To be able to complete the recruitment process between the candidate and PROSE, PROSE must process personal data about the candidate. The candidate is not obligated to share requested personal data with PROSE, but PROSE may then not be able to process the candidate’s application.
1.1 Personal data
Personal data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Example of personal data is:
• identification/social security number
• email address
• IP address
1.2 Sensitive personal data
Sensitive Personal Data are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Example of sensitive personal data is:
• personal letter
1.3 Employment law related data
Employment law related data contains data that PROSE need to collect, process, register and/or store in order to fulfil obligations and exert PROSEs rights within the countrys current (employment) laws and regulations. Example of employment law related data is:
• store CVs in order to fulfil obligations against local discrimination laws
• report information to local government agencies when requested
The term "processing" is very broad. It essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). Example of processing personal data:
1.5 Data subjects
A data subject is an identified or identifiable natural person. In this case the candidate is the data subjects because he or she can be identified through personal data that has been given to PROSE. For example, resumes may include the candidate’s names, physical addresses or phone numbers.
1.6 Data controllers
Data controllers means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. PROSE and recruiters who serve as PROSES main representatives to candidates determine the purpose of collecting candidate personal data. This makes PROSE the data controllers who is fully responsible for protecting candidate data and using it lawfully.
1.7 Data Processers
Data processer means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. This could be recruitment companies supporting PROSE in some recruitment processes and processes the candidate´s personal data in order to fulfil the recruitment processes.
1.8 Data Protection Officer (DPO)
The DPO should inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and to other Union or Member State data protection provisions.
The DPO should monitor compliance with GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
2.1 Why does PROSE need your personal data?
In order for PROSE to evaluate and consider if the candidate is relevant for an employment at PROSE, PROSE need to process the candidate´s personal data. Personal data in this context means such information that is connected to applications for employment, CV and personal letter, employment interviews with the candidate (oral and written) and information required to fulfill obligations in the context of employment law. This information includes aspects such as name, social security number, address and telephone number, previous work experience (including references, training courses and scores, period of employment, assignments, etc.).
2.2 How does PROSE keep your personal data secure?
PROSE uses IT-systems as well as recruitment- and IT-processes to keep the candidate´s personal data and integrity safe and secure against illegal and/or unauthorized processing as well as against physical and/or virtual attacks. PROSE´s employees that have access to candidate´s personal data, are the ones that need to process the personal data in order to fulfill the requirements mentioned in this policy.
2.3 How PROSE processes the personal data
PROSE will use the candidate’s application(s) in the recruitment process in order to evaluate if the candidate is a match for a job/an employment at PROSE. PROSE will only use the candidate´s personal data for this purpose. When the recruitment processes is finished (at longest 6 months), PROSE will delete all the personal data.
2.4 How long will PROSE store personal data?
The candidate´s application will be stored during the recruitment process (at longest 6 months) or in some cases/countries longer to fulfil obligations followed by the local countries employment laws and regulations. If PROSE would like to keep the application longer, PROSE will contact the candidate and ask for consent.
2.5 How will PROSE store your personal data?
PROSE always strives for your personal data to be processed within the EU/EEA and have all PROSE`s own IT systems available within the EU/EEA.
2.6 Who will PROSE share the information with?
PROSE will only share information about a candidate to data controllers and data processers that are working with us and that are compliant with GDPR. An example of data controller/processers is a recruitment consultant company.
2.7 The candidate`s right
The candidate can at any time send an email to PROSE´s Data Protection Officer (DPO) and ask to see what information PROSE has processed and stored about them. The candidate does also have the right to ask PROSE to correct data, to withdraw consent, to be forgotten, to restrict processing or be informed about processing. PROSE can only decline this demand if the reason is supported by law, regulations or because the personal data is required to be stored due to a legal matter.
2.7.1 The right for candidate data to be deleted on request
The candidate can at any time send an email to PROSE´s Data Protection Officer (DPO) and ask that their data should be deleted. PROSE has the right to say no and keep the personal data if there is a specific reason for that, for example if PROSE needs to fulfil obligations against local employment laws and regulations or because the personal data is required to be stored due to a legal matter.
2.8 The reasons why PROSE is storing your personal data
PROSE needs to store the candidate’s personal data during the recruitment process to be able to fulfil the process, for example contact the candidate, interview the candidate or call the candidate´s references. The data will be deleted when the recruitment process is finished (or latest 6 months after your application have reached PROSE).
2.9 Where the processing is based and where PROSE stores personal data
PROSE always strives for your personal data to be processed within the EU/EEA and have all our own IT systems available within the EU/EEA. However, the PROSE Group has offices in Switzerland and will transfer personal data to be processed there. Switzerland is a so called third country, i.e. a country outside of EU/EEA. The EU commission has decided that Switzerland meets the requirement for providing adequate protection. In those cases, the candidate´s personal data may be transferred to a country outside the EU/EEA, but within PROSE´s units and companies and in some cases to data controllers/processors who is working for PROSE. Regardless of the country, all employees within the PROSE Group are obligated to work according to PROSE´s recruitment- and IT -processes in order to protect the candidate´s personal data and integrity. If PROSE shares your personal data to a data controller/data processor, the data controller/data processor has to be compliant with GDPR. In those cases when PROSE shares personal data within the PROSE Group, but outside EU/EEA, or to a data controller/data processor PROSE would then only share information relevant for the purpose. In terms of system support and maintenance, PROSE may have to transfer the information to a country outside the EU/EEA, but we would then only share information relevant for the purpose.
Data Protection Officer