3Commas’ Recruitment Privacy Notice
Version 1.0
This Privacy Notice is effective as of 09.08.2023.
This 3Commas’ Recruitment Privacy Notice (“Privacy Notice”) is to inform you about how 3Commas Technologies OÜ (“3Commas”, “us”, “we”, “our” as applicable), as a potential employer, processes your personal data in the recruitment process with regard to your role as a prospective employee, trainee, contractor, member of the board, or person working for 3Commas on another basis (“you”, “your” as applicable).
If you provide us with personal data of third parties (e.g., in a letter of recommendation, contact details of the referee, etc.), you undertake to provide them with the relevant notices and, where necessary, this Privacy Notice. Additionally, you must ensure that you have an appropriate legal basis for disclosing such personal data to us.
1. The controller
For the purpose of the General Data Protection Regulation 2016/679 (“GDPR”), 3Commas Technologies OÜ, a private limited company based in Estonia, is the data controller of your personal data. Our registered office is Laeva tn 2, Tallinn 10111, Estonia, and our company registry code is 14125515.
2. Personal data collected as part of your application process
Personal data means any information related to an identified or identifiable natural person. This includes information such as, for example, your name, address, telephone number, but also data relating to your specific career etc., by reference to which you can be identified with reasonable effort. However, information which cannot be (in)directly associated with your real-life identity is not personal data.
We generally collect and process similar information from all our applicants. However, depending on the specific position at hand and the channel of application, we may collect different pieces of personal data.
3. Processing purposes, legal bases and sources of personal data
Most of the personal data about you that we process as part of the application process is personal data we collect directly from you. This data is collected through any channel that you choose to use to share your information with us, including but not limited to electronic application channels (i.e. via our online form or through other digital channels) and interviews. Additionally, we may also collect personal data about you from a limited number of third party sources.
Electronic application
Via our online form: By submitting an application via our dedicated recruitment website at https://careers.3commas.io/, which is powered by Learning Technologies Group Plc. (a processor acting under the name of ‘Breezy’ as further detailed below), you express your interest in taking up work with us. We process this information in adherence to Article 6.1(b) of the GDPR, which allows for the handling of data necessary to perform a contract or to engage in actions at the request of an individual before entering into a contract. Such data is used and stored exclusively for the purpose of supporting your job search and managing the application process.
In particular, the following personal data is collected during this process: name (first and last names), e-mail address, and desired salary.
Furthermore, you can choose to provide more information, for example your phone number, address, work history, education, including uploading additional documents such as your CV, which may contain more of your personal data.
You may also submit your resume from ‘Indeed’ or apply using your LinkedIn profile and we may receive the data from your profile. In such cases you’ll also be subject to those services’ privacy notices as independent controllers.
Via e-mail, social media, or other electronic means: You may provide us with your personal information when you apply directly for a position with us. This could be through direct contact via a 3Commas-affiliated email address (i.e. @3commas.io), or through our outreach on social media platforms, or other digital means. The personal information you provide may include, but is not limited to, your full name, email address, photographic image, and additional data included in your CV.
In this case, the legal basis for the processing of your data is Article 6.1(b) of the GDPR, which allows for the processing of data necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract.
Additional information during the recruitment process: During the recruitment process, additional information can be collected from you and about you, for example communication data, notes, results from assignments, results of personality tests, etc. We process such data based on Article 6.1(b) of the GDPR.
Interviews: During interviews, whether they take place face-to-face or electronically, we may collect additional personal data directly from you. This could include, for example, your professional experience, your skills and qualifications, or your answers to interview questions. The legal basis for this processing is Article 6.1(b) of the GDPR, as this data is necessary for us to assess your suitability for the role you've applied for.
Information from third party sources: We may use various third-party sources to gather additional data about you. This can include social media platforms where we can access certain public information you've shared, such as your name, photograph, and email address. Additionally, for recruitment purposes, we may use these sources to acquire contact information to reach out to potential candidates. We may also seek feedback from your previous employers. The legal basis for these processing activities is our legitimate interest in ensuring the integrity of our recruitment process and securing qualified candidates (Article 6.1(f) GDPR).
Information from the use of video surveillance equipment: If you participate in a face-to-face interview or otherwise visit our office, we may have security cameras, which may record you. The legal basis is our legitimate interest in ensuring your safety and the safety of our employees, property and premises (Article 6.1(f) GDPR).
In addition, we back up data and store information containing personal data in our backup systems based on our legitimate interest in ensuring the continuity and security of data processing operations (Article 6.1(f) GDPR).
4. Retention of your personal data
We will retain your Personal Data as long as reasonably necessary to attain the objectives stated in Section 3 of this Privacy Notice, or until any legal obligation stipulates that we do so.
In determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the personal data, we take into account the need to resolve disputes and enforce the contract between us, or anonymize your personal data and retain this anonymized information indefinitely. In case of anonymization, the data will only be available to us in the form of so-called metadata, without any direct personal reference, for statistical analysis (for example, share of male and/or female applicants, number of applications per specified period of time, etc.).
