PRIVACY NOTICE FOR JOB APPLICANTS IN EUROPE
Effective as of June 28, 2023.
1. Purpose
As part of its recruitment process relevant to employment or other individual engagement, Sawtooth Software Inc., Sawtooth Software UK Limited, and affiliates (collectively referred to as “Sawtooth”) receive, use, store, and transfer job candidates’ personal information. Sawtooth may also share the information with others in certain specific situations (see below).
By registering and submitting your application for a role with Sawtooth, either directly or via an authorized third party, Sawtooth will collect, process, and transfer personal information about you in the United States (US). This GDPR Candidate Privacy Notice and its addendum (the “Privacy Notice”) contains details of Sawtooth’s policies and practices regarding the collection and processing of your personal information and the rights and choices you have.
In the event that you have any questions or concerns about the information provided, please contact Sawtooth using the information at the end of this Privacy Notice.
Sawtooth will process and transfer candidate data in accordance with this Privacy Notice, unless in conflict with requirements of applicable law, in which case, the applicable law will prevail.
To ensure all personal data is processed and transferred in accordance with its data protection policies, Sawtooth can only accept applications or expressions of interest in a role at Sawtooth through its careers portal, which can be accessed at https://sawtoothsoftware.com/jobs.
2. What Information Does Sawtooth Collect about You
Except as otherwise set forth in the addendum to this Privacy Notice, Sawtooth may collect, use, share, and store personal information about you during the recruitment process, which includes but is not limited to:
- Application data: Your resume, name, residential address, email address, phone number, academic and professional qualifications, diversity profile (age, gender etc.), citizenship, compensation details, and any other information you choose to include in your resume and cover letter;
- Assessment data: Candidate testing (such as technical, behavioral tests), interviews, and any other information collected to evaluate your candidacy;
- Pre-employment screening data: date of birth, personal identification, bank account information, criminal record, employment, citizenship/residency status, individual location information, and dependents details.
Information Collection Sources
Sawtooth may collect personal information that you directly provide on its website or directly to Sawtooth personnel. In addition, Sawtooth may collect your personal information from other legitimate sources such as public databases, search engines, and information from third parties that you have chosen and consented to disclosing information about you. Examples of such third parties may include recruiters, online professional networks, or vendors in connection with pre-employment screening data.
3. Why Does Sawtooth Collect and Use Your Personal Information
The Recruitment Process
Sawtooth has a legitimate interest in processing your personal information during its recruitment process. Processing personal information from job applicants allows Sawtooth to manage the recruitment process, assess, and confirm a candidate’s suitability for employment or other engagement, and decide when an offer of employment or other engagement should be extended.
Legal Obligation
In some cases, Sawtooth needs to process your personal information to ensure that Sawtooth is complying with its legal, regulatory, and corporate governance obligations.
Consent
Some of the information Sawtooth may obtain from or about you might be sensitive. Except as otherwise set forth in the addendum to this Privacy Notice, Sawtooth generally only keeps sensitive information if you expressly consent to it, and/or if it is necessary to carry out its obligations or exercise its legal rights (or enable you to exercise your legal rights).
4. How Sawtooth Shares Your Personal Information
Sawtooth may disclose your personal information if required to do so by law, court of law, or as requested by a governmental or law enforcement authority.
Aside from this, Sawtooth generally only shares your personal information with others where it is a necessary part of its recruitment process. For example, Sawtooth may share your personal information with other members of the Sawtooth group of companies where it is relevant to your application.
Sawtooth may also share your personal information with a select group of third-party service providers that carry out certain recruitment-related activities on its behalf, such as background checking agencies and companies that help Sawtooth with storing data.
Sawtooth expects the entities with which Sawtooth shares your personal information (both group companies and non-affiliated third parties) to protect the confidentiality and security of your information and to use it only for its intended purposes.
