Privacy Notice for Candidates and HR
Effective Date: August 2022
Privacy notice for employees and job applicants – GDPR
Purpose of the Document
Contentstack Inc. is committed to protect the privacy and security of your personal data.
This privacy statement is issued on behalf of Contentstack and its subsidiaries, "we", "us" or "our" in this privacy statement, we are referring to the relevant company irresponsible for processing your data. We are the “data controller”. This means that we are responsible for determining how we hold and use personal information about you. According to the General Data Protection Regulation (EU 2016/679) (“GDPR”) we, as data controller, are required to notify you of the information contained in this privacy notice.
This privacy notice describes why and how we collect and use personal information about you during and after your working relationship with us, with whom we might share it and how long we usually keep it. This also makes you aware of your rights under the GDPR.
In general, GDPR applies to all employees that are citizens of the European Union, European Economic Area, United Kingdom or Switzerland (collectively referred to as the “EU”) located in the EU, or whose personal data is being processed by Contentstack with legal entity based in the US, but processing EU personal Data for the purpose of hiring in the EU.
This notice applies to potential, current and former employees, workers and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will inform you and provide an updated copy of this notice on Contentstack site. It is important that you read and understand this notice. If you have questions or do not understand it fully, please seek additional information from your local Personal Data Protection (PDP) Coordinator in HR, Data Protection Officer.
Personal information we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We will collect, store, and use the following categories of personal information about you as listed below.
Basic personal information:
- personal contact details such as name, title, addresses
telephone numbers, and personal email addresses
- date of birth
- emergency contact information
- marital status and dependents (if required by law)
- government-issued identification numbers, such as national ID, drivers’ license or passport number
- number or national insurance number
- bank account details
- copy of your passport or identity card
Data related to employment relationship or potential employment relationship:
- work contact details
- type of contract, contract details, employment ID number (if any)
- title, position description, working history and records, working location, years of services
- salary, benefits, tax and pension-related information and historical records
- performance-related data, such as your objectives, performance discussions and assessment records, feedback and tests results
- qualifications and personal development related data, such as records of development discussions and competence assessments, learning and development records, certificates, licenses and vocational records, records of career and succession planning
- information about working hours, vacation and absences
- recruitment history – resume details, previous work experiences and educational background, certificates, licenses and vocational records, information of general interests, membership to associations, any information you have provided us during the interviews, information gathered from reference persons whose contact details you have provided to us .
- your employment history as contained in your resume
- should you no longer be employed, the date of notice and of termination.
- copy of drivers’ license (if relevant for your position)
- information related to immigration, right-to-work and residence status
- travelling and travel expenses related data as well as user account details
- information relating to any misconduct and disciplinary actions, background check reports and security data
- data related to incident reporting, including time and place of accident and “near misses” at work, description of the respective incident including information relating to the persons involved in such incidents and the effects the incidence has had on these persons (including also limited health related data), consequences of the incident including data relating to insurance reports and other proceedings
- information relating to specific assignments (e.g. meeting records, project reports etc.)
- user logs and access control related information, including physical access to Contentstack premises
- CCTV footage and other information obtained through electronic means such as swipe card records
- information about your use of our information and communications systems and other Contentstack’s assets, (e.g. outlook, computers, servers, etc.)
- Your work-related communication on company owned accounts or devices
We may also collect, store and use the following “special categories” of more sensitive personal information which will be collected and used only if and to extent a local legislation requires.
Sensitive data we may collect about you:
- information about your religion
trade union or guild membership
information about your health, including any medical condition, health records, including:
- where it is needed for determination of working capacity based on health conditions
- records of regular health examination
- sick-leave records
- where you leave employment and the reason for leaving is determined to be ill- health, injury or disability, the records relating to that decision
- where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions, 401k, benefits, and permanent health insurance purposes biometric data
- information from criminal background checks
Grounds for collecting and using your data
We primarily based our processing of your personal data (see categories of personal information in “The kind of information we hold about you” above) in order for us to perform our contract obligations as an employer (“Contractual obligations”) and to enable us to comply with legal obligations (“Legal obligations”).
