Imprint
Terms of Service
November 20, 2024
Privacy Policy
March 12, 2025
Curved arrow
Customers
Curved arrow
Website Visitors
Curved arrow
Applicants
Curved arrow
Employees
Data Processing Agreement
March 12, 2025

Privacy Policy

Privacy Policy for customers and interested parties

This privacy policy deals with the data processing related to our existing or potential customers. If you are visiting our website (including https://app.nextmatter.com/), the website privacy policy applies additionally.

1. Name and contact details of the responsible party

Responsible for the data processing and “controller” in terms of the GDPR is:
Next Matter GmbH,
Gormannstraße 14,
10119 Berlin,
Germany
E-mail: info@nextmatter.com
www.nextmatter.com

2. Contact details of the data protection officer

The designated data protection officer is:
DataCo GmbH
Sandstraße 33,
80335 Munich,
Germany
Phone: +49 (0) 89 7400 458 40
E-mail: datenschutz@dataguard.de
www.dataguard.de

3. Data processing agreement; processing of customer data as a processor
Data Processing as a Processor

In providing the SaaS service Next Matter GmbH („we“ or “us”), we act as a data processor on behalf of our customers pursuant to Art. 28 GDPR. A data processing agreement (“DPA”) is part of our customer agreements. The DPA can be found here

The DPA covers all data and processing activities within the SaaS service (e.g. “customer content” like your workflow data).

Specific privacy policy for Google Users
If you authorize Next Matter to access your Google account, we process your email address and any data you choose to sync with your Next Matter account strictly to enable services such as integrations with Google Workspace. All data processing activities comply with Google's Limited Use Requirements, meaning we do not use your data for advertising, profiling, or any purposes outside the scope of providing the requested services. The data is stored only as long as necessary to fulfil the requested service or as required by applicable legal or contractual obligations. Upon termination of the service or revocation of access, data will be securely deleted in accordance with our data retention policies.

As a data processor, we do not control or determine the content of the data you upload or sync. While we do not intentionally process sensitive data in accordance to Art. 9 GDPR, it is possible that such data may be uploaded by users. We strongly recommend avoiding the upload of sensitive data unless strictly necessary. In cases where sensitive data is inadvertently uploaded, we process it solely to provide the requested service and implement robust safeguards to ensure its confidentiality and security.
You retain full control over your data and may revoke Next Matter’s access to your Google account at any time through your Google account settings. Upon revocation, we will cease processing your data immediately.

The processing of data is carried out in full compliance with the requirements of Article 28 GDPR. This includes adherence to all obligations applicable to data processors, as outlined in our Data Protection Agreement (DPA). The technical and organisational measures implemented to ensure data security are specified in Annex 3 of the DPA.
Where necessary to provide the requested service, data may be shared with authorised sub-processors listed in Annex 4 of the DPA. All sub-processors are contractually bound to comply with stringent data protection requirements that meet the standards of Article 28 GDPR.

In cases where data is transferred to a third country, such transfers are carried out in accordance with Chapter V of the GDPR, using appropriate legal mechanisms, such as adequacy decisions or Standard Contractual Clauses (SCCs), to ensure an adequate level of data protection.

Data Processing as a Controller

This privacy policy solely covers data processing we perform for our own purpose as a controller (and not on your behalf as a processor), e.g. contract management, billing and invoicing etc.

