Privacy policy for the nextlane employer branding and recruitment

1. Introduction and Scope

Nextlane group and its affiliated companies (collectively referred to in this Privacy Policy as “Nextlane”, “we”, “us”, or “our”) manage the Group’s employer branding and recruitment processes through our online career portal (the “Career Site”) and a connected applicant tracking system.

The Nextlane Group currently includes the following entities:

NEXTLANE GROUP

COUNTRY

ENTITY

LUXEMBOURG

Asti Luxco Sarl

SPAIN

Nextlane Spain S.L.

Instituto de Marketing Aplicado, S.L.

PORTUGAL

Nextlane Portugal, S.A.

FRANCE

Nextlane France SAS

Tele Mercure Services SAS

KAR Sarl

GERMANY

Nextlane Holding GmbH

Nextlane Germany GmbH

AUSTRIA

Nextlane Austria GmbH

DENMARK

Nextlane Denmark Holding ApS

Carswip ApS

HOLLAND

Nextlane Netherlands B.V.

SWITZERLAND

Nextlane Switzerland AG

SLOVAKIA

Nextlane Slovakia s.r.o

SWEDEN

Nextlane Sweden Holding AB

Nextlane Sweden AB

Depending on the position and the country of recruitment, each of these entities may act as a data controller or a joint controller of your personal data, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data-protection laws.

Unless otherwise specified, references in this Privacy Policy to “Nextlane” mean the relevant entity or entities within the Group responsible for the recruitment process.

You can contact our Data Protection Officer (DPO) at dpo@nextlane.com for any questions regarding this Privacy Policy or the exercise of your data-protection rights.

This Privacy Policy explains how we collect, use, store, and protect your personal data in the following situations:

1. Visitor – when you browse or interact with our Career Site.
2. Connecting Candidate – when you create a profile or subscribe to receive information about current or future job opportunities at Nextlane.
3. Applying Candidate – when you apply for a specific position through our Career Site or a third-party recruitment platform.
4. Sourced Candidate – when we obtain professional information about you from publicly available sources or external partners because we believe your profile may fit a current or future opportunity.
5. Referred Candidate – when one of our employees or business partners shares your profile as a potential fit for a Nextlane role.
6. Reference – when you are listed by a Candidate as a professional reference.

This Privacy Policy also explains your rights under data protection law and how you can exercise them. Unless otherwise stated, the term “Candidate” in this Privacy Policy collectively refers to Connecting, Applying, Sourced, and Referred Candidates.

2. About the Processing of Personal Data

“Personal data” means any information that can directly or indirectly identify a living individual. Examples include your name, email address, phone number, postal address, identification number, or IP address.

“Processing” refers to any activity involving personal data, whether it is done automatically or manually. This includes collecting, recording, organizing, storing, adapting, consulting, using, sharing, combining, restricting, deleting, or destroying personal data.

The use of personal data is governed by data protection laws that set out how organizations may handle this information. Within the European Economic Area (EEA), the main applicable law is the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which defines how companies collect, use, and protect personal data.

Under the GDPR, the data controller is the organization that determines why and how personal data is processed. A data processor is a third party that processes personal data only on behalf of the controller and according to its documented instructions.

For the purposes described in this Privacy Policy, the relevant Nextlane entity or entities listed in Section 1 act as the data controller responsible for the processing of your personal data in connection with recruitment and employer-branding activities. Teamtailor AB acts as our data processor, providing the recruitment platform and related technical services on our behalf.

3. What Personal Data We Process

Depending on your interaction with our Career Site and your participation in our recruitment process, we may process different categories of personal data about you. These categories are grouped below for clarity.

A. Data processed about all individuals (visitors and candidates)

Device and usage data
When you visit our Career Site, we collect information about your device and browsing behavior, such as your IP address, browser type and version, operating system, screen resolution, language preference, session duration, referring URL, traffic source, and approximate geographic location.

Technical and statistical data
We collect aggregated technical information about how you use our Career Site. This includes which pages you visit, navigation paths, click activity, and interactions with features of the site. This information helps us improve our platform and ensure its security and functionality.

