Life at Spotify — Candidate Privacy Policy

Last updated July 1, 2024

1. Introduction Thank you for considering a job opportunity at Spotify!

This Candidate Privacy Policy (“Policy”) applies to the processing of personal data collected in connection with career opportunities at Spotify and the hiring process. It explains how and why we gather, store, share and use your personal data, as well as the rights and choices you have around your personal data.

The data controller for the processing of your personal data is the Spotify entity in the country from which you would work if you were offered a job at Spotify. If you are unsure which country or entity this would be, please contact us.

2. Your rights Privacy laws, including the General Data Protection Regulation, give rights to individuals over their personal data. As available and except as limited under applicable law, the rights afforded to individuals are detailed below:

  • Be informed – Be informed of the personal data we process about you and how we process it.
  • Access / Know – Request access to the personal data we process about you.
  • Rectification / Correction – Request that we amend or update your personal data where it’s inaccurate or incomplete.
  • Erasure / Deletion – Request that we erase certain personal data about you.
     For example, you can ask us to erase personal data:

    • that we no longer need for the purpose it was collected for
    • that we process based on the legal basis of consent, and you withdraw your consent
    • when you make a justified objection (see section ‘Object’ below)

     There are situations where Spotify is unable to delete your data, for example when:

    • it’s still necessary to process the data for the purpose we collected it for
    • Spotify’s interest in using the data overrides your interest in having it deleted
    • Spotify has a legal obligation to keep the data, or
    • Spotify needs the data to establish, exercise or defend legal claims
  • Restriction – Request that we stop processing all or some of your personal data.
     You can do this if:

    • your personal data is inaccurate
    • our processing is unlawful
    • we do not need your information for a specific purpose, or
    • you object to our processing and we are assessing your objection request. See section ‘Object’ below.

    You can request that we stop this processing temporarily or permanently.

  • Object – Object to us processing your personal data.
    You can do this if Spotify is processing your personal data on the legal basis of legitimate interests.
  • Data portability – Request a copy of your personal data in electronic format and the right to transmit that personal data for use by another party.
    You can request us to transmit your data when we are processing your personal data on the legal basis of consent or performance of contract. However Spotify will try to honour any request to the extent possible.
  • Not be subject to automated decision making – Request a manual review of a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.
    For more information on how we use automated decision-making, please see Section 5 below.
  • Withdrawal of consent – Withdraw your consent to us collecting or using your personal data.
    You can do this if Spotify is processing your personal data on the legal basis of consent.
  • Right to lodge a complaint – Contact your local data protection authority about any questions or concerns.

To exercise any of the rights above, please email us. Whether you choose to exercise any privacy right will not affect your recruitment process and you will not be discriminated against in any way. To honor a request, we may need to verify your identity and ask you to provide certain details related to you.

Please note, if you were referred to the application process by someone else, you may have received a confirmation email when your referral was submitted. By following a link in this email you may log into our recruitment tool Lever, where you can access, rectify, and request erasure of certain Application Data. Please note, however, that you need to email us if you would like to exercise a full data subject access request as explained above.

You may designate, in writing or through a power of attorney (in accordance with local law), an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

For purposes of the CCPA, we do not “sell” or “share” personal data as defined by the CCPA. We also do not process any data that is sensitive as defined by the CCPA for secondary purposes as defined by the CCPA’s accompanying regulations.

Privacy Request Metrics The following chart contains statistics about global verifiable requests we received from candidates between 1 January and 31 December 2023:

Type of request
Received
Complied
Denied
Average response rate
Right to Know / Access
390
390
0
13.81
Request to Delete
14
13
0
5.57
Request to Correct*
68
68
0
15.19
Request to Opt-Out of Data Sharing for Tailored Ads
N/A
N/A
N/A
N/A

*Adjustments in your Lever profile either by you or, to the extent available in your country, aided by Spotify's talent acquisition team are not counted as correction requests (e.g., you upload an updated resume)

3. Personal data we processThe table below sets out the categories of personal data we collect and use.

Category
Category under CCPA
Description
Application Data

Identifiers,

Professional or employment-related information,

Education information, and other data you provide us

Personal data provided by you or the person who referred you. This includes:
  • Contact information, such as your name, email address, phone number, city, country, and any other contact information;

  • Details related to your work experience, such as your CV or resume, cover letter, academic qualifications, transcripts;

  • Information about the type of employment you are looking for or may be interested in, including targeted compensation, benefits and other job preferences;

  • Publicly available information from publicly available sources relevant for the hiring process, e.g. your LinkedIn or GitHub profile;

  • Other information provided by you in the hiring process.

Interview Data

Professional or employment-related information,

Education information, and

other data taken down during the recruitment process

Personal data collected from interviews and outcomes of any recruiting exercises you complete, including personality/reasoning ability tests and, for certain roles, recordings of presentational based interviews.
Background Check Data

Identifiers,

And other data about you provided via background checks and other similar records

Information received from internal and external reference and background checks, including criminal records at offer stage only (if applicable for the position you have applied for, and as permitted by applicable laws);
Travel Data

Identifiers

Personal data we process if Spotify is arranging travel for on-site interviews, such as passport information.
Immigration and Visa Data

Identifiers

Information related to your immigration status and visa requirements.
Voluntary Demographic Data

Characteristics and other data you provided us

On a voluntary basis, we ask you to provide us with demographic information such as gender identity and, as permitted by applicable laws in some countries, race, ethnicity, and veteran status. This information will only be used to help us to evaluate and improve our diversity and belonging efforts on an aggregate level. This information will be processed separately from your application and whether you choose to answer will not affect your job application.

