Privacy Policy
Last updated 08.05.2023
Who we are and what does this Privacy Notice cover?
For the purpose of the General Data Protection Regulation (“GDPR”) the Data Controller is Amby AS, a Norwegian company registered in the register of the Norwegian Central Coordinating Register for Legal Entities under number 997901916 (“Amby” or “we” or “us” or “our”). As a recruitment company, we are committed to protecting the privacy of our candidates, clients, and users of our website.
This Privacy Policy explains what we do with your personal data, whether we are in the process of introducing ourselves to you, helping you to find a job, continuing our relationship with you once we have found you a role, providing you with a service, receiving a service from you, or when you are visiting our website www.amby.com and all its subdomains, including any other media form, media channel, mobile website, or mobile application related or connected thereto (collectively, the “site”). Please read this privacy policy carefully.
Amby may change and update this policy from time to time to comply with any governmental or legal changes, as well as company policies. Any changes or modifications will be effective immediately upon posting the updated Privacy Policy. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes.
To learn more about the processing of personal data of our website and app users, please get familiar with our Website Privacy Policy.
What kind of Personal Data do we collect?
As a recruitment agency, employer, and service provider, in order to undertake our core business, we collect a range of personal data on prospective and placed candidates, clients, users of our websites and apps, service providers, employees, and consultants.
Prospective Candidates
We collect information including your name, contact details, work experience, education, acquired credentials, and skills, obtainable from publicly available sources such as Linkedin and other websites holding information on potential candidates. We may also obtain the aforementioned information through a referral from another candidate, consultant, client, or employer.
Candidates
We collect information that you provide when you apply for a role. This includes information provided through an online job site, via email, in person at an interview, and/or by any other method.
In particular, we process personal details such as name, personal identifiers, online identifiers, Internet Protocol address, account name, email address, home address, telephone number, date of birth, qualifications, experience, information relating to your employment history, current job title, salary, earnings and benefits, transcript of grades, references, your resume, communications created, stored or transmitted for professional or job-related purposes using our networks, as well as your video in case you conduct your interview using the Video Interview feature.
If you contact us, we may keep a record of that correspondence. We may also collect details of your visits to Workable’s Website including, but not limited to, traffic data, location data, weblogs, and other communication data, the site that referred you to Workable’s Website, and the resources that you access.
Where permitted by law, we may also collect information regarding your gender, health, race, ethnicity, sexual orientation, and religion, notably for the purposes of equal opportunity monitoring, as well as details of any criminal record, if required by the client or by the role for which we are recruiting.
We may also collect information about you from third parties, including ATS systems such as Workable, personality and ability test platforms such as mapTQ from Aon, educational institutions, former employers and referees, systems that hold public information about candidates such as Linkedin, and clients who have entered the recruitment process with you or who have sent us feedback on your application.
Clients and Suppliers
We collect information regarding your name, contact details, position, and function held in the organization allowing us to potentially establish and continue a business relationship with you or your company. We may also keep a record of communications we have had with you.
How and why do we process your Personal Data?
Prospective Candidates
We process your personal data to determine whether you are interested in or can benefit from our services. Your name and contact details will allow us to contact you in respect of the recruitment process.
Candidates
We may use your personal data to:
- consider your application in respect of a role for which you have applied;
- consider your application in respect of other roles;
- communicate with you in respect of the recruitment process;
- enhance any information that we receive from you with information obtained from third-party data providers;
- find appropriate candidates to fill our and our clients’ job openings;
- help our service providers (such as Workable and its processors and data providers) and partners (such as the job sites through which you may have applied) improve their services;
Automatic decision-making/profiling
We may use Workable’s technology to select appropriate candidates for us to consider based on criteria expressly identified by us, or typical in relation to the role for which you have applied. The process of finding suitable candidates is automatic, however, any decision as to who we will engage to fill the job opening will be made by our staff.
Clients and Suppliers
We process your personal data to:
- provide our services to you;
- fulfill our other contractual obligations;
- communicate with you;
- establish, exercise, or defend legal claims.
What is our legal basis for Personal Data processing?
Legitimate interest
As long as our interests are not overridden by your interests or fundamental rights and freedoms, we rely on legitimate interest as the lawful basis on which we collect and use your personal data. Our legitimate interests are the recruitment of staff for our business. The exchange of personal data of our candidates and client contacts is a basic, essential part of this process.
In order to support the career aspirations of our candidates and the staffing needs of our clients, we need a database of candidates' and clients' personal information. In order to maintain, expand and develop our business, we need to record the personal information of potential candidates and client contacts.
We may also process your data to assert possible claims or defend against claims, which is our legitimate interest.
Consent
Where you apply for a job opening through the Indeed Apply functionality or by sending us your resume/candidate information, we rely on your consent, which is freely given by you during the application process, to disclose your personal data to Indeed on the basis described below.
In certain other circumstances, we may also ask for your consent to process your personal data. If you are contacting us about a specific job offer, we may also ask you for consent to process your personal data in order to search for some other appealing job opportunity. You have the right to withdraw your consent for data processing at any time without affecting the lawfulness of the processing which was made on the basis of consent before its withdrawal.
Compliance with a legal obligation
In case we need to process your personal data to comply with legal or regulatory obligations.
