Privacy policy for recruitment using Teamtailor
1. General
For the purpose of identifying, attracting, interviewing, selecting, and hiring employees, Visma uses a recruitment solution (the “Solution”) powered by Teamtailor AB, which is processing personal data relating to you (“User”, “Users”). It is the Visma company that you submit your job application to that is the controller in relation to the personal data processed in the Solution (the “Visma”, “Controller”, “we”, “us”, etc.).
This privacy policy (the “Privacy Policy”) describes how your personal data is processed in the Solution. For information about how and to what extent we are processing your personal data outside the Solution, please see the privacy policy for the Visma company you are applying to work for, available on the respective company’s website, or contact privacy@visma.com.
2. Collection of personal data
We are responsible for the processing of the personal data that the Users contribute to the Solution and the personal data that we in other ways collect with regards to the Solution.
When and how we collect personal data
We collect personal data about Users directly from Users when Users:
submit an application through the Solution or otherwise, adding personal data about themselves either personally or by using a third-party source such as Facebook or LinkedIn;
use the Solution to connect with our staff, adding personal data about themselves either personally or by using a third-party source such as Facebook or LinkedIn
We may collect data from third parties, such as Facebook, LinkedIn and through other public sources. This is referred to as “Sourcing” and can be manually performed by our employees or automatically in the Solution. This personal data, in addition to our internal evaluations and notes, might be processed together with the personal data collected through the Solution.
In some cases, existing employees can make recommendations about potential applicants. Such employees will add personal data about such potential applicants. In the cases where this is made, the potential applicant is considered a User in the context of this Privacy Policy and will be informed about the processing.
The categories of personal data collected and processed
The categories of personal data that can be collected through the Solution are names, e-mails, pictures and videos, information from Facebook and LinkedIn-accounts, answers to questions asked through the recruiting, titles, education, and other information that the User or others have provided through the Solution. Only personal data that is relevant for the recruitment process is collected and processed.
Personal data that is processed with the purpose of aggregated analysis or market research is always made unidentifiable. Such data cannot be used to identify a certain User. Thus, such data is not considered personal data under the privacy legislation.
The legal basis for processing of personal data
For the purpose of reviewing submitted documentation and information, conducting interviews, and carrying out additional investigations, for example, reviewing publicly available information related to you, we are relying on GDPR Article 6 (1) letter f, pursuant to which we may process personal data necessary for the purpose of our pursued legitimate interests in so far as such interests are not overridden by your interest or fundamental rights and freedoms. Our legitimate interest is to find the right candidate.
For candidates that we elect to move forward with and offer a job, we will process certain personal data, including your contact information and other specific personal data you request us to process, for the purpose of entering into a contract pursuant to Article 6(1) (b), which relates to processing necessary to perform a contract or to take steps at your requests, before entering a contract.
While you do not have to provide special categories of personal data in your application or in interviews, you may choose to do so. If you provide us with special categories of personal data, for example health, religious, or ethnicity information, we will process this personal data on the basis of GDPR Article 9(2) letter b, which relates to our obligations in employment and the safeguarding of your fundamental rights.
Under certain circumstances we may process personal data on the basis of your consent pursuant to GDPR Article 6(1) letter a, for example if we want to contact specific referees. If the processing requires your consent, we will provide you with specific information about the particular processing before providing you with the opportunity to consent to the processing. You may, at any time, withdraw your consent by contacting us at privacy@visma.com, in which case we will cease the processing of personal data based on your consent.
Storage and transfers
The personal data collected through the Solution is mainly stored and processed within the EU/EEA or third countries that are considered by the European Commission to have an adequate level of protection. All, if any, transfers of personal data to a country outside the EU/EEA, that is not considered to have an adequate level of protection by the European Commission, are subject to the European Commission’s latest version of the standard contractual clauses. In addition, Visma undertakes to implement supplementary measures, such as encryption and pseudonymisation of the personal data if required to ensure an adequate level of protection of the personal data.
How long the personal data will be processed
If a User does not object to the processing of their personal data or withdraw his or her consent, in writing, the personal data will be stored and processed by Visma for as long as deemed necessary with regards to the purposes stated above. Visma generally anonymises or deletes the personal data in accordance with the following deletion policy:
Inactive candidates will be deleted after 180 days of inactivity. An activity on a candidate profile is defined as any action that appears in the activity feed like writing a note, moving the candidate in a job process, sending a message etc. It does not count automatic job emails sent to Connected candidates.
