Privacy Statement for Job Candidates

Table of Contents
IntroductionFAQsAmendments and Contact Details

Introduction

At Toggl, we stand for your right to privacy and we are committed to handling the information you provide us with due care and in compliance with applicable laws. For this reason, we have prepared this information how Toggl handles your personal data when you apply for a role with us.

FAQs

What is personal data?

When we speak of “Personal Data”, we mean any information about a living individual from which that person can be identified (the proper legal definition of personal data’ is “any information relating to an identified or identifiable natural person”, with the person to whom the information relates being referred to as the ‘data subject’). Personal Data do not include information from which no individual can reasonably be identified, that is to say, anonymous information or Personal Data rendered anonymous in such a manner that the individual is not, or no longer is, identifiable (de-identified or anonymised information). This Privacy Statement for Candidates does not apply to such information.

Who is the controller of my Personal Data?

The controller of your Personal Data is Toggl OÜ, an Estonian private limited company with its registered seat at Tornimäe 5, 2nd floor, Tallinn 10145, Estonia (registration number: 11346813). In order not to overcomplicate things, in the following part of the document it will be referred to as "Toggl", "we", or "us".

In order not to overcomplicate things, in the following part of the document both of these entities will be referred to as “Toggl”, “we”, or “us”.

What Personal Data do you process during the recruitment process?

When you apply for a job role at Toggl, we will collect, use and disclose certain information directly from you as well as from third party sources. We make sure that we only process data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The data may (but not always have to) include:

  • your name (first, middle, last, given, maiden, etc.);
  • residence and/or business address;
  • relevant registration numbers (such as ID or passport number, tax ID, VAT ID, or similar statistical IDs);
  • contact details (such as an e-mail address) and social profile URLs;
  • date of birth and gender;
  • education history, skills, training and professional experience, including assessment tests or tasks in the course of recruitment at Toggl;
  • current and past employment details, information about your current notice period;
  • financial details (salary expectations, preferred method of payment);
  • other job preferences;
  • interview details, and outcomes of any recruiting assignments you complete;
  • if you're being referred, we process information that the person referring you provides about you;
  • information about your eligibility to be hired under one of possible agreements under Estonian law;
  • usage and anti-cheating information, which includes actions performed by you (copying, pasting, time spent) in the test (usually collected on our behalf by the tools we use over the course of the recruitment — see sectionWho will you share my Personal Data with?);
  • other information in your CV, resume, or otherwise voluntarily provided by you over the course of the recruitment process, which may include answers you provide to us during the interview in response to our specific questions, which may be recorded in note-form by our interviewers.

We generally do not collect any special categories of Personal Data (such as racial or ethnic origin, religious, political, or philosophical beliefs, or trade union membership; genetic data; biometric data for the purposes of unique identification; or information concerning your health, sex life, or sexual orientation), nor do we need you to share them with us.

However, we may sometimes be required by law to process such information. If you believe that sharing such information may be beneficial in order to accommodate to your needs in the recruitment process or in the subsequent job role (keep in mind that we are a fully remote team!), you may voluntarily submit them with us. If this is the case, we undertake to treat them with utmost confidentiality and solely for the purposes of your recruitment.

Where do you have my Personal Data from?

We collect your data in a variety of ways, but in most cases, we collect it directly or indirectly from you over the course of the recruitment process.

For instance, if you apply through LinkedIn or GitHub, from there we will collect contact information and any other information that you have uploaded to that site or provided to them to register, such as a summary of your public profile. We may use the LinkedIn Recruiter tool to communicate with you. We may also receive your information from recruitment agencies, job platforms, and similar entities, where you entered your Personal Data. Each time, they assure us that they had collected your information lawfully.

Where allowed by law, we may also research information regarding your skills, experience or qualifications on social networking sites, as well as use other external sources of publicly available information, such as business registers.

Prior to entering into a contractual relationship with us, we may ask you to present a copy of a valid national ID document, passport, tax certificate, excerpt from a commercial or a business registry — this will depend on the type of contract offered and may vary in each individual case. Whenever we do that, we are asking for the least amount of data in order to achieve recruitment purposes (usually to verify whether you are eligible for a particular type of contract and to prevent fraudulent transactions).

We may also collect Personal Data about you from other individuals - for instance, if you are referred for a role at Toggl by someone else, as permissible.

Why do you process my Personal Data and on what legal grounds?

We process your data, because you applied to work with us as an employee, contractor, or a mandatary.

