Privacy Notice for Candidates
1. Purpose of this privacy notice
The Viking group companies, including Viking Ocean Cruises II, Ltd. and Viking River Cruises, Ltd. and all their affiliated companies (collectively, "Viking" or "we"/"us"/"our"), consider the privacy and security of personal data a very important issue and are committed to respect your data privacy rights.
This notice describes how, when and why Viking collect and process personal data about you when you interact with Viking as a candidate. Furthermore, it sets out the rights you have in relation to such personal data.
This notice applies to any individual applying for one or more positions at Viking.
2. Data controller; Global Compliance Officer
The data controller is the legal entity which is responsible for the personal data collected from you. For the purposes of applicable data protection law, the controller of your data will be the Viking affiliate where you are applying for a position.
If you have any questions about how we process your personal data, please feel free to contact the respective data controller and/or Global Compliance Officer. The Global Compliance Officer may be contacted at firstname.lastname@example.org.
3. Kind of personal data we hold about you
Personal data means any information, by itself or combined with other information, that identifies or could reasonably be used to identify you. It does not include any data which has been anonymized so that you can no longer be identified from it. There are special categories of more sensitive personal data which are subject to higher level of protection.
3.1 Recruiting and application handling
We collect and process personal data in connection with the recruitment process at Viking. We may collect, store and use the following categories of personal data:
- Personal details and identification data such as name, title, gender, addresses, telephone numbers, email addresses or other contact details, date and country of birth, photo, citizenship and nationality;
- Skill and experience details such as information about your current and previous positions, education records, training courses, qualifications and certifications, work achievements, language skills, contact details of referees, results of capability assessments and interview assessment/feedback, CV, other relevant information regarding the position you are applying for, and any other information you disclose to us as part of your job application;
- Where relevant, behavioral information and information about personality traits such as data collected to assess a candidate's suitability;
- If you apply via the online portal, the additional following categories of personal information about you: username and data required for log-in; log in frequency and activity; what software, devices or hardware you use to access your profile; your profile preferences and other forms you may complete in the online profile; any privacy or communication channel and frequency preferences[SC1] ;
- Interview history, questions, notes, electronic and physical communication information (such as in- and outbound emails, chat or other instant messaging, faxes, phone meta data, etc.), assessment performance data, technical assessment results, cognitive tests, phone interview recordings/notes and video interview recordings/notes, if applicable;
- CCTV footage from attendance at any EPAM sites where we control the CCTV systems;
- Information to assess your right to work in the hire location, such as your nationality, work permit status including documentary evidence subject to local law and explicit consent, where required.
If you accept a role with Viking, we will also collect data necessary for the employment contract conclusion and onboarding process of the successful candidates such as:
- the applicable government-issued personal identification number (national ID number or national insurance number);
- family information (such as marital status and data of your related persons as well as details of any family or personal relationships within Viking);
- other personal information in connection with the onboarding process such as signature, bank account details, emergency contacts, social security number, insurance data, copy of work permit, proof of your qualifications.
3.3 Sensitive Data
In some cases, the personal data that we collect and process will also include "sensitive personal data" according to the Swiss FADP or "special categories of data" according to GDPR ("Sensitive Data"), in each case where permitted by applicable law only, e.g.
- diversity related information about ethnical origin, religious and philosophical beliefs, health data, trade union membership, etc., where this is used to secure equal opportunity and treatment for all candidates and employees in Viking, in accordance with the local law;
- health data to be used to assess the ability to work and assess and implement any reasonable adjustments as required by law;
- information on criminal proceedings and sanctions as well as information required to undertake required checks for criminal activities (e.g. money laundering, corruption, terrorist financing and related matters), either if this is required by the local law or if the role for which the candidate apply implies a special position of trust and if any criminal acts would have a direct influence on the employment relationship (e.g. in case of a role for senior executives);
- financial information (e.g. summary credit history, bank account details, tax-related information), if and to the extent that such information is relevant for the suitability or performance of the employment relationship (e.g. in case of a role for senior executives).
3.4 Third party personal data
Before providing us with any information about your family or any other third party, if you intend to do so as part of your application (e.g. emergency contacts or referees) you must inform the relevant individuals that you will disclose their personal data to us and provide a copy of this notice to them.
