PRIVACY POLICY
AND
RULES FOR THE USE OF WORK E-MAIL
Effective as of 21th of April, 2020
The privacy of Your personal data is important to Xolo. This Policy describes the rules according to which Xolo processes the personal data of its employees, candidates, interns and board members.
Additionally, the Policy gives an overview about the rules established for the use of work e-mail.
Xolo is entitled to unilaterally amend this Policy from time to time. Upon amending the Policy, Xolo will notify You about the terms by e-mail. In case the new terms refer to processing Your personal data for any new purpose, which requires Your consent, then Xolo will not process Your personal data for such new purpose, before it has Your consent.
-
General Definitions
XoloXolo OÜ, registry code 12844111, address Paju 1a, 51013, Tartu, or its affiliateYouXolo’s employee, candidate, intern or board memberGDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such dataPolicyThis privacy policyPersonal DataAny information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data processed by Xolo is described under Section 2ProcessingAny operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destructionControllerA person who alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The Controller of Your Personal Data is Xolo OÜ or its affiliate. -
PERSONAL DATA AND SOURCES
Xolo Process the following Personal Data about You:
- Basic Data – name, personal identification number, date of birth, residential address, e-mail address, telephone number;
- Application Data – information which is provided in Your CV and which are not covered by Basic Data, profile picture, motivation letter, recommendations;
- Contractual Data – employment/service agreement with any annexes or any other agreements enter into with Xolo, Your position, length of service, place of employment, information relating to breach of obligations (e.g. warnings), basis of the termination of employment;
- Remuneration Data – salary, applicable bonuses or benefits, bank account number;
- Tax Data – data on any taxes and other payments declared and/or paid in connection with the employment;
- Working Time Data – data on vacation days, sick days and other absences, working hours;
- Workplace Health Data – data concerning accidents at work and occupational diseases, the results of Your workplace safety health checks;
- Work e-mails – e-mail correspondence held using Your e-mail address given to You by Xolo;
- Document Data – data proving the legality of your employment (e.g. copy of residence permit);.
- Family Data – number of kids, their names and age;
- Log Data – data on Your activity in Xolo’s information system.
In case You are a candidate applying for a vacant position in Xolo, then Xolo is Processing only Personal Data necessary to assess Your suitability for the position. During the recruitment Process, Xolo is Processing Basic Data and Application Data.
The majority of the Personal Data Processed by Xolo in the course of recruitment as well as during Your employment is collected directly from You. Xolo may collect Your Personal Data from third parties, e.g. from Your previous employer in case You have made such references in Your CV. In any case, Xolo will inform You about the third party, purposes and legal grounds for such data Processing.
Xolo does not Process any of Your Personal Data for automated decision making or profiling.
Please be informed that there is no statutory obligation for You to provide Xolo Your Personal Data. However, Xolo as Your employer is subject to statutory obligations which oblige Xolo to Process Your Personal Data. Failure to provide data may result in adverse consequences, such as Xolo's inability to comply with employer’s obligations under law or employment contract. You may enquire Xolo of the requirement to provide specific Personal Data and of the consequences of the failure to provide it at the time that You are requested to provide the Personal Data.
-
PROCESSING PURPOSES AND LEGAL GROUND
Xolo is relying on the following legal grounds when Processing Your Personal Data:
- Processing is necessary for the performance of an employment contract (GDPR article 6 (1) (b));
- Processing is necessary for compliance with a legal obligation to which Xolo is subject (GDPR article 6 (1) (c))
- Processing is necessary for the purposes of the legitimate interests pursued by Xolo (GDPR article 6 (1) (f));
- You have granted a consent to the Processing of Your Personal Data (GDPR article 6 (1) (a)).
The categories of Personal Data, Processing purpose and legal ground for the Processing activity has described more specifically in the schedule below.
