In connection with recruitments with the LEGO Foundation, we process your personal data as stated in this policy in order to assess if you qualify as a candidate for a vacancy with us.
In connection with recruitments with the LEGO Foundation, we process your personal data as stated in this policy in order to assess if you qualify as a candidate for a vacancy with us.
We recommend that your application does not contain civil registration number (CPR) or any sensitive personal data such as information that reveals racial or ethnic background, religious beliefs, trade union membership, sexuality, health information etc. If a position, in exceptional cases, requires a specific health condition, we will, if required, following a specific assessment, ask for your consent to process such information, cf. Article 7 and 9(2)(a) of the General Data Protection Regulation (GDPR) and Section 11(2)(2) of the Danish Data Protection Act (databeskyttelsesloven).
See below for further information about the personal data we process when you apply for a position with us.
1. Contact information
The LEGO Foundation is the data controller in respect of the personal data collected and processed in connection with the processing of your application. Contact us here:
LEGO Fonden
Att.: HR & Capability Building & Finance
CVR no. 12458339
Højmarksvej 8
DK-7190 Billund
E-mail: [email protected]
2. Processing of your application
We process any information, including personal data, contained in your application and CV to evaluate your application.
This will typically be the following information: Name, address, photo, date of birth, gender, telephone number, e-mail address, marital status, education and training, career history, driver’s license information and recommendations/references.
If you are invited for a job interview, we will receive more information about you during this interview that we will use in the further recruitment process.
We use Article 6(1)(b) of the GDPR as our basis, as in this case, your personal data are processed prior to the conclusion of an employment contract. In addition, we process your information on the basis of Article 6(1)(f) of the GDPR with a view to pursuing our legitimate interest in conducting the recruitment process.
3. Information from Recruitment Agencies, Social media, etc.
As part of our recruitment process, we may receive information about relevant candidates for a position from external Recruitment Agencies and/or Head-hunters, if the Recruitment Agency and/or Head-hunter is entitled to share the information with us. We may also search the Internet for relevant and available information, including content on social media such as LinkedIn, Facebook, Twitter, Instagram, etc. We typically look for information about your previous employment, activities, competences and performance.
We use the provision on legitimate interest stipulated in Article 6(1)(f) of the GDPR as our basis for obtaining information about candidates from Recruitment Agencies and/or Head-hunters, social media, etc. We do this to be able to assess whether you have a profile that fits our company and the specific position.
4. Screening and background check
If we conduct a screening or a background check of you, the purpose is to ensure that there are no circumstances that may conflict with the position you have applied for. We always assess whether it is relevant in relation to the position in question, and you will be informed before a screening or background check is carried out.
The screening carried out is based solely on publicly available information (internet searches, content in public registers, media archives, information on social media, such as LinkedIn, Facebook, Twitter, Instagram, etc.) we process the personal data collected as part of the screening on the basis of the nature of the General Data Protection Regulation art. 6 (1) (f), as we have a legitimate interest in ensuring that your profile fits the position in question and that there are no circumstances that may conflict with the position you have applied for.
If a background check is conducted, our screening will, in addition to the information included in the screening, typically include information beyond what is publicly available. If it is relevant to the position you have applied for, we will obtain your consent in accordance with article 6 (1) (a) and article 9(2)(a) of the General Data Protection Regulation before the background study is conducted. You can withdraw your consent at any time by contacting us at the contact details above. If you withdraw your consent, it will only take effect from this point on. Therefore, it does not affect the lawfulness of our processing of the data up to the time when you withdraw your consent.
5. Information from personality tests, skills tests etc.
During the recruitment process for the position that you have applied for, you may be asked to complete a personality test, an aptitude test or similar, you will be informed once we have processed your application. We always assess whether it is relevant for the specific position.
The purpose of the tests is to assess your competences and qualifications as a potential employee, and if your profile fits the company and the specific position.
We process your personal data collected as part of the test on the basis of Article 6(1)(f) of the GDPR, as we have a legitimate interest in finding the most suitable candidates for the position. We will, however, use your consent under Article 6(1)(a) and art. 9 (2) (a) of the GDPR as our basis, if the relevant test contains sensitive personal data. You may withdraw your consent at any time. You do this by contacting us using the contact information above. If you withdraw your consent, such withdrawal does not take effect until the date of withdrawal. It therefore does not affect the legality of our data processing up to the time when you withdraw your consent.
6. Criminal record and child protection certificate
6.1 Criminal record
For some positions, we may obtain a criminal record. We always assess whether it is necessary to obtain a criminal record based on the relevant position. The aim is to ensure that you have not previously been convicted of a crime that may be relevant to the position, you are applying for.