4. Data processed in connection with customer relationships

In the context of existing or potential customer relationships, we collect and process in particular the following data for our own purpose as a controller:

  • Company name and address
  • Main contact name, job title, email address and phone number
  • Payment and billing information such as credit card or bank account details, billing address and company tax ID
5. Legal basis of data processing

a) Processing for the purpose of performing the contract with you
The legal basis for the processing of personal data for pre-contractual and contractual purposes is Art. 6(1)(b) GDPR if you yourself are our contractual partner or Art. 6(1)(f) GDPR if your employer is our contractual partner. This applies to the data processing in respect of a contract between you or your employer and us and includes, without limitation, the initiation of the contractual relationship, contract processing, implementation and support as well as performance of the pre- and post-contractual obligations. 

b) Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, your personal data will be processed on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Art. 5, 7 GDPR. Art. 5, 7 GDPR. 

c) Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 para. 1 sentence 1 lit. f GDPR if our legitimate interests exist, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is also our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. 

d) Processing for the fulfilment of a legal obligation
Insofar as the processing of your personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR serves as the legal basis. Our legal obligation to process data arises from retention obligations under commercial and tax law, in particular from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung).

6. Purposes of data processing

We also process your data for our or third parties’ legitimate interests (Art. 6(1)(f) GDPR). This may be necessary in particular:

  • When you enter into a contract with us we collect the following contact and account data provided by you: your company name and address, main contact name, job title, email and phone number, and payment/billing information. Mandatory data is marked as such in forms and is required to proceed with a contract. We also process general contract-related data, for example your contract-related correspondence with us, the contract terms, invoices and payment information etc.
  • To process your enquiry as an interested party and potential customer. When you contact our customer support, we collect your inquiries and the related contact data, your name and e-mail address to process your inquiry.
  • To provide you, our customer, with the best possible service. This includes, in particular, communicating with you by e-mail or phone.
  • To add your contact details to our customer database.
  • To prepare and carry out pre-contractual measures - this includes, for example, the preparation and sending of an individual offer or individual agreement and transmission of contractual terms with the aim of concluding a contract.
  • For the fulfilment of post-contractual measures.
  • To fulfil our contractual obligations arising from the contractual terms with you. For this purpose, we pass on your personal data to forwarding agents, among others, in order to ensure smooth delivery of the goods.
  • For sales and marketing purposes. To provide you with the best possible information about our products and services. This also includes sending our newsletter, if you have registered, and advertising by e-mail or post. If required we collect your consent for the use of your data for marketing purposes (e.g. newsletter subscriptions) pursuant to Art. 6(1)(a) GDPR. You can withdraw such consent at any time.
  • To ensure smooth billing of the services provided. For this purpose, your personal data will be processed in order to be able to issue invoices. In addition, we forward your personal data to our external payment service provider in order to complete the billing process.
  • To fulfil our legal obligations. This includes, for example, the transfer of your personal data to the tax office.
  • To enforce our rights and for the assertion, exercise or defence of legal claims.
  • For ensuring IT security and IT operations.
  • To carry out internal quality controls.
  • To optimize our products, services and offerings. We collect anonymous, statistical data about the use of our SaaS service. Such statistical data never includes customer content or personal data, only aggregated statistical information. Usage statistics are also generated via tracking tools embedded in the website. Such tracking requires your prior consent, given (or rejected) via the cookie banner. You can revoke your consent at any time via the cookie banner. You will find the corresponding link at the bottom left of each page ("privacy settings"). Please see the website privacy policy for more information.
7. Retention periods

We delete your personal data as soon as they are no longer required for the above-mentioned purposes.  

We take appropriate measures to ensure that your personal data is only processed under the following conditions:

  • For the duration that the data is used to provide you with a service.
  • Personal data may be retained for the period during which claims can be asserted against us or by us (statutory limitation period of three or up to thirty years).
  • In addition, we store your personal data to the extent that we are required to do so by law. Corresponding obligations to store data result in particular from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung). Accordingly, the storage periods are generally up to six or ten years. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

If required, we will be pleased to provide you with further information on the duration of data storage in relation to the specific purpose. 

Please note that customer content (e.g. your workflow data) stored within the SaaS system will be deleted as agreed in the data processing agreement, usually upon termination or expiration of the contract.