In some cases we process your personal information based on our legitimate interests (“Legitimate interests”), when your interests and fundamental rights do not override those interests. Our main and general legitimate interest is to continue to develop our business, both qualitatively and quantitatively, and improve the performance of Contentstack. We have listed purposes and grounds for processing your personal data in the table below.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
Basis for Use
Entering or performing employment contract, determine the terms on which you work for Contentstack, management of employment contract, amendment agreements, appendixes and other contracts related to employment relation.
Checking if you are legally entitled to work in the country where we operate and your resident status.
Payments of agreed compensation (salary, bonuses) and as applicable deducting tax, mandatory social contributions and national insurance contributions in accordance with local legislation.
Making decisions about salary reviews and compensation package based on Contentstack salary review processes and best practices
Providing the contractually agreed bonuses and benefits or complementary benefits awarded to you according to company policy.
Inviting you to participate in long term incentives provided by a group company, if applicable.
Enrolling you in a pension arrangement in accordance with statutory automatic enrolment duties. Liaising with your pension provider and any other provider of employee benefits
Attendance monitoring, vacation, absence and sick/leave administration.
Determining performance requirements, setting individual targets, conducting regular performance reviews and assessments, managing performance records and analytics in accordance with Contentstack performance and development processes.
Assessment of qualification and competences in the role you are signed for and for talent and succession management, including decisions about career and promotions according to our HR routines.
Employees development - composition of overall and individual development programs, arrangement of trainings and development activities, including on-boarding trainings, certification and licenses administration according to Contentstack’s performance and development processes.
Your participation in recruitments – conducting recruitment process, arranging interviews and testing, making a decision on appointment according to Contentstack recruitment policy.
Travel management – arrangement of accommodation and flights, managing travel expenses reports and payments, arranging visa invitations and/or visas.
Processing the termination of employment - making arrangements for the termination, administration of relevant documents, reporting to relevant authorities if required by local legislation
Assurance of network and information security, including access management to prevent unauthorised access to our computers and electronic communications systems and preventing malicious software distribution.
Assurance of security of Contentstack s facilities and assets, and Contentstack’s employees personal belongings via monitoring swipe card records (or biometric data readers) and surveillance cameras (CCTV).
Equal opportunities monitoring and to prevent discrimination.
To prevent fraud or other criminal activities (especially anti- bribery).
Legal obligations Legitimate interests
Gathering evidence for possible grievance or disciplinary hearings.
Making decisions about your continued employment or engagement.
Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
To conduct data analytics studies to review and better understand employee retention and turnover rates.
To carry out our contractual obligations with customers and suppliers. (e.g. personal data included in purchase orders, quality documentations, email correspondences and contracts between us and a customer).
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to comply with contractual obligations and perform the contract we have entered into with you (such as paying you, reporting your taxes, or providing benefits), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
How personal information is collected
Contentstack Employees based in the EU
We collect personal information about you during your contracting employment relationship.
We collect personal information about you also through the application and recruitment process either directly from you, or from a recruitment service providers or consultants if they were involved. We sometimes collect additional information from third parties including former employers, authorities or other information providers. To get further information on how we collect information please contact the DPO or HR at your Contentstack entity.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us. Subject to the applicable laws, information may be obtained through background checks, security clearances and other similar information sources deemed necessary due to the nature and security requirements related to the open position in question.
We collect personal information about you from the agency or company you are working for. If the situation so requires, we collect certain data from you directly, (e.g. bank details, data needed in relation with work incidents etc.)
For further information, please contact the DPO or HR at the Contentstack entity.
Subject to the applicable laws, information may be obtained through background checks, security clearances and other similar information sources deemed necessary due to the nature and security requirements related to the open position in question.
Automated decision making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making. There will always be human intervention into decisions based on automated processing, including automated analytics, testing, profiling.
However, if this position changes, or there is a need and lawful base to do so, we will notify you in writing.
Personal information sharing
We share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or restructuring exercise, for system maintenance support and hosting of data.
We share your personal information with different governmental authorities, institutions or agencies (or similar), or insurance companies where required by law for the purpose of their regulatory tasks. We may also need to share your personal information with a regulator or to otherwise comply with the law.
