GORDON Candidate and Recruitment - Privacy Notice
Version 2024:2
Last updated: 2024-09-13
1. Introduction
On this page, we explain how GORDON Processes your Personal Data. We respect your privacy and are committed to ensuring that you understand how and why we Process your Personal Data. This includes providing clear information about the types of data we collect, the purposes for which we use it, and your rights regarding your Personal Data.
When we refer to "GORDON," "we," "our," or "us" in this privacy notice, we mean Gordon Services AB or a subsidiary within the GORDON Group that Processes Personal Data as a Controller. However, only an individual company within the GORDON Group can be and is, the Controller for each individual Processing of Personal Data. For details regarding each company within the GORDON Group, please see section 15 (Contact details) below.
1.1 GORDON as a Controller
We are the Controller regarding all Processing of Personal Data performed by us or on our behalf when we determine the means and purpose of the Processing (in accordance with the principle of accountability). Unless otherwise stated herein, we are the Controller for the Processing described.
1.2 Categories of Data Subjects
The Processing of Personal Data covered by this privacy notice applies to the following categories of Data Subjects:
“Visitors”: Individuals who visit our Career Site or other Websites.
“Connecting Candidate”: Individuals who connect with us via our Career Site, to create a profile with us and receive information about current or future vacancies with us.
”Applying Candidate”: Individuals who apply for a position at GORDON, via our Career Site, phone, chat, social media, email or a third party service.
“Sourced Candidate”: Individuals whom we may actively approach to collect information about from other parties, sites and services, since we believe your profile is of interest for our current or future vacancies.
“Referred Candidate”: Individuals whom we receive information about from our employees or partners, since they believe your profile is of interest for our current or future vacancies.
“Reference”: Individuals who we receive information about from a Candidate, who lists you as their reference.
When we use the term “Candidate” in this privacy policy, we are referring to each of Connecting Candidates; Applying Candidates; Sourced Candidates; and Referred Candidates, unless it’s stated otherwise.
1.3 Other Privacy Notices
Your privacy matters to us, and we strive to ensure that you fully understand how we Process your Personal Data. Depending on the nature of your relationship with us, we provide additional details through our privacy notices mentioned in our “External Privacy Notice”.
Should any inquiries or concerns arise about our privacy notices, we encourage you to communicate with us directly. You may reach us via email at privacy@gordondelivery.com.
2. Definitions
In this privacy notice, we use definitions that are defined in article 4 of the GDPR and our “External Privacy Notice”.
3. How do we access the Personal Data that we Process?
We may access Personal Data in various situations, for example, but not limited to the following when:
3.1 All individuals
A Visitor visits our Career Site, we collect technical and statistical information about how you use the Career Site, and information from your device.
You contact us in any other way.
3.2 References
A Reference is listed by a Candidate during the recruitment process.
3.3 Candidates
You submit a job application or connect with us directly by email or through a third-party platform such as Teamtailor or LinkedIn.
You disclose your Personal Data when interacting with our personnel.
We perform the recruitment process, we may collect information about your application and profile created by us, or in cooperation with you, including notes from interviews, assessments, and tests conducted.
We collect information about you from your References.
We may collect publicly available information about you from third-party sources, such as Facebook, LinkedIn and other publicly available channels. This Process, known as "Sourcing," is manually conducted during the recruitment process.
In some cases, GORDON employees or external partners (such as recruitment service providers) may make recommendations in our recruitment system if they believe your profile is of interest to our current or future vacancies. The information we receive from third parties depends on the Data Subjects and our respective relationships with the third parties, as well as their policies. In such cases, the potential Candidate is considered a Data Subject under this privacy notice and will be informed about the Data Processing.
You can always choose not to provide us with certain information. However, some Personal Data is necessary in order for us to Process your application or provide you the information you request to get from us.
4. What information do we Process?
We only Process Personal Data that is adequate, necessary and relevant to fulfil the purposes for which it was collected (in accordance with the principle of data minimisation).
We mainly Process the following categories of Personal Data:
Identity: First name, last name, date of birth, nationality, national identification number, visual media (such as pictures and videos), voice recordings, driver's licence, government-issued ID or other relevant information requested for identity verification.
