Job applicant Privacy Notice

This Privacy Notice explains how we collect, use, store and protect personal data about candidates in connection with recruitment.

Last updated June 2022

Personal data means any information that can, directly or indirectly, identify you. This means that both information that can directly identify you, such as your name, and information that can indirectly identify you, such as your address, are personal data.

Who is the data controller for the processing of your personal data?

The NCC company that is recruiting for the position is responsible for the use of your personal data. In this Notice "we", "us" and "our" refer to the relevant company that is responsible for the use of your personal data.

Where do we collect personal data from?

We collect personal data from the following sources:

  • Yourself. We collect the personal data you provide to us in your application and CV.
  • Reference persons. We normally carry out reference checks as a part of the recruitment process and collect the personal data that reference persons share with us about you.
  • Group companies. The companies within the NCC group cooperate with each other and can share personal data with each other.
  • Publicly available sources. We can also collect personal data about you from publicly available sources.
  • Recruitment agencies. Where applicable, we use various recruitment agencies to help us recruit for certain positions, and in such cases we collect the personal data that they share with us.

What personal data do we process about you?

We only process the information that we need depending on the position you have applied for and how you interact with us. We process and use the following categories of personal data:

  • Contents of communications with us, e.g., e-mails.
  • Identity information. Information that makes it possible to identify you, such as your name and, where applicable, social security number or equivalent.
  • Contact information. Personal data which makes it possible to contact you.
  • Information on qualifications. Personal data about your qualifications such as education, work experience, professional certifications and driver’s license.
  • Profile information. Information regarding your profile, for example your gender and age, current position, employment history with NCC or other employers.
  • Test information. Personal data from test results that you have completed as a part of the recruitment process, e.g., type of test, date of test and test result.

How do we protect your personal data?

We take steps to ensure that the personal data we process is always protected and that our processing of it is in accordance with the applicable data protection rules and our internal guidelines and procedures. Information security and ensuring appropriate protection of personal data are vital for us. We strive to implement security measures according to the international standard security framework ISO 27000 to set an appropriate level of protection of information and to prevent and detect disclosure of personal data to unauthorized parties.

With whom do we share your information?

When necessary, we share your personal data with different recipients for different reasons. Which recipients we share your personal data with depends on how you interact with us. Unless we have stated otherwise below, the recipient is responsible for its own use of your personal data.

Service providers

To process personal data for the purposes described in this Notice, we share personal data with service providers that we have engaged. These service providers provide, for example, IT services to us. When the service providers process personal data on our behalf, they act as data processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.

Recruitment agencies

Where we use recruitment agencies to manage the recruitment process, we share personal data with them for the same purpose. To the extent they act as data processors for us, we are responsible for the processing of your personal data.

Purpose: Manage the recruitment process

Personal data:
  • Communication
  • Contact information
  • Identity information
  • Information regarding qualifications

Legal basis: Legitimate interest. To the extent that you have not requested a specific measure the processing is necessary in order to satisfy our legitimate interest of managing the recruitment process.

Background check agencies

When we use background check agencies to carry out background checks (see above), we share your basic information with them in order for them to carry out the background check and report the result back to us. The result from the background check is retained for only 14 days after the result has been communicated to the candidate.

Purpose: Identification of you in connection with background checks

Personal data:
  • Identity information

Legal basis: Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of getting help with carrying out background checks.

Group Companies

Companies within the NCC group collaborate with each other and therefore we may share personal data between them.

Purpose: Communication between employees

Personal data:
  • Communication
  • Contact information
  • Identity information
  • Information on qualifications
  • Profile information

Legal basis: Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of our employees.

Other recipients

If needed, we share your personal data with other recipients for the following purposes:

  • to manage a merger or sale of the business,
  • to manage and defend legal claims and rights,
  • to fulfil legal obligations,
  • to respond to a request, and
  • to protect and ensure the safety of our staff.

Purpose: Manage a merger or sale of the business
Personal data: Only the personal data that is necessary for this purpose is shared with the recipient.
Legal basis: Legitimate interest. The processing is necessary in order to satisfy our and the buyer's legitimate interest of completing the sale or merger.

Purpose: Establish, exercise and defend legal claims
Personal data: Only the personal data that is necessary for this purpose is shared with the recipient.
Legal basis: Legitimate interest. The processing is necessary in order for us to satisfy our legitimate interest of establishing, exercising and defending legal claims.

Purpose: Fulfil legal obligations
Personal data: Only the categories of personal data needed for fulfilling the legal claim in the individual case.
Legal basis: Legal obligation. The processing is necessary to fulfil legal obligations, e.g. in the area of employee co-determination rights.

Purpose: Respond to a request
Personal data: Only the personal data that is necessary for this purpose is shared with the recipient.
Legal basis: Legitimate interest or to fulfil a legal obligation. To the extent that we are obligated to respond to a request, personal data is used to fulfil this legal obligation. Otherwise, the processing is based on a balance of interests where it is necessary to satisfy our and the requester's legitimate interest in responding to the request.

Where do we process your personal data?

We always strive to process your personal data within the EU/EEA area, but your personal data may in some cases be transferred to and processed in a country outside the EU/EEA area by our service providers. In these cases, a data protection agreement is used to protect and safeguard the personal data transferred. We will ensure that there are adequate safeguards in place to protect your personal data in light of the laws of the receiving country. Normally we rely on the EU Commission's Standard Contractual Clauses for transfers of personal data to recipients outside the EU/EEA.

Information about the countries to which we, where appropriate, transfer your personal data and the safeguards implemented can be obtained upon request.

How long do we store your personal data?

We store your personal data only as long as we need to in order to fulfil our purpose for processing it and to meet any applicable legal requirement. We will then safely erase or anonymise your data so that it can no longer be linked to you. The main principles we apply when assessing the retention period for personal data are:

  • the period during which the recruitment process is ongoing,
  • the period we need to retain personal data in order to fulfil legal requirements (e.g. in the area of employee co-determination),
  • the period during which personal data may be needed in order to establish, exercise and defend legal claims (i.e. with reference to statutory and other periods of limitation) and
  • the period during which we have another legitimate business purpose to store the personal data (e.g. to evaluate the recruitment process).

Personal data processed in background checks will only be processed during the recruitment process and will not be documented or stored.