Your contact and application data will be stored for a maximum period of 1.5 years after the application process has been concluded. This is usually done to fulfill legal requirements and/or defend against potential legal claims. With your prior consent (Article 6.1(a) GDPR), we may store your data beyond the conclusion of the application process for the purpose of adding it to our Talent Pool in order to identify any other vacancies that may be of interest to you.
Should you be offered and accept a position with us during the application process, we will store the personal data collected during said process as part of managing the employment relationship with you.
Following the retention period or if we no longer need the respective personal data for the purposes specified in Section 3 of the Privacy Notice, we will destroy the respective personal data within a reasonable time, unless the retention of personal data is required to perform duties or requirements arising from the legislation or to protect against ongoing or threatened disputes.
5. Disclosure of data to third parties
During your application via our dedicated recruitment website (https://careers.3commas.io/), the data associated with your application is transferred using TLS encryption and stored in a secure database. This database is operated by Learning Technologies Group Plc. (trading under the name 'Breezy'), a provider of applicant management software solutions. Within this framework, Learning Technologies Group Plc. acts as our processor in accordance with Article 28 of the GDPR. The processing activity is grounded in a contract between us, as the data controller, and Learning Technologies Group Plc., as our designated data processor.
Furthermore, we may share your personal data with other selected third parties. These can include, but are not limited to, our group entities or subsidiaries, public sector authorities, supervisory or law enforcement authorities, professional advisers and our legal successors and/or potential acquirers of our business, and service providers, for example recruitment service providers, or our Contract Lifecycle Management provider for potential contract management requirements.
Where personal data is disclosed to third parties, appropriate safeguards are implemented to ensure that the data is protected appropriately. We only permit service providers engaged in the processing of personal data on our behalf to process your personal data for specified purposes and in accordance with our instructions.
Should you wish to know more about specific third-party data disclosures related to your personal data, please feel free to contact us at dpo@3commas.io.
6. Where we process your personal data
The personal data that we collect from you is processed by us mainly within the European Economic Area (“EEA”). Depending on your method of application, however, your personal data may be transferred to and processed at a destination outside the EEA which may not be subject to an adequacy decision by the European Commission. In such a case we ensure that both ourselves and our partners take adequate and appropriate technical, physical and organizational security measures to protect your data. We also ensure a level of data protection at least equivalent to the one prevailing in the EEA by relying on the safeguards established in the GDPR (e.g., standard contractual clauses). Should you wish to find out more about specific safeguards, please feel free to contact us at dpo@3commas.io.
7. How we protect your personal data
While we strive to ensure the utmost protection of your personal data, we cannot guarantee the absolute security of your data during transmission, and any such transmission is undertaken at your own risk. Upon receipt of your personal data, we employ stringent internal protocols and robust security measures to prevent unauthorized access.
Access to your personal data is limited to 3Commas’ authorized HR staff and/or staff involved in your application process. We continuously educate and train our staff about the importance of confidentiality and maintaining the integrity of personal data.
3Commas adheres to the principles and regulations outlined in the GDPR and the Personal Data Protection Act of Estonia in our commitment to uphold the highest standards of data privacy and security.
8. Your data protection rights
As the data subject you have certain rights under the GDPR, depending on the legal basis and the purpose of the processing, which you may exercise at any time:
Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent that you have given us at any time;
Right to access: you have the right to request access to the personal data we process about you and to get a copy of it;
Right to rectification: you have the right to request that we correct your personal data that you deem inaccurate, incorrect, or out of date. You also have the right to request us to complete information that you believe is incomplete;
Right to erasure: you have the right to request your personal data to be erased if there are valid grounds for doing so and it is subject to applicable law;
Right to restrict processing: under certain conditions you have the right to request us to restrict the processing of your personal data;
Right to object to processing: under certain conditions you have the right to object to the processing of your personal data;
Right to data portability: you have the right to request us to transfer your personal data to another organization or to you in a structured, commonly used and machine-readable format;
Right not to be subject to a decision based solely on automated processing: We do not currently make automated decisions about any data subject, but you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you;
Right to contact the supervisory authority: if you are not satisfied with our response to your request in relation to personal data processing or you believe we are processing your personal data not in accordance with the law, you can submit your claim to the data protection authority (in Estonia, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), at info@aki.ee (https://www.aki.ee/)).
If you decide to enforce any of your data protection rights, please contact us at dpo@3commas.io. We have one month (which can be extended by two further months where necessary) to respond to you starting from the receipt of your request.
9. Amendments to this Privacy Notice
3Commas keeps this Privacy Notice under regular review and thus may amend or modify it from time to time. The most recent version of the Privacy Notice will be published on this page.
This Privacy Notice was last updated on the date specified on the header of this page.
10. How to contact us
If you have a question about our Privacy Notice, the data we hold on you, or you would like to exercise any of your rights, please do not hesitate to contact us:
Email us: dpo@3commas.io
Write to us: 3Commas Technologies OÜ, Laeva tn 2, Tallinn 10111, Estonia.