GDPR INFORMATION CLAUSE FOR CANDIDATES (RECRUITMENT PROCESS)

[EN] INFORMATION ON PERSONAL DATA PROCESSING AND PROTECTION BY MAXIMA EUROPE SP. Z O.O. (GDPR)

KLAUZULA INFORMACYJNA RODO DLA KANDYDATÓW (PROCES REKRUTACJI)

Due to the obligations arising from the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, we are presenting the rules for processing applicants' data during the recruitment process.

[Personal Data Controller]

The controller of personal data is Maxima Europe sp. z o.o. with its registered seat in Kraków (30-305), Wasilewskiego Street 20/6, KRS No. 0000589963 (hereinafter referred to as Controller). We build a database of candidates'  data by recruiting for our purposes (internal recruitment) as well as external recruitment, i.e. looking for candidates to work for third parties (hereinafter referred to as the Clients).


If you have any concerns regarding the processing of your data in the recruitment process, you may contact us by email at: [email protected].

[Sources of Personal Data]

Recruitment may be initiated by you, e.g. by sending your CV via the application form provided at https://careers.maximaconsulting.com/#/. Applications can also be submitted via LinkedIn (LinkedIn's privacy policy is available at https://pl.linkedin.com/legal/privacy-policy?_l=pl_PL#collect. The provision of personal data is voluntary but necessary for the recruitment process.

The Controller may also initiate recruitment on his own, which involves the obtaining of personal data from other sources. The Controller searches for publicly available data in business-related social networks (e.g. LinkedIn), e.g. with regard to work experience, positions held, education, publications, and knowledge of foreign languages. After searching for your profile, the Controller may contact you and present you with a proposal for cooperation. 

We may also obtain your personal data of candidates from our employees or contractors by the referral system. The Controller may also obtain personal data on the basis of a contract with a recruitment agency.

[Purposes of processing personal data]

Candidates’ personal data will be processed for the following purposes:

  1. contacting for the purpose of the recruitment process (internal or external recruitment);

  2. assessing the qualifications of abilities and skills and to work in the applied position (at the Client’s or Controller’s);

  3. to select the most suitable person to work for the Controller or the Client.

Personal data will not be profiled or subjected to automated (non-human) decision-making processes.

[The basis for processing personal data]

Employment contract with the Controller:

The legal basis for the processing of personal data of candidates for employment under the employment contract is:

  1. the provision of the law (Article 22(1) § 1 of the Polish Labour Code) and the processing needed for the conclusion of the employment contract – in terms of the following data: name and surname; date of birth; contact details indicated by the job candidate, education; professional qualifications; course of previous employment (Article 6 item (1) point I of the GDPR);

  2. the necessity of the processing for the conclusion of a contract of employment and the data are processed at your request (Article 6 item (1) point (b) of the GDPR);

  3. consent to the processing of the data provided in your CV and cover letter, in a broader scope than that provided by the Polish Labour Code, i.e. other than: first and last name; date of birth; contact details indicated by the job candidate, education; professional qualifications; past employment (Article 6 item (1) point (a) of the GDPR). Providing these personal data is voluntary (not necessary to participate in the recruitment process), but they may be taken into account in the assessment of the candidacy;

  4. the legitimate interest of the Controller in connection with the assertion or defense against claims (Article 6 item (1) point (f) of the GDPR);

  5. the Controller’s legitimate interest in personal data collected from other sources (e.g. LinkedIn database) as part of recruitment initiated by the Controller (Article 6 item (1) point (f) of the GDPR);

  6. consent to the processing of data for the purposes of future recruitment, as well as for the purpose of building the Controller’s own database (Article 6 item (1) point (a) of the GDPR).

Other contract with the Controller (commission, b2b):

The legal basis for the processing of personal data of job candidates under a contract other than a contract of employment (e.g. B2B) is:

  1. the necessity of the processing for the conclusion of the contract, in which case the data are processed at your request (Article 6 item (1) point (b) of the GDPR);

  2. the legitimate interest of the Controller with regard to personal data collected from other sources (e.g. from the LinkedIn database) as part of recruitment initiated by the Controller, including in connection with ongoing correspondence using tools provided by LinkedIn, as well as undertaking its own marketing activities (Article 6 item (1) point (f) of the GDPR);

  3. the legitimate interest of the Controller in connection with the investigation or defense against claims (Article 6 item (1) point (f) of the GDPR);

  4. consent to the processing of data for the purposes of conducting future recruitment, as well as building its own database of candidates (Article 6 item (1) point (a) of the GDPR).

