PERSONAL DATA PROTECTION RULES FOR CANDIDATES
Important information about how we collect, use and store information about Job Offer Subscribers, Interns, Recommended Candidates and Candidates (including Candidates to the Supervisory Council) and relatives of Candidates (including Supervisory Council members)
1. What is the purpose of these Personal Data Protection Rules for Candidates?
These Personal Data Protection Rules for Candidates (hereinafter, the Rules) provide information on how Šiaulių Bankas AB (registration No. 112025254, head office address: Tilžės g. 149, Šiauliai) (hereinafter, the Bank) and, in the relevant cases, Gyvybės Draudimo UAB SB Draudimas (registration No. 110081788, head office address: Laisvės pr. 3, Vilnius) (hereinafter, SBD) and/or SB Asset Management UAB (registration No. 306241274, head office address: Gynėjų g. 14, Vilnius) (hereinafter, SBAM) (hereinafter SBD and SBAM are collectively referred to as Group Companies), (hereinafter collectively referred to as Bank Group or Bank), process personal data of candidates received from:
- the Teamtailor Candidate Management System on the Bank’s website, after a candidate’s account has been created (hereinafter, the Candidate);
- the Teamtailor Candidate Management System on the Bank’s website, after subscribing to job and/or internship offers for Candidates;
- the Bank Group employees or a company providing recruitment services under a contract with the Bank, once a candidate has been recommended for a vacancy and/or internship (hereinafter, the Recommended Candidate);
- LinkedIn and other professional social networks after the Candidate search;
- the assessment carried out in the selection of Candidates for the positions of employees of the Bank Group, including members of the Board (hereinafter, the Employee), members of the Supervisory Council;
- the assessment carried out in the selection of Candidates for an internship (hereinafter, the Intern);
- employment contract-based relationship with Employees;
- external information systems, for the purposes of ensuring compliance with the mandatory requirements for Employees and members of the Supervisory Council;
- other external systems, for other purposes set out below.
All of the following persons whose data are processed by the Bank Group in accordance with applicable law, including the General Data Protection Regulation (GDPR), are referred to below as Individuals.
2. What is personal data?
Personal data is any information collected by the Bank Group about an Individual that can be used to identify, directly or indirectly, the Individual and is processed either automatically (e.g., by collecting personal data via the Bank’s website, etc.) or in non-automatically structured files (e.g., in paper files, etc.).
3. Creating an account in the Teamtailor Candidate Management System on the Bank’s website
The recruitment and selection of staff and interns is carried out using the Teamtailor Candidate Management System available on the Bank’s website. Job Offer Subscribers, Candidate Interns create an account to use this system.
What are the purposes of the processing? |
What categories of data do we collect? |
What is the legal basis that allows us to collect this information about you?[1] |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|---|
Creating an account |
Name(s), surname(s), email address, mobile or other telephone number |
GDPR Article 6 (1)(a) |
We do not transfer these data to other controllers
|
12 months from the date of consent |
[1] GDPR Article 6(1) (a) your consent; (b) performance of the employment contract or other agreement concluded with you; (c) compliance with our legal obligations; (f) legitimate interests of the Bank Group or other persons.
4. Job offer subscription
Individuals have the right to subscribe to job and/or internship offers from the Bank Group on the Bank’s website (hereinafter, Job Offer Subscriber). The data of the Job Offer Subscribers are processed for the purpose of subscribing to job and/or internship offers with the Bank Group.
What are the purposes of the processing? |
What categories of data do we collect? |
What is the legal basis that allows us to collect this information about you? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|---|
Job offer subscription |
Email address, the field(s) of work and/or internship with the Bank Group that you have chosen |
GDPR Article 6 (1)(a) |
We do not transfer these data to other controllers
|
12 months from the date of consent |
Defending legal claims[1] |
Information about your consent |
GDPR Article 6 (1)(f) the Bank Group’s legitimate interest to defend legal claims |
Courts, public dispute resolution bodies, litigants, lawyers and other legal service providers |
12 months from the date of consent |
Ensuring that the Bank’s website is accessible to your computer |
IP address |
GDPR Article 6 (1)(f) the Bank’s legitimate interest to ensure the accessibility of the Bank’s website |
We do not transfer these data to other controllers |
12 months |
[1] In the event of a dispute between the Bank Group and you regarding the lawfulness of the processing of your personal data, the Bank Group, in accordance with Article 5(2) of the GDPR, has the burden of proving the lawfulness of the processing of your personal data.
