This privacy notice (the "Notice") explains how we collect, use, store and protect your personal data in connection with recruitment. It also describes your rights and how to exercise them.
Personal data means any information that can, directly or indirectly, identify you. This means information that can directly identify you, such as your name and information that can indirectly identify you, such as your address, is personal data.
1. WHO ARE COVERED BY THIS NOTICE?
This Notice covers our use of personal data about candidates and reference persons to candidates in connection with recruitment.
2. WE ARE RESPONSIBLE FOR THE USE OF YOUR PERSONAL DATA
In this Notice "we", "us" and "our" refer to CAKE 0 Emission AB, corp. reg. 559014-2682, with registered address Hammarby Fabriksväg 43, 120 30 Stockholm, which is the controller of personal data.
3. PERSONAL DATA THAT WE COLLECT ABOUT YOU
We only collect the information that we need. The information that we collect depends on how you interact with us and depending on whether you are a candidate or a reference person.
We collect and use the following categories of personal data:
· Communication. Contents of communications with us, e.g. contents of e-mails.
· Contact information. Personal data which makes it possible to contact you, e.g. your e-mail address.
· Identity information. Personal data which makes it possible to identify you, e.g. your name and picture.
· Information on qualifications. Personal data about your qualifications, e.g. education, work experience and certifications.
· Profile information. Information regarding your profile, for example your gender and age, current position and employer, and information on marital status.
· Test information. Personal data about tests that you have completed as a part of the recruitment process, e.g. type of test, date of test and test result.
4. FROM WHERE DO WE COLLECT PERSONAL DATA
We collect personal data from the following sources:
· Yourself. We collect the personal data that you provide yourself to us, e.g. in your application and CV.
· Recruitment agencies. We use, where applicable, various recruitment agencies to help us recruit for certain positions and we collect in such a case the personal data that they share with us.
· Reference persons. We normally carry out reference checks as a part of the recruitment process and collect the personal data that reference persons share with us about you.
· Group companies. The companies within the group of companies cooperate with each other can share personal data with each other for example in connection with communication.
· External persons. We can also collect personal data about you that external persons share with us for example in connection with communication.
· Publicly available sources. We can also collect personal data about you from publicly available sources, for example social networking platforms or public records.
5. WHY WE NEED YOUR PERSONAL DATA
We use your personal data to for example manage the recruitment process, follow-up and evaluate the recruitment process, to manage and defend legal claims and to comply with the law.
Below we further explain the purposes with our use of personal data and provide examples of processing activities carried out for respective purposes. Please note that not all processing activities may apply to you. Which processing activities that you are covered by depend on how you interact with us.
For more information regarding which categories of personal data, which legal basis that we rely on for the use of your personal data for each purpose and for how long your personal data is stored, please see the detailed information on our use of personal data.
IF YOU ARE A CANDIDATE
Manage the recruitment process
We use personal data to manage the recruitment process, for example to collect and review your application (including resume and cover letter) and to evaluate your application and communicate with you during the recruitment process.
Future recruitment
If you give your approval, we will store your application documents for future recruitment, for example to contact you if we have a recruitment need for a position that suits your profile.
Carry out reference checks
We use personal data to carry out reference checks, for example to communicate and verify the candidate's qualifications and learn more about the candidate's background, experience, and skills.
Carry out background checks and pre-employment tests
Where applicable, we carry out background checks (for example verification of your education history and your identity and review of your credit information where relevant to the role you have applied for) and pre-employment tests (for example personality tests) as a part of the recruitment process. If pre-employment tests are necessary, we will inform you of this and obtain your approval to participate in such checks and tests.
Follow-up and evaluate the recruitment process
We use personal data to follow-up on and evaluate the recruitment process, for example to create reports and statistics on the number of applicants for a position.
IF YOU ARE A REFERENCE PERSON
Carry out reference checks
We use personal data to carry out reference checks, for example to communicate and verify the candidate's qualifications and learn more about the candidate's background, experience, and skills.
