information about skills, knowledge, qualifications, and certifications,
• information about project-related requirements.

The purpose of the data processing is to successfully place you with a client for a project assignment, i.e., to carry out pre-contractual measures that are aimed at the formation, performance, and fulfilment of a contract.

Legal basis for the data processing

The data processing is carried out pursuant to Art. 6(1) sentence 1 lit. b GDPR.

Recipients

In the course of data processing, your data are transferred to the following categories of recipients or recipients that we use in order to achieve the purposes stated:

• software service providers that provide us with solutions for internal and external communication, for creating and editing documents, and for managing data inventories,
• IT support and administration service providers,
• client companies.

These include, in particular, the following recipients:

• Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland,
• Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA,
• Salesforce.com Germany GmbH, Erika-Mann-Straße 31–37, 80636 Munich, Germany,
• Salesforce Inc., 15 Mission St FL 3, San Francisco, CA 94105, USA,
• SNC – IT Service & Consulting GmbH, Berner Straße 28, 60437 Frankfurt.

Data processing in third countries

Your data are transferred to recipients in third countries. For data transfers to the USA, an adequacy decision of the EU Commission exists with regard to companies certified under the EU-U.S. Data Privacy Framework. Microsoft Corporation and Salesforce Inc. are certified under the EU-U.S. Data Privacy Framework.

Supplementary information on this and further links can be found above in the section “General information on data transfers to third countries”.

Storage period

We process the data collected for the duration of our business relationship, which in particular also includes the initiation and handling of a contract and/or for the fulfilment of contractual purposes.

We then delete your data from our operational systems, unless processing remains permissible for another purpose stated in this notice and on the basis of an appropriate legal basis.

5.5. Data processing activities to ensure compliance with data protection requirements

Description of the data processing and purpose

To the extent that you provide us with a declaration of consent, we process your personal data regarding the circumstances and the time at which it was given (if applicable, signature, e-mail address, telephone or fax number, or IP address) in order to be able to demonstrate, within the scope of the accountability obligation incumbent upon us under Art. 5(2) GDPR, that you consented to the respective data processing. The same applies to the withdrawal of your consent.

To the extent that you exercise your data subject rights under the GDPR vis-à-vis us, we also process your personal data in order to be able to demonstrate, within the scope of the accountability obligation pursuant to Art. 5(2) GDPR, that we complied with the GDPR when handling your request.

Legal basis for the data processing

Processing is carried out in each case on the basis of Art. 6(1) sentence 1 lit. c GDPR in conjunction with Art. 5(2) GDPR, or Art. 6(1) sentence 1 lit. f GDPR. Our legitimate interest is to be able to document compliance with the requirements of the GDPR within the scope of our accountability obligation.

Recipients

In the course of data processing, your data are transferred to the following categories of recipients or recipients that we use to achieve the purposes stated:

• external data protection officers,
• software service providers that provide us with solutions for internal and external communication, for creating and editing documents, and for managing data inventories.

These include, in particular, the following recipients:

• Proliance GmbH, Leopoldstr. 21, 80802 Munich, Germany,
• Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland,
• Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA.

Data processing in third countries

Your data are transferred to recipients in third countries. For data transfers to the USA, an adequacy decision of the EU Commission exists with regard to companies certified under the EU-U.S. Data Privacy Framework. Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework.

Supplementary information on this and further links can be found above in the section “General information on data transfers to third countries”.

Storage period

We store your data for as long as this is necessary to achieve the purpose stated above. Data relating to consent given are generally stored until the expiry of 3 years from the end of the year in which we last relied on it. Data that we process in connection with the implementation of data subject rights are generally stored for a period of 3 years from the end of the year in which you exercised your data subject right.

We then delete your data unless further processing—possibly also in other systems—continues to be permitted on the basis of another legal basis or is mandatory for us (e.g., in the event that statutory retention obligations apply).

5.6. Compliance with other legal obligations, in particular retention obligations

Description of the data processing and purpose

We process personal data insofar as this is necessary to comply with a legal obligation. The scope of the data to be processed results from the legal obligation with which we must comply.

Legal basis for the data processing

In these cases, the legal basis for processing your data is Art. 6(1) sentence 1 lit. c GDPR in conjunction with the respective legal provision that imposes such an obligation on us.

