NOTICE ON PROCESSING APPLICANTS' PERSONAL DATA
ARTICLES 13 & 14 OF EU GDPR REGULATION 2016/679
Metal Work Sverige AB, with registered office at Modemgatan 7 - 235 39 Vellinge - Sweden - Tel. 040 42 07 00 - VAT SE556333564401 VAT number 03472820178, email: email@example.com, in its capacity as Data Controller, recruits personnel in accordance with an equal opportunities policy that complies with legislation.
Data collection methods and categories
The Data Controller collects and processes personal contact details relating to employment and previous experience, professional qualifications, the contractual agreement and background, such as forename, surname, date and place of birth, tax code, address, gender, telephone numbers, educational qualifications, work experience and anything else applicants include in their CV.
The personal data is provided by applicants via delivery in person, post, e-mail, on forms on the company website, or via other parties, such as recruitment agencies and job centres, in order to obtain employment in the Data Controller's organisation.
People may apply as follows:
- voluntary application;
- responding to staff recruitment drives published by the Data Controller or via recruitment agencies, job centres, in newspapers or other national and foreign publications;
- responding to job vacancies displayed on the company website.
Data processing strictly involves purely personal data concerning requirements, aims and actions relating to staff recruitment.
Data subjects should not therefore provide specific categories of data, such as data that reveals political, philosophical or religious beliefs, membership of unions or political parties, state of health or sexual orientation, genetic or biometric data, unless strictly related to seeking employment (e.g. as a member of a protected category for the purposes of recruitment).
Purposes and legal basis for processing
The sole aim of processing the personal data is to seek, assess and select personnel for the company. If necessary, data will be processed if a right needs to be ascertained, exercised or defended in legal proceedings.
Providing personal data is necessary for staff recruitment activities, and targeted/compulsory employment procedures. Refusing to provide the data will prevent the Data Controller from carrying out these activities, making it impossible to consider such an application.
The legal basis is the need to execute contracts or carry out precontractual activities involving data subjects.
Data processing methods
Personal data will be processed in line with principles of fairness, lawfulness and transparency. We guarantee that data processed will be sufficient, pertinent and not excessive with regard to meeting the purposes of the processing (data minimisation principle).
Data will be processed manually on paper and electronically with tools designed to guarantee data security and confidentiality, in accordance with the requirements of the GDPR.
Processing may be carried out using automated tools designed to store, manage and transmit the data, in accordance with the regulations.
Your data will be processed via the collection, logging, organisation, structuring, storage, modification, extraction, consultation, use, transmission, circulation of the data, or any other type of distribution, comparison, interconnection, restriction, deletion or destruction operations.
The Data Controller will use suitable security measures to ensure the confidentiality, integrity and availability of your personal data, and require third-party suppliers and data processors to adopt similar security measures.
Personal data will be stored in paper, electronic and remote archives situated in countries where the GDPR applies (EU countries).
Storage and destruction timescales
Personal data will be processed for 12 months, after which it will be destroyed using secure destruction methods (overwriting, wiping, document shredding).
In the event of legal defence requirements, personal data will be stored for the duration of the proceedings, until the timescales for appeal proceedings and/or legal protection have lapsed.
Your personal data will not be circulated, and will only be processed by employees from company departments appointed and authorised to carry out the aforementioned purposes, who will receive suitable work instructions. Data may also be communicated to third parties in their capacity as individual or joint Data Controllers, or external data processors in accordance with article 28 of the GDPR, under a specific contract containing the processing methods and security measures to be adopted when handling and storing personal data for which the company is the Data Controller.
Transfer of data to countries outside the EU:
Your data will not be transferred to countries outside of the EU.
Rights of data subjects (articles 15-22 of the GDPR)
At any time you have the right to obtain confirmation of the existence of your personal data, understand its origin, check its accuracy or ask for it to be supplemented, updated or amended.
To do this please submit a request in writing, with the date and your signature, and send it by e-mail or registered post with acknowledgement of receipt.
We will respond to your request within one month, except in particularly complex cases, when a response could take up to a maximum of 3 months. We will however provide an explanation if a longer response time is expected, within one month of receiving your request.
The outcome will be sent in writing or electronically. If you request an amendment, deletion or restriction of processing, we undertake to communicate the outcome of your request to each of the recipients of your data, except where this is impossible or requires disproportionate effort.
We remind you that withdrawing consent will not affect the legitimacy of the processing based on consent given prior to the withdrawal request.
With regard to processing the aforementioned data, you have the right to obtain the following:
- confirmation of the existence of your personal data, its communication in an intelligible format, understanding of its origin, and the logic at the basis of its processing;
- deletion of your personal data within a reasonable timescale, its transformation to make it anonymous, or block data processed in breach of legislation;
- have data updated, supplemented or amended;
- confirmation that the operations referred to in 2) and 3) above were made known to parties to whom the data was communicated, except where this is impossible or involves disproportionate methods;
- to have your personal data amended or deleted, or its processing restricted;
- the right to withdraw consent to processing which is optional and is not related to executing the contract agreed with the Data Controller.
You also have the right to object to your data being processed, even if it is relevant for the purpose it was collected, request data portability, exercise your right to be forgotten, and to contact legal authorities and the Supervisory Authority for the protection of personal data to report any alleged breach. For Sweden it is the Swedish Data Protection Authority, by www.datainspektionen.se.
Automated decision-making processes:
The Data Controller does not use automated decision-making processes, including profiling defined by the GDPR as any type of automated data processing to use the data to assess personal aspects relating to individuals, in particular for analysing or predicting aspects relating to professional performance, financial situation, health, personal preferences, interests, reliability, conduct, location or movements regarding these individuals.