8. Data recipients

Within our company, only those persons and departments receive your personal data that need them to fulfil their tasks with regard to the above-mentioned purposes. In the course of our activities, we sometimes also have to transfer data to external third parties and use external service providers. In particular, we may transfer your personal data to the following categories of recipients:

  • External employees / freelancers
  • Technical service providers, such as IT and hosting service providers, telecommunication service providers.
  • Commercial service providers, auditors, tax consultants and lawyers
  • Contractual partners (insofar as necessary, e.g., for the execution of contracts)
  • Authorities e.g. tax offices, courts, trade supervisory office

Insofar as we use services whose providers are partly located in third countries outside the European Economic Area or process personal data there and the EU Commission has not issued an adequacy decision for these countries pursuant to Art. 45 GDPR, we have taken appropriate precautions to ensure an adequate level of data protection. These include, among others, the standard contractual clauses of the European Union (SCC) or binding corporate rules (BCR). Where this is not possible, we base the data transfer on your express consent. 

Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed. 

Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.

9. Rights of the data subject, right to lodge complaints, right to object

According to the General Data Protection Regulation, in addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR), erasure or restriction of processing (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR). 

You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, E-Mail: mailbox@datenschutz-berlin.de

Website Privacy Policy

This privacy policy deals with the data processing related to our website. If you are using our SaaS service as a customer, our privacy policy for customers and the data processing agreement (DPA) apply additionally.


1. Name and contact details of the responsible party

Responsible for the data processing and “controller” in terms of the GDPR is:
Next Matter GmbH,
Gormannstraße 14,
10119 Berlin,
Germany
E-mail: info@nextmatter.com
www.nextmatter.com


2. Contact details of the data protection officer

The designated data protection officer is:
DataCo GmbH
Sandstraße 33,
80335 Munich,
Germany
Phone: +49 (0) 89 7400 458 40
E-mail: datenschutz@dataguard.de
www.dataguard.de

3. Legal basis of data processing

a) Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, your personal data will be processed on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Art. 5, 7 GDPR. Art. 5, 7 GDPR.

b) Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 para. 1 sentence 1 lit. f GDPR if our legitimate interests exist, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is also our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

c) Processing for the fulfilment of a legal obligation
Insofar as the processing of your personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR serves as the legal basis. Our legal obligation to process data arises from retention obligations under commercial and tax law, in particular from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung).

4. Purposes of Data Processing

a) Automatically generated website visitor information
We collect information and data that is automatically transmitted or generated by your browser each time you visit our website. Such information includes the IP address, the geographic location, the URLs of the site you visited before accessing our website (“referrer”), the browser used, the browser language, the operating system and user interface, the access device used, date and time of your access, the pages viewed on our website, and the time you spend on the website.  

Legal basis for the processing of such log data is Art. 6(1)(f) GDPR due to our following legitimate interest:

  • to facilitate your access to and visit of the website,
  • to improve our website and services and adapt them to the needs of our users,
  • to perform internal quality checks,
  • to prevent, detect, process and investigate malfunctions, incidents, fraudulent or other illegal activities, or mitigate the risk of occurrence of the aforementioned events,
  • to create statistics on access channels and the use of our website.

b) Contact and inquiries
You can contact us e.g. via contact forms or chat functions on the website or by e-mail if you are interested in our services. In our contact forms, we usually ask you about your contact details (name, email address, company). The legal basis for the data processing is Art. 6(1)(b) GDPR insofar as your information is required to answer your inquiry or to initiate or execute a contract, otherwise your and our legitimate interest in answering your current or future inquiry, improving service quality, training staff, or for establishing, exercising, or defending legal claims pursuant to Art. 6(1)(f) GDPR.


c) Blog Newsletter
On our website you can subscribe to our blog newsletter. In this case, we will use the contact data you have provided for sending the newsletter with news, product updates and information by e-mail. The data processing is based on your consent pursuant to Art. 6 (1)(a) GDPR. 

You can revoke your consent at any time, e.g. by using the “unsubscribe” link, which you will find at the end of each newsletter e-mail. 