5. Finding Candidates on LinkedIn and other professional social networks
To improve the efficiency of the Candidate search process by finding the right Candidate for the Bank Group more quickly, Candidate searches are conducted on LinkedIn and other professional social networking sites.
What are the purposes of the processing? |
What categories of data do we collect? |
What is the legal basis that allows us to collect this information about you? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|---|
Recruitment by searching for Candidates on LinkedIn and other professional social networks |
Search criteria, name(s), surname(s), other information provided in a publicly accessible social network profile, communication with the potential Candidate via social networks or other contacts provided on social network accounts |
GDPR Article 6 (1)(f) the Bank Group’s legitimate interest to ensure efficient recruitment of staff by selecting the most suitable Candidates |
We do not transfer these data to other controllers
|
The data shall be deleted as soon as it becomes clear that the person has not accepted the offer to apply for a position offered by the Bank Group |
6. Administration of Recommended Candidates
To optimise the selection process of Candidates and Interns and to select the most suitable Employee or Intern for the Bank Group, both the Employees of the Bank and the recruitment firms with which the Bank has concluded contracts are given the opportunity to recommend persons they consider suitable as Candidates for specific positions within the Bank Group. In this case, personal data of the Candidate are processed as those of a Recommended Candidate.
What are the purposes of the processing? |
What categories of data do we collect? |
What is the legal basis that allows us to collect this information about you? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|---|
Recruitment of staff through recommendations from Bank Group employees and recruitment firms with which the Bank has concluded contracts |
Name(s), surname(s), mobile or other telephone number, email address, recommendation |
GDPR Article 6 (1)(f) the Bank Group’s legitimate interest[1] to optimise the selection of staff in order to select the most suitable Intern or Employee GDPR Article 6 (1)(a) consent[2]
|
|
|
Implementation of the Recommended Candidate’s right to be informed about the processing of personal data and the right to object to the processing of personal data |
Email address |
GDPR Article 6 (1)(c) for the performance of a legal obligation under Articles 14 and 21 of the GDPR |
|
For this purpose, the personal data shall be processed and retained until the Recommended Candidate’s right to be informed about the processing of personal data and the right to object to the processing of personal data are fulfilled |
Defending legal claims |
Information relating to the exercise of the Recommended Candidate’s rights to be informed about the processing of personal data and to object to the processing of personal data (date of notice, content of notice, date of receipt of the objection, its content) |
GDPR Article 6 (1)(f) the Bank Group’s legitimate interest to defend legal claims |
Courts, public dispute resolution bodies, litigants, lawyers and other legal service providers |
12 months from the date of exercise of the rights of the Recommended Candidate |
[1] This is the legal basis for the processing of personal data prior to the initial contact with the Recommended Candidate
[2] This is the legal basis for the processing of personal data after the initial contact with the Recommended Candidate
7. Personal data processed in the context of recruitment (for the purpose of assessing Candidates)
7.1. Selection/assessment of Candidates for employment
The data listed below are collected about Candidates for employment and, where explicitly stated, their relatives.
