PRIVACY POLICY FOR RECRUITMENT
ENERTIS APPLUS
1. GENERAL
It is important that the possible candidates using the Service ("Users”) feel safe with and are informed about how their User's personal data is handle in the recruitment process in order to maintain the highest possible standard regarding the protection of personal data. This document is the Privacy Policy for the process, manage, use, and protect User's Personal Data ("Privacy Policy").
1.1. Data Controller
Enertis Solar, S.L.U. (hereinafter, “Enertis Applus” or the "Data Controller”) is the Data Controller in accordance with current privacy legislations.
1.2. Main Purpose
The Users’ personal data is processed with the purpose of managing and facilitating recruitment of employees to Enertis Applus business.
Enertis Applus is responsible for the processing of the personal data that Users provide to Enertis Applus, or personal data that Enertis Applus in other ways collects in connection with the Application Traking System (“ATS”).
1.3. When and how we collect personal data
Enertis Applus collects personal data from Users when they:
• submit an application through the ATS or otherwise by adding personal data about themselves, either personally or by using a third-party source such as Facebook or LinkedIn;
• use the ATS to connect with Enertis Applus’ staff by adding personal data about themselves, either personally or by using a third-party source such as Facebook or LinkedIn.
• provide identifiable data in the chat (provided through the website used by the ATS and such data is relevant to the application procedure.
Enertis Applus collects data from third parties, like trough job portal such as Infojobs or LinkedIn, social networks, professional associations, educational centres, employment services, associations, foundations, recruitment consultancies, outplacement companies, employment agencies, employment promotion programmes, and through other public sources. This is called “sourcing” and can be done manually by our employees or automatically in the ATS.
In some cases, existing employees can make recommendations about potential applicants. Such employees will add personal data about such potential applicants. When this is done, the potential applicant is considered a User in the context of this Privacy Policy and will be informed about the processing.
1.4. The types of personal data collected and processed
The categories of personal data that can be collected through the ATS are:
a) Personal data and contact information: first name(s), surname(s), personal email address, telephone number, home address, date of birth, tax identification number/ NIE/Passport/driving license and photograph, gender and hobbies;
b) Family information, children, children’s age, marital status;
c) Remuneration data (banks details, basic salary, bonuses, benefits, social security number and tax code);
d) Work and employment history: current job description, position, salary schedule, salary level, department, location, supervisor(s) and subordinate(s), employment history and work history report, and registration with the “Servicio Público de Empleo”;
e) Talent, recruitment and application data, education and training data (data included in cover letters and CVs, references, educational history, academic record, academic qualifications or school completion certificates, professional qualifications, languages and other relevant competencies, data on performance management qualifications, development plan and transfers;
f) In the case of language and/or psychometric tests, the results of such tests;
g) Special categories of data:
o Degree and certificate of disability, to the extent that you voluntarily submit the information to Enertis Applus. Please note Enertis Applus does not ask for information that may be considered “sensitive data” (e.g. degree of disability). However, if you decide, at your own discretion, to voluntarily submit such information in order for Enertis Applus to take it into consideration when assessing your application, such information will be used for this purpose. By submitting such information to Enertis Applus, you consent to the collecting and processing such “sensitive data” for these purposes.
o Psycho-technical test results, as provided by the service provider appointed for this purpose by Enertis Applus.
Only data that is relevant for the recruitment process is collected and processed.
1.5. Purpose and lawfulness of processing
The purpose of collecting and processing personal data is the management of recruitment. The lawfulness of the processing of personal data is our legitimate interest to simplify and facilitate recruitment.
The purpose is to assess your application in relation to ongoing recruitment processes, as well as in the context of future processes in relation to any vacancies that Enertis Applus needs to fill taking into account the particularities of the specific position and your suitability for it, on the basis of Enertis Applus legitimate interest in this regard. In order to be able to rely on this basis to carry out a balancing test to ensure that Enertis Applus’ legitimate interest does not override your interest or fundamental rights and freedoms.
Enertis Applus will also process your personal data to ensure an optimal level of compliance with the applicable legal obligations to which Enertis Applus is subject under, among others, labour and occupational risk prevention legislation, as well as to cooperate with regulators and law enforcement agencies when necessary.
Personal data that is processed with the purpose of aggregate analysis or market research is always made unidentifiable. Such personal data cannot be used to identify a specific User. Thus, such data is not considered personal data.