CANDIDATES AND REFERENCE PERSONS
Manage and defend legal claims
If needed, we use your personal data to manage and defend legal claims for example in connection with a dispute or court proceeding. For this purpose, we will share personal data with various recipients, please see section 6 below.
Fulfil legal obligations
We use personal data, if needed, to fulfil legal obligations and to comply with law, for example to satisfy employment and data protection obligations.
Ensure technical functionality and security of our IT systems
We use personal data to ensure the technical functionality and security of our IT systems, for example when troubleshooting, in connection with incidents and for security logging, error handling, and backups.
6. SHARING OF YOUR PERSONAL DATA
Below we describe which recipients that we share your personal data with. Which recipients we share your personal data with depends on how you interact with us. Unless we have stated otherwise below the recipient is responsible for its own use of your personal data.
To read more about why and based on which legal basis we share your personal data with different recipients, please see our detailed information on our use of personal data.
We share personal data with:
Service providers
To process personal data for the purposes described in this Notice, we share personal data with service providers that we have engaged. These service providers provide, for example, IT services to us. When the service providers process personal data on our behalf, they act as data processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.
Recruitment agencies
Where we use recruitment agencies to manage the recruitment process, we share personal data with them for the same purpose. To the extent they act as data processors for us, we are responsible for the processing of your personal data.
Trade unions
In certain situations, for example to manage and defend a legal claim, we share personal data with trade unions.
Group companies
The companies within the group collaborate and therefore share personal data with each other, for example in connection with communication between employees and external persons.
Other recipients
If needed, we share your personal data with other recipients for the following purposes:
· to manage a merger or sale of the business,
· to manage and defend legal claims and rights,
· to fulfil legal obligations,
· to respond to a request, and
· to protect and ensure the safety of our staff.
Examples of recipients are external advisors, public authorities, courts, law enforcement, and potential buyers and sellers should we sell the business.
7. TRANSFER OF PERSONAL DATA TO OTHER COUNTRIES
We endeavour to store your personal data within the EU. However, where we transfer personal data outside the EU/EEA, for example to service providers engaged by us, we will ensure that there are adequate safeguards in place to protect your personal data in light of the laws of the receiving country. Normally we rely on the EU Commission's Standard Contractual Clauses for transfers of personal data to recipients outside the EU/EEA.[JS1] [JS2]
For more information about which non-EU/EEA countries to which we transfer personal data and the safeguards that we have taken to protect your personal data, please contact us using the contact details below.
8. YOUR RIGHTS
You always have the following rights in relation to your personal data:
· The right to access your data and to be informed: You always have the right to understand what personal information we collect and share. You have the right to ask us for supplementary information on why we process your data, what data we process, how long we store your data (or what criteria we use for determining the storage period), how we protect your data, who we share your data with, and whether your data is transferred to countries outside of the European Economic Area. You also have a right to receive a copy (“data extract”) of data that CAKE processes about you. Through the data extract you will receive information about what personal data CAKE holds about you, and how we process it.
You also have the right to request restriction of your personal data if you have objected to our use of your personal data and during the period, we verify whether we have a compelling reason to continue to use your personal data.
If the use of your personal data has been restricted, we are normally only allowed to store your personal data and not use them for any other purpose than to manage, defend or exercise legal claims and rights.
· Right to have personal data deleted (“right to be forgotten”): In some cases you have the right to have us delete personal data about you. For example, you can request us to delete such personal data that we i) no longer need for the purpose that it was collected for, or ii) that we processed based on your consent and you revoke your consent. There are certain situations where CAKE is unable to delete your data, for example when the data is still necessary to process for the purposes for which the data was collected, CAKE’s interest to process the data overrides your interest in having it deleted, if the personal data is needed to exercise, manage, and defend legal claims, or because we have a legal obligation to keep it.
