Data Protection Policy
1.1. Alvotech hf. (“Alvotech“) is committed to protecting the privacy and security of your personal data.
1.2. This data protection policy describes how we collect and use personal data about you in relation with your job application. We may collect and use personal data about you during the job application process, and if you get hired we may collect and use the personal data about you during and after your working relationship with us.
1.3. It applies to all job applicants who apply for a position at Alvotech.
2.1. Alvotech is a “data controller”. This means that we are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the information contained in this data protection policy.
2.2. This policy applies to all job applicants who apply for a position at Alvotech. We may update this policy at any time.
2.3. It is important that you read and retain this policy, together with any other privacy policies we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
3. Data protection principles
We will comply with data protection law, which means that the personal data we hold about you must be:
(1) Used lawfully, fairly and in a transparent way.
(2) Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
(3) Relevant to the purposes we told you about and limited only to those purposes.
(4) Accurate and kept up to date.
(5) Kept only as long as necessary for the purposes we have told you about.
(6) Kept securely.
4. The kind of information we hold about you
4.1. We may collect, store and use one or more of the following categories of personal data about you:
(1) Personal contact details such as name, addresses, telephone numbers and email addresses.
(2) Date of birth.
(4) Emergency contact.
(5) ID number.
(6) Copy of driving license or other identification.
(7) Recruitment information (including copy of right to work documentations, references, and other information included in a CV or cover letter or as part of the application process).
4.2. We may also collect, store and use the following “special categories” of more sensitive personal data:
(1) Trade union membership.
5. How is your personal data collected?
5.1. We collect personal data about job applicants through the application and recruitment process, either directly from candidates or sometimes from employment agencies. We may sometimes collect additional information from third parties including former employers, credit reference agencies, social media or other background check agencies.
5.2. If we recruit you, we will collect additional personal data in the course of job-related activities through the period of you working for us. This will be subject to a separate data protection policy.
6. How we will use information about you
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
(1) Where we need to prepare a contract we will enter with you.
(2) Where we need to comply with a legal obligation.
(3) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal data in the following situations, which are likely to be rare:
(1) Where we need to protect your interests (or someone else’s interests).
(2) Where it is needed in the public interest or for official purposes.
7. Situations in which we will use your personal data
7.1. We need all the categories of information in the list above primarily to allow us to perform and prepare our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal data to pursue legitimate interest of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal data are listed below:
(1) Making a decision about your recruitment or appointment.
(2) If recruited, preparing the contract we have entered into with you.
(3) Assessing qualifications for particular jobs or task.
(4) Dealing with legal disputes involving you.
(5) Ascertaining your fitness to work.
(6) Complying with health and safety obligations.
(7) Preventing fraud.
(8) Monitoring equal opportunities.
7.2. Some of the above grounds for processing overlap and there may be several grounds which justify our use of your personal data.
8. If you fail to provide personal data
If you fail to provide certain information when requested, we may not be able to hire you, or we may be prevented from complying with our legal obligations.
9. Change of purpose
9.1. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
9.2. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
10. How we use particularly sensitive personal data
10.1. “Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We have in place an appropriate policy document and safeguards which we are required by law to maintain when we process such data. We may process special categories of personal data in the following circumstances:
(1) In limited circumstances, with your explicit written consent.
(2) Where we need to carry out our legal obligations or exercise rights in connection with your possible employment.
(3) Where it is needed in the public interest and required or permitted by law.
10.2. Less commonly, we may process this type of information where it is needed in relation to legal claims where it is needed to protect your interest (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
11. Our obligations as employer
We will use your particularly sensitive personal data (if applicable) in reviewing your job-application and making a decision regarding your potential hiring.
12. Do we need your consent?
12.1. We do not need your consent if we use special categories of your personal data in accordance with our policy to carry out our legal obligations or exercise specific rights in the field of employment law.
12.2. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive personal data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it not a condition to your hiring that you agree to any request for consent from us.
13. Information about criminal convictions
13.1. We may only use information relating to criminal convictions where the law allows us to do. This will usually be where such processing is necessary to carry our obligations and provided we do so in line with this data protection policy.
13.2. We will only collect information about criminal convictions (for example criminal records) if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we may collect information about criminal convictions as part of the application or requirement process.
14. Data sharing
14.1. We may have to share your data with third parties, including third-party service providers and other entities in the group.
14.2. We require third parties to respect the security of your data and to treat it in accordance with the law.
14.3. We may transfer your personal data outside the EU. If we do, you can expect a similar degree of protection in respect of your personal data.
14.4. We will share your personal data where required by law, where it necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
14.5. “Third Parties” includes third-party service providers (including employment agencies) and other entities in our group.
14.6. Furthermore, we may share your personal data with our service providers in relation to day to day operations, including IT services and data storage in the cloud. In such cases, we shall ensure that our service providers are internationally certificated IT enterprises.
14.7. All our third-party providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
14.8. We may share your personal data with other third parties, for example in the context of the possible sale or reconstructing of the business. In this situation we will, so far as possible, share anonymized data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
14.9. We may also need to share your personal data with a regulator or to otherwise comply with the law. This may include reports or disclosures to tax authorities or shareholders.
15. Data security
15.1. We have put in place measures to protect the security of your information.
15.2. Third parties will only process your personal data on our instruction and where they have agreed to treat the information confidentially and keep it secure.
15.3. We have put in place appropriate security measures to prevent your information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction, and they are subject to a duty of confidentiality.
15.4. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
16. Data retention
16.1. We will only retain your personal data contained in your job application and related documentation/information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
16.2. To determinate the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from an unauthorized use or disclosure of your personal data, the purpose for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
16.3. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
16.4. Once the application process is completed and if your job application is not accepted, then the following will apply: we will usually destroy your personal data within 120 days from the non-acceptance of the job application, in accordance with our data retention policy and applicable laws and regulations.
16.5. Once the application process is completed and if your job application is accepted, then the following will apply: we are required by law to retain accounting information for 7 years. Additionally, we will store personal data gathered by electronic monitoring no longer than 90 days, in accordance with applicable laws. Other personal data will be retained according to our retention policies and in accordance with the data protection legislation.
17. Your duty to inform us of change
It is important that the personal data we hold about you accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
18. Your rights
18.1. Under certain circumstances, by law you have the right to:
(7) Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
(8) Request correction of the personal data we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
(9) Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
(10) Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
(11) Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
(12) Request the transfer of your personal data to another party.
18.2. If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us.
19. What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is security measure to ensure that personal data is not disclose to any person who has no right to receive it.
20. Data Protection Officer – Communication
We have appointed a data protection officer (“DPO”) to oversee compliance with this data protection policy.
If you have any questions about this data protection policy or how we handle your personal data, please contact the DPO via the following email address: firstname.lastname@example.org.
You have the right to make a complaint at any time to the Icelandic Data Protection Authority (Persónuvernd).
21. Changes to this data protection policy
We reserve the rights to update this data protection policy at any time, and we will provide you with a new data protection policy when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.