This notice explain show OpenPayd Group of companies collects and uses personal data during the recruitment and selection process.
This notice covers the following:
WHO IS THE CONTROLLER OF YOUR DATA?
WHAT DATA DO WE COLLECT?
HOW DO WE COLLECT PERSONAL DATA?
HOW DO WE USE YOUR PERSONAL DATA?
WHAT IS THE LEGAL BASIS FOR PROCESSING OF YOUR PERSONAL DATA?
WHAT HAPPENS IF YOU DO NOT PROVIDE THE PERSONAL DATA THAT WE REQUEST?
HOW DO WE SHARE YOUR PERSONAL DATA?
DATA SECURITY
INTERNATIONAL TRANSFERS
DATA RETENTION
YOUR RIGHTS
Contact:PeopleTeam
Email: [email protected]
Contact: OpenPayd Data Protection Officer
Email: [email protected]
Our office locations: https://www.openpayd.com/legal/
Whenever dealing with one of the OpenPayd Group companies (the “Company”), the data controller of your data will be the Company that have jobs openings and decides how and why your data is processed for the purposes of the recruitment and selection process.
More information about OpenPayd Group companies is available at https://www.openpayd.com/legal/openpayd-group-overview/.
Where this Privacy Notice refers to “we”, “our” or “us”, this shall mean the particular Company that is the controller of your data during the recruitment and selection process.
We may collect data that you provide us with through the recruitment and selection process via various channels, including social media, talent acquisition platforms, referrals, email or otherwise. Such data may include:
Identification information (e.g. name, surname, title, gender, date of birth, photo).
Contact details (e.g. postal address, personal e-mail address, phone number).
Recruitment information (including copies of right to work documentation, qualifications, references and other information in your resume or cover letter or otherwise provided as part of the application process).
Information in relation to video and on-site interviews and responses to given tasks and case studies.
Pre-employment screening checks in case your application has been approved.
We collect personal data about you directly from you when you contact us directly through the application and recruitment process.
We may also collect your information when we approach you directly and you decide to share your resume and related information with us.
We may obtain your data from external sources, for example from social media, job boards or other available sources – some publicly available and others not. We may receive your personal data from a third party who recommends you as a candidate for a specific job opening or for our business more generally or through recruitment agencies we work with.
We may also obtain your data when we check references or carry out pre-employment checks – if we do this we will inform you during the recruitment process of the exact checks that are carried out.
This Privacy Notice applies to any of these data.
We use your personal data for the following purposes:
To make decisions about your recruitment and appointment.
To check you are legally entitled to work in the country where the job is located.
To assess your qualifications for a particular job or task.
To conduct data analytics studies to review and better understand job application rate and to conduct candidate experience analytics to review and better understand candidate interview experience based on aggregated and anonymized data.
To carry out equal opportunities monitoring.
For fraud and crime prevention purposes.
To deal with legal disputes.
We do not take automated decisions about you using your personal data or use profiling in relation to you.
Under data protection legislation we are only permitted to use your personal data if we have a legal basis for doing so as set out in the data protection legislation. This means, as applicable, the EU General Data Protection Regulation (Regulation 2016/679) (as may be amended, superseded or replaced) (” EU GDPR”), the UK GDPR, the UK Data Protection Act 2018, the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), the Bulgarian Personal Data Protection Act (“PDPA”), the Turkish Personal Data Protection Law numbered 6698 (“PDPL”), and all other supplemental or implementing laws relating to data privacy in the relevant European Union member state, United Kingdom, Turkey, etc., including where applicable the guidance and codes of practice issued by the relevant supervisory authority, and/or all applicable analogous privacy laws of other countries and jurisdictions.
We rely on the following legal bases to use your personal data for recruitment and selection process:
Where we need your personal data to enter into an employment contract with you.
Where we need to comply with legal obligation we are subject to.
Where it is necessary for our legitimate business interests(or those of a third party where applicable) and your interests and fundamental rights do not override those interests.
Some personal data is classified as“sensitive” or as “special categories of personal data” under data protection legislation. This includes information relating to health, racial or ethnic origin, religious or philosophical beliefs, sex life, political opinions, biometric data, genetic data, sexual orientation, and trade union membership. This personal data is more sensitive and we need to have further justifications for collecting, storing and using this type of personal data. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data. We may process special categories of personal data and information obtained as part of the background checks in limited circumstances when the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Company or of you, as a data subject in the field of employment.
In limited circumstances, we may ask you to provide your explicit consent as part of the recruitment and selection process such as for example if you would prefer us to keep your information for future opportunities after the job posting has been closed.
