Data Protection and Privacy Policy in the Skillspark Group
Pursuant to Article 13 clauses 1−2 and Article 26 clause 2 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the “GDPR “, please be informed that:
1. Joint Controllers
Your personal data are controlled by the following companies from the Skillspark capital group:
1. Skillspark AB, a Swedish limited liability company with Reg. No. 559328-2824 and registered address: Västergatan 22, 211 21 Malmö, Sweden, hereinafter “Skillspark AB”,
2. Skillspark SWEDEN AB, a Swedish limited liability company with Reg. No. 559380-5095 and registered address: Västra Trädgårdsgatan 15, 111 53 Stockholm, Sweden, hereinafter “Skillspark Sweden AB”,
3. Skillspark spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw at ul. Wspólna 70, 4th floor, 00-687 Warsaw, registered in the register of businesses kept by the District Court for Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number: 0000925766, having tax identification number NIP (Tax Identification Number): 5252879508, REGON (Statistical Number): 520132992, hereinafter “Skillspark sp. z o.o.”,
4. Skillspark Aps with its registered office in C/O Baker Tilly Revisionspartnerselsk. Poul Bundgaards Vej 1, 1. 2500 Valby, Denmark; CVR Number: 43002074, hereinafter “Skillspark Aps”,
5. Skillspark LTD., a limited liability company with Reg. No. 14028947 and registered address: 6th Floor 2 London Wall Place, London, United Kingdom, EC2Y 5AU, hereinafter “Skillspark LTD”,
hereinafter referred to jointly as “Joint Controllers” and each of the individually as the “Data Controller”.
Due to the fact that the said companies jointly decide on the purposes and means of data processing, they have decided to enter into a joint controller agreement, becoming the Joint Controllers of personal data subject to processing in each of the said companies. This enables all Joint Controllers to establish a coherent data protection system.
2. Contact details of the Joint Controllers
You may contact each Data Controller in any matters related to data processing, including but not limited to submitting requests relating to your rights, via the following communications channels:
1. Skillspark AB:
by letter to: Västergatan 22, 211 21 Malmö, Sweden;
by e-mail to: gdpr@skillspark.com.
2. Skillpark Sweden AB:
by letter to: Västra Trädgårdsgatan 15, 111 53 Stockholm, Sweden;
by e-mail to: gdpr@skillspark.com.
3. Skillspark sp. z o.o.:
by letter to: ul. Wspólna 70 suite 4, 00-687 Warsaw, Poland;
by e-mail to: gdpr@skillspark.com.
4. Skillspark Aps:
by letter to: Poul Bundgaards Vej 1, 1. 2500 Valby, Denmark;
by e-mail to: gdpr@skillspark.com.
5. Skillspark LTD.:
by letter to: 6th Floor 2 London Wall Place, London;
by e-mail to: gdpr@skillspark.com.
3. Contact point
Additionally, the Joint Controllers have established a joint contact point which you may also contact in matters related to data protection using the e-mail address: gdpr@skillspark.com.
4. The essence of the arrangement between the Joint Controllers
The joint controller agreement entered into by the Joint Controllers determines the roles relating to the performance of the obligations under the GDPR, determining in particular that:
-
Each Joint Contoller is obliged to meet the GDPR’s disclosure requirements with regard to provision of information referred to in Articles 13 and 14 of the GDPR (initial and secondary disclosure requirement).
-
Each Joint Contoller keeps all records concerning joint controllership to the extent to which they pertain to the data subjects of that Joint Controller.
-
Each Joint Contoller ensures data protection and applies the data protection measures referred to in Article 32 of the GDPR.
-
The Joint Controllers ensure that the persons allowed to process personal data have been previously trained in the data protection rules and regulations, as well as consequences of their breach, including but not limited to the procedure for safeguarding personal data.
-
The entity obliged to notify a data breach to the supervisory authority is the Joint Controller within the scope of whose operation the breach occurred. If the data breach may result in a high risk to the rights and freedoms of natural persons, the relevant Joint Controller obliged to notify the data breach to the supervisory authority will without undue delay notify the data subject of such a breach.