CATEGORY OF PERSONAL DATA PURPOSE OF PROCESSING LEGAL GROUND FOR PROCESSING THIRD PARTIES Basic Data to consider Your candidacy in the recruitment process Consent Cloud Storage provider to enter into employment agreement with You Contract Xolo’s payment service provider
Xolo’s auditors and/or legal counselsto register Your employment in the employment register Legal Obligation Tax and Custom Board as registrar of the employment register to analyze and optimise business processes Legitimate Interest Data Visualization Tool Application Data to assess Your suitability for the vacant position Consent N/A Contractual Data to conclude and perform Your employment agreement Contract Xolo’s auditors and/or legal counsels
Cloud Storage providerRemuneration Data to make remuneration payment Contract Xolo’s payment service provider to calculate the bonus (if applicable) Contract Xolo’s payment service provider Tax Data to maintain accounting records Legal Obligation Xolo’s payment service provider, auditors and/or legal counsels and Tax and Custom Board to declare, withhold and/or pay taxes, or other payments in connection with Your employment Legal Obligation Tax and Custom Board Working Time Data to make remuneration calculations Contract Xolo’s auditors and/or legal counsels to keep track of Your working hours, vacation days, sick days Contract Xolo’s auditors and/or legal counsels Workplace Health Data to ensure Your health and workplace safety Legal Obligation Xolo’s auditors and/or legal counsels to investigate and register occupational accident or disease Legal Obligation Labor Inspectorate Work e-mails (incl. Slack correspondence) to obtain information if You are unavailable Legitimate Interest N/A to carry out internal investigation Legitimate Interest Xolo’s auditors and/or legal counsels Document Data to ascertain that You are eligible to work for Xolo Legal Obligation Tax and Custom Board Family Data to provide statutory benefits for employees with kids in certain age (requires Your request) to make a Christmas present Consent Xolo’s auditors and/or legal counsels Log Data to carry out internal investigation Legitimate Interest Xolo’s auditors and/or legal counsels -
RIGHT TO WITHDRAW THE CONSENT
- Please be aware that if the Processing is conducted under Your consent then You are entitled to withdraw Your consent at any time by sending Xolo a respective e-mail at [valentin.zigalkin@xolo.io].
- If Xolo is Processing Your Personal Data in the course of the recruitment process, then the submission of CV to Xolo is considered as consent to Process Your Personal Data.
- The withdrawal of Your consent does not affect the legality of Processing Your Personal Data prior to the withdrawal of Your consent.
- Also, please be aware that if You do not grant Xolo a consent to Process Your Family Data, then Xolo can not provide statutory benefits for You or make presents for Your kids.
- If Xolo would want to Process Your Personal Data for any new purpose, which requires Your consent, then Xolo will not Process Your Personal Data for such a new purpose, it has received Your consent for such Processing.
-
TRANSFER OF THE PERSONAL DATA AND SECURITY MEASURES
As You can see above, Xolo may need to transfer Your Personal Data to third parties, such as legal and regulatory authorities, accountants, auditors and lawyers. However, Xolo may need to transfer Your Personal Data also to third parties whose services is Xolo using in Processing of Your Personal Data but who are not expressly mentioned under Section 2 (e.g. employment information management service provider, performance management, IT systems suppliers and support; data analysis or other outsourcing providers). Xolo may also transfer Your Personal Data to its affiliates.
Upon transferring Your Personal Data to third parties, Xolo will apply the following safeguards:
- Xolo enters into a data processing agreement with the relevant third party;
- Xolo makes sure that such third party undertakes to implement appropriate technical and organizational measures ensuring the Processing of Your Personal Data in accordance with this Policy and applicable law;
- Xolo makes sure that (a) the third party is established in a jurisdiction which the European Commission has recognized as ensuring an adequate level of Personal Data protection, or (b) the Processing of Your Personal Data is subject to other appropriate safeguards stipulated in the GDPR.
-
RETENTION OF THE PERSONAL DATA
Xolo will retain Personal Data for the period required or permitted by applicable law, but no longer than it is reasonably necessary in order to achieve the purposes for which the Personal Data was collected, e.g. until the expiry of Your potential claims against us.
If Xolo is Processing Your Personal Data in the course of recruitment process, then Xolo will retain Your Personal Data for the period required or permitted by applicable law, but no longer than one (1) year as of the refusal decision or until the termination of Your employment with Xolo, whichever is the latter.
Xolo takes reasonable steps to ensure that the Personal Data being Processed is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described herein.
-
YOUR DATA PROTECTION RELATED RIGHTS
In connection with the Processing of Your Personal Data, You have the following rights:
- Request information - Xolo has provided all information which You have the right to receive in this Policy. In case You have any questions in relation to the data Processing terms provided herein or You wish to clarify any matter herein, then You are welcome to contact Xolo.
- Right to access - You have the right to ask Xolo to provide You with a copy of Your Personal Data which Xolo Processes.
- Right to Rectification - You have the right to ask Xolo to rectify Your Personal Data in case the data is incorrect or incomplete.
- Right to Erasure - You have the right to ask Xolo to erase Your Personal Data, unless Xolo is obliged to continue Processing Your Personal Data under law or under a contract between You and Xolo, or in case Xolo has other lawful grounds for the continued Processing of Your Personal Data. In accordance with Section 6, however, Xolo will, in any case, delete Your Personal Data as soon as it no longer has lawful grounds for Processing Your Personal Data.
