Processing of (personal) data by the entity in charge of the online application process
In view of Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation; GDPR) and considering the rules of the Swiss data protection legislation (FADP) we would like to inform you as follows about certain matters associated with our data processing operations in connection with recruitment at the Nevis group.
If you have any questions about this Privacy Policy or our privacy practices, or if you have a disability and need to access this notice in a different format, please contact us by mail at:
Name of DPO: Akos Kovacs
E-Mail of DPO: privacy@nevis.net.
Privacy notice in connection with the usage of our website: https://www.nevis.net/privacy-policy.
Privacy notice in connection with the technical operation of our career site by Personio (information on logs and cookies): https://www.personio.com/privacy-policy/.
General information
a) Data controller
With respect to recruitment, the companies of Nevis group act as joint data controllers, as they determine the purposes and means of data processing jointly.
The primary data controller and first contact shall be the Nevis company to which the applicant has applied for a vacant position.
Name and contact details of the Nevis companies:
Nevis Security AG (address: CH-8003 Zürich, Birmensdorferstrasse 94., phone: +41 43 215 29 09, e-mail: switzerland@nevis.net)
Nevis Security GmbH (address: Dingolfinger Strasse 15, 81673 Munich, phone: +49 89 120 85 368, e-mail: germany@nevis.net)
Nevis Security Kft. (address: HU-1083 Budapest, Bókay János utca 44-46., registration number: 01-09-352470, phone: +36 1 700 9049, e-mail: hungary@nevis.net)
(Nevis group companies or the relevant Nevis company hereinafter: Nevis or data controller)
b) This Privacy Statement is in line with the FADP and the GDPR. The term "personal data" in this Privacy Statement shall mean any information that identifies or could reasonably be used to identify any person.
c) The basic purpose of the processing of personal data is to assess your professional suitability in connection with the advertised position, as well as to contact you in the course of the recruitment process.
d) The source of the data is the applicant directly. In some cases, the data may be transmitted to us by an employment agency or obtained through an online job portal. In such cases, this notice will also apply.
e) Please do not provide any information in your CV or motivation letter that is not relevant to the establishment of the employment relationship. Please do not disclose special categories of personal data in your application (e.g. racial or ethnic origin, political opinions, religious beliefs, data concerning health, sexual orientation).
f) The data controller will process your personal data for the purposes listed in this statement and to the extent necessary to achieve such purposes. The data controller will process your data in full compliance with the applicable regulations. The data controller does not make decisions on the basis of automated processing and does not carry out profiling.
g) Please note that the primary data controller when applying to Nevis is the company to which you have applied, and the rights in this notice may be exercised primarily against the respective Nevis company, as data controller (however, this does not affect the applicant's right to enforce his or her rights against other Nevis companies as well). In view of the joint processing of personal data, personal data may be accessed or stored by other Nevis companies on account of the unified IT system, career website and the sharing of certain recruitment tasks by shared HR services.
Key information on data processing
The following key information applies to the data processing relating to our recruitment process:
a) Data subjects
Job seekers who apply to a Nevis company through our career website, e-mail, or in any other way.
b) The purpose of processing
The purpose of the data processing carried out until the evaluation of the application: to keep contact, to identify the applicant, to assess the professional suitability of the applicant in relation to the advertised position. Where the collection of specific personal data has a different purpose, it is explicitly indicated below.
The purpose of the data processing after the evaluation of the application: direct inquiries by the data controller in order to inform the applicant on additional job opportunities, if the data subject has consented to this.
In the event of a potential claim: protection of Nevis' legal interests.
c) Data processed
Name, place and date of birth, nationality, permanent address, place of residence,
Telephone number, e-mail address (purpose of data management: contact),
Details of the position applied for,
Education data,
Data on professional experience,
Data on language skills,
Wage demand,
Public profile of a community site (e.g. LinkedIn, XING, GitHub) if the information disclosed here provides information relevant to the position applied for,
As required: CV and data included in it,
photo, if included in the CV,
As required: motivation letter and its content,
If applied: testing skills necessary to fulfill the position (numerical, verbal and logical test and accuracy test, depending on the nature of the position to be applied for).
d) Legal basis
consent (Article 6(1) a) of the GDPR),
taking steps prior to the entering into a contract (Article 6(1) b) of the GDPR),
legitimate interest (Article 6(1) c) of the GDPR).
