Privacy notice
This Privacy Notice (the “Notice”) applies to the recruiting-related processing activities conducted by EveryMatrix Group through the use of the software tool offered by TeamTailor.
As part of any recruitment process, EveryMatrix Group (“Controller”, “EM”, “we”, “us”) collects and processes personal data relating to job applicants. For these reasons, EM is committed to being transparent about how it collects and processes that data and to meeting its data protection obligations.
The Controller is a group of companies which are incorporated and operate in different jurisdictions around the globe. Therefore, candidates should check EM’s locations worldwide in order to better understand their personal data flow and processing, since this would depend on the relevant EM entity offering the post a candidate has applied to. EM’s locations can be retrieved as follows:
Our Offices | EveryMatrix
Notwithstanding the foregoing, and without prejudice to HR local teams across the jurisdictions where EM operates, the central HR administration for EM’s group is run in Romania by the following EM entity:
- EveryMatrix SRL, Strada Tudor Arghezi 4, București 020944, Romania.
As already elucidated above, the recruiting process from EM’s end is carried out through the use of TeamTailor’s software.
- Teamtailor AB is a Swedish-based company having its registered office at Östgötagatan 16, SE-116 25 Stockholm.
In order for TeamTailor to provide its services and to fulfil its obligations in accordance with the agreement between TeamTailor and us, candidates’ personal data (as further specified below) will be shared between TeamTailor and EM throughout the lifetime of the said agreement.
TeamTailor’s privacy policy is available at:
Privacy Notice | Teamtailor
What Personal Data will be processed during the recruiting stages?
Candidates’ personal data categories which may be needed have been grouped as per the following breakdown:
i. Identifying:
Information that uniquely or semi-uniquely identifies a candidate (i.e. name, user name, unique identifier, government-issued identification, tax and social security identifiers, picture);
ii. Demographic:
Information that describes a candidate’s characteristics shared with others (e.g. age ranges, income brackets, geographic);
iii. Contact:
Information that provides a mechanism for contacting a candidate (i.e. email address, physical address, telephone number);
iv. Professional:
Information about a candidate’s educational or professional career (i.e. job titles, salary, work history, school attended, employee files, employment history, evaluations, memberships, references, interviews, certifications, disciplinary actions), named referees who have provided consent for their contact information and feedback to be shared;
v. Ethnicity:
Information that describes a candidate’s origin (i.e. nationality and languages spoken);
vi. Criminal:
Information about a candidate’s criminal activity (i.e. convictions, charges, pardons);
vii. Family:
Information about a candidate’s family and relationships (i.e. family structure, siblings, offspring, marriages, emergency contacts);
viii. Medical and Health:
Information that describes a candidate’s health, medical conditions or health care (i.e. physical and mental health, drug test results, disabilities);
ix. Location:
Information about a candidate’s location (i.e. country, city, registered address);
x. Financial:
Information that identifies a candidate’s financial account and other financial-related items (i.e. bank account details, salary expectations);
xi. Communication:
Information communicated from or to a candidate (e.g. email, phone calls and chats);
xii. Historical:
Information about a candidate’s personal and professional history.
The personal data EM collects for reference checks is obtained from the following sources:
• Candidates’ application and resume.
• Named referees who have provided consent for their contact information and feedback to be shared.
• Third-party background verification services and social media platform (LinkedIn), if applicable.
EM may be subject to legal obligations regulating the field of employment, or otherwise impacting its operations and working environment; for such purposes, EM may be required to conduct specific assessments concerning candidates’ health, criminal conduct etc. EM reserves the right to conduct or ensure the conduct of these assessments or request any such information when required to fulfil these obligations. Should this be the case, candidates will be informed and guided accordingly by EM in full transparency.
Failure to disclose to or share with EM any of the above candidates’ personal data can lead to consequences in terms of candidates being prevented from entering into an employment relationship with EM.
Each candidate can choose not to disclose his/her personal information by not applying for an existing job application.
What are the legal bases for processing?
- Candidates’ consent materializes as soon as a candidate decides to submit a job application;
- EM’s legitimate interest in assessing the suitability of candidates;
- Legal obligations (when information is required by law, especially labour law)
Notably, candidates can withdraw their consent at any time. However, withdrawal of consent will affect neither the processing of personal data by EM and TeamTailor up to the moment the consent has been withdrawn nor any potential further processing of candidates’ personal data by EM based on the latter’s legitimate interest not overridden by candidates’ rights.
Who is candidates’ personal data shared with?
Besides TeamTailor, the Controller may share candidates’ personal data with:
- Internal personnel involved in the hiring process, including HR personnel and relevant hiring managers;
- Third-party reference check providers;
- Legal and compliance authorities, if required by law;
- EM Group Companies
As specified above, the Controller has a global footprint; therefore candidates’ personal data may be processed in the locations where the Controller has its offices.