This may include, for example, provisions of the German Fiscal Code (Abgabenordnung, AO), e.g., Section 147 AO, the German Commercial Code (Handelsgesetzbuch, HGB), e.g., Section 257 HGB, or the German Code of Criminal Procedure (Strafprozessordnung, StPO).

Recipients

In the course of data processing, your data are transferred to the following categories of recipients or recipients that we use to achieve the purposes stated:

• tax advisors,
• auditors,
• tax or investigative authorities,
• lawyers/attorneys,
• experts,
• courts.

This includes, in particular, the following recipient:

• Busche & Hendler PartmB Steuerberatungsgesellschaft, Mühlstrasse 22, 65843 Sulzbach.

Storage period

We store your data to the extent necessary for as long as this is required to achieve the purpose stated above. The storage period results from the specific statutory provisions that oblige us to retain or process data for up to 10 years, whereby the specific start of the retention periods results from the respective specific law.

We then delete your data unless further processing—possibly also in other systems—continues to be permitted on the basis of another legal basis.

5.7. Establishment, exercise, or defence of legal claims

Description of the data processing and purpose

In addition, in individual cases we process your data for the purpose and in the interest of asserting legal claims—for example, to enforce our claims arising from unpaid invoices—if your data are relevant to a legal dispute.

In addition, in individual cases we process your data for the purpose and in the interest of defending against legal claims asserted against us—for example, in the context of the assertion of warranty claims for defects—if your data are relevant to a legal dispute.

Legal basis for the data processing

The legal basis for processing your data is Art. 6(1) sentence 1 lit. f GDPR.

Recipients

In the course of data processing, your data are transferred to the following categories of recipients or recipients that we use to achieve the purposes stated:

• tax advisors,
• auditors,
• tax or investigative authorities,
• lawyers/attorneys,
• experts,
• courts.

This includes, in particular, the following recipient:

• Busche & Hendler PartmB Steuerberatungsgesellschaft, Mühlstrasse 22, 65843 Sulzbach.

Storage period

In individual cases, we store your data to the extent necessary for as long as this is required to achieve the purpose stated above. We then delete your data unless further processing—possibly also in other systems—continues to be permitted on the basis of another legal basis or is mandatory for us (e.g., in the event that statutory retention obligations apply).

6. Your Rights

Below you will find information on which data subject rights the applicable data protection law grants you vis-à-vis the controller with regard to the processing of your personal data:

• The right, pursuant to Art. 15 GDPR, to request information about your personal data processed by us. In particular, you may request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data (if they were not collected from you), and the existence of automated decision-making, including profiling, and—where applicable—meaningful information about the details thereof.
• The right, pursuant to Art. 16 GDPR, to request without undue delay the rectification of inaccurate personal data stored by us or the completion of your personal data.
• The right, pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defence of legal claims.
• The right, pursuant to Art. 18 GDPR, to request the restriction of processing of your personal data insofar as the accuracy of the data is contested by you, the processing is unlawful but you oppose the erasure, and we no longer need the data but you require them for the establishment, exercise, or defence of legal claims, or you have objected to processing pursuant to Art. 21 GDPR.
• The right, pursuant to Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request transmission to another controller.
• The right, pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of the federal state of our registered office stated above, or, where applicable, that of your habitual residence or place of work.
• The right to withdraw consent granted, pursuant to Art. 7(3) GDPR: You have the right to withdraw consent to the processing of data at any time with effect for the future. In the event of withdrawal, we will delete the data concerned without undue delay, unless further processing can be based on a legal basis that permits processing without consent. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent up to the time of withdrawal.

Right to Object

If your personal data are processed by us on the basis of legitimate interests pursuant to Art. 6(1) sentence 1 lit. f GDPR, you have the right, pursuant to Art. 21 GDPR, to object to the processing of your personal data insofar as this is based on reasons arising from your particular situation. Where the objection relates to the processing of personal data for the purposes of direct marketing, you have a general right to object without the need to state a particular situation.

If you wish to exercise your right of withdrawal or objection, please contact us using the contact details stated above under “Controller”.

7. Status of the Privacy Policy

This privacy policy was last amended on 01. April 2026.