-
Providing personal data to Skillspark LTD complies with the GDPR, since in the light of the decisions of the European Commission of 28 June 2021 with ref. no. C(2021) 4800 and C(2021) 4801 – the United Kingdom of Great Britain and Northern Ireland offers an adequate level of data protection, as referred to in Article 45 clause 2 of the GDPR.
-
Personal data are transferred to entities from outside of the European Economic Area based on the relevant safeguards, including e.g. standard data protection clauses adopted pursuant to the decision of the European Commission.
-
The Lead Joint Controller is Skillspark sp. z o.o., thus the lead supervisory authority is President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa, Poland.
5. Data Protection Officer
None of the Joint Controllers have designated a Data Protection Officer.
6. Purposes of data processing.
Your personal data may be processed for the purpose of:
-
Conducting or concluding the recruitment process as part of which you submitted your application;
-
Conducting or concluding future recruitment processes – only if you agreed to the processing of your personal data for such a purpose;
-
Your performance of an employment contract, contract of mandate, contract for specific work, service contract or any other contract entered into between you and the Joint Controller;
-
Entering into or properly performing the agreement concluded between the Joint Controller and your employer/entity which you represent or the entity with respect to which you act as a partner, associate, adviser or subcontractor, including documenting its execution and identifying persons authorised to perform the tasks set out in the said agreement;
-
Performing the Data Controller’s legal obligation, e.g. providing HR and payroll services, ensuring occupational safety and health;
-
Protecting Data Controller’s property;
-
Pursuing internal administrative and reporting objectives of the Joint Controllers;
-
Conducting direct marketing activities in respect of Joint Controllers’ own products and services;
-
Establishing, asserting or defending oneself against claims.
7. Legal basis for the processing of your personal data:
We ensure that the personal data is deleted when it is no longer relevant for the processing purposes as described above. We also retain personal data to the extent that it is an obligation from applicable law, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of personal data, please contact the email mentioned at the bottom of this Policy.
8. Source of data
The Data Controller obtained your data directly from your employer/entity which you represent.
If you are a subcontractor of the Data Controller’s business partner, the Data Controller obtained your data from their business partner, from you directly or from generally accessible sources (registers, records).
9. Recipients of your personal data
Your personal data may be accessed by:
-
Duly authorised employees or associates of the Joint Controllers who are obliged to keep them confidential and not to use them for purposes other than those for which they were obtained;
-
Entities with which the Joint Controllers cooperate in their ongoing business, such as providers of ICT/IT services, providers of legal, financial, accounting and advisory services, banks, postal operators and courier companies, subcontractors of the Joint Controllers;
Moreover, your personal data may be disclosed to:
-
Entities authorised under legal regulations (e.g. public authorities: offices, courts, public prosecutor’s office or the police); in such an event information is provided only if there are suitable legal grounds to do so;
-
Joint Controller’ clients, if you provide your services to such entities;
10. Transferring personal data to third countries
Your personal data may be transferred to the United Kingdom of Great Britain and Northern Ireland which – pursuant to the decisions of the European Commission of 28 June 2021 with ref. no. C(2021) 4800 and C(2021) 4801 – offers an adequate level of data protection, as referred to in Article 45 clause 2 of the GDPR.
Due to the fact that the Data Controller or Data Controller’s business partners – e.g. providers of legal, fiscal or audit services – use modern technologies, such as e.g.cloud services, and due to the fact that the clients of the Joint Controllers may have their registered seat outside of the European Economic Area, your personal data may be transferred to countries from outside of the European Economic Area. In each such event the Data Controller ensures appropriate safeguards including e.g. standard data protection clauses adopted pursuant to the decision of the European Commission. You have the right to obtain a copy of the indicated safeguards concerning provision of personal data – in order to obtain them you should contact the Data Controller using the communication channels referred to in point 2 or point 3 above.