Should this be the case, EM makes sure to protect candidates’ personal data through the use of adequate legal means (e.g. for EU/EEA residents, the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council).
Unless we are required to do otherwise by applicable law, candidates’ personal data will not be shared with anyone else.
What is the retention period for candidates’ personal data?
EM retains candidates’ personal data in compliance with the principles of data minimization and storage limitation, ensuring that the duration of storage is proportionate to the processing carried out during the recruitment process.
Upon receipt of a candidate’s application, EM shall assess whether the candidate was not reviewed or has undergone only minimal screening, or whether the candidate has been subject to substantive evaluation through interviews, assessments, or other meaningful selection procedures. Based on this assessment, the retention period is determined as follows:
- Personal data of candidates who have not been subject to a substantive review or have undergone only basic eligibility checks shall be retained for a period not exceeding one (1) year from the date of the most recent communication.
- Personal data of candidates who have undergone a substantive assessment, including but not limited to interviews, evaluations, or other selection procedures, shall be retained for a period not exceeding two (2) years from the date of the most recent communication.
During the applicable retention period, EM may retain personal data to the extent strictly necessary to pursue its legitimate interests, including:
- Establishing a talent pipeline of candidates who have expressed interest in EM to facilitate future recruitment opportunities.
- Expediting the recruitment process by providing timely access to previously screened profiles, particularly for time-sensitive roles.
- Analyzing historical recruitment data to identify trends, skills, and competencies, thereby supporting a more targeted recruitment strategy and an improved work environment.
During this retention period, EM may contact relevant candidates regarding future roles for which they are deemed suitable. Candidates may withdraw their consent to the processing of their personal data at any time by sending an email to dpo@everymatrix.com. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Candidates retain the right to request the erasure of their personal data at any time, unless such retention is required by applicable law or necessary for EM to exercise or defend its legal rights. Any retention based on legitimate interests shall remain proportionate, strictly limited to the purposes outlined above, and shall not exceed the maximum retention periods specified.
Upon the expiration of the retention period, candidates’ personal data shall be irreversibly deleted or anonymized, unless the candidate is subsequently hired, in which case the data shall be processed in accordance with EM’s employee data retention rules. Personal data may also be retained for a longer period where required by applicable law, without prejudice to EM’s overarching obligations under data protection legislation.
What is the security employed to protect candidates’ personal data?
We are an ISO 27001-certified organization and prioritize personal integrity and therefore work actively so that the personal data of the candidates is processed with utmost care. We take the measures that can be reasonably expected to make sure that the personal data of candidates and others are processed safely and in accordance with this Notice and the applicable law.
However, transfers of information over the Internet and mobile networks can never occur without any risk, so all transfers are made at the own risk of the person transferring the data. It is important that candidates also take responsibility to ensure that their data is protected. It is the responsibility of the candidates to keep their login information secret.
What are candidates’ rights with respect to their personal data?
A candidate has the right to:
- make subject access requests regarding the nature of information held and to whom it has been disclosed;
- prevent processing likely to cause damage or distress;
- prevent processing for purposes of direct marketing;
- be informed about the mechanics of the automated decision-taking process that will significantly affect a candidate;
- have significant decisions that will affect candidates taken solely by an automated process;
- sue for compensation if a candidate suffers damage by any contravention of the applicable law;
- take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data;
- request the supervisory authority to assess whether any provision of applicable law has been contravened;
- have personal data provided to him/her in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller; and
- object to any automated profiling that is occurring without consent.
A candidate may exercise any of the rights described in this section by sending an email to dpo@everymatrix.com. Please note that we may ask candidates to verify their identity before taking further action on candidates’ request. Additionally, kindly note that TeamTailor offers user-friendly functionalities which enable the candidates to automatically perform requests of erasure, and consent management (by way of illustration); this is possible through Data & Privacy – EveryMatrix (www.teamtailor.com).
Changes
We have the right to, at any time, make changes or additions to the Privacy Notice. The latest version of the Notice will always be available through the use of TeamTailor’s software.
How to get in touch with EM or EM’s Lead Supervisory Authority for data protection?
For questions, further information about our handling of personal data or for contact with us in other matters, please use the below stated contact details:
- dpo@everymatrix.com; or
- EveryMatrix Software Ltd. (to the attention of the Group DPO), Reg. no: C51832, Address: Piazzetta Business Plaza, Office 12, Level 10, Ghar il – Lembi, Tas-Sliema, Malta (EM Group entity responsible for the administration of legal affairs).
Candidates have the right to lodge any complaint they may have toward EM to EM’s Lead Supervisory Authority for data protection-related matters:
The National Supervisory Authority For Personal Data Processing
(in Romanian 'Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal' or 'ANSPDCP')
28 30 Magheru Blvd
District 1, Bucharest
T +40 318 059 211
F +40 318 059 602
www.dataprotection.ro