Consent and preferences: Marketing and communication preferences, work filed of interest, communication consent, cookie preferences.
Contact: Email address, telephone number, population registration address.
Online identifiers: IP-address, browser type and version, session behaviour, traffic source, screen resolution, preferred language, geographic location, operating system and device settings/usage.
Interview data: Interview notes, assessments and tests, salary requirements, etc.
Public information: Information derived from social media profiles, interactions, posts, likes’s and comments or information from the website of your current employeer.
Recruitment data: CV, cover letter submissions, references, background checks.
Reference data: information we receive from our employees or partners who refer you to us, or by the persons you have listed as your references.
Technical and statistical data: URLs you visit, activity on the site.
Other Personal Data: Any additional Personal Data provided by the Data Subject or a third party, such as educational background and responses to recruitment-related inquiries.
5. Legal basis and purpose of the Processing
We only Process Personal Data for particular explicitly stated and justified purposes (in accordance with the principle of purpose limitation).
We mainly Process Personal Data to:
Manage and facilitate the recruitment of employees to GORDON.
Enter into employment contracts with successful Candidates.
We Process Personal Data primarily on one of the following legal bases:
Consent: The Processing is necessary based on the Data Subject’s consent for one or more specific purposes (Article 6(1)(a) GDPR).
Contract: The Processing is necessary to perform a contract to which the Data Subject is a party or take steps at the Data Subject's request before entering into a contract (article 6(1)(b) GDPR).
Legal obligation: The Processing is necessary for compliance with a legal obligation to which the Controller is subject (article 6(1)(c) GDPR), as stipulated by relevant laws, such as acts regarding discrimination and requirements to address and defend against discrimination claims.
Legitimate interest: The Processing is necessary for the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require protection of Personal Data (article 6(1)(f) GDPR).
The provision of your Personal Data is not a statutory or contractual requirement. However, it is a requirement necessary to apply for a job to work with us and to enter into an agreement with us. Nevertheless, you are not obligated to provide your Personal Data, but the possible consequences of not providing such information are that we will not be able to Process your job application.
When we Process your Personal Data based on your consent, you can withdraw it at any time without affecting the lawfulness of Processing based on consent before its withdrawal.
When we conduct a Processing of Personal Data in our capacity of Controller, based on the legal basis of Legitimate interest, we assess that the Processing does not constitute an infringement of your right to privacy and integrity. After carefully weighing the impact of the Processing on your interests and right to privacy against our or a third party's legitimate interest in the matter, we have arrived at this conclusion. However, we never Process any Personal sensitive Data based on legitimate interest as the legal basis.
Below you can read more about the legal basis we rely on for a particular Processing activity and the purpose of our Processing of your Personal Data that we conduct in our capacity as the Controller. Where appropriate, we have also identified what the legitimate interests are.
6. Our specific Processing activities
6.1 When you use or visit our Websites or digital channels
Purpose We may collect and Process your Personal Data if you are a Visitor to our Career Site or other digital channels for the following purposes:
Analyse how the Career Site and its content are being used and performed to get statistics and improve operational performance.
Maintain, develop, test, and ensure the security of the Career Site.
Categories of Personal Data
Below is a summary of the Personal Data we may Process for the purposes mentioned above:
Device information, technical and statistical data, cookies, and tracking technologies.
You can find detailed information about how we process your Personal Data in our "External Privacy Notice" available on our website.
6.2 When you apply for a job to work with us
Purpose
We may collect and Process your Personal Data for the following purposes if you are a Candidate in a GORDON recruitment process when we:
Manage and maintain contact and communication with you throughout the recruitment process.
Conduct, review and facilitate the scheduling of profiles and their job applications sent to us, interviews, assessments and other recruitment-related activities.
Analyze job applications by classifying received CVs and cover letters to assess Candidates' qualifications, skills, and experience, thereby identifying the most suitable Candidates.
Maintain a register of potential Candidates for a limited time after the recruitment process concludes.
Collect and evaluate your professional profile on our initiative, including communicating with you regarding your profile.
Conduct background checks or verification processes as necessary to complete the recruitment process.
