Privacy Policy for Lendo Group Employer Branding and Recruitment
Publication date: 07-06-2024
At Lendo Group, we manage our employer branding and recruitment process through our career sites (the “Career Site”) and by using a related applicant tracking system.
In this privacy policy, we explain how we process your personal data if:
You visit our Career Site (a “Visitor”)
You connect with us via our Career Site, create a profile, and receive information about current or future job opportunities (a “Connected Candidate”)
You apply for a position with us, via our Career Site or through a third-party service (an “Applicant”)
We collect information about you from other parties, websites, or services because we believe your profile may be relevant for current or future openings (a “Sourced Candidate”)
We receive information about you from our employees or partners because they believe your profile may be relevant for current or future openings (a “Referred Candidate”)
We receive information about you from a Candidate who lists you as a reference (a “Reference”)
This privacy policy also describes your rights when we process your personal data and how you can exercise those rights.
When we use the term “Candidate” in this privacy policy, we refer to Connected Candidates, Applicants, Sourced Candidates, and Referred Candidates, unless stated otherwise.
1. About the processing of personal data
Personal data is any information that can be directly or indirectly linked to a natural person. Examples include name, email address, phone number, and IP address. Processing of personal data means any use of personal data—such as collection, creation, analysis, sharing, and deletion.
There are laws and regulations governing how companies may process personal data (“data protection laws”). Different data protection laws apply depending on the type of processing and the region. One example that is relevant to the processing described in this privacy policy is the EU General Data Protection Regulation (2016/679, “GDPR”).
Most obligations under GDPR apply to the “data controller.” A data controller is the entity that decides the purposes and means of processing personal data. The controller may use a “data processor,” which may only process personal data on the controller’s instructions and may not use the data for its own purposes.
We are the data controller when we process your personal data under this privacy policy.
2. What personal data do we process?
All individuals
Device information – If you visit our Career Site, we collect information about your device, such as IP address, browser type and version, session behaviour, traffic source, screen resolution, preferred language, geographic location, operating system, and device settings/usage.
Technical and statistical data – If you visit our Career Site, we collect technical and statistical data about your use of the website, such as which URLs you visit and your activity on the site.
Communication data – We collect and store your communications with us, including the information you provide. This may include the content of emails, video recordings, social media messages, information you add to your account, surveys, etc.
Contact details – Such as your name, email address, phone number, and physical address.
Candidates
Data from interviews, assessments, and other recruitment process information – Such as interview notes, assessments and tests, and salary expectations.
Application information – Such as your CV, cover letter, work samples, references, recommendation letters, and education.
Information in your public profile – Information we collect from public sources related to your professional background, such as LinkedIn or your current employer’s website.
Information provided by references – Information received from employees or partners who refer you, or from individuals you list as references.
3. Where do we get your personal data from?
All individuals
From the Career Site – If you visit our Career Site, we collect technical and statistical information about how you use it, as well as device information.
Directly from you – Most of the data we process comes directly from you, for example when you apply or connect with us. You may always choose not to provide certain information, but some personal data is necessary for us to process your application or provide requested information.
References
From the person who listed you as a reference – If a Candidate lists you as a reference, we collect your contact details from the Candidate so we can contact you.
Candidates
From public sources – We may collect personal data from public sources such as LinkedIn or your current employer’s website.
From our referrers – We may receive information from employees or partners (such as recruitment service providers) when they believe your profile is relevant.
From your references – If you provide references, we may collect data about you from them.
Data we create ourselves or together with you – Data about your application and profile is often created by us, or by us together with you, during the recruitment process (e.g., interview notes, test results, assessments).
4. For what purposes do we process personal data?
To protect and uphold our rights and interests, and the rights and interests of others, for example in connection with legal claims.
Individuals concerned: The person(s) affected by the legal matter (may include any category listed above).
Data categories: All categories listed above may be used for this purpose.
To share your personal data with other recipients, for the purposes described in Section 5 below.
Individuals concerned: Varies depending on the purpose of sharing (see Section 5).
