Candidate Privacy Notice

Last Updated: November 27, 2023

Welcome to the Bitrix24 Privacy Notice for Job Candidates (hereinafter ‘Notice’). Bitrix24 respects your privacy and is committed to protecting your personal data. This privacy notice aims to give you information on how Bitrix24 collects and processes the personal data of its Job Candidates (hereinafter ‘personal data’).

This privacy notice is issued on behalf of BITRIX24 LIMITED registered at Frema House, office 102, No. 9, Konstantinou Paparigopoulou Str., 3106, Limassol, Cyprus. So when we mention "we", "us" or "our" in this privacy notice, we are referring to the relevant Bitrix24 company responsible for processing your data.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to personal data processing matters. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO at privacy@bitrix24.eu.


The data we collect about you


In order to perform our hiring and job interview process with you we will collect, use, store and transfer several kinds of personal data about you which we have grouped together as follows:
  • Identity Data includes first name, maiden name, last name, title, date of birth and gender, copies of your identity documents, work and residence permission, proof of address;
  • Contact Data includes email address and telephone numbers, residence address, as well as voluntary information provided by you such as place of birth, photos or skype or other messengers address;
  • CV information;
  • Education information: education history, degrees, certificates, qualifications, language proficiencies;
  • Work Experience information: current and former employments including job title and position, employer and its type of business, main responsibilities, job function;
  • Other information and documents: e.g., current notice periods / availability; salary expectations; application letters; certificates; mobility (preferred job locations).
If you do not provide us with the required personal data, we may not be able to perform your job application. We will inform you when providing your personal data is necessary and what the impact will be on our relationship if you do not provide it.

We, in general, do not process special categories of personal data, such as health or disability related data, unless you disclose such information voluntarily to us, e.g., because you want us to respect specific statutory obligations such as, e.g., applicable to the employment of persons with handicap conditions. Otherwise, we will not process such data for the application process.


Sources of personal data


We may obtain personal data from the sources listed below:
  • directly from you, such as through your data input into our application database;
  • through our activities in the course of the review of your application, including our internal decision-making procedures; and
  • from third parties, including former employers, online social networks (e.g., LinkedIn), online job boards, and employment recruitment agencies, subject to the requirements of applicable law.


Legal basis for processing


Under applicable European data privacy laws including, but not limited to, the General Data Protection Regulation 2016/679 (“GDPR”) and national laws specifying GDPR (hereinafter ‘Data Privacy Laws’), we are the data controller with respect to the personal data of the candidates. We use several legal basis for processing of your personal data. We are entitled to process your personal data, in each case according to the relevant purpose, including our contractual, (i.e. the establishment, administration and termination of the employment contract according to Art. 6 (1) lit. b GDPR, and legal obligations (Art. 6 (1) lit. c GDPR), as well as its legitimate business interests (Art. 6 (1) lit. f GDPR), as well as in some cases when we have asked specifically for your consent (Art. 6 (1) lit. a GDPR). These purposes form the legal basis under the Data Privacy Laws for the data processing described in this Notice. For example, the legal basis to keep your data optionally in an applicant database for future positions is your consent (Art. 6 (1) lit. a GDPR).

Our legitimate interests or those of a third party include our requirements to use your personal data in litigation or for other legal purposes involving our and/or any affiliate of us within Bitrix24 group, verification of experience and qualifications and our business interests and may also include the need to transfer your personal data to third countries without adequate data protection laws. In this event, we will take reasonable steps to protect your personal data as required by the Data Privacy Laws.


Purposes for processing personal data


We process your personal data for purposes of processing your job application, facilitating job interviews, carrying out additional research if required, finding our internal decisions on your application as well a potential employment with us and administrating our applications and communicating with you. We are committed to the lawful processing of your personal data in accordance with data protection laws which require us to have a valid legal basis to do so. In most circumstances, we rely on our legitimate interests (where they are not overridden by your interests or fundamental rights and freedoms), for the performance of a contract with you (or in order to take steps prior to entering into a contract with you) or to comply with our legal obligations. In certain circumstances, we may rely on your consent, which may be implied (e.g., where you have volunteered information for use by us) or express (in accordance with applicable law). Where we rely on your consent as a legal basis, you may withdraw your consent at any time for any processing activities that we conduct based solely on your consent.


