KIRKBI A/S - Privacy policy for candidates
Thank you for your application for a job with KIRKBI A/S (“KIRKBI”, “we” or “us”).
In connection with recruitments with KIRKBI A/S, we process your personal data as stated in this policy in order to assess if you qualify as a candidate for a vacancy with us.
We recommend that your application does not contain civil registration number (CPR) or any sensitive personal data such as information that reveals racial or ethnic background, religious beliefs, trade union membership, sexuality, health information etc. If a position, in exceptional cases, requires a specific health condition, we will, if required, following a specific assessment, ask for your consent to process such information, cf. Article 7 and 9(2)(a) of the General Data Protection Regulation (GDPR) and Section 11(2)(2) of the Danish Data Protection Act (databeskyttelsesloven).
See below for further information about the personal data we process when you apply for a position with us.
1. Contact information
KIRKBI A/S is the data controller in respect of the personal data collected and processed in connection with the processing of your application. Contact us here.
KIRKBI A/S
Att.: HR Shared Service Center
CVR-no. 18591235
Koldingvej 2
DK-7190 Billund
+45 75 33 88 33
SSC@KIRKBI.com
2. Processing of your application
We process any information, including personal data, contained in your application and CV to evaluate your application.
This will typically be the following information: Name, address, photo, date of birth, gender, telephone number, e-mail address, marital status, education and training, career history, driver’s license information, and recommendations/references.
If you are invited for a job interview, we will receive more information about you during this interview that we will use in the further recruitment process.
We use Article 6(1)(b) of the GDPR as our basis, as in this case, your personal data are processed prior to the conclusion of an employment contract. In addition, we process your information on the basis of Article 6(1)(f) of the GDPR with a view to pursuing our legitimate interest in conducting the recruitment process.
3. Information from Recruitment Agencies, publicly available information, social media, etc.
As part of our recruitment process, we may receive information about relevant candidates for a position from external Recruitment Agencies and/or Head-hunters, if the Recruitment Agency and/or Head-hunter is entitled to share the information with us. We may also search the Internet for relevant and publicly available information, including content in public registers, media archives, on social media such as LinkedIn, Facebook, Twitter, Instagram, etc. We typically look for information about your previous employment, activities, competences and performance.
We use the provision on legitimate interest stipulated in Article 6(1)(f) of the GDPR as our basis for obtaining information about candidates from Recruitment Agencies and/or Head-hunters, social media, etc. We do this to be able to assess whether you have a profile that fits our company and the specific position.
4. Information from personality tests, skills tests, etc.
During the recruitment process for the position that you have applied for, you may be asked to complete a personality test, a skills test or similar, you will be informed once we have processed your application. We always assess whether it is relevant for the specific position.
The purpose of the tests are to assess your competences and qualifications as a potential employee, and if your profile fits the company and the specific position.
We process your personal data collected as part of the test on the basis of Article 6(1)(f) of the GDPR, as we have a legitimate interest in finding the most suitable candidates for the position. We will, however, use your consent under Article 6(1)(a) of the GDPR as our basis, if the relevant test contains sensitive personal data. You may withdraw your consent at any time. You do this by contacting us using the contact information above. If you withdraw your consent, such withdrawal does not take effect until the date of withdrawal. It therefore does not affect the legality of our data processing up to the time when you withdraw your consent.
5. Criminal record and child protection certificate
5.1 Criminal record
When we obtain a criminal record, the aim is to ensure that you have not previously been convicted of a crime that may be relevant to your access to information about values, economic or financial positions, administration of valuables or equivalent.
We use consent under Article 6(1)(a) of the GDPR as well as Sections 8(3) and 11(2)(2) of the Danish Data Protection Act as our basis when we obtain criminal records. You may withdraw your consent at any time. You do this by contacting us using the contact information above. If you withdraw your consent, such withdrawal does not take effect until the date of withdrawal. It therefore does not affect the legality of our data processing up to the time when you withdraw your consent. If it is a requirement for employment in the position that you can present us with a satisfactory criminal record, your withdrawal of consent before such a record is obtained may imply that you will not be considered for the position, or that the offer of employment will be withdrawn.
5.2 Child protection certificate
For some positions, we have to obtain a child protection certificate, if the position involves an opportunity to get in direct contact with children and young people under the age of 15, cf. Section 2(1) of the Act on the retrieval of a statement of previous convictions in respect of children on the appointment of staff (børneattestloven). We always assess whether it is necessary to obtain a child protection certificate based on the relevant position. The aim is to ensure that the candidate we hire has not previously been convicted under the provisions of the Danish Criminal Code (straffeloven) relating to sexual relations with children under the age of 15.
We only obtain a child protection certificate if you have been offered a position with us. In this connection, we will first ask for your consent for such processing.
We use consent under Article 6(1)(a) and Article 7 of the GDPR, Sections 8(3) and 11(2)(2) of the Danish Data Protection Act as well as Section 3 of the Act on the retrieval of a statement of previous convictions in respect of children on the appointment of staff as our basis when we obtain child protection certificates. You may withdraw your consent at any time. You do this by contacting us using the contact information above. If you withdraw your consent, such withdrawal does not take effect until the date of withdrawal. It therefore does not affect the legality of our data processing up to the time when you withdraw your consent. If employment in the relevant position requires that you can present us with a clean child protection certificate, your withdrawal of consent before such a certificate is obtained may imply that you will not be considered for the position, or that the offer of employment will be withdrawn.