Communication data
We keep records of the communications you have with us. This may include the content of emails, messages exchanged through the Career Site or social media, notes from calls or video interviews, feedback surveys, or other correspondence.

Identification and contact details
When you create a profile, contact us, or apply for a position, we collect your name, email address, phone number, and, if applicable, your postal address or other contact details you choose to share.

B. Data processed about candidates

Application and profile information
We process the information you include in your job application or account, such as your résumé (CV), cover letter, education and training details, work experience, language skills, work samples, or portfolio links.

Recruitment process data
We collect information generated during the recruitment process, such as interview notes, assessment results, test outcomes, availability, and salary expectations.

Information from public professional sources
We may review professional information about you available in public sources, for example your LinkedIn profile, public professional networks, or your current employer’s website, when relevant to the position.

Information provided by references or referrers
We process the information we receive from individuals who refer you to us (for example, a Nextlane employee or partner) or from the professional or personal references you list in your application.

C. Sensitive or special categories of data

As a general rule, we do not intentionally collect or request any special categories of personal data (such as health data, racial or ethnic origin, political opinions, or religious beliefs) unless this is strictly necessary for the recruitment process and permitted by applicable law. If such information is provided voluntarily, it will be processed in accordance with Article 9 of the GDPR and protected with enhanced safeguards.

4. Where We Obtain Your Personal Data

Depending on your interaction with us and your role in the recruitment process, we may obtain your personal data from several different sources. These are grouped below for transparency.

A. All individuals

From our Career Site
When you visit our Career Site, we automatically collect certain technical and statistical information through cookies and similar technologies. This includes details about your device, browser, IP address, and how you interact with the site.

Directly from you
Most of the personal data we process is provided directly by you. For example, when you create a candidate profile, submit an application, send us an email, or otherwise communicate with us. You can always choose not to provide optional information, although some data is necessary for us to review your application or respond to your inquiry.

B. References

From the candidate who listed you as a reference
If you have been listed as a reference by a candidate, we will receive your name and contact information from that candidate so that we can contact you in connection with their application.

C. Candidates

From public professional sources
We may collect professional information about you from publicly available sources, such as LinkedIn, professional networks, or your current employer’s public website, when this is relevant to an open or future role.

From internal or external referrers
We may receive information about you from Nextlane employees, business partners, or recruitment agencies who refer you to us because they believe your profile may be a good match for a position at Nextlane.

From the professional or personal references you provide
If you share references as part of your application, we may contact them to obtain information about your professional experience and qualifications.

Data created by Nextlane during the recruitment process
We may also create information about you during the recruitment process, either independently or together with you. This includes notes from interviews, results of assessments or technical tests, and evaluations made by the hiring team. Such information is used only for recruitment-related purposes.

5. For What Purposes We Process Your Personal Data

We process your personal data only for specific, explicit, and legitimate purposes, and always in accordance with applicable data-protection laws. The table below explains each purpose, the categories of individuals affected, the types of personal data used, and the corresponding legal basis under the GDPR.

Purpose of Processing

Categories of Individuals Affected

Categories of Personal Data Used

Legal Basis (GDPR)

1. Manage and evaluate job applications – review profiles, assess qualifications, organize interviews, communicate with candidates, and make recruitment decisions.

Connecting Candidates; Applying Candidates

Identification and contact details; Application and profile information; Recruitment process data; Communication data

Article 6(1)(b) – processing necessary to take steps prior to entering into a contract; Article 6(1)(f) – legitimate interest in managing the recruitment process

2. Maintain candidate profiles and communicate about current or future opportunities – provide job alerts, updates, and relevant information.

Connecting Candidates

Contact details; Communication data

Article 6(1)(a) – consent (subscription to job alerts); Article 6(1)(f) – legitimate interest in maintaining talent pipelines

3. Identify and contact potential candidates (sourcing and referrals) – evaluate profiles obtained from public sources, employees, partners, or agencies.