· Right to object against our processing: You have the right to object to processing of your personal data which is based on legitimate interest (Article 6(1)(f) GDPR), by referencing your personal circumstances. If we cannot show a compelling reason to continue to use your personal data, we will stop using your personal data for the relevant purpose. You can also always object to our use of your personal data for direct marketing purposes. If you inform us that you no longer want to receive direct marketing from us, we will turn off marketing for you and stop sending it to you.
· The right to data portability: When technically possible, you have the right to get your data transferred to another service provider. This means that you can request a copy of the personal data that CAKE holds in a machine readable format. This will allow you to use it somewhere else, for example to transfer it to another controller. The right to data portability under this privacy policy only applies, however, to personal data that we handle for the performance of an agreement with you (Article 6.1 (b) of the GDPR) or based on your provided consent (Article 6.1 (a) of the GDPR).
· Right to withdraw consent: When we process your personal data based on consent you have the right to revoke it at any time. When you revoke such consent we will stop processing your data for such purposes.
· Right to lodge a complaint: If you have a complaint against CAKE’s processing of your data you may lodge a complaint with the Swedish Authority for Privacy Protection (https://www.imy.se), which is the Swedish supervisory authority for CAKE’s processing, or your national data protection authority.
· Additional right available to you in France, Spain and Italy - post-mortem right to your personal data: You have the right to give, or designate a person authorized to give instructions relating to the retention, erasure and communication of your personal data after your death.
You may exercise your rights described above by sending a request to privacy@ridecake.com. We will respond to your request within 30 days. However, if your request is complicated or if you have submitted several requests, we may need additional time to handle your request. We will in such a case notify you and the reasons for the delay. If we cannot, wholly or in part, comply with your request we will notify you and the reasons for this. We are always committed to handle any request, complaint, or concern that you may have about our use of your data in a lawful, fair, and transparent way. You can read more about your rights at www.imy.se.
9. COOKIES
Users can at any time disable the use of cookies by changing the local settings in their devices. Disabling of cookies can affect the experience of the Service, for example disabling some functions in the Service.
10. ANY QUESTIONS?
If you have questions about our use of personal data or if you wish to exercise your rights, please contact the HR department on contact details below.
If you are not satisfied with our response you have the right to lodge a complaint with the relevant data protection authority in your country (in Sweden the supervisory authority is the Swedish Authority for Privacy Protection (IMY), www.imy.se.
Company
Contact details
CAKE 0 EMISSION AB
hr-support@ridecake.com
CORP. REG.: 559014-2682
ADDRESS: HAMMARBY FABRIKSVÄG 43, 120 30 STOCKHOLM, SWEDEN
Detailed information on our use of personal data
WHY AND HOW WE USE PERSONAL DATA
Please find below detailed information regarding our use of personal data, including the categories of personal data used, the legal basis for the use and for how long the personal data is stored.
Purpose
Personal data
Legal basis
Storage period
Manage the recruitment process (Candidates)
· Communication
· Contact information
· Identity information
· Information on qualifications
· Profile information
Performance of a contract, article 6.1 b) of the GDPR. The processing is necessary to take steps at your request prior to entering into a potential employment agreement.
Legitimate interest, article 6.1 f) of the GDPR. To the extent that you have not requested a specific measure the processing is necessary in order to satisfy our legitimate interest of managing the recruitment process.
Processing of your personal identification number is necessary for the purpose in question, i.e. to manage the recruitment process and to verify your identity.
Personal data is stored during the recruitment process and for a period of 26 months thereafter for the purpose of satisfying our legitimate interest of managing and defending legal claims.
Carry out reference checks
(Candidates and Reference Persons)
· Communication
· Contact information
· Identity information
· Profile information
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of contacting you in order to obtain an opinion about the candidate in connection with the recruitment process.
Personal data is stored during the recruitment process and for a period of 26 months thereafter for the purpose of satisfying our legitimate interest of managing and defending legal claims.
