1    Introduction

1.1    About this Privacy Notice

Employer Solutions Nordic AB ("Employer Solutions" or "we" in any form) offers, under the umbrella of Eproved, online ability tests within finance, where candidates may be tested for the use of Employer Solutions, for customer's use as well as for the candidate's own use. 

We protect privacy and are, as other companies, obliged under applicable data protection laws to provide information regarding how we process personal data. We will in this Privacy Notice inform you about how we process personal data. You are always welcome to contact us should you have any questions. 

This Privacy Notice contains information regarding how we process personal data when we act as a so called data controller, including

(i)    what personal data we collect, 

(ii)    why we process your personal data and 

(iii)    when we share your personal data with third parties. 

1.2    To whom is this Privacy Notice directed? 

This Privacy Notice is applicable to those individuals that are candidates, customers, suppliers, other stakeholders and visitors of www.eproved.org (hereinafter the "website") or other to Employer Solutions' websites as well as individuals participating in an event, subscribing to our newsletter and you that otherwise has been in contact with us or that follows us on social media. Different parts of this Privacy Notice will be relevant to you based on the relationship that you have with us.

1.3    Definitions

1.3.1    Active customer relationship

Within this Privacy Notice will we use the term active customer relationship. An active customer relationship is considered to exist from the time you used our services or otherwise interacted with us, e.g. by contacting our customer service, visiting our website or registering for or visiting one of our events. 

1.3.2    Applicable Data Protection Laws

"Applicable Data Protection Laws" means all legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time applies to this Privacy Notice, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR") as well as laws and regulations supplementing the GDPR.

1.3.3    Terms in the GDPR

Unless otherwise stated, terms defined in the GDPR, such as "personal data" and "processing", shall have the same meaning in this Privacy Notice. 

Accordingly, "personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The term "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2    From where do we collect your personal data? 

We may collect your personal data from:

·    Yourself, e.g. when you are using our website, our services or contact our customer service.

·    Public sources, e.g. public registers for addresses.

·    Suppliers of information, when and to the extent it is needed to conduct controls in order to comply with our obligations to prevent money laundering. 

·    Credit information companies, when we conduct credit checks.

·    Other external companies, e.g. our partners.

·    Purchases made via a payment provider 

3    Why and when do we process your personal data

3.1    Customers

3.1.1    Managing the customer relationship, including communicating with you 

We process your personal data to manage the customer relationship with you, including communicating with you.

(a)    Categories of personal data

Identity data, Correspondence data, Contact data, Customer segment, Sales and order history, Order- and payment data and Profile data.

(b)    Legal basis

The processing of personal data is necessary to fulfil the contract we have with you (GDPR article 6.1 point b).

(c)    Retention period

Your personal data is stored for this purpose for as long as necessary to manage the customer relationship.

(d)    Categories of recipients

We may share your personal data with our service providers such as carriers, payment service providers, credit information companies and providers of information service.

3.1.2    To manage and fulfil agreements regarding services

We process your personal data to manage and fulfil agreements entered into with you regarding our services and to communicate with you in connection with the fulfilment of the agreement.

(a)    Categories of personal data

Identity data, Correspondence data, Contact data, Order- and payment data. 

(b)    Legal basis

The processing of personal data is necessary to fulfil the contract we have with you (GDPR article 6.1 point b).

(c)    Retention period

We will store your personal data for this purpose as long as we have an active customer relationship with you.

(d)    Categories of recipients

Service providers, including carriers and payment service providers.

3.1.3    Documentation of sales and purchases of services

We process your personal data to document your purchases and sales of services, including to give you access to purchase history and receipts. The purpose of this is to give you a good customer experience.

(a)    Categories of personal data

Identity data, Correspondence data, Contact data, Order- and payment data and Profile data.

(b)    Legal basis

The processing of personal data is necessary for the purpose of our legitimate interest to document the purchases made by you and sales, in order to give you the best customer experience possible (GDPR article 6.1 point f).

(c)    Retention period

We store your personal data for this purpose during the time that we have an active customer relationship, and thereafter to when you decide to object to your personal data being stored for this purpose.  

(d)    Categories of recipients

We may share your personal data with our service providers.

3.1.4    Customer records

Employer Solutions maintains a customer record, used to manage and fulfil agreements with you, e.g. to manage your purchases, sales, handle payments and delivered, and to communicate with you in connection with the fulfilment of the contract. 

(a)    Categories of personal data

Identity data, Contact data, Customer segment or profile, Purchase, sales and order history, Order- and payment data and Profile data.

