Liferay Job Candidate Privacy Notice

Dear Liferay Job Candidate,

In this Liferay Job Candidate Privacy Notice (“Privacy Notice”) we want to inform you how Liferay collects and uses your personal data. With the accelerated digitalisation, privacy has become an increasing concern. While privacy and security of your personal data is important to us, it is also important that you understand how we handle this data.

Liferay operates as an international group of companies and hires based on skills not on location, therefore different data protection laws apply depending on your location. Therefore, applicable requirements on how much detail we need to provide to you, vary depending on where you are and which laws apply to Liferay and your data. We are for now focusing on the EU data protection law called “GDPR” and “UK GDPR”, the Brazilian data protection law called “LGPD” and the Californian data protection law called “CCPA”. This notice is drafted in a way which is required to satisfy the requirements under these laws.

This Privacy Notice will be expanded to the extent this is needed to satisfy requirements under further laws which may apply to Liferay. In addition, this Privacy Notice may be refined and modified by us from time to time with or without prior notice to reflect how our use of your data changes, for example as we introduce new processes and tools or as we refine our processes.

Thanks for your attention and let us know if you have any particular questions right away. You will find our contact details for your questions below.

January 25, 2024

1. Definitions

For clarity, when we say

“Liferay”, “we”, “ours” or “us”, we refer to the Liferay company primarily responsible for your data as explained in Section 2 below.
“Candidate”, “you” or “your”, we refer to all candidates applying for an open position at one of Liferay’s companies, as an officer, worker (no matter if part-time or full time, temporary, seconded or interns) or contractors.
“Personal data”, we mean all the data about or relating to you.
“Process” or “processing”, “treat” or “treatment”, we refer to everything that we do with your personal data, from collecting it to its use and disposal.
“CCPA”, we mean the most prominent data protection law in the US, the Californian version. It applies to the Candidates in California and other Candidates outside the US, who apply for a job with the Liferay company in the US, Diamond Bar.
“GDPR”, we mean that famous European data protection law. GDPR applies to all our Candidates in the European Union and other Candidates outside the EU, who apply for a job with one of the EU based Liferay companies.
“LGPD”, we mean the Brazilian data protection law. It applies to all Candidates of the Liferay company in Brazil and other Candidates outside Brazil, who apply for a job with the Liferay company in Brazil.
“UK GDPR”, we mean GDPR “frozen” as of the end of December 2021 (upon Brexit). Since GDPR hasn't changed since Brexit yet and the UK didn't change the UK GDPR yet, essentially GDPR is the same as UK GDPR for now. UK GDPR applies to all our Candidates in the UK and other Candidates outside the UK, who apply for a job with the Liferay company in the UK.
“Data protection laws”, we mean GDPR, UK GDPR, LGPD, CCPA and any additional relevant national and EU laws that govern how we are supposed to deal with your personal data.

2. Responsible Party

Liferay is responsible for compliance with the data protection laws, when dealing with your personal data. “Liferay” is the Liferay company which is advertising the position. If you are located in a country, where Liferay has an office, then the responsible party is the Liferay entity located in your country. You can find information regarding the Liferay offices, their location and contact details here: https://www.liferay.com/locations

Otherwise:

If you are located in any country in APAC, where Liferay doesn't have any offices: Liferay Singapore Pte. Ltd.;
If you are located in any country in LATAM; where Liferay does not have any offices: Liferay Latin America Ltda;
If you are located in a country in North America, where Liferay does not have any offices: Liferay, Inc.;
If you are located in any other country of the world, where Liferay does not have any offices: Liferay International Limited.

In GDPR and UK GDPR terms Liferay is therefore the “Controller”. In LGPD terms it’s “Controlador” or “Controller”. In CCPA terms it’s the “Business”.

Since all Liferay companies operate together as “One Liferay”, sometimes two or more Liferay companies are together responsible for proper treatment of your personal data. A lawyer using GDPR terms would say, the Liferay company in your employment contract and that other Liferay company are the “Joint Controllers”.