Most commonly, we will process your data on the following legal grounds:

  • we need to perform an agreement you have with us or it is necessary to take pre-contractual steps at your request before entering into such an agreement (Art. 6(1)(b) GDPR — “Contractual”)
  • we need to comply with a legal obligation, e.g., one arising from a law or regulation concerning taxation, accounting, financial reporting, prevention of terrorism or money laundering, or judicial or administrative process (Art. 6(1)(c) GDPR — “Legal”)
  • it is warranted by our legitimate interests or those of a third party and such interests are not overridden by yours or your fundamental rights and freedoms (Art. 6(1)(f) GDPR — “Interest”)
  • we have your unambiguous consent before processing your Personal Data in that specific situation (Art. 6(1)(a) GDPR — “Consent”)
PurposeGrounds
assessing your skills and qualifications, making sure you are suitable for the roleInterest
communicating with you about the recruitment processInterest
deciding whether to enter into a contract with you and negotiating itInterest, Contractual
entering into test week agreementsContractual
keeping records related to our hiring processesInterest
complying with legal and fiscal obligations or other regulatory requirementsLegal
remunerating you for the test week period Contractual
conducting background checks, solely to the extent permitted by the applicable lawInterest
preventing illegal working and fraudulent transactions, checking your eligibility to workLegal, Interest
ensuring the safety and security of our systemsInterest
carrying out equal opportunities monitoringInterest
establishing, exercising, and defending legal claims related to the recruitment processInterest
avoiding repeated, abusive, or otherwise excessive applicationsInterest
considering you for future recruitments and reaching out to you about relevant future rolesConsent
analysing, understanding, and improving our recruitment processInterest
if you were referred, informing the referrer of the status and final outcome of your applicationInterest
accommodating to your needs in the recruitment process or in the subsequent job roleConsent

Whilst we employ modern technologies during our recruitment process (for instance skills tests by Toggl Hire), our recruitment processes are never based solely on automated decision-making and there are always humans involved in every decision.

How long will you store my Personal Data?

We only store your Personal Data for as long as necessary in the light of, or compatible with, the purposes for which the data were collected and such additional period as may be required by law.

Legal retention periods vary depending on the type of Personal Data concerned and the purposes, for which we are processing your Personal Data. Even if you are not successful, we may still keep your Personal Data after the recruitment process is over for numerous purposes (see sectionWhy do you process my data and on what legal grounds?).

We will generally hold your Personal Data for a period not longer than 6 months after the respective recruitment process, except where applicable law requires us to store such data for a longer period. For instance, Personal Data relevant to our accounting or taxation (e.g. settling your test week agreement) must be retained for at least seven years after the primary purpose for their processing ceases to apply (e.g. seven years following the financial year when our business relationship with you terminated and the last transaction between us occurred). If you opt-in to be considered for future job openings, we will process your Personal Data for that purpose until you withdraw your consent. In case of Personal Data processed for the purpose of complying with legal obligations or defending and asserting legal claims related to the recruitment process, your Personal Data will not be processed longer than it is necessary to achieve those purposes of processing, i.e. until we are no longer legally obliged to process them or until the expiry of the statute of limitation of possible legal claims.

At the end of any applicable retention period, as well as if you withdraw your consent (where applicable) or file a justified objection (if we process your Personal Data based on Interest), your data is deleted or destroyed.

If you are accepted for a role at Toggl, your Personal Data collected during the recruitment will be processed in accordance with applicable laws, the agreement you will be signing, and any internal data protection policy that may be in force, a copy of which will be provided to you when you are on-boarded. Personal data gathered during the recruitment process will be transferred to your personnel file and retained during your engagement at Toggl.

Who will you share my Personal Data with?

We only disclose your personal information outside Toggl if the disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.

Your information will be shared internally for the purposes of the recruitment exercises. This includes, among others, members of the Talent Acquisition team, interviewers involved in the recruitment process, other recruitment decision-makers, referrers, and systems administrators at Toggl.

We may also share your Personal Data with our corporate subsidiaries and affiliates, as well as and outside accountants, legal counsels, and auditors.

If we engage in or are subject to a merger, acquisition, division, transformation, public offering of our securities, obtaining financing, divestiture of all or substantially all of our assets or a significant part of such assets, transfer of the enterprise or a part of the enterprise to which your agreement with us pertains, or a similar transaction or proceeding, or if we take steps in contemplation of such activities (e.g., submit to due diligence), your Personal Data may, subject to standard confidentiality arrangements, be shared with, or transferred to, our counterparties or other relevant participants in the respective transaction or proceeding.

We have engaged and will continue to use third-party service providers to assist us in providing, maintaining, developing, protecting and promoting our recruitment processes. We may, for example, use such parties for auxiliary services, sending out messages to candidates, performing analyses related to the recruitment process, or for processing payments.

We may also store Personal Data in locations outside our direct control, e.g., on third-party cloud infrastructure or platforms (IaaS/PaaS) or cloud infrastructure whose operation we have entrusted to other parties. These service providers may have access to your Personal Data for the limited purpose of providing the service we have engaged them to provide. Importantly for you as a ‘data subject’, our use of such service providers may involve transmitting your Personal Data to jurisdictions other than the one you reside in, and these jurisdictions may have data protection laws that are different, and potentially less protective, than the laws of your own country.

