PRIVACY NOTICE

 

Personal data of job applicants and recruits

03/29/2023

 

1. General notes

This privacy notice (the “Notice”) aims at providing current and former job applicants and potential recruits for Xogito EOOD (“Xogito”) with information related to the scope and purposes of the processing activities carried out by Xogito in terms of their personal data, as well as their rights in relation to such processing. If you are applying for work at Xogito and/or have been notified by Xogito that your personal data as a job applicant/recruit is being processed by Xogito, this Notice is for you.

This Notice is prepared on the grounds of Article 13 and Article 14 of Regulation (ЕU) 2016/679 (General Data Protection Regulation or GDPR). In order to avoid unnecessary transpositions of GDPR provisions into this Notice, in certain cases where it is not of utmost relevance for you in light of the data processing activities carried out by Xogito, or of the grounds for such processing, this Notice includes only references to the relevant provisions of the GDPR.

Here you can find any information relating to what personal data we collect, where we collect such data from, how and for what purposes we use those data, to whom we disclose the data, what your rights as a data subject are, as well as how you can contact us or the data protection supervisory body.

2. About Xogito

Xogito EOOD, UIC (ЕИК) 202973525, is your personal data controller. You can contact Xogito in writing, via phone or e-mail on any matters related to the processing of your personal data, as follows:

Address: 16 Gen. Y. V. Gurko Str., floor 6, office 10A, Sredets District, Sofia 1000

Email: data_privacy_bg@xogito.com

Contact Person: Zlatina Stoeva

3. Sources of personal data

The personal data undergoing our processing, are collected directly from you or from other sources:

Data collected from you. We have collected the following categories of personal data directly from you:

  1. data which we received directly from you when you apply for a job under a specific job advertisement of Xogito;
  2. information which you in your sole consideration have provided to us and not in relation with a given job advertisement of Xogito, thus expressing your interest and willingness to work for us.

Data collected from other sources. We have collected the following categories of personal data from the sources listed below:

  1. data gained as a result of our own researches of professional information disclosed in the social networks (Facebook, LinkedIn, etc.) for persons who can be eligible for the jobs offered by us;
  2. information disclosed by you on web pages for searching jobs/career pages, etc.;
  3. recommendations of third persons.

Save for the above, we do not collect and process your personal data from other sources.

4. Personal data which we process, purposes and legal grounds for processing

4.1 Categories of personal data undergoing processing

The personal data relating to you which we collect and process, are the data disclosed by you in the job application documents (CV, recommendations of former employers, course certificates, certificates evidencing newly obtained knowledge and skills, etc.). Those data are disclosed voluntarily by you and in your own consideration, and can include: names, date of birth, address, personal telephone, personal e-mail, educational background, data relating to professional qualification and experience, work for former employees and the positions occupied, specific knowledge and skills.

4.2. Purposes for processing

We process the mentioned data for the purpose of identifying you as a job applicant or a potential recruit for our team, entering into contact with you (for the purpose of carrying out interviews and discussions in the process of selection of job applicants, eventually clarifying certain issues in terms of your application, etc.), assessing whether your qualities and experience meet our requirements and expectations for the performance of the work for which you apply.

4.3. Grounds for processing

The legal ground for processing of the above-mentioned categories of personal data is different depending on the source of your personal data:

    1. While processing personal data received by you and you have consented to such processing, we process such data on the grounds of your consent in as far as you solely consider whether to disclose such data or not in the job application process,
    2. While processing your data from other sources, the ground for such processing is our legitimate interest to employ the personnel we are in need who are most eligible and meeting our expectations for professional and personal qualities to perform the job positions offered by us.

5. Personal data disclosed by you

The personal data processed by Xogito are disclosed voluntarily by you and in your own consideration, since it is you to decide whether to apply for a job with us or not. If you do not provide such categories of data, you will not be able to participate in the process of selecting job applicants and eventually to start working for us.

6. Your personal data disclosed to third parties

Xogito discloses or may disclose personal data to third parties only to the persons and categories of persons listed below.

6.1. Data recipients within Xogito

For the sake of completing the purpose for processing of your personal data the latter are disclosed before and processed by the following persons and categories of persons within Xogito:

      1. A human resources expert is provided an access to and processes your personal data in order to carry out selection of applicants in the job application procedure for the relevant position, to carry out interviews, etc.
      2. A system administrator who supports Xogito software systems where the data in electronic form are stored, and who in the process of performance of his/her obligations can access such data.
      3. Xogito management.

6. 2. Data recipients outside Xogito

Outside Xogito we can provide your data only to data processors (persons who process personal data under the authority and instructions of Xogito) within the following categories:

      1. Suppliers of software solutions where the information provided by Xogito is stored (hosted) on a server (including cloud) provided by the supplier of such solution. Any personal data categories automatically processed by Xogito can be provided to that category of data processors.  The disclosure of your personal data for storing and processing to such persons does not automatically mean that these persons are entitled to access your data.
      2. Persons carrying out technical maintenance of Xogito software systems.  Such categories of processors are not purposefully provided with personal data and it is possible that such persons gain incidental access to Xogito data bases while carrying out technical maintenance.
      3. Other data processors if such are needed in Xogito discretion.

7. Use of personal data

We use your personal data in line with the above-specified purposes. It is possible that we incidentally receive from you personal data which are not subject to processing by us (e.g. your personal email can include additional information for your correlation with a given organization which information is not relevant for the purposes of the data processing carried out by us, etc.). We do not take into consideration such specifics and we do not carry out any additional analysis or any other processing of such data incidentally disclosed to us for the purpose of profiling you, extracting additional information, placing you in any categories or taking of automated decisions, etc. which can have legal implications for you or impact you in any other way.

