Processing of Personal Data

Data Controller

The personal data collected is controlled and processed by the Data Controller. In addition, personal data may be processed or jointly controlled by the Data Controller’s partners.

This policy regarding the processing of personal data applies to (1) our candidates and recipients of our career management services, (2) our customers, whom we engage or assign one of our candidates to, (3) users of our websites and apps (“Sites”)**, and (4) representatives of our business partners, customers, and suppliers. This policy on the processing of personal data does not apply to our internal employees or consultants.

This policy on the processing of personal data outlines the types of personal data or personal information that we collect, how we use such data, how we process and protect the data we collect, how long we store these, with whom we share these, to whom we transfer these, and the rights that individuals can exercise regarding our use of their personal data. We also specify how you can contact us about our procedures for processing personal data and the exercise of your rights. Our procedures for processing personal data may differ between the countries we operate in to reflect domestic practice and legal requirements, and you can review specific domestic conditions by visiting local websites.

The Data Controller is Estranged AB, including its subsidiaries*, with registered headquarters in Sweden.

Information We Collect

We may collect personal information about you in several different ways, for example, through our sites and social media channels; at our events; over the phone; through job applications; in connection with recruitment; or in connection with our cooperation with customers/vendors and suppliers. We may collect a range of personal data depending on the nature of the relationship, which includes but is not limited to (as permitted under Swedish law):

• contact information (such as name, mailing address, email address, and phone number);

• username and password when you register on our sites;

• information you provide about individuals you would like us to contact. (The Data Controller assumes that this person has previously consented to such communication); and

• other information that you provide us, such as in surveys or through the “Contact Us” section on our sites.

If you are a job candidate and apply for a job or create an account to apply for a job, with your consent we may collect the following types of personal data (as permitted under Swedish law):

• employment and education history

• language skills and other work-related skills;

• Personal identification number, national identification, or other government-issued identification number;

• date of birth;

• gender;

• bank account information;

• citizenship and work permit status

• benefit-related information;

• tax-related information;

• information provided by references; and

• information covered by your resume or CV, information you provide about your professional interests, and other information regarding your competence for employment

• and possibly sensitive personal data in the event explicit consent for this has been provided by you as prescribed by law:

• disability and health-related information;

• results of drug tests, criminal record checks, and other background checks.

We may also collect information that you provide to us about other people, such as emergency contact information.

How We Use the Information We Collect

The Data Controller collects and uses the data collected for the following purposes:

a) to find workforce solutions and match candidates with our customers with the aim of getting people into work;

b) to create and manage online accounts;

c) to process payments;

d) to manage our relationships with customers/vendors and suppliers;

e) where permitted by law and consistent with our cookie policy (to send marketing materials, messages regarding available services, and other notifications;

f) where permitted by law to notify and manage participation in, specific events, advertising, programs, offers, surveys, competitions, and market research;

g) to respond to individual inquiries and requirements;

h) to conduct, evaluate and improve our business (which includes developing, enhancing, reviewing and improving our services; managing our communications; conducting data analysis; and carrying out accounting, auditing, and other internal tasks);

i) to protect against, identify, and attempt to prevent fraud and other illegal activity, claims, and other liabilities; and

j) to comply with and enforce applicable legal requirements, relevant industry practices, contractual obligations, and our policies.

All processing will be carried out based on legal grounds as follows:

a) consent or specific consent (when collecting sensitive personal data) from the data subject, where required by applicable law;

If you are a job candidate, we will request consent for the following processing of personal data for the following purposes:

• to provide you with job offers and work;

• to provide you with HR services, including benefits management, payroll, performance management, and disciplinary actions;

• to provide you with additional services, such as training, career guidance, and career transition services;

• to assess your suitability as a job candidate and your qualifications for job positions; and

• to perform data analysis, such as (i) analysis of our job candidate and consultant database; (ii) assessment of individual performance and skills, including scoring of job-related skills; (iii) identification of knowledge gaps; (iv) use of information to match individuals with potential opportunities, and (v) analysis of pipeline data (trends regarding hiring practices).

We may also use data in other ways when we send specific notice in connection with or before the time of collection.

b) to ensure our compliance with a legal or contractual requirement, or a requirement necessary to enter into a contract, for example with our customers and suppliers.

c) it is essential and necessary based on the Data Controller’s legitimate interest.

The Data Controller may process personal data for specific legitimate business purposes, which include some or all of the following:

• where the processing enables us to enhance, modify, personalize or otherwise improve our services/communication for the benefit of our customers, candidates, and suppliers;

• to identify and prevent fraud;

• to enhance the security of our network and information systems;

• to better understand how people interact with our websites;

• for direct marketing purposes;

• to send you postal mailings that we think would be of interest to you;

• to determine the effectiveness of promotional campaigns and advertising

In cases where we process data for these purposes, we ensure that your rights are respected and considered. You have the right to object to such processing. Follow this link if you wish to do so. Please note that exercising your right to object may affect our ability to assist you with the provision of our services and service.