Data categories: All categories listed above may be used for this purpose.
To collect information about your use of the Career Site through cookies and other tracking technologies, as described in our Cookie Policy.
Individuals concerned: Visitors
Data categories: Device information
To maintain, develop, test, and ensure the security of the Career Site
Individuals concerned: Visitors
Data categories: Device information; technical and statistical data
To analyse how the Career Site and its content are used and perform, to produce statistics and improve operational performance
Individuals concerned: Visitors
Data categories: Device information; technical and statistical data
To provide you with updates about job openings
Individuals concerned: Connected Candidates
Data categories: Contact details; communication data
To review profiles and applications submitted to us, including communicating with you about your application and profile
Individuals concerned: Connected Candidates; Applicants
Data categories: All categories listed above may be used for this purpose
To proactively collect and assess your professional profile, including communicating with you about your profile
Individuals concerned: Sourced Candidates; Referred Candidates
Data categories: All categories listed above may be used for this purpose
To contact you directly about specific future job opportunities
Individuals concerned: Candidates
Data categories: All categories listed above may be used for this purpose
To record interview(s)
Individuals concerned: Candidates
Data categories: Communication data
To contact you to request participation in surveys
Individuals concerned: Candidates
Data categories: All categories listed above may be used for this purpose
To contact you for information about an applicant and evaluate the information you provide
Individuals concerned: References
Data categories: Contact details; communication data
5. Who do we share your personal data with?
Our service providers – Vendors providing services and functionality in our employer branding and recruitment process (e.g., recruitment services, the Career Site provider, and the applicant tracking system provider).
Our group companies – When they provide services and functionality supporting our employer branding and recruitment process (e.g., access to specific systems and software).
Companies providing cookies on the Career Site – If you consent, cookies may be placed by third parties who use the collected data in accordance with their own privacy policies. Details are available in our Cookie Policy.
Authorities and other public bodies – When we are legally required to do so.
Parties involved in legal proceedings – If necessary to protect or defend our rights (e.g., discrimination claims).
Mergers, acquisitions, etc. – In connection with a potential merger, sale of assets, financing, or acquisition of all or part of our business, we may share personal data with relevant parties involved in the process.
6. What is the legal basis for processing your personal data?
To process your personal data, we must have a legal basis under GDPR.
For the purposes described in this privacy policy, the legal basis we typically rely on is that the processing is necessary for our legitimate interest in recruiting talent with relevant skills. We have concluded that we have a legitimate interest in processing personal data for this purpose, that the processing is necessary to achieve it, and that our interests outweigh your interest in not having your data processed for this purpose.
You may contact us if you would like more information about how this assessment was made. See Sections 9 and 10 for contact details.
In certain circumstances, we will only process personal data if and when you provide consent—for example, if we propose recording an interview. See Section 9 for more information about your right to withdraw consent.
7. When do we transfer your personal data outside the EU/EEA and how do we protect it?
We always aim to process your personal data within the EU/EEA.
However, some of our service providers process personal data outside the EU/EEA. We also use suppliers whose parent company (or a subcontractor’s parent company) is based outside the EU/EEA. In such cases, we consider the risk that personal data may be disclosed to countries outside the EU/EEA, for example due to government requests.
Where another recipient of your personal data (as described in Section 5) is based outside the EU/EEA, this also means your personal data is transferred outside the EU/EEA.
When we (or our suppliers) transfer personal data outside the EU/EEA, we ensure a GDPR-recognised transfer mechanism is used. We rely on the following safeguards:
Adequacy decisions by the European Commission, meaning the destination country ensures an adequate level of protection comparable to GDPR. We rely in particular on the EU-US Data Privacy Framework and adequacy decisions for the United Kingdom.
EU Standard Contractual Clauses (SCCs) with recipients outside the EU/EEA, meaning recipients guarantee GDPR-level protection and safeguards for your rights.
We also implement appropriate technical and organisational measures to protect personal data in case of disclosure. The specific measures depend on what is technically feasible and sufficiently effective for the relevant transfer.
