AviLabs Employment Application Privacy Policy

Are you applying for a job with AviLabs? That means you will be untrusting us with your personal data. Your personal privacy is very important to us and this policy applies to the personal data that we at AviLabs collect and process when you apply for a role with us. This Policy explains what personal data we collect about you, how and why we use it, who we disclose it to and how we protect your privacy.

Unfortunately, the policy is rather long as law requires it to be detailed. If you’re in a hurry, the TL;DR version of the policy is: We require your CV and quite a bit of your personal data to evaluate your application for a role with AviLabs. The personal data that we collect about you throughout our application process depends on the role for which you apply to. During our application process, we may share your data to companies that provide services to us (e.g. recruitment agencies). If you are successful, your personal data will be transferred into our HR system to the extent this is necessary for our ongoing employment relationship with you. If you are unsuccessful, we will automatically delete your data when we no longer need it, in accordance with applicable laws. And throughout all this, we will keep your personal data safe.

  1. Who we are

Any references in this Employment Application Privacy Policy (the “Policy”) to “AviLabs” “we”, “us” or “our” means AviLabs ehf., a company registered in Iceland with registration number no. 5208192150 and registered office at Nóatún 17, 105 Reykjavik, Iceland. When it comes to personal data collected under this policy, AviLabs is the “data controller” for the purposes of the Icelandic Data Protection Act and other data protection laws that apply to us, like the EU General Data Protection regulation (the “GDPR”).

  1. Personal data we collect about you

When we use the term “personal data” in this Policy, we mean any information relating to you and through which you can be identified, directly or indirectly, or in combination with other information that we may hold. This could for example be your name, information in your CV or your qualifications. We only collect your personal data where it is necessary for the purposes described in this Policy and in accordance with data protection laws.

We will mainly collect your personal data directly from you, and this will include all the information you provide us with in your CV, your application and your cover letter. If we meet you for an interview, we will also collect the information you provide us with about you in the interview. If you proceed further in our selection process following the interview, we will ask you to send us a copy of your criminal record.  We’ll examine your criminal record for the purposes of taking a decision whether to offer you a job – and then we will delete it. We do not keep copies of criminal records. We do believe that we have a legitmate interest in reviewing the criminal records who are offered a job with us both for security reasons and due to the fact that we are operating in accordance with ISO and SOC certifications, that require us to do this.

In addition to all of the above, you will probably be communicating with us throughout your application process. We will collect your communications with us, for example emails or letters that you exchange with us.  

  1. How do we collect personal data

We will mainly collect your personal data directly from you. However, in some cases we might collect information about you from third parties:

  1. Special categories of personal data

We don’t really collect personal data that is considered “special categories of personal data” that is subject to additional protection under the GDPR (for example, information revealing your racial or ethnic origin, physical or mental health, religious beliefs or trade union membership). However, it may happen that you send us such information without us asking in your CV or your communications with us. In such instances, we do recognize our legal obligations under article 9 of GDPR.

  1. Why we use your data

We will process your personal data in order to assess your application and decide whether you are eligible and suitable for the role for which you have applied, prior to us taking a decision on whether to enter into an employment contract with you. However, to be more detailed, we have identified the following purposes for which we process your data and the lawful basis on which each of these purposes relies:


Lawful Basis

Recruitment and selection. Assessing whether you are a suitable candidate for us.

It is necessary for fulfilling our legitimate interests:

  • to fully assess job applications to ensure that only suitable candidates go through the application process and are selected;
  • to protect our business interests, effectively manage our business operations and maintain our reputation;
  • to ensure the safety, security and integrity of our operations.

Communications. To communicate with you during our application process.

It is necessary for fulfilling our legitimate interests:

  • to protect our business interests, effectively manage our business operations and maintain our reputation.

Reference checks. Perform reference checks to ensure your eligibility for the role (where releveant).

It is necessary for fulfilling our legitimate interests:

  • to protect our business interests, effectively manage our business operations and maintain our reputation.
  • to ensure the safety, security and integrity of our operations.