Continuously improve the recruitment process based on feedback and evaluation of the collected data.
Below is a summary of the Personal Data we may Process for the purposes mentioned above:
Documentation of interviews conducted between Candidates and our employees, information provided by you in interviews, email communication, phone calls, first name, last name, email address, home address, salary expectations, CV, cover letter submissions, references, interview notes, background checks, information we receive from our employees or partners who refer you to us, or by the individuals you have listed as your References.
We have concluded that we possess a legitimate and justifiable interest in handling your Personal Data for the above purposes and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the Personal Data Processing: Legitimate interest.
6.3 When you provide a Reference for a Candidate
Purpose
We may collect and Process your Personal Data for the following purposes if you provide a Reference to a Candidate in a recruitment process when we:
Manage and maintain contact and communication with you to gather and verify information about the Candidate during the recruitment process.
Collect and document the information you provide about the Candidate, including scheduling and conducting reference calls to gather a comprehensive assessment of their qualifications and suitability.
Analyze and assess the collected information to evaluate the Candidate’s qualifications, skills, and suitability for the position at GORDON.
Verify the accuracy and completeness of the reference information by cross-checking your feedback with the applicant’s profile and other provided data.
Categories of Personal Data
Below is a summary of the Personal Data we may Process for the purposes mentioned above: First name, last name, email address, phone number, reference data, interview data, public information.
Legal Basis
We have concluded that we possess a legitimate and justifiable interest in handling your Personal Data for the above purposes and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the Personal Data Processing: Legitimate interest.
6.4 When you enter into an employment agreement with GORDON
If you are offered an employment at GORDON, Processing Personal Data is necessary in order for us to fulfil the employment agreement with you.
The following types of Personal Data may be Processed: name, email address, phone number, address, compensation details (such as agreed salary information), personal identify number, nationality, country of residence, visa and immigration status.
Legal basis for the Processing of Personal Data: Contract.
6.5 When we manage our relationship with you
We may ask you to take a survey or leave a review regarding the recruitment process and if you consent to do so, the following types of data are Processed: name and email (if provided), time, date, answers to the survey and/or the written review. Legal basis for the Processing of Personal Data: Consent.
Suppose we are obliged by the applicable law to notify you about changes to our privacy notice. The following types of Personal Data may be Processed: first name, last name and email address. Legal basis for the Processing of Personal Data: Legal obligation.
6.6 When you contact us or receive email communication from us
If you are a Connecting Candidate, we may provide you with updates or contact you directly about future vacancies with us. To do so, the following categories of Personal Data are used: first name, last name, email address and work field of interest. Legal basis for the Processing of Personal Data: Consent.
You can find detailed information about how we Process your Personal Data when you contact us in our "External Privacy Notice" on our website.
6.7 Other purposes for our Processing of Personal Data
Purpose
Based on our legitimate interest, we Process Personal Data for the following purposes:
Quality Assurance: to broadly enhance the quality of our recruitment process.
Statistical analysis: to compile statistics, reports and other investigations regarding our recruitment process, which help us understand trends and insights.
Categories of Personal Data
Below is a summary of the Personal Data we may Process for the purposes mentioned above:
Technical and statistical data about your use of the site, such as information about which URLs you visit, and your activity on the site, information provided by you in comments, surveys, feedback.
Legal Basis
We have concluded that we possess a legitimate and justifiable interest in handling your Personal Data for the above purposes and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the Personal Data Processing: Legitimate interest.
7. Where do we Process the Personal Data?
We always strive to Process Personal Data within the European Union (EU) or the European Economic Area (EEA). However, in certain situations, Personal Data may be transferred to and Processed in countries outside the EU/EEA.
In cases where another recipient of your personal data (as described in Section 5 above) is based outside the EU/EEA, this will also mean that your personal data is transferred outside the EU/EEA.
When we, or one of our suppliers, transfer your personal data outside the EU/EEA, we will ensure that a safeguard recognized by the GDPR is used to enable the transfer. We use the following safeguards:
A decision by the EU Commission that the country outside of the EU/EEA to which your personal data is transferred has an adequate level of protection, which corresponds to the level of protection afforded by the GDPR. In particular, we rely on the EU Commission’s adequacy decision for the US via the so-called EU-US Data Privacy Framework, and the adequacy decision for the UK.