5. Transferring Your Personal Information to Other Countries
The organizations with which Sawtooth may share your personal information may be located in countries outside of the European Economic Area (“EEA”), such as the UK, or a third country, such as the US, that have not been granted an adequacy decision by the European Commission. Sawtooth has put in place safeguards reasonably designed to ensure your personal information remains adequately protected when transferred, including on the terms of the European Commission Standard Contractual Clauses.
Your personal information will be transferred to the US. The US has not received a finding of “adequacy” from the European Union under Article 45 of the General Data Protection Regulation (GDPR). Consequently, Sawtooth relies on appropriate safeguards as set forth in GDPR Article 46 for the transfer of your personal information to the United States and, more specifically, through Sawtooth’s group data transfer agreement.
For more information about appropriate safeguards as set forth in GDPR Article 46, please email privacy@sawtoothsoftware.com.
The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.
Effective as of July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. The data bridge will enable the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.
The effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 17, 2023; however, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.
At this time, Sawtooth is not a participating organization in the Data Privacy Framework program. Thus, Sawtooth does not rely on the Data Privacy Framework for any of its cross-border data transfer.
6. How Long Does Sawtooth Keep Your Personal Information
If your application for employment for a specific role is unsuccessful or if you submit a general application for its consideration, then, except as otherwise set forth in the addendum to this Privacy Notice, Sawtooth will keep your information for 12 months after the end of the recruitment process pursuant to the US Code of Federal Regulations, 29 CFR Part 1602.
If your application for employment is successful, the personal information Sawtooth gathered about you during the recruitment process will be retained during your employment. The periods for which your personal information will be held will be provided to you in a separate employee privacy notice.
- How Does Sawtooth Protect Your Personal Information
Sawtooth has implemented technical, administrative, and physical security measures to protect your personal information from unauthorized access and improper use. Sawtooth has built security policies and procedures based on Sawtooth’s view of best practice frameworks and reviews these procedures in order to consider appropriate new technology and methods on an ongoing basis. Except as otherwise required by law, only those who have proper authorization will be allowed to view your personal information. In addition, Sawtooth trains its employees about the importance of confidentiality and maintaining the privacy and security of your information. Further, Sawtooth undergoes periodic security risk assessments to ensure the security of information in its possession.
8. Your Rights
Subject to certain limitations, you have the right to confirm that Sawtooth is processing your personal information, to access the personal information it keeps about you, to restrict or object to the processing of your personal information, and to rectify, erase, and port your personal information. Your rights below are subject to you exercising them in good faith and Sawtooth’s legitimate business interests or consent to continue processing your personal data, in accordance with Sawtooth’s policies and applicable law. These rights include:
Your Right of Access:
- The right to obtain confirmation that Sawtooth processes your personal information; and
- Access to the personal information Sawtooth has about you.
Your Right to Rectification:
You have the right to have factually inaccurate personal information rectified, to the extent Sawtooth has any such inaccurate personal information.
Your Right to Erasure:
You have the right to have your personal information erased if:
- Your personal information is no longer necessary for the purpose for which Sawtooth originally collected or processed it;
- You decide to withdraw your consent;
- You object to Sawtooth’s processing of your personal information, and Sawtooth has no overriding legitimate interest or other valid basis to continue the processing of your personal information;
- Sawtooth has processed your personal information unlawfully; or
- Sawtooth must erase your personal information to comply with a legal obligation.
Your Right to Restrict Processing:
You have the right to limit the way Sawtooth uses your personal information in certain circumstances:
- You contested, in good faith, the accuracy of your personal information in Sawtooth’s possession and Sawtooth is verifying the accuracy of such information;
- Sawtooth has unlawfully processed your personal information and you oppose erasure and request restriction instead;
- Your personal information is subject to destruction under Sawtooth’s data retention policy, but you need Sawtooth to keep it in order to establish, exercise, or defend a legal claim; or
- You have objected, in good faith, to Sawtooth processing your personal information, and Sawtooth is considering whether it has legitimate grounds to continue processing your personal information.