Criminal checks. Conducting criminal record checks (which you provide to us) and processing information relating to criminal convictions and offences.

This processing is necessary to fulfil our legitimate interest to ensure the safety, security, and integrity of our business operations. This will only take place where it is permitted or required by law.

  1. How long we keep your personal data for

If you become an AviLabs employee, we will transfer your data into our HR systems, to the extent it is necessary for our ongoing employment relationship. Following that, our employee privacy policy will take over and govern your personal data. Other information that we do not need will be deleted.

If you are unsuccessful in your application, we will retain your data for 9 months after our selection process is complete. This will be for us to be able to respond to enquiries, complaints or claims and to demonstrate that the selection process was carried our properly. Following that we will delete your data. There may be a possibility that AviLabs would like to retain your information for a longer period of time, e.g. for future employment opportunities with the company. In such instances we will contact you and ask for your permission to retain your information for a longer period.

  1. Protecting personal data

We are committed to protecting the personal data we hold and we have implemented appropriate technical and organisational measures against unauthorised, accidental or unlawful access, loss, destruction or damage of such data.

In addition, we only allow access to your data to our employees, agents, contractors or other parties who have a business need to know. When we trust third parties to process your data on our behalf, we require that they will protect your data the same way we do and that they comply with appropriate security standards.

We have procedures and policies in place in the event of a security breach related to personal data. Where relevant, we will notify you or our supervisory authority of a security breach when we are under the duty to do so under the GDPR.

  1. Sharing personal data

In order to fulfil the purposes we have set out above, we may need to disclose part of your data to the following categories of other parties, as appropriate;

  1. Your data protection rights

You have specific rights under the GDPR that allow you to understand and, to certain extent, control the way we process your personal data:

  1. The right to access your data: you have the right to receive a copy of the personal data we hold about you and to receive information about how we process such data.
  2. The right to correct your data: you have the right correct your data. If you suspect that we hold inaccurate or incomplete information about you, please let us know so that we can update and complete our records.
  3. The right to delete: in certain instances, you have the right to request that we delete your data. Please note that we will automatically delete or anonymise your data after its retention period has passed and as such, you do not need to submit a specific request for this.
  4. The right to restrict processing: in limited circumstances, you may request that we do not process your data, but only store it, e.g. while you are seeking us to correct your data.
  5. The right to withdraw consent: in limited circumstances, you may have the right to withdraw your consent for our processing of your personal data, where we are utilizing your consent as a basis for our processing. In such instances, we will respect your choice and stop processing your data further.
  6. The right to object: You may consider that you have reasons to object to the use of your personal data when such use is only based on our legitimate interests as described in this Policy. Before using your data for legitimate interests, we have balanced these interests against your rights and freedoms. However, if you consider that you have grounds to object to the use of your data, you can explain to us your particular situation and we will individually review your request.
  7. Rights in relation to automated decision making: We do not take decisions about individuals during the recruitment process based solely on automated processing. As such, in the context of your application process, this right is not applicable.
  8. The right to data portability: Where the processing of your data is based on consent or on a contract and the processing is carried out by automated means, you have the right to receive such data in a structured, commonly used, machine-readable format. However, in the context of your application process this right would not be applicable, as our processing is not carried out by automated means nor based on consent or contract.

You can exercise your above rights by contacting our Data Protection Officer. For more information, see section 11 below.

  1. Updates to this Policy

We will modify this Policy when there is a change to the way we process your data and when we need to ensure that the information we provide to you is up to date and in accordance with the relevant data protection laws. Any new version of this Policy will be published on this website.

  1. Contact information

Questions or comments in relation to this Policy, and/or requests concerning your rights under GDPR, should all be directed to our Data Protection Officer in writing to the following email: dpo@avilabs.is, or to our address: AviLabs ehf., Nóatúni 17, 105 Reykjavík, Iceland.