Sourced Candidates; Referred Candidates

Identification and contact details; Information from public sources; Information from referrers

Article 6(1)(f) – legitimate interest in identifying qualified professionals for recruitment

4. Contact references to verify information provided by candidates.

References

Contact details; Communication data

Article 6(1)(f) – legitimate interest in verifying a candidate’s background

5. Conduct interviews, assessments, and record interviews when necessary for evaluation purposes.

Candidates

Communication data; Recruitment process data

Article 6(1)(b) – steps prior to entering into a contract; Article 6(1)(f) – legitimate interest in ensuring fair and efficient evaluation

6. Conduct satisfaction or feedback surveys regarding the recruitment process.

Candidates

Communication data; Contact details

Article 6(1)(f) – legitimate interest in improving recruitment processes

7. Manage and secure the Career Site – maintain, test, and ensure system performance, integrity, and data security.

Visitors

Device data; Technical and statistical data

Article 6(1)(f) – legitimate interest in ensuring security and functionality of our systems

8. Analyze website usage and performance – improve our Career Site and user experience.

Visitors

Device data; Technical and statistical data

Article 6(1)(a) – consent for cookies and tracking technologies; Article 6(1)(f) – legitimate interest in improving user experience

9. Comply with legal obligations and respond to lawful requests from authorities.

All categories of individuals

All categories of personal data as necessary

Article 6(1)(c) – compliance with legal obligations

10. Protect our rights and interests or those of others – manage disputes, legal claims, or regulatory investigations.

All categories of individuals

All categories of personal data as necessary

Article 6(1)(f) – legitimate interest in establishing, exercising, or defending legal claims

11. Manage corporate transactions – share necessary information in case of mergers, acquisitions, financing, or sale of assets.

All categories of individuals

All categories of personal data as necessary

Article 6(1)(f) – legitimate interest in managing corporate reorganizations or business transitions

6. Whom We Share Your Personal Data With

We share personal data only when necessary for the purposes described above and in compliance with applicable data-protection laws. All recipients are bound by confidentiality and data-processing obligations consistent with the GDPR.

A. Service providers (data processors)

We share your personal data with carefully selected third parties that provide services supporting our recruitment and employer-branding activities, such as:

• Teamtailor AB (recruitment platform provider)
• Assessment and testing providers
• Cloud hosting and IT infrastructure suppliers
• Email and communication system providers

Each service provider acts as a data processor and may only process personal data on behalf of Nextlane under documented instructions and subject to appropriate technical and organizational security measures.

B. Other companies within the Nextlane Group

Your personal data may be shared with other Nextlane Group entities (listed in Section 1) when necessary for internal administrative purposes, recruitment collaboration across countries, or to provide shared IT and HR services.

C. Third-party cookie providers

If you consent to cookies and tracking technologies, certain data may be collected directly by third parties through our Career Site. These providers process data according to their own privacy policies, as described in our Cookie Policy.

D. Public authorities and regulators

We may disclose personal data to public authorities, courts, or regulators when required by law or when necessary to respond to lawful requests, investigations, or proceedings.

E. Legal proceedings and protection of rights

We may share personal data with legal counsel, courts, law enforcement, or other relevant parties if necessary to protect or defend our rights or the rights of others, including in cases of discrimination claims or labor disputes.

F. Corporate transactions

In the event of a merger, acquisition, restructuring, or sale of assets, we may share personal data with potential or actual acquiring entities and their advisers. Such sharing is limited to what is necessary for the transaction and subject to confidentiality obligations.

7. On What Legal Bases We Process Your Personal Data

Under the General Data Protection Regulation (GDPR), every processing activity must rely on a valid legal basis. A legal basis is the justification that allows us to collect and use your personal data in a lawful and fair manner.