That other company is Liferay, Inc. in Diamond Bar, California, US (“Liferay US”). This is the case as Liferay US has a great IT Team that procures and provides all of us globally with the helpful tools and services we use to do our jobs. In addition, it is the case where your hiring manager or department lead is working for Liferay US. Otherwise, that other company is the Liferay company for which your hiring manager or department lead is working.

3. Data Protection Officer

In some countries, under certain conditions, the data protection laws create an obligation for Liferay to appoint a specific person for overseeing Liferay’s compliance with the data protection laws. We usually call them “Data Protection Officer” (“DPO”) which is the term used in GDPR, UK GDPR and LGPD.

If you are located in Germany, you can reach our DPO at: [email protected].
If you are located in Ireland, you can reach our DPO at: [email protected].
If you are located in France, you can reach our DPO at: [email protected].
If you are located in Hungary, you can reach our DPO at: [email protected].
If you are located in Spain, you can reach our DPO at: [email protected].
If you are located in Brazil, you can reach our DPO at: [email protected].

Otherwise, you can reach out to our data protection team via [email protected] if you have any questions or concerns about Liferay’s processing of your personal data.

4. Your Personal Data We Collect

Liferay processes your personal data to meet our legal, statutory and contractual obligations and to enable us to recruit and to employ people. You can read more about these purposes in section 5 below.

The personal data that we collect is:

Name
Date of Birth
Home Address
Personal Email
Home Telephone Number
Mobile Telephone Number
Nationality
Professional References
In certain cases, permits and visas
Financial information (salary expectations)
Photograph for inclusion with CV, if provided by you
In certain cases, Special Category Data (Criminal Records, Drug Tests)
Qualifications/ certifications
Job title(s) you are applying for
Your availability/ notice period with previous employer
Your location
Your salary expectations
Any data you might otherwise provide to us to support your application (e. g. your work samples, website urls, etc.) or as might be required to establish an employment relationship with you in compliance with the applicable laws (e.g. visa permits, etc.)
Our assessments of your application and its fitness for the particular positions your applied for
Our email exchange with you, summaries of our conversations with you

We collect information in the following ways:

Submitted CV/Resumes
Job Forums & Recruitment Agencies
Directly from Candidates
Electronic Vacancy Applications
Social Media Applications
Postal and Email Applications

5. Our Use Of Your Personal Data

Here we would like to explain how and why Liferay uses your data.

Under GDPR/UK GDPR and LGPD we are required to outline the legal grounds for the use of the data. Therefore we named the corresponding UK GDPR/ GDPR/LGPD legal bases for processing your personal data:

We need to process your personal data in order to decide if we can hire you for certain positions, if you apply for or otherwise express your interest in working at Liferay, as follows:

Your Application:

The data will include information about you and your professional experience, education and training such as your application, your name (and any former names), postal address, email address, phone number, universities attended, academic degrees obtained, grades, professional certifications and licenses, employment history, curriculum vitae or resume, test results if you are asked to take a test, eventually your salary expectations.

You submit the data to us and we use your data at your request to see if we can establish an (employment) contract with you.

Hiring Process:

If we extend an offer of employment or a contractor position at Liferay to you, we will process personal information about the position to which you have been appointed, your job title at Liferay, the compensation or project-based contractor rate we offer to you, whether you accept the offer, your signature (the latter two pieces of information are provided by you directly and unless you give those to us, we cannot conclude the relevant - employment or contractor - contract with you)and your starting compensation or project-based contractor rate, and your start date at Liferay. We use the data to establish a contract with you.

In some countries and for some positions which involve access to our cloud customers data, all our or our most confidential information or important assets, such as in Tech Ops and Support, InfoSec, IT , GS, Finance, we might be required to conduct a background check for you. Such background checks are based on our legitimate interest to secure our customers and our most sensitive information and assets. Where required under the applicable laws, we will collect your consent separately. In any case, you will be notified of this step and the scope of the background check upfront.