6. Information from former employer or others
For some positions, it is necessary to obtain references from former employers, colleagues, personal network or similar. If we obtain such references, we may register the information that we receive.
Since we have a legitimate interest in finding the most suitable candidates for a job, we may contact any references disclosed by you based on Article 6(1)(f) of the GDPR. However, we will obtain your consent using Article 6(1)(a) of the GDPR as our legal basis for such processing, before we contact any references that you have not disclosed. In any case, we will obtain your consent to contact references if we want to obtain information of a more subjective nature (e.g. academic or social skills), sensitive information or information about criminal matters.
7. Copies of passports and other identification documents
In connection with the recruitment process we may arrange travel bookings or similar on your behalf and in such case we may obtain information about your passport or other identification documents.
We use the rule on legitimate interest stipulated in Article 6(1)(f) of the GDPR as the basis for processing such data, as we need to process information about your passport or other identification documents in order to arrange for travel bookings on your behalf.
We use consent as stipulated in Article 6(1)(a) and Article 7 of the GDPR and Section 11(2)(2) of the Danish Data Protection Act as our legal basis if your documents contain information about your civil registration number (CPR).
8. Residence and work permit
It is a condition of appointment that you have a valid residence and work permit. To ensure this, we may ask for a copy of your passport in connection with your employment.
If, because of your citizenship, you need residence and work permits to work lawfully in Denmark, we also obtain copies of your residence and work permits via the Danish Agency for International Recruitment and Integration.
We use Article 6(1)(c) of the GDPR as our legal basis and Section 11(1)(1) of the Danish Data Protection Act when we obtain a copy of your passport and possibly work and residence permits, since we have an obligation to ensure this under Section 59(5) of the Danish Aliens Act (udlændingeloven).
9. Storage and deletion
9.1 If you are not offered a position/unsolicited applications
If you are not offered a position, we will keep your application and any other personal data collected in connection with the recruitment process, including the results of your personality test, for a period of up to 6 months after the recruitment process is finished, unless you have given your consent to longer storage of such data.
If we have obtained a copy of your criminal record or your child protection certificate in connection with the recruitment process, we will not keep this record or certificate after the end of the recruitment process.
If we have obtained information about your passport or other identification documents in connection with the recruitment process, we will delete such information when they are no longer relevant for the purpose they were obtained for.
9.2 If you are offered a position
If you are offered a position, your application as well as additional personal data collected in connection with your appointment will be part of your employee file with us.
If we have obtained a copy of your criminal record in connection with the recruitment process, we will not keep that record after the end of the recruitment process. In connection with a possible appointment, we merely register that it was presented to us.
If we have obtained a copy of your child protection certificate in connection with the recruitment process, and you are offered a position, we will register in your employee file that this certificate was presented to us. However, the child protection certificate will be deleted after such registration.
10. Other recipients that may process your data
In connection with the recruitment process, other people may receive your personal data. These can be public authorities or providers who deliver systems and assist with administrative functions, e.g.:
- Recruitment agencies
- Supplier of IT systems, including recruitment system
- Providers of personality and skills tests etc.
- Providers of background checks
- Other third parties providing relevant services under a contract with KIRKBI A/S
We may share personal data with providers of travel agencies, providing services in connection with travel bookings, administration, etc., airlines and advisors within various areas, including lawyers and accountants.
11. Transfer of personal data
In connection with the processing of your personal data for the purposes described in this policy, your personal data will be transferred to data controllers or data processors located in countries outside the EU/EEA, including LEGO Group units.
When we make such transfers, we will always take reasonable steps to ensure that your personal data are processed confidentially.
If your personal data are transferred to countries outside the EU/EEA, such transfer will take place on the following legal basis:
a. Binding Corporate Rules
b. The country has been approved by the European Commission as having an adequate level of security
c. If the country has not been approved by the European Commission as having an adequate level of security, we will ensure transfer as follows:
- By using the European Commission's standard contractual clauses
- By obtaining your consent to such transfer
We use Microsoft Office 365 with data storage within the EU/EEA. However, data may be transferred or accessed from locations in third countries. Should this be the case, the transfer basis will be the standard contractual clauses of the European Commission.
12. Your rights
12.1 Rights of the data subject
According to the General Data Protection Regulation and the Danish Data Protection Act, you have certain rights.
- You have a right of access to the information that we process about you as well as certain other information
- You have the right to have inaccurate personal data concerning you rectified
- In special cases, you have the right to have personal data about you erased before our general erasure time
- In certain cases, you have the right to restrict the processing of your personal data
- In certain cases, you have the right to object to our otherwise legitimate processing of your personal data
- In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit such personal data from one data controller to another without hindrance (data portability)
If you want to exercise your rights, please contact us using the above contact information.
12.2 Complaint to the Data Protection Agency
You can complain about our processing of your personal data to the Danish Data Protection Agency. For the Data Protection Agency's contact information, see the Agency's website: www.datatilsynet.dk.
Version 2.0, December 2021
