Changan Recruitment Privacy Statement
Introduction
For the purpose of this Privacy Statement (“Statement”), the terms and definitions in Appendix shall apply.
This Statement provides information about Personal Data which are processed by Changan Automobile Europe Holding B.V. (“we”, “us”, or “our”) in relation to individuals who apply to work for, or who attend a recruitment event or undertake an assessment with us (“Applicants”). This includes prospective employees, interns and contractors. This Statement explains what Personal Data we, other Changan group companies and/or any third-party recipients as set out in the Statement may process about you, what and how your Personal Data is used, and who your Personal Data would be shared with. It also sets out your rights in relation to your Personal Data under applicable laws and regulations and who you can contact for more information or queries.
For individuals who are successful in their application for employment, internship or engagement as a contractor, the separate privacy statements will apply.
We may collect Personal Data directly from you, through third parties or other means such as from social media or third-party sites or through technology (including the use of technology like cookies).
Some systems, databases, websites, applications (collectively, “Solutions”) provided or made accessible through us, and/or third parties may have separate privacy statements that differ from this Statement. Please refer to the relevant privacy statements for those Solutions, to understand how Personal Data is processed and the rights entitled by individuals (“Data Subjects”).
Please see detailed information in the relevant sections below and contact dpo@changaneurope.com if you have any questions on this Statement.
1. Data Controller
2. Legal Bases and Purposes of Processing of Personal Data
3. Categories of Personal Data
4. Classes of Transferees/Categories of Recipients
5. Security of Personal Data
6. Retention of Personal Data
7. Your Rights to Personal Data
8. Contact Us
9. Children
10. Changes to this Statement
11. Appendix - Terms and Definition
12. Acceptance of this Statement
1. Data Controller
Generally, the Changan Automobile Europe Holding B.V. that contacts you for employment or engagement as the case maybe, is the Data Controller for the purpose of this Statement, details as below:
[Changan Automobile Europe Holding B.V.]
Email contact: [dpo@changaneurope.com]
Address for postal contact: [De Entree 201, 1101 HG Amsterdam]
2. Legal Bases and Purposes of Processing of Personal Data
When we use your Personal Data, we take care to ensure that it is used in an appropriate way. Use of Personal Data under applicable data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the grounds in respect of each use in this Statement. An explanation of the grounds can be found here.
These are the principal legal grounds that justify our use of your Personal Data:
|
Consent: where you have consented to our use of your Personal Data (you may withdraw your consent )).
|
|
Contract performance: where your Personal Data is necessary to enter or perform our contract with you.
|
|
Legal and regulatory obligation: where we need to use your Personal Data to comply with our legal and regulatory obligations.
|
|
Legitimate interests: where we use your Personal Data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
|
|
Legal claims: where your Personal Data is necessary for us to defend, prosecute or make a claim against you, us or a third party.
|
Generally, where we are processing your Personal Data in a recruitment context, we process your Personal Data on the basis that it is necessary to do so in connection with your individual contracts of Employment/Contractual Relationship and where our legal duties as an employer necessitate it.
More specifically, we justify our use of your Personal Data in the manner set out in section 3 of the Statement as follows.
i. Performing and managing the resource planning and recruitment process
Use justification: legal obligations and legitimate interests (e.g., to enable us to effectively perform resource planning and assess their fitness for work)
ii. Managing our business activities
Use justification: legal obligations, legal claims, and legitimate interests (e.g., to enable us to cooperate with law enforcement and regulatory authorities and to allow us to operate and change our business)
iii. Administration of IT systems and applications
Use justification: legal obligations, legitimate interest (e.g., to ensure the security and the smooth operation of our IT infrastructure, and to assist with the prevention of crime and fraud)
iv. Compliance with applicable laws, regulations, policies, and industry and professional rules
Use justification: legal obligations, legitimate interests (e.g., to enable us to achieve a consistent approach to compliance across our business)
Pre-screening of Applicants
We carry out screening of all Applicants who we intend to make an offer of Employment or Contractual Relationship (as the case may be) and prior to any offer being confirmed for the purposes of:
• verifying the information that an Applicant provides during the screening/interview process. This will include verifying information with current/previous employers and educational institutions. No steps will be taken in this respect until the Applicant confirms the verification can take place;
• screening Applicants against publicly available or government issued sanctions lists and media sources. This is to comply with legal and regulatory obligations, to protect us assets and employees/contractors and specifically to ensure that we can comply with trade control, anti-money laundering and/or bribery and corruption laws and other regulatory requirements.