In certain countries and under certain circumstances, for example for the purposes of a background checks, supplemental privacy notices will be provided, to ensure compliance with local requirements.

In addition, Liferay collects personal data through its web pages e. g. through cookies or forms. If You visit any of them, please note that the respective privacy notices apply.

6. Recipients of Your Personal Data

Sometimes we need to share your personal data with:

Other Liferay companies - to enable the review of your application by the hiring managers and other decision makers who might be working at other Liferay entities globally or to enable use of certain systems and services procured and/or managed by a Liferay company which is not the responsible Liferay company as described in Section 2 above;
Service providers who provide services and systems to Liferay - to enable your use of such systems and services or to support our hiring process.
Recruitment agencies - where we receive your application from a recruitment agency, we might need to keep it informed about the progress of the recruitment process, our hiring decision and eventually agreed conditions.

7. Transfers of Your Personal Data

Liferay is part of an international group of companies. Liferay companies therefore use shared systems and services. In addition, we operate in a matrix-organization. It means that your potential future manager or department lead does not necessarily work for the same Liferay company for which you work but can be working from a different country or even a different continent.

When we enable communication for you with the managers or other decision makers working for other Liferay companies, enable for the potential manager or department lead access to your personal data, or enable your use of certain systems and services for the purposes of your application, we transmit to or enable access to your personal data for such other Liferay companies and service providers providing cloud services to Liferay. Such “sharing” of personal data is called a “transfer” under some data protection laws. When the other Liferay companies are located in another country, and your data virtually “crosses the borders”, this is called a “cross-border data transfer”.

Since Liferay companies are located in many countries globally, as you understand, such cross-border transfers of your personal data are happening at Liferay very often. A full list of all Liferay locations can be found here: https://www.liferay.com/locations. If your data leaves the country of your location, it travels to the location of the Liferay office which advertises the position for which you apply, and otherwise to the service provider we use for the management of applications in the US, and depending on your role and the location of the hiring manager, to one of our offices in the US and in the EU.

7.1. For Liferay’s Candidates located in the EEA

7.1.1. General conditions of cross-border transfers

If You are based in the EU, then GDPR requires Liferay to make sure that it only transfers your personal data to other countries if Liferay can ensure that it will be properly protected in the recipient country, too. Same applies to you, if you are based in the UK, under the UK GDPR.

GDPR allows free flows of your personal data to the recipients based in the EEA (EU + Iceland, Liechtenstein and Norway).

In addition, Your personal data can flow freely to some other countries. For such countries the European Commission has confirmed that based on the laws which apply there, your personal data is safe there. This is confirmed by a so-called “EU adequacy decision”. That applies for example to the UK, Canada and Japan. Since Liferay group of companies has offices in Canada and Japan, Liferay transfers your personal data to the Liferay companies in the UK, Canada, Japan and US companies certified under the EU-U.S. Data Privacy Framework based on the EU adequacy decision.

UK GDPR also allows free flows of data to certain countries subject to the “adequacy regulations”, including the EEA countries, Canada, Japan and US companies certified under the UK Extension to the EU-U. S. Data Privacy Framework. Since Liferay group has offices in the US, Canada, Japan and EEA, Liferay transfers your personal data to these countries based on the UK adequacy regulations.

For transfers of your personal data to other countries we will call such countries “third countries”, like Brazil, Liferay has established contracts to protect your personal data. We use the so-called “Standard Contractual Clauses” (“clauses”) to transfer your personal data to Liferay companies in third countries. These clauses very precisely describe how the recipient in a third country has to treat and protect your personal data. That way, even if the national data protection laws in such countries do not establish the same obligations on the companies to protect your data as in the EEA and UK, the recipients are obliged to protect your data according to the clauses.

If you would like to read the clauses, you can request a copy of the applicable clauses from Liferay. Please submit such a request to [email protected].

