Privacy Notice for recruitment
The service for handling recruitments and simplifying the hiring process (the "Service") is provided by Bisnode as Controller (see Controllership below) and using Teamtailor as a service-provider and Processor. It is important that the persons using the Service ("Users”) feel safe with, and are informed about, how we handle User's personal data in the recruitment process. We strive to maintain the highest possible standard regarding the protection of personal data. We process, manage, use, and protect User's Personal Data in accordance with this Privacy Notice.
Bisnode act as a Group of companies where the Parties are part of the same Group, owned by Bisnode AB in Sweden. The Parties have a close cooperation in product development as well as Group Functions. Since the Parties will jointly determine the purposes and means of the processing of personal data in Group Products and other Group activities (including but not limited to Group Functions), the Parties has agreed to enter into a joint controllership agreement as per GDPR article 26 meaning that Parties, jointly are considered responsible for the processing of personal data.
1. Lawfulness of processing
Bisnode collects and relies on GDPR Art 6 (1) (b) necessary for the performance of a contract (precontractual requirement) for all processing of personal data related to the application of a specific post. Where there is a requirement under employment and discrimination laws to retain Personal Data used in the recruitment process, Bisnode will rely on GDPR Art 6 (1) (c) compliance of legal obligation. Bisnode collects and relies on GDPR Art 6 (1) (a) Consent where candidates submit their CV and cover letter for Bisnode to consider in future posts.
2. Collection of personal data
Bisnode is responsible for the processing of the personal data that the Users contribute to the Service and for the personal data that we in other ways collect with regards to the Service.
When and how we collect personal data
We collect personal data about Users from Users when Users;
- Submit an application for a specific job posting through the Service or otherwise, adding personal data about themselves either personally or by using a third-party source such as Facebook or LinkedIn; and
- Use the Service to connect with us so that we may consider the applicant in a future relevant application, adding personal data about themselves either personally or by using a third-party source such as Facebook or LinkedIn.
- Provides identifiable personal data in the chat (provided through the website that uses the Service) and such data is of relevance to the application procedure;
- Bisnode can generate aggregated analysis of the usage of our recruitment tool. The information collected for aggregated analysis statistical (unidentifiable). We may collect data from third parties, such as Facebook, Linkedin and through other public sources. “Sourcing” through these channels can be done manually by our employees or automatically in the Service.
In some cases, existing employees can make recommendations about potential applicants. Employees will be able to provide personal data about such potential applicants. In such a case, the potential applicant is considered a User in the context of this Privacy Notice and will be informed about the processing.
The types of personal data collected and processed
The categories of personal data that may be collected include: names, address, telephone number, civil status, e-mails, pictures and videos, information from Facebook and LinkedIn-accounts, answers to questions asked through the recruiting, titles, education and other information that the User or others have provided through the Service. Only data that is relevant for the recruitment process is collected and processed. We ask candidates not to share with us Special Categories of Personal Data, including: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation.
Purpose and lawfulness of processing
The purpose of the collecting and processing of personal data is to manage recruiting. A review of candidate’s suitability is necessary before Bisnode can enter into an employment contract with a prospect candidate
A precontractual requirement
Bisnode will collect and process applicant’s personal data based on GDPR Art 6 (1) (b) necessary for the performance of a contract (precontractual requirement) when candidates apply for a specific post. You may ask to have your application retracted if we have not commenced the processing of your application. If your application has been reviewed, we may be required by employment and discrimination law to retain your personal data in order to prove that we have handled your application according to applicable employment and discrimination laws. Where we are required to retain your data by law, Bisnode will rely on GDPR Art 6 (1) (c) compliance of legal obligation. Your personal data will be automatically deleted according to employment and discrimination laws.
Bisnode collects and relies on GDPR Art 6 (1) (a) Consent where candidates submit their CV and cover letter for purpose of matching it against future job opportunities and offerings with in Bisnode company that we believe match your profile. We will store your data for 1 year after which, you will be requested to renew or withdraw your consent.
You have the right to contact Bisnode to withdraw your consent at any time and request Bisnode to remove the data here (LINK). Using this right may however, mean that the User can not apply for a specific job or otherwise use this part of the Service. You may also ask Bisnode to correct any faulty information or to give you a copy of the data.
Please Note that if we consider your application for a specific role, then the legal basis for processing your data changes to pre contractual as notes above. The User consents to the personal data being collected in accordance with the a) above and b) will be processed according to the below sections Storage and transfer and How long the personal data will be processed.
Storage and transfers
The personal data collected through the Service maybe stored and processed outside the EU/EEA. The data transfer is done using recommended transfer mechanisms such as Privacy Shield and EC Standard Contractual Clauses. To obtain documentation regarding such adequate safeguards, contact us using the Contact details below.
How long will Bisnode process and keep your data for
Where data is used in a recruitment process, the data is retained for as long as it is legally required by relevant employment and discrimination laws. Where we process your Personal Data based on Consent, we will renew this Consent according to the table below. We will delete your Personal Data if you object to the renewal of your Consent.