What categories of data do we collect? |
What are the legal grounds for collecting information about me?[1] |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|
Name(s), surname(s) |
GDPR Article 6 (1)(a), GDPR Article 6 (1)(b)
|
Not transferred (only details of the CV and identity document of a Candidate for the Management Board of the Bank are transferred to the Bank of Lithuania/European Central Bank)
|
|
National identification number |
|||
Details of the identity document (type, number, issuing authority, date of issue, expiry date) |
|||
Address (place of residence) |
|||
Mobile or other telephone number |
|||
Email address |
|||
CV information (qualifications (education, school attended and date of graduation, specialisation, qualifications, degree awarded, information on whether you are studying at the time of application), knowledge of foreign languages and skill level, ability to work with specific computer programmes, qualifications acquired in the last two years), previous jobs, personal qualities)), the information you have provided about your personality, values, expectations and interests |
|||
Assessment of the Candidate (in the case of a member of the Board in the Bank Group, the Director of Anti-Money Laundering Compliance Department in the Bank, and the designated manager – in the case of the SBD and SBAM) responsible for the implementation of anti-money laundering and anti-terrorist financing measures in the Bank Group’s activities, on the basis of which the following personal data are processed: education, additional qualification courses, experience in managing a financial market participant’s compliance – anti-money laundering and anti-terrorist financing, experience in implementing the legal requirements for a financial market participant in the areas of know-your-client, client relationships, transaction monitoring, internal investigations, analysis of suspicious transactions, experience in identifying, managing money laundering and terrorist financing compliance risks related to the activities of a financial market participant, personal qualities, language skills |
GDPR Article 6 (1)(b) GDPR Article 6 (1)(c), BoL Resolution on the Approval of Instructions to Financial Market Participants Aimed at Preventing Money Laundering and/or Terrorist Financing
|
||
Assessment of the Candidate (in the case of a member of the Board in the Bank Group) responsible for the organisation of anti-money laundering and anti-terrorist financing measures in the Bank Group’s activities, on the basis of which the following personal data are processed: education, additional qualification courses, experience in managing a financial market participant’s compliance – anti-money laundering and anti-terrorist financing, experience in implementing the legal requirements for a financial market participant in the areas of know-your-client, client relationships, transaction monitoring, internal investigations, analysis of suspicious transactions, experience in identifying, managing money laundering and terrorist financing compliance risks related to the activities of a financial market participant, personal qualities, language skills |
GDPR Article 6 (1)(b) GDPR Article 6 (1)(c), BoL Resolution on the Approval of Instructions to Financial Market Participants Aimed at Preventing Money Laundering and/or Terrorist Financing
|
||
Information about pecuniary and/or non-pecuniary interests of the Candidates and their Relatives and other circumstances, where the Candidate is engaged in an activity that could give rise to a potential conflict of interest between the Candidate and the Bank’s Subsidiary (https://www.sb.lt/lt/apie/struktura-ir-valdymas/patronuojamosios-banko-imones), i.e., the nature of individual activity, employment relationships, participation in the activities of other companies (as founders, shareholders, members of management bodies), participation in the activities of public organisations, participation in elected bodies of the state or municipalities, participation in private business, or provision of services in any other form – (applicable to all employees of the Bank Group) |
GDPR Article 6 (1)(b) GDPR Article 6 (1)(c), Guidelines on Internal Governance of 21 March 2018 (EBA/GL/2017/11) |
||
Criminal record (applies to employees of the Bank’s brokerage function who provide investment advice and take orders from clients, Director (CEO) of SBAM and investment decision makers, i.e., members of the Investment Committee, Head of Investment Management Division, Head of Share and KIS Group, Head of Bond Group, Fund Manager, Junior Fund Manager, Director (CEO) of SBD, and key function holders, i.e., Head of Risk Management, Head of Actuarial Function, Head of Compliance, Head of Audit Function) |
GDPR Article 10, GDPR Article 6 (1)(c), LLPPD Article 3 (1) and Article 5 (1), Law on Markets in Financial Instruments Article 17 (1), 17(2)(1), 17(3), Law on Banks Article 34 (10), 34(14), Law on Collective Investment Undertakings Article 9 (4)–(5), Resolution No. 03-181 of the Board of the Bank of Lithuania of 14/11/2023, Law on Insurance Article 22 (5) |
||
Criminal record (applies to the assessment of suitability of Bank managers and key function holders as regards compliance with the requirements set out in Article 34(12)(1) and (13)(1)–(2) of the Law on Banks of the Republic of Lithuania). |
GDPR Article 10, GDPR Article 6 (1)(c) and (3), LLPPD Article 3 (1) and Article 5 (1), Law on Banks Article 34 (2), 34(12)(1) and 34(13)(1)–(2) |
||
Criminal record (applies to other Bank staff) |
GDPR Article 10, GDPR Article 6 (1)(c) and (3), LLPPD Article 3 (1) and Article 5 (1), Law on Banks Article 34(10) and 34(14) |
||
Administrative offences (applies to employees of the Bank’s brokerage function who provide investment advice and take orders from clients, Director (CEO) of SBAM and investment decision makers at SBAM, i.e., members of the Investment Committee, Head of Investment Management Division, Head of Share and KIS Group, Head of Bond Group, Fund Managers, Junior Fund Managers), Director (CEO) of SBD, key function holders, i.e., Head of Risk Management, Head of Actuarial Function, Head of Compliance, Head of Audit Function) |
GDPR Article 6 (1)(c), Law on Markets in Financial Instruments Article 17 (2)(2), Resolution of the Board of the Bank of Lithuania on the approval of regulations of the assessment of managers of supervised financial market participants and their persons carrying out the main functions, No. 03-181.