11. Personal data retention period
Your personal data will be processed for the following periods:
-
In order to conduct and conclude a recruitment process – until the end of the recruitment process;
-
In order to conduct and conclude future recruitment processes – by the time you withdraw your consent to the processing of your personal data for the purposes of future recruitment processes;
-
In order to perform the contract referred to in point 6.3) or the contract referred to in point 6.4) and protect Data Controller’s property – for the term of the said contract;
-
Personal data processed for the purpose of performing the Data Controller’ legal obligation (e.g. providing HR and payroll services, ensuring occupational safety and health) – for a period necessary to perform the legal obligation;
-
Personal data processed for the purpose of direct marketing activities in respect of own services – by the time the data subject objects to it;
-
Personal data processed based on a separate consent – by the time the data subject revokes it;
In order to establish, assert or defend oneself against claims – for the period of 3 full years following the end of the last of the said periods, subject to situations where there are proceedings pending before a Court, bailiff, police, public prosecutor’s office or any other authority, in which case data will be processed until the end of the year following conclusion of the last of such proceedings.
12. Your rights in relation to data processing
In relation to the processing of personal data by the Data Controller, you have the right to request access to personal data, rectification, erasure or restriction of processing, as well as the right to object to the processing and the right to data portability.
You may also at any time withdraw your consent to data processing given to the Data Controller, if any. The withdrawal of the consent does not affect the lawfulness of processing based on your consent before its withdrawal.
You may also lodge a complaint with the competent supervisory authority, i.e.:
-
In the case of a complaint against data processing by Skillspark AB: Swedish Authority for Privacy Protection, to: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden or by e-mail to: imy@imy.se;
-
In the case of a complaint against data processing by Skillpark Sweden AB: Swedish Authority for Privacy Protection, to: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden or by e-mail to: imy@imy.se;
-
In the case of a complaint against data processing by Skillspark sp. z o.o.: President of the Personal Data Protection Office, to: ul. Stawki 2, 00-193 Warszawa or by e-mail following the instructions published at www.uodo.gov.pl;
-
In the case of a complaint against data processing by Skillspark Aps: The Danish Data Protection Agency, to: Carl Jacobsens Vej 35, 2500 Valby or by e-mail to: dt@datatilsynet.dk;
-
In the case of a complaint against data processing by Skillspark LTD.: Information Commissioner’s Office by e-mail following the instructions published at https://ico.org.uk/global/contact-us/.
13. Obligation of data provision
In the event of possible execution of a contract based on an employment contract, providing: full name, date of birth, contact details, information about educational background, professional qualifications, history of employment is required under the Labour Code. Failure to provide such information may prevent the processing of your application.
In the event of possible execution of a contract based on a civil-law contract, data provision is voluntary, but failure to provide your full name, date of birth, contact details, information about educational background, professional qualifications, history of employment may prevent the processing of your application.
If you enter into an agreement with the Data Controller, some data subject to processing in relation to the executed agreement are required under legal regulations and without them the Data Controller will not be able to perform the agreement or their legal obligations.
Providing data subject to processing in relation to the agreement entered into between the Data Controller and the entity whose employee or associate you are or which you represent, with respect to which you act as a partner, associate, adviser or subcontractor, is voluntary, but required in order for the Data Controller to be able to perform the said agreement or their legal obligations. Providing such data may also constitute a condition for you to be permitted to perform the tasks under the said agreement.
14. Automated decision-making, including profiling
The Data Controller will not make decisions, including profiling, by automated means, based on your personal data.
Data Protection and Privacy Policy of Skillspark IT Consultancy
Pursuant to Article 13 clauses 1−2 and Article 26 clause 2 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the “GDPR “, please be informed that:
1. Data Controller
Your personal data are controlled by Skillspark IT Consultancy with Trade License No. 1016037 and registered office at Ubora Towers, office 506, Business Bay, Dubai, UAE, hereinafter referred to as the “Data Controller”.
2. Contact details of the Data Controller
You may contact the Data Controller in any matters related to data processing, including but not limited to submitting requests relating to your rights by letter to: Ubora Towers, office 506, Business Bay, Dubai, UAE or by e-mail to: gdpr@skillspark.com.
