Human Resources Privacy Policy
Issued by: HR / Data Privacy Officer
Applicable to: OLX Group
Effective Date: July 1st, 2020
Next Review date: Q3, 2021
Valid Version: Version 3
Contacts: [email protected] / [email protected]
1. Introduction
OLX Global B.V., Gustav Mahlerplein 5, 1082 MS Amsterdam, the Netherlands (“OLX”) and its direct and indirect subsidiaries and controlled affiliates[1] (each an “OLX Group Company” and together “OLX Group”, “we”, “us”, “our”) recognize that many countries regulate the collection and use of personal data relating to employees. This Human Resources Data Privacy Policy (“this Policy”) describes a baseline set of common principles governing the handling of Human Resources personal data within the OLX Group. Where country-specific additions to this Policy are warranted to assure local compliance, they will be permitted and should be communicated by the relevant OLX Group Company to its employees, as required by law. This approach ensures that OLX Group has implemented a Board-approved compliance policy in the context of Human Resources personal data protection.
Within OLX Group, OLX as the parent entity is the principal data controller responsible for the processing of your personal data as described below. The OLX Group Company which you are employed with or to which you provide your services to is also considered a data controller, acting as the local data controller. To learn more about your local data controller you can review your employment or service contract with the respective OLX Group Company.
[1] Where OLX owns more than 50 per cent of the voting rights or has the right to control the entity.
2. What this policy covers
This Policy applies to all personal data about past, present and prospective employees, temporary and permanent employees, contractors, consultants and trainees (“you”) that is collected, maintained or used by directors, officers, managers and employees of OLX Group as part of an actual or prospective employment relationship. This Policy shall not apply to candidates applying for a role with OLX Group. The talent acquisition privacy statement can be found at https://www.olxgroup.com/privacy-statement.
Personal data collected, maintained or used outside of the employment relationship, such as personal data arising from using our consumer products or commercial offerings, is not covered by this Policy.
We may amend this Policy from time to time as required and notify you about respective updates.
3. Our approach
We value our employees and appreciate the importance of treating personal data as confidential. In this Policy we outline our global standards for Human Resources personal data privacy practices so that you have an opportunity to understand our approach.
We require any directors, officers, managers and employees entrusted with your personal data as part of their job responsibility to treat it as confidential and in conformity with this Policy.
We will also seek to ensure that any third-party service providers we use to administer our Human Resources programs, as described in Section 7 below, are bound to maintain confidentiality when handling your personal data on our behalf, in a manner that is consistent with this Policy and applicable data protection and other laws, including the European Union’s General Data Protection Regulation (“GDPR”).
4. Personal data categories
We generally process the following personal data about you over the course of employment:
- Your biographical information, including your name, gender, date of birth, details of family members, previous job history, education details, nationality;
- Your contact information, including your home and postal address, telephone number, email address, country of residence;
- Your identification numbers, including government-issued identification number or passport information;
- Your performance information, including management metrics, appraisals, feedback;
- Communications and internet information like your correspondence and details of internet use held on or made through OLX systems subject to relevant restrictions under applicable law;
- Payroll information, including your salary details and bank account information;
- Your photos or images.
We generally collect personal data about you directly from you in the course of your application and employment. In certain situations, we may also use other sources, subject to restrictions under applicable law, to assist in obtaining relevant personal data about you. For example, we might receive certain information from public bodies such as tax authorities, collect feedback from your manager or co-workers or, if necessary, might rely on third parties’ help to support reference and background checks, investigations of possible employee wrongdoing, and to help us locate former employees and beneficiaries for purposes of administering certain benefits plans.
Our Human Resources programs require personal data about you to function properly. In limited circumstances some programs may involve certain sensitive health information (e.g. medical certificates submitted to us or other health-related benefits processes), financial data (e.g. payroll) or data about race or religion when mandated by local laws. Such sensitive personal data will be treated with the utmost care and in accordance with special requirements set out in applicable data protection and other laws, including the GDPR and local laws where applicable. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation are afforded special protection by the GDPR (“Special Categories of Personal Data”). Special Categories of Personal Data will be processed for employment-related purposes only if it is necessary to exercise rights or comply with legal obligations derived from labor law, social security and social protection law. Special Categories of Personal Data will not be processed if we have reason to believe that you have an overriding legitimate interest in not processing the data.
We will endeavor to collect only the minimum amount of personal data required to administer our programs and to comply with applicable employment and other relevant laws.
5. Lawfulness
Generally, OLX Group Companies process your personal data because it is necessary to do so to implement an employment agreement between you and the company, and where our legal duties as an employer require it. In other circumstances, we may process your personal data where it is necessary for us to defend, prosecute or make a claim in a court of law. We may also process personal data for something called “legitimate interests” under European law. In practice, this means that we must put in place appropriate privacy safeguards to ensure that we are respecting your interests, as well as your fundamental rights. Where we take this latter approach, it is our policy to document the assessment we have made and the privacy measures that are in place so that you can review these upon request. Finally, we may seek your explicit consent for an activity from time to time, which you may decline if we ask, or revoke even after you have previously agreed, by contacting us.
