Privacy policy for recruitment using Teamtailor
This Privacy Policy describes how Critical TechWorks collects, uses, stores and protects personal data in the context of recruitment activities.
It applies to all personal data processed through our recruitment platform (powered by Teamtailor), including applications, interviews and AI-assisted recruitment tools.
We process, manage, use and protect personal data in accordance with Regulation (EU) 2016/679 (GDPR), Portuguese Law 58/2019, Regulation (EU) 2024/1689 (EU AI Act) and this Privacy Policy. This policy contributes to CTW’s commitment to transparency, data protection and responsible use of technology in recruitment.
Target audience
This policy applies to all individuals (“Candidates”, “Users”) whose personal data is processed through CTW’s recruitment Service, including: applicants to job vacancies; individuals who register on the CTW careers portal; individuals referred by CTW employees or other candidates; and candidates submitted by external recruiters or recruitment agencies. It also applies to CTW employees involved in recruitment activities (recruiters, hiring teams, interviewers), to the extent that this policy sets out obligations for them.
Privacy Policy statement
CTW is the controller for personal data processed through the recruitment Service. The following principles govern all recruitment data processing activities, in accordance with GDPR, the EU AI Act and CTW’s Internal Privacy Policies:
- Lawfulness, fairness and transparency: Personal data is processed lawfully, fairly and in a transparent manner. Candidates are informed about what data is collected, why, and how it is used.
- Purpose limitation and data minimisation: Data is collected for specified, explicit and legitimate recruitment purposes. Only data that is relevant and proportionate to the recruitment process is collected and processed.
- Storage limitation and integrity: Data is kept only for as long as necessary for the recruitment purpose or as required by law. Technical and organisational measures are in place to ensure data accuracy, confidentiality and integrity.
- Human oversight of AI: AI systems used in recruitment operate as decision-support tools only. No candidate is automatically rejected, ranked, scored or selected without meaningful human review.
- Accountability: CTW is responsible for and able to demonstrate compliance with data protection principles. Data Protection Impact Assessments (DPIAs) are carried out where processing activities are likely to result in a high risk to individuals’ rights and freedoms.
1. Purposes of Processing
The specific purposes of processing are:
- To receive, process and analyse applications to specific job vacancies.
- To evaluate candidates during the recruitment process, including through interviews and assessments.
- To contact candidates regarding future job opportunities that may fit their profile, during the applicable data retention period.
- To enable registration and use of the “Connect” reserved area and its functionalities.
- To send notifications regarding opportunities and recruitment vacancies to registered Users.
- To receive, analyse and store referral data provided by CTW employees or other candidates who made a referral, until the first contact with the referred candidate.
- To internally process applications and assess whether a candidate (including referred candidates) fits active job vacancies.
- To process and analyse applications submitted by external recruiters or recruitment agencies.
- To support interview documentation, including AI-assisted transcription and structured notetaking, where applicable (see Section 7).
2. Collection of Personal Data
2.1 When and how we collect personal data
We collect personal data when Users:
- Submit an application through the Service or otherwise.
- Use the Service to connect with our recruitment teams.
- Provide identifiable data through the website chat function that is relevant to the application.
- Participate in interviews that may be recorded and processed using AI-assisted tools (see Section 7).
Where existing CTW employees make referrals of potential candidates, personal data about such individuals will be collected. The referred individual is considered a User under this Privacy Policy and will be informed about the processing.
2.2 Categories of personal data
Personal data falls into different categories, each illustrated below with examples.
- Identification data: Name, photograph if in the CV.
- Contact data: Email address, telephone number, address.
- Professional data: CV, work experience, education, qualifications, certifications.
- Application data: Motivation letters, assessment results.
- Digital identifiers: LinkedIn profile URL, other professional platform data.
- Interview data (when applicable): Interview recordings (audio), AI-generated transcription and structured notes (see Section 7).
- Referral data (when applicable): Name, contact details and professional data of referring employees or candidates.
Only data that is relevant and proportionate to the recruitment process is collected and processed.
2.3 Data we do not collect
We do not knowingly collect special categories of personal data (Art. 9 GDPR) such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation. If such data is voluntarily provided by the User (e.g., in a CV or during an interview), it will not be used in recruitment decisions.
