Principles of Processing Candidates´ Personal Data
valid as of 2nd of June 2020
Principles of Processing Candidates’ Personal Data (hereinafter – the Principles) describe how Swedbank processes the Personal Data of Candidates. As an employer, Swedbank needs to store and process information about Candidates for employment commencement and maintenance purposes and to enable it to run its business effectively, lawfully and appropriately. Swedbank is the controller of processed personal data.
Candidate means any natural person who is applying/applied for a position at Swedbank.
Data Protection Legislation means the applicable EU and national data protection legislation that Swedbank is subject to, for example, Regulation (EU) 2016/679 (General Data Protection Regulation or the GDPR).
Personal Data means any information directly or indirectly related to a Candidate.
Data Controller means anyone who alone or jointly with others determines the purposes and means of the Processing of Personal Data. For the Processing of Personal Data described in these Principles, Swedbank is the Data Controller.
Data Processor means anyone who Processes Personal Data on behalf of the Data Controller.
Recipient means a natural or legal person, public authority or another body, to whom Swedbank is entitled to disclose Personal Data. See the categories of Recipients in Section 5 of the Principles.
Processing means any operation or set of operations performed regarding Personal Data (such as collection, recording, storing, erasure, sharing).
Regulatory Legislation means the applicable legal acts that Swedbank is subject to, for example, relating to anti-money laundering, banking secrecy, commercial activity, data protection, taxes, bookkeeping, credit, consumer credit, payment, payment services, insurance, leasing, investment and financial business.
Swedbank means any legal entity or branch belonging to Swedbank Group whose registered office is in Sweden/Estonia/Latvia/Lithuania. The list of Swedbank Group companies is available on website: Swedbank Group in Sweden: www.swedbank.se / Swedbank Group in Estonia: www.swedbank.ee / Swedbank Group in Latvia: www.swedbank.lv / Swedbank Group in Lithuania: www.swedbank.lt
Swedbank Group means Swedbank AB (publ.), a public limited liability banking company incorporated in Sweden, and all legal entities which Swedbank AB (publ.) either directly or indirectly controls (the subsidiaries).
Third person means a person with whom the Candidate may be in close relations (such as relatives) that can lead to conflict of interests at Swedbank, as well providers of feedback (such as the Candidate’s former colleagues, cooperation partners, managers).
2.1 This document describes how Swedbank Processes Personal Data of Candidates. Detailed information on the Processing of Candidates’ Personal Data might be additionally described in job advertisement and other documents related to the advertisement and application, as well as on website of placement of the job advertisement
2.2 Within the framework of Data Protection Legislation, Swedbank ensures the confidentiality of Personal Data. Swedbank has implemented appropriate technical and organisational measures to safeguard Personal Data from unauthorized access, unlawful disclosure, accidental loss, modification, destruction or any other unlawful Processing.
2.3 Swedbank engages Data Processors for Processing of Personal Data and takes necessary steps to ensure that Processing of Candidates’ Personal Data by Data Processors takes place under a contract or Regulatory Legislation and according to documented instructions of Swedbank.
3. Categories of Personal Data
Personal Data is collected directly from a Candidate, through the activities performed and systems used by the Candidate and from external sources such as public and private registers or other third parties and Third persons. Personal Data categories which Swedbank collects and processes are:
Identification data such as name, personal identification number, data regarding identification document; Contact details such as address, telephone number, email address, language of communication.
Data about relationships with legal entities, such as data submitted by the Candidate or obtained from public data bases or third-party service providers.
Professional data such as education, professional career and duration, job title, licenses, training certificates.
Financial data such as debt commitments, income, solvency.
Data about trustworthiness, such as data about regarding possible conflicts of interest, incl. data about Candidate’s business activities, data related to anti-money laundering, counter terrorist financing or financial sanctions or organized crime, damage caused to Swedbank or any third party.
Communication and device data such as the data contained in messages, emails, visual images, video and/or audio recordings, as well as other conversations and interactions, collected when the Candidate participates in job interview, from Candidate’s application and/or activities in Swedbank communication tools.
Demographic data such as country of residence, citizenship.
Data about habits, preferences and satisfaction, such as Candidate satisfaction.
Sensitive data such as Special categories of Personal Data (for example, data concerning health) and Data about criminal convictions and offences such as data about absence of criminal convictions or existence of conviction for willful crime against the state, property or administrative order, or willful crime of economic nature or in state authority service, or for commitment of such a crime which is connected with terrorism and conviction for that is not expunged or extinguished; or about convictions for breach of international or national sanctions or anti-money laundering and counter terrorist financing legislation and at least one year has not passed since the day of imposition of the sanction.
Special categories of Personal Data can also be processed based on Swedbank legitimate interests, for example, to exercise a legal claim, or based on a legal obligation that Swedbank is subject to.