If you would like more information about transfers outside the EU/EEA, you may contact us using the contact details in Sections 9 and 10.
8. How long do we keep your personal data?
All individuals
If we process your personal data to protect and uphold our rights, we store it until the relevant legal matter has been fully and finally resolved.
Visitors
We store your personal data for one (1) year for security purposes. Cookie retention periods are set out in our Cookie Policy. We keep personal data used to analyse Career Site performance for as long as we store personal data about you for other purposes.
Candidates
If you are a Connected Candidate (only), we store your personal data for as long as you remain connected with us.
For other types of Candidates, we store your personal data in order to assess whether you are a suitable candidate for the relevant job opening(s).
If you do not proceed in the initial recruitment process, we keep your personal data for as long as necessary to consider, and potentially contact you, for relevant future openings.
If you are hired, we will store your personal data during your employment for purposes other than those described above, and you will be informed accordingly.
References
We keep your personal data for as long as we keep the personal data relating to the Candidate for whom you acted as a reference.
9. What rights do you have and how can you exercise them?
This section explains your rights when we process your personal data. Some rights only apply when we process your data on a specific legal basis.
If you wish to exercise any of the rights listed here, we recommend that you:
Visit the Data & Privacy page on our Career Site;
Log in to your account, where you can use your account settings to exercise your rights; or
Contact us directly at johanna.romanoff@lendo.group.
Right to be informed
You have the right to be informed about how we process your personal data. You also have the right to be informed if we intend to process your personal data for a purpose other than the purpose for which it was originally collected.
We provide this information through this privacy policy, through updates on our Career Site (see also Section 11), and by responding to any questions you may have.
Right of access
You have the right to know whether we process personal data about you and to receive a copy of the data we process about you. When we provide a copy, you will also receive information about how we process your personal data.
Right to data portability
You may request a copy of personal data relating to you that we process in order to perform a contract with you or based on your consent, in a structured, commonly used, machine-readable format. This allows you to use the data elsewhere, for example to transfer it to another recipient. Where technically feasible, you also have the right to request that we transfer your data directly to another recipient.
Right to erasure (“right to be forgotten”)
In certain cases, you have the right to request that we delete your personal data. This applies, for example, if the data is no longer necessary for the purpose for which it was collected, if you withdraw consent, or if you object and there are no overriding legitimate grounds for processing. (For a separate right to object, see below.)
Right to object
You have the right to object to processing based on our legitimate interest by referring to your particular situation.
Right to restriction of processing
If you believe the personal data we process is inaccurate, that our processing is unlawful, or that we do not need the data for a specific purpose, you have the right to request restriction of processing. If you object as described above, you may also request restriction while we assess your request.
Where processing is restricted, we will (except for storage) only process the data with your consent or for the establishment, exercise, or defence of legal claims, for the protection of another person’s rights, or for reasons of important public interest.
Right to rectification
You have the right to request that we correct inaccurate data and that we complete data you consider incomplete.
Right to withdraw consent
Where we process your personal data based on consent, you have the right to withdraw that consent at any time. If you do so, we will stop processing your data for the purposes for which you withdrew consent. This does not affect the lawfulness of processing that took place before consent was withdrawn.
Right to lodge a complaint
If you have complaints about our processing of your personal data, you may lodge a complaint with the data protection authority in Norway. You can find their contact details here.
You may also lodge a complaint with your national data protection authority, which can be found in this list if you are based in the EU. If you are based in the UK, you may lodge a complaint with the Information Commissioner’s Office (ICO), here.
10. Who can you contact with comments or questions?
If you want to contact us to exercise your rights, or if you have questions, comments, or feedback about how we handle your personal data, you can reach us by emailing johanna.romanoff@lendo.group.
11. Updates to this Privacy Policy
We update this privacy policy when necessary—for example, if we start processing your personal data in a new way, if we want to make the information clearer, or if required to comply with applicable data protection laws.
We encourage you to check this page regularly for any changes. You can always see at the top of this page when this privacy policy was last updated.