4. How your personal data is collected
When you apply for one or more open positions at Viking or you submit a generic application, we collect personal data about you as follows:
- Directly from you, such as using our online portal or submitting applications, email applications or at a recruitment fair;
- From recruitment agencies, if you submit your application through them and have agreed for them to provide us with your application information (they determine what information they want from you and they shall provide you with their own privacy notice);
- From publicly available sources such as third party websites and job boards that you have used to seek employment;
- From current Viking employees or third parties, with your consent;
- From third party websites or platforms that help us verify employment history from publicly available sources.
5. How your personal data is used
We collect only your personal data which we need for a specific purpose. Your personal data collected during your job application will be used only to the extent this is relevant to achieve that purpose and shared only with the employees and third parties that are directly involved in the recruitment processes for the specific position.
In particular, we process personal data of candidates for the following purposes, within applicable legal framework:
- Allowing you to register, set up and maintain an online profile, if you apply via the online portal. (Legal basis: necessary for entering into a contract with you.)
- Evaluating of your application and your suitability for the role you applied to by reviewing all data we have collected from you. (Legal basis: necessary to safeguard our legitimate interest; grounds according to section 6 below in case of Sensitive Data such as health data or diversity related information.)
- Getting reference information, e.g. from your current or former employer. (Legal basis: consent.)
- Progressing and handling your application, such as contacting you, conducting assessments and interviews, determining the suitability of a candidate's qualifications, maintaining information on the status of your application, etc. (Legal basis: necessary to safeguard our legitimate interest; grounds according to section 6 below in case of Sensitive Data such as health data or diversity related information.)
- Carrying out background checks on the candidate as part of the employee onboarding process, in general for specific functions, roles or locations. This includes, e.g.
- verifying your skills, qualifications and background for a particular role, verifying any existing or potential conflicts of interest or any other restrictions which may otherwise restrict or prevent your employment with Viking (Legal basis: necessary to safeguard our legitimate interest),
- verifying your financial and other information, if this is relevant for the suitability or performance of the employment relationship (Legal basis: necessary to safeguard our legitimate interest),
- verifying your criminal records, if this is required by the local law or is relevant for the suitability or performance of the employment relationship (Legal basis: necessary to comply with legal obligations, where applicable, or grounds according to section 6 below).
- Making a decision about your recruitment and choosing the candidate who is the most suitable for the open job position. (Legal basis: necessary to safeguard our legitimate interest; grounds according to section 6 below in case of Sensitive Data.)
- Onboarding the successful candidate, e.g. by collecting information required to complete the employee onboarding process, creating and signing the employment contract and other employment documentation, managing the HR records and updating the employee database (e.g. keeping your application data on file), creating the necessary accounts in our information systems, providing you access to the Viking premises, providing mandatory notifications to authorities, providing you with equipment, training and information required for the position you have been recruited. (Legal basis: necessary to take pre-contractual steps or to perform our contractual obligations towards you; grounds according to section 6 below in case of Sensitive Data.)
- Managing external providers in the recruiting process and application handling, e.g. recruitment agencies, and in the onboarding process, e.g. insurance companies, pension funds. (Legal basis: necessary to safeguard our legitimate interest; grounds according to section 6 below in case of Sensitive Data such as health data or diversity related information.)
- Keeping you informed and communicating with you about any actual or potential job vacancy, if you have opted in for it. (Legal basis: consent.)
- Carrying out audits, reviews and compliance checks to monitor the quality of the recruitment process and website, including compliance with Viking's corporate policies and legal requirements. (Legal basis: necessary to safeguard our legitimate interest.)
- Responding to complaints, processing related questions, exercising or defending legal claims or executing our duties, vis-à-vis you or third parties, on the basis of legitimate interest of Viking. (Legal basis: necessary to safeguard our legitimate interest; grounds according to section 6 below in case of Sensitive Data.)
- Complying with any legal and regulatory obligations imposed on Viking in relation to its recruitment practices such as governmental reporting requirements as well as replying to any actual or potential proceedings, requests or the inquiries of a public or judicial authority, e.g. if Viking is under a duty to disclose personal data to comply with any legal obligation. (Legal basis: necessary to comply with a legal obligation.)
