Privacy Notice

Introduction

This Privacy Notice has been prepared by Cybernetica AS (registered in the Republic of Estonia with registry code 10140133, located at Mäealuse tn 2/1, 12618 Tallinn, Republic of Estonia; hereinafter “Cybernetica”, “we”, “us” or “our”) to inform the candidate (hereinafter “Data Subject”, “you” or “your”) about the processing of personal data when recruiting staff.

In the Privacy Notice we explain:

• what personal data we process when recruiting staff;
  
• the purposes for which the processing takes place;
  
• what are the candidate’s rights in relation to the personal data we process.
  

Cybernetica as the Controller

Cybernetica shall request from the Data Subject and, if necessary, from other sources, only such personal data in the extent necessary to find a suitable employee (hereinafter referred to as the “Purpose”) and for the processing of which there is a legal basis.

This includes:

• processing for pre-contractual measures at the request of the Data Subject and processing on the basis of a legitimate interest – in order to reach a contractual relationship with you, we must assess your qualifications and suitability for the position you are applying for in advance. We will only ask you for information that is necessary in the recruitment decision phase and that we have a legitimate interest in as your potential employer in relation to the nature of the specific employment relationship and the requirements of the position to be filled. We may also view information that has been disclosed under the law, including public records, court decisions, official notices and journalistic texts, and information that you yourself have disclosed as the Data Subject on publicly available social networks (such as LinkedIn), blogs or elsewhere on the Internet. We may also contact you to gather feedback on the recruitment process.
  
• processing with the consent of the Data Subject – depending on the specifics of the position or specific job, in some cases it may be necessary to request information about you from non-public sources, such as the criminal records database or your former employer, in which case we will ask for your consent. If you do not give your consent, it should be taken into account that we may be unable to enter into an employment contract (or other contract) with you. We may also ask for your consent so that we can analyse the data collected about you during the recruitment process, to find suitable positions for you when they are vacated or created in the future, if you are not selected this time.
  

Cybernetica refrains from:

• the processing of specific types of personal data which reveal one’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health data and data concerning one’s sexual life and sexual orientation. Processing may be unavoidable to a certain extent if the data in question is obvious and has been disclosed by the Data Subject, but Cybernetica follows all of the principles governing the processing of personal data.

Recipients

Processors – Cybernetica, as the controller, may, if necessary, grant the right to use personal data to processors who have the right to use the data only for the purpose of performing the contract with Cybernetica (e.g. recruitment companies). If Cybernetica decides to use processor on a permanent basis, it shall list the processor in Cybernetica’s Register of Personal Data Processing Operations, to which the Data Subject shall be ensured access.

Rights of the Data Subject

Data subjects have certain rights concerning their personal data and controllers have an obligation to enable these rights to be exercised. In situations where Cybernetica decides how and why personal data is processed, Cybernetica is the controller and must provide further information on the rights of data subjects and the use thereof.

• Access to personal data – the Data Subject has the right to access his or her personal data that is being held by Cybernetica as the controller.
  
• Correction of personal data – the Data Subject has the right to request the correction of his or her personal data that is being held by Cybernetica as the controller. Once Cybernetica has been informed that the personal data it is processing in its capacity as controller is no longer up-to-date and that changing that data is practically possible, Cybernetica will make corrections, if necessary, on the basis of the updated information provided to Cybernetica.
  
• Deletion of personal data – the Data Subject has the right to request the deletion of his or her personal data if this is justified due to a specific situation. In such a case, Cybernetica will delete the personal data, unless it demonstrates that there is a valid legal basis for processing or imposing, using or protecting legal requirements.
  
• Restrictions on or the submitting of objections to the processing of personal data – The Data Subject has the right to restrict or object to the processing of his or her personal data at any time, if this is justified by a specific situation. In such a case, Cybernetica shall refrain from the further processing of personal data or shall restrict the processing of personal data, unless it is able to demonstrate that there is a valid legal basis for the processing or the establishment, use or protection of legal requirements.
  
• Information on the transfer of personal data – The Data Subject has the right to request information on the possibility of transferring his or her personal data in a structured, commonly used, machine-readable and interoperable format. If this is technically feasible, the Data Subject has the right to transfer personal data directly from one controller to another; however, it should be borne in mind that controllers are not obliged to adopt or maintain technically compatible data processing systems.
  
• Withdrawal of consent – If Cybernetica is processing personal data with consent, the Data Subject shall have the right to withdraw his or her consent at any time.
  

If the Data Subject wishes to submit a request to Cybernetica to exercise the above right(s), please send a relevant e-mail to the address data-protection@cyber.ee.

Complaints

If the Data Subject wishes to submit a complaint to Cybernetica regarding the use of his or her personal data, please send a relevant e-mail to the address data-protection@cyber.ee.

In addition, the Data Subject always has the right to file a complaint with the Estonian Data Protection Inspectorate or apply to a court.

Safeguards

Organizational, physical and IT security measures have been implemented to protect personal data in accordance with ISO/IEC 27001:2013 requirements to protect data from unintentional or unauthorized processing, disclosure or destruction. These measures cover the entire organization, including people, information, infrastructure and equipment.

Data Retention

Cybernetica retains personal data until the necessary purpose has been achieved or until the statute of limitations for any legal claim has expired.

Contact Data

The contact persons for the processing of personal data are Head of HR, Head of IT and the lawyer. Supervision shall be performed by the Head of Information Security.

If you have questions about the Privacy Notice or how and why we process personal information, please contact us:

• Address: Mäealuse 2/1, 12618 Tallinn, Estonia
  
• E-mail: data-protection@cyber.ee
  
• Telephone: +372 639 7991