UpMee — Recruitment Privacy Notice

GDPR · Recruitment

Recruitment Privacy Notice

Last Updated: July 2023

This Recruitment Privacy Notice ("Notice") explains how UpMee Group OÜ ("UpMee", "we", "our", or "us") collects, uses, stores, shares and protects personal data of individuals applying for employment opportunities, contract engagements, freelance assignments or recruitment services through our website, recruiters, referral partners, business clients or other communication channels.

This Notice applies to all candidates, prospective employees, contractors, freelancers, consultants, interns and other individuals participating in recruitment processes organized or managed by UpMee Group OÜ.

This Notice has been prepared in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR);
  • Estonian Personal Data Protection Act (Isikuandmete kaitse seadus);
  • applicable legislation of the Republic of Estonia;
  • guidance published by the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

By submitting your application, curriculum vitae (CV), résumé, cover letter or other recruitment-related information, you acknowledge that your personal data may be processed in accordance with this Notice.

Data Controller

The controller responsible for processing your personal data is:

UpMee Group OÜ
UpMee Group OÜ
Registry Code:
16707575
Registered Office:
Suur tn 12-1420307 NarvaIda-Viru CountyRepublic of Estonia

For any questions regarding this Notice or your personal data, you may contact us using the contact details above.

Scope of this Notice

This Notice applies whenever UpMee processes personal data during recruitment or talent acquisition activities, including but not limited to:

  • applications submitted through our website;
  • applications submitted by email;
  • CVs received from recruitment platforms;
  • LinkedIn applications;
  • referrals;
  • recruitment events;
  • career fairs;
  • direct sourcing;
  • executive search;
  • freelance recruitment;
  • contractor placements;
  • temporary staffing;
  • permanent recruitment;
  • international recruitment projects.

This Notice also applies where we process candidate information on behalf of our clients, subject to applicable contractual arrangements and Article 28 GDPR where UpMee acts as a processor.

Categories of Personal Data We Collect

Depending on the recruitment process, we may collect the following categories of information.

Identification Data

This may include:

  • full name;
  • date of birth (where required);
  • nationality;
  • residence country;
  • work authorization;
  • immigration status;
  • photograph (if voluntarily provided);
  • government-issued identification where legally required.

Contact Information

Including:

  • email address;
  • telephone number;
  • mailing address;
  • LinkedIn profile;
  • GitHub profile;
  • portfolio websites;
  • professional social media accounts.

Professional Information

Such information may include:

  • CV or résumé;
  • employment history;
  • education;
  • professional certifications;
  • licenses;
  • technical skills;
  • programming languages;
  • spoken languages;
  • project experience;
  • salary expectations;
  • preferred employment type;
  • availability date;
  • notice period;
  • relocation preferences;
  • remote work preferences.

Recruitment Process Information

During recruitment we may create or receive:

  • interview notes;
  • recruiter assessments;
  • hiring manager feedback;
  • technical interview results;
  • coding challenge results;
  • communication history;
  • scheduling information;
  • references;
  • recommendation letters;
  • assessment reports.

Information Collected Automatically

When visiting our website, we may automatically collect:

  • IP address;
  • browser information;
  • operating system;
  • language preferences;
  • device identifiers;
  • pages visited;
  • session duration;
  • cookies;
  • analytics information;
  • security logs.

Such processing is further described in our Privacy Policy and Cookie Policy.

Sources of Personal Data

Personal data may be collected directly from you or from third parties where permitted by law.

Sources include:

  • your application;
  • your CV;
  • your cover letter;
  • our website;
  • LinkedIn;
  • GitHub;
  • job boards;
  • recruitment agencies;
  • publicly available professional profiles;
  • employee referrals;
  • client referrals;
  • professional networking platforms;
  • publicly available business websites.

Where personal data is collected from third-party sources, UpMee will provide information required under Articles 14 GDPR where applicable.

Purposes of Processing

We process candidate data only for legitimate recruitment-related purposes.

These include:

Recruitment Activities

  • reviewing applications;
  • evaluating qualifications;
  • arranging interviews;
  • communicating with candidates;
  • conducting recruitment processes;
  • matching candidates with suitable vacancies;
  • verifying work eligibility where legally required.

Client Recruitment Services

Where UpMee performs recruitment services for business clients, personal data may be processed to:

  • identify suitable candidates;
  • present candidate profiles;
  • arrange interviews;
  • coordinate recruitment processes;
  • negotiate employment offers;
  • facilitate hiring decisions.

Talent Pool

Subject to your consent where required, we may retain your information for future recruitment opportunities that may better match your qualifications.

You may withdraw such consent at any time.

