Privacy Notice

Processing of Candidate Employee Data

As the Controller of your personal data, Oikonomakis Law Firm, with its headquarters in Greece (Athens, Voukourestiou 18), is committed to protecting and respecting your privacy. 

This Notification regarding the Processing of Data of Candidate Employees defines the framework for the processing of personal data which you have made available to us through your CV, your social media profile where you applied to us (e.g., LinkedIn), or a partner recruitment platform (e.g., Workable, Indeed). It also covers data generated during the evaluation process of your application. These data are processed exclusively for the purpose of evaluating your candidacy and assessing your suitability for the position for which you applied, as well as for other available positions within the Firm. 

The processing of candidate personal data may be carried out by one or more entities of the Oikonomakis Law Firm. Where two or more group entities jointly determine the purposes and means of processing, they act as joint controllers within the meaning of Article 26 GDPR. When the involved entities act as joint controllers, specific information on their respective roles and responsibilities is provided to data subjects in accordance with Article 26 GDPR. 

A centralized data protection governance framework is in place, and requests under the GDPR may be addressed to the central data protection contact point at compliances@oikonomakislaw.com.

 

Legal Basis of Processing.

The legal basis for the processing of your personal data is that such processing is necessary:

  • Pursuant to Article 6 (1b) of the GDPR, for taking steps at your request prior to entering into an employment contract.
  • Furthermore, for positions based in Germany, processing is carried out in accordance with Section 26(1) of the German Federal Data Protection Act (BDSG), which regulates data processing for employment-related purposes explicitly in Germany.

 

Information we collect from you.

As part of the process mentioned above, we may process all or some of the following types of information from you:

  • All information is submitted during your application via recruitment platforms, email, or in-person interactions. This includes your CV, cover letter, and academic or professional transcripts.
  • Full name, contact details (email, postal address, phone number), date of birth, professional experience, seniority level, and qualifications.
  • If you participate in a digital interview via video conferencing tools, we may process your image and voice data.
  • A record of any correspondence or communication exchanged between you and the Company during the recruitment phase.
  • Documentation regarding your evaluation, interview performance, and your overall progress through the various stages of our recruitment process, including psychometric assessment results, evaluation scores, interviewer notes, and internal suitability indicators.
  • The Firm does not store raw questionnaire responses; only summarized assessment results made available through the recruitment platform are processed.

 

In addition, we inform you that if you provide us with letters of recommendation as part of the evaluation process, only after your consent will we contact the persons who sign the recommendations with the contact information you provide us.

Automated decision making.

As part of the process mentioned above, we may collaborate with professional recruitment partners and digital platforms to identify suitable candidates based on criteria expressly identified by us or considered essential to the role you have applied for. While the initial screening and identification of eligible profiles may involve automated processing tools (e.g., keyword matching or filtering by criteria), we ensure that such tools are used solely as supportive measures. All substantive decisions regarding which candidates will be shortlisted and contacted for further assessment are subject to meaningful human intervention by our authorized staff. The final evaluation and any decision to offer employment are never based solely on automated processing. Candidates may express their point of view and contest the outcome of any automated-supported assessment. No legal or similarly significant effects for the candidate arise solely from automated processing.

How long we keep your personal data.

In case your application is unsuccessful, we will retain your data for a period of six (6) months.

If you choose to have your CV retained to be re-evaluated if another relevant job position that fits your profile arises, with your permission, we will keep it for a period of 24 twenty-four months. For persons located in Germany, the retention period is limited to six (6) months.

However, your data may be deleted at an earlier time following your relevant request at compliances@oikonomakislaw.com

 

Disclosure of your information.

Only Oikonomakis Law Firm and the partner recruitment companies (only in the case that you have transmitted your data through a partner company) have access to your data in the context of your request, evaluation actions of your application for employment or professional cooperation. In addition, the recipients of your data are companies-providers of the electronic platforms through which we manage your nomination. The above companies act as processors of your personal data. They are contractually bound to comply with all the necessary personal data protection rules and to process your personal data with complete confidentiality and exclusively under our guidelines.