How we process and protect personal information

Our processing of collected personal data takes place for the purposes stated above and for a specific period of time, which is in line with our internal deletion routines, in order to ensure that personal data is not retained longer than necessary and no longer than permitted under the GDPR.

We maintain administrative, technical and physical security measures designed to protect the personal data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, disclosure or use. To ensure appropriate security and privacy regarding personal data, we take the following security measures:

• Encryption of data in transit;

• Rigorous controls regarding user authentication;

• Enhanced network infrastructure;

• IT security solutions.

How long we store the data we collect

We store the personal data we collect in our systems in a way that only makes it possible to identify the registrants for the time deemed necessary considering the purposes for which the data was collected, or for which the data is further processed.

We determine this specific time period by considering:

• The need to retain collected personal data stored in order to provide services established with the user;

• In order to ensure the legitimate interest of the Data Controller as stated in the purposes;

• The existence of specific legal obligations that make processing and related storage necessary for specific periods of time.

Information we share

We only share personal data that we collect about you in the ways stated in this personal data processing policy or in separate notices provided in conjunction with specific activities. We may share personal data with vendors who perform services on our behalf based on our instructions. We do not authorize these vendors to use or disclose the data except where it is necessary to perform services on our behalf or comply with legal requirements. We may also share your personal data with (i) our subsidiaries and partners; (ii) if you are a job candidate, with /customers who might have available job offers or interest in hiring our job candidates; and (iii) with others we work with, such as recruitment advisors and subcontractors, in order to find work for you.

We may also share your personal data (i) if we are required to do so by law or legal process; (ii) to law enforcement authorities or other government officials based on a lawful request for sharing; and (iii) when we believe sharing is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity. We also reserve the right to transfer personal data that we have about you in the event we sell or transfer all or part of our business or assets (including in the event of reorganization, dissolution, or liquidation).

Transfers of personal data

We may also transfer the personal data we collect about you to countries outside the country where the data was originally collected. Such countries may lack the data protection legislation that the country where you originally provided the personal data has. When we transfer your data to other countries, we protect the data as stated in this personal data processing policy and such transfers take place in compliance with applicable law.

The countries to which we may transfer the personal data we collect about you may include:

• Within the European Union

• Outside the European Union

When we transfer personal data within the EU to countries or international organizations outside the EU, the transfer takes place on the basis of:

a) Adequacy decisions by the European Commission.

b) In the absence of an adequacy decision, other legal bases allowed (a) legally binding and enforceable documents between public authorities or bodies; (b) binding corporate rules; (c) standard clauses regarding data protection (formerly known as the Standard Clauses) adopted by the Commission, etc.

Your rights

When applicable law allows, the registered individual can exercise the following specific rights in accordance with Articles 15 to 22 of the General Data Protection Regulation (GDPR):

a) Right of access: The registered individual has the right to access their personal data to verify that such personal data is being processed in accordance with the law.

b) Right to rectification: The registered individual has the right to request rectification of any incorrect or incomplete data about him or her, in order to ensure the accuracy of such data and adapt them to the processing of personal data.

c) Right to erasure: The registered individual has the right to request the Data Controller to remove data about him or her and no longer process such data.

d) Right to restriction of processing: The registered individual has the right to request the Data Controller to limit the processing of his or her data.

e) Right to data portability: The registered individual has the right to request data portability which means that the registered individual can obtain the originally provided personal data in a structured and commonly used format or that the registered individual can request the transfer of data to another Data Controller.

f) Right to object: The registered individual providing personal data to the Data Controller has the right to object to the processing of personal data at any time on several grounds as stated in the GDPR, without having to justify their decision.

g) Right not to be subject to automated individual decision-making: The registered individual has the right not to be subject to a decision based solely on automated processing, including profiling, if such profiling causes a legal effect concerning the registered individual or similarly significantly affects him or her.

h) Right to lodge a complaint with a supervisory authority: All registered individuals have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where he or she has his or her habitual residence, place of work or where the alleged infringement took place if the registered individual considers that the processing of personal data relating to him or her infringes the GDPR.

When processing is based on consent as per Article 7 of the GDPR, the registered individual can, at any time, withdraw his or her consent.

Please see the “Contact us” section below if you need more information about the processing of your personal data.

Updates to our Personal Data Processing Policy

This Personal Data Processing Policy (including any amendments) may be regularly updated to reflect changes in our data protection practices and legal updates. In the case of significant changes, we will notify you by posting a prominent notice on our sites with information at the top of each notice about when it was last updated.