Information on the Processing of Personal Data
in Connection with Recruitment
It is important to us that you feel safe in how we handle your personal data. Therefore, we take various measures to ensure that your personal data is protected during the time we manage it. In this privacy notice, you will find details on how we handle personal data in connection with a recruitment process.
SECTIONS
WHO IS RESPONSIBLE FOR HANDLING YOUR PERSONAL DATA?
WHO DOES THIS PRIVACY NOTICE APPLY TO?
WHAT PERSONAL DATA DO WE COLLECT?
WHERE DO WE COLLECT PERSONAL DATA FROM?
WHERE DO WE STORE PERSONAL DATA?
Who is responsible for handling your personal data?
Elfa International AB, company registration number 556516-2012, ("we," "our," "us") is the data controller responsible for the processing of your personal data in connection with the recruitment process.
Contact Information
Elfa International ABLilla Nygatan 7, 211 38 Malmö
dataprotectionofficer@elfa.com
Who does this privacy notice apply to?
This privacy notice is intended for candidates (those applying for a position with us) and potential reference persons, i.e., those whom the candidate has provided as references.
What personal data do we collect?
We only collect information necessary for conducting the recruitment process. The type of data collected depends on the position applied for, your communication preferences with us, and whether you are a candidate or a reference person.
We collect and process the following categories of personal data:
- Contact Information: Details for contacting you, such as your name, phone number, email address, or home address.
- Identification Information: Data used to identify you, such as name or photograph.
- CV Information: Details about your qualifications, including education, level of education, grades, work experience, skills, certifications, and language proficiency.
- Profile Information: Information about your profile, including gender, age, marital status, and details about current and previous employers.
- Communication and Meetings: Information from communication with us, such as details in email messages and notes from job interviews.
- Test Data: Information from personality tests and skill assessments, including results and the timing of the tests.
We do not have a need to process sensitive personal data (e.g., information revealing ethnicity, political opinions, religion, or health). If you choose to share such data with us as part of the recruitment process (e.g., in your cover letter or CV), we will process it with appropriate security measures to uphold your fundamental rights and interests.
Where do we collect personal data from?
The source of your personal data depends on whether we conduct the recruitment process internally or engage a recruitment agency.
Most of the necessary and relevant personal data for the recruitment process is collected directly from you. We also collect data from the reference persons you have provided in your application and, if applicable, from others providing information about you.
In some cases, we may use publicly available sources such as public registers and social media platforms to gather information in connection with a recruitment process.
When we engage a recruitment agency to handle all or parts of the recruitment process, we also collect personal data shared by the recruitment agency.
How do we use personal data?
The collected personal data is used to conduct the recruitment process, evaluate and follow up on it, and to comply with legal requirements and regulations in the field. The following section provides an overview of how we use personal data in various situations related to recruitment. For a more detailed description, we refer to the table at the end of this privacy notice.
Please note that not all the processing activities listed below may apply to you. Our need to process personal data depends on the position applied for, your communication preferences, and whether you are a candidate or a reference person.
Performing Background Checks: For certain positions, we may conduct background checks. Ask us if you want to know more about this process.
Conducting the Recruitment Process: We use your personal data to manage the recruitment process, such as receiving and reviewing your application documents (e.g., CV and cover letter), evaluating the application, and communicating during the recruitment process.
Reference Checking: We process personal data in connection with reference checks within the framework of a recruitment process, such as communicating and collecting your opinion about the candidate.
Personality and Skill Tests: As part of the recruitment process for certain positions, we conduct personality and skill tests. If applicable, we will inform you separately and request your consent.
Monitoring and Evaluating the Recruitment Process: We use your personal data to evaluate and follow up on the recruitment process, such as comparing different candidates or generating statistics on the number of applications per position.
Managing Legal Claims: We use your personal data when necessary to manage legal claims, such as in connection with legal proceedings. For this purpose, we may share certain information with other recipients, as detailed below.
