ROCHE SERVICES (EUROPE) LTD. DATA PRIVACY NOTICE FOR CANDIDATES

Transcription

1 ROCHE SERVICES (EUROPE) LTD. DATA PRIVACY NOTICE FOR CANDIDATES 1. General Provisions and Contacts Roche Services (Europe) Ltd. ( Company ) processes information related to persons ( Candidate(s) ) applying for positions published on the website ( Website ) or otherwise, or applying in any other form in particular via , letter, phone or personally qualified as personal data under Article 4 (1) of Regulation (EU) 2016/679 called General Data Protection Regulation ( GDPR ). The present data privacy notice ( Notice ) shall provide information about the processing of such personal data and the rights and remedies available to Candidates related to data processing. If the application is not submitted to the Company, the processing of personal data shall be governed by the data protection notice of the company to which the application has been submitted, either in physical format or electronically (including other Roche companies, such as F. Hoffman-La Roche Ltd Grenzacherstrasse 124, CH-4070 Basel, Switzerland). Contacts of the Company: Registered office of the Company: 1068 Budapest, Dózsa György út 84. b. Company registration number: , The Company is registered by the Company Registration Court of the Metropolitan Court of Justice Phone number of the Company: address of the company: budapest.admin.ba1@roche.com Website of the Company: Name and contacts of the data privacy coordinator of the Employer: Martina Zsólyom, SHE Deputy & Data Privacy Coordinator (phone number: +36-1/ , / ; martina.zsolyom@roche.com) The Notice may be available on the website electronically and in the offices of the Company in paper format. In addition, the Company is eager to provide information on the rights and remedies available to data subjects on the above contact details. 2. Job applications and processing of personal data concerning the applications By submitting his/her job application and the data therein, the Candidate shall warrant that (i) such information concerns exclusively his/her personal data, or (ii) it has proper and informed consent or other legal basis for providing the personal data. Should the Company become aware that the data of the data subject have been disclosed without the consent of the data subject or an appropriate legal basis, the Company shall immediately delete all data, and the data subject shall be entitled to enforce his/her rights and remedies under this Notice. The Company shall not be responsible for the violation of the above commitment by the Candidate or any damages, losses or injuries potentially arising therefrom. The Company may receive the data related to the Candidate from external companies. Such external company may be: Reed Magyarország Kft. (recruitment), Monster Magyarország Kft. (recruitment), Hays Hungary Kft. (recruitment), Profession.hu, (recruitment), Focus Consulting Kft. (recruitment), Arthur Hunt Kft. (recruitment), MIND-DIÁK Iskolai szövetkezet (provision of school cooperative services), MŰISZ Iskolaszövetkezet (provision of school cooperative services). For data processing carried out by external companies, the data protection policy of the relevant company shall govern, over which the Company does not exercise control. The Company provides the following information on the processing of job applications and personal data contained therein.

2 Object and purpose of data processing Legal Basis of data processing Processed data Duration of data processing Processing of the personal data of Candidates in order to perform recruitment for the positions for which Candidates have applied, as well as documentation of the selection process. Article 6 (1) a) of the GDPR (voluntary consent). The Candidate may grant his/her consent to the processing of his/her personal data by submitting his/her application to the Company (such as by sending his/her application to the address of the Company or any of its employees, or by submitting his/her CV personally in the office of the Company). The consent covers the processing of personal data related to the clarification of the content of the submitted job application, the professional expectations and needs mentioned by the Candidate during the job interview, as well as eventual professional questions, tasks and competence. If the Candidate submits his/her job application outside the Website, in another manner (such as personally or in ), his/her consent to the processing of his/her personal data shall also be considered as granted. The consent shall be voluntary, however, job applications may not be Name, contact details (address, phone number, address, LinkedIn or other social media profile, if applicable, link to professional website) of Candidates, content of the CV and cover letter, attached profile picture (photo), foreign language skills, professional experience, work place(s), data concerning qualifications, skills and studies, preferred professional field, references, expected monthly salary (if applicable). CVs and applications may include the personal data of the Candidates provided by them voluntarily, such as: place and date of birth, mother s maiden name, citizenship. Such data are received by the Company either directly by the Candidate, or from a third party transferring the data of the Candidate (such as recruiters). In the latter case, data processing shall also be governed by the data processing policy of the third party. In addition to the above, the Company may keep internal records related to In accordance with Section 6:22 of Act V of 2013 on the Civil Code ( Civil Code ), the data retention time shall be 3 years after the conclusion of the application (that is the selection of the successful Candidate), in order to ensure the possibility of defense in the event of litigation or official proceedings initiated by the Candidate (data may be processed until the final decision of the proceedings). In this case, the legal basis for data processing is Article 6 (1) f) of the GDPR (legitimate interest of the Company). In accordance with the above, originally the Candidate has granted his/her consent to the data processing, and the data processing is necessary for pursuing the legitimate interests of the Company, that is the participation in proceeding(s) related to the enforcement of claims, and the presentation of the Company s defense. During the above period, the Company may check within the framework of an internal audit whether the most competent