4. Our purpose for processing your personal dataThe table below sets out:

  • our purpose for processing your personal data
  • our legal justifications (each called a ‘legal basis’) under data protection law, for each purpose
  • categories of personal data which we use for each purpose.

Here is a general explanation of each ‘legal basis’ to help you understand the table:

  • Legitimate Interest: When Spotify or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you.
  • Consent: When Spotify asks you to actively indicate your agreement to Spotify’s use of your personal data for a certain purpose.
  • Compliance with Legal Obligations: When Spotify must process your personal data to comply with a law.
  • Performance of Contract: When it’s necessary for Spotify (or a third party) to process your personal data to comply with obligations under a contract with you or to take steps prior to entering into a contract.
Purpose for processing your data
Legal basis that permits the purpose
Categories of personal data used for the purpose
To communicate with you throughout the hiring process
  • Legitimate interest
  • Application Data
To assess your qualifications, skills, and suitability for the considered job
  • Legitimate interest
  • Application Data
  • Interview Data
To verify your provided information and carry out background checks
  • Legitimate intersest
  • Consent (for certain background checks in certain countries)
  • Compliance with legal obligations (for legally required background checks in certain countries)
  • Application Data
  • Background Check Data
To book travel for on-site interviews, if applicable
  • Legitimate interest
  • Travel Data
To consider you for, and inform you about future job opportunities
  • Consent
  • Application Data
  • Interview Data
To prepare your employment agreement if you are offered a job at Spotify
  • Performance of Contract
  • Application Data
  • Immigration and Visa Data
To assist you with obtaining an immigration visa or work permit (if requested by you)
  • Legitimate interest
  • Compliance with legal obligations
  • Application Data
To comply with applicable laws, regulations, legal processes or enforceable governmental requests, e.g. immigration and visa laws and requirements
  • Compliance with legal obligations
  • Application Data
  • Interview Data
  • Background Check Data
  • Immigration and Visa Data
To evaluate and improve our diversity and belonging efforts on an aggregate level.
  • Consent
  • Voluntary Demographic Data
In addition, we process your information (on an aggregated level) to perform analyses in order to understand, maintain, evaluate and improve our hiring process.

5. Automated decision-makingIn limited circumstances our recruitment processes use elements of solely automated decision-making in order to confirm that we only proceed with candidates who meet the minimum requirements for a job, as set out in a job description. For example, if the job description clearly requires candidates to have previously had managerial experience and the application form asks if you have managerial experience, your application may be rejected automatically if your answer in the application form is “No”. Automated decision-making is only used as an exception when we expect a high volume of applications which we cannot handle manually. You may always request a manual review of the decision by emailing candidateprivacypolicy@spotify.com.

6. Sharing your personal dataWe may share any of your personal data described above to third party service providers such as providers of recruiting tools to organize and facilitate our recruitment process.

We may also share your personal data globally with other companies in the Spotify Group in order to carry out the activities specified in this Policy. Because of the global nature of our business, we share personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU/UK laws or the laws which apply where you live. For example, the laws of these countries may not guarantee the same rights over your data.

Whenever we transfer personal data internationally, we use tools to:

  • make sure the data transfer complies with applicable law

  • help to give your data the same level of protection as it has in the EU/UK (where applicable) and/or the laws which apply where you live

For example, where a data transfer is subject to applicable EU/ UK legislation, we use the following legal mechanisms:

  • EU Standard Contractual Clauses and UK International Data Transfer Addendum (together the 'SCCs'). These clauses require the other party to protect your data and to provide you with EU-level/ UK-level rights and protections. For example, we use SCCs to transfer the personal data described in Section 3 'Personal data we process' to our recruitment tool Lever which uses servers in the US. You can exercise your rights under the SCCs by contacting us or the third party who processes your personal data.

We also identify and use additional protections as appropriate for all data transfers. For example, we use:

  • technical protections, such as encryption and pseudonymisation
  • policies and processes to challenge disproportionate or unlawful government authority requests

7. Data retention and deletionIf your application leads to you becoming a Spotify band member, relevant information we collect about you during the hiring process will become a part of your employment record and retained in accordance with our privacy policies for employee data.

If you did not become a Spotify band member, and you do not want to be considered for future job opportunities, we retain your personal data for 6 months or as long as necessary:

  • to comply with our legal obligations such as immigration and visa requirements, or

  • to resolve any disputes related to the hiring process.

If you have consented to being considered for future job opportunities, we retain your personal data for three years. After this period, you will be asked to renew your consent.

All personal data retained by Spotify will be stored in a secure and confidential manner with limited access rights.

8. How to contact us For any questions or concerns about this Policy, or if you would like to exercise any of your rights explained under Section 2 above, please contact our Data Protection Officer by emailing candidateprivacypolicy@spotify.com.