Please note that you are not required to give your consent. However, if you do not consent to the processing of data for the purpose of recruitment, we will not be able to process your application or inform you about further job opportunities. If you have given your consent, you may withdraw it at any time without giving any reason, but the withdrawal shall not affect the lawfulness of the processing operations carried out before the withdrawal.
If we retain personal data for 1 year after the application due to a claim or potential claim by the applicant, the legal basis for our data processing is our legitimate interest in enforcing our rights properly and in fulfilling our burden of proof in any proceedings.
In the event of an unsuccessful application, 90 days after the period for examining the job application, if the applicant has not given his or her consent to further inquiries.
If the applicant has agreed to further data processing after the application has been rejected, or if the applicant has not applied for a specific job, the data of the applicant will be stored for one year and used to communicate other relevant job opportunities with the applicant.
In the event of a claim brought by the applicant, the data will be kept for 5 years after the closure of the application procedure. If for any reason there is a possibility to enforce a claim in connection with an application, our legal department will keep the data for 1 year after the application has been processed. In this case, the data will not be considered for further recruitment purposes, therefore the data processing will be restricted, based on our legitimate interests.
In case of a successful application, the data controller will further process the data required for the establishment and maintenance of the employment relationship, according to the separate information to be provided to the employees.
The provision of data is voluntary. However, in case you do not provide your data, you may be excluded from the selection procedure or your suitability may not be assessed for the position.
Providing the following data is a precondition of applying for a position via our career website: name, e-mail, phone number, location, available from, birthday, CV.
Acknowledgement of this fair processing notice is also a precondition of your application.
Categories of recipients, data transfers
a) Nevis companies
As mentioned above, personal data may be accessed by other Nevis group companies as they are joint data controllers. HR matters are administered, and our career website is managed, at our Swiss headquarters.
In case of Nevis AG, the data is transferred to Switzerland. We inform you that the data transfer is based on the adequacy decision of the European Commission 2000/518/EC.
The adequacy decision is available under the following link: https://publications.europa.eu/en/publication-detail/-/publication/ee76f93d-4545-4878-87cb-7750d7f59987/language-hu.
b) Data processors
Further recipients may be our data processors with whom the data controller has entered into a data processing contract in accordance with Article 28 of the General Data Protection Regulation (GDPR) (e.g. our partners providing IT services).
Our recruitment website is operated by Personio GmbH, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is Nevis, carrying out the online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between Nevis and Personio. In addition, Personio GmbH processes further data, some of which may be personal data, to provide its services, in particular for operating the recruitment website (for the privacy statement of Personio, visit: https://www.personio.com/privacy-policy/)
Contact details of Personio:
Personio GmbH
Rundfunkplatz 4
80335 München
Phone: +49 / 89 1250 1005
Commercial register entry number: HRB 213189
Registration Court: Amtsgericht München (Munich Local Court)
Data Protection Officer contact: datenschutz@personio.de
c) Other recipients
There might be other recipients as well on a case-by-case basis. For instance, in the event of a claim enforcement by or against Nevis or other legal dispute, data may be transferred to a law firm or other consultant engaged by Nevis.
Besides the cases expressly mentioned herein (data transfer to Nevis AG), the data controller will not transfer your personal data to third countries (i.e. countries that do not qualify as EU Member States).
Your rights
Right to information: You can use the above contact details to contact the controller at any time and request information about processing involving your personal data; request the controller to rectify or erase your data or restrict the processing of your data; or object to such processing.
Right of access: At your request, the controller will inform you whether your data is being processed. If yes, you will be entitled to gain access to your personal data that are processed by the controller, and to information concerning the recipients or categories of recipient to whom the personal data have been or will be disclosed, the proposed period of the processing or the criteria used to determine that period, and the sources of the data.
At your request, the controller will provide to you a copy of the personal data undergoing processing. The controller may charge a reasonable fee, based on administrative costs, for any further copies you request. If you make the request by electronic means, the information will be provided in a commonly used electronic form, unless you request otherwise.
Right to rectification: You have the right to request rectification of any inaccurate data and completion of any incomplete data.