Contract with the Client:

The legal basis for processing personal data of candidates for employment with Clients:

  1. consent to the processing of data for the purposes of conducting recruitment, as well as building its own database of candidates (Article 6 item (1) point (a) GDPR);

  2. the Controller’s legitimate interest in personal data collected from other sources (e.g. from the LinkedIn database) as part of recruitment initiated by the Controller, including in connection with ongoing correspondence using tools provided by LinkedIn, as well as undertaking its own marketing activities (Article 6 item (1) point (f) of the Controller;

  3. the Controller’s legitimate interest in connection with the assertion or defense against claims (Article 6 item (1) point (f) of the GDPR).

[Personal Data Retention Period]

Personal data will be processed until the end of the recruitment process for the position applied for. If you consent to the processing of your personal data for the purposes of future recruitment, as well as building your own database of candidates, your data will be processed for a period of three years from the moment of submitting the application. The period of personal data processing may be extended in case the processing is necessary to determine, pursue or defend against possible claims, and after that time only in the case and to the extent required by law.

[Recipients of data and transferring the data to a third countries]

Personal data will be shared with:

  1. Clients (potential employers or recipients of employee outsourcing services), based on consent - Article 6 item (1) point (a) of the GDPR). At the initial stage of the recruitment process inform what is the Client's business profile. At this step, we do not provide the Client with all the data, but only your name and surname, as well as information about your professional experience, skills. If the Client is interested in the candidacy, we will provide detailed information about the Client and ask for your consent to share the full details with the Client to further the recruitment process;

  2. companies that are affiliated by capital or personal relationship to assist us in the recruitment process: Maxima Consulting Inc. (USA) and Maxima IT Consulting India Private Limited (India), based on the Controller's legitimate interest. The Controller has entered into a tripartite agreement with these companies, based on the legal instrument provided for by the GDPR, in the form of standard contractual clauses (SCC), adopted by the European Commission based on the implementing decision of 4 June 2021. If you wish to review the agreement, please be advised that they are available for review at the Controller, which allows you to review this document, according to an internal procedure.

In addition, personal data will be shared with the IT software provider used in the recruitment process (Bullhorn Inc.). Bullhorn's servers are located in the United Kingdom. By the decisions of the European Commission dated 28 June 2021, the UK provides an adequate level of protection for personal data, equivalent to that guaranteed under the GDPR.

We also transfer personal data to IT service providers (hosting), law firms, accounting firms Personal data may also be transferred to companies running application services where we post job offers (e.g. pracuj.pl, No Fluff Jobs). The hosting of the Maxima website is provided by the company: Linode, Inc. The website servers are located in EU (Frankfurt). 

The Controller uses the Google Workspace service, based on the servers of Google Inc. As a result, personal data is transferred to a third country (USA). The transfer of personal data to a third country is based on the mechanism provided by GDPR, as the data are adequately protected using Standard Contractual Clauses (“SCC”). If you wish to review the SCCs, please be advised that they are available for review at the Controller, which allows you to review this document, according to an internal procedure.

[Rights of data subjects]

You have the following rights concerning the processing of personal data under GDPR:

  1. the right to withdraw consent to the processing of personal data at any time (to the extent that personal data are processed based on consent). Withdrawal of consent does not affect the lawfulness of the processing that was carried out based on consent before its withdrawal;

  2. the right to obtain information, access to your data, the right to request rectification of your data;

  3. the right to request the erasure of your data (the so-called ‘right to be forgotten’);

  4. the right to request the restriction of the processing of your data;

  5. the right to object to the processing of your data due to your particular situation (in cases where the Controller processes data based on the Controller's legitimate interest);

  6. the right to portability of your data, i.e. the right to receive your data from us, in a structured, commonly used IT format suitable for machine-reading (to the extent that the processing is based on a contract or consent);

  7. the right to complain to the supervisory authority: President of the Office for Personal Data Protection.

In the event of discrepancies between language versions, the Polish version of this document shall prevail.