We store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The legal basis is our legitimate interest pursuant to Art. 6 (1)(f) GDPR in proving the proper registration for the newsletter. 

In order to determine when our emails are opened and how they are used, we record and analyze the interactions with the newsletter or the accruing access data (e.g. opening rate or click rate) using standard market technologies provided to us by our newsletter service provider. For this purpose, our e-mails contain so-called web beacons (see Sec. 4 below). This allows us to determine whether and when an e-mail was opened by you. We also learn which of the links contained in the e-mails you click on. We use this access data for the continuous improvement of our offer, our content and customer communication as well as for statistical purposes. If you do not want this analysis of usage behavior, you can unsubscribe from the newsletters or deactivate graphics in your e-mail client. The legal basis is our legitimate interest in usage analysis pursuant to Art. 6(1)(f) GDPR.

d) Cookies
We use cookies, web beacons and suchlike when you visit our websites or use our services.
Cookies are small text files that are stored by your browser on your computer or mobile device and which allow re-identification of your computer or mobile device, potentially across numerous websites. These cookies contain no personal data. Some of the cookies we use are deleted again upon expiry of the session, that is, when you close your browser (these are referred to as session cookies). Other cookies remain stored on your device and allow us, or our business partners to recognize your browser during subsequent visits (persistent cookies).  

You may prevent cookies by configuring your browser software accordingly. However, please note that certain areas of the websites or certain services may then not work as intended (such as the SaaS service). 

Web beacons are small graphics files (pixels) that may be embedded in our website for the purposes of recording user behavior. Similar methods include, for example, flash cookies, HTML5 cookies or other local (browser or device) storage methods that – in a similar way to cookies – allow data to be saved to your browser or device so that your browser or device can be recognized during subsequent visits or during a session. 

We use cookies that are required for the provision of certain functionality of our website (e.g. the SaaS service). Some of our service providers may also use cookies, in particular for web analysis and marketing purposes (see below).

Legal Basis for Cookies

We use tools and cookies necessary for website operation based on your and our legitimate interest pursuant to Art. 6(1)(f) GDPR in the operation of the website and pursuant to § 25 (2) No. 2 TDDDG. Tools and cookies necessary for the provision of the SaaS service are based on Art. 6(1)(b) GDPR, § 25(2) No. 2 TDDDG. 

We use other tools, in particular for analysis and marketing purposes based on your consent pursuant to Art. 6(1)(a) GDPR and pursuant to § 25(1) TDDDG, which is obtained via the cookie banner (see below). If you have given your consent to use certain tools, we may also transfer the data processed when using the tools to third countries on the basis of this consent. 
When you visit our website for the first time and at any time later, you have the choice of whether you permit the setting of cookies or which individual additional functions you would like to select.
You can revoke your consent at any time via the cookie banner. You will find the corresponding link at the bottom left of each page ("privacy settings").

Some browsers offer a “Do Not Track” (DNT) setting. In compliance with applicable legal requirements, we respect DNT signals where technically feasible and legally required. Additionally, we provide a GDPR-compliant consent management mechanism that allows you to accept or reject non-essential cookies at any time. You can manage your preferences through our cookie banner, where you can modify your choices at any time and learn more details on the types of cookies we use and their purposes.

Additional information
You can find more information about the external tools and cookies in the cookie banner, including:

  • the tools and their purpose
  • the name and address of the service provider and the processing locations
  • the technologies used (e.g. cookies, tracking pixel)
  • cookie retention periods

You will find the corresponding link at the bottom left of each page ("privacy settings").

5. Data recipients

We may use third party service providers, and disclose to such service providers personal data as required for the provision of the services. We use in particular technical service providers for the hosting and operation of the website. Third party service providers also include providers of external tools embedded in the website, as listed in the cookie banner (see Sec. 2.2 above). 