Legal Compliance

Personal data may also be processed to:

  • comply with legal obligations;
  • respond to lawful requests from authorities;
  • prevent fraud;
  • maintain recruitment records;
  • establish, exercise or defend legal claims.

Legal Basis for Processing

UpMee Group OÜ processes personal data only where there is a valid legal basis under Article 6 of the General Data Protection Regulation (GDPR).

Depending on the circumstances, we process personal data on one or more of the following legal grounds:

Performance of Pre-Contractual Measures

Article 6(1)(b) GDPR

Processing is necessary in order to take steps at your request prior to entering into an employment contract, contractor agreement or other engagement.

This includes:

  • reviewing applications;
  • scheduling interviews;
  • assessing qualifications;
  • communicating regarding recruitment opportunities;
  • negotiating employment terms.

Legitimate Interests

Article 6(1)(f) GDPR

UpMee has legitimate interests in conducting efficient recruitment activities and providing recruitment services to clients.

These legitimate interests include:

  • identifying suitable candidates;
  • evaluating professional experience;
  • communicating with applicants;
  • preventing recruitment fraud;
  • maintaining recruitment records;
  • improving recruitment processes;
  • protecting legal rights;
  • ensuring information security.

Where processing is based on legitimate interests, we always balance those interests against the rights and freedoms of candidates.

Consent

Article 6(1)(a) GDPR

Where required by law, or where we wish to retain your CV for future opportunities beyond the current recruitment process, we will rely on your consent.

Consent may also be requested for:

  • inclusion in our talent pool;
  • future recruitment opportunities;
  • receiving recruitment newsletters;
  • participation in optional surveys.

You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

Compliance with Legal Obligations

Article 6(1)(c) GDPR

Certain processing activities are necessary for compliance with legal obligations under applicable European Union and Estonian legislation, including employment, tax, accounting, anti-discrimination and immigration laws.

Special Categories of Personal Data

During recruitment we generally do not require candidates to provide special categories of personal data as defined in Article 9 GDPR.

Candidates are requested not to include information relating to:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data used for identification;
  • health information;
  • information concerning sex life;
  • sexual orientation.

If candidates voluntarily disclose such information, UpMee will process it only where permitted under Article 9 GDPR and applicable Estonian law.

Where necessary, such data may be processed:

  • to comply with employment legislation;
  • to provide reasonable workplace accommodations;
  • to satisfy legal obligations;
  • with explicit consent;
  • for the establishment, exercise or defence of legal claims.

Automated Decision-Making and AI-Assisted Recruitment

UpMee may use modern recruitment technologies, including AI-assisted tools, to improve recruitment efficiency.

These tools may assist recruiters by:

  • organizing applications;
  • identifying relevant skills;
  • matching candidate profiles to job requirements;
  • detecting duplicate applications;
  • assisting with scheduling;
  • supporting candidate communication.

AI tools are used solely as decision-support mechanisms.

No candidate is rejected solely on the basis of automated processing producing legal or similarly significant effects within the meaning of Article 22 GDPR.

Final recruitment decisions are always made by qualified human recruiters or hiring managers.

Sharing of Personal Data

Personal data may be shared only where necessary and only with appropriate safeguards.

Recipients may include:

Our Recruitment Clients

Where you apply for a position managed by UpMee, your information may be shared with the prospective employer after assessing your suitability.

Service Providers

We may use trusted service providers for:

  • cloud hosting;
  • applicant tracking systems (ATS);
  • communication services;
  • email providers;
  • video interview platforms;
  • document management;
  • cybersecurity;
  • analytics.

All such providers are contractually required to comply with GDPR and applicable data protection legislation.

Professional Advisors

Where necessary, information may be shared with:

  • legal advisors;
  • accountants;
  • auditors;
  • insurance providers.

Public Authorities

Personal data may be disclosed where required by:

  • applicable law;
  • court order;
  • governmental authority;
  • law enforcement agency.

International Data Transfers

As an international recruitment company, UpMee may transfer candidate data outside the European Economic Area (EEA).

Where transfers occur, appropriate safeguards will always be implemented in accordance with Chapter V GDPR.

These safeguards may include:

  • European Commission Adequacy Decisions;
  • Standard Contractual Clauses (SCCs);
  • Binding Corporate Rules where applicable;
  • additional contractual and technical safeguards.

Whenever possible, candidate data is stored within the European Economic Area.

Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes described in this Notice.

Unless a longer retention period is required by law:

  • recruitment records are generally retained for up to 24 months following the conclusion of a recruitment process;
  • talent pool records are retained until consent is withdrawn or the retention period expires;
  • records required for legal compliance may be retained for the period prescribed by applicable legislation.