Same principles apply when we need to share your personal data with vendors in third countries providing systems and services we use. If such vendors are not located in the EEA or UK, but in a country which has the EU adequacy decision as summarized here, we rely on the EU adequacy decision to justify transfers of your data. Where the vendor is located in a third country, we rely on the clauses, or under exceptional circumstances on one of the exceptions mentioned above.

7.1.2. EU-U.S. Data Privacy Framework with UK Extension and Swiss-U.S. Data Privacy Framework

Liferay, Inc. and Liferay Cloud , Inc. (for purposes of this section collectively, also referred to as “Liferay”) comply with

the EU-U.S. Data Privacy Framework (EU-U.S. DPF),
the UK Extension to the EU-U.S. DPF, and
the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

as set forth by the U.S. Department of Commerce.

Liferay has been certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received

from the European Union in reliance on the EU-U.S. DPF and
from the United Kingdom (and Gibraltar) under the UK Extension to the EU-U.S. DPF.

Liferay certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, those Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Liferay is responsible for the processing of personal data it receives, under the DPF, and subsequently transfers to a third party acting as an agent on its behalf. Liferay complies with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over Liferay’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, Liferay may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Liferay commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Liferay at: [email protected].

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Liferay commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

7.2. For Liferay Candidates located in Brazil

If you are based in Brazil, then LGPD requires Liferay to make sure that it only transfers your personal data to other countries if Liferay can ensure that it will be properly protected in the recipient country, too.

Therefore we can freely transfer your data to countries, which provide for an appropriate level of protection. LGPD is a new law and the national data protection authority (ANPD) did not provide any final guidance yet on which countries would be considered acceptable. However, since we realize that LGPD is a comprehensive data protection law that is very similar to GDPR and the EU Member states have established supervisory authorities to oversee compliance and enforce the data protection laws and the EU Commission, when making its adequacy decisions, applies the same requirements, we believe that it’s safe to say that EEA and countries which have received a EU adequacy decision will be considered “safe” in LGPD terms, too. We therefore, freely transfer your personal data to Liferay companies based in the EEA, UK and Japan and to Liferay, Inc. certified under the EU-U.S. Data Privacy Framework in the US.

Otherwise, LGPD allows us to transfer your personal data to recipients in other countries, where we can establish a proper level of data protection using specific contracts. Again, LGPD is a new law and the national data protection authority (ANPD) did not provide any final guidance yet on the exact terms of such contracts. However, since LGPD is very similar to GDPR, we believe that it’s safe to assume that the clauses we use for transfers of personal data from EEA to third countries (we said we would call “clauses” above) should be sufficient, too and rely on them. This is what we use, when we need to transfer your personal data to countries outside the EEA and the EU adequacy countries.

We might furthermore need to occasionally transfer your data abroad to countries which do not provide for sufficient standards of protection without using the clauses, when:

It’s necessary to protect your or someone else’s physical safety or life, for example if you have an accident abroad and we have some information the doctor in that country urgently need to know to be able to help you
With the authorization by the competent data protection authority (ANPD)
When you expressly allow us to do that in a specific case
to make sure we can deliver on our agreements with you, for example when we owe you something that needs to be delivered by a vendor located in a third country to you.
when this is necessary for Liferay to enforce its claims or to protect itself against any claims by a third party.
When we are obligated to do so to comply with legal requirements.

Same principles apply when we need to share your personal data with vendors in third countries providing systems and services we use. If such vendors are located in the EEA, or in a country which has the EU adequacy decision, we freely transfer your personal data to such recipients as we are convinced that these countries provide appropriate protections for your personal data. Where the vendor is located in a third country, we rely on the clauses, or under exceptional circumstances on one of the exceptions mentioned above.

8. Retention of Your Personal Data

We only retain your data for as long as we need it to reach the original purpose - to consider you as a valid candidate for a particular position you applied for which depending on the circumstances can take between 3 and 6 months - and for any compatible purposes thereafter or as long as required:

under the applicable laws or
to enforce our contracts or
to eventually resolve disputes.