The main legal bases we rely on when processing your personal data for the purposes described in this Privacy Policy are the following:

a. Legitimate interest (Article 6(1)(f) GDPR)
Most of the personal data we process is necessary for our legitimate interest in identifying, attracting, and recruiting qualified talent for Nextlane. Before relying on this legal basis, we carefully assess that:

• the processing is necessary to achieve our recruitment and employer-branding objectives,
• our legitimate interest is balanced against your privacy rights and freedoms, and
• the processing is proportionate to its purpose.
  You can contact us at dpo@nextlane.com if you would like to obtain additional information about how this balancing test was carried out.

b. Contractual necessity (Article 6(1)(b) GDPR)
When you apply for a specific position or communicate with us regarding a potential employment relationship, the processing of your personal data is necessary to take steps at your request before entering into a contract.

c. Legal obligation (Article 6(1)(c) GDPR)
In certain cases, we may need to process or disclose your personal data to comply with legal or regulatory requirements, such as reporting obligations or responding to lawful requests from public authorities.

d. Consent (Article 6(1)(a) GDPR)
In specific situations, we process your personal data only after obtaining your explicit consent. This may occur, for example, if we ask to record an interview or to keep your profile in our talent pool for future opportunities. You may withdraw your consent at any time by contacting us at dpo@nextlane.com, without affecting the lawfulness of processing carried out before withdrawal.

8. International Transfers of Personal Data

We always strive to process your personal data within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers or their parent companies operate in countries outside the EU/EEA, which means your personal data may be transferred to or accessed from those locations.

When personal data is transferred outside the EU/EEA, we ensure that it remains protected by implementing one of the safeguards recognized by the GDPR:

a. Adequacy decisions
We rely on decisions adopted by the European Commission confirming that a non-EU/EEA country provides an adequate level of data protection equivalent to the GDPR. In particular, we may rely on:

• the EU-US Data Privacy Framework for transfers to certified organizations in the United States, and
• the adequacy decision for the United Kingdom.

b. Standard Contractual Clauses (SCCs)
When no adequacy decision applies, we enter into the European Commission’s Standard Contractual Clauses with the recipient of the data. These clauses ensure that your personal data continues to receive the same level of protection as within the EU/EEA.

c. Additional safeguards
Depending on the nature of the transfer, we may also apply additional technical and organizational security measures, such as encryption, pseudonymization, access restrictions, or internal data-minimization controls. These measures are designed to prevent unauthorized access or disclosure.

d. Transfers within the Nextlane Group
When personal data is shared among entities of the Nextlane Group (as listed in Section 1) located outside the EU/EEA, those transfers are governed by intra-group data-transfer agreements based on the EU Standard Contractual Clauses and subject to the same high level of protection.

You can request further details about the safeguards we apply to international transfers by contacting our Data Protection Officer at dpo@nextlane.com.

9. How Long We Keep Your Personal Data

We retain personal data only for as long as it is needed for the purposes described in this Privacy Policy or as required by law. Retention periods may differ depending on the type of data and the context in which it was collected.

All individuals
If we process personal data to protect or enforce our legal rights, we keep it until the relevant matter has been fully and finally resolved.

Visitors
We keep visitor-related data for up to one (1) year for security and auditing purposes. Retention periods for cookies and similar technologies are specified in our Cookie Policy. Usage data collected for analytics is stored for as long as we maintain a profile of your interaction with our Career Site or as long as required for security monitoring.

Connecting Candidates
If you create a profile or subscribe to receive updates about job opportunities, we keep your data until you unsubscribe or delete your profile, or for a maximum of twenty-four (24) months after your last interaction, whichever occurs first.

Applying, Sourced, and Referred Candidates
We retain application-related data for as long as necessary to assess your candidacy for the position you applied for. If you are not selected, we may keep your data for up to twenty-four (24) months to consider you for future opportunities, unless you ask us to delete it sooner.

Hired Candidates
If you are hired, your data becomes part of your employee file and will be processed in accordance with Nextlane’s employee privacy policy.

References
We keep the personal data of a reference for as long as we retain the candidate’s data for whom the reference was provided.

After the relevant retention period expires, personal data is securely deleted or anonymized so it can no longer be linked to an identifiable individual.

10. Your Rights and How to Exercise Them

Under the GDPR, you have several rights regarding how we process your personal data. Some rights apply only in certain circumstances, depending on the legal basis used.

You can exercise your rights in the following ways:

• By visiting the Data & Privacy section on our Career Site;
• By logging in to your candidate account and using the available privacy settings; or
• By contacting our Data Protection Officer directly at dpo@nextlane.com.

