Information on Natural Cycles’ Processing of Personal Data in connection with job applications (“Privacy Policy”)

Contents

• Introduction                                                                 
• Processing your personal data 
• Will my personal data be shared with others or transferred to countries outside the EEA? 
• How is my personal data secured? 
• How long will we store your personal data? 
• What are my rights under applicable data protection laws? 
• Questions and queries 
• Changes to this Privacy Policy 

Introduction
We know that you care how information about you is processed. This Privacy Policy outlines in detail how we collect, process, use and transfer (collectively “process”) your personal data when you apply for a position with us. Considering the volume of information that is provided to you, please refer to the content section above to identify the areas you are most interested in. The service for handling recruitments and simplifying the hiring process (the “Service”) is powered by Teamtailor on behalf of Natural Cycles (“Controller” “we” “us” etc.). 

Personal data is information that relates to an individual who can be identified from that information, whether or not in conjunction with any other information. Common examples of personal data processed by us in our day to day business include names, addresses, telephone numbers and other contact details, payroll data, attendance data, performance management data, and CCTV images.

In our capacity of a data controller (meaning that we determine how and why your personal data is processed) we are responsible for the processing of personal data of you as an applicant (referred to as “you/r” unless the context provides for a different interpretation) carried out in connection with your application to work with us.
Our processing of your personal data is always performed in compliance with applicable data protection laws and regulations as well as this Privacy Policy.

By sending us your application , you agree to the processing of your personal data as described in this Privacy Policy. It is therefore important that you read this Privacy Policy carefully and understand it in its entirety.

Processing your personal data

How and why do we process your personal data?

Our routines for processing personal data have been construed with the purpose of minimizing the amount of personal data being processed at any time.
The personal data we collect from you or through our systems help us managing your application, but also to comply with our legal obligations or for the conduct of our business. The personal data we collect, the basis of processing and the purposes of processing are detailed below. Sometimes, these activities are carried out by third parties, including other members of our group of companies.

Personal data

• Personnel administration data; name, photo, private contact details, gender, marital status, date of birth, data on education, professional experiences and qualifications, social security ID, certificates and diplomas, correspondence, union membership (when required by law only)

Basis of processing

• It is necessary for the handling your application, to take steps for entering into a contract with you or to achieve our legitimate interests.

Purpose of Processing

• This is required to enable us to administer your application, the set-up of an electronic personnel file. It is voluntarily for you to provide us with a photo of yourself. We will also use your contact details to request feedback. Participation in feedback surveys or similar is voluntary.

Where do we obtain your personal data from?
Most of the personal data we process is obtained from you when you apply to join us, but we also obtain personal data about you in employment applications and vetting, performance appraisals or general correspondence, or by using a third-party source such as Facebook or LinkedIn. For other data types, we may obtain it as a result of you being on our premises or using our systems (for example, CCTV footage or IT usage information).

In some circumstances, we may request your explicit consent to process (specific types of) personal data. In these circumstances, you can withdraw your consent at any time by following the instructions provided when you gave consent or at the contact details under Questions and queries below.

Will my personal data be shared with others or transferred to countries outside the EEA?
We will only share your personal data in certain circumstances and where lawful to do so. We may share your personal data with the following third parties and for the following purposes.

• Group companies, For the purposes of handling your application, complying with legal obligations, otherwise administrate the relationship and providing the group with information. Access rights between members of our company group are limited and granted only on a need to know basis, depending on job functions and roles. In addition, your business contact details, photograph, and other information that you make available on our group joint systems may be available across our company group.

• Service providers, We may use third party service providers who provide services such as hosting or “Software as a Service”. In providing the services, your personal data will, where applicable, be processed by the service provider on our behalf. We will check any third party that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your data. We will have written contracts with them which provide assurances regarding the protections that they will give to your data and their compliance with our data security standards and international transfer restrictions. Your personal data may be processed by third party service providers for us to fulfil our obligations towards you or our legal obligations.

• Third parties, Including administrative authorities (tax or social security authorities), financial institutions, insurances, police and public prosecutors as well as external advisors. For the purposes of handling your application, complying with legal obligations and otherwise to administrate our relationship.

• Buyers and potential buyers when divesting parts of Natural Cycles. For the purposes of complying with legal obligations by providing such buyers with accurate and complete information on Natural Cycles.

We may also transfer your personal data we process to a country outside the European Economic Area (”EEA”), for example, when one of our service providers use staff or equipment based outside the EEA or when one of our group companies is based outside of the EEA. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU commission’s model clauses. If you would like to see a copy of any relevant provisions, please contact us as set out in Questions and queries below.

How is my personal data secured?
We operate state of IT security systems to protect the confidentiality, integrity, and availability of your personal data. We have in particular taken appropriate security measures against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data. Access is only granted on a need-to-know basis to those people whose roles require them to process your personal data.

How long will we store your personal data?
Your personal data will only be stored for as long as it is necessary to fulfil the purposes for which it was collected (see above) and in order to comply with applicable laws and regulations. This may mean that some information is held for longer than other information. After 12 months an email will automatically be sent to the candidate informing that their personal information will be retained unless they actively opt-out.

What are my rights under applicable data protection laws?
You have various rights which you can enforce, including the right to be informed in accordance with this Information. Please find below descriptions of your rights.

Right of access

• Subject to certain conditions, you are entitled to have access to your Personal data which we hold (this is more commonly known as submitting a “data subject access request”).
• Requests for such information should be made in writing to dpo@naturalcycles.com. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.
• We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other staff.

Right of data portability

• Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format.
• Requests should be made in writing to dpo@naturalcycles.com. If possible, you should specify the type of information you would like to receive to ensure that our disclosure is meeting your expectations.
• The GDPR does not establish a general right to data portability. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. Hence, it does, as a rule, not apply to personal data that was created by Natural Cycles.

Rights in relation to inaccurate personal or incomplete data

• You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate.
• We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number, immigration status. Please always check first whether self-help tools are available. If no such tools are available, requests should be made in writing to dpo@naturalcycles.com.
• This right only applies to your own personal data. When exercising this right, please be as specific as possible.

Right to object to or restrict our data processing

• Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.
• Requests should be made in writing to dpo@naturalcycles.com.
• This right applies only if the processing of your personal data is explicitly based on our so-called “legitimate interests” (see “basis of processing” above). Objections must be based on grounds relating to your particular situation. They must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data.

Right to have personal data erased

• Subject to certain conditions, you are entitled, on certain grounds, to have your personal data erased (also known as the “right to be forgotten”), e.g. where you think that the information we are processing is inaccurate, or the processing is unlawful
• Requests should be made in writing to dpo@naturalcycles.com.
• There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of exercising or defending legal claims, or (iii) where retention periods apply by law or our statutes

Right to withdrawal

• You have the right to withdraw your consent to any processing for which you have previously given that consent.
• Requests should be made in writing to dpo@naturalcycles.com
• If you withdraw your consent, this will only take effect for the future

Questions and queries

If you have any questions or queries in relation to this Privacy Policy or otherwise regarding data protection, please contact the Recruiting department or the data protection officer by sending an email to dpo@naturalcycles.com.

Changes to this Privacy Policy
We may decide to change this Privacy Policy. If the change is indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or a change which may not be fundamental in terms of the processing operation, but which may be relevant to and impact upon you, then the updated Privacy Policy will be provided to you well in advance of the change actually taking effect. We will post the changes online or send them to you via e-mail so that you will be aware of the changes. When notifying you of such changes, we will also explain what the likely impact of those changes on you will be, if any.