Carry out background checks and pre-employment tests (Candidates)
· Identity information
· Test information
· Credit Information
· Educational history
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of carrying out background checks and pre-employment tests
Personal data is stored during the recruitment process and for a period of 26 months thereafter for the purpose of satisfying our legitimate interest of managing and defending legal claims.
Follow-up and evaluate the recruitment process (Candidates)
· Identity information
· Information on qualifications
· Profile information
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of following-up and evaluating the recruitment process.
Personal data is stored during the recruitment process and for a period of 12 months thereafter for this purpose. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Manage and defend legal claims (Candidates and Reference Persons)
· Only the categories of personal data needed for managing and defending a legal claim in the individual case
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of managing and defending legal claims.
Personal data is stored for the period required in order for us to manage and defend the legal claim in the individual case.
Fulfil legal obligations (Candidates)
· Only the categories of personal data are necessary for fulfilling the relevant legal obligation.
Fulfil legal obligation, article 6.1 c) of the GDPR. The processing is necessary in order to fulfil legal obligations that we are subject to, for example obligations under the Employment Protection Act (1982:80).
Personal data is stored for such period that is necessary in order for us to fulfil each legal obligation that we are subject to.
Ensure technical functionality and security of our IT systems (Candidates and Reference Persons)
· Relevant categories of personal data.
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of ensuring technical functionality and security of our IT systems.
Personal data is stored for the same period as stated in relation to each relevant purpose of the processing. Personal data in logs is retained in order to satisfy our legitimate interest of troubleshooting and incident management for a period of 13 months from the date and time of the log entry. Personal data in backups are stored for a period of 13 months from the date of the backup.
WHY AND WITH WHOM WE SHARE PERSONAL DATA
Please find below detailed information regarding which categories of personal data we share with other recipients and the legal basis for the transfer.
Recipient
Purpose
Personal data
Legal basis
Recruitment agencies (Candidates and Reference Persons)
Manage the recruitment process
· Communication
· Contact information
· Identity information
· Information on qualifications
· Profile information
Legitimate interest, article 6.1 f) of the GDPR. To the extent that you have not requested a specific measure the processing is necessary in order to satisfy our legitimate interest of managing the recruitment process.
Trade unions (Candidates)
Manage and defend legal claims and fulfil legal obligations
· Only the categories of personal data needed for managing and defending a legal claim in the individual case
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of managing and defending legal claims
Fulfil a legal obligation, article 6.1 c) of the GDPR, concerning employment consultation and information obligations.
Group companies (Candidates and Reference Persons)
Communication between employees and external persons regarding recruitment
· Communication
· Contact information
· Identity information
· Information on qualifications
· Profile information
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order to satisfy our legitimate interest of our employees and external persons communicating regarding recruitment.
Other recipients (Candidates)
Purpose
Personal data
Legal basis
Manage a merger or sale of the business (Candidates)
Only the personal data that is necessary for this purpose is shared with the recipient.
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order for us to satisfy our and the buyer's legitimate interest of completing the sale or merger.
Manage and defend legal claims (Candidates and Reference Persons)
Only the personal data that is necessary for this purpose is shared with the recipient.
Legitimate interest, article 6.1 f) of the GDPR. The processing is necessary in order for us to satisfy our legitimate interest of managing and defending legal claims.
Fulfil legal obligations (Candidates)
Only the personal data that is necessary for this purpose is shared with the recipient.
Fulfilling a legal obligation, article 6.1 c) of the GDPR. The processing is necessary in order for us to comply with our legal obligations.
Respond to a request (Candidates)
Only the personal data that is necessary for this purpose is shared with the recipient.
Legitimate interest, article 6.1 f) of the GDPR or to fulfil a legal obligation, article 6.1 c) of the GDPR. To the extent that we are obligated to respond to a request, personal data is used to fulfil this legal obligation. Otherwise, the processing is based on a balance of interests where it is necessary to satisfy our and the requester's legitimate interest in responding to the request.