Entering into the EU Commission’s standard clauses with the recipient of the personal data outside the EU/EEA. This means that the recipient guarantees that the level of protection for your personal data afforded by the GDPR still applies, and that your rights are still protected.
When your personal data is transferred outside the EU/EEA, we also implement appropriate technical and organizational safeguards, to protect the personal data in case of a disclosure. Exactly which protective measures we implement depends on what is technically feasible, and sufficiently effective, for the particular transfer.
If you want more information about the cases in which your personal data is transferred outside the EU/EEA you can contact us using the contact details in Section 9 and 10 below.
8. How long do we store the Personal Data?
We will only retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal obligations, accounting, or reporting requirements, in line with the principle of storage limitation. The exact duration of the retention period varies depending on the categories of Personal Data, the Data Subject and the purpose for its collection.
When Personal Data is no longer required, it is either erased or anonymised. We may also erase Personal Data at the request of the Data Subject, unless we need to Process the Personal Data to fulfil our contractual or legal obligations. Deleted information may remain in our backups for a limited period before being permanently erased.
If you are a Connecting Candidate, we will retain your Personal Data for as long as you remain connected with us.
We will not retain and Process a Candidate’s and Reference’s Personal Data for longer than it is necessary after a completed recruitment process or for the burden of proof in case of a legal claim from the recruitment process brought against us. We may further retain your Personal Data after the abovementioned minimum period, in case there is a relevant job offering for which you will be a fitting Candidate until you request the data to be erased or we decide to delete it. During this period, we will maintain the necessary measures to ensure the security and confidentiality of the Personal Data in accordance with applicable data protection regulations.
If GORDON hires you, the data will be retained throughout your contractual relationship with GORDON and subsequently, until the legal prescription and retention period expires.
In the event of a claim against us, we may retain the Personal Data until the statutory limitation period expires. Similarly, in the case of an ongoing dispute, relevant Personal Data will be retained until the dispute is resolved.
9. Who may we share the Personal Data with?
We prioritise the protection of the Personal Data we Process and do not disclose it to unauthorised third parties. However, to operate and conduct our business effectively, we may disclose Personal Data to our third party recruitment partners or government authorities to achieve the purposes set out in this privacy notice.
When you visit our Career Site, certain cookies may be set by companies other than us, provided you give your consent. These third-party cookies collect data in accordance with their own privacy policies. For detailed information about which cookies are used and how they are managed, please refer to our Cookie Policy.
10. Subsidiaries and employees within the GORDON Group
In certain cases, sharing Personal Data among our subsidiaries and employees within the GORDON Group may be necessary for business purposes. We may share Personal Data for various reasons, including, but not limited to:
Enable effective communication and collaboration between different teams and departments involved in the recruitment process.
Enable cross-functional evaluation and consideration of Candidates for various roles within the organisation.
Streamline administrative tasks related to Candidate data management.
Facilitate a seamless transition for selected Candidates into their respective roles within the GORDON Group.
Improve overall recruitment efficiency and effectiveness through shared resources and expertise within the GORDON Group.
Centralise the Candidate information by consolidating Candidate data within the GORDON Group, we can have a unified and organised repository of information, making it easier to manage and access Candidate records.
However, we will only share Personal Data required for the specific purpose as permitted by applicable data protection laws and when necessary to fulfil a legitimate business purpose.
When we share or otherwise Process Personal Data within GORDON Group, we ensure that appropriate safeguards are in place to protect the data. These measures are designed to prevent unauthorised access to, or disclosure, alteration or destruction of your Personal Data. This means we have internal policies, procedures and controls to safeguard Personal Data and ensure that it is Processed in compliance with applicable data protection laws.
The Processing of Personal Data for the purposes stated above is justified under the legal basis of our Legitimate interests (article 6(1)(f) GDPR).