When retention is no longer necessary, personal data is securely deleted or anonymised.

Data Security

UpMee implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Such measures include, where appropriate:

  • encrypted communications;
  • secure cloud infrastructure;
  • access controls;
  • role-based permissions;
  • authentication procedures;
  • staff confidentiality obligations;
  • regular software updates;
  • vulnerability management;
  • incident response procedures;
  • secure backups.

Despite these measures, no method of electronic transmission or storage can be guaranteed to be completely secure.

Candidates should also take reasonable steps to protect their own devices and login credentials.

Your Rights Under the GDPR

As a data subject, you have the rights granted under Regulation (EU) 2016/679 (General Data Protection Regulation). Depending on the circumstances, these rights include:

Right of Access

Article 15 GDPR

You have the right to request confirmation as to whether UpMee processes your personal data and, where that is the case, obtain access to such data together with information regarding the processing activities.

Right to Rectification

Article 16 GDPR

You may request the correction of inaccurate personal data or the completion of incomplete information without undue delay.

Right to Erasure ("Right to be Forgotten")

Article 17 GDPR

You may request the deletion of your personal data where:

  • the data is no longer necessary for the purposes for which it was collected;
  • you withdraw your consent and no other legal basis applies;
  • you successfully object to processing;
  • the processing is unlawful;
  • deletion is required by applicable law.

This right is subject to statutory exceptions, including situations where retention is required to comply with legal obligations or to establish, exercise or defend legal claims.

Right to Restriction of Processing

Article 18 GDPR

You may request that processing of your personal data be temporarily restricted where:

  • the accuracy of the data is contested;
  • processing is unlawful but you oppose deletion;
  • UpMee no longer requires the data but you need it for legal claims;
  • you have objected to processing pending verification of legitimate interests.

Right to Data Portability

Article 20 GDPR

Where processing is based on consent or a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format and, where technically feasible, request its transfer to another controller.

Right to Object

Article 21 GDPR

You may object at any time to processing based on UpMee's legitimate interests.

Where you object, we will cease processing unless compelling legitimate grounds override your interests, rights and freedoms or the processing is necessary for legal claims.

Right Not to Be Subject to Automated Decision-Making

Article 22 GDPR

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

As stated above, UpMee does not make hiring decisions solely through automated systems.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

Exercising Your Rights

Requests concerning personal data may be submitted by contacting:

UpMee Group OÜ
UpMee Group OÜ
Address:
Suur tn 12-1420307 NarvaIda-Viru CountyRepublic of Estonia

We may request additional information to verify your identity before responding to your request.

Requests will generally be answered within one month, in accordance with Article 12 GDPR.

Where legally permitted due to complexity or the number of requests, this period may be extended by up to two additional months.

Complaints

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with the competent supervisory authority.

For UpMee Group OÜ, the competent supervisory authority is:

Estonian Data Protection Inspectorate
Estonian Data Protection Inspectorate(Andmekaitse Inspektsioon)
Address:
Tatari 3910134 TallinnRepublic of Estonia
Telephone:
+372 627 4135

You may also bring proceedings before a competent court in accordance with Articles 77–79 GDPR.

Third-Party Websites

Our website may contain links to third-party websites, recruitment platforms or external services.

This Recruitment Privacy Notice applies solely to personal data processed by UpMee.

We are not responsible for the privacy practices, content or security of third-party websites. We encourage users to review the privacy policies of any external services they visit.

Changes to this Recruitment Privacy Notice

UpMee may amend this Recruitment Privacy Notice from time to time to reflect:

  • changes in legislation;
  • changes in recruitment practices;
  • implementation of new technologies;
  • regulatory guidance;
  • improvements to our services.

The latest version will always be published on our website.

Where required by applicable law, we will provide appropriate notice of material changes.

Applicable Law

This Recruitment Privacy Notice shall be governed by and interpreted in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation);
  • the Personal Data Protection Act of the Republic of Estonia (Isikuandmete kaitse seadus);
  • other applicable legislation of the Republic of Estonia.

Nothing in this Notice limits any statutory rights available to data subjects under applicable law.

Contact Information

If you have any questions concerning this Recruitment Privacy Notice or the processing of your personal data, please contact:

UpMee Group OÜ
UpMee Group OÜ
Registry Code:
16707575
Address:
Suur tn 12-1420307 NarvaIda-Viru CountyRepublic of Estonia
General enquiries:
[email protected]
Privacy enquiries:
[email protected]
Effective Date

Notice in force

Effective from: July 2026

This Recruitment Privacy Notice replaces all previous recruitment privacy notices published by UpMee Group OÜ.