1.6. The consent of the data subject
The User consents to the processing of his/her personal data for the purpose of the Data Controller’s handling recruiting. The User consents to the collection of personal data through the Service, when Users:
• submit a request through the ATS, adding personal data about themselves, either personally or by using a third-party source as Xing or LinkedIn, and that the Data Controller may use external sourcing-tools to add additional information; and
• when you use the Service to connect with the Data Controller’s recruitment department by adding personal data about themselves, either personally or by using a third-party source such as Xing or LinkedIn.
The User also consents to the Data Controller collecting publicly available information about the User and compiles them for use in recruitment purposes.
The User consents to the personal data being collected in accordance with the above a) and b) to be processed according with the following sections 1.7 Storage and transfer and 1.8 How long the personal data will be processed.
The User has the right to withdraw his or her consent at any time, by contacting the Data Controller using the contact details set out in section 8. However, the use of this right may mean that the User may not be able to apply for a specific job or otherwise use the Service.
1.7. Storage and transfers
The personal data collected through the ATS is stored and processed inside the EU/EEA, or in a third country that is considered by the European Commission to have an adequate level of protection, or are processed by suppliers that have sign binding agreements that fully comply with the legality of third country transfers (such as Privacy Shield) or to other supplies where adequate safeguards are in place to protect the rights of the data subjects whose data is transferred. To obtain documentation regarding such adequate safeguards, contact us using the Contact details listed in 9.
1.8. How long the personal data will be processed
If a User does not object, in writing, to the processing of their personal data, the personal data will be stored and processed by the Data Controller as long as the Data Controller deems it necessary with regards to the purposes stated above. Note that an applicant (User) may be interesting for future recruitment and for this purpose the Data Controller may store Users’ Personal Data until they are no longer of value as potential recruitments. If you as a User wish not to have your Personal Data processed for this purpose (future recruitment) please contact the Data Controller using the contact details in paragraph 8.
The Data Controller will keep the Users’ Personal Data for a period of five (5) years from the time the Data Controller receives it. The Data Controller will only keep the Users’ Personal Data for more than five (5) years if the Data Controller is required to do so by Law, if there is pending complaint or claim that makes the conservation of the Users’ Personal Data necessary or if the User gives consent to this effect.
2. USERS’ RIGHTS
Users have certain rights in relation to their Personal Data, without prejudice to the rights established by law.
In particular, Users have the right to have confirmation as to whether or not their Personal Data is being used by the Data Controller and, in if so, to request access to their Personal Data and also to information regarding the treatment (e.g., purposes, Personal Data categories and recipients, etc.) (right of access). Furthermore, the User has the right to request the rectification of inaccuracies of their Personal Data (right of rectification), as well as the deletion of their Personal Data when, among other reasons, they are no longer necessary for the purposes for which they were requested (right of deletion). In certain circumstances (e.g., when the User request the rectification of inaccuracies of their Personal Data, while the accuracy of the Personal Data is being verifies), the User may ask that the processing of their Personal Data be restricted and processed only for the exercise or defence of claims (right to limitation of processing). Finally, Users have the possibility to exercise their right to data portability, that is, to receive Personal Data in a structure commonly used and machine-readable form, and to transmit it to another data controller without the hindrance from the latter, in the legally foreseen scenario (right to data portability).
Users have the right to request information about the Personal Data that is processed by the Data Controller, by notifying in writing, using the contact details below under paragraph 8 below. Users have the right to one (1) copy of the processed Personal Data which belongs to them without any charge. For further demanded copies, the Data Controller has a right to charge a reasonable fee on the basis of the administrative costs for such demand.
The User has the right to revoke any consent to processing that has been given by the User to the Data Controller. However, the use of this right may mean that the User may not be able to apply for a specific job or otherwise use the Service.
User has the right to lodge a complaint to the supervisory authority regarding the processing of their Personal Data, if the User considers that the processing of personal data infringes the legal framework of privacy law.
Users can exercise all of the above rights by using the contact details given in paragraph 8 below.
3. SECURITY
The Data Controller prioritizes the personal integrity and therefore works actively so that the User’s Personal Data is processed with utmost care. The Data Controller takes the measures that can be reasonably expected to the make sure that the User’s Personal Data and others are processed safely and in accordance to this Privacy Policy and the GDPR-regulation.
The Data Controller has technical and organisational measures in place to ensure an adequate level of security for the processing of the Personal Data. The purpose of this measures is to guarantee the continued integrity of the Personal Data and confidentiality. The Data Controller evaluates these measures on a regular basis to guarantee the safety of the processing.
However, transfers of information over the Internet and mobile networks can never take place without any risk, so all transfers are made at the risk of the person transferring the data. It is important that Users also take responsibility to ensure that their data is protected. It is the User’s responsibility to ensure that their login information is kept secret.