We may make personal data available to our service providers for the fulfillment of their activities, if necessary. In doing so, we will of course also comply with all data protection requirements and oblige our service providers to do so to the extent necessary. The service providers may process the personal data exclusively on our behalf and not for their own purposes and must treat the data confidentially.  To this end, we have concluded commissioned processing agreements in accordance with Art. 28 GDPR. 

Insofar as we use services whose providers are partly located in third countries outside the European Economic Area or process personal data there and the EU Commission has not issued an adequacy decision for these countries pursuant to Art. 45 GDPR, we have taken appropriate precautions to ensure an adequate level of data protection. These include, among others, the standard contractual clauses of the European Union (SCC) or binding corporate rules (BCR). Where this is not possible, we base the data transfer on your express consent. 

Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed. 

Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.

6. Retention periods

We delete your personal data as soon as they are no longer required for the above-mentioned purposes.  

We take appropriate measures to ensure that your personal data is only processed under the following conditions:

  • For the duration that the data is used to provide you with a service.
  • Personal data may be retained for the period during which claims can be asserted against us or by us (statutory limitation period of three or up to thirty years).
  • In addition, we store your personal data to the extent that we are required to do so by law. Corresponding obligations to store data result in particular from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung). Accordingly, the storage periods are generally up to six or ten years. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

If required, we will be pleased to provide you with further information on the duration of data storage in relation to the specific purpose.

7. Rights of the data subject, right to lodge complaints, right to object

In addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR). 

You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason. 

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, E-Mail: mailbox@datenschutz-berlin.de

Privacy Policy for the processing of applicant data

Thank you for your interest in working with Next Matter. We would like to inform you below about the processing of your personal data provided by you as part of the application process and, if applicable, collected by us, and your rights in this regard.

1. Name and contact details of the responsible party

Responsible for the data processing and “controller” in terms of the GDPR is:

Next Matter GmbH,

Gormannstraße 14,

10119 Berlin,

Germany

E-mail: info@nextmatter.com

www.nextmatter.com

2. Contact details of the data protection officer

The designated data protection officer is:

DataCo GmbH

Sandstraße 33,
80335 Munich,

Germany

Phone: +49 (0) 89 7400 458 40

E-mail: datenschutz@dataguard.de

www.dataguard.de

3. Data processed in relation to the application process

We use your personal data that you provide to us throughout the application process for example in cover letters, resumes, references, applicant questionnaires, applicant interviews. In addition, we may process personal data that we have lawfully obtained from publicly available sources (e.g. professional social networks), from recruiters or contact with references. This may include:

  • your personal details, for example your name, date of birth, gender, marital status, nationality, personal contact details, identification documentation;
  • professional qualifications and any personal data contained in your CV plus cover letter and references etc.;
  • work-related details, for example work contact details (corporate email address and telephone numbers), staff number, photograph, job title, job description, reporting lines, primary work location and other terms and conditions of your employment;
  • remuneration and benefits data, for example, details of your pay and benefits package;
  • special categories of personal data that you have voluntarily provided to us such as health data, religious affiliation, incapacity data relating to accommodations in the workplace or in relation to an operational integration management (“Betriebliches Eingliederungsmanagement”). We ask you to refrain from providing such information in the application if possible.
4. Purpose of data processing

The data processing is carried out in accordance with Art. 88 GDPR, § 26 para. 1 p. 1 BDSG for recruiting purposes. This includes the following purposes:

  • Conducting the application process and deciding on the establishment of the employment relationship
  • Communication (telephone, e-mail, video call)
  • Implementation of pre-contractual measures (initiation of the employment relationship)
  • Inclusion of applicant data in an applicant pool
  • Assertion, exercise or defense of legal claims arising from the application process

We do not carry out any automated decision-making or profiling pursuant to Art. 22 GDPR.