3 Object and purpose of data processing Legal Basis of data processing Processed data Duration of data processing evaluated appropriately without the data. In the event of application for a position which requires the establishment of an employment relationship, Article 10 (1) of Act I of 2012 on the Labour Code shall be governing. In accordance with the Act, data and data sheets necessary for the establishment of an employment relationship may be requested before the establishment of an employment relationship. In the event of a successful application, the Company shall notify recruitment companies on the admission and the initial salary of the Candidate in accordance with the data protection policy of the recruitment company to allow the company to calculate the commission to be paid after a successful recruitment. In the above case, the legal basis for data transfer shall be Article 6 (1) f) of the GDPR (legitimate interests pursued by the Company and the recruiter). the job applications on the professional competence of the Candidate and related assessment criteria. Candidate has been selected or not. Considering the above criteria, after the completion of the application process, the Company shall store the job applications in its own closed system and locked office (and in the absence of the above mentioned litigation or official proceeding, shall not carry out data processing activities outside data storage), and shall irretrievably delete the data after the expiry of the 3-year period. Should the Candidate cancel his/her application before the end of the application process at one of the contacts of the Company, the Company shall immediately delete the data of the Candidate after the cancellation. The Company shall consider the cancellation of the application, as if the Candidate has expressed that he/she did not wish to enforce any claims with respect to the application. During the period of data processing, the Candidate s job applications and personal data therein may be accessed by the person responsible for the job application within the Company and the competent employees of the

4 Object and purpose of data processing Legal Basis of data processing Processed data Duration of data processing Company s HR Department, and in the event of the initiation of the above mentioned litigation or official proceedings, the competent employees of the Company s Legal Department. Assessment of the Candidate s professional competence for the job (data processing related to the competence test and test sheets) after the revision of the job applications depending on the nature of the job the Candidate has applied for. The professional competence test and the assessment carried out with the involvement of an expert may take place exclusively in the cases previously specified by the Company, if it is necessary for filling the post, in which cases the Company shall notify the Candidates before carrying out the test. Competence tests are usually carried out with tests assessing foreign language skills and financial knowledge. Competence tests may also include the so-called Assessment Center. Assessment Center or AC is a method applied during the selection of Candidates which aims to assess the expected competence of the Candidate. During the AC, Candidates Article 6 (1) f) of the GDPR (the legitimate interest of the Company). Candidates may ask questions related to the competence test at the place of the competence test, before and during the test. The interest assessment test related to the data processing based on the Company s legitimate interest is included in the table attached to this Notice. Answers provided during the following forms of the competence test, professional skills. Questions related to the assessment of competence may exclusively aim to assess the competences absolutely necessary for filling the published position. The test shall be carried out by an expert subject to the obligation of secrecy who is employed or appointed by the Company. During the test, the expert shall evaluate the answers provided by the Candidate in the test sheets / on the online surface / during the personal interview. The criteria of the assessment shall be made available on the test sheets / online surface before the completion of the test, or shall be communicated to the Candidate before the start of the personal interview. None of the above methods for assessing professional competence are channeled towards the private life of The Company shall store the personal data in accordance with the criteria specified at the section entitled: Processing of the personal data of Candidates in order to perform recruitment for the positions for which Candidates have applied, as well as documentation of the selection process. Answers provided by Candidates during the competence test and their assessment (professional competence) may only be accessed by the person competent within the Company for the area related to the post in question, as well as competent employees of the Company s HR Department and the expert employed or appointed by the Company.

