Protecting your personal data is very important to our Company and we value the privacy of the Applicants highly. This document describes the principles on the basis of which the Company processes the personal data of job applicants. The privacy policy is applied if the applicant applies for a position advertised by the Company and after the end of the application process in compliance with effective legislation.

The terms used in the privacy policy have the following meaning:

  • Company means Auve Tech OÜ, Auve Production OÜ, AS Silberauto.
  • Applicant means a person applying for a job in the Company.
  • Personal Data means any information relating to an identified or identifiable Applicant.
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Third Party means any person who is not an Applicant, the Company, an employee of the Company or a Processor.
  • Processing means any operation performed with Personal Data (including collection, storage, retention, alteration, systematisation, granting access, use, making queries, transfer, deletion, etc.) irrespective of the manner in which the operation is performed or the tools used.
  • Processors means service providers (both natural persons and legal entities) who process Personal Data on behalf of the Controller.
  • Controller means the Company that determines the purposes and means of Personal Data Processing. 
  1. General principles
    1. When carrying out the recruitment process, the Company collects and processes the Personal Data of Applicants in order to assess the suitability of the Applicants for the position offered by the Company. Personal Data Processing in the Company takes place in accordance with the GDPR and applicable legislation and in order to protect the privacy of Applicants upon Personal Data processing.
      The Company ensures the confidentiality of Personal Data within the framework of applicable legislation and applies the relevant technical and organisational measures for protecting Personal Data from unauthorised access, unlawful Processing or disclosure, accidental loss, alteration or destruction.
    2. The Company may use Processors for Personal Data Processing. In such cases, the Company ensures that Personal Data is Processed in accordance with the Company’s instructions and in accordance with applicable law, and that the Processors apply appropriate security measures.
  2. Legal grounds for personal data processing 
    1. In summary, the Personal Data of an Applicant are Processed on the following legal grounds:
    2. performance of legal obligations
    3. application of measure preceding entry into the employment contract
    4. on the basis of the Applicant’s consent
    5. in or for the protection of the legitimate interests of the Company
  3. Categories of personal data
    1. The categories of Personal Data that the Company collects and that are Processed are as follows (this list is not exhaustive): contact details (e.g. name, address, telephone number, e-mail address), date of birth, photo of the Applicant (if submitted by the Applicant), gender, data of the course and level of education, data of prior work experience (e.g. information included on the CV or the cover letter), data on the Applicant’s achievements and personal characteristics (including references from previous employers), communication data (e.g. data collected during communication by e-mail), other Personal Data indicated pm the CV or submitted by the Applicant to the Company in another manner.
    2. As a rule, the Company collects Personal Data directly from Applicants and via recruitment portals. If necessary, the Company may use Third Parties or the services of Processors for collecting the Personal Data of Applicants, for example, through recruitment agencies, the Personal Data disclosed by the Applicant themselves (e.g. on social media) or published online or in another public source (e.g. in a public register) on the basis of law or collect Personal Data from non-public sources, primarily to contact the providers of the Applicant’s references and the Applicant’s acquaintances in order to obtain important information about the suitability of the Applicant for the position.
  4. Objectives of and legal grounds for personal data processing
    1. The Company mainly processes the Personal Data of Applicants in order to:
      1. assess the suitability of the Applicant for the position offered by the Company, which is based on:
        1. applying pre-contractual measures; and 
        2. in the case of information collected with the Applicant’s consent and from non-public sources in the case of the Company’s legitimate interest, primarily contacting the providers of the Applicant’s references and the Applicant’s acquaintances in order to obtain important information about the suitability of the Applicant for the position if the respective information has not been noted in the CV submitted by the Applicant;
        3. draw up the employment contract if an employment contract is entered into with the Applicant, which is based upon the application of pre-contractual measures;
        4. enter, retain and process further the Applicant’s contact details in the Company’s information system for the purpose of the future recruitment of the Applicant, which is based on the Applicant’s consent; and
        5. resolve potential claims and disputes (primarily discrimination disputes), which is based on the performance of a legal obligation.
  5. Profiling
    1. Profiling is the automatic Processing of Personal Data, which is used to assess the personal characteristics, capability and/or interests of the Applicant. Profiling may be used in the selection of new employees from among the Applicants as an additional way to assess the suitability of the Applicant for the position via testing the personal characteristics and mental capability of the Applicant. However, the decision to hire an Applicant is not made only on the basis of automated processing based on profiling, but the final decision on hiring or preliminary selection is made by a human. Profiling is based on the legitimate interest of the Company.
  6. Transmission of personal data
    1. The Company transfers Personal Data to the following recipients:
      1. The HR Department of AS Silberauto, unless AS Silberauto is the Company looking for an employee.
      2. Employees authorised for this in the Company. The number of employees of the Company who have access to Personal Data is limited. Access to Personal Data has only been granted to the Company’s employees who need to process Personal Data in accordance with the objectives set out in point 5. If necessary, the Company may transfer Personal Data within the Company.
      3. The Company may transfer the Personal Data of the Applicant to the Processors who provide services to the Company (e.g. recruitment agency and manpower portal) or Process Personal Data for the assessment of the suitability of the Applicants – e.g. testing service providers.
      4. Authorities (e.g. law enforcement agencies, bailiffs, notary’s offices, tax authorities, supervisory authorities and financial intelligence units) to the extent arising from effective legislation.