Fulfilling Legal Obligations: In some cases, we need to process personal data to fulfill a legal obligation, such as the Employment Protection Act (1982:80 “LAS”) and the Discrimination Act (2008:567).
Where do we store personal data?
We always strive to process your personal data within the EU/EEA. If it becomes necessary to transfer your personal data, we will ensure the protection of your data as described below.
For transfers to the USA, either (i) adequacy decisions from the EU Commission for third parties that have joined the EU-US Data Privacy Framework (available [here](article 45 in GDPR)), or (ii) EU Commission's standard contractual clauses (available [here](article 46 in GDPR)) are applied for other third parties in the USA. For transfers to other countries outside the EU/EEA, we include EU Commission's standard contractual clauses (available [here](article 46 in GDPR)). We take additional technical and organizational security measures as needed, such as encryption and pseudonymization.
Who do we share personal data with?
General
To conduct the recruitment process and comply with laws and regulations, we sometimes need to share your personal data with others. Below is an overview of the actors with whom we share your personal data.
Suppliers and Partners
To carry out the recruitment process and fulfil our legal obligations, we share your personal data with our suppliers and partners:
IT Suppliers:
Companies managing essential operations, technical support, and maintenance of our IT solutions may, in certain situations, access your personal data during their work.
Suppliers and Partners:
e.g., providers of services/systems used in the recruitment process, such as recruitment agencies and IT support/systems for personality and skill tests, background checks, and candidate databases. When suppliers and partners process personal data on our behalf and according to our instructions, they are data processors to us, and we are responsible for the handling of your personal data. They are not allowed to use your personal data for their own purposes, and they are obligated by law and contract with us to protect your data.
Other/External Companies and Third Parties
We may also share your personal data with other companies and third parties:
Trade Unions: For example, to fulfill legal obligations and manage and respond to legal claims (e.g., in case of a dispute or legal process).
Government Authorities: e.g., the Police, the Swedish Authority for Privacy Protection (IMY), and other authorities when required by law or in case of suspected crime/violation.
Courts: In case of disputes or other legal proceedings.
Other External Parties: e.g., legal advisors, banks, and auditors. Your personal data may also be disclosed to potential buyers and sellers and their advisors if necessary for a restructuring, merger, acquisition, or sale of all or part of our assets.
Your Rights
General
We always strive to process your personal data in a legal, transparent, and open manner, ensuring that your information is accurate and up-to-date. You have certain rights regarding our processing of your personal data. If you wish to exercise any of your rights, you can contact us using the contact details above.
We will respond to you as quickly as possible, and at the latest within one month, from receiving your request. If we cannot answer your request or need more time, we will explain why
You can learn more about your individual rights on the Swedish Authority for Privacy Protection's (IMY) website (www.imy.se).
Right of Access
You have the right to know if we process personal data about you. If we do, you also have the right to receive information about which personal data we process and how we process it. You also have the right to receive a copy of the personal data we process about you.
If you are interested in specific data, please specify it in your request. For example, you can specify if you are interested in a certain type of data or if you want information about data from a specific period.
Right to Rectification
If any of the personal data we process about you is incorrect, you have the right to have it corrected. You also have the right to supplement incomplete personal data with additional information needed to make the data accurate. After we have corrected or supplemented your personal data, we will inform those to whom we have disclosed your data about the updated information, provided it is not impossible or too burdensome. If you request it, we will also inform you about those to whom we have disclosed your data.
Right to Erasure (Right to be Forgotten)
- In certain cases, you have the right to request that we delete the personal data we have registered about you. You have the right to have your data deleted if:
- The data is no longer needed for the purposes for which it was collected or otherwise processed.
- You object to the processing of the personal data carried out with the support of our legitimate interest, and we cannot demonstrate that our reasons for processing outweigh your interests.
- The personal data is processed unlawfully.
- We have a legal obligation to delete the personal data.
If we delete your data after you have requested it, we will also inform those to whom we have disclosed your data about the deletion, provided it is not impossible or too burdensome. If you ask us, we will also tell you about those to whom we have disclosed your data.