5 Object and purpose of data processing are faced with tasks related to the respective position, and evaluators try to conclude from their reaction how they would succeed in the position. Tasks may include among others: simulation exercises, presentation exercises, tests, interviews. Legal Basis of data processing Processed data Duration of data processing the Candidate or the personal characteristics irrelevant to the assessment of competence. The above expert may disclose to the Company exclusively the results of the assessment: (i) whether the Candidate complies with the criteria for the job or not, or (ii) whether further conditions for filling the job shall be ensured by the Company, such as: further professional training, in the case of managing positions provision of management training). Retention of the Candidate s CV and other job application documents (such as cover letter) in order to allow the Company to contact the Candidate directly with job offers in the future (for example in the event of a job vacancy). Article 6 (1) a) of the GDPR (voluntary consent). The company may request the Candidate to grant his/her consent to the retention of his/her job application after the completion of the selection procedure, even in the absence of a vacancy or a published job offer, in order to directly contact the Candidate with eventual future job offers (such as: currently, there is no vacancy in the field for which the Candidate has applied, but in the future, it may occur). Personal data originally provided by the Candidate. 3 years after the conclusion of the selection criteria. This is the period during which the data necessary for the purposes of the data processing may be up-to-date and accurate in the opinion of the Company. For example, if the Candidate s experience is not sufficient at the time of application, but he/she may become eligible at a later date for a future a position. Candidates may request the Company to delete their data at any time during the above period. Candidates right to the above shall also cover data recorded during eventual competence tests. In the above case, Candidates shall acknowledge that in the event of the submission of a new job

6 Object and purpose of data processing Legal Basis of data processing Processed data Duration of data processing application, another competence test may become necessary. The person competent in the field related to the relevant job application within the Company, as well as the competent employees of the Company s HR Department may access the job application materials of the Candidates and the personal data therein during the period of data processing.

7 3. Data security measures taken by the Company The Company shall organize compulsory data protection training for its employees and partners. Such training shall be: privacy awareness training knowledge of regulations related to the protection of personal data (such as GDPR, rights related to data processing) and management of data breaches, information security end user awareness training work outside the office, remote access, password management, communication ( , sending messages), social engineering, prevention of data breaches The Company shall provide technical data security by monitoring access to the system, encryption, firewalls, using anti-virus and anti-malware software and data-loss prevention software (e.g. blocking data subtraction from the systems, s containing certain data types, USB-s) and a strong password policy. The Company shall ensure organizational data security with the following measures: locked rooms, restriction of access to the rooms of the HR department and to server rooms, internal rules and policies regarding information security, clean desk policy, data classification, management of data breaches. 4. Data protection rights and remedies available to Candidates and other data subjects 4.1 Data protection rights and remedies Data protection rights and remedies available to data subjects, including Candidates and other persons listed in Section 2 (such as in the event of submitting an application in someone else s name) are set forth in the relevant provisions of the GDPR (in particular Articles 15-19, 21, and 82). The following summary contains the most important provisions, and the Company provides information to the Candidate and other data subjects on their rights and remedies related to data protection in accordance with this Notice. The Company hereby informs the Candidates that the online or paper-based test sheets completed during competence tests, as well as answers given to the oral questions and data contained therein may only be processed by the expert subject to the obligation of secrecy employed or appointed by the Company. With respect to such personal data, data subjects may contact the above expert at the above contact details or the Company, which shall transfer such requests to the expert. The Company undertakes to fulfill such requests exclusively if it does not result that the Company may become aware of the content of the relevant test sheets or evaluation of the oral questions and the personal data contained therein without the consent of the data subject, otherwise such requests shall be fulfilled on behalf of the Company by the expert employed or appointed by the Company. The Company shall provide information on action taken on a request related to the data subject s exercise of rights to the data subject without undue delay and in any event within one month of receipt of the request. Taking the complexity of the request and the number of requests into consideration, such term may be extended by two months if necessary. The Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. The Company shall provide information requested by the data subject in writing or in the case of requests submitted electronically electronically. The information may be provided orally, provided that the identity of the data subject is proven to the Company.