11. Government authorities
We may disclose Personal Data to government authorities, such as law enforcement, police, or tax authorities if we are legally obligated to do so. For example, such disclosures may be necessary for compliance with anti-money laundering and terrorist financing measures. The Processing of Personal Data for the purposes stated above is justified under the legal basis of our Legal obligation (article 6(1)(c) GDPR).
Personal Data may also be disclosed to government authorities when necessary to prevent, detect or investigate criminal activities. This disclosure is carried out to safeguard the property, interests and safety of GORDON and other relevant parties. The Processing of Personal Data for the purposes stated above is justified under the legal basis of our Legitimate interests (or, if applicable, a third party’s legitimate interest, as the case may be)(article 6(1)(f) GDPR).
12. Third-party service providers
We may share Personal Data with third-party service providers based on the legal basis of our Legitimate interests (article 6(1)(f) GDPR). Some of these service providers may act as our Processors, strictly following our instructions and implementing appropriate security measures. Disclosure of Personal Data may be conducted for the following purposes:
Safeguarding our legitimate interests.
Fulfilling our contractual and legal obligations.
Detecting and preventing technical, operational, or safety issues.
Providing, improving, and maintaining our platforms, applications, and websites (software maintenance).
Before we disclose any Personal Data to a Processor, we enter into a Data Processing Agreement with them in accordance with the provisions of the GDPR.
13. Other third parties
In connection with or during negotiations of a transfer of company assets, merger, sale, financing or acquisition of all or part of our business, Personal Data data may be disclosed to the prospective buyer or seller involved in such transactions, including their personnel/contractors. Such Processing will thus be conducted based on Legitimate interests (article 6(1)(f) GDPR) as the legal basis.
In some cases, we may share certain Personal Data with a third party, if the third party in question has a Legitimate interest (article 6(1)(f) GDPR) in Processing such Personal Data. It is important to note that in such cases, the third party is considered an independent Controller with respect to the Processing of the shared Personal Data, and the third party is responsible for complying with all relevant data protection legislation regarding the Processing of the Personal Data, including informing the Data Subjects’ about their Processing activities.
14. Data Subject’s rights according to the GDPR
As a Data Subject under the GDPR, you have certain privacy rights. These rights include:
Right to information: you have the right to be informed about the collection and use of your Personal Data. This includes details about the purposes of Processing, the categories of Personal Data involved, and any third parties with whom your Personal Data may be shared. Additionally, certain situations require specific information to be provided to you, such as in the event of a Personal Data Breach where there is a risk of identity theft or fraud.
Right of access: you have the right to access your Personal Data held by us. You can request information about the Processing of your Personal Data, obtain a copy of the Personal Data in a machine-readable format (provided no applicable exception to the right of access applies), and be informed about safeguards for cross-border transfers. This allows you to verify the accuracy and lawfulness of the information. The right to receive a copy of your Personal Data does not always imply the right to obtain the document containing your Personal Data.
Right to rectification: you can request the correction of inaccurate or incomplete Personal Data about you that we Process. If we Process Personal Data about you that is inaccurate or incomplete, we will, at your request or on our initiative, complete, rectify, or delete the Personal Data in question. If the Personal Data is corrected at your request, we will inform those to whom the Personal Data has been disclosed that the information has been updated, unless it proves impossible or involves a disproportionate effort. You also have the right to request information about the recipients of the Personal Data.
Right to erasure: In certain circumstances, you have the right to request that your Personal Data be erased by contacting the Controller. This applies, for example, if the Personal Data is no longer necessary for the purpose it was collected, or if you withdraw your consent and there is no other legal basis for the Processing. However, legal obligations may prevent us from immediately deleting parts of the Personal Data. These obligations may stem from, for example, accounting and tax legislation, banking and money laundering legislation, and consumer law. If Personal Data is erased at your request, we will also inform those to whom the Personal Data has been disclosed about the erasure, unless it proves impossible or involves a disproportionate effort.
Right to restriction: you have the right to request the restriction of Processing your Personal Data in certain cases. Restriction means that the Personal Data is marked so that it can only be Processed for specific limited purposes in the future. The right to restriction applies, among other things, when you believe the information is inaccurate and request rectification. In such cases, you can also request that the Processing of the Personal Data be restricted while the accuracy of the information is being investigated. When the restriction is lifted, we will inform you.
