Storyblok GmbH, and its subsidiaries (“Storyblok” or “we” or “us”), collect Personal Data during the application and recruitment process at our company. We are committed to protecting and respecting your privacy; therefore, we would like to share with you what Personal Data we collect, with whom we share such data, measures we have in place to protect your Personal Data, your rights and where you can contact us.

“Personal Data” is any information which is related to an identified or identifiable natural person. This includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular applicant.

As a global company, Storyblok conducts business in many countries across the world. Some countries maintain specific laws on the collection, use, transfer and disclosure of personal information of individuals, including job applicants. We comply with all applicable privacy and data protection laws, including, the European General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights and Enforcement Act (CPRA). This Privacy Policy (together with any other documents referred to herein) sets out the basis on which Personal Data collected from you, or that you provide to us, will be processed by us in connection with our recruitment processes. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it.

Where you apply for a job opening posted by us, these Privacy Notice provisions will apply to our processing of your personal information in addition to this Applicant Privacy Policy, which is available on our website: https://www.storyblok.com/legal/privacy-policy

Personal Data we may collect from you

There are a variety of categories of Personal Data we may collect, process, and disclose to third parties for hiring, recruitment and other operational purposes. Within the 12 months preceding the date this Statement was last updated, we have collected the following types of data. We may collect and process some, or all, of the following types of information from you:

a. Information that you provide during the job application process

This includes information provided through an online job site, via email, LinkedIn, in person or online at interviews, in your CV, covering letter and/or by any other method, including:

• Personal Information or personal identifiers about you & contact data (e.g. name, surname, form of address, email address, telephone number, street address, date of birth, citizenship, work authorization status).
• Characteristics of legally protected classifications, such as gender and age.
• Sensitive personal information, such as Social Security Number, driver’s license number, state identification number, or passport number.
• Qualification data (e.g. cover letter, CV, previous employment, professional qualifications, educational qualifications, professional licenses, and skills).
• Optional information, such as information relating to references, salary preference, application photo, or other information that you provide to us in your application or upload.

b. Information collected or created by us during the recruitment process, including:

• Communications & correspondence between you and us.
• Interview notes, test scores, presentation materials, and/or a record of your progress through any hiring process that we may conduct.

c. Information obtained from publicly available sources.

This may include information we may collect such as details of your employment and education history from business-related public sources available online (e.g. LinkedIn, other social media or similar).

All information submitted by an applicant when applying to a job should be true, complete and not misleading. Should you submit inaccurate, incomplete, or misleading information, it can lead to rejection of your application.

In addition, you are obliged to ensure the information you submit does not violate any third party’s rights. It is solely your responsibility to obtain consent from any reference or other individual prior to providing their personal information to Storyblok as part of the application process.

We kindly ask that you refrain from submitting any sensitive information under applicable law, except where such sensitive information may be legally required. Sensitive information can include information on race, religion, ethnicity, nationality or national origin, age, gender identity, sexual orientation, marital status, medical or health information (including disability status), genetic or biometric information, political or philosophical beliefs, political party or trade union membership, judicial data, and veteran status.

How we may use your Personal Data

Lawful basis for processing

We process your data based on the implementation of contractual or pre-contractual measures (Art. 6 para. 1 letter b GDPR) our legitimate interest in accordance with (Article 6 (1) lit f GDPR), your consent (Article 6 (1) lit a GDPR) or to fulfill legal obligations (Art.6 (1) lit c GDPR) a):

Contractual or pre-contractual measures

We process your data to find candidates to fill our job openings – so for the initiation of a potential contractual relationship with you.

Legitimate interests:

In certain cases, we process your data to protect our legitimate interests or that of third parties. Such legitimate interests are: ensuring IT security, the effective administration and management of the recruitment process, and/or to deal with disputes and accidents and take legal or other professional advice; to conduct data comparison with EU anti-terrorist lists in accordance with Regulations (EC) No. 2580/2001 and 881/2002 for the purpose of combating terrorism. As a company EU law obliges us to play our part in the fight against terrorism. No funds may be made available to persons and organizations on the terrorist lists (provision prohibition). We are also obliged to carry out this comparison for the AEO certificate as an authorized economic operator.

Legal obligations

As a company we are subject to various legal obligations. The processing of Personal Data may be necessary to fulfill these obligations, including:

• For the protection of legal retention periods (such as Section 15 (1) and (29) Equal Treatment Act (Gleichbehandlungsgesetz, GlBG);

• To comply with Storyblok's legal obligations such as Section 18 Austrian Employee Act (Angestelltengesetz, AngG) or Section 1157 Austrian Civil Code (Allgemenies Bürgerlichers Gesetzbuch, ABGB).