All related data to job applications that have been rejected will be deleted 180 days after the rejection.
Candidates without an active purpose of storing their data will be deleted 180 days after being rejected. The active purposes are: Candidate applied to a job, Candidate is Connected, or Candidate opted in (consented) to be considered for future jobs. Such consent is valid for 3 months, and the Candidate will receive an email to extend the consent after those 3 months has passed.
Candidates who submit removal requests will be deleted 14 days after submitting the request.
Candidates with missing or expired permission will be deleted 14 days after receiving a warning regarding this.
Under certain circumstances, Visma may deviate from the above deletion policy if it is necessary to process the personal data for a longer period than set out above. Visma may, for example, be required to retain certain personal data for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
3. Users’ rights
Under the data protection legislation, you have a set of rights with respect to our processing of your personal data:
Right to access. You have the right to ask us for copies of your personal information.
Right to rectification. You have the right to ask us to rectify information you think is inaccurate.
Right to erasure. You have the right to ask us to erase your personal information in certain circumstances.
Right to restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances
Right to object. You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
Right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
Please note that the above rights are subject to certain limitations, which we will make you aware of upon your request of invoking any such rights.
You can easily exercise your rights by contacting us as set out in section 9. We will not charge you anything for such requests and undertake to answer your request within one month.
You are also entitled to lodge a complaint to the local data protection authority. You can find the contact information to the relevant data protection authority on this page.
4. Security
We prioritize personal integrity and therefore work actively so that the personal data of the Users are processed with utmost care. We take the measures that can be reasonably expected to make sure that the personal data of Users and others are processed safely and in accordance with this Privacy Policy and the GDPR.
However, transfers of information over the internet and mobile networks can never occur without any risk, so all transfers are made at the own risk of the person transferring the data. It is important that Users also take responsibility to ensure that their data is protected. It is the responsibility of the User that their login information is kept secret.
5. Sharing of personal data to third party
We may share Users’ personal data to:
our processors and sub-processors, which process personal data in accordance with our instructions, for the provision of the Solution;;
authorities or legal advisors, in case criminal or improper behaviour is suspected;
authorities, legal advisors or other actors, if required by us according to law or authority’s injunction; and
subsidiaries in the Visma Group.
We will only share Users’ personal data to third parties that we have confidence in. We carefully choose partners to ensure that the User’s personal data is processed in accordance with current privacy legislations. We cooperate with the following categories of processors of personal data: Teamtailor, which supplies the Solution, server and hosting companies, e-mail reference companies, video processing companies, information-sourcing companies, analytical Solution companies, and other companies with regards to supplying the Solution. For more information about the data processors processing your personal data, please see the privacy policy for the Visma company you are applying for a job at, or contact us on privacy@visma.com.
We will not sell or otherwise share Users’ personal data to other third parties.
6. Aggregated data (non-identifiable personal data)
We may share aggregated, fully anonymised, data to third parties. The aggregated data has in such instances been compiled from information that has been collected through the Solution and can, for example, consist of statistics of internet traffic or the geological location for the use of the Solution. The aggregated data does not contain any information that can be used to identify individual persons and is thus not personal data.
7. Cookies
When you use the Solution, Teamtailor will store cookies that store information on and collect information from your device. While Teamtailor is acting as the controller with respect to most of the processing of personal data through these cookies, certain cookies are stored to gather statistics about the usage of the Solution on behalf of Visma. You can read more about the use of cookies in our Cookie Policy, which also explains in more detail when Visma is processing personal data relating to you through cookies.
Cookies that are not strictly necessary for the functioning of the Solution will only be stored on your device if you consent to this. You may, at any time, withdraw your consent by changing the local settings on your device. However, doing so may affect your experience in the Solution.
8. Changes
We will, from time to time, make changes or additions to the Privacy Policy. The latest version of the Privacy Policy will always be available in the Solution. Please make sure to revisit this page to check if there are any updates to the Privacy Policy.
9. Contact
For questions, further information about our handling of personal data or for contact with us in other matters, please use the below stated contact details.
Visma Group and its subsidiaries
Head Office: Karenslyst allé 56, 0277 Oslo, Norway
Telephone number: +47 46 40 40 00
Email: privacy@visma.com