We may find ourselves in a situation where we are legally obliged to disclose some or all of your Personal Data or where we reasonably believe that we are so obliged. This may be the case if we receive an information request from an authority or there is a law or regulation that requires us to make a disclosure without specific request (e.g., to comply with national or international measures against terrorism or money laundering). We may also be compelled to disclose your Personal Data by a judicial, arbitral, administrative or otherwise mandatory order or judgment. Where any of the foregoing applies, we shall make the disclosure, and we may not be permitted to tell you that your Personal Data have been disclosed.

There may also be situations where we find the disclosure of your Personal Data to be necessary in order to exercise, enforce or defend our rights, freedoms or legitimate interests or to protect the rights, freedoms or legitimate interests of a third party.

We shall not transfer your Personal Data from countries participating in the European Economic Area (“EEA”) to those which do not, or from the EEA to international organisations, unless the recipient country or the particular person or entity receiving the data ensures an adequate level of protection for the data received, or, if it does not, then without applying such safeguards as legally required and/or without the transfer being subject to such other conditions as the law provides for these kinds of transfers.

For instance, if we are to transfer your Personal Data from the EEA to an infrastructure provider (or another service provider necessary for the conducting of the recruitment process) in the United States (which is likely to occur in our use of some of the service providers mentioned below), we shall make sure that our provider ensures an adequate level of protection for the Personal Data received. In case our provider is located in the US, we implement, where possible, Standard Contractual Clauses included in service agreements between us and the service providers. Those agreements stipulate that the service provider must ensure a level of protection of Personal Data that is equivalent to the GDPR. This does not influence technological protection measures that are in place at any time. In case our providers have implemented standard terms of data processing, we do our best to choose service providers that promise to ensure an adequate level of Personal Data protection according to GDPR. In addition to this, the risk for us to be subject to FISA or other US law enforcement related acts is relatively low as the main purpose of those acts is related to communication data.

List of recruitment-relevant Processors:

ProcessorResource/service providedLocation of entity
Toggl OÜtalent acquisition and operations servicesEstonia
Zoom Video Communications, Inc.video telephony softwareUnited States
PandaDoc, Inc.contract management softwareUnited States
Slack Technologies, Inc.Instant messaging services United States
Bamboo HR, LLC HR management software United States
Google, Inc.cloud infrastructure, analytics, productivity and collaboration tools United States
Google Cloud EMEA Limitedcloud infrastructure, analytics, productivity and collaboration toolsIreland
GitHub, Inc.data collection in recruitment United States
Workable Software Limitedapplicant tracking and recruitmentUnited Kingdom
Calendly, LLCbusiness communication and scheduling platformUnited States
LinkedIn Ireland Unlimited Companydata collection in recruitmentIreland
Notion Labs, Inc.documentation and organisation of the recruitment processesUnited States
How do you look after my Personal Data?

Toggl takes the security of your data seriously. We are committed to ensuring that your Personal Data is safe and take all steps reasonably and commercially necessary to ensure that your data is treated securely and in accordance with this Privacy Statement for Candidates.

We shall maintain adequate technical and organisational measures to ensure such level of security in our processing of Personal Data as appropriate in the given circumstances. Upon assessing whether a measure is adequate and which level of security is appropriate we consider the nature of the Personal Data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing of your Personal Data, the state of the art, the costs of implementation and such other matters as may be relevant in the particular circumstances.

However, please be aware that no security measure is perfect. Our efforts notwithstanding, we cannot guarantee that your Personal Data, during transmission over the internet or while stored in our systems or those of our service providers or while otherwise in our care, will be absolutely safe from unauthorised or unlawful processing or accidental loss, alteration or destruction, or that they will indeed be intact and confidential at all times or shortly available after any incident. Note also that we cannot control, and are not responsible for, the actions of other parties with whom you share (or instruct us to share) your Personal Data.

What are my rights?

‘Data subjects’ in the EEA have certain statutory rights under the GDPR concerning the Personal Data that we have on them. This part of the Privacy Statement for Candidates aims to give you a general understanding of these rights and we encourage you to deepen this understanding by studying the GDPR yourself. To facilitate this, we have, in relation to each of the rights noted below, provided a reference to the specific provision of the GDPR from which that right arises.

Specifically then, and subject to such statutory exceptions as may apply in your particular case, your ‘data subject’ rights include the following:

Right of access / GDPR Article 15
You have the right to enquire and get a confirmation from us as to whether or not we process any of your Personal Data. Where we do, you may request access to those data and have us give you a copy of them.