(b)    Legal basis

The processing of your personal data is necessary for the purpose of our legitimate interest to manage our common customer record (GDPR article 6.1 point f).

(c)    Retention period

We will store your personal data for this purpose as long as we have an active customer relationship with you.

(d)    Categories of recipients

We may share your personal data with our service providers.

3.2    Candidates

3.2.1    To manage and fulfil contracts for services

We process your personal data in order to manage and fulfil contracts with you regarding our services and to communicate with you in connection with the fulfilment of the contract. 

(a)    Categories of personal data

Identity data, Correspondence data, CV (including the data that you provide in the CV), Contact data

(b)    Legal basis

The processing of personal data is necessary to fulfil the contract we have with you (GDPR article 6.1 point b).

(c)    Retention period

We will store your personal data for this purpose as long as we have an active customer relationship with you.

(d)    Categories of recipients

Service providers, including carriers and payment service providers.

3.2.2    To manage test results in Eproved's ability tests

To manage and fulfil agreements with you or our customers or partners regarding Eproved's ability tests and to communicate with you in connection with the fulfilment of the agreement we process your personal data. 

(a)    Categories of personal data

Identity data, Correspondence data, Contact information, Test results. 

(b)    Legal basis

The processing of personal data is necessary to fulfil the agreement we have with you (GDPR article 6.1 point b).

(c)    Retention period

We will store your personal data for this purpose for as long as the test results are actively used. For long-term use, we only save test results at an aggregated level that do not contain personal data. 

(d)    Categories of recipients

Customers, partners and service providers.

3.2.3    To manage Anti-Cheating (Proctoring) via Constructor Technology

To ensure the integrity and fairness of our online knowledge tests, Employer Solutions (EPROVED) utilises an advanced Anti-Cheating system provided by Constructor Technology (the 'Proctoring Provider'), an external, independent provider specialising in secure online assessments. Constructor Technology independently processes personal data to detect and prevent cheating or unauthorised behaviour. 

(a)    Categories of personal data

• Photograph of the Candidate
• Photograph of the Candidate’s identification document (including personal identification number and other personal details)
• Video and audio recordings of the Candidate during the test session
• AI-generated 'Probability Cheating Score'
  
  These recordings may also include biometric data (e.g., facial recognition data) processed independently by Constructor Technology to verify Candidate identity.

 
(b)    Legal basis

The processing is based on the Candidate’s explicit consent (GDPR Article 6.1 point a). Candidates explicitly consent to Constructor Technology’s Terms & Conditions and Privacy Notice before starting the Anti-Cheating setup process.

(c)    Retention period

Video recordings: temporarily stored for 30 days by Constructor Technology, after which they are automatically deleted. Consequently, videos will be automatically deleted from Employer Solutions’ platform simultaneously.

PDF Anti-Cheating report: retained by Employer Solutions until manually deleted by the Customer via their login, or automatically according to the Customer’s chosen account settings.

(d)    Categories of recipients

Constructor Technology, Employer Solutions (EPROVED), and Customers accessing the Anti-Cheating results via the platform.

(e)    Responsibility and roles regarding personal data

Employer Solutions acts as Data Controller for personal data processed in connection with providing and delivering the Eproved service. This includes collection of Candidate’s name and email for test invitations, generating test content, test results, and AI-based analysis (via third-party processors, including OpenAI/ChatGPT, who strictly act under Employer Solutions' instructions).

Customers independently act as Data Controllers for personal data processed following test completion. Customers manage, store, delete or otherwise process Candidates’ data via the platform. Employer Solutions assumes no liability for the Customer’s independent processing.

Constructor Technology independently acts as Data Controller regarding personal data collected during the Anti-Cheating sessions, including biometric data, photographs, and recordings. Employer Solutions has no influence over Constructor Technology’s processing methods, assessments, or retention policies. Constructor Technology deletes recordings within 30 days, but Employer Solutions and its Customers may retain PDF reports summarising test session irregularities for a longer period as determined independently by the Customers. Candidates consent separately to Constructor Technology’s own terms and policies, which include their Proctoring System Terms and Conditions, Terms of use, and Privacy notice.

3.3    Marketing

3.3.1    Generic and personalised marketing of our services.

We process your personal data in order to offer and market our services. In order for you to receive information about services that are of interest to you, we may adapt the marketing in our e-mails and in advertisements on social media. This adaptation may take place, for example, by analysing how you have interacted with our websites and in our digital channels. 

