1. Data Controller and data transfer

1.1 Data controller and contact

We would like to inform you below about the data processing in connection with your application and our online application tool.

The data controller within the meaning of the General Data Protection Regulation (“GDPR”) for the processing of applicant data is

TIER Mobility SE (“TIER”),c/o Mindspace, Friedrichstraße 68, 10117 Berlin, Germany.

You can reach our data protection officer at dpo@ tier.app or at the above postal address ("Attn: Data Protection Officer"). We expressly point out that when using the email address, the content of your communication is not exclusively noted by our data protection officer. Therefore, if you wish to exchange confidential information solely with our data protection officer, please first contact us directly via this email address.

1.2 Data transfer within the TIER group

Depending on your residence and the future location of your prospective position, TIER will share your data within the TIER group and especially with your potential future employing entity.

In case you become a TIER employee, the data controller will be your employer.

2. Data collection, purpose of processing and legal basis

2.1 Data collection and Processing

You can provide us with your personal data through different channels during the application process. We collect data that you make available to us via our website and online application management tool Greenhouse, in applicant questionnaires, uploaded documents, such as cover letters, CV, certificates, transcripts and in interviews. In addition, we collect data that we have legitimately obtained in the context of fairs, from publicly accessible sources, such as LinkedIn, from recruiters, from the employment agency, or on the basis of a recommendation.

Depending on the position you have applied to, we might also perform background checks on you and you will find more information below.

2.2 Types of personal data collected and processed

When you apply for a position, we require the following information from you to manage recruiting :

• Name (title, first name, surname, name affixes) and, if available, photo,
• Contact details (telephone number, mobile number, e-mail address, fax number, street, house number, address and additions if applicable, postcode, city, country),
• Date and place of birth,
• Gender,
• Nationality
• Channel through which you heard about us,
• Training and education,
• Work Experience, history of the applicant in other companies, job title, workplace,
• References,
• Salary expectations,
• Existence of work permit,
• Existence of driver’s license if applicable,
• Information on health status as far as necessary,
• Information on the status of the current employment relationship including notice period,
• if applicable, criminal records and other information,
• ID or passport information with regards to our ID verification process.

2.3. Purpose and legal basis of the processing

The purpose of the processing of your personal data is the execution of the application process. The legal basis for the processing is Article 6 (1) (a) and (b) GDPR. Special categories of personal data are only processed if and insofar as the requirements of Art. 9 GDPR are met and the processing serves the fulfillment of our legal obligations or the consent of the applicant is given.

Only authorized HR staff will have access to your personal data and the employees and/or interviewers involved in your hiring process.

2. Storage period

2.1 General storage period

In case you do not receive or accept an offer from us your data will be restricted and stored for 6 months after the completion of the application process. After that, the data will be deleted. We may retain data for more than 6 months if this is necessary for our defense against legal actions.

Should you be offered and accept a position with us during the application process, we will store the personal data collected as part of the application process for at least the duration of your employment.

2.2. Talent pool

If you have given consent to add your data to our internal talent pool, we may store your data for 12 months after the end of the application process in order to identify any other vacancies that may be of interest to you.

After these 12 months, we may ask for your consent again to retain your data for another extended period of time.

3. ID verification

3.1 Verification process

For compliance reasons, all our candidates go through an ID check to verify their identity at the final stage of the interview process. This is to ensure that your personal details match your previously provided data, that the correct personal details end up on your employment contract, to ensure that you are allowed to work in your country of residence and in general to prevent potential fraud attempts.

If you do not feel comfortable with an automated ID verification, you are also free to ask your recruiter for a manual verification.

You take photos of the front and back of your ID card or another appropriate identification document with your (smartphone) camera. These photos need to include the following information (photo, name, birthday, ID card number or document ID, issuing country, expiration date, date of issue).

An identity check is then performed to determine whether the person depicted on the ID document corresponds to you. For this purpose, you take pictures of your face (so-called “video selfie”) which are compared with the photo on the ID document.

While you are taking pictures of your face, it is also checked if your picture is of a live person. For this purpose, a 3D model of your face is created, which is matched with the photo on your ID document.

If any problems occur, the data may be verified manually within 24 hours. You will be notified about any necessary manual verification and about the result. If the verification fails for any reason, you can always contact your recruiter.

The images of your ID document and face will be automatically deleted no later than 14 days after successful completion, failure or cancellation of the verification process. Unless you applied for a position in the United Kingdom where the images will be stored for the duration of the employment.

As part of the verification of your document and after the 14 days have lapsed, we will only store the following data:

• your official name.

We use IDnow GmbH, Auenstraße 100, 80469 Munich, Germany, as a service provider for the verification process. IDnow GmbH receives personal data exclusively to perform its services for us.