As part of the recruitment and selection process we do not collect and process information about your physical and mental health or disability status.
As part of the recruitment and selection process we do not collect and process information about your race or ethnic origin, religious or philosophical beliefs, your sexual life or sexual orientation to ensure meaningful equal opportunity monitoring and reporting.
We need some of your personal data in order to conduct the recruitment and selection process. If you do not provide such personal data, we may not be able to continue with the recruitment process or offer you employment/engagement.
We share your personal data in the following ways:
Where we use third party services providers who process personal data on our behalf in order to provide services to us relating to the recruitment and selection process. This includes local advisors, recruitment agents, talent acquisition platforms and other technology providers.
We may share your personal data with third parties, such as regulators, auditors, supervisory authorities where we are required to do so by law or to comply with our regulatory obligations.
With other entities in our group as part of our regular reporting activities and in the context of a business reorganization or group restructuring exercise.
If we sell any part of our business and/or integrate it with another organisation your details may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers.
Where we share your personal data with third parties we ensure that we have appropriate measures in place to safeguard your personal data and to ensure that it is solely used for legitimate purposes in line with this privacy notice.
To prevent unauthorized access, distortion, or disclosure of your personal data we have put in place appropriate physical, technical, and organizational measures. Some of our security measures include:
All data is managed and maintained in our secure data centres, which are accredited with the required security standards.
We conduct an annual audit of our security controls, in addition we conduct security self-assessments and report findings to our Risk Committee.
We only use an external cloud based providers which are compliant with all required security standards.
We have a documented suite of IT policies, including both our Information Security Policy and Acceptable Use Policy.
We have a Data Protection Policy and a Business Continuity Plan in place and review them regularly.
We ensure that access to personal data is restricted to employees working within our group on a need to know basis and need to have. Training will be provided to any employees working within the group who need access to your personal data to ensure it is secured at all times.
The personal data we collect for you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) or the UK, as it may be processed within OpenPayd Group of companies, or by our third party service providers when they are located outside of the EEA or the UK.
When personal data is transferred to countries outside of the EEA and UK and those countries may not offer an equivalent level of protection for personal data to the laws in the UK and EEA. Where this is the case we will ensure that appropriate safeguards are put in place to protect your personal data.
Transfers within the OpenPayd Group of companies
Where personal data is transferred between between OpenPayd Group of companies to office and locations which the European Commission has not deemed to have ‘adequate’ protection, we have put in place the EU Standard Contractual Clauses and UK International Data Transfer Addendum. These are specific contracts approved by the European Commission and the UK ICO, and are part of OpenPayd’s Intragroup Data Transfer Agreement.
Transfers to third parties
Where needed for the purposes of the recruitment and selection process, we may use service providers located outside the EEA or the UK For example an employment matter we have been advised on may require advice from local advisors or input from local experts. When we transfer personal data to such service providers it will usually be on an ad hoc basis.
Depending on the circumstances we may also need to transfer personal data to other kinds of third parties, for example local regulators, third parties involved in the recruitment process, such as agents, or technology providers, such as recruitment platforms.
Where the recipient is located in a country which has not been deemed by the European Commission or the UK ICO to have adequate laws in place to protect it, we transfer the personal data using the following measures:
We carry out third country assessments.
We have a data processing or a data sharing agreement in place.
We sign the appropriate form of EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable.
Please contact us you would like further information on the specific mechanism used by us when transferring your personal data.
As a general rule we keep your personal data for as long as necessary to fulfil the purposes for which we collected and continue to process it, and to satisfy any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For example, if you are successful candidate, some personal data may become part of your employment records. Unsuccessful applicants’ information is deleted, unless you agree that we keep your data with us for a longer period. For this, we will ask for your explicit consent.
We keep unsuccessful applicants’ information no longer than the below defined period from the date the job posting has been closed.
United Kingdom – 6 months
Malta – 4 months
Bulgaria – 6 months
Turkey – 2 years
France – 2 years
Where here we have statutory obligations to keep personal data for a longer period or where we may need your personal data for a longer period in case of a legal claim, then the retention period may be longer.
If you would like more information on our retention of the different aspects of your personal data, please contact us.
Data protection legislation provides you with several rights. These rights apply to processing of your personal data carried out by any of OpenPayd Group of companies as a data controller during the recruitment and selection process.