3. Lawfulness of processing
We process personal data on the following legal bases:
- Processing applications and evaluating candidates for a specific vacancy: Pre-contractual steps at the request of the data subject [Art. 6(1)(b)].
- Communicating with candidates about their application status: Pre-contractual steps [Art. 6(1)(b)].
- Sourcing candidate data from public professional sources: Legitimate interest of CTW in identifying suitable candidates [Art. 6(1)(f)]
- Retaining data beyond 12 months for future recruitment opportunities: Consent of the data subject [Art. 6(1)(a)].
- Referral processing (employee and candidate referrals) and processing applications from external recruiters: Legitimate interest of CTW and the referring party in facilitating recruitment [Art. 6(1)(f)].
- Interview recording and AI-assisted transcription: Consent of the data subject (see Section 7) [Art. 6(1)(a)].
- AI-assisted recruitment support tools (screening, structuring, prioritisation): Legitimate interest of CTW in efficient, consistent, and fair recruitment [Art. 6(1)(f)].
Legitimate interest balancing: Where we rely on legitimate interest, we have conducted a balancing assessment to ensure that our interests do not override the fundamental rights and freedoms of the data subjects.
4. Storage, Transfers and Retention
4.1 Data storage and international transfers
We may share personal data with:
- Data processors and subprocessors acting on our instructions for the provision of the Service.
- Authorities or legal advisors in case of suspected criminal or improper behaviour.
- Authorities, legal advisors or other parties where required by law or regulatory order.
Personal data collected through the Service is stored and processed within the EU/EEA, primarily in Ireland (Teamtailor’s hosting infrastructure). Where data is transferred to countries outside the EU/EEA, such transfers are protected by:
- An adequacy decision of the European Commission (Art. 45 GDPR); or
- Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR), complemented by supplementary measures where required.
4.2 Key subprocessors
- Purpose: Recruitment platform (the Service).
- Data Processed: All application and candidate data.
- Purpose: AI-assisted interview transcription and structured notetaking.
- Data Processed: Interview recordings (audio), AI-generated transcriptions and notes.
- Location: EU (Germany), UK and USA.
A complete list of subprocessors is available upon request.
4.3 Retention periods per data category
- Application data (not selected): 12 months from application; user may opt-in to extended retention for future opportunities.
- Application data (extended retention): Until consent is withdrawn, reviewed annually; Requires active opt-in by User.
- Application data (referral, no interest): Deleted without undue delay upon determination of no interest.
- Data upon selection for employment: Duration of employment + 1 year after termination; For employment contract purposes.
- Connect account data: Duration of account activity + 1 year after last access.
- Interview recordings (audio) and transcriptions: Deleted upon conclusion of the recruitment process for the specific vacancy; Maximum 12 months.
5. Users’ Rights
Under the GDPR, Users have the following rights:
- Access (Art. 15): Request information about what personal data we process, receive a copy free of charge.
- Rectification (Art. 16): Request correction of inaccurate personal data.
- Erasure (Art. 17): Request deletion of personal data, subject to legal retention obligations.
- Restriction (Art. 18): Request restriction of processing in specific circumstances.
- Data portability (Art. 20): Receive personal data in a structured, machine-readable format and transfer it to another controller.
- Objection (Art. 21): Object to processing based on legitimate interest; we will cease processing unless compelling legitimate grounds exist.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal.
- Not subject to automated decisions (Art. 22): Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see Section 7).
- Lodge a complaint: File a complaint with CNPD (Comissão Nacional de Proteção de Dados).
To exercise these rights, please contact us using the details in Section 9.
6. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit and at rest.
- Access controls restricting data access to authorised personnel.
- Regular security assessments of the Service and its subprocessors.
- Contractual security obligations imposed on all data processors.
While we take all reasonable precautions, transmissions over the internet cannot be guaranteed to be fully secure. Users are responsible for keeping their login credentials confidential.
We may use aggregated, fully anonymised data for analytics and market research. Such data cannot be used to identify any individual and is therefore not personal data.