  7. Geographic region of processing
    1. As a rule, Personal Data are Processed within the borders of the European Union/European Economic Area (EU/EEA), and should there be a need to do so, such data are transferred only on the condition that appropriate protective measures are applied. Appropriate protective measures are, for instance, the following:
      1. The level of data protection in the country outside the EU/EEA where the recipient is located is sufficient according to the respective decision of the European Commission.
      2. The existence of a valid agreement that includes the standard terms and conditions of the agreement developed by the EU or approved codes of conduct, certifications, etc. that comply with the GDPR.
      3. The recipient is certified on the basis of the Privacy Shield data protection framework (applicable to recipients located in the United States).
    2. If there are no appropriate protective measures in place, the Company has the right to transmit Personal Data outside of the EU/EEA in situations where:
      1. the Applicant has given explicit consent for this and been informed of the absence of protective measures;
      2. it is necessary for the pre-contractual measures to be applied on the basis of the application of the Applicant; 
      3. it is necessary to enter into or perform a contract between the Company and another natural person or legal entity in the interests of the Applicant;
      4. it is necessary for the establishment, exercise or defence of legal claims; 
      5. it is necessary to protect the significant interests of the Applicant or other persons if the Applicant is physically or legally incapable of granting consent; 
      6. the transfer is made from a register that, under Union or Member State law, is meant for informing the public and is open for examination either to the wider public or to everyone who is able to prove legitimate interest, but only to the extent to which the conditions for examination prescribed by the law of the Union or Member State have been fulfilled in the specific case; and
      7. the transfer is not repeated, concerns only a limited number of Applicants, is necessary in order to protect the Applicant’s legitimate interests that are not outweighed by the interests, rights or freedoms of the Applicant and if the Company has assessed all of the circumstances related to the transfer of data and established, on the basis of this assessment, suitable protective measures for the protection of the personal data. The Company informs the supervisory authority of the transfer.
    3. The Applicant may contact the Company for more detailed information about the transfer of Personal Data outside the EU/EEA.
  8. Personal data retention periods
    1. The Company will not Process Personal Data for longer than is necessary for the achievement of the objectives related to Personal Data, including for the performance of the statutory data retention obligation. 
    2. As a rule, the Personal Data of Applicants are retained until the end of the recruitment process and deleted after the end of the expiry period of the possible claims arising from the recruitment process provided by law (especially in the case of discrimination disputes – a claim will expire within one year of the day when the injured person became or should have become aware of the damage), unless the Applicant has granted their consent for the entry of their data in the Company’s information system for future recruitment purposes.
    3. If you send your CV to the Company with the intention of providing your data for future recruitment, we will retain your CV for 1 (one) year as of that date on which you granted your consent.
  9. Rights of applicant
    1. An Applicant has the following rights in relation to the Processing of their Personal Data:
      1. To obtain information about the Processing of their Personal Data.
      2. To request the correction of their Personal Data if they have changed or are otherwise inaccurate.
      3. To object to the Processing of their Personal Data if the Personal Data Processing is based on legitimate interest and profiling.
      4. To request the deletion of their Personal Data, e.g. if the Company does not have the right to Process such data or if Personal Data Processing is carried out with their consent and they have withdrawn the consent. This right does not apply (or apply to this extent) if the Personal Data whose deletion is requested is also processed on other legal grounds, e.g. for the performance of legal obligations.
      5. To request the restriction of the Processing of their Personal Data, e.g. at a time when the Company assesses whether the Applicant has the right to the deletion of their Personal Data.
      6. To receive the Personal Data that they have submitted to the Company and that are Processed on the basis of their consent electronically in a commonly used machine-readable format and, if technically possible, transfer the data to another employer (right to data portability).
      7. To withdraw their consent for the Processing of their Personal Data. Upon withdrawal of their consent, the Company will no longer Processes the Personal Data of the Applicant for the purpose for which the respective consent had been given. The consent is valid until withdrawn.
      8. To file, at any time, a complaint with the Company, the Data Protection Inspectorate (website: www.aki.ee) or a competent court if they find that the Processing of their Personal Data breaches their rights and interests.
      9. The Applicant can exercise their rights by contacting the Company at gdpr@mb.ee. The Company will respond to the submitted application without delay, but no later than within one (1) month of receipt of the request. If any additional circumstances need to be identified before replying to the request, the Company may extend the term for replying by informing the Applicant thereof in advance. 
  10. Responsible persons (Controllers) and their contact details
    1. The contact details of the companies responsible for Personal Data Processing are as follows:
      1. Auve Tech OÜ: registry code 14635771, address Vabaõhumuuseumi tee 1, 13522, Tallinn, e-mail: gdpr@auve.tech
      2. Auve Production OÜ: registry code 14796764, address Piirimäe 14, 76406, Tallinn, e-mail: gdpr@mb.ee
      3. AS Silberauto: registry code 10097392, address Vabaõhumuuseumi tee 1, 13522, Tallinn, e-mail: gdpr@mb.ee
    2. The Company has a group-wide HR Department for the purpose of more efficient internal organisation, which is why the Personal Data of the Applicant are processed by the HR employee of AS Silberauto.
    3. Applicants may contact the Company in relation to queries and cancellation of consents and also demand the exercise of their rights upon Personal Data Processing and file complaints about the use of Personal Data.
  11. Term of and amendments to Privacy Policy