Please see more information below on your rights:
Right to object to direct marketing
You have the right to ask us not to process your personal data for marketing purposes, including profiling to the extent that it is related to direct marketing. Within a reasonable time after receipt and consideration of your objection we will no longer process your personal data for direct marketing purposes. You can exercise your right to prevent such processing by ticking certain boxes on the forms we use to collect your personal data, or by contacting us at any time.
Access to Information
Data protection legislation gives you the right to find out whether we are processing your personal data and, where that is the case, to receive a copy of the personal data we process and information on: why we are processing it; the categories of personal data we process about you; the recipients or categories of recipient to whom the personal data has been or will be disclosed; where possible, how long we plan to keep your personal data or the criteria we use to determine that period; information on your rights under the data protection legislation; information on where we received your personal data from if we did not receive it directly from you, and if we transfer your personal data outside of the EEA or the UK, details of the appropriate safeguards we have used to protect your personal data and uphold your personal data protection rights.
We will not charge you for complying with your request and providing you with a first copy. Any further copies may be subject to a reasonable administrative fee. Where your personal data is inseparable from the personal data of others, we reserve the right to redact or withhold it if it will infringe the rights of those third parties. We also reserve the right to withhold your personal data if permitted by relevant provisions in the data protection legislation.
The right to withdraw your consent to the processing of your personal data
If we process your personal data on the grounds of your consent, you have the right to withdraw your consent at any time. This will not affect the legality of our processing of your personal data up until the point at which you withdraw your consent. Please also note that we may still need to process your personal data on other grounds, for example to fulfil a contract with you or as required by law. You can withdraw your consent by contacting us.
The right to object to processing of your personal data
You have the right to object to our processing of your personal data if we are using the lawful grounds ‘legitimate interest’ or that the processing is in the public interest. When we receive your objection, we will assess our legal grounds for processing and will stop processing the personal data if we cannot demonstrate compelling legitimate grounds to continue processing the personal data.
The right to request the restriction of your personal data
You have the right to ask us to restrict our processing of your personal data if you think that it is inaccurate, that we are processing it illegally, or that we no longer need it for the purposes for which it was collected. While we consider your request, we will stop processing your personal data within a reasonable time from the date we receive your request. We will notify you of our decision and any justifications for continuing to process your personal data as soon as we can.
The right to request amendment or erasure of your personal data
You have the right to request the amendment of your personal data at any time if it is inaccurate. If it is incomplete, you have the right to have the information completed, considering the purposes of processing. You also have the right to require us to delete your personal data as soon as possible where one of the following applies: the personal data is no longer necessary for the purposes for which they were collected or otherwise processed; you withdraw your consent to us processing your personal data and we have no other legal grounds for processing it; the personal data has been unlawfully processed; the personal data must be erased for compliance with a UK or EU legal obligation on us; or the personal data relates to a child under 16.
The right to personal data portability
You have the right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those personal data to another personal data controller, if we are processing it on the grounds that you have consented to that processing or because it was necessary in order to perform a contract with you, and if we have no other legal bases for processing it. This will not apply to most of our processing of your personal data, but we mention it for completeness.
The right to complain to the supervisory authority
If you feel that we have processed your personal data unfairly or unlawfully, you have the right to complain about us to the relevant supervisory authority, although please contact us first so that we can put things right.
In the UK the supervisory authority for personal data protection is the Information Commissioner’s Office. You can contact the Information Commissioner’s Officehereor on +44 (0)303 123 1113.
In Malta the supervisory authority is the Office of the Information and Data Protection Commissioner (IDPC), which can be contacted here.
In France the supervisory authority is the Commission Nationale de l’Informatique et des Libertés (CNIL), which can be contactedhereor on +33 (0)153 73 2222.
In Turkey, the Personal Data Protection authority (KVKK) can be contacted at +90 312 216 5050,www.kvkk.gov.tr.
Contacts of other supervisory authorities in the EEA could be found here.
How to exercise your rights
You can exercise your rights at any time by contacting us and providing us with the following details:
A clear statement on which rights you are seeking to enforce.
A full description of the information or type of information that you are writing about.
Details which will confirm your identity.
This is so that we can keep your personal data secure and respond to you as quickly as possible. If you are asking for a large range of personal data, we may ask you to be more specific, so that we can manage your request as quickly and efficiently as possible.
No fee usually required
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Timeframe to respond
We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
If you would like to exercise any of your rights or find out more, please contact [email protected]with a copy to [email protected].
Any changes we may make to our Privacy Notice in the future will be posted on this page or otherwise provided to you. Please check back frequently to see any updates or changes to our Privacy Notice.
Last updated: June 2023