5. Legal basis for data processing

a) Processing based on consent

If you have given your consent to data processing, for example by submitting an application, your data will be processed according to Art. 6 para. 1 p. 1 lit. a DS-GVO in connection with Art. 7 DS-GVO. Art. 7 DS-GVO, in conjunction with. Art. 26 para. 2 BDSG

b) Processing of special categories of personal data

Insofar as special categories of personal data are processed that you have obviously made public, your data will be processed pursuant to Art. 9 (2) lit e DS-GVO. If you have given your consent to the processing of non-public special categories of personal data, such as health data, religious affiliation or nationality, your data will be processed in accordance with Art. 9 (2) lit. a DS-GVO.

c) Decision on the establishment of the employment relationship

We process your data in order to make a decision on the establishment of the employment relationship. In the event of employment in our company, your data will be processed for the purpose of implementing and terminating the employment relationship. Separate information on the processing of your personal data on the basis of employment relationship has been provided in our Privacy Policy for Employees. Processing based on legitimate interest – Art. 6 Para. 1 f GDPR

d) Processing for the purpose of asserting, exercising or defending legal claims or in the case of acts of the courts

As far as necessary, your data will be processed for the purpose of asserting, exercising or defending legal claims or in case of actions of the courts according to Art. 6 para. 1 p. 1 lit f DS-GVO, Art. 9 para. 1 lit f DSGVO.

f) Processing on the basis of legitimate interest

Insofar as the processing is carried out to protect a legitimate interest of us or a third party and their interests or fundamental rights and freedoms do not outweigh the first-mentioned interest, Art. 6 (1) p. 1 lit. f DS-GVO serves us as the legal basis for the data processing. Our legitimate interest arises in particular from the following reasons:

  • The proper implementation and optimization of the application process.
  • Assertion, exercise or defense of legal claims
6. Data recipients

Within Next Matter GmbH, only those persons and positions (e.g. People department, hiring management, interviewers) receive your personal data that need them to fulfill their respective tasks and contractual and legal obligations.

We may engage external service providers who act exclusively on our behalf in accordance with Art. 28 GDPR and are not permitted to process data for their own purposes, and may transfer personal data for these purposes to the external service providers, for example assessment centers, recruiters and personnel consultants, external consultants in the case of an aptitude diagnostic procedure, lawyers in the event of a dispute, if applicable.

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding corporate rules or EU standard contractual clauses) are in place.

Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.

Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.

7. Retention period

Upon your express consent, we will retain your data beyond the end of a specific application process for a period of 12 months so that we can contact you later if you are considered for another position (inclusion in our “applicant pool”). If you apply for another position, the period starts again. Before the period expires, we will contact you by email to ask whether you agree to further storage. The legal basis for this data retention is Art. 6 para. 1a GDPR.

You can withdraw your consent to be included in the applicant pool at any time, e.g. by sending an e-mail to info@nextmatter.com.

We delete your data as follows:

  • If you have registered in our applicant pool, automatically after 12 months or before if you withdraw your consent; however, in connection with a specific application not before completion of the application process;
  • If you have not registered in our applicant portal, after completion of the application process.

An application process is completed when the period has expired in which lawsuits for violation of the AGG (Allgemeines Gleichbehandlungsgesetz, German General Equal Treatment Act) can still be expected (usually six months after the rejection has been sent, if no lawsuit or assertion according to § 15 para. 4 AGG has been received by then).

If your application is successful, your data will be transferred to the personnel file, insofar as this is necessary and permissible. Separate information on the processing of your personal data on the basis of employment relationship has been provided in our Privacy Policy for Employees. Processing based on legitimate interest – Art. 6 Para. 1f GDPR.

8. Rights of the data subject, right to lodge complaints, right to object

In addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).

You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, E-Mail: mailbox@datenschutz-berlin.de

Privacy Policy for the processing of employee data

We would hereby like to inform you about the processing of your personal data by Next Matter GmbH as your employer and the rights to which you are entitled under data protection law.