We only obtain a criminal record when there are few candidates left for the position, or if you have been offered a position with us.
We use consent under Article 6(1)(a) of the GDPR as well as Sections 8(3) and 11(2)(2) of the Danish Data Protection Act as our basis when we obtain criminal records. You may withdraw your consent at any time. You do this by contacting us using the contact information above. If you withdraw your consent, such withdrawal does not take effect until the date of withdrawal. It therefore does not affect the legality of our data processing up to the time when you withdraw your consent. If it is a requirement for employment in the position that you can present us with a satisfactory criminal record, your withdrawal of consent before such a record is obtained may imply that you will not be considered for the position, or that the offer of employment will be withdrawn.
6.2 Child protection certificate
For some positions, we have to obtain a child protection certificate, if the position involves an opportunity to get in direct contact with children and young people under the age of 15, cf. Section 2(1) of the Act on the retrieval of a statement of previous convictions in respect of children on the appointment of staff (børneattestloven). We always assess whether it is necessary to obtain a child protection certificate based on the relevant position. The aim is to ensure that the candidate we hire has not previously been convicted under the provisions of the Danish Criminal Code (straffeloven) relating to sexual relations with children under the age of 15.
We only obtain a child protection certificate when you have been offered a position with us. In this connection, we will first ask for your consent for such processing.
We use consent under Article 6(1)(a) and Article 7 of the GDPR, Sections 8(3) and 11(2)(2) of the Danish Data Protection Act as well as Section 3 of the Act on the retrieval of a statement of previous convictions in respect of children on the appointment of staff as our basis when we obtain child protection certificates. You may withdraw your consent at any time. You do this by contacting us using the contact information above. If you withdraw your consent, such withdrawal does not take effect until the date of withdrawal. It therefore does not affect the legality of our data processing up to the time when you withdraw your consent. If employment in the relevant position requires that you can present us with a clean child protection certificate, your withdrawal of consent before such a certificate is obtained may imply that you will not be considered for the position, or that the offer of employment will be withdrawn.
7. Information from former employer or others
For some positions, it is necessary to obtain references from former employers, colleagues, personal network or similar. If we obtain such references, we may register the information that we receive.
We will obtain your consent using Article 6(1)(a) of the GDPR and 12 (3) of the Danish Data Protection Act as our legal basis for such processing, before we contact any references. In any case, we will obtain your consent to contact references if we want to obtain information of a more subjective nature (e.g. academic or social skills), sensitive information or information about criminal matters. Thus, we will use your consent based on Article 6(1)(a), 9(2)(a) of the GDPR and 12 (3) of the Danish Data Protection Act as our legal basis.
8. Copies of passports and other identification documents
In connection with the recruitment process we may arrange travel bookings or similar on your behalf and in such case, we may obtain information about your passport or other identification documents.
We use the rule on legitimate interest stipulated in Article 6(1)(f) of the GDPR as the basis for processing such data, as we need to process information about your passport or other identification documents in order to arrange for travel bookings on your behalf.
We use consent as stipulated in Article 6(1)(a) and Article 7 of the GDPR and Section 11(2)(2) of the Danish Data Protection Act as our legal basis if your documents contain information about your civil registration number (CPR).
9. Residence and work permit
It is a condition of appointment that you have a valid residence and work permit. To ensure this, we may ask for a copy of your passport in connection with your employment.
If, because of your citizenship, you need residence and work permits to work lawfully in Denmark, we also obtain copies of your residence and work permits via the Danish Agency for International Recruitment and Integration.
We use Article 6(1)(c) of the GDPR as our legal basis and Section 11(1)(1) of the Danish Data Protection Act when we obtain a copy of your passport and possibly work and residence permits, since we have an obligation to ensure this under Section 59(5) of the Danish Aliens Act (udlændingeloven).
10. Storage and deletion
10.1 If you are not offered a position/unsolicited application
If you are not offered a position, we will keep your application and any other personal data collected in connection with the recruitment process, including the results of your personality test, for a period of up to 6 months after the recruitment process is finished, unless you have given your consent to longer storage of such data.
If we have obtained a copy of your criminal record or your child protection certificate in connection with the recruitment process, we will not keep this record or certificate after the end of the recruitment process.
If we have obtained information about your passport or other identification documents in connection with the recruitment process, we will delete such information when they are no longer relevant for the purpose they were obtained for.