Right to be informed
You have the right to receive clear and transparent information about how we use your personal data. This Privacy Policy and any updates published on our Career Site serve that purpose.

Right of access
You can request confirmation of whether we process your personal data and receive a copy of the information we hold about you, together with an explanation of how it is used.

Right to data portability
When processing is based on your consent or on a contract with you, you can request a copy of your personal data in a structured, commonly used, machine-readable format or ask us to transfer it directly to another controller, when technically feasible.

Right to rectification
You can ask us to correct inaccurate personal data or complete information you believe is incomplete.

Right to erasure (“right to be forgotten”)
You can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when you object and there are no overriding legitimate grounds for continued processing.

Right to object
You may object to processing based on our legitimate interests at any time by explaining your particular situation. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to restrict processing
You may ask us to limit processing of your personal data while we verify its accuracy, assess an objection, or if the processing is unlawful and you prefer restriction instead of deletion. When processing is restricted, we will store your data but not use it except as required by law or to defend legal claims.

Right to withdraw consent
When processing is based on your consent, you can withdraw that consent at any time by emailing dpo@nextlane.com. Withdrawal does not affect processing carried out before the withdrawal.

Right to lodge a complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You can contact the Commission Nationale de l’Informatique et des Libertés (CNIL) in France or your local data-protection authority in the EU. A list of EU authorities is available here. If you are located in the UK, you can contact the Information Commissioner’s Office (ICO) at ico.org.uk.

11. How to Contact Us

If you have questions, comments, or concerns about how Nextlane processes your personal data, or if you wish to exercise any of your data-protection rights, please contact our Data Protection Officer (DPO) at:

• Email: dpo@nextlane.com

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect new processing activities, clarify information, or comply with changes in applicable law. When significant updates are made, we will notify you through our Career Site before the changes take effect.

The date of the latest revision appears at the top of this page. We encourage you to review this Privacy Policy regularly to stay informed about how we protect your personal data.

Date of publication: 07-06-2024

We at nextlane manage our employer branding and recruitment process through our career site (the “Career Site”), and by using a related applicant tracking system.

In this privacy policy, we explain how we process your personal data if:

1. You visit our Career Site (you being a “Visitor”)
2. You connect with us via our Career Site, to create a profile with us and receive information about current or future vacancies with us (you being a “Connecting Candidate”)
3. You apply for a position with us, via our Career Site or a third party service (you being an ”Applying Candidate”)
4. We collect information about you from other parties, sites and services, since we believe your profile is of interest for our current or future vacancies (you being a “Sourced Candidate”)
5. We receive information about you from our employees or partners, since they believe your profile is of interest for our current or future vacancies (you being a “Referred Candidate”)
6. We receive information about you from a Candidate, who lists you as their reference (you being a “Reference”).

This privacy policy also describes what rights you have when we process your personal data, and how you can exercise these rights.

When we use the term “Candidate” in this privacy policy, we are referring to each of Connecting Candidates; Applying Candidates; Sourced Candidates; and Referred Candidates, unless it’s stated otherwise.

1. About processing of personal data

Personal data is all information that can be directly or indirectly linked to a living, physical person. Examples of personal data are: name, e-mail address, telephone number and IP address. Processing of personal data is any automated use of personal data - such as collecting, creating, analyzing, sharing, and deleting personal data.

There are laws and regulations on how companies may process personal data, so-called data protection laws. Different data protection laws apply to different types of use of personal data, and in different parts of the world. An example of a data protection law that is relevant for our use of your personal data, as described in this privacy policy, is the EU Data Protection Regulation (2016/679, “GDPR”).

Most obligations under the GDPR apply to the so-called data controller. A data controller is the entity that decides for which purposes personal data will be processed, and how the processing will be executed. The data controller can use a so-called data processor. A data processor is an entity that is only allowed to process personal data as instructed by the data controller, and may not use the personal data for its own purposes.

We are the data controller when we process your personal data as described in this Privacy policy.

