Job applicant Privacy Notice
This Privacy Notice explains how we collect, use, store and protect personal data about candidates in connection with recruitment.
Last updated June 2022
Personal data means any information that can, directly or indirectly, identify you. This means that information that can directly identify you, such as your name. and information that can indirectly identify you, such as your address, is personal data.
Who is the data controller for the processing of your personal data?
The NCC company that is recruiting for the position is responsible for the use of your personal data. In this Notice "we", "us" and "our" refer to the relevant company that is responsible for the use of your personal data.
Where do we collect personal data from?
We collect personal data from the following sources:
- Yourself. We collect the personal data you provide to us in your application and CV.
- Reference persons. We normally carry out reference checks as a part of the recruitment process and collect the personal data that reference persons share with us about you.
- Group companies. The companies within the NCC group cooperate with each other and can share personal data with each other
- Publicly available sources. We can also collect personal data about you from publicly available sources.
- Recruitment agencies. We use, when applicable, various recruitment agencies to help us recruit for certain positions and we collect, in such a case, the personal data that they share with us.
What personal data do we process about you?
We only process the information that we need depending on the position you have applied for and how you interact with us. We process and use the following categories of personal data:
- Contents of communications with us. e.g., e-mails
- Identity information. Information that makes it possible to identify you, such as your name and, where applicable, social security number or equivalent.
- Contact information. Personal data which makes it possible to contact you.
- Information on qualifications. Personal data about your qualifications such as education, work experience, professional certifications and driver’s license.
- Profile information. Information regarding your profile, for example your gender and age, current position, employment history with NCC or other employers.
- Test information. Personal data from test results that you have completed as a part of the recruitment process, e.g., type of test, date of test and test result.
For what purposes do we process your personal data and what is the legal basis for it?
We process personal information of applicants for the overall purposes described in this section. Please not that not all processing activities may apply to you, it might vary depending on how you interact with us and what position you have applied for.
Manage the recruitment process.
We use personal data to manage the recruitment process for example to collect and review your application (including resume and cover letter) and to evaluate your application and communicate with you during the recruitment process.
Personal data |
Legal basis |
|
Performance of a contract. The processing is necessary to take steps at your request prior to entering into a potential employment agreement. Legitimate interest. To the extent that you have not requested a specific measure the processing is necessary in order to satisfy our legitimate interest of managing the recruitment process. Processing of your personal identification number is necessary for the purpose in question, i.e. to manage the recruitment process and to verify your identity. |
Carry out reference checks
We use personal data for candidates and reference persons to carry out reference checks, for example to communicate and verify the candidate's qualifications and learn more about the candidate's background, experience, and skills.
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of contacting you in in order to obtain an opinion about the candidate in connection with the recruitment process. |
Carry out pre-employment tests
Where applicable, we carry out pre-employment tests (for example screening tests) as a part of the recruitment process. If pre-employment tests are necessary, we will inform you of this and obtain your approval to participate in such checks and tests.
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of carrying out and assessing the results of pre-employment tests. |
Evaluating background checks results
We receive and evaluate the results from background checks carried out by external background check agencies. The background check will include different verification points depending on the position you have applied for. The legal basis for the processing is our legitimate interest of receiving and analyzing results from background checks.
The background check agency will inform you in detail of the sources for the personal data. NCC and the background check agency will ask for your approval for such background checks to be carried out.
Follow up and evaluate the recruitment process
We use personal data to follow-up on and evaluate the recruitment process, for example to create reports and statistics on the number of applicants for a position. Information around the candidate experience can be collected through a voluntary survey.
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of following-up and evaluating the recruitment process. |
Establish, exercise and defend legal claims
If needed, we use your personal data to establish, exercise and defend legal claims for example in connection with a dispute or court proceeding. For this purpose, we will share personal data with various recipients, please see below.
Personal data |
Legal basis |
Only the categories of personal data needed for managing and defending a legal claim in the individual case. |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of establishing, exercising and defending legal claims. |
Fulfil legal obligations
We use personal data, if needed, to fulfil legal obligations and to comply with law, for example to satisfy employment and data protection obligations.
Personal data |
Legal basis |
Only the categories of personal data are necessary for fulfilling the relevant legal obligation. |
Legitimate interest. The processing is necessary in order to fulfil legal obligations that we are subject to. |
How do we protect your personal data?