Contract
To comply with our obligations under a contract we enter into with you or your employer, it might be necessary for us to process your personal data. In this case, our legal basis for processing activities will be the performance of a contract. This applies to each stage of the contractual life cycle including pre-contractual processing, the performance of the contract, and termination of the contract.
Processing of Special Categories of Personal Data
We might, if necessary, process Special Categories of Personal Data such as physical limitations and special needs, gender, marital status, health, race, ethnicity, nationality, sexual orientation, and religion.
We will process this type of data if processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by applicable law providing for appropriate safeguards for the fundamental rights and the interests of the data subject, processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, processing relates to personal data which are manifestly made public by the data subject, processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of applicable law or pursuant to contract with a health professional and subject to the conditions and safeguards.
In other cases, where required by law, we will obtain your express written consent to our processing of your Special Categories of Personal Data.
With whom do we share your Personal Data?
We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy policy. Affiliates include our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
We may also disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal processes, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
If you are a candidate who has applied or agreed to participate in a specific recruitment process, we may share your data with the employer assigned to that process. If you have agreed to participate in future recruitments conducted by Amby, your data will also be shared with other potential employers.
As set out above, we might also pass your information to our third-party service providers, including Workable, who use it only in accordance with our instructions and as otherwise required by law.
Where you have applied for a job opening through the Indeed Apply functionality, and where you have consented to this disclosure, we will disclose to Indeed certain personal data that we hold, including but not limited to a unique identifier used by Indeed to identify you, and information about your progress through our hiring process for the applicable job opening, as well as tangible, intangible, visual, electronic, present, or future information that we hold about you, such as your name, contact details and other information involving analysis of data relating to you as an applicant for employment (collectively “Disposition Data”). Indeed’s Privacy Notice in respect of Indeed’s use of the Disposition Data is available on Indeed’s website.
Where you have applied to a job opening through another service provider, we may disclose data similar to the Disposition Data defined above to such service provider. The service provider shall be the data controller of this data and shall therefore be responsible for complying with all applicable laws in respect of the use of that data following its transfer by us.
Your personal information can be transferred and processed in one or more other countries, in or outside the European Union. We shall only transfer your data outside the EU to countries that the European Commission believes offers an adequate level of protection to you, or where we have put in place appropriate safeguards to seek to preserve the privacy of your information. Those countries include the United States of America.
Where do we store your Personal Data?
Where we store your personal data in our own systems, it is stored in Norway.
The data that we collect from you and process using third-party service providers for employment or business-related administrative purposes may be transferred to, and stored at, a destination outside of the country in which you are located or outside of the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfillment of your orders, the processing of your payment details, and the provision of support services. Some recipients located outside the EEA are certified under the EU-U.S. Privacy Shield and others may be located in countries for which the European Commission has issued adequacy decisions. In each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective. Where necessary we establish (e.g. by implementing Standard Contractual Clauses) that recipients of Employee Data located outside the EEA provide an adequate level of data protection for the Employee Data and that appropriate technical and organizational security measures are in place to protect Employee Data. By submitting your personal data, you agree to this transfer, storage, or processing.
In particular, your data may be accessible to i) Workable’s staff in the USA or ii) may be stored by Workable’s hosting service provider on servers in the USA as well as in the EU. The USA does not have the same data protection laws as the United Kingdom and EEA. A Data Processor Agreement has been signed between Workable Software Limited and its overseas group companies, and between Workable Software Limited and each of its data processors. These data processor agreements are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal data.
If you would like further information please contact us (see ‘How to contact us?’ below). We will not otherwise transfer your personal data outside of the United Kingdom or EEA or to any organization (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
How long do we store your Personal Data?
We generally keep your personal data only as long as needed to fulfill the purpose we collected it for, which may be an ongoing purpose and/or for our essential business purposes such as complying with our legal obligations, resolving disputes, and maintaining the performance of our services.
The retention period for all the data in our organization is 60 months. We hold your personal data compliant with the legal retention periods or, if applicable, the duration of your engagement. We will retain your information as necessary to comply with legal, accounting, or regulatory requirements.
Safety and Security
We take appropriate measures to ensure that all personal data is kept secure including security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorized way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means, therefore any transmission remains at your own risk.
What are your rights?
Under the General Data Protection Regulation, you may have a number of important rights free of charge. Those include rights to:
- withdraw consent to processing at any time (where relevant);
- request access to your personal data and to certain other supplementary information;
- request correction of the personal data that we hold about you;
- request erasure of your personal data in certain situations;
- object to the processing of your personal data in certain situations, including where we are relying on legitimate interest;
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
- object at any time to processing of personal data concerning you for direct marketing;
- request the restriction of processing of your personal data in certain situations;
- receive personal data that we hold about you, in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations;
- claim compensation for damages caused by our breach of any data protection laws.
If you would like to exercise any of these rights, please contact us using our contact information below and let us know what information your request concerns.
How to contact us?
All questions, comments, and requests regarding your rights, our processing of your personal data, and this Privacy Notice should be addressed to dpo@amby.com.
How to contact a supervisory authority?
We hope that we can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred. The supervisory authority in Norway is the Norwegian Data Protection Authority who may be contacted at https://www.datatilsynet.no/en/about-us/contact-us/.
Amby AS
Thorvald Meyers gate 7
0555 Oslo, Norway