IDC Candidate Privacy Policy (EU & UK)

We are committed to conducting our business in accordance with best practices of personal data protection. This Candidate Privacy Policy (EU & UK) (“Privacy Policy”) will inform you how IDC (hereinafter “IDC” or “we”) acquires, stores, and processes your personal data in connection with the recruitment process, as well as how it handles and protects your personal data. Personal data are any information pertaining to an identified or identifiable natural person who applies for a job position (hereinafter “you” or the “candidate”). This Privacy Policy applies to the extent the processing of your personal data is subject to the GDPR or the UK GDPR.

The purpose of this Privacy Policy is to inform you of (i) how we collect, process, and protect your personal data, (ii) what your rights are, and by what means you can exercise them.

We recommend that you carefully familiarize yourself with this Privacy Policy.

For CEMA region:

The controller of your personal data is IDC CEMA s.r.o., with registered office at Malé náměstí 11, 110 00 Praha 1, Czech Republic, identification number 26482347.

For WE region:

The controller of your personal data is IDC UK LTD with registered office at 5th Floor, Ealing Cross 85 Uxbridge Road, London, W5 5TH, identification number 960665.

Contact details for all matters relating to processing of personal data of candidates:

IDC’s Privacy Compliance Officer

Email address: privacy@idc.com

1. Purposes and Legal Bases of Processing

   We only process your personal data within the scope necessary for the fulfillment of our contractual or statutory obligations, based on our legitimate interests, or on the basis of consent granted by you for the purposes as set out below:

   1. We process your personal data for the purposes of the recruitment process for a specific job position, as this data will form the basis of a potential employment relationship.

      Such data processing is necessary for the conclusion of a contract between you and us. For that reason, we process your personal data until the recruitment process relating to you is concluded.

   2. Following the recruitment process, we may also process your personal data based on our legitimate interests. IDC’s legitimate interests include determination, defense, and exercise of our legal rights or the resolution of any potential disputes.

      In such cases, we will continue to process your personal data, at maximum for the duration of such legitimate interests; this period will typically not exceed the period of one year following the conclusion of the recruitment process.

   3. In the event that you grant us your consent, we will also process your personal data for the purposes of contacting you in regard to other job openings in our company and in the IDC group and the realization of potential future recruitment processes for such job positions.

      In such cases, we will continue to process your personal data, at maximum for the period defined in the consent; this period will typically not exceed the period of three years from the time when consent was granted.

2. Scope of Processing

   We process your personal data within the following scope: data that you provide in your resume and during the recruitment process, specifically your name and surname, address, email address, telephone, acquired education, current employment position, acquired work experience and skills, photograph, and any other personal data contained in your resume or otherwise provided to us.

1. Recipients of Personal Data

   Some categories of the personal data that we collect in the manners set out above may be shared by us with third parties that are either independent controllers or that provide certain services to us (as our processors) relating to the recruitment process. In particular, we may share personal data with:

   1. entities from the IDC group, a full and updated list of which can be found here, namely for the purpose of realization of the recruitment process in the particular company, or for the purpose of administration support and organization of recruitment process in our company
   2. entities administering our IT systems and providing IT services utilized for the purpose of administration and organization of the recruitment process
   3. entities providing recruitment services and advertising of job positions
   4. public authorities or other third parties for the fulfillment of obligations in accordance with legal regulations
2. Safeguards

   We have entered into agreements on processing of personal data with the processors of personal data, as per the previous paragraph (with the exception of cases where the conclusion of such agreement is not obligatory; for example, when transferring personal data to public authorities), which we have verified to ensure at least the same level of protection thereof as this Privacy Policy.

With regard to the possible impending risk to you as the data subject, we have implemented and maintain appropriate technical and organizational measures, internal controls, and information security processes in accordance with best business practices. At the same time, we take into consideration the state of technological development with the goal of protecting your personal data from accidental loss, destruction, alterations, and unauthorized disclosure or access. Such measures may, among other things, include taking reasonable steps to ensure the liability of relevant employees who have access to your data, training of employees, regular backups, procedures for data renewal and management of incidents, and software protection for devices on which personal data are stored.

If you exercise any of your rights according to this article or other applicable legislation, we will inform each recipient to whom your data has been provided according to Article 5 of this Privacy Policy of the measures taken or of the erasure of your personal data or of the restriction of processing in accordance with your request, if such a notification is possible and/or does not involve disproportionate effort.

If you wish to exercise such rights and/or obtain detailed information, please contact us via the contact details set out in Article 3 of this Privacy Policy.

1. What Can You Request?

   In accordance with applicable legislation, you have the right to request access to: your personal data that we, as a personal data controller, are processing; the right to their rectification, erasure or portability (e.g., the portability of your personal data to another controller on the basis of your request); the right to object to the processing of your personal data; as well as the right to request restriction of processing conducted by us. You can also withdraw consent to the processing of certain personal data at any time, if you have granted us such consent.

2. Rectification of Your Personal Data

   According to applicable legislation, you have the right to rectify your personal data that we are processing if you find that it is inaccurate or incomplete.

3. Erasure of Your Personal Data

   You can request erasure of your personal data at any time. If you contact us and make this request, we will erase all your personal data that we have without undue delay, unless we need it for the fulfillment of contractual or statutory obligations.

   Further, if you withdraw your consent, we will also erase all your personal data (and ensure erasure thereof by the processors that we engage).

4. Withdrawal of Consent

   Granted consent to the processing for the purposes described above can be withdrawn at any time without giving a reason. For such purpose, please contact us via the contact details set out in Article 3 above. We will erase your personal data within 30 days from the withdrawal of your consent.

   Please note that the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

5. Access to and Portability of Your Personal Data

   You have the right to obtain confirmation as to what personal data we process or do not process with respect to you. Should you request it, we can send some of your personal data (namely the data that we process on the basis of performance of measures taken before conclusion of contract and/or your consent) directly to a third party (i.e., another data controller) whom you specify in your request, provided that it is technically feasible and does not affect the rights and freedoms of other persons.

6. Objection to Processing

   If we process some of your personal data on the basis of our legitimate interest, you have the right to object at any time, to the processing of personal data. If significant legitimate interests for processing — that override the interests or rights and freedoms of the data subject — are not proven on our part, or further processing is not necessary for the establishment, exercise or defense of our legal claims, we will cease processing of your personal data.

7. Restriction of Processing

   If you request restriction of processing of your personal data (e.g., in the event that you question the accuracy or lawfulness, or our need to process your personal data), we will restrict the processing of your personal data to the necessary minimum (storage), and we may only process it for the establishment, exercise or defense of legal claims, or on grounds of the protection of the rights of another natural person or legal entity or other reasons prescribed by applicable legislation. If a restriction of processing is lifted and we continue to process your personal data, we will inform you without undue delay.

8. Complaint to the Office for Personal Data Protection

   You have the right to lodge a complaint pertaining to our processing of your data with the competent data protection authority if you believe that your rights regarding our use of your personal data have been violated.

   • For all processing of personal data carried out by IDC subject to the GDPR, the competent data protection authority is the Czech Office for the Protection of Personal Data (in Czech: Úřad pro ochranu osobních údajů), with registered office at Pplk. Sochora 27, 170 00 Praha 7, Czech republic; website: www.uoou.cz
   • For all processing of personal data carried out by IDC subject to the UK GDPR, the competent data protection authority is the Information Commissioner’s Office, with registered office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; website: https://ico.org.uk

We may modify or update the Privacy Policy from time to time. Any changes to this Privacy Policy shall become effective with publication of the update.

This Privacy Policy was last updated on May 30, 2023.