Policy GDPR

People Impact’s privacy policy in accordance with the General Data Protection Regulation (GDPR)

People Impact is engaged in Executive Search, Personal Assessment, Second Opinion and Leadership Development. Our GDPR policy is described below. The aim of the policy is to protect the privacy of all individuals who interact with People Impact, in every respect. All employees of People Impact and our partners are familiar with the policy and compliance requirements.

Personal data controller
People Impact Sverige AB, company registration no. 556683–1151, (“People Impact”), whose principal place of business is Kärleksgatan 2A, 211 45 Malmö, Sweden, is the data controller in respect of processing of your personal data. The data controller is responsible for ensuring that personal data is processed in compliance with GDPR, which took effect on 25 May 2018. Please contact us by email to info@peopleimpact.se with any questions concerning processing of personal data by People Impact.

Personal data processed by People Impact
People Impact processes personal data found in candidates’ CVs (curriculum vitae) and preparatory documents related to interviews and tests.

How long do we store your personal data?
Personal data will be accessible while a recruitment process or other assignment that involves personal data is ongoing. After a recruitment process is closed, CVs and preparatory documents for interviews are stored for two years as reference documentation in the event of an appeal under the Swedish Discrimination Act.

Personal data that is not permitted to be stored or processed
Personal data of a particularly sensitive nature must not be included in any form in registers kept by People Impact. This is information that could violate personal privacy, such as the individual’s race, ethnicity, sexual orientation, political views and religious or philosophical beliefs.

Data security
Personal data must be protected against e.g. unauthorised or prohibited processing and against accidental loss, destruction or harm. People Impact ensures that how and when information in our registers has been processed and communicated can be traced. Everyone who works for or with People Impact is required to encrypt all data kept on hard disks and telephones.

Consent
When an individual chooses to participate in a recruitment process or other assignment that involves personal data, People Impact obtains written consent to obtain and process the individual’s personal data.

Access to your personal data
We share your personal data with the managers who are recruiting personnel and the HR departments of our clients.

In addition, your personal data may be shared with third parties that process personal data on our behalf (data processors). For example, our IT and system suppliers may be granted access to your personal data. We have contracts with our personal data processors that ensure that they process data in compliance with GDPR.

Your rights
In accordance with GDPR, you have the right to know what personal data concerning you that we process and the right to ask for correction of your personal data.

You also have the right to request erasure or restriction of your personal data and the right to obtain the personal data that you have provided to us in a structured, commonly used and machine-readable format, and the right to transmit the data to another data controller.

You have the right to withdraw consent for the processing of your personal data at any time, effective immediately upon your withdrawal.

If you have any complaints regarding our processing of your personal data, you have the right to file a complaint with the Swedish Data Protection Authority (Datainspektionen) or another authorised supervisory authority that supervises the company’s processing of personal data.

Incident response
People Impact reports all breaches of personal data, such as unauthorised access, destruction, loss, alteration or other unlawful interference to the Swedish Data Protection Authority within 72 hours. An incident report is written, which describes the nature of the incident, the approximate number of data subjects affected, the likely consequences and an action plan. Depending upon the scope of the breach and the sensitivity of the information, individuals affected by the incident may also be informed.