|
||
Assessment of the Candidate, for the purpose of ensuring compliance with the legal requirements for managers (applies to members of the Supervisory Council of the Bank, members of the Board, the Chief Executive Officer and Deputy Chief Executive Officer, the Head of Internal Audit Division, the Director (CEO) of SBAM, and investment decision makers, i.e., members of the Investment Committee, Head of Investment Management Division, Head of Share and KIS Group, Head of Bond Group, Fund Managers, Junior Fund Managers, Director (CEO) of SBD, and key function holders, i.e., Head of Risk Management, Head of Actuarial Function, Head of Compliance, Head of Audit Function)
Manager Form approved in accordance with the requirements of the Bank of Lithuania and the data collected, for example: name and surname, former surname, email address, national identification number, date of birth, place of birth, nationality, former passport, identity card details, residential and correspondence address, phone number, education, professional qualifications, work activities over the last 10 years, specific knowledge that could be useful while working for a financial market participant, acquired while holding the specified position, civil actions, administrative and criminal proceedings against both individuals and controlled companies, bankruptcy of the natural person, legal entity, restructuring, managed companies (if any) (respective percentage values, position held), financial results of companies; positions held with other employers, legal entities whose participants are related persons, relatives, private interests, financial liabilities, and other information and documents relevant to the assessment and issuance of the permit by the Bank of Lithuania |
GDPR Article 6 (1)(b), GDPR Article 6 (1)(c), GDPR Article 10 Resolution of the Board of the Bank of Lithuania on the approval of regulations of the assessment of managers of supervised financial market participants and their persons carrying out the main functions, Law on Collective Investment Undertakings Article 9 (4) |
Transferred to the Bank of Lithuania/European Central Bank if necessary |
|
Data relating to sanctions applied/not applied (applies to the Bank’s managers (i.e., members of the Bank’s Supervisory Council, members of the Board of the Bank, the Chief Executive Officer and his/her deputies, the Head of Internal Audit Division), the Bank’s key function holders (i.e., the Head of Risk Management Function (CRO), Head of Compliance Function (CCO), Head of Internal Audit Function, Chief Financial Officer (CFO), Chief Information Officer (CIO)), members of the Board of the Group companies, Chief Executive Officers (CEOs) of the Group companies, key function holders of the Group companies (Head of Audit Function, Head of Risk Management Function, Head of Actuarial Function, Head of Compliance of SBD)
Data collected in accordance with the requirements of the Bank of Lithuania: name, surname, date of birth |
GDPR Article 6 (1)(b), GDPR Article 6 (1)(c), Resolution of the Board of the Bank of Lithuania on Approval of Instructions to Financial Market Participants on Implementation of International Sanctions (sub-paragraph 9.4.2) |
Transferred to the Bank of Lithuania/European Central Bank if necessary |
until the end of the employment relationship or term of office |
For Candidates where at least one employer is SBAM – the information on the list of securities owned, for example: type of securities, name of securities, ISIN, number of securities, custodian, name and surname of security holder |
GDPR Article 6 (1)(b), GDPR Article 6 (1)(c), Rules on the Organisation and Operation of Management Companies Articles 61–64 |
Transferred to the Bank of Lithuania/European Central Bank if necessary |
10 years after the end of the employment relationship |
Data relating to qualifications, professional skills, and professional qualities obtained while working for the current employer |
GDPR Article 6 (1)(a) |
These data are not transferred |
|
Data relating to qualifications, professional skills, and professional qualities obtained while working for the former employer |
GDPR Article 6 (1)(f) (legitimate interest provided for in LLPPD[2] Article 5 (2), checking the suitability of the Candidate) |
These data are not transferred |
|
[1] GDPR Article 6 (1)(a) the Candidate’s consent; (b) performance of the employment contract or other agreement concluded with the Candidate; (c) compliance with our legal obligations; (f) legitimate interests of the Bank Group or other persons.