Right to withdraw consent: You have the right to withdraw your consent to the future processing of your personal data. The withdrawal of your consent will not affect the lawfulness of processing that is performed on the basis of your consent before its withdrawal.
Right to erasure: You can request the erasure of your personal data from the controller if:
a) the personal data are no longer necessary in relation to the purposes for which they were processed,
b) you withdraw your consent and there is no other legal ground for the processing,
c) the conditions for making an objection apply,
d) the data processing is unlawful,
e) the erasure is necessary for compliance with a legal obligation to which the controller is subject,
f) you are a minor under the age of 16.
The controller will erase your data on the basis of such request, except if further processing is necessary
a) to ensure compliance with a relevant legal obligation to which the controller is subject, or
b) for the establishment, exercise or defence of legal claims.
Right to restriction of processing: At your request, the controller will restrict processing, if:
a) you contest the accuracy of the personal data, in that case the restriction will apply for a period while the accuracy of the data can be verified,
b) the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead,
c) the controller no longer requires the data for processing, but you need them for the establishment, exercise or defence of legal claims,
d) you have objected to the processing, in which case the restriction will apply for a period while it is verified whether the legitimate grounds of the controller override yours.
If the processing is subject to restriction in accordance with the above, the relevant personal data may, with the exception of storage, only be processed with your consent, or for the establishment, exercise or defence of legal claims, for the protection of the rights of another person or for reasons of important public interest of the European Union or of a Member State. The controller will inform you before the restriction of processing is lifted.
You and all other persons to whom your data have been transferred will be informed about any rectification, erasure or restriction. The controller will not provide such information if this is impossible or involves a substantial effort. If the controller has made the personal data public and is obliged to erase the personal data, it will, in the light of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers that are processing the personal data about your request that they should erase any links to, or copy or replication of, those personal data.
Right to object: You can object to the processing of your personal data if:
a) it is done on the basis of a legitimate interest; in that case the processing may not be continued, unless there are compelling and legitimate reasons for the processing that override your interests, rights and freedoms, or reasons that are related to the establishment, exercise or defence of legal claims,
b) it is done for, or is related to, direct marketing purposes; in that case the processing may not be continued for such purpose.
Right to data portability: You can request the controller to provide your data to you in a structured, commonly used and machine-readable format, if this is technically feasible, so that you can transmit such data to another controller, or you can request the controller to perform such transmission directly.
Right to lodge a complaint: If you believe that your rights associated with your personal data have been violated, please inform the controller or the data protection officer about your complaint by using any of the contact details stated above.
You can also file your complaint with the competent authority (please find contact details in Annex A).
Review of requests
The controller will, within one month of the receipt of your request made in accordance with the above, inform you about the actions taken pursuant to the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller will inform you about the extension within one month of the receipt of your request, together with the reasons for the delay. If the controller receives the request electronically, the information will also be provided electronically if possible and unless you have requested otherwise. If, in our judgment, no action is needed pursuant to your request, we will inform you without delay but in no event later than within one month after the receipt of your request about the reasons for not taking any action and about your option of lodging a complaint with the data protection authority and seeking a judicial remedy.
Requests are performed free of charge; however, if a request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may charge a reasonable fee in view of the administrative costs incurred due to the request or may refuse to act on it.
If there is any doubt about the identity of a person who submits a request, additional information may be requested from them as required for their identification.
Should you have any questions on the above, please contact us using any of our contact details.
Kind regards,
Nevis Group
Annex A
Contact details of national data protection authorities.
Switzerland
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH - 3003 Berne
Telephone: +41 (0)58 462 43 95 (Mon.-Fri., 10-12 am)
Fax: +41 (0)58 465 99 96
E-mail: info@edoeb.admin.ch
Germany
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30, 53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
e-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/
Hungary
Nemzeti Adatvédelmi és Információszabadság Hatóság (National Data Protection and Freedom of Information Authority)
Address: Budapest, Falk Miksa u. 9-11, 1055
Mailing address: 1530 Budapest, Postafiók: 5
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
If you believe that the processing of your data is unlawful, you may also file a lawsuit in a civil court. The court will have the authority to adjudicate the lawsuit. You may file the lawsuit in the court that has jurisdiction over your residential address (please follow the link below to see a list of the courts and their contact details: http://birosag.hu/torvenyszekek).