Use of Special Categories of Personal Data
In limited circumstances in which we may need to process your Special Categories of Personal Data, e.g., in connection with criminal records checks, such use of your Special Categories of Personal Data will generally be justified on the legal obligations or legal claims ground (as indicated above). Where this is not the case, we will generally ask for your consent unless we can rely on another legal ground, in which case we will inform you of such ground.
3. Categories of Personal Data
Throughout the course of your recruitment process, we may process your Personal Data, including the following data:
|
Categories of Personal Data
|
The purpose of processing
|
Legal basis (where applicable)
|
|
Information on your CV
|
Carrying out the recruitment process
|
Performance of contract: processing is necessary for entering an employment contract (Article 6 para. 2 lit. a GDPR or UK GDPR)
|
|
Name, Nationality, Educational Background, Employment Period, Work Location, Proposed Position, Reporting to, Educational Experience, Work Resume, Main Achievements, Background Introduction, Main Duties and Responsibilities, Salary, Conflict of Interest Check, Background Check
|
Administration of onboarding process
|
Performance of contract: processing is necessary for entering an employment contract (Article 6 para. 2 lit. a GDPR or UK GDPR)
|
Personal Data requested and provided by Applicants are required in order to fulfil legal requirements and/or which is required for entering into a contract with you (or in the case of a contractor your employer/service provider). Failure to provide us with the information requested which is limited to that required for these purposes will negatively affect your chances of being selected for any potential employment, engagement or internship.
You may voluntarily provide us with additional Personal Data, which will help us to meet the purposes as set out in this Statement or for purposes notified at the point of collection.
Where you provide Personal Data of other individuals (e.g., your emergency contact, family members, friends, etc.), you warrant that you have informed him/her of the categories of Personal Data and purpose(s) for which we require his/her Personal Data and all other relevant arrangement described in this Statement relating to the processing of Personal Data, and that he/she has consented to your disclosure of his/her Personal Data for processing by us after being informed of all of the above.
4. Classes of Transferees/Categories of Recipients
The Personal Data described in Sections 2 and 3 above may be processed by us to meet the purposes described in this Statement or notified purposes at the point of collection. Such Personal Data may be processed (including transfer/disclose and storage as defined) by the following classes of transferees/categories of recipients:
4.1 Changan group companies
As Changan is an international enterprise, operating globally, your Personal Data may be processed by other Changan group companies (and their respective subsidiaries and affiliates), outside the country/region where you are located. Each Changan group company is a separate legal entity. This includes countries and territories outside your location that may not have laws that provide specific protection for Personal Data.
Other Changan group companies may process your Personal Data on behalf of the Data Controller for the same purposes as set out herein.
4.2 Third-party service providers and other transferees
We may transfer or disclose your Personal Data to third-party service providers, contractors, subcontractors, agents, suppliers, government and regulatory authorities whether local or overseas in relation to any of the purposes described in this Statement.
Your Personal Data shared with us, or transferred to other Changan group companies (pursuant to Section 4.1 above) may also be transferred to service providers that are not part of Changan group (“Third-party Service Providers”) to process on our/their behalf. Third-party Service Providers and other transferees may include government authority (e.g., immigration and tax authority), and service providers for pre-employment activities (e.g., reference and background checks). Such transferees provide services with respect to the operation of our business.
The third-party providers may use their respective subsidiaries and affiliates, and their own third-party subcontractors that have access to Personal Data (sub-processors). It is our policy to use only third-party providers that flow those same obligations down to their sub-processors.
Our/other Changan group companies’ service providers, their sub-processors, and other transferees set out in this Section 4 are bound to maintain appropriate levels of security and confidentiality, to process Personal Data only as instructed by us/other Changan group companies and under our/their supervision and comply with applicable laws and regulations.
You may be asked to provide Personal Data (where necessary) direct to our/other Changan group companies’ authorized service providers or sub-processors or other transferees set out in this Section 4 that we engage in connection with the above purposes.