[2] Law on Legal Protection of Personal Data of the Republic of Lithuania
7.2. Selection/assessment of Interns
The data listed below are collected about Interns.
What categories of data do we collect? |
What are the legal grounds for collecting information about me? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|
Name(s), surname(s) |
GDPR Article 6 (1)(a), GDPR Article 6 (1)(b) |
We do not transfer these data to other controllers |
If no internship contract has been concluded with the Candidate by the end of the selection process/while the selection process is in progress (applies to CV) |
Address (place of residence) |
|||
Mobile or other telephone number |
|||
Email address |
|||
CV information (education, training, previous internships, workplaces) |
|||
Information about the assessment of the Candidate |
GDPR Article 6 (1)(b) |
These data are not transferred |
7.3. Selection of Candidates for the Supervisory Council
The data listed below are collected about Candidates to the Supervisory Council of the Bank and, where explicitly stated, their relatives. In order to comply with the requirements of the legislation, we are required to provide the Bank of Lithuania/European Central Bank with the information about you listed below.
What categories of data do we collect? |
What are the legal grounds for collecting information about me? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|
CV information (education, language skills, training, previous workplaces, personal characteristics) |
GDPR Article 6 (1)(a), GDPR Article 6 (1)(b) |
Bank of Lithuania/European Central Bank |
If no employment contract has been concluded with the Candidate by the end of the selection process/while the selection process is in progress |
8. Concluding the contract
8.1. Concluding the employment contract/maintaining employment relationship
What categories of data do we collect? |
What are the legal grounds for collecting information about me? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|
Name(s), surname(s) |
GDPR Article 6 (1)(b), GDPR Article 6 (1)(c) |
State Social Insurance Fund Board (Sodra) |
50 years after the end of the contract |
National identification number |
|||
Commencement of duties |
|||
Type of contract |
|||
Mobile or other telephone number |
These data are not transferred |
||
Email address |
|||
Address (place of residence) |
|||
Position |
|||
Job functions |
|||
Wages |
|||
Trial period |
|||
Other information provided in the employment contract |
|||
Information provided in the document certifying education (educational institution, degree, etc.) |
10 years after the end of the business relationship |
||
Name(s), surname(s), national identification number(s) of the minor child(ren) (in the case of a single parent, details of the document certifying this) |
|||
Medical certificate/personal health history/other document certifying health condition (disability, etc.) |
|||
Driving licence (if required to perform job functions) (applies for a driver’s position) |
These data are not retained |
9. Information about Candidates (including Candidates for the Supervisory Council of the Bank) and their relatives and how the Bank Group processes personal data
9.1. Ensuring compliance with the legal requirements for Candidates (including Candidates for the Supervisory Council of the Bank)
More detailed information about the processing of data is provided to the Candidates (including Candidates for the Supervisory Council of the Bank) in the Bank Group’s internal information documents upon the conclusion of their employment or other contracts.