- Ensuring the security of buildings, property and information located or stored on the premises and preventing unauthorized access to secure premises, e.g. maintaining building access logs and CCTV system images. (Legal basis: necessary to safeguard our legitimate interest.)
To the extent applicable under the applicable data protection laws, we use your data where we have identified a legal basis for our use or where an exception applies that means we can use your data without identifying a legal basis. Where required by the applicable data protection laws, the legal bases we rely on to use, store, process and share your data may include: (a) Performance of a contract; (b) Legitimate interests: We use your data where it furthers our legitimate interest in developing our business, as long as our legitimate interest is not outweighed by any negative impact on your rights and freedoms; (c) Legal obligations: We use your data so that we can comply with our legal obligations (such as ensuring your health and safety or complying with labor laws). To the extent applicable, we may also rely on the following grounds to process your information: where your consent can be lawfully provided under the applicable data protection laws, where necessary to protect the vital interests of any individual in a life-or-death situation, and if widely considered to be in the public interest.
6. Use of Sensitive Data
Where we process Sensitive Data (see in particular sections 3.3 and 5 above), this processing is always done fairly and lawfully in ways that would be reasonably expected and on the basis of legal grounds for processing provided by the applicable law, e.g. in case of applicable GDPR when: (i) you have given explicit consent; (ii) the personal data are manifestly made public by you; (iii) processing is necessary to meet obligations or exercise rights in applicable law relating to employment, social security, and healthcare; (iii) processing is necessary to establish, exercise or defend legal claims; (iv) processing is necessary for the assessment of your working capacity; (v) processing is necessary for reasons of substantial public interest.
7. Failure of the candidate to provide information
You are not obliged to provide personal data to us during the recruitment process. However, if your profile is incomplete and/or inaccurate, we may not be able to process your application properly or at all and your application may be rejected.
8. Data sharing
We only share your personal data with the following categories of persons:
- The recruitment team and employees of Viking and the Viking affiliates that are directly involved in the recruitment and/or onboarding process for the specific position and any future recruitment processes, as the case may be;
- Third party service providers involved in the recruitment and/or onboarding process, who are contractually bound to confidentiality, such as our IT system or hosting providers, cloud service providers, social media platforms, database providers, consultants (including the recruitment agency whom you used to apply to Viking, lawyers etc.), third party providers who carry out pre-employment checks and assessments on candidates, and insurers. In these cases, we take steps to ensure that the service providers meet our data security standards, so that your personal data remains secure: they are contractually obliged to handle your personal data only for specific purposes pursuant to this notice and in accordance with our instructions, and to comply with the applicable data protection laws and certain technical and organizational security measures, including measures relating to IT management, risk assessment and measures (e.g. physical controls, logical access controls, malware and hacking protection; data encryption measures, backup and recovery management measures) in line with our policies;
- The referees provided on your application to Viking;
- Authorities (administrative bodies or courts or party to proceedings) where we are required to disclose information by applicable law or at their request, or to safeguard our legitimate interests, or to comply with a contractual obligation with you.
We only transfer your personal data outside the EEA, whether to Viking affiliates or third parties, (i) to countries which are deemed to provide an adequate level of data protection as per the EU Commission decision or, in the absence of such legislation that guarantees adequate protection, (ii) based on appropriate safeguards that Viking has in place, including contractual measures, e.g. standard contractual clauses adopted by the European Commission and recognized by the competent Data Protection Authority; a copy of those clauses is available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) or another statutory exemption provided by local applicable law.
9. Data security
We are committed to protecting your personal data from unauthorized access, use or disclosure. We have put in place appropriate security measures to prevent your data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. We maintain organizational, technical, and physical safeguards to help protect the data we collect from you, store, process and use, including firewalls, anti-spamware and anti-malware tools, anonymity protocols, encryption and limited access controls. These safeguards vary depending upon a variety of factors, including the sensitivity of the data. Where any data is stored in hard copy, the paper documents and copies are stored in secure premises.
Our IT systems are protected against unauthorized access with various level of controlled and password protected access rights. We limit access to your data to those personnel and third parties on a need-to-know basis, i.e., who need the access in order to fulfill the tasks and duties relating to service provision. Access to any Sensitive Data (such as health-related data or any Sensitive Data required by local legislation) will usually be limited to persons making decisions, typically the recruitment team. Additionally, all service providers are permitted to process your data based on Viking's instructions, and they are subject to a duty of confidentiality.
