Purpose and Scope
This policy describes how SEIE AB handles personal data in accordance with the GDPR, in order to protect candidates, employees, clients, and other stakeholders. The policy applies to all departments, including recruitment, HR, and client management.
Legal Basis for Personal Data Processing
| Type of Data | Examples | Legal Basis |
|---|---|---|
| Candidate data | CV, cover letter, references, social/IVO checks | Legitimate interest (recruitment) or consent |
| Employment data | Personal identity number, bank details, contracts | Legal obligation (labor law) |
| Client data | Contact names, emails, phone numbers | Legitimate interest (business relationship) |
| Follow-up data | Client and employee surveys | Legitimate interest (quality assurance) |
✅ Legitimate interest is used when processing personal data for recruitment and client relations.
✅ Consent is required for retaining candidate profiles for future matching after a recruitment process is completed.
✅ Legal obligation applies to employment documentation in accordance with labor law requirements.
Guidelines for Personal Data Management
Collection of Personal Data
• Only the data necessary for the stated purpose is collected, and the purpose is documented.
• Candidates are informed at the first contact about how their data will be processed.
• Consent is obtained if data is to be stored longer than 24 months after the last contact.
Storage and Deletion of Personal Data
• Candidates: Data is deleted 24 months after the last contact if no employment is offered.
• Employees: Salary and employment data are stored for at least 7 years in accordance with the Accounting Act.
• Clients: Contact details are deleted after 3 years if the business relationship ends.
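As an added illustration (not part of SEIE AB's policy and not code from any system named on this page), the retention rules above can be expressed as one decision function, so that an automated deletion job applies the same logic to every category and records why each entry was kept or deleted. The record layout, the "reference date" field (last contact for candidates, end of employment for employees, end of relationship for clients) and the sample register are assumptions made for this example. Note how a deletion request is honoured for candidate and client data but overridden for employment data during the statutory retention period, and how consent extends a candidate's retention beyond 24 months.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods taken from the policy text.
CANDIDATE_RETENTION_MONTHS = 24   # after last contact, if no employment is offered
EMPLOYEE_RETENTION_YEARS = 7      # Accounting Act minimum for salary/employment data
CLIENT_RETENTION_YEARS = 3        # after the business relationship ends


@dataclass
class Record:
    """Hypothetical register entry; the field names are assumptions for this example."""
    record_id: str
    category: str                          # "candidate", "employee" or "client"
    reference_date: date                   # candidate: last contact; employee: end of employment; client: end of relationship
    hired: bool = False                    # candidate accepted an offer
    consent_until: Optional[date] = None   # candidate consented to longer storage
    relationship_active: bool = True       # client: business relationship still ongoing
    deletion_requested: bool = False       # data subject asked for erasure


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the length of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def retention_decision(rec: Record, today: date) -> tuple[str, str]:
    """Return ("keep" | "delete", reason) for one record on the given date."""
    if rec.category == "employee":
        # Legal obligation: retain for the statutory period even if erasure is requested.
        keep_until = add_months(rec.reference_date, 12 * EMPLOYEE_RETENTION_YEARS)
        if today < keep_until:
            return "keep", f"legal obligation (Accounting Act) until {keep_until}"
        return "delete", "statutory retention period expired"

    if rec.category == "candidate":
        if rec.hired:
            return "keep", "hired; record is now governed by employee retention"
        if rec.deletion_requested:
            # Processed under legitimate interest or consent only: nothing obliges us to keep it.
            return "delete", "erasure requested; no legal obligation to retain"
        if rec.consent_until is not None and today <= rec.consent_until:
            return "keep", f"consent to retain until {rec.consent_until}"
        expiry = add_months(rec.reference_date, CANDIDATE_RETENTION_MONTHS)
        if today >= expiry:
            return "delete", f"{CANDIDATE_RETENTION_MONTHS} months since last contact"
        return "keep", f"within candidate retention window until {expiry}"

    if rec.category == "client":
        if rec.deletion_requested:
            return "delete", "erasure requested; no legal obligation to retain"
        if rec.relationship_active:
            return "keep", "business relationship ongoing"
        expiry = add_months(rec.reference_date, 12 * CLIENT_RETENTION_YEARS)
        if today >= expiry:
            return "delete", f"{CLIENT_RETENTION_YEARS} years since relationship ended"
        return "keep", f"within client retention window until {expiry}"

    raise ValueError(f"unknown category {rec.category!r}")


def run_retention_job(records: list[Record], today: date) -> dict[str, tuple[str, str]]:
    """Evaluate every record; a real job would act on the 'delete' entries and log the reasons."""
    return {rec.record_id: retention_decision(rec, today) for rec in records}


# Constructed sample register (not real data) and an assumed run date.
RUN_DATE = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("C-001", "candidate", date(2023, 3, 15)),                                   # 24 months passed
    Record("C-002", "candidate", date(2023, 3, 15), consent_until=date(2026, 12, 31)),  # consent extends
    Record("C-003", "candidate", date(2025, 1, 10), deletion_requested=True),           # erasure honoured
    Record("C-004", "candidate", date(2023, 3, 15), hired=True),                        # became employee
    Record("E-001", "employee", date(2020, 12, 31), deletion_requested=True),           # erasure overridden
    Record("K-001", "client", date(2021, 4, 30), relationship_active=False),            # 3 years passed
    Record("K-002", "client", date(2021, 4, 30)),                                       # still a client
]

if __name__ == "__main__":
    for rid, (action, why) in run_retention_job(SAMPLE_RECORDS, RUN_DATE).items():
        print(f"{rid}: {action:6} {why}")
```

The reasons returned alongside each decision are meant to be written to the deletion log: they are what an auditor or the GDPR officer will ask for when checking that the retention schedule was actually applied.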
Sharing of Personal Data
• Candidate data is only shared with clients after candidate approval.
• Only necessary data is shared with payroll administrators and authorities.
• Third parties that process data on our behalf (e.g. recruitment tools, IT providers) must sign a Data Processing Agreement (DPA) in accordance with Article 28 GDPR before any personal data is shared with them.
✅ Example of a GDPR-compliant clause in a candidate agreement:
“I consent to SEIE AB storing and processing my personal data for the purpose of matching me with relevant job opportunities. I may at any time request the deletion of my data by contacting [email address].”
Information Security and Access Control
| Security Measure | Example |
|---|---|
| Technical measures | Encryption, firewalls, two-factor authentication |
| Organisational measures | Access to sensitive data restricted to authorized personnel |
| Physical security | Locked archives for paper documents, visitor registration at the office |
✅ Only HR and recruiters have access to the candidate database.
✅ Encryption is used when storing sensitive personal data.
Procedures for Access, Rectification, and Deletion
| Request Type | Description | Response Time |
|---|---|---|
| Access request | Candidate has the right to receive a copy of their data. | Without undue delay, at most one month (extendable by up to two further months for complex requests; the individual is informed of any extension within the first month) |
| Rectification | Incorrect data must be corrected upon request. | Without undue delay, at most one month |
| Deletion | Data is deleted upon request, unless legal obligations require retention (e.g. employment data under the Accounting Act). | Without undue delay, at most one month |
✅ Example of a response template for an access request:
“Dear [Name], here is a summary of the personal data we have registered about you at SEIE AB:
[Data list].
Best regards,
[Contact person].”
A complete response under Article 15 GDPR also states the purposes of the processing, the recipients of the data, the retention period, and the source of the data where it was not collected from the individual.
Incident Management and Data Breaches
In case of a suspected data breach:
- The incident is immediately reported to the GDPR officer and recorded in Landax. All breaches are documented, including those that are not reported to the authority.
- The breach is contained and investigated, and corrective measures are taken (e.g. password resets, revoking access, IT security checks).
- The Swedish Authority for Privacy Protection (IMY) is informed within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If notification is late, the reasons for the delay are documented.
- Affected individuals are notified without undue delay when the breach is likely to result in a high risk to them, with a description of the likely consequences and the measures they can take to protect themselves.
✅ Example of an internal incident report:
• Date and time discovered: [YYYY-MM-DD HH:MM]
• Type of incident: (e.g. Unauthorized access, data leakage)
• Affected data and approximate number of individuals: (e.g. Candidate data, client data)
• Likely consequences for the individuals: [Description]
• Measures taken: [Description]
• Reported to IMY / affected individuals: [Date, or reason why notification was not required]
GDPR Documentation and Compliance
Mandatory GDPR documentation includes:
📂 Privacy Policy – Published on the website, informing about data protection.
📂 Data Processing Agreements – With external recruitment tools and IT providers.
📂 Records of Processing Activities – Documentation of all personal data processing.
📂 Procedures – For access requests, deletion, and data breaches.
📂 Training material – For HR and recruiters on GDPR compliance.
✅ Annual review of GDPR procedures to ensure compliance.
Summary and Action Plan
✅ Short-term actions (0–3 months):
• Conduct an internal GDPR audit.
• Update the privacy policy on the website.
• Ensure all employees receive GDPR training.
✅ Long-term actions (3–12 months):
• Implement automated deletion of candidate profiles.
• Ensure all IT systems have up-to-date security measures.
• Regularly review Data Processing Agreements with suppliers.
⚖️ This policy provides a structured GDPR compliance framework for SEIE AB, aligned with Swedish and EU regulations.