10.2 If you are offered a position
If you are offered a position, your application as well as additional personal data collected in connection with your appointment will be part of your employee file with us.
If we have obtained a copy of your criminal record in connection with the recruitment process, we will not keep that record after the end of the recruitment process. In connection with a possible appointment, we merely register that it was presented to us.
If we have obtained a copy of your child protection certificate in connection with the recruitment process, and you are offered a position, we will register in your employee file that this certificate was presented to us. However, the child protection certificate will be deleted after such registration.
11. If you choose to connect with The LEGO Foundation via the recruitment platform
If you choose to connect with the LEGO Foundation via the recruitment platform to be considered for vacant positions, receive relevant job postings and news, we process your personal data for these purposes.
If you use the Connect function, we may, depending on what you choose to share, process the following general personal data: CV, name, phone number, preferences, and your presentation of yourself.
We use Article 6 (1) (a) of the General Data Protection Regulation as the basis for processing your personal data, as the processing is based on your consent to receive relevant job postings and news.
If we review the connected candidates to fill a vacant position, we use Article 6 (1) (a) of the General Data Protection Regulation as the basis for the processing, as you have consented to be registered in the candidate database.
We process your personal data for six months or until you revoke your consent or delete the personal data on your profile.
12. Using our recruitment solution
When you access our recruitment platform, we use cookies to collect personal information about your behavior. We also use various plug-ins that make it easier for you to share content from our website on social media such as Facebook, Instagram, LinkedIn, etc. You can read more about this and get an overview of these third-party providers in the cookie overview, which can be accessed via our cookie policy https://thelegofoundation.teamtailor.com/cookie-policy/
We process your personal data in connection with your use of our website as described above and further described in our cookie overview. In connection with our use of necessary cookies, we process your personal data on the basis of Article 6 (1) (f) of the General Data Protection Regulation, as we have a legitimate interest in offering you a website that works.
If you consent to the use and placement of additional categories of cookies, we process your personal data in connection with this based on consent Article 6 (1) (a) of the General Data Protection Regulation.
You can read more about the use of cookies in our cookie policy https://thelegofoundation.teamtailor.com/cookie-policy. You can revoke or change your consent by rejecting cookies in the cookie overview or by blocking cookies in your browser's settings.
13. Other recipients that may process your data
In connection with the recruitment process, other people may receive your personal data. These can be public authorities or providers who deliver systems and assist with administrative functions, e.g.:
- Recruitment agencies
- Supplier of IT systems, including recruitment system
- KIRKBI HR Shared Service Center, assisting with employee administration.
- Providers of personality and aptitude tests etc.
- Providers of background checks
- Other third parties providing relevant services under a contract with LEGO Foundation
We may share personal data with providers of travel agencies, providing services in connection with travel bookings, administration, etc., airlines and advisors within various areas, including lawyers and accountants.
14. Transfer of personal data
In connection with the processing of your personal data for the purposes described in this policy, your personal data will be transferred to data controllers or data processors located in countries outside the EU/EEA, including LEGO Group units.
When we make such transfers, we will always take reasonable steps to ensure that your personal data are processed confidentially.
If your personal data are transferred to countries outside the EU/EEA, such transfer will take place on the following legal basis:
- Binding Corporate Rules
- The country has been approved by the European Commission as having an adequate level of security
- If the country has not been approved by the European Commission as having an adequate level of security, we will ensure transfer as follows:
- By transferring to a recipient certified under the EU-US Privacy Shield
- By using the European Commission's standard contractual clauses
- By obtaining your consent to such transfer
We use Microsoft Office 365 with data storage within the EU/EEA. However, data may be transferred or accessed from locations in third countries. Should this be the case, the transfer basis will be the standard contractual clauses of the European Commission.
15. Your rights
15.1 Rights of the data subject
According to the General Data Protection Regulation and the Danish Data Protection Act, you have certain rights.
- You have a right of access to the information that we process about you as well as certain other information
- You have the right to have inaccurate personal data concerning you rectified
- In special cases, you have the right to have personal data about you erased before our general erasure time
- In certain cases, you have the right to restrict the processing of your personal data
- In certain cases, you have the right to object to our otherwise legitimate processing of your personal data
- In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit such personal data from one data controller to another without hindrance (data portability)
If you want to exercise your rights, please contact us using the above contact information.
15.2 Complaint to the Data Protection Agency
You can complain about our processing of your personal data to the Danish Data Protection Agency. For the Data Protection Agency's contact information, see the Agency's website: www.datatilsynet.dk.
Version 3.0, May 2023