1. Name and contact details of the responsible party

Responsible for the data processing and “controller” in terms of the GDPR is:

Next Matter GmbH,

Gormannstraße 14,

10119 Berlin,

Germany

E-mail: info@nextmatter.com

www.nextmatter.com

2. Contact details of the data protection officer

The designated data protection officer is:

DataCo GmbH

Sandstraße 33,
80335 Munich,

Germany

Phone: +49 (0) 89 7400 458 40

E-mail: datenschutz@dataguard.de

www.dataguard.de

3. Data processed in relation to employment relationships

The categories of personal data processed include:

  • your personal details, for example your name, date of birth, gender, marital status, nationality, personal contact details, identification documentation;
  • professional qualifications and any personal data contained in your CV plus cover letter and references etc.;
  • work-related details, for example work contact details (corporate email address and telephone numbers), staff number, photograph, job title, job description, reporting lines, primary work location and other terms and conditions of your employment;
  • remuneration and benefits data, for example, details of your pay and benefits package, bank account details, social security number, tax information and third party benefit recipient information;
  • leave data, for example your holiday, sickness and family related leave records;
  • incapacity data, for example, any personal data contained in your absence records, medical forms, reports or certificates and records relating to accommodations or adjustments of your workplace or in relation to an operational integration management (“Betriebliches Eingliederungsmanagement”);
  • health and workplace safety data, for example from audits, risk assessments and accident reports;
  • training and development data, performance appraisals, training carried out or training needs;
  • monitoring data, for example identifiable images contained in CCTV footage, system and building login and access records;
  • nformation on the use of business applications or equipment, for example login data, itemized bills for company phones.

Your personal data is generally collected directly from you as part of the recruitment process or during the employment relationship.

It is also possible that we receive personal data from a third party, for example from clients through a feedback program, training providers and trainers about your participation in trainings, travel service providers in the context of creating travel plans.

In certain circumstances, your personal data will also be collected from third parties due to legal requirements. This includes, in particular, event-related queries of tax-relevant information from the relevant tax office and information about periods of incapacity for work from the relevant health insurance. In addition, we may have received data from third parties (e.g. job placement agencies).

4. Purpose of data processing

We process your personal data for recruitment decisions, establishing, performing and terminating the employment relationship. This will include the following purposes:

  • recruitment decisions;
  • payment of your salary and provision of benefits such as bonuses;
  • identification of training and development needs;
  • performance evaluations and talent development;
  • granting IT and building access rights;
  • documentation of working hours;
  • ensuring health and safety at work and report on incidents;
  • responding to any concerns that may arise in the course of your employment;
  • termination of employment;
  • enforcement of and defense against legal claims.

We do not perform any automated decision-making - including profiling - to bring about a decision on the establishment, performance or termination of an employment relationship.

5. Legal basis for data processing

We process your personal data based on the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws (e.g. BetrVG, ArbZG, etc.).

a) Processing for the performance of the employment contract

Primarily, our data processing serves the purpose of establishing, performing and terminating the employment relationship. The primary legal basis for this is § 26 (1) BDSG in conjunction with. Art. 6 par (1)(b) GDPR.

b) Processing for compliance with legal obligations

We also process your data in order to fulfill our legal obligations as an employer, in particular in the area of tax and social security law. This is based on Art. 6 (1)(c) GDPR in conjunction with § 26 BDSG.

c) Processing on the basis of legitimate interest

In individual cases, we process your data in order to protect legitimate interests of us or of third parties (e.g. authorities). This applies in particular to the investigation of criminal offences (legal basis Art. 6 (1)(f) GDPR in conjunction with § 26 para. 1 p. 2 BDSG).

d) Processing on the basis of collective agreements

The processing is justified if provided for in a collective agreement or a works agreement (Article 88 GDPR, Sec. 26 (1) FDPA).

e) Processing on the basis of consent

If the processing of your data in individual cases is based on consent pursuant to Art. 6 (1)(a) GDPR, you have the right to revoke the consent at any time with effect for the future. In the event of revocation of your consent, a data processing operation may still be permissible on the basis of a legal provision, such as one of the aforementioned.