2. What personal data do we process?

All individuals

• Device information - If you visit our Career Site, we will collect information about your device, such as IP address, browser type and version, session behaviour, traffic source, screen resolution, preferred language, geographic location, operating system and device settings/usage.
• Technical and statistical data - If you visit our Career Site, we will collect technical and statistical data about your use of the site, such as information about which URLs you visit, and your activity on the site.
• Communications data - We will collect and store your communication with us, including the information you provided in the communication. This may include the content of emails, video recordings, messages on social media, the information you add to your account with us, surveys, etc.
• Contact details - Such as your name, email address, telephone number and physical address.

Candidates

• Data from interviews, assessments and other information from the recruitment process - Such as notes from interviews with you, assessments and tests made, salary requirements.
• Information in your application - Such as your CV, cover letter, work samples, references, letters of recommendation and education.
• Information in your public profile - Meaning the information we collect about you from public sources related to your professional experience, such as LinkedIn or the website of your current employer.
• Information provided by references - Meaning the information we receive from our employees or partners who refer you to us, or by the persons you have listed as your references.

3. Where do we receive your personal data from?

All individuals

• From the Career Site. If you visit our Career Site, we collect technical and statistical information about how you use the Career Site, and information from your device.
• Directly from you. Most of the information we process about you, we receive directly from you, for example when you apply for a position with us or connect with us. You can always choose not to provide us with certain information. However, some personal data is necessary in order for us to process your application or provide you the information you request to get from us.

References

• From the person for whom you are a reference. If a Candidate lists you as their reference, we will collect your contact details from the candidate to be able to contact you.

Candidates

• From public sources. We may collect personal data about you from public sources, such as LinkedIn or the website of your current employer.
• From our references. We may receive information about you from our employees or partners (such as recruitment service providers), when they believe your profile is of interest for our current or future vacancies.
• From your references. If you provide us with references, we may collect information about you from them.
• Data we create ourselves or in cooperation with you. Information about your application and profile is usually created by us, or by us in cooperation with you, during the recruitment process. This may for example include notes from interviews with you, assessments and tests made.

4. For what purposes do we process your personal data?

Protect and enforce our rights, interests and the interests of others, for example in connection with legal claims.

Affected individuals: The individual(s) affected by the legal issue - this may include persons from all categories of individuals listed above.

Categories of personal data used: All the categories of personal data listed above can be used for this purpose.

Share your personal data with other recipients, for the purposes mentioned in Section 5 below.

Affected individuals: Varies depending on the purpose of the sharing, see Section 5 below.

Categories of personal data used: All the categories of personal data listed above may be used for this purpose.

Collect information about your use of the Career Site, using cookies and other tracking technologies, as described in our Cookie Policy.

Affected individuals: Visitors.

Categories of personal data used: Device information.

Maintain, develop, test, and otherwise ensure the security of the Career Site.

Affected individuals: Visitors.

Categories of personal data used: Device information; Technical and statistical data.

Analyse how the Career Site and its content is being used and is performing, to get statistics and to improve operational performance.

Affected individuals: Visitors.

Categories of personal data used: Device information; Technical and statistical data.

Provide you with updates about vacancies with us.

Affected individuals: Connecting Candidates.

Categories of personal data used: Contact details; Communications data.

Review profiles and applications sent to us. This also includes communicating with you about your application and profile.

Affected individuals: Connecting Candidates; Applying Candidates.

Categories of personal data used: All the categories of personal data listed above may be used for this purpose.

Collect and evaluate your professional profile on our own initiative. This also includes communicating with you regarding your profile.

Affected individuals: Sourced Candidates; Referred Candidates.

Categories of personal data used: All the categories of personal data listed above may be used for this purpose.

Contact you directly about specific, future vacancies with us.

Affected individuals: Candidates.

Categories of personal data used: All the categories of personal data listed above may be used for this purpose.

Record the interview(s) with you.

Affected individuals: Candidates.

Categories of personal data used: Communications data.

Contact you to ask for your participation in surveys

Affected individuals: Candidates.