- Right to Restriction - You have the right to ask Xolo to restrict the Processing of Your Personal Data in case the data is incorrect or incomplete or in case Your Personal Data is Processed unlawfully.
- Right to Data Portability - You have the right to ask Xolo to provide You or, in case it is technically feasible, a third party, Your Personal Data, which You Yourself have provided to Xolo and which is Processed in accordance with Your consent or a contract between You and Xolo.
- Right to Object - You have the right to object to Processing Your Personal Data in case You believe Xolo has no lawful grounds for Processing Your Personal Data. For any Processing conducted in accordance with Your consent, You can always withdraw Your consent by following the instructions set out in Section 4.
- Right to File Complaints - You have the right to file complaints regarding Processing Your Personal Data as further described in Section 9.
You can exercise Your rights referred herein by sending a respective request to [valentin.zigalkin@xolo.io].
According to the article 12(3) of GDPR, Xolo is obligated to respond to Your application within 1 month. However, Xolo will make its best efforts to respond to Your request within 1 week.
-
RULES FOR THE USE OF WORK E-MAIL ADDRESS
In order to fulfill Your employment duties, You shall be provided with an e-mail account with Xolo’s domain name. In course of using the work e-mail account, You are required to obey the following rules:
- Work e-mail can be used only in regard to the employment duties. For avoidance of doubt, work e-mail cannot be used for personal purpose. Xolo presumes that all the e-mails in Your mailbox are work related.
- You are obliged to secure the access to Your work-related mailbox with password and not to allow unauthorized persons to access to Your mailbox.
- Outgoing e-mails shall contain a message according to which the e-mail address is work related and that all incoming information shall be Processed in accordance to the internal rules.
-
Xolo is entitled to have access to all work-related e-mails in Your mailbox. Xolo has the right to examine Your mailbox under following circumstances:
- You are not available and Xolo is in need for urgent information and there is no other way to receive the information.
If any personal related e-mail is opened in the course of examination, then such e-mail shall be immediately closed, and You are going to be informed about such incident;
- Xolo has reasonable doubt to believe that You have breached an employment duty (e.g. damaged Xolo’s reputation, breached non-disclosure or non-compete obligation or any other duty) provided that there are no other ways to receive the necessary information.
Where relevant, You are invited to participate in the monitoring, unless this may prejudice the objects of the monitoring (incl. situation where Xolo has a reason to believe that informing You priory may cause deletion of necessary information or otherwise prevent the collection of necessary information).
- Regardless of the ground for monitoring, Xolo will monitor Your mailbox only if there are no alternative approaches to receive the information or the alternative approaches are not that efficient. The monitoring is conducted only for the purpose determined before the monitoring and by using searching criteria which support the achievement of the purpose. Searching criteria can be such as date, time period, name, subject matter, project name, etc.
- Upon termination of Your employment, Xolo will archive Your e-mails necessary for Xolo’s business activities and thereafter deletes Your e-mail address. You are entitled to delete any personal correspondence in Your mailbox prior the archiving it. However, You understand that it is strongly prohibited to delete business related correspondence.
- In order to ensure the transfer of Your tasks to another employee to be as smooth as possible, Xolo is entitled to leave Your e-mail open for one month as of Your departure. After the expiration of that period, Your e-mail address will remain active only if You have consented it, otherwise the e-mail address will be deleted. If You agree to leave Your e-mail address active, then Xolo will inform You about the terms of such Processing, e.g. who is entitled to enter to Your mailbox, the grounds for entering to Your mailbox, etc.
- Please be informed that if You have granted a consent under which Your e-mail address will remain active after Your departure, then You can always withdraw Your consent by following the instructions set out in Section 4.
-
INQUIRIES, REQUEST AND COMPLAINTS
In case You have inquiries, requests or complaints regarding the Processing of Your Personal Data, You may forward them to [valentin.zigalkin@xolo.io].
In case You have complaints regarding the Processing of Your Personal Data, You may file them with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
You may contact Xolo's data protection officer at [valentin.zigalkin@xolo.io].
-
CONFIRMATION
By signing this Policy, I confirm that I have read the Policy and I understand and acknowledge that Xolo is collecting and processing my Personal Data as described in this notice.
Name -Signature -Date -
Version Control
Version DateVersionBrief Summary of Change21/04/20201.01Document Created31/03/20211.02Added new Purpose of Processing2024/02/291.03Added new contact address of Data Controller