Privacy policy
Controller
NYAB AB
Varvsgatan 39
972 32 Luleå
privacy@nyabgroup.com
Processing of Personal Data
NYAB processes personal data in accordance with the General Data Protection Regulation (GDPR) as well as national data protection laws and guidelines. The central focus of data protection work is to ensure the privacy of the data subjects and safeguard their rights. NYAB is committed to processing personal data in accordance with data protection principles:
- Lawfully, fairly, and transparently from the data subject’s perspective.
- Confidentially and securely.
- Personal data is collected and processed only for specific, explicit, and lawful purposes.
- Personal data is collected only to the extent necessary for the purposes of processing.
- Personal data is updated as needed, inaccurate and incorrect information is promptly corrected or deleted.
- Personal data is retained in a form that allows the data subject to be identified only for as long as necessary for the purposes of data processing.
This statement explains how NYAB processes personal data of its customers, website visitors, and job applicants.
Terms
- Personal data refers to any information relating to an identified or identifiable natural person or other data as defined in data protection legislation.
- Data controller means a natural person, legal entity, authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data, or any other data controller as defined in data protection legislation.
- Data subject is a person whose personal data is collected, stored, or processed.
- Data processor means a natural person or legal entity, authority, agency, or other body which processes personal data on behalf of the data controller.
- Data protection legislation refers to the General Data Protection Regulation (GDPR, 679/2016) of the European Union and other applicable data protection laws, as well as orders and guidelines from data protection authorities.
- Processing means any operation or set of operations performed on personal data or on sets of personal data, by automated means or manually, such as collection, recording, organization, structuring, storage, adaptation or alternation or any other processing of personal data as defined in data protection legislation.
Legal Basis for Processing of Personal Data
The processing of personal data always requires a legal basis found in the law. The chosen legal basis significantly affects the rights that the data subject has in relation to the data controller.
Consent
Consent is used as a legal basis for processing in situations such as:
- Processing job applicant data in the recruitment process.
- Communication with customers, maintaining customer relationships, and marketing with specific consent.
- Processing feedback.
Contract
Contract is used as a legal basis for processing in situations such as:
- Implementing an employment contract or conducting pre-contractual measures related to employment.
Where is the data collected from?
Personal data is primarily collected directly from the job applicant or the customer themselves. The information processed about the job applicant consists of the data provider in their job application or CV. With the consent of the data subject, personal data may also be collected from other sources, such as referees whose contact information the job applicant has voluntarily provided.
Customer data can be collected when subscribing to newsletter via the website’s subscription form or in other situations where the customer voluntarily provides their information.
Cookies are used on the website to store information about the user.
What data is processed?
NYAB processes only such personal data of job applicants which are necessary for the recruitment process and are related to the rights and obligations of the parties to the employment or potential employment relationship.
Regarding customers, only data necessary for managing the customer relationship is processed.
Among others, the following information is processed about the data subject:
- Basic information, such as name, email address, and phone number.
- Information related to customer relationship or services, such as details of ordered services and any changes to them.
- The IP address of the internet connection.
- Essential information for recruitment provided by the job applicant, such as details of work experience and education, a description of skills and suitability for the position, and salary expectations.
- Personal data collected through the feedback channel, provided by the data subject themselves.
Transfers and disclosures of personal data and transfers outside the EU/EEA area
Customer or job applicant data is not routinely disclosed to other parties. Information may be published to the extent agreed with the customer.
This website uses Google Analytics, an analytics service provided by Google. It uses cookies, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including IP addresses) will be transmitted to and stored by Google on servers located also in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services relating to website activity and internet usage.
Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.
Automated decision making and profiling
Automated decision making or profiling based on processing of personal data described on this privacy notice is not conducted.
Deletion of Personal Data
Personal data is processed only for as long as necessary for the purpose for which it was collected or as required by law and regulations.
Examples of retention periods:
- Recruitment announcements: 5 years from their publication.
- Job applications and attachments related to them: 2 years from the date of submission.
- Suitability test results: 3 years from their completion.
- Security clearance: 2 years from their completion.
- Any personal data potentially collected as part of feedback survey will be deleted 2 years after its receipt.
Rights of the Data Subject
The rights of the data subject are determined based on the legal basis for processing of personal data.
- The data subject has the right to know whether the data controller is processing their personal data.
- If the data controller processes personal data of data subject, the data subject has the right to obtain a copy of the processed personal data.
- The data subject has the right to request the data controller to correct any inaccurate personal data.
- The data subject has the right to request the data controller to delete their personal data when the processing is based on consent.
- The data subject has the right to object to the processing of their personal data when it is based on legitimate interest.
- In certain situations, data subjects have the right to request the restriction of processing of their personal data.
- If the data subject believes that the processing of their personal data is unlawful, they have the right to lodge a complaint to the supervisory authority.
Processing of personal data related to employment situations often relies on legal obligations or contact performance, so the right to erasure or objection to processing cannot be applied.
Data Security
Personal data is protected by access control measures and other necessary technical means. Only individuals authorized based on their job responsibilities are allowed to process personal data. The retention, archiving, and disposal of personal data are determined based on legislation and organizational guidelines.
Changes to the Privacy Notice and Contact Channel
For any questions related to the processing of personal data and situations regarding the exercise of your rights, please contact us at privacy@nyabgroup.com
This privacy notice may be subject to occasional changes as required by changes in data protection laws or changes in the processing of personal data.