4. Legal Basis and Purpose of Personal Data Processing
Swedbank Processes Candidate’s Personal Data primarily for the purposes described below:
4.1 Managing Candidate selection for vacancies
Swedbank Processes Candidate’s Personal Data within the recruitment process in order to administer Candidate’s identification, evaluation and selection for Swedbank vacancies.
Legal basis for Personal Data Processing:
Sweden & Lithuania: Swedbank legitimate interest
Estonia & Latvia: Pre-contractual agreement
4.2 Managing Candidate personal data to establish employment
Swedbank Processes Candidate’s Personal Data within the recruitment process to conclude employment contract.
Legal basis for Personal Data Processing: Performance of agreement, Swedbank legal obligation and/or legitimate interest.
4.3 Suitability assessment
Swedbank Processes Candidate’s Personal Data in order to assess the suitability of a Candidate for a certain job position. Personal data of Third persons (such as name, job role, contact information or relationship type) can be processed for this purpose.
Legal basis for Personal Data Processing:
Sweden & Estonia: Performance of agreement and legal obligation
Latvia & Lithuania: Swedbank legitimate interest and legal obligation.
4.4 Managing Candidate for future job opportunities
Swedbank Processes Candidate’s Personal Data to save Candidate’s personal data for future job opportunities.
Legal basis for Personal Data Processing: Candidate´s consent
4.5 Candidate surveys
Swedbank Processes Candidate’s Personal Data to evaluate Candidate’s satisfaction about recruitment process.
Legal basis for Personal Data Processing:
Sweden & Latvia: Swedbank legitimate interest
Lithuania & Estonia: Candidate’s consent
4.6 Managing compliance, internal audit and fulfilling statutory duties
Swedbank Processes Candidate’s Personal Data to interpret, set compliance tests, monitor and check activities related to regulatory requirements, reporting and communication, as well as to conduct reviews and controls for providing opinion to Swedbank management concerning governance and internal control.
Legal basis for Personal Data Processing: Swedbank legitimate interests or legal obligation.
4.7 Establishing, exercising and defending legal claims
Swedbank Processes Candidate’s Personal Data to establish, exercise and defend legal claims, handle complaints and requests, as well as to retain information for this purpose.
Legal basis for Personal Data Processing: Swedbank legitimate interest and legal obligation.
5. Recipients of Personal Data
To be able to provide the recruitment process, Swedbank may share the Candidates’ Personal Data with the Recipients. These Recipients are in general:
5.1 Authorities (such as law enforcement authorities, tax authorities, supervisory and control authorities, and financial investigation authorities).
5.2 Legal persons and their branches belonging to Swedbank Group.
5.3 Auditors, legal advisors, and other Personal Data processors approved by Swedbank (recruitment management systems, recruitment agencies).
5.4 Third parties maintaining registers (e.g. Punishment Register, Insolvency Register, Population Register, and other registers which contain Personal Data or through which Personal Data is shared).
5.5 Judicial and extrajudicial dispute settlement institutions.
5.6 Other persons or entities related to provision of services to Swedbank, incl. archiving, postal service providers.
5.7 Providers of feedback concerning the previous professional career of the Candidate.
Swedbank will not share Candidates’ Personal Data more than necessary for the particular purpose of Processing.
Recipients may Process the Personal data as Data Processors and/or as Data Controllers. When the Recipient is Processing Candidates’ Personal Data on its own behalf as a Data Controller, the Recipient is responsible for providing information to data subjects on such Processing of Personal Data. In such case Swedbank advise the Candidate to contact this Recipient for information on the Processing of Personal Data by the Recipient.
6. Geographical Area of Processing
6.1 As a general rule, Personal Data is processed within the European Union/European Economic Area (hereinafter – EU/EEA) but in some cases can be transferred to and Processed in countries outside of the EU/EEA.
6.2 The transfer and Processing of Personal Data outside the EU/EEA can take place provided there is a legal basis, for example, performance of legal obligations, conclusion of employment contract or pursuant to Candidate’s consent, and appropriate safeguards are in place:
- The EU Standard Contractual Clauses or other approved clauses, codes of conduct, certifications approved in accordance with the GDPR.
- The country outside of the EU/EEA where the Recipient is located has adequate level of data protection as decided by the EU Commission.
- The Recipient is certified under the Privacy Shield (applies to Recipients located in the United States).
6.3 Upon request, the Candidate can receive further details on sharing Personal Data with countries outside the EU/EEA.
7. Camera Suriveillance
With the purpose of conducting video-surveillance as part of Swedbank safety measures, Swedbank is using video-surveillance at Swedbank premises. The video-surveilled areas are marked with informative signs.
Personal Data Processed when Swedbank conducts video-surveillance are contained in visual images and video recordings.
Swedbank carries out video-surveillance based on legitimate interests to ensure the security of Swedbank visitors, employees (as well Candidates), premises and assets; defend Swedbank legal claims and legitimate interests; detect and prevent unlawful activities.