3.2 Purpose and legal basis of the processing

The verification is a prerequisite for the conclusion and fulfillment of the employment contract pursuant to Article 6(1)(b) GDPR and regarding ensuring the prospective employee is allowed to worked in the country of residence a legal obligation of TIER pursuant to Article 6(1)(c) GDPR.

Insofar as images of your face are processed for the purpose of identity verification, the data processing is based on your consent pursuant to Article 6(1)(a) and Article 9(2) GDPR. You can revoke your consent at any time, in particular by stopping the verification procedure.

4. Background checks and international sanction lists

4.1 Performance of background checks and sanction list screenings

In case you apply for a position in the TIER Finance department which requires handling of funds, access to bank accounts, a position in the TIER Compliance or Legal Team or a position as managing director or a comparable position, TIER may perform a background check on you once you have reached an advance stage of the application process. This background check includes a reference check, a criminal background and a credit background check (in case of access to bank accounts or handling of funds). With these checks we aim to verify that TIER hiring you does not violate any applicable laws and does not entail any financial, legal or other risks. For more information, you can reach out to the respective hiring manager or dpo@tier.app.

In line with TIER’s obligations, TIER may also perform a cross check with international sanction lists.

4.2 Purpose and legal basis of the processing

The background check and sanction list screening are legal obligations of TIER in accordance with Article 6(1)(c) GDPR. Additionally, background checks in so far as they are not a legal obligation are performed to prevent fraud and limit the (financial) risks of TIER and are thus in TIER’s legitimate interest and based on Article 6(1)(f) GDPR.

5. Use of Greenhouse by us

For applications through our website we use the services of Greenhouse Software Inc. (“Greenhouse”) to manage our recruitment and application process. Greenhouse is a cloud services provider located in the United States of America.

To apply for a job offered on our website, you have to fill out the applicant questionnaire and provide us with information regarding your name, address, contact details, nationality, salary expectations and current work situation. You also need to upload your CV. If you like you can also upload other relevant documents such as cover letter and transcripts and voluntarily give additional information. We collect and process the provided information by you to contact you, to execute the recruitment process and to create the employment contract.

Information on how Greenhouse processes your personal data when you are on the Greenhouse website can be found here: https://www.greenhouse.io/priv....

6. Rights of the applicant

You have the following rights in relation to their personal data. Details can be found in Articles 7, 15-22 and 77 GDPR.

Right to revoke consent under data protection law pursuant to Art. 7 (3) sentence 1 GDPR

Consent to the processing of personal data can be revoked at any time with effect for the future. However, the lawfulness of the processing carried out until the revocation is not affected by this.

Right of access according to Art. 15 GDPR

You have the right to request confirmation as to whether the Employer is processing personal data concerning the employee. If this is the case, you have the right to be informed about these personal data and to receive further information, e.g. the purposes of processing, the categories of the processed personal data, the recipients and the planned duration of storage or the criteria for determining the duration.

Right to rectification and completion according to Art. 16 GDPR

You have the right to request the rectification of inaccurate data without delay. Taking into account the purposes of the processing, the applicant has the right to request the completion of incomplete data.

Right to deletion ("right to be forgotten") according to Art. 17 GDPR

You have a right to deletion insofar as the processing is no longer necessary. This is the case, for example, if the data is no longer necessary for the original purposes, you have revoked a consent under data protection law or the data was processed unlawfully.

Right to restriction of processing according to Art. 18 GDPR

You have a right to restrict processing, e.g. if the applicant believes that the personal data is inaccurate.

Right to data portability according to Art. 20 GDPR

You have the right to receive the personal data concerning the employee in a structured, common and machine-readable format.

Right of objection according to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of certain personal data concerning you.

In the event of direct advertising, you shall have the right to object at any time to the processing of personal data concerning the applicant for the purpose of such advertising; this shall also apply to profiling insofar as it is connected with such direct advertising.

Automated decision in individual cases including profiling according to Art. 22 GDPR

You have the right not to be subject to a decision based solely on automated processing, including profiling, except in the exceptional circumstances mentioned in Art. 22 GDPR.

Decision-making based exclusively on automated processing - including profiling - does not take place.

Complaint to a data protection supervisory authority pursuant to Art. 77 GDPR

You may lodge a complaint with a data protection supervisory authority at any time, for example if you are of the opinion that the data processing does not comply with data protection law.

7. Technical and organizational measures

We use technical and organizational security measures to protect the data you have provided from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. If your data is collected and processed, the information will be transmitted in encrypted form to prevent misuse of the data by third parties.

8. Updates and changes

We will occasionally update this privacy policy to ensure that it always reflects current legal requirements and actual circumstances (e.g. when new services or features are introduced). We recommend that you check this Privacy Notice regularly for possible changes.