1. Introduction

Heart Aerospace AB (together with its affiliates, “Heart”) was established with the mission to create green, accessible, and affordable air travel. We believe personal integrity and privacy are fundamental rights, and fully stand behind the European Union General Data Protection Regulation 2016/679 (“GDPR”) and all equivalent local laws wherever we operate. Our affiliate company, Heart Aerospace US LLC, is located in the State of California and may be subject to the California Consumer Privacy Act (“CCPA”). Therefore, we make explicit reference to the CCPA in this notice.

If you apply for a position at Heart, we will need to process your personal data. Therefore, it is essential to us that your data is protected, and that you are informed of your rights and how we process your data. This notice aims to give you an overview of our processing, your rights under the GDPR and the CCPA and how you can exercise them.

Heart Aerospace AB is the controller of your personal data and Jobylon will process the personal data on Heart’s behalf, given that Jobylon provide Heart with their recruitment tool. Jobylon also has a sub-processer, Cluvio GmbH, HRB 173385 B, Germany which provides Cluvio analytics, used to create real-time dashboards and reports to present insights and KPIs to Heart. With regard to onward transfers, the sub processor used by Cluvio is AWS EMEA Sarl (owned by Amazon, Inc.), for their server. However, the data center is located in Frankfurt. Furthermore, Functional Software, Inc., (“Sentry”) provides frontend monitoring. The only personal data that might be processed by Sentry is IP addresses of Heart’s users in case of an error event. Jobylon, however, offers the functionality that gives Heart the possibility to restrict from which IP-addresses the Service can be reached from. This enables Heart to avoid that any of its users would access the Service from an IP-address that could be connected to an individual.

If you have applied for a position at one of Heart Aerospace AB’s affiliates, such as Heart Aerospace US LLC, then this affiliate will also be a processor of your personal data.

2. What is our legal basis?

The GDPR requires us to have a legal basis for collecting and processing your personal data. Heart processes personal data if necessary for the reason which the data was collected and for the duration of our legal basis. After this, we delete your information.

Our legal basis rests chiefly on the following:

Legal Compliance

Heart may process your personal data in order to comply with applicable law. This can for instance be in connection with taxation, labor, or workplace safety laws.

Contractual Obligation

Heart may need to process your personal data to comply with any contracts which we have signed with you. This may include providing notices to a contact person according to an agreement, complying with an employment agreement.

Legitimate Interests

Appropriate processing of personal data is a natural part of conducting business in Heart’s industry. For instance, Heart may process contact information to keep in contact with our customers, CVs from our job applicants, and financial information to provide salaries and benefits to our employees.

Where Heart bases its processing on legitimate interests, we believe our interests are not overridden by your rights under the GDPR or the CCPA. In each case, we endeavor to give correct and current information, so that you are aware of your rights and can exercise them. If you wish to have information on a specific aspect of our data processing, please use the contact details below.

Vital Interests

Heart may need to process your personal data to ensure safety at our facilities and events. This may include information on whether you have undergone sufficient safety awareness training to perform a certain task in our production organization, or if you have health conditions which make you susceptible to significant potential harm in a factory environment.

Consent

In some uncommon circumstances, we may require your consent to process your personal data. This is only done if required by applicable law.

3. The types of personal data we process and why

3.1 Job applicants
With regards to job applicants, we process the following categories of personal data:

3.1.1 Category of Data: Contact details (Name, Address, E- mail address, Telephone number)
3.1.2 Purposes: To maintain contact with you and correctly administer and execute the employment agreement
3.1.3 Legal basis: Legitimate interests, legal compliance and contractual obligations
3.1.4 Retention time: 24 months

3.2.1 Category of Data: Personal identification and financial data (National identification number, gender, bank account and tax details)
3.2.2 Purposes: To verify the identity of the employee and pay salaries and provide other agreed benefits, assist in re-location support and visa applications for overseas employees, comply with applicable tax and accounting laws
3.2.3 Legal basis: Legitimate interests, contractual obligation and legal compliance
3.2.4 Retention time: 24 months