Where third parties collect data directly from you either on our behalf or otherwise in connection with recruitment, you are encouraged to review such third parties’ privacy practices (for example any privacy notices they include on their websites or data collection forms) before disclosing any Personal Data. You acknowledge that, unless the relevant third parties are acting as our authorized agents, we shall have no responsibility for the appropriateness of their privacy practices.
4.3 Disclosures to law enforcement, regulatory and other government agencies, professional bodies and other third parties
We may disclose Personal Data to law enforcement, regulatory and other government agencies and professional bodies and other third parties (which may locate outside the country/region where you are located), as required by and/or in accordance with, applicable laws and regulations. We may disclose certain Personal Data without your consent where an exemption applies under applicable laws and regulations. This may include disclosure directly related to national security, national defense, prevention or detection of crime, public security, public health, and major public interests. Personal Data may be disclosed outside the country you are located. We may also review and use your Personal Data to determine whether the disclosure is required or permitted.
4.4 Other disclosures
We may also disclose Personal Data to third parties pursuant to applicable laws and regulations under the following circumstances:
• when explicitly requested by you;
• when required to deliver publications or reference materials as requested by you;
• when required to facilitate conferences or events hosted by a third party or co-hosted with a third party which you have registered for, Personal Data may be collected via event registration forms and the type of information collected will vary. We may share such information with third parties for purposes connected to the events;
• when we are involved in a merger, acquisition, or sale of all or a portion of its assets; and/or
• as otherwise, set out in this Statement
4.5 Cross-border transfers
As Changan is an international enterprise, operating globally, your Personal Data may be transferred to, accessed from or stored outside the country/region where you are located in accordance with requirements under applicable laws and regulations. We, other Changan group companies, and/or service providers and sub- processors that we or other Changan group companies engage may use servers and other resources in various countries and territories to process your Personal Data.
We will only transfer your Personal Data to the recipients who meet our standards and comply with applicable laws and regulations. While data protection laws differ among countries, we ensure consistent protection described in this Statement for your Personal Data regardless of its location and only transfer your Personal Data pursuant to legally valid mechanisms.
[Could be omitted where employee isn’t in the EEA, If you’re in the EEA, we’ll transfer your Personal Data to Changan group companies, and/or service providers and sub- processors outside the EEA only:
if the recipient is in a country (or a specified sector within a country – e.g. an organisation under the EU-U.S. Privacy Shield) that the European Commission recognises as ensuring an adequate level of protection for Personal Data.
under standard data protection clauses adopted by the European Commission or other safeguards meeting the requirements of the European General Data Protection Regulation for transfers of Personal Data outside the EEA.]
5. Security of Personal Data
We have implemented generally accepted standards of technology and operational security including standards required under applicable laws and regulations, in order to protect Personal Data against accidental, unauthorised or unlawful access, use, processing, alteration, disclosure, transfer, erasure, loss of the Personal Data. Our personnel follow a security policy. Only authorized persons are provided access to Personal Data and such persons are obliged to ensure confidentiality.
Although we use appropriate security measures once we have received your Personal Data, the transmission of data over the Internet (including by e-mail) is never completely secure. We endeavor to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us. We will be responsible for any failure of our physical systems, technology or management error that result in any unauthorized disclosure or compromise of your Personal Data.
Where a Personal Data security incident arises, we shall respond to the incident, assess the likely impact of the incident, and take necessary actions to bring the incident under control. We will let you know in accordance with applicable laws and regulations if a breach occurs that may have compromised the privacy or security of your Personal Data.
We will assess the Personal Data security impact regularly to comply with basic principles for Personal Data security under applicable law and when new requirements are effective and legally binding and take appropriate actions to protect Personal Data.
6. Retention of Personal Data
It is our policy to retain Personal Data only for as long as is for the fulfilment of the purposes for which the data are or are to be used, or as required by laws, regulations, or industry and professional rules and in order to establish, exercise or defend our legal rights.
We retain Personal Data of unsuccessful Applicants for 2 years after the recruitment process or assessment has been completed.
If you are successful in your application, the Personal Data gathered through the recruitment process will be retained in line with separate privacy statements.
7. Your Rights to Personal Data
If you have any questions in relation to our use of your Personal Data, please contact us through dpo@changaneurope.com.