Disclosures of your personal data


We may share your personal data with the parties set out below for the following purposes:
  • External Third Parties such as our service providers including for information storage, human resource administration and similar purposes;
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Notwithstanding the above disclosures, we will disclose the personal data we collect from you under the following circumstances: (i) when required or permitted by law or government agencies, (ii) when required valid requests by law enforcement, (iii) for purposes relevant to corporate policies or litigation of us to the extent permitted under applicable law or when it is prescribed in the applicable legislation.


International transfers


We may share your personal data within Bitrix24 companies (hereinafter ‘Bitrix24 group’) since Bitrix24 group operates as a functional structure where employees are grouped together according to their area of specialization, regardless of their location or location of their immediate manager or employer within Bitrix24 group. Therefore, the positions advertised may be either global or regional positions.

Within Bitrix24 group your personal data is accessible only by those authorized personnel within Bitrix24 group who need access to your personal data to perform their duties for the purposes listed above. If required for the decision-making of your employment and maintaining of the global intra-group recruitment and related HR processes within Bitrix24 group, we are also entitled to share your application with authorized personnel of our affiliated companies.

We may use third-party service providers to process personal data on its behalf, including for information storage, human resource administration and similar purposes. We will exercise appropriate due diligence in the selection of its third party service providers, and require that such providers maintain adequate technical and organizational security measures to safeguard your personal data, and to process your personal data only as instructed by us or a member of Bitrix24 group and for no other purposes.

Notwithstanding the above disclosures, we will disclose the personal data we collect from you under the following circumstances: (i) when required or permitted by law or government agencies, (ii) when required valid requests by law enforcement, (iii) for purposes relevant to corporate policies or litigation of us to the extent permitted under applicable law or when it is prescribed in the applicable legislation.

Due to the multinational character of Bitrix24, some of the affiliated companies and other recipients listed in this Notice may be located in countries that do not provide a level of data protection equivalent to that set forth by the law in your home country.  We will take appropriate steps to make sure that such recipients act in accordance with applicable law.


Data transfers outside of the EU:

To the extent that we transfer the personal data to recipients which are located outside the European Union or the European Economic Area, we will provide an adequate level of protection of your personal data, including appropriate technical and organizational security measures and through the implementation of appropriate contractual measures to secure such transfer, in compliance with applicable law.  To the extent required, we have appropriate agreements on data protection in place (for example, controller-to-controller or controller-to-processor data transfer agreements, or data processor agreements).

For these international data transfers, we use standard contractual clauses in the form approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. For more information, please visit further explanations of the European Commission of the Standard Contractual Clauses with links to English.

You are entitled, by sending your request to our Data Protection Officer using the above contact information, to receive a copy of the contract including the appropriate safeguards (for example, Standard Contractual Clauses) that have been taken to protect your personal data during such transfer.


Data security


We have put in place appropriate physical, technical, and organizational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


Data retention


We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.


Your legal rights


Under certain circumstances, you have rights under data protection laws in relation to your personal data, such as:
  • Request to obtain confirmation as to whether or not your personal data is being processed by us, and where that is the case, access to such personal data (and related details);
  • Request correction of your personal data;
  • Request erasure of your personal data, where applicable;
  • Object to processing of your personal data, where applicable;
  • Request restriction of processing your personal data, where applicable;
  • Receive your personal data in a structured, commonly used and machine-readable format and to transmit such data to another controller where feasible;
  • Know about the existence of automated decision-making and to not be subject to automated decision-making;
  • Withdraw your consent to processing your personal data at any time, without affecting the lawfulness of processing of your personal data based on consent before its withdrawal. We may, however, have other legal grounds to continue to process your personal data;
  • Lodge a complaint with your local supervisory authority;
  • Obtain additional information about the suitable safeguards and means we rely upon with regard to international transfer of personal data.
You will not be discriminated against for exercising any of your rights described in this Notice. Please note that these rights may be subject to further conditions, limitations and/or exemptions under applicable data protection laws. If any of the rights listed above are not provided under law for your jurisdiction, we have absolute discretion in providing you with these rights.


If you wish to raise concerns with us or to exercise any of the rights set out above, please contact us at privacy@bitrix24.eu.