Terms of Service

Welcome to the Helaina Inc. website. Everything displayed on our website is proprietary and information protected by copyright or trademark and may not be used for any purpose except as provided herein or with the prior written permission of Helaina Inc. Nothing contained on this website grants, or should be construed as granting, a license to any of Helaina’s trademarks, copyrights or any of its other intellectual property rights. Any rights not expressly granted herein are expressly reserved.

Policy Statement Regarding Processing of Candidate Data

Last Updated July 30, 2021

BACKGROUND, SCOPE AND STRUCTURE

  1. In furtherance to Helaina Inc.’s (“we” or “our”) compliance with the EU General Data Protection Regulation 2016/679 (the “GDPR”), we are providing this policy statement to define and explain our collection, use and processing of personal identifiable information (“PII”) of individuals, namely, citizens of the European Union and other jurisdictions subject to the GDPR who apply for a position with our company or who are identified as potentially qualified candidates (“Candidate”).

  2. Our vendor, Lever, Inc. (“Lever”), provides a talent cloud management software platform (“Platform”) accessible to users via a web interface. Candidates providing PII to our company will generally either (a) navigate to our website and submit a job application through our website which will flow into our instance of the Platform or (b) navigate to a third-party website (like LinkedIn or Indeed) and submit a job application through our website which will flow into our instance of the Platform. When a Candidate provides PII through our website that flows into the Platform, our privacy policy will govern the interaction between the Candidate our company.

  3. The Platform manages the applicant process, providing functionality to manage the interaction between us and the Candidate, track the Candidate through application stages, seek feedback from our employees regarding a Candidate, make hiring decision and send an offer letter.

  4. We may use other integrations into the Platform to enable additional functionality with systems such as email, background checks, employee onboarding, and HRIS (human resources information systems). Processing by Lever integrations is not included in the scope of this policy statement.

  5. We are the GDPR data controller, and Lever acts as a GDPR data processor for our company and provides comprehensive GDPR related product functionality to allow us to best meet our compliance needs. Lever is certified under EU-U.S. and Swiss-U.S. Privacy Shield framework to fulfill GDPR requirements for safe data transfers outside of the EEA to Lever’s hosting facilities contracted with Amazon Web Services in Oregon, USA.


PERSONAL DATA PROCESSING

  1. Under the GDPR, “personal data” (or PII) is defined as “any information relating to an identified or identifiable natural person (called a data subject, or for our purposes, a “Candidate”).

  2. Due to the nature of the Platform, we may retain PII of data subject categories necessary and common to the process of fielding job applications and processing employment applications, including Candidates, our employees and Candidate employment references. For Candidates in the Platform, we commonly store: first name; last name; email address; telephone number; employment history; education; location; salary; job position; publicly available trade union memberships and other information that may be requested by us or submitted by a Candidate as part of a hiring process. We request only as much information that is required during the candidate evaluation process in keeping with data minimization efforts as required under GDPR Article 5, section 1(c). We also store our own employees’ name, email address who use the Platform.

  3. We do not request sensitive PII such as health data, legal data, credit card or bank account information as part of a hiring process.

  4. A Candidate may choose to provide information other than what we request. By choosing to provide additional or different information, the Candidate consents to the Processing of the information submitted as described in Section 3 below. In the event that a Candidate provides information that was not requested by us, a Candidate may still reach out to us through the Platform or as described in our Privacy Notice to request removal of the PII.

NATURE AND PURPOSES OF PROCESSING

  1. “Processing” of PII under the GDPR is defined as “any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. For instance, both the collection of PII from a Candidate, as otherwise publicly available, and the displaying PII through the Platform constitute different processing activities under the GDPR.

  2. On our behalf and based on our instructions, the Platform processes PII and other data for the purpose of enabling the candidate relationship management, administering hiring and managing candidate evaluation processes.

  3. PII will be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  4. We may collect and store other data subject categories and will notify Candidates upon collection of the data and where appropriate, obtain Candidates’ consent.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

  1. According to Article 45 GDPR, a transfer of personal data to a third country (i.e. a country which is not a member of the EU or the European Economic Area) may take place without requiring any specific authorization where the EU Commission has decided that the third country ensures an adequate level of protection. For instance, the United States has implemented Privacy Shield, which is a framework of protections for data transfers from the EU to the United States. Under Privacy Shield, the EU recognizes that any United States organization that joins Privacy Shield is deemed to have an adequate level of protection. Consequently, if a receiver of personal data is certified under Privacy Shield, no safeguards under Article 46 GDPR are necessary. If the receiving country is not deemed ensure an adequate level of protection, the transferring party has to implement appropriate safeguards, as listed in Article 46 GDPR. As set forth above, our processor, Lever, maintains the Privacy Shield certification. We have entered into a Data Protection Agreement with Lever as the lawful basis for transfer under Privacy Shield.

  2. Article 46(c) GDPR allows for transfer to a third country if standard data protection clauses adopted by the EU Commission are applied. These clauses can be made part of an agreement.

  3. Lever may utilize sub-processors to assist in the lawful transfer of PII. As a condition of any transfers, Lever requires its sub-processors to comply with privacy and confidentiality obligations through contracts with each sub-processor. Further, sub-processors are subject to review and audit by Lever. Lever has provided the list of sub-processors on its website located at: https://www.lever.co/subprocessors/ .

DATA PROCESSING PURPOSES

  1. Under Article 5 of the GDPR, PII may only be processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Our purpose is to establish a potential employment relationship with Candidates and efficiently manage and track the hiring process for each Candidate.

  2. A processing activity can have several different purposes. Each such purpose requires its own legal ground (as further described below) and all legal requirements (including but not limited to the obligation to inform the Candidates of each purpose set forth above) must be fulfilled for each purpose. Further, Article 25 GDPR sets out that only PII which is necessary for each specific purpose shall be processed (data protection by default).

  3. Article 5 of the GDPR sets out that PII shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (data minimization). We have configured the Lever platform to minimize the PII collected and processed solely to the information required to consider a job applicant for employment.