PRIVACY POLICY
FOR XOLO CANDIDATES

The privacy of Your personal data is important to Xolo. This Policy describes the rules according to which Xolo processes the personal data of the candidates.

Xolo is entitled to unilaterally amend this Policy from time to time. In case the new terms refer to processing Your personal data for any new purpose, which requires Your consent, then Xolo will not process Your personal data for such new purpose, before it has Your consent.

1. GENERAL DEFINITIONS

   Xolo

   Xolo OÜ, registry code 12844111, address Paju 1a, 51013, Tartu, or its affiliate
   You

   Xolo’s job candidate
   GDPR

   Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
   Policy

   This privacy policy
   Personal Data

   Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data processed by Xolo is described under Section 2
   Processing

   Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
   Controller

   A person who alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The Controller of Your Personal Data is Xolo OÜ or its affiliate.

2. PERSONAL DATA AND SOURCES

   Xolo Process the following Personal Data about You:

   1. Basic Data – name, personal identification number, date of birth, residential address, e-mail address, telephone number;
   2. Application Data – information which is provided in Your CV, motivation letter, recommendations and other supplementary documentation You, and which is not covered by Basic Data, such as profile picture, previous job details;
   3. Progress Data – a record of your progress through any hiring process that Xolo may conduct, including assessments, and any documents or work samples submitted as part of practical tasks or the evaluation process.
   4. Video Call Data – Xolo may conduct video call interviews as well as process transcripts generated from interviews conducted using our note-taking tools. Xolo does not record video calls.
   5. Correspondence Data – If you contact Xolo, Xolo may keep a record of that correspondence;
   6. Document Data – data proving the legality of your employment (e.g. copy of residence permit).

   As You are a candidate applying for a vacant position in Xolo, then Xolo is Processing only Personal Data necessary to assess Your suitability for the position.

   The majority of the Personal Data Processed by Xolo in the course of recruitment is collected directly from You. Xolo may collect Your Personal Data from third parties, e.g. from Your previous employer in case You have made such references in Your application. In any case, Xolo will inform You about the third party, purposes and legal grounds for such data Processing.

   Xolo does Process some of Your Personal Data for automated decision making in cases when Xolo assesses your work eligibility.

3. PROCESSING PURPOSES AND LEGAL GROUND

   Xolo is relying on the following legal grounds when Processing Your Personal Data:

   1. Processing is necessary for compliance with a legal obligation to which Xolo is subject (GDPR article 6 (1) (c));
   2. Processing is necessary for the purposes of the legitimate interests pursued by Xolo (GDPR article 6 (1) (f));
   3. You have granted a consent to the Processing of Your Personal Data (GDPR article 6 (1) (a)).

   The categories of Personal Data, Processing purpose and legal ground for the Processing activity has described more specifically in the schedule below.

   CATEGORY OF PERSONAL DATA	PURPOSE OF PROCESSING	LEGAL GROUND FOR PROCESSING	THIRD PARTIES
   Basic Data	to consider Your candidacy in the recruitment process	Legitimate Interest	Cloud Storage provider
   Application Data	to assess Your suitability for the vacant position	Legitimate Interest	Employment information management service provider
   Progress Data	to assess Your suitability for the vacant position	Legitimate Interest	Employment information management service provider
   Video Call Data	to assess Your suitability for the vacant position	Legitimate Interest	IT Service Provider, Employment information management service provider
   Correspondence Data	to assess Your suitability for the vacant position and provide any support	Consent Legitimate Interest	Email and Ticketing service provider
   Document Data	to ascertain that You are eligible to work for Xolo	Legal Obligation	Tax and Custom Board

4. RIGHT TO WITHDRAW THE CONSENT

   1. Please be aware that if the Processing is conducted under Your consent then You are entitled to withdraw Your consent at any time by sending Xolo a respective e-mail at valentin.zigalkin@xolo.io.
   2. If Xolo is Processing Your Personal Data in the course of the recruitment process, then the submission of the application to Xolo is considered as consent to Process Your Personal Data.
   3. The withdrawal of Your consent does not affect the legality of Processing Your Personal Data prior to the withdrawal of Your consent.
   4. If Xolo would want to Process Your Personal Data for any new purpose, which requires Your consent, then Xolo will not Process Your Personal Data for such a new purpose, it has received Your consent for such Processing.

