1. Types of Data Collected

1.1 Data controller:

1.1.1 The data controller responsible for the processing of your personal data is Depowise OÜ,
16379409, Harju maakond, Tallinn, Kesklinna linnaosa, Liivalaia tn 36, 10132.

1.2 Types of Data Collected:

1.2.1 We collect and process personal data only to the extent necessary for recruitment, hiring decisions, and related administrative purposes. Below is an overview of the types of data we process, the purposes, and the corresponding legal bases:

Type of Personal Data	Purpose of Processing	Legal Basis
Identification and Contact Data (e.g., name, address, phone number, email address)	To communicate with you about your application, schedule interviews, and maintain candidate records.	Consent; Legitimate interest (efficient recruitment communication).
Application Documents (e.g., CV, cover letter, references, certificates, portfolios)	To assess your qualifications, experience, and suitability for a specific role.	Pre-contractual necessity; Legitimate interest.
Interview Notes and Assessment Results	To evaluate performance and suitability for the role and ensure fair recruitment decisions.	Legitimate interest; Pre-contractual necessity.
Work Eligibility and Background Data (e.g., right to work information, identity verification)	To verify legal employment eligibility and prevent unlawful hiring.	Legal obligation; Legitimate interest.
Optional Demographic or Diversity Data (only if voluntarily provided)	To promote diversity, inclusion, and equal opportunity initiatives.	Consent.
Publicly Available Professional Data (e.g., LinkedIn profile, professional websites)	To validate professional background and experience, where relevant to the role.	Legitimate interest.
Communication History (emails, messages, notes during process)	To manage correspondence and ensure a transparent recruitment process.	Legitimate interest; Consent (if extended communication after process).
Recruitment Metrics and Statistical Data (aggregated, non-identifiable data)	To analyze and improve recruitment processes and diversity outcomes.	Legitimate interest.

1.2.2. We do not collect sensitive personal data (e.g., health, ethnicity, or criminal records) unless it is legally required and directly relevant to the position. Any such processing is subject to heightened safeguards.

2. Consent and Extended Consent

2.1 Initial Consent:

By submitting your application, you consent to the processing of your personal data for recruitment purposes related to the specific position you have applied for.

2.2. Extended Consent

2.2.1. You may choose to grant extended consent for your data to be retained for 24 months to be considered for future job openings. This consent is requested in the application form. You may withdraw this consent at any time by contacting info@depowise.com.

3. Data Retention

3.1 Data Retention Policy:

3.1.1. In case of the following scenarios, the data retention periods are as follows:

Scenario	Retention Period
Lack of initial consent (application not consented for processing)	30 days
Lack of extended consent (application withdrawn or job opening closed)	30 days
Extended consent provided	24 months

3.1.2. After the retention period expires, your personal data will be securely deleted.

3.1.3. When applications are deleted: 

• All personally identifiable information (e.g., CVs, contact details, communications) is permanently erased from our systems. 

• Only aggregated, anonymized statistics (e.g., total number of applications, diversity metrics) may be retained for internal reporting. 

3.1.4. All deletions are performed securely and irreversibly in accordance with industry standards. 

3.1.5. Data may be retained beyond the stated periods when: 

• Required by applicable employment or anti-discrimination laws 

• Necessary for the establishment, exercise, or defense of legal claims 

• Required for audit or record-keeping obligations

3.1.6. Once these obligations end, data will be securely deleted or anonymized

4. Data Sharing and Recepients

4.1. Your data may be shared only where necessary and in accordance with this policy. Typical recipients include:

4.1.1. Internal teams such as HR, hiring managers, and interviewers.

4.1.2. Third-party service providers (data processors) supporting our
recruitment process, such as:

·        Recruitment platforms and applicant tracking systems (ATS)

4.2. All third parties act under written Data Processing Agreements (DPAs) ensuring compliance with GDPR and data security obligations. We do not sell or share personal data for marketing or unrelated purposes.

5. Data Security

5.1. We implement appropriate technical and organizational measures to
protect your personal data, including:

• Encryption of data in transit and at rest
• Secure access controls and authentication systems
• Role-based access limitation for HR and hiring staff
• Regular audits and security reviews
• Staff training in data protection and confidentiality
• Procedures for timely breach detection and response

In the event of a personal data breach, affected individuals will be
notified where legally required.

5.2. You have the right to:

• Access your personal data 
• Rectify incorrect or incomplete data
• Withdraw consent at any time
• Request deletion of your data (“right to be forgotten”)
• Object to processing based on legitimate interests
• Request data portability

5.3. If you wish to exercise any of the rights described above, please contact us using the contact details provided in Section 1 of this policy.

5.4. If you believe that the processing of your personal data infringes your rights, you also have the right to lodge a complaint with the Data Protection Inspectorate (Andmekaitse Inspektsioon) or to seek remedy before a competent court.

The contact details of the Data Protection Inspectorate are available on their official website at www.aki.ee

Valid from: 20.10.2025