What categories of data do we collect? |
What are the legal grounds for collecting information about me? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|
Details of the Candidate’s (including Candidates for the Supervisory Council of the Bank) immediate family (degree of relationship, name(s), surname(s), year of birth, place of work, position) |
GDPR Article 6 (1)(c), GDPR Article 6 (1)(f) (the Bank Group’s legitimate interest in ensuring compliance with legal requirements when specific data for the performance of a legal obligation are not specified in the applicable legislation), Law on Banks Article 34 (10) and (12), paragraphs 8.3 and 8.7 of the Regulations for the Organisation of Internal Control and Risk Assessment (Management) of the Bank of Lithuania Paragraph 42 of the Regulations for Assessment of Heads and Key Function Holders of Financial Market Participants Supervised by the Bank of Lithuania |
These data are not transferred |
If no employment or other contract has been concluded with the Candidate by the end of the selection process/while the selection process is in progress, 10 years after the end of the employment relationship or office |
9.2. Other cases where data on members of the Board of the Bank, members of the Supervisory Council of the Bank and their close relatives are processed
Why do you collect information about me? |
What kind of information do you collect about me? |
What are the legal grounds for collecting information about me? |
To whom do you transfer information about me? (Controllers) |
How long do you retain information about me? |
---|---|---|---|---|
Controls on trading in financial instruments |
Name(s), surname(s), surname(s) given at birth, national identification number, date of birth, personal and work mobile or other telephone number, address, companies controlled. Information about immediate family (degree of relationship, name(s), surname(s), year of birth or national identification number, companies controlled, position held) |
GDPR Article 6 (1)(c), Market Abuse Regulation Articles 18 and 19 |
Bank of Lithuania
|
5 years from the date of updating the lists and from the date of notification |
Name(s), surname(s), details of the financial instrument transaction |
Nasdaq |
|||
Ensuring compliance with the requirements of internal lending and lending to affiliates of the Bank Group |
Name(s), surname(s), national identification number and/or date of birth, address, mobile or other telephone number, email address, companies controlled, number of shares held, position held Information about immediate family (degree of relationship, name(s), surname(s), year of birth or national identification number, companies controlled, number of shares held, position held), details of the transaction |
GDPR Article 6 (1)(c), Law on Banks Articles 52 and 53, Law on Corporate Income Tax Article 40 |
Bank of Lithuania (PRDB) |
Retained for 10 years |
10. Processing of data of unsuccessful Candidates for employment, Interns for the purpose of submitting future job/internship offers
In cases where you apply for a specific job/internship position at the Bank Group but are not offered a job/internship, we may ask you to consent to the processing of your personal data for the purpose of offering you a job/internship at the Bank Group in the future, when we consider you to be a suitable candidate for a specific job/internship position at the Bank Group.
What categories of data do we collect? |
What are the legal grounds for collecting information about me? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|
Name(s), surname(s), mobile or other telephone number, email address, CV information (education, language skills, training, previous jobs, personal characteristics) |
GDPR Article 6 (1)(a) |
We do not transfer these data to other controllers
|
12 months from the date of consent |
11. Survey of Candidates, Interns on selection evaluation
In order to assess and improve the Bank Group’s selection processes for candidates for employment and internship, personal data shall be processed by sending surveys to the contacts provided by the Candidates. If the Candidate does not wish to have his/her personal data processed in this way, he/she has the right to object to such processing by sending an email to the address specified in Clause 18 of these Rules.
What are the purposes of the processing? |
What categories of data do we collect? |
What is the legal basis that allows us to collect this information about you? |
Who do we transfer data to? (Controllers) |
How long do we retain the data? |
---|---|---|---|---|
Evaluation of the selection process for the Bank Group’s Employees or Interns through the Candidate, Intern survey |
Name(s), surname(s), email address, your evaluation of the selection process (score and opinion) |
GDPR Article 6 (1)(f) the Bank Group’s legitimate interest to assess and improve the success and efficiency of the selection process for Candidates for employment and Interns |
We do not transfer these data to other controllers
|
12 months after the end of selection |
12. Receipt and disclosure of data
Data of the Candidates are received from the Candidates themselves, their relatives, employees of the Bank Group, companies managing job portals, recruitment firms contracted by the Bank, various state and non-state registers and institutions and the public domain.
When a Candidate decides to apply for a specific position at the Bank Group via social networks (Facebook, LinkedIn), the following personal data of the Candidates from these social networks are received in the Teamtailor Candidate Management System integrated on the Bank’s website: name, surname, email address and mobile or other telephone number, if it is provided on the social networks.
