Privacy Policy

for Job Applicants


In this privacy policy we describe how we comply with the General Data Protection Regulation (GDPR) when we process personal data of our job applicants.

If you do not belong to this category, you will find the relevant information concerning your case in connection to where this privacy policy is available.

Data Controller

We operate all over the world, but we are domiciled in Sweden. Our name, corporate ID-number, postal address and e-mail is: Bambuser AB (org. nr 556731 - 3126) Regeringsgatan 55, 111 56 Stockholm, Sweden. 


For the sake of clarity, the terms “we, us, our” etc. in this privacy policy always refer to this company.

Data Protection Officer

Of course we have a DPO. To get in touch, send an e-mail to: 

Purposes for processing

The purpose of our processing of your personal data is to determine whether we think our way of working and the open posts we have are suitable for you. If the answer is yes, we will offer you a job.

Legal grounds

Legitimate interest: We have a legitimate interest in ensuring that we hire the candidates we believe are best suited for the positions available. We will not process any data on this ground, if that legitimate interest would be overridden by your interests or fundamental rights and freedoms.

Consent: This legal ground is only used if a formal background check is necessary. In such a case, we will inform you of the information we want to secure and verify, and ask for your permission to conduct the check. You are in your full right to refuse. However, should you refuse that we conduct a background check, the recruitment process stops and you will no longer be eligible for the position in question. 

Legal obligation: it is possible that in individual cases we have to process certain personal data due to an obligation under law or regulation. Should this apply to your case, we will inform you of this, provided that no other law or regulation prohibits it. 

Camera surveillance at our Swedish office

If you visit us in Stockholm, we want you to know that our entrance doors are under camera surveillance. 

The reason for this processing is to prevent and investigate crime and unathorized access. The legal ground is our legitimate interest in keeping our office safe from undesired visits. Since the scope of processing is very narrow and you would be an invited and desired guest if you should visit us, the balancing test shows that the processing does not violate your fundamental rights and freedoms and that our legitimate interest carries more weight. Thus, the indicators are in favour of the processing. The video is deleted after 12 months, unless it is part of an ongoing investigation. 

We present this as a separate point, because it concerns a completely different subject matter compared to all other processing in our relation.

Categories of data

In order to fulfill the purposes of our processing activities we need to process the following types of personal data: Name, physical address, electronic contact data, phone number, salary claim, social security number (in Sweden, personnummer), professional and educational background, references and leisure activities.

Depending on the risk level of the potential position, we need to conduct a formal background check. This would typically include the processing of criminal records, credit reports, verification reports (e.g. identity, previous employment, education, social security number), and reference checks. There may also be other categories relevant to only a specific post. Not every category of data is processed in each individual case, it depends on the risk level of the position in question. Further, formal background checks are only carried out in the final rounds of the recruitment process and only after the candidate in question has been informed about the check, what it contains and authorizes it. The checks are used to reinforce a hiring decision and not as a way to disqualify someone or reduce the number of applicants for a position. 

In your application and communication with us, you may also provide us with personal data that we have not asked for. Since we cannot know in advance if this will be the case or not, or what that data would be, we categorize it as personal data not requested. 

Categories of recipients of data

Internally, the data is handled on a need to know basis. This normally includes our talent acquisition lead, the hiring manager, the team lead, a peer, a C-level or People Operations Manager, and our Hiring Committee. 

External recipients would be relevant processors and authorities. The need to know approach also applies for external recipients. Concerning authorities, we only provide data that we are legally obliged to provide. 

Retention period

If the recruitment process results in your acceptance of our job offer, the retention rules in our Employee Privacy Policy become relevant. If the recruitment process does not lead to such an outcome, the procedure depends on how the personal data was originally collected. If we approached you, we will ask you after 3 months if you want us to keep or delete your personal data. If your answer is yes, then you will be asked the same question after another 12 months.  If the first step was you approaching us, then you will be asked that question after 12 months. Afterwards, you will be asked the same question every 12 months. The reason for this procedure is that new opportunities arise all the time and if we are able to easily retrieve your file, we can make you new proposals much faster. Of course, you can always delete your file anytime you want. 

Your rights

You are always free to get in touch with us and ask what personal data we have about you. You may ask for their rectification or erasure, that the processing should be restricted or ceased and that your data should be transferred to somebody else. We will do what you ask us to do, provided that no other laws or rules prevent us. In any case, we will get back to you and reply to your demand and we will tell you what measures we have taken and on what grounds. We use automatic reply functions, but no automated decisions and no profiling. 

Transfers to third countries

We keep the maximum of our personal data processing within the EU/EES, but this is not always possible. If it is necessary in order to handle your application, then we may transfer data to third countries. For the same reasons, it may also be necessary to store data in third countries. The legal ground for such transfers will be either article 49.1(a) or (b) GDPR. 

About changes to this privacy policy

This privacy policy is a dynamic document, which means that it will change if the way we do business changes. Should this happen, then the new privacy policy will replace the old one with immediate effect. Since it can neither be considered to be a legal obligation nor meaningful in any other way, we will not communicate such a change of privacy policy in any other way than to publish the new privacy policy here. 

The right to lodge a complaint

We believe that the way we process personal data complies with the GDPR. Should you be of another opinion, we would appreciate it if you tell us what you believe is wrong. You are also free to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten, IMY. If it is more convenient to you, you may lodge your complaint with another supervisory authority. 

This privacy policy was last updated on the 5th of October, 2022. 

Ready to reach all-new records?

Whether you’re 100% prepared to scale your e-commerce or need more info, Team Bambuser are ready to tailor to your perfect needs.

Request a Demo