 

Transfers of personal data outside the European Economic Area

Where personal data of candidate employees are transferred to recipients located outside the European Economic Area (EEA), including in particular service providers supporting the operation of recruitment and applicant tracking platforms that may be based in the United States, such transfers are carried out in strict compliance with Chapter V of the GDPR.

In particular:

  • The transfer of personal data is based on the European Commission’s Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR, as incorporated into the relevant data processing agreements with our service providers.
  • Before any such transfer, and on an ongoing basis, Oikonomakis Law Firm has assessed the legal framework of the recipient country, the nature of the services provided, and the categories of personal data transferred, to determine whether the level of protection afforded to personal data is essentially equivalent to that guaranteed within the European Union.
  • The categories of personal data transferred may include, depending on the recruitment platform and the stage of the recruitment process, identification and contact data, professional background information, application materials, recruitment metadata, evaluation-related data, and system-generated technical data necessary for the platform’s operation, security, and support. No transfer of special categories of personal data is intended.
  • Where required, supplementary technical and organizational measures are implemented in addition to the SCCs, including, as appropriate, encryption of data in transit and at rest, access control mechanisms, role-based access limitations, logging and monitoring of access, and contractual obligations limiting access by third-country authorities to the maximum extent permitted by law.
  • The transferred personal data are processed exclusively for the purposes of supporting the recruitment process and strictly in accordance with our documented instructions. Our service providers are contractually prohibited from using the data for their own purposes.

Oikonomakis Law Firm continuously monitors the adequacy of these safeguards and will take additional measures or suspend transfers where necessary to ensure compliance with applicable data protection requirements.

 

Transfers to recruitment and applicant tracking system (ATS) providers.

Where the processing of candidate personal data is carried out through recruitment and applicant tracking system (ATS) providers, such as Workable, personal data may be transferred to and processed by sub-processors located outside the European Economic Area (EEA), including in the United States, solely for the purposes of operating, maintaining, and supporting the recruitment platform. Such transfers are based on the European Commission’s Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. They are subject to a prior assessment by Oikonomakis Law Firm of the nature of the data transferred, the categories of recipients, and the applicable legal framework of the recipient country. The data transferred through ATS platforms may include identification and contact details, application materials, professional and educational background information, recruitment-related metadata, evaluation-related data generated within the platform, and system-generated technical data. No special categories of personal data are intended to be transferred. Appropriate supplementary technical and organizational measures are implemented in accordance with the ATS provider’s security framework, including encryption, access controls, and contractual limitations on access to the data, to ensure a level of protection essentially equivalent to that guaranteed within the European Union.

Protection of Personal Data.

Considering the nature, the scope, the context, and the purposes of the processing, as well as the risks of the different probability of occurrence and seriousness for the rights and freedoms of natural persons, Oikonomakis Law Firm applies appropriate technical and organizational measures to ensure and be able to prove that the processing is carried out under the GDPR, adopting and implementing a holistic personal data security policy.

During the assessment of the appropriate security level by Oikonomakis Law Firm., account shall be taken of the risks arising from the processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

To prevent personal data breaches, Oikonomakis Law Firm, as the controller, has adopted and implements a policy against attacks on the information systems it owns and manages and a specific policy for the management of any cases of personal data breaches.

 

Your rights.

  • Right to access, correction, and deletion. The right of access does not extend to purely internal deliberations, comparative evaluations, or decision-making rationales, except to the extent that specific elements qualify as personal data relating to the candidate.
  • Right to restriction of processing
  • Right to object
  • Right to withdraw consent

For any questions regarding your data or to exercise your rights, please contact our DPO, at compliances@oikonomakislaw.com

Suppose you consider that one of your requests has not been satisfied sufficiently and legally, or that the right to protect your data is violated by any processing we carry out. You can appeal to the Hellenic Data Protection Authority (1-3 Kifisias Ave., 11523 Ampelokipi, tel. 210.647.5600, www.dpa.gr).

Contact.

For any further information or requests regarding this notification, you can contact us at compliances@oikonomakislaw.com