Right to rectification / GDPR Article 16
If the Personal Data we have about you is incorrect, you have the right to request that we correct those data, and, in some circumstances, you may have the right to require that your incomplete Personal Data be completed (but in each of these cases we may need to verify the accuracy of the information you provide to us).

Right to erasure (right to be forgotten) / GDPR Article 17
You have the right to request that we delete or remove the Personal Data we have on you where there is no good reason for us continuing to process them. Please note that we may not always be able to comply with your request as there may be specific legal reasons which warrant the processing. Should this be the case, we shall inform you accordingly at the time of your request.

Right to object / GDPR Article 21
You have the right to object to our processing of your Personal Data where the processing is based on Interest and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts your interests or fundamental rights and freedoms. There may, however, be occasions where we demonstrate that we have compelling legitimate grounds to process your Personal Data (i.e., that our legitimate interests or those of a third party override yours and your fundamental rights and freedoms) and thus dismiss your objection. In case we are processing your Personal Data for direct marketing purposes, you may object to that processing at any time and we shall no longer process your Personal Data for such purposes.

Right to restriction of processing / GDPR Article 18
You have the right to request that we suspend the processing of your Personal Data where any of the following applies: (a) you have contested the accuracy of the data and the same needs to be verified; (b) the processing is unlawful but you do not want us to erase the data that we are processing; (c) you need us to maintain the data even though we no longer require them as they are necessary for your establishment, exercise or defence of legal claims; or (d) you have objected to processing but we need to verify whether we have overriding legitimate grounds for processing.

Right to data portability / GDPR Article 20
If our processing of your Personal Data which you have provided us is based on a Contractual ground or on Consent and the processing is carried out by automated means, you are entitled to have us make those data available to you in a structured, commonly used and machine-readable format so that you could transmit them to someone else (another ‘controller’). You may also ask us to transmit these data to that other ‘controller’ directly, and we shall do so, if technically feasible.

Right to withdraw consent / GDPR Article 13(2)(c)
If we are processing your Personal Data based on Consent, you may withdraw that consent at any time (but this will not affect the lawfulness of any processing activities carried out based on your consent before its withdrawal).

In order to exercise your rights, please contact our Talent Acquisition department to get in touch with us and we shall do what we reasonably can to facilitate the exercise of your rights.

We aim to respond to any legitimate request within a month of its receipt but it may take us longer if your request is particularly complex or you have made several requests. If that is the case, we shall let you know and keep you updated.

We shall not charge you any fee for exercising the above rights unless your requests are clearly unfounded or excessive (e.g., because of their repetitive character), in which case we may charge a reasonable fee. Alternatively, we may decline your request in such circumstances.

In case you believe that we are processing your Personal Data in violation of the GDPR, you have the right to lodge a complaint with the ‘supervisory authority’ located in the EEA country where you reside or work or where the alleged infringement took place or you can lodge the complaint with our ‘supervisory authority’ whose details are below:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
19 Väike-Ameerika St, Tallinn, 10129, Estonia
Tel: +372 6274 135
Email: info@aki.ee
Web: www.aki.ee/en

What if I don’t provide my Personal Data?

You are under no statutory or contractual obligation to provide Toggl with your Personal Data during the recruitment process. However, the provision of Personal Data is essential for the participation in the recruitment process. The participation itself is not obligatory, and there are no costs associated therewith.

Failure to provide Personal Data or provision of inaccurate or false Personal Data may result in the impossibility to participate in the recruitment, exclusion therefrom, or otherwise missing the corresponding benefits.

Where we need to collect your Personal Data under the terms of a test week agreement we may seek to enter into with you, and you fail to provide those data when requested, we may have to cancel the recruitment process.

Amendments and Contact Details

At Toggl, we stand for your right to privacy and we are committed to handling the information you provide us with due care and in compliance with applicable laws. For this reason, we have prepared this information how Toggl handles your personal data when you apply for a role with us.

This notice may be amended by Toggl at any time in our sole and absolute discretion. You can always find the latest version of this notice on our website.

We may revise this Data Privacy Statement for Candidates from time to time. We shall post the revised version on the same webpage where we published this present version or on such other webpage as we then may habitually use for publishing similar materials. We may also notify candidates of such changes. The revised version will be effective when posted as described unless the document itself specifies a later time for its entry into force.

Feel free to get in touch with us if you have any questions about this Data Privacy Statement for Candidates or our data processing practices or if you would like to exercise any of your ‘data subject’ rights with respect to the Personal Data we maintain on you.

Email us: privacy@toggl.com
Call us: +372 712 1144
Write to Toggl OÜ: Tornimäe 5, 2nd floor, Tallinn 10145, Estonia
DPO: dotlaw Skrzywanek Stępniowski i Wspólnicy sp. k. - damian@dotlaw.co or legal@toggl.com

Last updated: Nov 22nd 2024

More legal documents

OTHER