4. TRANSFER OF PERSONAL DATA TO THIRD PARTY
4.1. Whitin the EU
The Data Controller will not sell or otherwise transfer Users’ Personal Data to third parties.
The Data Controller may transfer Users’ Personal Data with third parties in the following cases:
(a) Third entities outside Enertis Applus Group such as:
i. University and non-university teaching centres and/or vocational training schools, with a view to signing appropriate agreements and/or agreements for the proper management of the incorporation of trainees.
ii. Enertis customers in the context of the selection process.
The aforementioned transfers shall be carried out on the basis of prior consent.
(b) Other Enertis Applus entities other than the ones identified above, where there may be a vacancy that matches the characteristics, for evaluating purposes as part of a selection process, subject to the Users prior consent.
(c) Services Providers. The Data Controller authorises recruitment, selection, evaluation, administration, IT and training services¡ providers to access the User’s Personal Data in order to process the necessary data to support the purposes describe in Clause 2. The Data Controller shall sign a written agreement binding the service provider to refrain from making any unauthorised communication of the Personal Data, to use the Personal Data only for provision of the services and in accordance with Enertis Applus’ written instructions, to retain only the Personal Data necessary to comply with the purpose of protecting its interests and to keep appropriate and adequate safety measures.
(d) Public Administrations, regulatory authorities, law enforcement agencies, courts and other third parties with the authority to bind, to the extent necessary to comply with a legal or regulatory obligation, or to otherwise protect their own or third parties’ rights.
We will only transfer Users’ personal data to third parties that we have confidence in. We carefully choose partners to ensure that the User’s personal data is processed in accordance to current privacy legislations. We cooperate with the following categories of processors of personal data; Teamtailor, who supplies the ATS (Application Tracking System), server and hosting companies, e-mail reference companies, information-sourcing companies, analytical service companies and other companies with regards to suppling the ATS.
Considering that the Data Controller operates as a global business, the parties mentioned above may be located outside the User’s jurisdiction, including countries outside the EU, which the User may consider do not provide an adequate safety of data protection security. In this case, please got to “International Data Transfer”.
4.2. Outside of the EU. International Data Transfer
User’s Personal Data may be communicated, stored, process in a country which does not provide an adequate data protection safety level under the UE Law.
In this regard, we have implemented appropriate safeguards (such as contractual commitments), in accordance with applicable legal requirements, to ensure that data are adequately protected, on the basis of the standard contractual clauses approved by the European Commission, which can be consulted at:
• Standard contractual clauses for the transfer of personal data from the Community to third countries (transfers between controllers): Decision 2004/915/CE.
• Standard contractual clauses for the transfer of personal data to processors established in third countries: Decision 2010/81/EU
For more information on the appropriate warranties applied, please contact us using the contact details in clause 8 below.
5. AGGREGATED DATA (NON-IDENTIFIABLE PERSONAL DATA)
The Data Controller may share aggregated data to third parties. The aggregated data has in such instances been compiled from information that has been collected through the ATS and can, for example, consist of internet traffic statistics or the geological location for the use of the ATS. The aggregated data does not contain any information that can be used to identify individual persons and is thus not personal data.
6. COOKIES
When Users use the ATS, usage information may be stored as cookies. Cookies are passive text files that are stored in the internet browser on the User’s device, such as computer, mobile phone or tablet, when using the Service. The Data Controller uses cookies to improve the User’s use of the ATS and to collect information about, for example, statistics on the use of the ATS. This is done to secure, maintain and improve the ATS. The information that is collected through cookies may, in some cases, be personal data and, in such instances, is regulated by our Cookie Policy.
Users can disable the use of cookies at any time by changing the local settings in their devices. Disabling cookies can affect the ATS experience, for example, by disabling some functions in the Service.
7. CHANGES
The Data Controller has the right to, at any time, make changes or additions to the Privacy Policy. The latest version of the Privacy Policy will always be available through the ATS. A new version is deemed to have been communicated to the Users when the User has either received an email informing the User of the new version (using the e-mail stated by the User in connection to the use of the Service) or when the User is otherwise informed of the new Privacy Policy.
8. CONTACT
Enertis Applus is the data controller regarding the personal data that we process in connection with this Policy.
For questions, further information about our handling of personal data or to contact us on other matters, please use the contact details: Enertis Applus dataprivacy@enertis.com
Enertis Applus is committed to work with the User to resolve any complaints or concerns regarding the privacy of the Personal Data in the best possible way. However, if the User considers that Enertis Applus has not been able to help with the complaint or the doubt, the User has the right to file a complaint before the Spanish Data Protection Agency “Agencia Española de Protección de Datos” through its website: www.agpd.es.