Information about Candidates may be disclosed to processors engaged by us (intermediaries, service providers such as IT, accounting service providers or sub-contractors) so that they can carry out the processing of personal data entrusted to them in strict accordance with our instructions.
When processing Candidates’ personal data using the Teamtailor Candidate Management System integrated on the Bank’s website (Candidates submit their data when subscribing to job and/or internship offers, applying for a specific position in the Bank Group or, when Candidates’ data are provided by employees of the Bank Group or by recruitment firms contracted by the Bank, recommending Candidates as potential candidates or interns), Candidates’ personal data are disclosed both to the engaged data processor, i.e., Teamtailor AB (Teamtailor Candidate Management System), and to the sub-processors engaged by this processor: Amazon Web Service, Heroku, Google Ireland Limited; Intercom, Datadog Inc; Google Firebase Cloud Messaging; Section.io; Apple Inc. Candidates should note that the sub-processors used by Teamtailor are subject to change and you can find up-to-date information on the sub-processors used by Teamtailor at the following address: https://support.teamtailor.com/en/articles/4723968-list-of-sub-processors-for-customers-using-our-eu-region.
In addition, we may disclose information about Candidates:
- if we are required to do so by law;
- to protect our rights or interests;
- when we intend to sell part of the Bank Group’s business or part of its assets, in which case personal data of the Candidates may be disclosed to a potential buyer of the business or part of it;
- following the sale of the Bank Group’s business or a substantial part of its assets to a third party.
Except as provided in these Rules, we do not provide your personal data to any third parties.
The list of recipients or categories of recipients referred to in the Rules is subject to change, so if you wish to receive personal data processing information, please contact us using the contact details set out in Clause 18 of these Rules.
Where these Rules refer to Article 6 (2)(b) (performance of a contract) or Article 6 (2)(c) (fulfilment of a legal obligation) of GDPR as the legal basis for processing the data, the data processed shall be necessary to achieve the specified purposes.
13. Transfer of data to third countries[1]
Please note that when Candidates’ personal data are processed using the Teamtailor Candidate Management System integrated on the Bank’s website, Candidates’ personal data are transferred to a third country (the United States of America), to the processors/sub-processors engaged by Teamtailor AB, as indicated in the table below. Please note that the European Commission’s decision does not recognise the US as having an adequate level of data protection.
Sub- processor |
Nature of services |
Place of establishment |
Country of data storage |
Reference to a document establishing appropriate safeguards under GDPR Article 46 (2) |
---|---|---|---|---|
Amazon Web Service |
Database storage |
USA |
Ireland |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) [ https://d1.awsstatic.com/Controller_to_Processor_SCCs.pdf_] |
Heroku |
Cloud computing (remote server) services |
USA |
Ireland |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) [_https://www.salesforce.com/eu/blog/2021/09/salesforce-dpa-update-contractual-clauses.html_] |
Google Ireland Limited |
Google Analytics cookie to monitor advertising campaigns, visitor numbers and behaviour |
USA |
Ireland/US |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) |
Intercom |
Customer support chat, sending emails and newsletters |
USA |
USA |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) [__https://www.intercom.com/legal/data-processing-agreement_] |
Datadog |
Log management |
USA |
Germany |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) [ https://www.datadoghq.com/pdf/Datadog_GDPR_Data_Processing_Addendum_v2.0_2021.09.27.pdf_] |
Push notifications for Android |
USA |
USA |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) |
|
Harmonising the delivery network |
USA |
USA |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) [https://www.section.io/docs/about/terms-of-service/data-processing/] |
|
Push notifications for Apple |
USA |
USA |
Standard data protection clauses approved by the European Commission (GDPR Article 46 (2)(c)) |
[1] Third countries are: all countries that are not members of the European Union and the European Economic Area.
