1. DATA CONTROLLER
The data controller in accordance with the applicable data protection law is Stoneridge. Stoneridge is responsible for ensuring that Employee personal data is processed in compliance with this Policy and applicable data protection laws. The primary contact person for privacy matters in employment is:
IT Business Solution Manager
Orebro, Sweden, EU
46 10 482 2552
Alternatively, inquiries can be made to email@example.com.
2. LEGAL BASIS AND PURPOSE OF PROCESSING PERSONAL DATA
Personal data is collected and processed for the purpose of recruitment. Stoneridge processes personal data of job applicants in order to recruit new employees or reassign current employees and manage other administrative duties related to the recruitment process. The legal basis for processing personal data related to the recruitment is to review qualifications of candidates, enable communication about candidates, and take other applicable recruitment steps prior to entering into an employment contract.
2.2 Performance of employment contract
The primary legal bases for processing Employee personal data are performance of the employment contract between Stoneridge and Employee and fulfilment of Stoneridge’s related legal obligations. Stoneridge processes Employee personal data for the purpose of managing Stoneridge's Human Resources (“HR”) and employment matters to enforce Stoneridge’s legal and contractual rights and obligations and all actions related thereto, such as:
- to determine content and terms of employment;
- to pay salaries and benefits;
- to organise occupational health care where applicable;
- to monitor working hours and absences;
- to manage work-related travel and reimbursement;
- for termination of employment.
Stoneridge uses access control and camera monitoring at premises for the purposes of protecting Stoneridge's property, preventing unauthorized access to premises, and increasing safety of Employees and visitors. Stoneridge has the legitimate interest to ensure the safety of Stoneridge's premises and Employees.
Stoneridge maintains information technology (“IT”) security measures to safeguard business information and business assets, avoid criminal activities, and ensure availability of the IT services. Stoneridge has the legitimate interest to ensure network and information security and to safeguard Stoneridge's important business information and assets. The information security measures are not used for the sole purpose of monitoring of individual employees.
2.4 Providing IT-related services
Stoneridge provides some employees with access to company email and other electronic communications systems.
2.5 Administering the Employee Helpline
Stoneridge provides a third-party Helpline in order for Employees to ask questions or make reports of potential violations of Stoneridge’s Code of Conduct, Compliance Policies, or the law. The Helpline is a means of reporting which is confidential and anonymous, where permitted by local law.
2.6 Processing of personal data internally within Stoneridge
Employee personal data may be processed within the Stoneridge group of companies. Processing of personal data is based on the legitimate interest to organize and manage internal administrative matters within Stoneridge in an appropriate and practical way.
3. COLLECTION OF DATA
Stoneridge collects Employee personal data as explained below:
3.1 Necessary personal data for recruitment purposes, such as:
- Basic personal data, such as name, postal address, phone number, date of birth;
- Current job description, such as tasks, title, part-time or full-time employment;
- Current education, examination, language proficiency, other qualifications;
- Aptitude tests and security clearances, where applicable;
- Job application, CV, other relevant qualifications or certificates attached.
This personal data is typically collected directly from job applicants. References may also be collected from previous employers when named in the application. If recruitment is outsourced to a third party service provider, personal data related to an applicant's professional qualifications may be provided by that party.
3.2 Necessary personal data for the performance of the employment contract
Stoneridge’s contractual and legal rights and obligations related to the employment relationship require collection of certain personal data, which could include:
- Basic personal data, such as employee name, postal address, personal email address, date of birth, gender, personal identity code, nationality;
- Passport and work permit (if needed);
- Work-related contact information, such as employee number and ID, work email, phone number and address, photograph;
- Work-related devices provided by Stoneridge, such as phone;
- Information concerning employment relationship and qualifications, such as job description, title, employment history at Stoneridge, employment start and end date;
- Education, examination, language proficiency, other qualification, aptitude tests;
- Payroll information, such as salary, benefits, bank account details, data for calculations and payment, travelling expenses, bank related data, tax class;
- Leave, attendance and absence records, such as working hours, annual leaves, family leaves;
- Data concerning health, such as information about sick leaves and medical certificates;
- Data concerning Union and Work Council membership;
- Information concerning professional development, such as assessment records, competence development data, talent planning data;
- Information concerning disciplinary matters, reason for end of employment;
- Records about work-related accidents;
- Emergency contact details, such as name, address, and phone number.
Stoneridge may process sensitive data if required by applicable law to meet the above listed purposes.
As a rule, Employee personal data is collected directly from Employees. However, personal data related to Employee's professional development and potential disciplinary matters may be collected from other sources, such as from the immediate superior, other employees, and witnesses.