Your consent

If you have given us your consent to the collection, processing or transfer of certain Personal Data, then this consent forms the legal basis for the processing of this data. This applies to the following cases:

• Group-wide sharing of your application in case we do not hire you for the job opening you applied for, but see opportunities in other companies belonging to the group;

• Saving your application for a period of one (1) year after the legal retention period in case we cannot consider you for the job opening you applied for, but maybe for other job openings in the future.

You can revoke your consent at any time by letter or e-mail, so that the processing of your data for the named purposes are no longer permitted from the time of receipt of your revocation. The lawfulness of the processing of your data until revocation remains unaffected by your revocation.

Purposes of processing

We use information held about you in the following ways:

• To consider your application in respect of a role for which you have applied or any other potential engagement within our organization or our subsidiaries and affiliates.

• To assess and make a decision about your suitability for a role

• To communicate with you in respect of the recruitment process.

• To communicate about your engagement with any of our suppliers or service providers, especially such as consultants, covered with a confidentiality agreement.

• To enhance any information that we receive from you with information obtained from third-party sources.

• To find appropriate candidates to fill our job openings.

3. Disclosure of your data

Your data will be processed mainly by our human resources department and the department responsible for the respective processing purpose. In some cases, however, other group companies or external bodies are also involved in the processing of your data. We share your personal information with the third parties for the purposes of processing your application, recruiting assistance, background check processing, and similar services.

External Services Providers:

We may share your Personal Data with the external service providers (data processors) where necessary. We require all our service providers to undergo a thorough diligence process by our team to ensure that your data is adequately protected. This process includes a review of the data we plan to disclose to the service provider and the associated level of risk, the service provider’s security policies, measures, certifications and third party audits, and whether the service provider has a mature privacy program in place that respects the rights of data subjects.

The table/list below shows the disclosures we have made within the last 12 months:

Application Management:

Greenhouse (Greenhouse Software Inc. 8 West Street, 11th Floor, New York, NY 10011 USA, Website: https://www.greenhouse.com/; Privacy Policy: https://www.greenhouse.com/uk/privacy-policy)

Digital Signatures:

DocuSign (DocuSign Inc., 221 Main St. Suite 1550 San Francisco California 94105, USA; Website: https://www.docusign.com/; Privacy Policy: https://www.docusign.com/privacy/)

Email, cloud storage, communication, video conferencing

Google Workspace (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://workspace.google.com/; Privacy Policy: https://policies.google.com/privacy?hl=en-US)

Video conferencing

Zoom (Zoom Video Communications, Inc., 55 Almaden Blvd, 6th Floor, San Jose, CA, USA; Website: https://zoom.us/; Privacy Policy: https://explore.zoom.us/en/privacy/)

Background Checks where specific authorization or consent is provided:

Veremark (Veremark, 85 Great Portland Street London W1W 7LT; Website: https://https://www.veremark.com ; Privacy Policy: https://www.veremark.com/legal/privacy-policy)

Other external data recipients

We may share your data with other external third parties as required, based on our legitimate interests (e.g. auditors, pension and employee benefit funds, insurance providers, (tax) consultants, legal representatives), and on a case-by-case basis with credit reference agencies, background check and online test providers or other third parties involved in the fulfillment of the contract with you and third parties otherwise involved in the recruitment or employment relationship, (e.g. travel agencies, online booking portals, telecommunications service providers, IT infrastructure operators, etc.). All our commissioned data processors only process data on our behalf and on the basis of our instructions for providing the services for which they are engaged.

Storyblok group companies

We may share Personal Data within our group, with our affiliates and associated companies for the purposes of administration, accounting, reporting purposes and reviewing / furthering / facilitating your job application.

Public bodies and authorities

Where required, we may also share your data with the following public bodies or authorities such as: regulators and competent authorities, employment agencies, financial authorities, social insurance carriers, health insurance companies, chambers of commerce, and investigation authorities.

No Sale of Personal Data

Please note: We do not “sell” or “share” any Personal Data from our applicants, including your Sensitive Personal Data, as defined under the California Consumer Privacy Act of 2018, and amended by the California Privacy Rights Act. We have never engaged in such activities, nor have we engaged in such activities in the 12 months prior to the date this policy was last updated.

4. Transfers of Personal Data

For the EEA residents: We may transfer your Personal Data outside the EEA area on the condition that all appropriate safeguards required by GDPR are in place. Transfer mechanism in place for such international transfers are:

• The Adequacy decisions of the European Commission

• Standard Contractual Clauses

• Binding corporate rules

When required by GDPR, Storyblok conducts also transfer impact assessments, prior to the transfer of Personal Data.

For the transfer of Personal Data to the United States, Storyblok relies on the EU-US Data Privacy Framework.