Your Right to Object to Processing: You have the right to object to certain types of processing of your personal information, which include:
- Processing for direct marketing purposes (including profiling); and
- Processing for purposes of scientific/historical research and statistics.
Your Right to Data Portability: Under limited circumstances, you have the right to obtain from Sawtooth and reuse your personal information for your own purposes. This right allows you to move, copy, or transfer your personal information easily, without hindrance to usability. If you request it, Sawtooth may transmit your personal information directly to another organization if this is technically feasible.
To exercise any of these rights, please contact Sawtooth using the information at the end of this Privacy Notice.
9. Changes and Updates to this Privacy Notice
Sawtooth recognizes that protecting your personal information is an ongoing responsibility and so it will update this Privacy Notice as it undertakes new practices involving your personal information. Because of this, Sawtooth advises that you check this Privacy Notice from time to time in order to familiarize yourself with any updates.
10. Questions, Concerns, and Complaints
Should you wish to make a complaint about Sawtooth’s use of your personal information, you may contact Sawtooth using the methods specified at the end of this Privacy Notice. You also have the right to lodge a complaint with the appropriate regulatory body/supervisory authority, in particular in the country where you reside, place of work, or of an alleged infringement of the law.
11. How to Contact Sawtooth
If you have any questions concerning Sawtooth’s privacy practices as described in this Privacy Notice, please email privacy@sawtoothsoftware.com.
United Kingdom Addendum
This addendum to the GDPR Candidate Privacy Notice (“Privacy Notice”) describes how, in addition to the protections described in the Privacy Notice, Sawtooth complies with its obligations in relation to the processing of sensitive personal data and criminal record data relating to its United Kingdom-based candidates. For the purposes of this United Kingdom Addendum, all references to the GDPR should be construed as a reference to the UK GDPR. This addendum complies with the requirements of Part 4 of the UK Data Protection Act 2018.
1. How Sawtooth processes data lawfully and in a transparent manner.
The above Privacy Notice sets out full and specific information on how Sawtooth processes sensitive personal data concerning candidates.
2. How Sawtooth processes data for specific, explicit, and legitimate purposes and does not further process data in a manner that is inconsistent with those purposes.
Sawtooth only processes candidates’ data for the reasons set out in the Privacy Notice. If Sawtooth ever needs to use candidate data for any other reason than those already communicated to you, Sawtooth will use best efforts to communicate those purposes to you before Sawtooth does so.
3. How Sawtooth keeps data adequate, relevant, and limited to what is necessary for the purpose.
Sawtooth does not collect data in excess of what Sawtooth needs for the purposes set out in its Privacy Notice and achieves this through:
- training HR to only collect data which is needed for the purposes Sawtooth has set out in the Privacy Notice;
- adopting internal data retention requirements, which helps to limit the candidate data Sawtooth retains and the periods for which it is retained (for more information on Sawtooth’s data retention policies, please email privacy@sawtoothsoftware.com);
- maintaining relevant documentation on its processing activities, which allows it to easily review what data Sawtooth is processing and take active steps to reduce data down to only what is needed for the business; and
- ensuring its data protection documentation and processes are in line with its view of best practices and official guidance by routinely reviewing its processes and documentation.
4. How Sawtooth keeps all personal data accurate and, where necessary, up to date.
Sawtooth keeps data up to date by requiring candidates to keep it informed of any changes in their personal data.
5. How Sawtooth keeps personal data secure and protects it against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Sawtooth complies with internal policies and procedures in order to achieve this.
6. How Sawtooth processes data in line with an individual’s rights and transfers data to people or organizations situated in countries without adequate protection.
Sawtooth informs candidates of their rights in its Privacy Notice. Sawtooth only sends data to other countries where Sawtooth believes the data is adequately protected, as set out in its Privacy Notice.