If you are our customer, we may also process information about your purchase, sales and order history for this purpose.

You can read more about how we use cookies and similar technologies in our cookie policy on our website.

(a)    Categories of personal data

User-generated data, Identity data, Correspondence data, Contact data, Customer segment or profile, Purchase, sales and order history, Order and payment data and Profile data.

(b)    Legal basis

Legitimate interest (GDPR article 6.1 point f). The processing of your personal data is necessary for the purpose of our legitimate interest to offer and market our services, including personalising them, in order for you to receive marketing that is of interest to you. You can always opt out of future marketing.

Consent (GDPR article 6.1 point a). When required, we obtain your consent.

(c)    Retention period

If you have an active customer relationship: We will store your personal data for this purpose for as long as we have an active customer relationship with you, provided that you have not declined direct marketing during this time. 

If you're not a customer with us: We will store your personal data for this purpose for a period of twelve (12) months from your last activity, such as opening emails. This is provided that you have not opted out of receiving direct marketing during that time. Read more about cookies in our cookie policy.

(d)    Categories of recipients

We may share your personal data with our service providers, social media platforms (e.g. Facebook and Instagram (Meta Platforms Ireland Limited)) and platforms and networks for marketing.

We may automatically share personal data with Facebook through the use of cookies and similar tracking technologies. In such cases, we and Facebook are jointly responsible for the collection and transfer of your personal data, but are solely and separately responsible for the subsequent processing of your personal data. Information on Facebook's use of your personal data, including their legal framework for processing and how you can exercise your rights against Facebook can be found in their Privacy Notice.

We have entered into an agreement with Facebook that describes the roles and responsibilities we and Facebook have for the use of your personal data, which you can read here.

3.3.2    Analyse the use of Eproved's ability tests

We process your personal data to analyse the use of Eproved's ability tests in order for to understand how our tests are used. You can read more about how we use cookies and similar technologies in our cookie policy on our website.

(a)    Categories of personal data

User generated data and Identity data

(b)    Legal basis

The processing of your personal data is necessary for the purpose of our legitimate interest to analyse the use of the website and our digital channels (GDPR article 6.1 point f).

The processing is based on your consent where so is required according to law, e.g. for the use of cookies.

(c)    Retention period

Please see our cookie policy for information regarding for how long your personal data is retained. High-level reports that do not contain personal data and statistics are retained indefinitely.

(d)    Categories of recipients

We may share your personal data with our service providers.

3.4    Marketing and newsletters from our business, monitoring and evaluation of marketing activities

We process your personal data to advertise us, our business and our services in various channels, e.g. to inform you about things happening in our business (via e-mail and other digital channels). You always have the opportunity to unsubscribe to receive marketing and in each sendout there is the opportunity to unsubscribe from future send outs.

(a)    Categories of personal data 

Identity data, Contact data, Customer segment or profile and Profile data.

(b)    Legal basis

The processing of your personal data is necessary for the purpose of our legitimate interest to market our business and our services (GDPR article 6.1 point f).

(c)    Retention period

We retain your personal data for this purpose for the period that is necessary for the purpose, but at most:

If you have an active customer relationship: We will store your personal data for this purpose as long as we have an active customer relationship with you, provided that you have not declined direct marketing during this time. 

If you're not a customer with us: During a period of twelve (12) months from when we collected your personal data, provided that you have not declined direct marketing during this time.

If you have registered to receive information: Until further notice and until you unsubscribe from our newsletters.

(d)    Categories of recipients

If necessary to communicate about our business and services we may share personal data with our service providers.

3.5    Fulfil legal obligations

We process your personal data when it is necessary to fulfil our legal obligations, such as requirements under the Swedish Book-keeping Act (1999:1078), the Swedish Act (2017:630) on measures against money laundering and terrorist financing (the Money Laundering Act) and the GDPR with supplementary legislation, e.g. the Swedish Data Protection Act (2018:218).

(a)    Categories of personal data

All data necessary to fulfil the legal obligation.

(b)    Legal basis

The processing of your personal data is necessary to fulfil our legal obligations (GDPR article 6.1 point c).

(c)    Retention period

Personal data is retained for the time necessary for us to fulfil our legal obligations. E.g. data included in accounting information is retained for at least seven (7) years after the calendar year in which the financial year ended, in accordance with the Swedish Book-keeping Act (1999:1078). Personal data collected to fulfil customer due diligence requirements under the Money Laundering Act (2017:630) is retained for five (5) years from the time of collection.