5. How we protect your Personal Data

We take appropriate measures to ensure that all Personal Data is kept secure including appropriate security measures to prevent Personal Data from being accidentally lost or used or accessed in an unauthorized way. We limit access to your Personal Data to those who have a genuine organizational need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted through any online means, therefore any transmission remains at your own risk.

6. How long do we keep your data?

We only store data for as long as it is needed to fulfill the specific purpose for which it was obtained. Storyblok will retain your information for a period of one (1) year after your application unless other mandatory retention periods apply. Our retention periods may vary if we have: an ongoing employment relationship with you, your consent to store the data for a longer period of time, a legal obligation to retain the data for a longer period of time, or a legal basis to defend against claims (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).

Legal basis of the contractual relationship

In case we hire you, we will continue holding your data for the term of your employment and any applicable legal retention periods.

Legal basis of consent:

If you have given your consent to retain records for a longer period of time (in the applicant pool), we will store your data for the period for which you have granted your consent.

Legal requirements:

Data may be stored for longer than specified if required to assert our legal rights or defend against legal claims.

7. Withdrawing your application

If you like to withdraw your application before completing the application process, i.e. delete your data and your account, the stored data will be blocked for the duration of the ongoing application process and deleted permanently as per the data retention policy in place after the conclusion of the application process. You can ask for such deletion of your candidate profile and your application documents by contacting us at any time under the address above.

8. Your rights in connection with the processing of your data

Your rights

In certain countries, you may have specific rights under applicable privacy law. This may include the right of access, the right to rectification, the right to erasure under, the right to restriction of processing, the right to object and the right to data portability.

• Right to object

Pursuant to Art. 21 para. 1 GDPR, you may have the right to object at any time to the processing of Personal Data concerning you on the basis of Art. 6 para.1 lit. e GDPR (data processing in the public interest) or Article 6 para.1 lit. f GDPR (data processing to protect a legitimate interest), this also applies to profiling based on this provision. In the event of your objection, we will no longer process your Personal Data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

• Right to revocation of consent

You can revoke your consent to the processing of your Personal Data at any time. Please note that the revocation is only valid for the future. For any revocation of consent, please contact us using the contact details provided above.

• Right to access information

You may have the right to request information as to whether we have stored Personal Data about you. If you wish, we will inform you of the data concerned, the purposes for which the data is processed, to whom this data is disclosed, how long the data is stored and what further rights you are entitled to with regard to this data.

• Right to deletion or correcting of your data

You may have the right to have your data corrected or deleted. If there is no reason for further storage, we will delete your data, otherwise we will restrict processing.

• Right to portability

You may have the right to request that we provide all Personal Data that you have provided to us in a structured, current and machine-readable format either to you or to a person or company of your choice.

• Complaint

In addition, there is a right in some countries to lodge a complaint to the responsible data protection supervisory authority and we may work with them to resolve your concern. The supervisory authority in Austria is the Austrian Data Protection Authority (https://www.data-protection-authority.gv.at/) which may be contacted at dsb@dsb.gv.at. The supervisory authority in California is the California Privacy Protection Agency which may be contacted at info@cppa.ca.gov.

• Right to non-discrimination

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA) prohibits us from discriminating against you when choosing to exercise your rights under the California Privacy Rights Act.

Assertion of your rights

We hope that we can resolve any query or concern you raise about our use of your Personal Data.

If you would like to exercise any of those rights, please:

• contact us using our contact details above,

• let us have enough information to identify you,

• let us have proof of your identity and address, and

• let us know the information to which your request relates

We will process your enquiries immediately and in accordance with legal requirements and inform you of the measures we have taken.

9.Obligation to provide your Personal Data

To take part in the recruitment process, you must provide us with the Personal Data that is necessary to carry out the recruitment process or that we are required to collect by law. If you do not provide us with this information, we will not be able to consider you for a job opening.

Is there automated decision-making/profiling?

You are not subject to any automated decisions that have legal effect on you or that significantly affect you in a similar way. We also do not perform any profiling measures.

10. How to contact us

You can contact us at: Storyblok GmbH, Peter-Behrens-Platz 2, 4020 Linz, Austria, registered in Austria, with registration number FN 479743 f.

If you have any questions or complaints in relation to the use of your Personal Data or this Privacy Policy, you can contact us via e-mail at: legal@storyblok.com or under the address above.

Storyblok has appointed a data protection officer (DPO). The DPO may be contacted via e-mail: dpo@storyblok.com

Changes to this policy

Storyblok reserves the right to amend this policy in its discretion and at any time. As required by law, we will review and revise this policy on an annual basis.

If the purpose or manner of processing your Personal Data changes, we will update this information and you may check the updates under the same link.

Previous versions: You can find the archive of previous versions under this link.