Under certain circumstances, you may have the right to require us to:
provide you with a copy of your Personal Data;
provide you with further details on the use we make of your Personal Data;
update any inaccuracies of Personal Data that we hold;
delete any Personal Data that we no longer have a lawful ground to use,
right to data portability
right to not subject to automated decision making
the right to, where processing is based on consent, withdraw your consent so that we stop that particular processing;
object to any processing based on the legitimate interests ground under our reasons for undertaking that processing outweigh any prejudice to your data protection rights; or
restrict how we use your Personal Data whilst a complaint is being investigated.
Your exercise of these rights is subject to certain exemptions to safeguard public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.
If you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you have the right to lodge a complaint with a relevant supervisory authority.
Under certain circumstances permitted by applicable laws and regulations, we may refuse to accede to your requests above. In such circumstances, we will promptly notify you of the reasons for refusing to accede to your requests.
For security purposes, you may be required to provide written requests or prove your identification in other ways. We will respond to your request within the time required under applicable laws and regulations. We may charge a fee for your request to access your Personal Data, if permitted by applicable laws and regulations.
8. Contact Us
If you wish to exercise any of your rights set out in Section 6, under applicable privacy laws and regulations, or have questions about how your Personal Data is handled at any time, or to make complaints, please send your request to dpo@changaneurope.com.
When requested, and provided that it is practical and commercially feasible to comply with the request, we will reply to your request within the time frame under applicable laws and regulations.
9. Children
We are committed to protecting children’s privacy. Where Personal Data of a child (e.g., your child) is collected with the consent of his or her parents, we will process such Personal Data only when it is permitted by the child’s parent or guardian or it is necessary to do so to protect the child.
10. Changes to this Statement
We may need to update this Statement from time to time to comply with applicable laws and regulations or for other legitimate purposes. We will not make any change that will affect your rights under this Statement without first obtaining your consent as may be required by applicable laws and regulations. If we make any material changes, we will notify you of the changes and amend the revision date of this Statement. The new modified Privacy Statement will apply from that revision date. Please contact us through dpo@changaneurope.com if you want to find a copy of the most updated version of the Privacy Statement.
Appendix: Terms and definitions
Shall have the meaning given in the Applicable Data Protection Law or Regulations
|
Applicants
|
means individuals who apply to work for, or who attend a recruitment event or undertake an assessment.
|
|
Data Controller
|
means the person or organization that determines when, why and how to process Personal Data.
|
|
Data Subject
|
means the individual who is identified or identifiable from the Personal Data.
|
|
European Economic Area (“EEA”)
|
The member states of the European Union (EU) plus Iceland, Liechtenstein, Norway and Switzerland.
|
|
Employment
|
means where a Changan group company has entered into a direct employment relationship with an employee (including full time employees and part-time employees such as secondees and interns), either the Changan group company has concluded an employment contract or entered into a de facto employment relationship with the employee (although there is no employment contract in place).
|
|
Contractual Relationship
|
means engagement or appointment under a contract between you and a Changan group company to execute any work or labour (e.g., as a partner, member, shareholder, officer and director, independent contractor, consultant, and advisor) which does not constitute Employment under applicable laws, and related expression shall be construed accordingly.
|
|
Personal Data
|
Shall have the meaning given in the applicable Data Protection Laws and Regulations
EU/UK Data Privacy Laws:
"Personal Data" means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include anonymized data.
Turkey Personal Data Protection Law:
"Personal Data" means any information relating to an identified or identifiable natural person.
|
|
Special Categories of Personal Data
|
Shall have the meaning given in the applicable Data Protection Laws and Regulations
EU/UK Data Privacy Laws:
means Personal Data that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Turkey Personal Data Protection Law:
means Personal Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.
|
|
Processing
|
means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
|
|
We, us and our
|
refers to the Changan group company with whom you applied or contracted with for Employment or for establishing Contractual Relationship (as defined).
|
|
Solutions
|
Means systems, databases, websites, applications provided or made accessible through us, other Changan group companies and/or third parties.
|
|
“third party” / “third- party”
|
means any party other than Changan group companies or you, including but not limited to:
(a) providers of data related services, including data storage and processing service providers;
(b) other service providers, subcontractors, agents and other third parties acting on behalf of any Changan group company (including us);
(c) current/perspective clients, and other business contacts; and
(d) government and regulatory authorities; institutional, industry or organizational bodies; and professional bodies.
|