Country - Bisnode entity - Permission to keep data expires after # months
Austria - Bisnode D&B Austria GmbH and Bisnode Austria GmbH - 6
Belgium - Bisnode Belgium NV/SA and Swan Insights NV - 24
Croatia - Bisnode d.o.o. Croatia - 3
Czech Republic - Bisnode Česká republika, a.s. - 6
Denmark - Bisnode Danmark A/S - 6
Estonia - Bisnode Estonia AS - tbc
Finland - Bisnode Finland OY - 12
Germany - Bisnode Deutschland GmbH and Bisnode D&B Deutschland GmbH - 6
Hungary - Bisnode Magyarország Kft. and Bisnode D&B Magyarország Kft. - 12
Latvia - SIA Datu Serviss - tbc
Norway - Bisnode Norge AS - 12
Poland - Bisnode Polska Sp z.o.o - 3
Serbia - Bisnode d.o.o. Serbia - 3
Slovakia - Bisnode Slovensko s.r.o - 3
Slovenia - Bisnode Slovenia d.o.o - 1
Sweden - Bisnode Sverige AB and Bisnode AB - 24
Switzerland - Bisnode D&B Schweiz AG - 6
3. Users’ rights
The GDPR provides you with the following’s rights enlisted below. In accordance with GDPR, your request will be processed within 30 days of us receiving the necessary information. If your request is complex, this period can be extended by a maximum of two months, but we will inform you beforehand.
You have the right to know when your personal data is processed by us. You should be notified when your data is collected or used for the first time. You also have an ongoing right of access which means you can request information about the processing of your data whenever you want to. We will also inform you about the categories of recipients we shared your data with.
Also, in certain cases, like for example if a data breach (or similar) occurs on our end, you can expect to receive special information from us.
The information we provide to you is free of charge and in written or electronical format. It is our obligation to explain why we process your data and on what legal basis.
- (2) Right to rectification
You have the right to ask us to correct all inaccurate information about you. You also have the right to add any missing data that is relevant for us to have. We are responsible for keeping the data correct and up to date.
You have the right to request that your data are completely removed from our database in the cases listed below:
- Data is no longer needed for our purpose
- The consent for processing the data has been withdrawn by you
- Your data is used illegally
- The erasure of data is needed to meet a legal obligation
If you request your data to be deleted, we will have to inform the recipients of this data about this deletion, where applicable. You also have the right to know who we have shared your data with.
There are some exceptions to the right to erasure and the right to inform others; when it is important to protect other fundamental rights such as the freedom of speech, to meet a legal obligation, to perform a task within the public interest or in exercise of authority.
- (4) Right to restriction of processing
You have the right to request that the processing of your personal data is restricted for certain purposes. This means that, going forward, we will no longer use your data for the restricted purposes.
Right to restriction is valid, for example, when you find records that are incorrect, and you have asked us to correct these. In such cases, you have the right to require that we do not process the data while its quality is being verified.
When the data has been corrected and validated, you will be informed, and the restriction can be removed.
- (5) Right to data portability
In certain situations, your data has been provided by you directly. For this kind of data, you have the right to extract this data from our databases. At Bisnode, we very seldom collect data directly from you.
You have the right to object to certain types of data processing. If you do so, we will not be allowed to process your data unless it is required for reasons such as legal claim or tasks of public interest.
- (7) Automated decision-making, including profiling
You have the right to request not to be a part of automated decision making, including profiling. Automated decision making can be allowed if it is necessary for fulfilling an agreement between yourself and a company (our customers).
Automated decisions can be made with or without profiling. Profiling can be used without it leading to an automated decision. Profiling refers to every form of automated processing of personal data for the purpose of providing information about personal characteristics. The aim is to analyze or predict a person's work performance, reliability, behavior, city of residence or movements.
If you think that we are processing your data without the right to do so, you have the right to file a complaint to your national Data Protection Authority (DPA).
The DPA will receive your complaint and investigate what should be done in the next step. If a supervision is initiated, you will be notified within three months. In case you do not receive a notification within this time, you can turn to the court in order to require an answer.
We prioritize the personal integrity and therefore works actively so that the personal data of the Users are processed with utmost care. We take the measures that can be reasonably expected to the make sure that the personal data of Users and others are processed safely and in accordance to this Privacy Information and the GDPR-regulation.
However, transfers of information over the internet and mobile networks can never occur without any risk, so all transfers are made on the own risk of the person transferring the data. It is important that Users also take responsibility to ensure that their data is protected. It is the responsibility of the User that their login information is kept secret.
5. Transfer of personal data to third party
We will not sell or otherwise transfer Users’ personal data to third parties. We may transfer Users’ Personal Data to;
- our contractors and sub-contractors, acting as our Processors and Sub-Processors in accordance with our instructions, for the provision of the Service (for example TeamTailor platform and their sup-processor and recruitment firms);
- authorities or legal advisors in case criminal or improper behavior is suspected; and
- authorities, legal advisors or other actors, if required by us according to law or authority’s injunction.
We will only transfer Users’ personal data to third parties that we have confidence in. We carefully choose partners to ensure that the User’s personal data is processed in accordance to current privacy legislations. We cooperate with the following categories of processors of personal data; Teamtailor, who supplies the Service, server and hosting companies, e-mail reference companies, video processing companies, information-sourcing companies, analytical service companies and other companies with regards to suppling the Service.
6. Aggregated data (non-identifiable personal data)
We may share aggregated data with third parties. The aggregated data has in such instances been compiled from information that has been collected through the Service and can, for example, consist of statistics of internet traffic or the geological location from the use of the Service. The aggregated data does not contain any information that can be used to identify individual persons and is thus not personal data.
Only strictly necessary cookies are set by default.
We have the right to, at any time, make changes or additions to the Privacy Notice. The latest version of the Privacy Notice will always be available through the Service. A new version is considered communicated to the Users when the User has either received an email informing the User of the new version (using the e-mail stated by the User in connection to the use of the Service).
For questions, further information about our handling of personal data or for contact with us in other matters, please use the forms in Teamtailor, read more here or contact firstname.lastname@example.org.