6. How we use this data
Your personal data may be used for the following employment-related purposes:
- to contact you and manage our relationship with you, oversee compliance with policies and applicable law, assess performance, for promotions and appraisals and for training purposes;
- to store emails and documents generated by you on systems that we administer and make available for employment-related purposes, which may contain personal data;
- to manage your benefits, including administering remuneration, relocation, insurance, payroll, pensions and other employee benefits and tax, including disclosure to other group companies and to others such as payroll providers, accountants, occupational health providers, insurers, pensions administrators, hosting service providers and legal advisers;
- to manage recruitment of employees, including legal eligibility for work, vetting, hires, promotion and succession planning;
- to comply with policies, including in relation to claims, disciplinary actions or legal requirements and conducting investigations and incident response, including reviewing your communications in these situations in accordance with relevant internal policies and applicable law;
- for security purposes, for providing IT support and for employee authentication;
- to manage occupational health and absence and fitness for work and notifying family members in emergencies;
- to facilitate business travel, travel-related support including conference attendance, bookings, and emergency support services;
- to conduct certain checks, such as anti-fraud checks where this is relevant to your position and in accordance with applicable law. We and other organizations engaged by us may access and use your personal data to conduct these credit checks and checks to prevent fraud and money laundering;
- to monitor equal employment opportunities, in respect of diversity categories including but not limited to age, gender, ethnicity, nationality, religion, disability, sexual orientation, and marital or family status. Such monitoring would only apply where it is either required or authorized by the specific country’s legislation, and conducted in full compliance with data protection requirements governing the use of such categories of personal data;
- for complimentary services not strictly necessary under the employment agreement such as providing you with certain work-related benefits and amenities such as providing housing to employees or providing gifts in the context of birthdays, anniversaries and similar occasions;
- to manage collective agreements for administering collective employee arrangements where these are in place;
- for internal and external auditing, assurance and risk management purposes; and for statistical analysis and research purposes in the context of employment, including predictive modeling and people planning in an aggregated manner.
7. Information sharing & transfer
Your personal data will be shared within OLX Group for the purposes described in Section 6 above to the extent necessary to carry out these purposes, and as permitted by law. To comply with our legal obligations and to change our business structure we may disclose your personal data in connection with proceedings or investigations anywhere in the world to third parties, such as public authorities, law enforcement agencies, regulators and third-party litigants. We may also provide relevant parts of your personal data to any potential acquirer of or investor in any part of OLX Group’s business for the purpose of that acquisition or investment;
We are part of a global group with a global footprint and share data not only within the OLX Group but also with Naspers Group Companies[1] on a regular basis. Note that your personal data may be processed either locally in the jurisdiction where you work or reside, or in any other jurisdiction where we or our approved third-party service providers operate, worldwide, depending on the needs of the business over the course of your tenure with us, to the extent necessary and as permitted by law. Should your personal data move outside the European Economic Area or another jurisdiction that restricts the international transfer of personal data, we use GDPR- and locally-compliant mechanisms (including intra-group data transfer agreements) to require that the same level of data protection be applied in the jurisdiction where the data is being processed.
Your personal data will only be shared outside OLX Group or Naspers Group Companies with third parties under the following circumstances: (1) where a third-party service provider retained by us is under contract to assist in administering our Human Resources activities, subject to appropriate confidentiality obligations and data processing agreements, compatible with this Policy; (2) in the event that the company, business or division in which you are employed is being considered for outsourcing or sale, and then only subject to contractual requirements to preserve confidentiality; (3) with private or government authorities only when we have determined that we are required to do so under applicable laws; (4) to investigate suspected fraud or illegality, to anticipate or defend legal claims; or to conclude a change of control of your company, business or division; or (5) where you have given us your prior permission to do so.
[1] For purposes of this Policy, a ‘Naspers Group Company’ includes Naspers Limited (‘Naspers’) and its direct and indirect subsidiaries and controlled affiliates where Naspers owns more than 50 per cent of the voting rights or has the right to control the entity including, but not limited to, Prosus Services B.V.
8. What are your data subject rights?
* SUBJECT ACCESS: You have the right to access your personal data in many circumstances, generally within 1 month of your request;
* RECTIFICATION: You can ask us to have inaccurate personal data amended;
* ERASURE: You can ask us to erase personal data in certain circumstances, recognizing that OLX must in any case respect its data retention legal obligations in the field of employment;
* WITHDRAWAL OF CONSENT: You can withdraw any consents to processing that you have given us and prevent further processing if there is no other legitimate ground upon which OLX can process your personal data;
* RESTRICTION: You can require certain personal data to be marked as restricted for processing in certain circumstances as defined in Article 18 of the GDPR;
* PORTABILITY: You can ask us to provide you with a copy of your personal data in a such a form that you can send it to a third party;
* RAISE A COMPLAINT: You can raise a complaint about our processing with the data protection regulator in your jurisdiction, with our lead supervisory authority in the Netherlands. However, before you file a complaint with any data protection authority, we would like to invite you to reach out to your respective HR partner or our Data Protection Officer first.
OBJECTION: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is processed on the basis Article 6 (1) f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling for the purposes of Article 4 (4) GDPR based on this processing. If you object, we will no longer process your personal data in the future unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend legal claims.
9. Data security
Maintaining the security and integrity of your personal data is a high priority and we endeavor to maintain appropriate administrative, technical, personnel and physical measures to safeguard personal data against loss, theft, and unauthorized use or modifications.
We expect you to contribute to the security culture of OLX Group by following appropriate security policies and procedures, completing assigned trainings, and reporting suspected incidents to relevant incident response contacts promptly.
10. Data retention
We keep records of your personal data no longer than necessary for the purpose for which we obtained them and for any other permitted compatible purposes, including compliance with legal obligations in the field of employment law. Group records management schedules document the applicable minimum retention periods required by local laws. We use these schedules to establish the retention time periods for various categories of records that contain your personal data. Relevant employment contract retention periods range from 6 months to 6 years from the date the employment contract ceases depending on the jurisdiction you are located in. These can be consulted by contacting your HR partner or our Data Protection Officer.
11. Contacts
To exercise your data subject rights, or if you have questions about this Policy, please approach your HR partner or send an email to [email protected] or to our Data Protection Officer at [email protected]. If there are any updates or changes in your personal data, please notify us by contacting your Human Resources representative so that we can maintain its accuracy.