3.3.1 Category of Data: Next of kin data (name, address, telephone number)
3.3.2 Purposes: To enable contact with your next of kin in case of accidents or for communicating other vital information. This is processed if the application proceeds to employment.
3.3.3 Legal basis: Legitimate interests
3.3.4 Retention time: 24 months

3.4.1 Category of Data: Information contained in your CV or cover letter (e.g. job experience, education, photographs, language skills)
3.4.2 Purposes: For the legitimate purpose of executing the recruitment process and evaluate whether to offer you a position at Heart Aerospace
3.4.3 Legal basis: Legitimate interests
3.4.4 Retention time: 24 months

3.5.1 Category of Data: Notes and assessments made by Heart during the recruitment process.
3.5.2 Purposes: For the legitimate purpose of evaluating a candidate’s suitability for the position.
3.5.3 Legal basis: Legitimate interests
3.5.4 Retention time: 24 months

3.6.1 Category of Data: Results from performance tests.
3.6.2 Purposes: For the legitimate purpose of evaluating a candidate’s suitability for the position.
3.6.3 Legal basis: Legitimate interests
3.6.4 Retention time: 24 months

The data listed above will be processed during the recruitment process and then stored for a maximum of 24 months after which it will be deleted. The reason for this is that Heart may need to show that the employment procedure was non-discriminatory. Heart does not, however, have any obligation to save the data you provide. Heart may also ask to keep the data for further periods and give you the opportunity to opt in of further processing by us. It is then still in our legitimate interest to continue processing such data until the expiration of the communicated period. If you opt in, the information will then be retained for another 12 months, after which it will be deleted.

Most of the data processed is supplied by you, yourself. Information may, however, be collected using publicly available sources. Your personal data is processed in a conventional and regular recruitment manner. The key steps being collection, storage, evaluation, contacts, and deletion. Such processing is necessary to facilitate the recruitment process, which is in the legitimate interest of Heart.

Heart does not “sell” or “share” (as defined by the CCPA) personal information or sensitive personal information about California residents.

Please note that data in your application may be used for recruitment to other positions than the one you’re currently applying for.

4. Special categories of data
Heart is aware that some personal data, such as some types of health and safety data, require extra care under the GDPR. We will only process such information if we have a legal obligation, legitimate interest, or authorization under our collective bargaining agreement. If required by applicable law, Heart will inform you and seek your explicit consent.

5. Your rights
Your rights under the GDPR include the following:

1. To know what personal data Heart holds about you
2. To restrict our processing of your data, in certain circumstances
3. To have access to your data and to transfer it to a different controller
4. To have your data corrected if inaccurate

In some circumstances you may also object to our processing of your personal data or require us to delete it. You may also ask us to provide your data in legible format and transfer it to another company.

You always have the right to submit a complaint to the competent authorities. In Sweden, it is the Swedish Authority for Privacy Protection (SWE: Integritetsskyddsmyndigheten). We encourage you to reach out to us before you do so, so that we can rectify the issue.

Your rights under the CCPA include the following:

1. The right to know about the personal information a business collects about them and how it is used and shared;
2. The right to delete personal information collected from them (with some exceptions);
3. The right to opt-out of the sale or sharing of their personal information; and
4. The right to non-discrimination for exercising their CCPA rights.
5. The right to correct inaccurate personal information that a business has about them; and
6. The right to limit the use and disclosure of sensitive personal information collected about them.

If you believe your rights under the CCPA have been violated, you can always submit a complaint to the California Privacy Protection Agency. We encourage you to reach out to us before you do so, so that we can rectify the issue.

6. Who is the controller of your personal data?
Heart may be the controller of your personal data if we collected the data directly from you or from third party sources. In case Heart is the controller, the correct legal entity is the following:

Heart Aerospace AB, registered in Sweden under company registration number 559150-5721.
Address: Lindholmsallén 2, 417 55, Gothenburg, Sweden

7. How to get in touch
If you wish to execute any of your rights under the GDPR and CCPA, you may contact us by sending an e-mail to privacy@heartaerospace.com.

You may also contact privacy@jobylon.com. Jobylon may not, however, be able to answer your question or comply with your request without the approval of the employer.