Right to data portability: you can receive and transfer your Personal Data to another Controller where technically feasible. Another prerequisite is that Processing Personal Data is based on your consent or for fulfilling a contract. This right also only applies to Personal Data that you have provided yourself.
Right to object: you have the right to object to our Processing of your Personal Data. The right to object applies when Personal Data is Processed based on a legitimate interest. If you object to the Processing, we may only continue Processing the Personal Data if we can demonstrate compelling legitimate grounds for the Processing that override your interests, rights, and freedoms or if the Processing is necessary to establish, exercise, or defend legal claims. However, you always have the right to object to the use of your Personal Data for direct marketing. Such objections can be made at any time. If an objection is raised against direct marketing, the Personal Data may no longer be Processed for such purposes, and we will inform you when we have deleted the Personal Data if you request it.
Right not to be subject to automated decision making: you have the right not to be subjected to decisions based solely on automated Processing, including profiling, if these decisions significantly affect you. Exceptions apply in cases where the decision is necessary for the performance of a contract or is authorised by law. If an automated decision has been made, with or without profiling, you can request that it be reviewed or contested. We do not conduct any automated decisions, either with or without profiling.
15. How to exercise the rights
Suppose you want to invoke any of your rights as a Data Subject regarding your Personal Data that we Process as Controller. In that case, you are welcome to contact us through email: privacy@gordondelivery.com. However, it is important to note that the rights mentioned above are subject to certain limitations and conditions under the GDPR.
Exercising the rights is free of charge, provided that your requests are not exaggerated, repeated or unfounded. In such cases, we have the right to charge a reasonable fee to Process your request or refuse the execution of your request.
Before we Process or respond to your request, we may request additional information from you if necessary to enable us to verify your identity.
We will inform you of our Processing of your request without delay and no later than one (1) month after we receive the request. If the request is complex or if, for example, we have received many requests, this period can be extended by another two (2) months. In such cases, we will notify you of the extension within the first month after we receive your request.
Suppose we cannot comply with your request due to applicable law or other exceptions. In that case, we will inform you why we cannot comply with your request with the limitations imposed by law.
16. Cookies
When you use our recruitment system or visit our Career Site, cookies may be set to collect information about your usage. Cookies are passive text files that are stored in the internet browser on the User’s device, such as computer, mobile phone or tablet that helps us improve your experience by gathering statistics and usage data. This is done to secure, maintain and improve the recruitment process.The information that is collected through the cookies can, in some instances be Personal Data and is, in such instances, regulated by our Cookie Policy.
Certain cookies are necessary for the proper functioning of the recruitment system, while others are non-essential and are used based on your consent. Non-essential cookies, which include those used for analytics or marketing purposes, collect data in accordance with the third parties’ privacy policies. For detailed information about these cookies and how they are used, please refer to our Cookie Policy.
You have the option to disable non-essential cookies by adjusting the settings on your device. Please be aware that disabling cookies may impact your experience with the Service, potentially affecting certain functionalities within the recruitment system.
17. Changes to this privacy notice
We review the contents of this privacy notice at least once a year to ensure that the information is accurate and up to date. The contents of this privacy notice may be updated if necessary, with or without prior notice. For example, if we need to provide clarification due to changes, new legislation or any modifications in our Processing of Personal Data.
You are responsible for reading the contents of the at any time applicable privacy notice and keeping up to date on any changes. We will notify you if we make material changes provided that such notification is mandatory according to applicable law.
The applicable version of this privacy notice is always available on our Career site.
18. Questions or complaints
If you have any questions about this privacy notice, our Processing of Personal Data or are dissatisfied with our Processing of your Personal Data, you can contact us by email: privacy@gordondelivery.com.
You also have the right to file a complaint with the relevant supervisory authority if you are dissatisfied with how we Process your Personal Data. Each company within GORDON Group has a supervisory authority, as stated in the table in section 153 (Contact details) below.
Depending on your country of residence, you may contact different supervisory authorities regarding concerns or complaints about our Processing of your Personal Data. You can find the Supervisory Authority of each EU Member State through the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en