Despite all reasonable practices, no security method is infallible. We have implemented procedures to deal with any actual or suspected data security breach and will notify you and any applicable regulatory authority about a breach where we are legally required to do so.
10. Automated processing of your data
We may use automated processing methods to make a decision based on your personal data. The logic for making this decision is based on the requirements of the job description and whether your experience and background meet those requirements so that your application may be rejected if your profile does not meet the minimum requirements of the job description. In case we use automated processing methods, you have the right to request to be informed accordingly, to request that a natural person reviews the related decision where such decision is exclusively based on such processing and to contest the decision by submitting a data subject request.
11. Data retention
We store data you provide to us on different IT systems in the countries we operate in around the world.
We will only keep your personal data for as long as reasonably necessary to fulfill the purposes we collected it for (as long as our legitimate interest or your consent, as applicable, remains valid) or to comply with legal or internal policy requirements, whichever is longer. In general, although there may be exceptions due to local legal requirements (e.g. based on tax law), data relating to unsuccessful candidates for roles within Viking is kept for 24 months after the date on which we notify you that your most recent application has been unsuccessful. Any maximum storage term set forth by applicable law will prevail. In case of employment contract conclusion, we will process your personal data according to the "Privacy Notice for Crew and Personnel" of Viking which will be provided separately upon employment. After the retention period, your personal information will be deleted or anonymized.
Regarding CCTV, we keep recorded footage for as long as permitted and/or required by the applicable data protection laws. After that time period, any CCTV recorded footage is automatically deleted unless it is evidence in an on‑going investigation or retention is otherwise required by law.
12. Your data and privacy rights
You may have the following rights under the applicable data protection law depending on the jurisdiction in which you are located and in which your personal data is processed:
- Right to request access to your personal data. This enables you to receive a copy of the data that we hold about you and to check that we are collecting and using it lawfully;
- Right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you completed or corrected;
- Right to request erasure of your personal data. This enables you to ask us to delete or remove data where there is no good reason for us continuing to use it. You may also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below or in limited other circumstances);
- Right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party), provided our reasons for the processing don't outweigh any prejudice to your data privacy rights;
- Right to request the restriction of collecting or using your personal data. This would enable you to ask us to suspend using personal data about you, for example, if you want us to establish its accuracy or the reason for using it;
- Right to request to port your personal data to a new supplier;
- Right to withhold or withdraw your consent for the processing of your personal data, if we rely on consent as our legal basis for using your data.
If you would like to exercise any of your data and privacy rights (depending on the specific rights you may have under the applicable data protection law), or if you have any questions or concerns about how we have used your data, please contact the respective data controller and/or Global Compliance Officer (see section 2 above).
We will honor such requests, withdrawal or objection as required under applicable data protection law but these rights are not absolute: they do not always apply and exemptions may be engaged. Exercising your rights is free, but we may charge a reasonable fee or we may refuse to comply with your requests in case of multiple similar, consecutive requests or requests that are manifestly unfounded or excessive. We are also entitled to decline requests on statutory grounds, in which case we will inform you of that and the reasons for it. In order to meet your request, we may ask you to verify your identity and/or provide specific data to help us to ensure that your data is not disclosed to any person who has no right to receive it and to better understand your request.
You may designate an authorized agent to make a request on your behalf. When submitting the request, please ensure the authorized agent is identified as an authorized agent.
We will not discriminate against you because you made any of these requests.
If you wish to make a complaint about how we have handled your personal data, you may contact our Global Compliance Officer (see section 2 above).
If you are not satisfied with our response or believe we are processing your personal data against the law, you may also contact the Data Privacy Authority in the jurisdiction where you live or work or in the place where you believe an issue in relation to your personal data has arisen (for Switzerland see https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt.html; for EEA countries see https://edpb.europa.eu/about-edpb/about-edpb/members_en; for UK see https://ico.org.uk/global/contact-us/).
13. Changes to this notice
We reserve the right to update this notice at any time. We will take steps to provide you with notice when we make any updates to this notice that might have an adverse effect on you. We will communicate these in the usual way that we communicate with you.