Categories of personal data used: All the categories of personal data listed above may be used for this purpose.

Contact you to ask you to provide information about a Candidate, and evaluate the information you provide.

Affected individuals: References.

Categories of personal data used: Contact details; Communications data.

5. Whom do we share your personal data with?

Our service providers. We share your personal data with our suppliers who provide services and functionality in our employer branding- and recruitment process. For example, this includes recruitment service providers and the supplier of our Career Site and related applicant tracking system.

Our group companies. We share your personal data with our group companies, when they provide us services and functionality to our employer branding- and recruitment process, such as access to particular systems and software.

Companies providing cookies on the Career Site. If you consent to it, cookies are set by other companies than us, who will use the data collected by these cookies in accordance with their own privacy policy. You can find information about which cookies this applies to in our Cookie Policy.

To authorities and other public actors - when we are ordered to do so. We will share your personal data with authorities and other public actors when we have a legal obligation to do so.

To parties involved in legal proceedings. If needed to protect or defend our rights, we share your personal data with public authorities or with other parties involved in a potential or existing legal proceeding. This can for example be in case of discrimination claims.

Mergers and acquisitions etc. In connection with a potential merger, sale of company assets, financing, or acquisition of all or part of our business to another company, we may share your personal data to other parties involved in the process.

6. On what legal bases do we process your personal data?

To be able to process your personal data, we need to have a so-called legal basis. A legal basis is a reason for processing the personal data that is justified under the GDPR.

When we process your personal data for the purposes described in this Privacy Policy, the legal basis we rely on is normally that the processing is necessary for our legitimate interest in being able to recruit talent with the relevant competence for us. We have concluded that we have a legitimate interest in being able to perform the personal data processing for this purpose; that the processing is necessary to achieve that purpose; and that our interest outweighs your right not to have your data processed for this purpose.

You can contact us for more information about how this assessment was made. See Section 9 and 10 below for our contact information.

There may be specific circumstances when the processing is only performed if and when you provide your consent to the processing. This is for example the case if we propose to record an interview with you. Please see Section 9 below for more information about your right to withdraw your consent.

7. When do we transfer your personal data outside of the EU/EEA, and how do we protect it then?

We always strive to process your personal data within the EU/EEA area.

However, some of our service providers process your personal data outside of the EU/EEA. We also use suppliers whose parent company, or whose subcontractor’s parent company, is based outside the EU/EEA. In these cases, we have taken into account the risk that the personal data may be disclosed to countries outside the EU/EEA, for example because of an authority request.

In cases where another recipient of your personal data (as described in Section 5 above) is based outside the EU/EEA, this will also mean that your personal data is transferred outside the EU/EEA.

When we, or one of our suppliers, transfer your personal data outside the EU/EEA, we will ensure that a safeguard recognized by the GDPR is used to enable the transfer. We use the following safeguards:

• A decision by the EU Commission that the country outside of the EU/EEA to which your personal data is transferred has an adequate level of protection, which corresponds to the level of protection afforded by the GDPR. In particular, we rely on the EU Commission’s adequacy decision for the US via the so-called EU-US Data Privacy Framework, and the adequacy decision for the UK.
• Entering into the EU Commission’s standard clauses with the recipient of the personal data outside the EU/EEA. This means that the recipient guarantees that the level of protection for your personal data afforded by the GDPR still applies, and that your rights are still protected.

When your personal data is transferred outside the EU/EEA, we also implement appropriate technical and organizational safeguards, to protect the personal data in case of a disclosure. Exactly which protective measures we implement depends on what is technically feasible, and sufficiently effective, for the particular transfer.

If you want more information about the cases in which your personal data is transferred outside the EU/EEA you can contact us using the contact details in Section 9 and 10 below.

8. For how long do we keep your personal data?

All individuals

If we process your personal data for the purpose of being able to protect and enforce our rights, we will keep your personal data until the relevant legal issue has been fully and finally resolved.

Visitors

We keep your personal data for one (1) year for security purposes. The retention periods for cookies are set out in our Cookie Policy. We keep your personal data to analyse the performance of the Career Site for as long as we keep personal data about you for other purposes.