3. Data Protection Officer
Currently, the Data Controller has not appointed a Data Protection Officer.
4. Purposes of data processing
Your personal data may be processed for the purpose of:
-
Conducting or concluding the recruitment process as part of which you submitted your application;
-
Conducting or concluding future recruitment processes – only if you agreed to the processing of your personal data for such a purpose;
-
Your performance of an employment contract, contract of mandate, contract for specific work, service contract or any other contract entered into between you and the Data Controller;
-
Entering into or properly performing the agreement concluded between the Data Controller and your employer/entity which you represent or the entity with respect to which you act as a partner, associate, adviser or subcontractor, including documenting its execution and identifying persons authorised to perform the tasks set out in the said agreement;
-
Performing the Data Controller’s legal obligation, e.g. providing HR and payroll services, ensuring occupational safety and health;
-
Protecting Data Controller’s property;
-
Pursuing internal administrative and reporting objectives of the Data Controller;
-
Conducting direct marketing activities in respect of Data Controller’s own products and services;
-
Establishing, asserting or defending oneself against claims.
5. Legal basis for the processing of your personal data
We ensure that the personal data is deleted when it is no longer relevant for the processing purposes as described above. We also retain personal data to the extent that it is an obligation from applicable law, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of personal data, please contact the email mentioned at the bottom of this Policy.
6. Source of data
The Data Controller obtained your data directly from your employer/entity which you represent.
If you are a subcontractor of the Data Controller’s business partner, the Data Controller obtained your data from their business partner, from you directly or from generally accessible sources (registers, records).
7. Recipients of your personal data
Your personal data may be accessed by:
-
Duly authorised employees or associates of the Data Controller who are obliged to keep them confidential and not to use them for purposes other than those for which they were obtained;
-
Entities with which the Data Controller cooperate in their ongoing business, such as providers of ICT/IT services, providers of legal, financial, accounting and advisory services, banks, postal operators and courier companies, subcontractors of the Data Controller;
Moreover, your personal data may be disclosed to:
-
Entities authorised under legal regulations (e.g. public authorities: offices, courts, public prosecutor’s office or the police); in such an event information is provided only if there are suitable legal grounds to do so;
-
The Data Controller’s clients, if you provide your services to such entities;
8. Transferring personal data to third countries
Your personal data may be transferred to the United Kingdom of Great Britain and Northern Ireland which – pursuant to the decisions of the European Commission of 28 June 2021 with ref. no. C(2021) 4800 and C(2021) 4801 – offers an adequate level of data protection, as referred to in Article 45 clause 2 of the GDPR.
Due to the fact that the Data Controller’s business partners – e.g. providers of legal, fiscal or audit services – use modern technologies, such as e.g.cloud services, and due to the fact that the clients of the Data Controller may have their registered seat outside of the European Economic Area, your personal data may be transferred to countries from outside of the European Economic Area. In each such event the Data Controller ensures appropriate safeguards including e.g. standard data protection clauses adopted pursuant to the decision of the European Commission. You have the right to obtain a copy of the indicated safeguards concerning provision of personal data – in order to obtain them you should contact the Data Controller using the communication channels referred to in point 2 above.
9. Personal data retention period
Your personal data will be processed for the following periods:
-
In order to conduct and conclude a recruitment process – until the end of the recruitment process;
-
In order to conduct and conclude future recruitment processes – by the time you withdraw your consent to the processing of your personal data for the purposes of future recruitment processes;
-
In order to perform the contract referred to in point 4.3) or the contract referred to in point 4.4) and protect Data Controller’s property – for the term of the said contract;
-
Personal data processed for the purpose of performing the Data Controller’ legal obligation (e.g. providing HR and payroll services, ensuring occupational safety and health) – for a period necessary to perform the legal obligation;
-
Personal data processed for the purpose of direct marketing activities in respect of own services – by the time the data subject objects to it;
-
Personal data processed based on a separate consent – by the time the data subject revokes it;