1. Who we are and how to contact us
2. What personal data we collect and why
| Category of Data Subject | Personal data collected | Purposes of processing | Legal basis | Retention period |
| --- | --- | --- | --- | --- |
| Job candidates | Identification and contact data, professional experience, qualifications, educational background, references, personality test results and interview notes | Evaluation of applications, management of the recruitment process, and communication | Pre-contractual measures (Art. 6.1.b), consent (Art. 6.1.a) | 6 months after the vacancy closes, or 2 years if consent is given |
| Job candidates (and website visitors) | IP address, cookies, browsing data, device information | Analytics, site security, user experience optimization, and Employer Branding data (tracking visits, referral sources) | Legitimate interest (Art. 6.1.f - for security and basic functional analytics), Consent (Art. 6.1.a - typically required for non-essential/tracking cookies and detailed analytics) | 13 months for analytics data (cookies/browsing). 30-90 days for security logs (IP address) |
When we process data based on legitimate interest, our legitimate interests include:
- Application fraud and security protection
- Website performance
3. Source of personal data
We may collect your personal data from the following sources:
- Directly from you (CV, application forms, interviews, and the data generated through any psychological, personality or skills assessments that could be used during the recruitment process)
- Professional networking platforms (e.g., LinkedIn), when you make your profile publicly accessible
- Recruitment platforms and job boards where you have published your CV
- References provided by you
When we obtain your data from sources other than directly from you, we will inform you within one month of obtaining your data, or at the time of first communication with you.
4. Obligation to Provide Personal Data
The provision of personal data is necessary to evaluate your application and participate in the recruitment process. If you choose not to provide the requested information (name, contact details, professional experience, qualifications), we will not be able to assess your application or proceed with your candidacy.
Certain additional information (such as references or specific certifications) may be requested only when relevant for the specific role and will be clearly indicated as optional or mandatory depending on the position requirements.
5. Consent for Future Recruitment Processes
When you apply for a specific position, we process your data based on pre-contractual measures (Art. 6.1.b GDPR) for the duration of that recruitment process. Your data will be retained for 6 months after the vacancy closes.
If you wish us to retain your data for future recruitment opportunities, we will request your separate, optional consent. This consent is:
- Completely voluntary and will not affect your current application
- Specifically for the purpose of being considered for future vacancies
- Valid for up to 2 years from the date given
- Withdrawable at any time by contacting gdpr@formalize.com
You can provide this consent through a follow-up email. If you do not provide this consent, your data will be deleted 6 months after the specific recruitment process concludes.
6. Our data protection principles
We process your data based on these fundamental principles:
- Lawfulness and transparency: All processing has a legal basis and is conducted fairly, with clear information about how we use your data.
- Purpose limitation: Data is collected for specific, explicit, and legitimate business purposes and is not processed in a way that is incompatible with those purposes.
- Data minimization: We only process data that is necessary and relevant for the stated purposes.
- Accuracy: We keep data accurate, complete, and up-to-date, and rely on you to inform us of any changes.
- Storage limitation: Data is retained only as long as necessary to fulfill processing purposes and comply with legal obligations.
- Security: We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or damage.
- Accountability: We demonstrate compliance with these principles and maintain records of our processing activities.
7. With whom we share your personal data
We may share your data with the following categories of recipients:
- Applicant Tracking Systems (ATS) providers
- Cloud storage providers (for secure data storage)
- Internal hiring managers and relevant team members who are involved in the recruitment process
All external processors are bound by data processing agreements that ensure GDPR compliance. We maintain a list of all authorized sub-processors, available at: gdpr@formalize.com
8. Use of Artificial Intelligence and Automated Decisions
We use a third-party Artificial Intelligence (AI) tool exclusively to process the CV you submit, extracting and summarizing key, relevant information. This helps our recruiters efficiently review applications.
No Automated Decisions: The AI tool acts solely as a support mechanism. It generates summaries or highlights key data; it does not automatically accept or reject candidates.
Human Intervention: All final hiring or rejection decisions are made by our Human Resources personnel after a thorough human review of the original application documents and the AI-generated summaries.
Data Processed: The data processed includes personal data contained within the CV (e.g., name, contact details, professional experience, and qualifications).
Legal Basis for Processing: The processing of your personal data is based on your consent, which you provide by submitting your application.
9. International data transfers
Formalize may transfer personal data between Group entities within the European Economic Area (Denmark, Spain, Italy) under appropriate intra-group agreements.
For transfers outside the EEA, we ensure your data remains protected. These transfers are exceptional and are subject to the safeguards required by the GDPR, such as Standard Contractual Clauses (SCCs) or an adequacy decision from the European Commission.
10. Your data protection rights
As a candidate, you have the following rights regarding your personal data under the General Data Protection Regulation (GDPR), which you may exercise at any time using this link:
- Right of Access: You may request a copy of your personal information processed by us.
- Right to Rectification: You may request the correction of inaccurate or incomplete data.
- Right to Erasure (‘Right to be Forgotten’): You may request the deletion of your data under certain circumstances, unless we are legally obliged to retain it.
- Right to Restriction of Processing: You may ask us to temporarily limit how we use your data in specific cases.
- Right to Object: You may object to certain types of processing, such as direct marketing or processing based on our legitimate interests.
- Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format, and have the right to transmit it to another controller.
- Right not to be subject to automated decision-making (including profiling): You may request human intervention, contest decisions made solely by automated means, and obtain information on the logic involved.
When our processing is based on your consent, you have the right to withdraw it at any time. This withdrawal will not affect the lawfulness of processing that occurred before you withdraw your consent.
To exercise your rights, please contact our DPO at dpo@sixtus-compliance.dk. We respond to requests within one month, extendable to three months for complex requests.
11. Data breach management
We maintain coordinated incident response procedures. Breaches are assessed for risk and, where required, reported to supervisory authorities within 72 hours and to affected individuals without undue delay.
12. Policy updates
This policy may be updated to reflect legal changes or operational improvements. If we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information about that new purpose and any other relevant information before carrying out such processing, as required by Article 13(3) GDPR.
Updates are communicated through our website and appropriate channels.
13. Complaints
You can lodge complaints with a supervisory authority in your country of residence, place of work, or where you believe an infringement occurred.
For Denmark:
Datatilsynet
Carl Jacobsens Vej 35
DK-2500 Valby, Denmark
Tel: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
For Spain:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Tel: +34 912 66 35 17
Email: internacional@aepd.es
Website: www.aepd.es
For Italy:
Garante per la Protezione dei Dati Personali
Piazza Venezia 11
00187 Roma, Italy
Tel: +39 06 696771
Email: protocollo@gpdp.it
Website: www.garanteprivacy.it
14. Our Commitment to Security
We maintain ISAE 3000 certification for assurance engagements related to data privacy and control environments, providing independent verification of our protection measures. Additionally, we are ISO 27001 certified, a global standard for information security management.
To uphold these commitments, we have implemented robust protection measures, including data encryption in transit and at rest, strict access controls based on the principle of least privilege, and periodic security audits. We are committed to a proactive approach to risk management and continuous improvement in data protection.