In some cases, if we aren’t able to offer to you the position you applied for, but see other openings coming for which we would like to consider you, we will ask you if we may keep your application including your CV in our systems longer, depending on your profile and the openings we see coming, for a term up to 12 months.

If we decide to hire you, your data which has been used for a hiring decision, will be maintained for the duration of your employment with Liferay and thereafter as long as required:

under the applicable laws or
to enforce our contracts or
to eventually resolve disputes.

After the periods mentioned above Liferay will delete your personal data from all its systems.

9. Your Rights

You have the following rights in relation to our processing of your personal data:

Right to access: You can ask us to give you information about whether or not your personal data is processed, and if Yes, certain further details, such as with which entities your personal data has been shared;
Right to rectification: if you deem that your data is falsely recorded in our systems, you can ask to have that rectified;
Right to erasure: in certain situations (especially if the processing of your personal data is based on consent provided by you) you can ask that we delete, block or anonymize personal data related to you. However, we may oppose this request (especially if we have a legal obligation to retain your personal data).
Right to object to the processing of personal data: If you are located in Brazil, you can oppose any processing of your personal data, if such processing does not comply with the applicable laws.
Right to refuse consent: if we ask you to provide consent, you should be aware that you can refuse to provide consent, without any major detriment, except eventually inconvenience. We will inform you in each particular case of the available alternatives and the consequences.
Right to withdraw consent: if you gave your consent to us, you are free to withdraw that at any time and without any conditions. That case we will not process your personal data in the future for the reason we sought your consent for.
Right to request restriction of processing: If you’re in the UK, EEA or Brazil, you also have the right to restrict the processing of personal data: there are situations (for example if you contest the accuracy of your personal data and we are verifying the accuracy of the data) in which you have the right to ask for the restriction of the processing of your personal data. If this right is exercised, we can only store your personal data, but we cannot make any other action on it (e.g. we cannot create statistics using it).
Right to data portability: If you’re in the UK; EEA or Brazil, under certain circumstances you can request us to enable portability of your data to another service or product provider.
Right to opt-out from automated decision-making and profiling: to the extent Liferay uses your data for automated decision making with legal or similar effects, you have the right to opt-out of the use of your data for such purposes.

If you are a California (US) resident, you have the following rights in relation to our processing of your personal data:

Right to know: You can request us to disclose to you: (1) the categories and/or specific pieces of personal information we have collected about you, (2) the categories of sources for that personal information, (3) the purposes for which we use that information, (4) the categories of third parties with whom we disclose the information, and (5) the categories of information that we sell or disclose to third parties. You can make a request to know up to twice a year, free of charge.
Right to delete: You can request us to delete the personal information we have collected from you and tell our service providers to do the same, subject to certain exceptions (such as if we are legally required to keep the information to comply with legal obligations).
Right to opt-out of sale or sharing: You may request us stop selling or sharing your personal information (“opt-out”).
Right to correct: You may ask us to correct inaccurate information that we may have about you.
Right to limit use and disclosure of sensitive personal information: You can direct us to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as participating in the selection process or the purposes corresponding to your hiring as a Liferay employee and all those related to the job.

For submitting requests, you can contact us by email at: [email protected]

Further to the above, if you feel that we have breached the applicable data protection laws, you have the right to lodge a complaint with the data protection supervisory authority of your country:

If You are based in the EU, you can find the competent authority and the contact details here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. Also under the Data Privacy Framework, any complaints against Liferay, Inc. (US) can be submitted to the EU data protection authorities.
If You are based in Brazil, you can find the competent authority and the contact details here: https://www.gov.br/anpd/pt-br
If You are based in the USA, California, you can find the competent authority and the contact details here: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
For the competent authorities in other countries, please consult this map: https://www.cnil.fr/en/data-protection-around-the-world

You don’t need to pay any fees in order to exercise your rights. We will do our best to respond to you as soon as we can.

10. Contact

For any questions or requests relating to this Privacy Notice or handling of your personal data by Liferay, please contact us as at: [email protected]