(d)    Categories of recipients

We may share your personal data with public authorities, such as the Police and the Swedish Tax Agency and external advisors, such as auditors.

3.6    Managing requests from public authorities

In addition to complying with the legal obligations set out above, we may also have to respond to requests from authorities, such as the Swedish Prosecution Authority, the Police, the Swedish Tax Agency or any other authority.

(a)    Categories of personal data

All categories of personal data necessary to answer and evaluate the request in each case. These are typically Identity data, Contact data, Picture and audio material, Order and payment data, and Purchase, sales and order history.

(b)    Legal basis

Legal obligation (GDPR article 6.1 point c). The processing of your personal data is necessary for us to fulfil our legal obligations, e.g. under the Swedish Tax Procedural Act (sw: skatteförfarandelagen (2011:1244). 

Legitimate interest (GDPR article 6.1 point f). If there is no legal obligation for us to respond to a request from a public authority, but where we still consider that we have a legitimate interest to respond to the request, the processing is based on our legitimate interest if we consider in the individual case that our legitimate interest to respond to the request outweighs your right not to have your personal data processed for this purpose.

(c)    Retention period

We save your personal data for the time necessary to respond to the request, and for a period of ten (10) years thereafter to document and demonstrate that the request has been answered.

(d)    Categories of recipients

Public authorities, including the Swedish Prosecution Authority, the Police and the Swedish Tax Authority.

3.7    Establish, exercise or defend legal claims

We process your personal data when it is necessary for the establishment, exercise or defence of legal claims, e.g. in the context of a dispute or court proceedings.

(a)    Categories of personal data

All personal data necessary for the establishment, exercise or defence of legal claims. This would typically include Identity data, Contact data, Correspondence data, Customer segments, Profiles, Order and payment data and Sales and order history.

(b)    Legal basis

The processing is necessary for the purpose of our legitimate interest to establishing, exercising or defending legal claims (GDPR article 6.1 point f).

(c)    Retention period

We store personal data for the time you have an active customer relationship with us, or when the processing for this purpose began, and for a period of ten (10) years thereafter.

(d)    Categories of recipients

We may share your personal data with our service providers, public authorities (e.g. the Swedish Prosecution Authority, the Police or the Swedish Tax Agency), courts, external advisors (e.g. legal representatives) and counterparties in a dispute.

3.8    Ensure the functionality and security of our IT systems

We process your personal data to ensure the functionality and security of our website and IT systems, e.g. in connection with access control and error management.

(a)    Categories of personal data

All personal data necessary to ensure the functionality and security of our website and IT systems.

(b)    Legal basis

The processing is necessary for the purpose of our legitimate interest to ensure the technical functionality and security of our IT systems (GDPR article 6.1 point f).

(c)    Retention period

Personal data in logs are kept for troubleshooting and incident management purposes for a period of 13 months from the time of the log event.

(d)    Categories of recipients

We may share your personal data with our service providers.

3.9    Sale or restructuring of the business

If all or parts of our business were to be sold, otherwise transferred (e.g. through a merger) or restructured, we may need to process your personal data.

If a buyer were to take over all or part of our business, your personal data in our customer database would be transferred and disclosed to the buyer. The company that has taken over the business would then be responsible for its processing of your personal data, which, where applicable, could take place for the purposes set out in this Privacy Notice, unless you receive other information in connection with the transfer.

In the event that we were to take over all or part of any business, we would need to process personal data, as applicable, to the extent necessary for the purposes set out in this Privacy Notice.

(a)    Categories of personal data

All personal data that is necessary to enable us to implement changes to our operations, e.g. sale or merger of the business or investments in general, alternatively to continue to conduct the business in an appropriate manner when taking over a business.

(b)    Legal basis

The processing of personal data is necessary for the purpose of our legitimate interest to implement changes to our business and to manage our business after an acquisition (GDPR article 6.1 point f). 

(c)    Retention period

Personal data will be stored during the time necessary to handle the sale or restructuring at hand, alternatively the integration of a new operations into our existing operations.

(d)    Categories of recipients

We may share your personal data with our service providers, buyers and acquirers of the whole or part of our operations and external advisors (e.g. legal advisors).

4    Transfer of personal data outside of the EU/EEA

In case Employer Solutions transfers your personal data to a recipient in a country outside of the EU/EEA ("third country") we will ensure that appropriate safeguards have been implemented (such as entering into the EU Commission's standard contract clauses). Where deemed necessary, such appropriate safeguards will be complemented by supplementary measures for ensuring an essentially equivalent level of data protection to that found under the GDPR.  