8. Storing and destruction of personal data

Unless a longer period of data storing is provided for by the applicable law, Xogito will erase/destroy your personal data following completion of the job applicants’ selection procedure you take part in and in case you are not the selected candidate whom we will offer to sign an employment/civil/services agreement or upon your refusal to participate in the procedure if we have contacted you.

When processing personal data not received by you and not under a specific job advertisement, we will duly notify you therefor. In such cases we will continue processing your personal data until you object to such processing.

If you have provided your personal data not under a specific job advertisement but in your own initiative, following your consent to such processing, we will process your personal data until you withdraw your consent thereto.

9. You rights while processing your personal data

As a data subject you have a number of rights that you can exercise towards Xogito as your data controller. Such rights and the procedure to exercise them are specified herebelow in this section.

Any and all rights are to be exercised by filing a written notification with Xogito in person or through an explicitly authorized by you person, unless otherwise provided for in a specific law. The notifications are addressed to the contact person of Xogito, specified in item 3 above. If the notification is filed electronically, it needs to be signed with a qualified electronic signature.

9.1 Right to access to your personal data

You have the right to be informed by Xogito whether Xogito processes personal data relating to you and if so, to be granted such access to such data, as well as to be informed about:

      1. the categories of personal data concerned;
      2. the purposes of processing;
      3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, more specifically the data recipients in third countries or international organizations;
      4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
      5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of your personal data or to object to such processing;
      6. the right to lodge a complaint with a supervisory body;
      7. where the personal data are not collected from you, any available information as to their source;
      8. the existence of automated decision-making, including profiling, as well as meaningful information in this respect, if provided for by the law.

Xogito will provide free-of-charge copy of your personal data undergoing processing, as well as the information, specified in the foregoing paragraph, within one month as of filing of your request. For any further copies requested by you, Xogito may charge a reasonable fee based on the administrative costs incurred for such additional copy.

9.2. Right to rectification

If you consider that your personal data processed by us is inaccurate, you have the right to request from Xogito to rectify without undue delay such inaccurate data. If your data are incomplete, you have the right to have incomplete personal data completed, taking into account the purposes of processing.

9.3. Right to withhold consent

While processing your personal data based on the consent given by you, you have the right to withhold such consent at any time. Following withdrawal of your consent Xogito will cease the processing activities relating to your personal data based on your consent, whereby the withdrawal of your consent will not affect the lawfulness of processing based on such consent prior to its withdrawal. Without prejudice to the above, Xogito can continue processing the personal data concerned if another ground (other than consent) for processing of these data/or any of the exceptions under item 9.5.2., is in place.

9.4. Right to object to processing

You have the right to object to the processing of your personal data on the grounds of public interest or legitimate interest of Xogito when you deem that in your case at hand such processing does not comply with the protection of your interests, rights and freedoms. In such cases, if Xogito fails to prove that there are sound legitimate grounds for processing which override your interests, rights and freedoms or that the processing is needed for establishing, exercising and defence of legal claims, Xogito will cease processing such data.

9.5. Right to erasure of personal data

9.5.1 General rule. You have the right to obtain from Xogito the erasure of personal data concerning you without undue delay and Xogito has the obligation to erase such personal data without undue delay where one of the following grounds applies:

      1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      2. you have withdrawn your consent on which the processing is based and where there is no other legal ground for the processing;
      3. you have objected to the processing pursuant to item 9.4 and Xogito does not have any legitimate grounds for such processing, overriding your interests, rights and freedoms;
      4. your personal data have been processed unlawfully;
      5. the personal data are to be erased in order for Xogito to comply with a legal obligation.

9.5.2 Exceptions from the general rule. Your right to request that your data be eased will be disregarded, respectively Xogito will not be obliged to erase your data, to the extent such processing is necessary for:

      1. exercising the right of freedom of expression and information;
      2. compliance with a legal obligation of Xogito which requires processing or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Xogito;
      3. reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of GDPR;
      4. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the erasure of data is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
      5. the establishment, exercise or defense of legal claims.

9.6. Right to restriction of processing

You have the right to obtain from Xogito restriction of any other processing of your personal data, save for their storing, in the cases listed below:

      1. when you contest the accuracy of your personal data – for a period enabling Xogito to verify the accuracy of your personal data;
      2. when the processing is unlawful but you oppose to the erasure of the personal data and request the restriction of their use instead;
      3. when Xogito no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
      4. when you have objected to processing pursuant to item 9.4 pending the verification whether the legitimate grounds for processing by Xogito override your interests.

In any of the above-listed cases Xogito can process the personal data concerned, other than their storage, only based on your consent or for the establishment, exercise, defence of legal claims or for the protection of the rights of another natural person or for reasons of important public interest for the Republic of Bulgaria or for the European Union.

9.7. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to Xogito, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from Xogito, where:

      1. Xogito processes your data based on your consent or when the processing of such data is needed for the performance of any obligation under an employment/civil/services contract; and
      2. the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have the personal data transmitted directly from Xogito to another controller, where technically feasible.

9.8. Right to lodge a complaint with the supervisory body

If you find that the processing of your personal data by Xogito is in breach of any of the provisions of the applicable legislation, including but not limited, the GDPR and the Personal Data Protection Act, you have the right lodge a complaint with the supervisory body of the Member State of the European Union as per your habitual residence, place of work or place of the alleged infringement.

The Commission for Personal Data Protection is the competent supervisory body in the Republic of Bulgaria.