Right to Restriction
Restriction means that the personal data is marked so that it can only be processed for certain defined purposes in the future. The right to restriction applies:
- When you believe that the personal data is incorrect and you have requested rectification. Then you can also request that the processing be restricted while we investigate whether the data is correct or not.
- If the processing is unlawful, and you do not want the data to be deleted.
- When we no longer need to process the data for the purposes for which we collected it, but you need it to be able to establish, exercise, or defend legal claims.
- If you have objected to processing based on our legitimate interest, you can request that we restrict processing while we investigate whether our interest in processing your data outweighs your interests.
Even if you have requested a restriction on processing, we have the right to use the data for storage, to establish, exercise, or defend legal claims, or to protect someone's rights. We may also process the data for reasons related to an important public interest. When the restriction is lifted, we will inform you. If we restrict the processing of your data, we will also inform those to whom we have disclosed your data, provided it is not impossible or too burdensome. If you ask us, we will also tell you about those to whom we have disclosed your data.
Right to Object
You have the right to object to our processing of your personal data based on our legitimate interest. If you object to the processing, we will, based on your specific situation, evaluate whether our interests in processing the data outweigh your interests in not having the personal data processed for that purpose. If we cannot demonstrate compelling legitimate grounds that outweigh yours, we will cease the processing that you object to—provided that we do not need to process the data to establish, exercise, or defend legal claims.
You always have the right to object to the processing of your personal data for direct marketing purposes. In that case, we no longer have the right to process your personal data for direct marketing. If you object to the processing, you also have the right to request restriction while we investigate the matter.
Right to Withdraw Consent
If we process your personal data based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out before the consent was withdrawn.
Right to Data Portability
Data portability means that you have the right to receive the data we have collected about you, from you, in a structured, commonly used, and machine-readable format. You also have the right to transfer this to another data controller. The right to data portability only applies to data:
- Collected from you, about you.
- If the use is to fulfil a contract with you or is based on your consent.
- If the processing is automated.
Right to Lodge a Complaint
Please, contact us if you are dissatisfied with how we process your personal data, and together we can try to resolve your issue (see our contact details above).
You also have the right to lodge a complaint with the supervisory authority. The Swedish Authority for Privacy Protection (IMY) is the Swedish supervisory authority for our use of your personal data. You also have the right to file a complaint with the supervisory authority in the country where you reside or work or in the country where you believe a violation of the regulations has occurred.
Changes to the privacy notice
We reserve the right to change and update the privacy notice regularly. In the case of significant changes, we will inform you appropriately.
Why are we processing personal data? |
Categories of personal data |
Legal basis for processing |
Retention period |
Perform background checks
|
|
Legitimate interest The processing of personal identification numbers is necessary for the current purpose, i.e., to ensure your identity during the execution of a background check through our background check service provider. |
Information about the background check itself is not retained. Information indicating that a background check has been conducted is retained as long as the person is employed or, if employment does not become applicable, for a maximum of two years after the completion of the background check. |
Conduct the recruitment process |
|
Fulfillment of contract Legitimate interest |
The personal data is stored for a maximum of two years after the completion of the recruitment process. |
Personality and skills tests |
|
Legitimate interest |
The personal data is stored for a maximum of two years after the completion of the recruitment process to meet our legitimate interest in defending ourselves against potential legal claims. |
Handling legal claims |
The data that is necessary to handle the legal claim. |
Legitimate interest |
The personal data is retained for the duration necessary to handle the legal claim. |
Fulfil legal obligations |
The data that is necessary to handle the legal claim. |
Fulfil legal obligations |
The personal data is retained for the duration necessary to fulfill the legal obligation. |
Future recruitment |
|
Legitimate interest The processing of personal identification numbers is necessary for the current purpose, i.e., to contact you in the future with job offers and ensure your identity. |
The personal data is retained for a period of one year after the completion of the recruitment process and thereafter for the duration you have approved. |