8 4.2 Right of access of data subjects (1) The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed. If such data processing is in progress, the data subject shall have the right to obtain access to the personal data and the following information: a) purpose of data processing; b) categories of personal data involved; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed by the Company, in particular recipients in third countries or international organisations; d) if applicable, the planned duration of storing the personal data or if this is not possible, the aspects of determining this period of time; e) the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) right to file complaint to a supervisory authority; and g) if the data was not collected from the data subject, all available information about the source thereof; (2) If the personal data is transferred to a third country, the data subject shall have the right to obtain information about the sufficient guarantees related to the transfer. (3) The Company shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information shall be provided in a widely used electronic format except if the data subject requests otherwise. (4) If a data processing purpose is required for the enforcement of the legitimate interest of the Company or any third party, the interest assessing test used to determine the legitimate interest shall be made available by the Company in case of request submitted to any of he contacts above. 4.3 Right of rectification The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall also have the right to request the completion of defective personal data amongst others via a supplementary declaration. 4.4 Right of erasure ( right to being forgotten ) (1) The data subject shall have the right to obtain from the Company the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Company; b) the data subject withdraws its consent constituting the basis of data processing and there is no other legal basis of data processing; c) the data subject objects to the processing of its data and there is no prevailing legal cause for data processing in the given case; d) personal data was unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject; f) personal data was collected in relation with offering services related to the information society. (2) Paragraph 1 shall not apply to the extent that processing is necessary, among others:

9 a) for the purpose of exercising right to expressing opinions and obtaining information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject; c) for the purpose of public interest archiving, scientific and historical research or statistical purpose if the right mentioned in paragraph (1) would probably make it impossible or seriously threaten such data processing; or d) for establishing, enforcing or defending legal claims. 4.5 Right of restriction of data processing (1) The data subject shall have the right to obtain from the Company restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data; b) the data processing is unlawful and the data subject objects to the deletion of data and requests the restriction of the use thereof instead; c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pending the verification whether the legitimate grounds of the Company override those of the data subject. (2) If the data processing is restricted on the basis of paragraph (1), such personal data shall only be processed - apart from storage - with the consent of the data subject for the establishment, enforcement or defense of legal claims or in order to protect the rights of other natural persons or legal entities or for important public interests of the European Union or a Member State. (3) A data subject who has obtained restriction of processing shall be informed by the Company on the lifting of such restriction before the restriction of processing is lifted. 4.6 Liability of notification related to the rectification of personal data or the restriction of data processing The Company shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company shall inform the data subject about those recipients if the data subject requests it. 4.7 Right to data portability (1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company, where: a) data processing is based on consent or contract; and b) data processing is automated. (2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another(that is the Company and another data controller), where technically feasible. (3) The exercise of the above right may not infringe the provisions concerning the right to erasure ( right to be forgotten ), and this right shall not adversely affect the rights and freedoms of others.

10 4.8 Right to object (1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. (2) If the personal data is processed for scientific and historical research purposes of statistical purposes, the data subject shall have the right to objects against the processing of personal data of the data subject for reasons related to its own situation except if the data processing is required for performing a task due to reasons of public interest. 4.9 Right to lodge a complaint with a supervisory authority The data subject shall have the right to file a complaint at the supervisory authority in the member state of its usual residence, workplace or the place of the assumed injury in particular if according to the assumption of the data subject the processing of personal data of the data subject violates the provisions of GDPR. Competent supervisory authority in Hungary: Hungarian National Authority for Data Protection and Freedom of Information (website: address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c; postal address: 1530 Budapest, Pf.: 5.; phone number: ; fax: ; ugyfelszolgalat@naih.hu) Right for effective remedy at the court of justice against the supervisory authority (1) The data subject shall have the right for effective remedy at the court of justice against the legally binding decisions of the supervisory authority applicable for the data subject. (2) The data subject shall have the right for effective remedy at the court of justice if the competent supervisory authority fails to deal with the complaint or fails to inform the data subject about the progress of the proceedings in relation with the complaint or the outcome thereof within three months. (3) Proceedings against the supervisory authority shall be filed at the court of justice competent in the member state of the registered seat of the supervisory authority Right for Effective Remedy at the Court of Justice against the Company or the Data Processor (1) The data subject shall have the right for effective remedy at the court of justice without prejudice to its administrative and out of court remedies available, including complaint at the supervisory authority if the data subject assumes that its rights under the GDPR were violated due to the improper processing of its personal data. (2) Proceedings against the Company or the data processor shall be brought before the courts of the Member State where the Company or the data processor has an establishment. Such proceedings may be brought before the court of the Member State where the data subject resides. For further information on the competence and contact details of the court please refer to the following website:

11 Attachment: Balancing test concerning the competence test carried out by the Company The following table contains the test for the balance of interests related to data processing based on the legitimate interest of the Company with respect to the processing of the Candidate s data, which presents why the legitimate interests of the Company related to the completion of the competence test override the interests or fundamental rights or freedoms of the data subjects which require the protection of the personal data. 1. Is absolutely necessary to perform a competence test in the case of Candidates submitting job application to certain posts? Are there any alternative solutions with the application of which the planned purpose may be reached without the processing of personal data? 2. Legitimate interest of the Company There is no alternative data processing solution which affect the personal data of data subjects less and are efficient enough to ensure that data processing objectives are met. Considering the nature of the activities performed by the Company (shared service center provision of financial, HR and IT services in a foreign language), compliance with the required quality of services, as well as rules on safety of persons and property, health and safety provisions, with respect to certain posts, it is absolutely necessary to carry out a competence test during the job interviews, which assesses the professional competence required by the post. Legitimate interests of the Company are as follows: - performance of activities related to the services provided by the Company in a continuous, safe and compliant manner and at a high level; - compliance with legal provisions, industry regulations related to the quality of services, the safety of persons and property, health and safety provisions; - with respect to the above, in managing positions and in other critical areas specified by the Company, it is absolutely necessary to assess the professional competence necessary for the post. 3. What is the purpose of data processing? In addition to what data processing purposes, and what kind of personal data shall be processed in accordance with the legitimate interest of the Company? The purpose of data processing is the assessment of the professional competence of the Candidate to the post for which he/she applied. The Company shall process the results of the competence tests exclusively within the scope of competence necessary for the position (post) in question, and it has already been aware of this circumstance before drafting the questions asked during the competence test. Answers provided by the Candidate on the online surface / in test sheets / during personal observation are assessed by an expert employed or appointed by the Company. The expert employed or appointed by the Company shall process the results of the competence test and related documentation until the performance of the assessment, and after that, shall immediately transfer them to the Company.

12 The Company processes the results of the competence tests and related documentation (including primarily the completed test sheets) during the period specified in Sections 2 and 3. The Company informs Candidates of the necessity to carry out a test, the assessment of professional competence and the process of the test, as well as rights and remedies available to them in all cases before the start of the competence test. 4. What are the interests of data subjects with respect to data processing? Protection of the Candidates individual rights, rights and freedoms related to personal data, which has been taken into consideration already at the elaboration of the competence test, as well as at the selection of the expert employed or appointed by the Company and at the conclusion of contract with him/her, before the actual performance of the competence test to the extent possible. 5. Why does the Company s legitimate interest restrict the rights and freedoms of data subjects proportionately? - the Company performs competence tests exclusively in the case of certain posts; - the Company informs Candidates of the necessity to carry out a test, the assessment of professional competence and the process of the test, as well as rights and remedies available to them in all cases before the start of the competence test; - Candidates are entitled to ask questions to the Company and to the expert employed or appointed by the Company before and during the competence test; - during the assessment of test sheets and answers provided, exclusively the answers are taken into consideration, other characteristics and circumstances (such as hand writing) are not; - the Company processes the results of competence tests and the fact whether an Candidate is suitable for the position (post) or not, and whether it is necessary to provide additional condition(s) for the filling of the position, as well as related documentation exclusively in order to assess competence for the position (post) in question; - answers provided by Candidates during the competence test and their assessment (professional competence) may only be accessed by the person competent within the Company for the area related to the post in question, as well as competent employees of the Company s HR Department and the expert employed or appointed by the Company.