3.3 Necessary personal data for the purpose of security, such as:
- Information needed for access control to Stoneridge's premises, such as user ID and access right group;
- Security camera footage at Stoneridge's premises; and
- Technical data related to use of work devices, such as log data and IP address.
3.4 Other data
In addition, Stoneridge may also collect other personal data when Employee voluntarily consents and provides the data to Stoneridge.
4. SHARING OF PERSONAL DATA
Stoneridge may disclose Employee personal data to third parties:
- When permitted or required by law, such as to tax authorities, insurance companies, pension institutions, occupational health care institutions and other equivalent authorities;
- To trusted service providers, such as outsourced payroll or global travel agency, for the purposes listed above. However, at all times, the trusted service providers act on Stoneridge's behalf and Stoneridge will control and be responsible for the use of personal data by trusted service providers;
- If Stoneridge is involved in a merger, acquisition, or sale of all or a portion of its assets;
- When Stoneridge believes in good faith that disclosure is necessary to protect Stoneridge's rights, protect Employee safety or the safety of others, investigate fraud, or respond to a government request.
5. TRANSFER OF PERSONAL DATA OUTSIDE OF EU/EEA
Stoneridge may transfer Employee personal data outside the EU/EEA under the following circumstances:
5.1 Intra-company transfers
As some of the Stoneridge group of companies are located outside of the EU/EEA, personal data may be transferred outside of EU/EEA, such as to the United States. Stoneridge's personnel may also have role-based access to Employee personal data from one of the Stoneridge companies located outside the EU/EEA. In this case, these persons are required to access Employee personal data because of their legitimate work-related duties, and access to personal data is managed with limited access rights.
Stoneridge provides appropriate safeguard mechanisms for international data transfers as required by applicable data protection laws. For intra-company transfers, Stoneridge has ensured appropriate safeguards for the protection of personal data by using Standard Contractual Clauses as approved by the European Commission.
5.2 Trusted service providers located outside of EU/EEA
Stoneridge's trusted service providers may process personal data outside of EU/EEA. To the extent personal data is transferred to a country outside of the EU/EEA, Stoneridge will use the required established mechanisms that allow the transfer to service providers in those third countries, such as the Standard Contractual Clauses approved by the European Commission.
6. RETENTION OF PERSONAL DATA
Stoneridge retains Employee personal data as follows:
Personal data related to non-selected job applicants shall be retained for a maximum of six (6) months from the announcement of recruitment decision, unless a different retention period is required by local law. In such case, Stoneridge will follow local requirements.
6.2 Employment relationship
Personal data related to the employment relationship will be retained only for as long as necessary to fulfill the purposes defined in this Policy. Most employment-related data will be retained during the course of employment or as required by retention periods per applicable local law. When personal data is no longer required by law or rights or obligations by either party, Stoneridge will remove Employee personal data.
Exceptionally, Stoneridge may retain personal data for a longer period if Stoneridge has a legitimate reason or an obligation to retain such data for the purposes of criminal investigation or corresponding reason.
7. PRIVACY RIGHTS
Employees have a right to access personal data Stoneridge holds about them. Employees may update, correct, or remove their personal data at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Policy and may also be required by law, such as personal data relating to the employment contract. Therefore, the deletion of such data may not be allowed by the applicable law, which prescribes mandatory retention periods. A request to delete personal data during a recruitment process means a suspension of the recruitment process.
Employees have a right to object to processing that is based on legitimate interest of Stoneridge provided that they can demonstrate compelling legitimate grounds. To the extent required by applicable data protection law, employees have a right to restrict data processing.
Employees have a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law.
Employees have a right to make inquiries or file a complaint to the national data protection authority in the EU/EEA or local data protection authorities.
Alternatively, requests can be made to firstname.lastname@example.org.
Stoneridge maintains reasonable security measures, including physical, electronic and procedural, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, Stoneridge limits access to this information to authorized employees and contractors who need to know that information in the course of their job description and third party service providers who may only process data in accordance with Stoneridge provided instructions.
Sensitive data, including but not limited to health-related data, may only be processed by persons who prepare, make or implement decisions concerning the employment contract.
Please be aware that, although Stoneridge endeavours to provide reasonable security measures for personal data, no security system can prevent all potential security breaches. In the event of a data breach, Stoneridge will take all appropriate response measures as required by law and Stoneridge policy.
9. CONTACT STONERIDGE
Reneé Rourke
Director of Compliance
Novi, Michigan, USA
001 248 829 2095

Lena Ericsson
IT Business Solution Manager
Orebro, Sweden, EU
46 10 482 2552
Alternatively, inquiries can be made to email@example.com.