We take steps to ensure that the personal data we process is always protected and that our processing of it is in accordance with the applicable data protection rules and our internal guidelines and procedures. Information security and ensuring appropriate protection of personal data is vital for us. We strive to implement security measures according to the international standard security framework ISO 27000 to set appropriate level of protection of information and to prevent and detect disclosure of personal data to unauthorized parties.
With whom do we share your information?
When necessary, we share your personal data with different recipients for different reasons. Which recipients we share your personal data with depends on how you interact with us. Unless we have stated otherwise below the recipient is responsible for its own use of your personal data.
Service providers
To process personal data for the purposes described in this Notice, we share personal data with service providers that we have engaged. These service providers provide, for example, IT services to us. When the service providers process personal data on our behalf, they act as data processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.
Recruitment agencies
Where we use recruitment agencies to manage the recruitment process, we share personal data with them for the same purpose. To the extent they act as data processors for us, we are responsible for the processing of your personal data.
Purpose |
Personal data |
Legal basis |
Manage the recruitment process |
|
Legitimate interest. To the extent that you have not requested a specific measure the processing is necessary in order to satisfy our legitimate interest of managing the recruitment process. |
Background check agencies
When we use background check agencies to carry out background checks (see above), we share your basic information with them in order for them to carry out the background check and report the result back to us. The result from the background check is only retained 14 days after communicated result to the candidate.
Purpose |
Personal data |
Legal basis |
Identification of you in connection with background checks |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of getting help with carrying out background checks. |
Group Companies
Companies within the NCC group collaborate with each other and therefore we may share personal data between them.
Purpose |
Personal data |
Legal basis |
Communication between employees |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of our employees. |
Other recipients
If needed, we share your personal data with other recipients for the following purposes:
- to manage a merger or sale of the business,
- to manage and defend legal claims and rights,
- to fulfil legal obligations,
- to respond to a request, and
- to protect and ensure the safety of our staff.
Purpose |
Personal data |
Legal basis |
Manage a merger or sale of the business |
Only the personal data that is necessary for this purpose is shared with the recipient. |
Legitimate interest. The processing is necessary in order to satisfy our and the buyer's legitimate interest of completing the sale or merger. |
Establish, exercise and defend legal claims |
Only the personal data that is necessary for this purpose is shared with the recipient |
Legitimate interest. The processing is necessary in order for us to satisfy our legitimate interest of establishing, exercising and defending legal claims. |
Fulfil legal obligations |
Only the categories of personal data needed for fulfilling the legal claim in the individual case. |
Legal obligation. The processing is necessary to fulfil legal obligations, e.g. in the area of employee co-determination rights. |
Respond to a request |
Only the personal data that is necessary for this purpose is shared with the recipient. |
Legitimate interest or to fulfil a legal obligation. To the extent that we are obligated to respond to a request, personal data is used to fulfil this legal obligation. Otherwise, the processing is based on a balance of interests where it is necessary to satisfy our and the requester's legitimate interest in responding to the request. |
Where do we process your personal data?
We always strive to process your personal data within the EU/EEA area, but your personal data may in some cases be transferred to and processed in a country outside the EU/EEA area by our service providers. In these cases, a data protection agreement is used to protect and safeguard the personal data transferred. We will ensure that there are adequate safeguards in place to protect your personal data in light of the laws of the receiving country. Normally we rely on the EU Commission's Standard Contractual Clauses for transfers of personal data to recipients outside the EU/EEA.
Information about the countries to which we, where appropriate, transfer your personal data and the safeguards implemented can be obtained upon request.
How long do we store your personal data?
We store your personal data only as long as we need to in order to fulfil our purpose for processing it and to meet any applicable legal requirement. We will then safely erase or anonymise your data so that it can no longer be linked to you. The main principles for assessing the retention period for personal data we apply are:
- the period which the recruitment process in on-going,
- the period we need to retain personal data in order to fulfil legal requirements (e.g. in the area of employee co-determination),
- the period which personal data may be needed in order to establish, exercise and defend legal claims (i.e. with reference to statutory and other periods of limitation) and
- the period which we have another legitimate business purpose to store the personal data (e.g. to evaluate the recruitment process).
Personal data processed in background checks will only be processed during the recruitment process and will not be documented or stored.