CARIAD Estonia: Privacy Policy for application management

In the present document, we would like to explain how your personal data will be processed by CARIAD Estonia AS (CARIAD) when applying to a job in CARIAD or when applying for a job in user company who provides service to CARIAD and to inform you about your rights under data protection law.

1. Who will be responsible for processing your data, and how can you reach the Data

The controller of your data within the meaning of data protection laws is CARIAD Estonia AS (Lõõtsa 1a, Tallinn, Estonia 11415).

You can contact CARIAD about data processing by e-mail to: CARE-Legal@cariad.technology

The responsible data protection officers/data protection coordinators of CARIAD can be found here (Contacts).

2. What categories of data do we use and where do we get it from?

Through your application process, we process your personal data. Personal data, as defined in the General Data Protection Regulation (GDPR) means all data, that is related to an identified or identifiable person, such as the name, contact information or all documents you submit to us during the application process.

The types of personal data that we will process particularly include:

  • Desired position
  • Name
  • E-Mail-Address
  • Place of residence
  • Telephone/mobile number
  • If applicable Social-Media-Profile
  • Salary expectations
    • Desired start-date
    • Data on personal/professional circumstances & characteristics
    • If applicable photo and/or other image
    • If applicable work permit
    • All documents uploaded during the application process, such as CV (mandatory) and letter of interest
  • We get the personal data:
    • From you directly
    • From third party public sources as LinkedIn, Facebook
    • From a third-party source to whom you have given consent to share your data with CARIAD
    • From existing employees with recommendations about potential applicants.

3. For what purposes, and on what legal basis, will your data be processed?

We will process your data for the purposes of our job application management, including

communications and interviews, verification your identity and qualification and conducting of

test and assessments or other suitability evaluations, fitted to the corresponding

position. The legal basis for the above-mentioned processing activities are:

  • Legitimate interest (Art. 6 (1) (f) GDPR) when recruiting
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 (1) (b) GDPR;)
  • Legal compliance (Art. 6 (1) (c) GDPR)
  • Consent (Art. 6 (1) (a) GDPR)

4. Talent-Pool

As part of the application process, you can give your consent to be part of our talent-pool. If you decide to do that, we will store your information for up to 1 year and contact you if your profile is matching one of our job-opportunities. You can withdraw the consent for the talentpool at any time by sending us e-mail to CARE-Career@cariad.technology.

The legal basis for the data processing in the talent pool is consent according to Art. 6 (1) a GDPR.

5. To whom will we disclose your data?

Within our company, only those persons and bodies receive your personal data that need it to fulfil our contractual and legal obligations. We only make your data available to other group companies to the extent that this is necessary for group-wide communication, group management and administration.

6. How long will your data be stored?

Your personal data will be deleted 1 year after a possible rejection due to legal obligation in defending ourselves against possible legal claims (Art. 6 (1) c GDPR) . If you wish your data to be stored in the talent pool, your data will be deleted from there also after 1 year at latest.

If you have not already chosen to be part of the talent pool during your application process, we will ask you per e-mail for your consent (Art. 6 (1) a GDPR).

At the end of the respective retention period, your data will be deleted automatically.

7. What privacy rights can you claim as a data subject?

In addition to the right to request information about the data concerning you and correction of your data, you also have the right to request deletion and the right to object to the processing or the right to restrict the processing of your data, insofar as this does not conflict with any statutory provisions. Furthermore, you have the right to data portability. If we collect and process your personal data based on your consent, you also have the right to revoke the consent you have given with effect for the future. To the extent necessary, we must verify your identity before we can process your respective requests.

If, despite our efforts to ensure that data is correct and up to date, incorrect information is stored, we will correct it after being notified accordingly.

For complaints, you have the option of contacting the Estonian data protection supervisory authority:

Estonian Data Protection Inspectorate, 39 Tatari St., 10134 Tallinn E-mail: info@aki.ee

8. Security

Your data will be protected by CARIAD using the appropriate technical and organizational security measures to prevent accidental or deliberate manipulation, loss, destruction or access by unauthorized persons.

Last amended: June 2025