7. Use of Artificial Intelligence in Recruitment
As part of our recruitment processes, CTW uses systems supported by artificial intelligence (“AI systems”) to assist in the management and evaluation of applications. This section provides the transparency required under GDPR Art. 13(2)(f), Art. 14(2)(g), and the EU AI Act (Regulation (EU) 2024/1689).
7.1 AI systems used in recruitment
- Purpose: Recruitment platform AI.
- What it does: May include AI-assisted candidate matching, application screening support, and content suggestions.
- Data processed: Application data, CV content, candidate profile data.
- Purpose: Interview intelligence.
- What it does: Records interviews (with prior consent), generates AI-powered transcriptions, and produces structured interview notes.
- Data processed: Interview audio, candidate and interviewer speech content, AI-generated structured notes.
7.2 How AI is used and how it is NOT used
- AI systems are used as decision-support tools to assist our recruiters and hiring teams. They help structure information, reduce administrative burden, and improve consistency in documentation.
- AI systems are not used to make autonomous recruitment decisions. No candidate is automatically rejected, ranked, scored, or selected by an AI system without meaningful human review.
- AI outputs (e.g., Metaview interview notes) serve as supplementary documentation; recruiters independently form their assessment of each candidate.
- We do not use emotion recognition, sentiment analysis, or biometric categorisation in our recruitment process.
7.3 Human oversight
All recruitment decisions, including candidate progression, evaluation, and selection, are made by qualified human recruiters and hiring teams who:
- Independently assess each candidate based on the full range of available information.
- Are instructed to critically review AI-generated outputs and not to rely solely on them.
- Have the authority to disregard AI outputs in their decision-making.
7.4 Interview recording
When recording is used during an interview:
- The candidate is informed before the interview that an AI-assisted transcription tool will be used.
- The candidate’s explicit consent is obtained before recording begins.
- The candidate may decline recording without any negative impact on their candidacy. The interview proceeds normally without AI assistance.
- The recording is used solely for the purpose of generating structured interview notes for the recruitment process.
- Recordings and AI-generated transcriptions are deleted upon conclusion of the recruitment process for the specific vacancy, unless the candidate consents to extended retention.
7.5 Automated decision-making
CTW does not subject candidates to decisions based solely on automated processing that produce legal or similarly significant effects. All AI tools in our recruitment process operate in an advisory capacity with meaningful human oversight.
7.6 Candidate rights regarding AI processing
In addition to the rights listed in Section 5, candidates have the following rights specifically related to AI-assisted processing:
- Information about AI involvement: Request details about which AI systems were used in their recruitment process.
- Meaningful explanation of AI logic: Request information about the logic, significance, and envisaged consequences of any AI-assisted processing.
- Human review: Request that any AI-assisted assessment be reviewed by a qualified human recruiter.
- Opt out of interview recording: Decline recording without prejudice to the application.
- AI Act notification: Be informed before any interview processed by a high-risk AI system, in accordance with Art. 26(7) of the EU AI Act.
7.7 Fairness, accuracy and bias mitigation
We take the following measures to ensure AI systems do not introduce bias or unfairness:
- Regular monitoring of AI system outputs for accuracy and potential discriminatory patterns.
- Periodic review of AI-assisted recruitment outcomes to detect adverse impact.
- Vendor assessment requirements for bias testing and fairness documentation.
- Human oversight as the primary safeguard against AI-driven bias.
7.8 Legal basis for AI processing
- Interview recording and AI transcription: Consent [Art. 6(1)(a)]
- AI-assisted candidate matching and screening support: Legitimate interest [Art. 6(1)(f)]
7.9 Data protection impact assessment
Data Protection Impact Assessments (DPIAs) are carried out where processing activities are likely to result in a high risk to individuals’ rights and freedoms, as required by Art. 35 GDPR and Art. 26(9) of the EU AI Act.
8. Security
When using the Service, information may be stored as cookies. We use cookies to improve the user experience and gather usage statistics. The information collected may, in some instances, constitute personal data and is regulated by our Cookie Policy, accessible through the Service. Users may disable cookies via browser settings, which may affect Service functionality.
9. Contact
We may update this Privacy Policy at any time.
For questions about this Privacy Policy, to exercise your data protection rights, or for any other matter related to our handling of personal data, contact CTW’s Data Protection Officer using the e-mail privacy@criticaltechworks.com.