Visual images and video recordings containing Personal Data are shared with relevant Recipient in case the recorded material is needed for criminal investigation, or with a Recipient that maintains and services the video-surveillance systems on behalf of Swedbank.
8. Retention period
Personal Data will be retained for the period which depends on the particular purpose of Processing for which these data are collected. Retention period is as long as the recruitment process activities (application, evaluation and selection) take place. After the end of the recruitment process, Swedbank will retain Personal Data during a maximum period of limitation according to the Regulatory Legislation. In cases when the processing of Personal Data takes place based on the Candidate’s consent, the Personal Data will be retained as long as the consent is valid. Other deadlines may be applicable when the Personal Data is Processed for purposes based on Swedbank legitimate interest, for example, for the establishment, exercise or defence of legal claims. In all cases, Swedbank limits the Processing of Personal data to a minimum.
Personal Data Processed in regard to video-surveillance carried out by Swedbank will be retained no longer than necessary, with a maximum retention period of 90 (ninety) days from the moment of recording, unless there is another purpose of Processing (for example, in connection with criminal investigation).
9. Rights of Candidates as Data Subjects
Under the Data Protection Legislation, the Candidate has rights of a data subject regarding Processing of Personal Data. Such rights are:
- Receive confirmation if the Candidate’s Personal Data is being Processed by Swedbank and, if so, then to access it.
- Require the Candidate’s Personal Data to be corrected if it is inadequate, incomplete or incorrect.
- Require the erasure of the Candidate’s Personal Data.
- Restrict the Processing of the Candidate’s Personal Data.
- Object to Processing of the Candidate’s Personal Data if processing is based on Swedbank legitimate interests.
- Object to Processing of the Candidate’s Personal Data for direct marketing.
- Receive the Personal Data that is provided by the Candidate and is being Processed based on consent or performance of an agreement in a structured, commonly used electronical format and, were feasible, transmit such data to another Controller (right to data portability).
- Withdraw the consent to Process the Candidate’s Personal Data.
Answer to the data subject’s request will be provided not later than within one month of receipt of the request; when necessary, this period can be extended by two further months.
The Candidate can exercise access right and right to erasure by submitting respective request on websites: jobs.swedbank.com / jobs.sweden.swedbank.com / jobs.estonia.swedbank.com / jobs.latvia.swedbank.com / jobs.lithuania.swedbank.com under section “Data & Privacy”.
In all cases the Candidate can exercise the rights of a data subject also by sending Swedbank an identified request to: Sweden: firstname.lastname@example.org / Estonia: email@example.com / Latvia: firstname.lastname@example.org / Lithuania: email@example.com
If the Candidate considers that the Processing of the Candidate’s Personal Data infringes the Candidate’s rights and interests under the Data Protection Legislation, the Candidate can lodge a complaint pertaining to the Processing of Personal Data by Swedbank to the data protection supervisory authorities in Sweden: www.datainspektionen.se / Estonia: www.aki.ee / Latvia: www.dvi.gov.lv / Lithuania: www.vdai.lrv.lt.
10. Contact details
The Candidate may contact Swedbank with any request, withdrawal of consent, data subject rights or complaint regarding the Processing of Personal Data.
Contact details of Swedbank are available on website: Sweden: www.swedbank.se / Estonia: www.swedbank.ee / Latvia: www.swedbank.lv / Lithuania: www.swedbank.lt.
Swedbank’s Data Protection Officer:
The Candidate may contact the appointed Data Protection Officer in Swedbank Group in Sweden: by sending a letter by post to: Data Protection Officer (DPO), 105 34, STOCKHOLM / Swedbank Group in Estonia: by sending email to firstname.lastname@example.org or sending letter by post to: Liivalaia 8, Tallinn 15040, signed „Andmekaitsespetsialist / Swedbank Group in Latvia: by sending email to: email@example.com or sending a letter by post to: Balasta dambis 15, Riga, Latvia, LV-1048, marked for “Data protection officer” / Swedbank Group in Lithuania: by sending email to: firstname.lastname@example.org or Konstitucijos av. 20A, 03502 Vilnius, marked “Data Protection Officer”.
11. Validity and amendments of Principles
Swedbank is entitled to unilaterally amend these Principles at any time, in compliance with the Regulatory Legislation, by notifying the Candidates of any amendments on websites: jobs.swedbank.com / jobs.sweden.swedbank.com / jobs.estonia.swedbank.com / jobs.latvia.swedbank.com / jobs.lithuania.swedbank.com not later than one month prior to the amendments entering into force.
These Principles are drafted in English and translated into Swedish, Estonian, Latvian and Lithuanian. In the event of disputes, arguments or claims of linguistic nature or concerning interpretation, the version of these Principles in local language is legally binding.
Principles enter into force on 2nd of June, 2020, and their latest version is available on websites: jobs.swedbank.com / jobs.sweden.swedbank.com / jobs.estonia.swedbank.com / jobs.latvia.swedbank.com / jobs.lithuania.swedbank.com.