5. TRANSFER OF THE PERSONAL DATA AND SECURITY MEASURES

   As You can see above, Xolo may need to transfer Your Personal Data also to third parties whose services Xolo is using in Processing of Your Personal Data but who are not expressly mentioned under Section 2 (e.g. employment information management service provider, IT systems suppliers and support; data analysis or other outsourcing providers). Xolo may also transfer Your Personal Data to its affiliates.

   Xolo uses Workable, an online application provided by Workable Software Limited, to assist with the recruitment process. Xolo uses Workable to process personal information as a data processor. Workable is only entitled to process your personal data in accordance with Xolo’s instructions.

   Upon transferring Your Personal Data to third parties, Xolo will apply the following safeguards:

   1. Xolo enters into a data processing agreement with the relevant third party;
   2. Xolo makes sure that such third party undertakes to implement appropriate technical and organizational measures ensuring the Processing of Your Personal Data in accordance with this Policy and applicable law;
   3. Xolo makes sure that (a) the third party is established in a jurisdiction which the European Commission has recognized as ensuring an adequate level of Personal Data protection, or (b) the Processing of Your Personal Data is subject to other appropriate safeguards stipulated in the GDPR.

6. RETENTION OF THE PERSONAL DATA

   As Xolo is Processing Your Personal Data in the course of recruitment process, Xolo will retain Your Personal Data for the period required or permitted by applicable law, but no longer than one (1) year as of the refusal decision or until the termination of Your employment with Xolo, whichever is the latter. Xolo may extend the retention period by an additional 12 months if You provide consent to.

   Xolo takes reasonable steps to ensure that the Personal Data being Processed is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described herein.

7. YOUR DATA PROTECTION RELATED RIGHTS

   In connection with the Processing of Your Personal Data, You have the following rights:

   1. Request information – Xolo has provided all information which You have the right to receive in this Policy. In case You have any questions in relation to the data Processing terms provided herein or You wish to clarify any matter herein, then You are welcome to contact Xolo.
   2. Right to access – You have the right to ask Xolo to provide You with a copy of Your Personal Data which Xolo Processes.
   3. Right to Rectification – You have the right to ask Xolo to rectify Your Personal Data in case the data is incorrect or incomplete.
   4. Right to Erasure – You have the right to ask Xolo to erase Your Personal Data, unless Xolo is obliged to continue Processing Your Personal Data under law or under a contract between You and Xolo, or in case Xolo has other lawful grounds for the continued Processing of Your Personal Data. In accordance with Section 6, however, Xolo will, in any case, delete Your Personal Data as soon as it no longer has lawful grounds for Processing Your Personal Data.
   5. Right to Restriction – You have the right to ask Xolo to restrict the Processing of Your Personal Data in case the data is incorrect or incomplete or in case Your Personal Data is Processed unlawfully.
   6. Right to Data Portability – You have the right to ask Xolo to provide You or, in case it is technically feasible, a third party, Your Personal Data, which You Yourself have provided to Xolo and which is Processed in accordance with Your consent or a contract between You and Xolo.
   7. Right to Object – You have the right to object to Processing Your Personal Data in case You believe Xolo has no lawful grounds for Processing Your Personal Data. For any Processing conducted in accordance with Your consent, You can always withdraw Your consent by following the instructions set out in Section 4.
   8. Right to File Complaints – You have the right to file complaints regarding Processing Your Personal Data as further described in Section 8.

   You can exercise Your rights referred herein by sending a respective request to valentin.zigalkin@xolo.io.

   According to the article 12(3) of GDPR, Xolo is obligated to respond to Your application within 1 month. However, Xolo will make its best efforts to respond to Your request within 1 week.

8. INQUIRIES, REQUEST AND COMPLAINTS

   In case You have inquiries, requests or complaints regarding the Processing of Your Personal Data, You may forward them to valentin.zigalkin@xolo.io.

   In case You have complaints regarding the Processing of Your Personal Data, You may file them with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or Your any local Data Protection Authorities.

   You may contact Xolo’s data protection officer at valentin.zigalkin@xolo.io.