Employer Solutions transfers personal data to the following countries outside of the EU/EEA: USA. 

According to the GDPR you have the right, upon request, to receive a copy of the documentation demonstrating that the necessary safeguards have been put in place to protect your personal data when transferred to a third country. 

If you want to know more about the processing of your personal data and whether your personal data is transferred to a third country, please contact us via the contact details set out at the end of the Privacy Notice.

5    Your Rights 

In connection with our processing of your personal data, you may under the GDPR exercise the following rights. If you wish to exercise any of your rights can you contact us via the contact information as set forward in section 6 of the Privacy Notice. 

5.1    Right to access

You can request confirmation of whether or not your personal data is being processed. If it is being processed, you may request access to your Personal data and additional information such as the purpose of the processing. You also have the right to receive a copy of the personal data that is processed. If the request is submitted electronically, the information will also be obtained in a commonly used electronic form unless you request otherwise.

The right to access does not apply to personal data that we are not allowed to disclose to you according to law or other legislation or according to a decision issued in accordance with such legislation. The right to access does furthermore not apply to information that would have been classified by an authority according to the Public Access to Information and Secrecy Ac (2009:400) (Sw: Offentlighets- och sekretesslagen).

The right to access does not apply to personal data in plain text that is not in its final form when the request was made or that constitutes a memory note or the like, unless the personal data (i) has been disclosed to third parties or (ii) has been processed for longer than a year in plain text that is not in its final form.

5.2    Right to rectification

If you notice that personal data about you is inaccurate or incomplete, you have the right to have your personal data rectified or completed.

5.3    Right to object to specific processing

5.4    Right to erasure

    You can have your personal data erased under the following circumstances;

·    If the personal data is no longer necessary in relation to the purposes for which it were collected or otherwise is processed;

·    If our processing of the personal data can only be carried out based on your consent; if you withdraw such consent;

·    If our processing is based on legitimate interest, you object to the processing are no overriding legitimate grounds for the processing, and if you object to the processing for direct marketing purposes;

·    If your personal data has been unlawfully processed.

·    If your personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.

The right to erasure does not apply when our processing of your personal data is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires the processing; or for the establishment, exercise or defence of legal claims.

5.5    Right to restricting of processing

Under the following circumstances, you can request that we restrict the processing of your personal data to only involve the storage of your personal data:

·    If you contest the accuracy of the personal data, we will restrict processing for the time required to verify its' accuracy.

·    If the processing is unlawful, you may oppose the erasure of the personal data and request that its' use is instead restricted.

·    If we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, you have the right for the processing to be restricted.

·    If you have objected to processing, you have a right to restriction pending the verification of whether our legitimate grounds override your interests.

We may, however, still process your personal data if you consent to such processing or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

5.6    Right to withdraw consent

To the extent that the processing of personal data is based on your consent, you always have the right to withdraw your consent. If there is no other legal ground for the processing, you have the right to have the relevant personal data erased in accordance with the above (see above Right to erasure). 

5.7    Right to data portability

You have the right to request a machine-readable copy of the personal data processed based on your consent or when the processing is necessary to fulfil an agreement with you as well as when personal data has been obtained from you (data portability), and to request that the information be transferred to another data controller (if possible).

5.8    Complaints to a supervisory authority

You are welcome to contact us with questions or complaints regarding the processing of your personal data on the contact details set out below. However, you also have the right to lodge a complaint regarding the processing of your personal data to the Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten). Further information regarding how to contact the Swedish Authority for Privacy Protection can be found on their website, www.imy.se.

6    Contact information

If you have any questions regarding the processing of your personal data or if you wish to exercise any of your rights under the Applicable Legislation, please contact us via the contact information below.

Controller: 

·    Employer Solutions Nordic AB, organisational number 559003-5878.

Contact information:

Address: Jungfrugatan 18, 114 44 Stockholm
Att: Personuppgiftsansvarig

E-mail address: gdpr@eproved.se  

Telephone number: 08-502 352 40

7    Updates to the Privacy Notice

Employer Solutions reserves the right to adjust and update this Privacy Notice from time to time. The latest update of the Privacy Notice is indicated at the top of this Privacy Notice. If we make any changes to the Privacy Notice, we will publish those changes on the website. You are therefore advised to regularly read this Privacy Notice to be aware of any changes.