Processing of special categories of personal data

a) Processing for compliance with legal obligations

Insofar as special categories of personal data are processed pursuant to Art. 9 (1) GDPR, this serves the exercise of rights or the fulfillment of legal obligations from labor law, social security law and social protection within the framework of the employment relationship (e.g. disclosure of health data to the health insurance, recording of severe disability due to additional leave and determination of the severely disabled levy). This is done on the basis of Art. 9 (2)(b) GDPR in conjunction with § 26 (3) BDSG.

b) Processing on the basis of consent

In addition, the processing of special categories of personal data may be based on consent pursuant to Art. 9 (2)(a) GDPR in conjunction with § 26 (2) BDSG (e.g., company health management). You have the right to revoke the consent at any time with effect for the future. In the event of revocation of your consent, a data processing operation may still be permissible on the basis of a legal provision, such as one of the aforementioned.

If we want to process your personal data for a purpose not mentioned above, we will inform you in advance.

6. Data recipients

Within Next Matter GmbH, only those persons and positions (e.g. People department, management, supervisors) receive your personal data that need them to fulfill their respective tasks and contractual and legal obligations.

In addition, we sometimes use external service providers to fulfill our contractual and legal obligations. The contractors and service providers we use act exclusively on our behalf in accordance with Art. 28 GDPR and may not process data for their own purposes.

In addition, we may transfer your personal data to other recipients to the extent necessary to fulfill our contractual and legal obligations as an employer, in particular:

  • entities in order to be able to pay out the asset-related benefits,
  • bank of the employee (SEPA payment medium),
  • acceptance offices of the health insurance companies,
  • pension insurance institutions, data service for professional pension institutions,
  • clearing office of the tax office (ELSTAM reports and wage tax certificates),
  • offices to be able to guarantee claims from occupational pension schemes,
  • (Family) courts in the event of an ordered pension equalization in the case of a divorce,
  • third-party debtors in the event of wage and salary garnishments,
  • insolvency administrators in the event of private insolvency,
  • tax consultants, auditors and lawyers,
  • other bodies to whom declarations must be made on the basis of statutory obligations.

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding corporate rules or EU standard contractual clauses) are in place.

Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.

Since 11 July 2023, there has been an adequacy decision for the USA in accordance with Art. 45 para. 3 GDPR for certified providers. We would like to point out that data transfer involves the above mentioned risks despite the existence of an adequacy decision.

7. Retention period

We delete your personal data as soon as it is no longer required for the above-mentioned purposes. After termination of the employment relationship, your personal data will be stored as long as we are legally obliged to do so. This regularly results from legal obligations to provide proof and to retain data, which are regulated, among other things, in the German Commercial Code and the German Fiscal Code. The storage periods are then regularly ten years.

In addition, personal data may be retained for the period during which claims can be asserted against us (statutory limitation period of three or up to thirty years). In addition, the data required for the company pension benefits will be processed until the end of your claims and will also be stored thereafter for as long as we are legally obliged to do so for the above reasons.

8. Rights of the data subject, right to lodge complaints, right to object

In addition to the right to revoke your consent given to us, if applicable, you have the right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).

You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, E-Mail: mailbox@datenschutz-berlin.de

Get operations strategy and automation hacks delivered to your inbox – every week!
Subscribe to the Next Matter blog
We've added you to the Next Matter newsletter!
Oops! Something went wrong while submitting the form.
Platform
Product OverviewIntegrationsUse CasesPricingSecurity & PrivacySystem Status
Customers
IndustriesCustomer Stories
Resources
CX PodcastBlogExternal link icon
Help Center
External link icon
FAQ
External link icon
API Documentation
Company
About usCareersCareers FAQNewsSend an email
ImprintTerms of ServicePrivacy PolicyData Processing
©2025 Next Matter GmbH. All rights reserved.
LinkedIn logoXing logo