To ensure equivalent protection of personal data when transferring personal data to third countries to that afforded in the European Union, not only are there contracts setting out the terms and conditions for the transfer of personal data in accordance with the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission by Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, but also in the light of the jurisprudence of the Court of Justice of the European Union there are also additional safeguards in place in order to ensure that the effectiveness of the standard safeguards is guaranteed:
- all data traffic is transmitted over an encrypted connection;
- all documents are also encrypted at rest;
- root accounts are not used;
- we use servers located in the territory of the European Union (except where personal data are processed by sub-processors Google Ireland Limited, Intercom; Google Firebase Cloud Messaging; Section.io; Apple Inc.);
- two-factor login applies to all employees;
- in the case of using Google Analytics, measures have been implemented to anonymise the IP address;
- contractual measures obliging sub-processors to immediately send notices of any requests for disclosure of processed personal data received, where this is permitted by law.
14. Rights of the Candidates
This section provides information on Candidates’ rights in relation to the processing of their personal data and when Candidates can exercise these rights. If you wish to obtain more information about your rights as a Candidate or to exercise your rights as a Candidate, you may contact us using the contact details set out in Clause 18 of these Rules.
- The Candidates have the right to be informed about what data are collected and used and to request access to or a copy of the data (right of access).
- The Candidates have the right to have inaccurate data rectified and incomplete data completed, taking into account the nature of the collection and use of the data (right to request rectification).
- The Candidates have the right to have their data removed if there is a legitimate reason for this (right to be forgotten).
- The Candidates have the right to request that the collection and use of their data be restricted, provided that the statutory criteria are met (right to restrict processing);
- Subject to statutory criteria, the Candidates have the right to receive the data they have provided in a structured, commonly used and computer-readable format and to have it transferred to another data controller or, where technically feasible, the Candidates may request that the data be transferred (right to data portability);
- The Candidates have the right to object to the collection and use of data – only where the collection and use are based on legitimate interest (Article 6(1)(f) of the GDPR) (right to object). The basis on which personal data are processed is indicated under the specific purpose of processing.
- The Candidates have the right to withdraw their consent at any time. Such withdrawal shall not affect the lawfulness of the collection and use based on your consent prior to the withdrawal.
The Candidates shall be provided with information on the actions taken following their request for the exercise of their rights without undue delay, but not later than within one (1) month of receipt of the request. Depending on the complexity of the request and the number of requests received, this deadline may be extended by a further 2 (two) months. In this case, the Candidate shall be informed within one (1) month of receipt of the request of such extension and the reasons thereof. The exercise of Candidates’ rights may only be denied in cases provided for by law.
15. Complaints
If the Candidate believes that his/her rights as a person have been and/or may be violated, he/she is urged to contact us immediately using the contact details set out in Clause 18 of these Rules. Upon receipt of a complaint from a Candidate, the Candidate shall be contacted within a reasonable period of time to inform him/her of the progress of the investigation of the complaint and, subsequently, of the outcome.
If the Candidate is not satisfied with the results of the investigation, he/she may lodge a complaint with the supervisory authority – State Data Protection Inspectorate (www.vdai.lrv.lt, L. Sapiegos g. 17, Vilnius, www.vdai.lrv.lt, tel. (+370 5) 271 28 04, 279 1445).
16. Liability
The Candidate is responsible for maintaining the confidentiality of the data he/she provides to us and for ensuring that the data he/she provides to the Bank Group are accurate, correct and complete. In the event of a change in the data provided by the Candidate, the Candidate must immediately inform the Bank Group at personal@sb.lt. The Bank Group shall in no event be liable for any damage caused to the Candidate as a result of the Candidate’s provision of incorrect or incomplete personal data, or for the Candidate’s failure to notify the Bank Group of any change in such data.
17. Changes to the Rules
The Group company may update or change these Rules at any time. Such updated or changed Rules shall become effective upon posting on the Bank’s website. The Candidate should check them from time to time to make sure that he/she is satisfied with the current version of the Rules.
In the event of an update of the Rules, Candidates shall be informed of the material changes by posting them on the Bank’s website.
18. Our contacts
In case of any questions, requests or comments regarding these Rules, the processing of personal data, complaints or any other issues related to the protection of personal data in the Bank Group, please contact us using the following contacts:
Joint Stock Company Šiaulių Bankas
Tilžės g. 149, LT-76348 Šiauliai
Email: info@sb.lt
Tel. 1813 or +370 37 301 337 (calls from abroad)
or
For data protection issues:
personal@sb.lt