Candidates

If you are a Connecting Candidate (only), we keep your personal data for as long as you remain connected with us.

For other types of Candidates, we keep your personal data to decide if you are a suitable candidate for the relevant vacancy(ies) with us.

If you don’t succeed in the initial recruitment process, we keep your personal data for as long as needed to consider, and potentially contact you, for relevant future job openings.

If you are hired, we will keep your personal data during your employment, for other purposes than those stated above, which you will be informed of.

References

We keep your personal data for as long as we keep the personal data of the Candidate for whom you acted as a reference.

9. What rights do you have, and how can you exercise them?

In this section, you will find information about the rights you have when we process your personal data. As described below, some of the rights only come into play when we process your personal data under a particular legal basis.

If you want to exercise any of the rights listed here, we suggest that you:

• Visit the Data & Privacy page on our Career Site, where we offer features to let you exercise your rights;
• Log in to your account with us, where you can use the settings in the account to exercise your rights; or
• Contact us directly at generated-manager@nextlane-demo.com.

Right to be informed

You have the right to be informed about how we process your personal data. You also have the right to be informed if we plan to process your personal data for any purpose other than that for which it was originally collected.

We provide you with such information through this privacy policy, through updates on our Career Site (see also Section 11 below), and by answering any questions you may have for us.

Right to access your personal data.

You have the right to know if we process personal data about you, and to receive a copy of the data we process about you. In connection with receiving the copy of your data, you will also receive information about how we process your personal data.

Right to access and to request a transfer of your personal data to another recipient (“data portability”).

You can request a copy of the personal data relating to you that we process for the performance of a contract with you, or based on your consent, in a structured, commonly used, machine-readable format. This will allow you to use this data somewhere else, for example to transfer it to another recipient. If technically feasible, you also have the right to request that we transfer your data directly to another recipient.

Right to have your personal data deleted (“right to be forgotten”).

In some cases, you have the right to have us delete personal data about you. This is for example the case if it’s no longer necessary for us to process the data for the purpose for which we collected it; if you withdraw your consent; if you have objected to the processing and there are no legitimate, overriding justifications for the processing. (For the separate right to object, see below.)

Right to object against our processing of your personal data.

You have the right to object to processing of your personal data which is based on our legitimate interest, by referencing your personal circumstances.

Right to restrict processing.

If you believe that the personal data we process about you is inaccurate, that our processing is unlawful, or that we don’t need the information for a specific purpose, you have the right to request that we restrict the processing of such personal data. If you object to our processing, as described just above, you can also request us to restrict processing of that personal data while we make our assessment of your request.

When our processing of your personal data is restricted, we will (with the exception of storage) only process the data with your consent or for the establishment, exercise or defence of legal claims, to protect the rights of another natural or legal person, or for reasons relating to an important public interest.

Right to rectification.

You have the right to request that we rectify inaccurate information, and that we complete information about you that you consider incomplete.

Right to withdraw your consent.

When we process your personal data based on your consent, you have the right to withdraw that consent at any time. If you do so, we will stop processing your data for the purposes you’ve withdrawn your consent for. However, it doesn’t affect the lawfulness of processing that was based on your consent before it was withdrawn.

Right to raise a complaint.

If you have complaints about our processing of your personal data, you can raise a complaint with the data protection authority in Spain. You can find their contact details here.

You can also lodge a complaint with your national data protection authority, which you can find listed here if you are based in the EU. If you are based in the UK, you can lodge a complaint with the Information Commissioner’s Office, here.

10. Where can you turn with comments or questions?

If you want to get in touch with us to exercise your rights, or if you have any questions, comments or concerns about how we handle your personal data, you can reach us by sending an email to generated-manager@nextlane-demo.com.

11. Updates to this Privacy policy

We update this privacy policy when necessary - for example, because we start processing your personal data in a new way, because we want to make the information even clearer to you, or if it’s necessary to do so in order to comply with applicable data protection laws.

We encourage you to regularly check this page for any changes. You can always check the top of this page to see when this privacy policy was last updated.