We share your personal data with third-party service providers processing data on behalf of Contentstack. To get further information on how we collect information please contact the DPO or HR. In such cases your personal data are safeguarded by Data Processing Agreements, committing outsourced service providers to process your personal data for specified purposes and in accordance with our instructions, comply with GDPR and apply appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes.
We may share your personal information with other third parties, such as, but not limited to service providers, benefits administrators, suppliers, customers and business partners to fulfil our contractual obligations. In such cases we limit personal data shared to absolute minimum required.
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and hosting of data. In this situation we will, so far as possible, share anonymized data with the other parties before the transaction is completed.
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymized data with the other parties before the transaction is completed. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
Transferring information outside the EU
As a US company, we will transfer the personal information we collect about you outside the EU.
If you are a part of our management team, sales organization or sourcing organization, we will your transfer name, email address, telephone number, job position, place of work, country and other business related data, such as personal data included in purchase orders, quality documentations, email correspondences, contracts and other agreements between the customer/supplier and Contentstack. contract with such customers or suppliers.
We ensure that appropriate safeguards are in place which provide adequate levels of protection of your personal data as required by applicable data protection laws. All transfers outside the EU not made to countries which are considered by the European Commission to provide an adequate level of protection of personal information are safeguarded with agreement based on Standard Contractual Clauses based approved by European Commission or such other mechanisms as have been recognized or approved by the relevant authorities from time to time. If you have questions about the transfer, please contact our data protection officer.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
We limit access to your personal data to those employees, agents, contractors and other third parties on a need-to-know basis, i.e. who need the access in order to fulfil the tasks and duties relating to service provision. All service providers are permitted to process your personal data based on our instructions, they are subject to a duty of confidentiality, and they are required to be compliant and demonstrate the compliance with Personal Data Protection.
Our IT systems are protected against unauthorized access with various level of controlled and password protected access rights.
When transferring or disclosing your personal data, the safety measures vary based on the sensitivity of the data and may include, but are not limited to strong identification of the recipient, logging transfer, access controls, two factor authentication and encryption of the transferred information.
Any sensitive information (such as health-related information or any sensitive data required by local legislation) will usually be used separately from other personal data, and access rights to such sensitive personal data are granted only with weighty reasons to persons making decisions, usually HR representatives, direct manager and direct manager’s manager.
We have implemented procedures to deal with any actual or suspected data security breach and will notify you and any applicable authority about breach where we are legally required to do so.
We prefer to avoid personal data collection and usage in paper format. If so required, the paper documents and copies will be stored in locked-up premises.
Our IT organization together with our DPO monitor the safety and integrity of the personal data protection on regular basis and have implemented technical measures to prevent and detect any safety breaches that may threaten your personal data.
We only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Details of retention periods for different aspects of your personal information are available in our retention policy which is available
on www.contentstack.com. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.
Your rights in connection with personal information
Under certain circumstances, you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are collecting and using it lawfully.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to use it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of collecting and using your personal information. This enables you to ask us to suspend the usage of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the data portability of your personal information to another party.
- Right to lodge a complaint to supervisory authority.
- Right to withdraw the consent. In circumstances where you have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
Here’s how you can exercise your rights:
- to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer your basic personal information to another party or withdraw the consent, please contact with our DPO in writing.
- to lodge the complaint to supervisory authorities, please contact directly the Data Protection Authority of your location country.
We may need to confirm your identity or request specific information. Please note that, in order to meet your request we may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Exercising your rights is free of charge. However, we have right at our sole discretion to refuse to fulfil or charge a reasonable fee for fulfilling of several similar consecutive requests or requests that are manifestly unfounded or excessive. We are also entitled to decline requests on statutory grounds in which cases we will inform you of such decline including the grounds for the decline.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.
How to contact us
If you have any questions about how we process your personal data, please feel free to contact our Data Protection Officer by email firstname.lastname@example.org.
Contentstack Inc. is a Delaware limited liability company with its main office located at 49 Geary St. Suite 238, San Francisco, CA 94108.