Life at Spotify — Candidate Privacy Policy
Last updated July 1, 2024
1. Introduction Thank you for considering a job opportunity at Spotify!
This Candidate Privacy Policy (“Policy”) applies to the processing of personal data collected in connection with career opportunities at Spotify and the hiring process. It explains how and why we gather, store, share and use your personal data, as well as the rights and choices you have around your personal data.
The data controller for the processing of your personal data is the Spotify entity in the country from which you would work if you were offered a job at Spotify. If you are unsure which country or entity this would be, please contact us.
2. Your rights Privacy laws, including the General Data Protection Regulation, give rights to individuals over their personal data. As available and except as limited under applicable law, the rights afforded to individuals are detailed below:
- Be informed – Be informed of the personal data we process about you and how we process it.
- Access / Know – Request access to the personal data we process about you.
- Rectification / Correction – Request that we amend or update your personal data where it’s inaccurate or incomplete.
- Erasure / Deletion – Request that we erase certain personal data about you.
For example, you can ask us to erase personal data:- that we no longer need for the purpose it was collected for
- that we process based on the legal basis of consent, and you withdraw your consent
- when you make a justified objection (see section ‘Object’ below)
There are situations where Spotify is unable to delete your data, for example when:
- it’s still necessary to process the data for the purpose we collected it for
- Spotify’s interest in using the data overrides your interest in having it deleted
- Spotify has a legal obligation to keep the data, or
- Spotify needs the data to establish, exercise or defend legal claims
- Restriction – Request that we stop processing all or some of your personal data.
You can do this if:- your personal data is inaccurate
- our processing is unlawful
- we do not need your information for a specific purpose, or
- you object to our processing and we are assessing your objection request. See section ‘Object’ below.
You can request that we stop this processing temporarily or permanently.
- Object – Object to us processing your personal data.
You can do this if Spotify is processing your personal data on the legal basis of legitimate interests. - Data portability – Request a copy of your personal data in electronic format and the right to transmit that personal data for use by another party.
You can request us to transmit your data when we are processing your personal data on the legal basis of consent or performance of contract. However Spotify will try to honour any request to the extent possible. - Not be subject to automated decision making – Request a manual review of a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.
For more information on how we use automated decision-making, please see Section 5 below. - Withdrawal of consent – Withdraw your consent to us collecting or using your personal data.
You can do this if Spotify is processing your personal data on the legal basis of consent. - Right to lodge a complaint – Contact your local data protection authority about any questions or concerns.
To exercise any of the rights above, please email us. Whether you choose to exercise any privacy right will not affect your recruitment process and you will not be discriminated against in any way. To honor a request, we may need to verify your identity and ask you to provide certain details related to you.
Please note, if you were referred to the application process by someone else, you may have received a confirmation email when your referral was submitted. By following a link in this email you may log into our recruitment tool Lever, where you can access, rectify, and request erasure of certain Application Data. Please note, however, that you need to email us if you would like to exercise a full data subject access request as explained above.
You may designate, in writing or through a power of attorney (in accordance with local law), an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
For purposes of the CCPA, we do not “sell” or “share” personal data as defined by the CCPA. We also do not process any data that is sensitive as defined by the CCPA for secondary purposes as defined by the CCPA’s accompanying regulations.
Privacy Request Metrics The following chart contains statistics about global verifiable requests we received from candidates between 1 January and 31 December 2023:
*Adjustments in your Lever profile either by you or, to the extent available in your country, aided by Spotify's talent acquisition team are not counted as correction requests (e.g., you upload an updated resume)
3. Personal data we processThe table below sets out the categories of personal data we collect and use.
Identifiers,
Professional or employment-related information,
Education information, and other data you provide us
Contact information, such as your name, email address, phone number, city, country, and any other contact information;
Details related to your work experience, such as your CV or resume, cover letter, academic qualifications, transcripts;
Information about the type of employment you are looking for or may be interested in, including targeted compensation, benefits and other job preferences;
Publicly available information from publicly available sources relevant for the hiring process, e.g. your LinkedIn or GitHub profile;
Other information provided by you in the hiring process.
Professional or employment-related information,
Education information, and
other data taken down during the recruitment process
Identifiers,
And other data about you provided via background checks and other similar records
Identifiers
Identifiers
Characteristics and other data you provided us
4. Our purpose for processing your personal dataThe table below sets out:
- our purpose for processing your personal data
- our legal justifications (each called a ‘legal basis’) under data protection law, for each purpose
- categories of personal data which we use for each purpose.
Here is a general explanation of each ‘legal basis’ to help you understand the table:
- Legitimate Interest: When Spotify or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you.
- Consent: When Spotify asks you to actively indicate your agreement to Spotify’s use of your personal data for a certain purpose.
- Compliance with Legal Obligations: When Spotify must process your personal data to comply with a law.
- Performance of Contract: When it’s necessary for Spotify (or a third party) to process your personal data to comply with obligations under a contract with you or to take steps prior to entering into a contract.
- Legitimate interest
- Application Data
- Legitimate interest
- Application Data
- Interview Data
- Legitimate intersest
- Consent (for certain background checks in certain countries)
- Compliance with legal obligations (for legally required background checks in certain countries)
- Application Data
- Background Check Data
- Legitimate interest
- Travel Data
- Consent
- Application Data
- Interview Data
- Performance of Contract
- Application Data
- Immigration and Visa Data
- Legitimate interest
- Compliance with legal obligations
- Application Data
- Compliance with legal obligations
- Application Data
- Interview Data
- Background Check Data
- Immigration and Visa Data
- Consent
- Voluntary Demographic Data
5. Automated decision-makingIn limited circumstances our recruitment processes use elements of solely automated decision-making in order to confirm that we only proceed with candidates who meet the minimum requirements for a job, as set out in a job description. For example, if the job description clearly requires candidates to have previously had managerial experience and the application form asks if you have managerial experience, your application may be rejected automatically if your answer in the application form is “No”. Automated decision-making is only used as an exception when we expect a high volume of applications which we cannot handle manually. You may always request a manual review of the decision by emailing candidateprivacypolicy@spotify.com.
6. Sharing your personal dataWe may share any of your personal data described above to third party service providers such as providers of recruiting tools to organize and facilitate our recruitment process.
We may also share your personal data globally with other companies in the Spotify Group in order to carry out the activities specified in this Policy. Because of the global nature of our business, we share personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU/UK laws or the laws which apply where you live. For example, the laws of these countries may not guarantee the same rights over your data.
Whenever we transfer personal data internationally, we use tools to:
make sure the data transfer complies with applicable law
- help to give your data the same level of protection as it has in the EU/UK (where applicable) and/or the laws which apply where you live
For example, where a data transfer is subject to applicable EU/ UK legislation, we use the following legal mechanisms:
- EU Standard Contractual Clauses and UK International Data Transfer Addendum (together the 'SCCs'). These clauses require the other party to protect your data and to provide you with EU-level/ UK-level rights and protections. For example, we use SCCs to transfer the personal data described in Section 3 'Personal data we process' to our recruitment tool Lever which uses servers in the US. You can exercise your rights under the SCCs by contacting us or the third party who processes your personal data.
We also identify and use additional protections as appropriate for all data transfers. For example, we use:
- technical protections, such as encryption and pseudonymisation
- policies and processes to challenge disproportionate or unlawful government authority requests
7. Data retention and deletionIf your application leads to you becoming a Spotify band member, relevant information we collect about you during the hiring process will become a part of your employment record and retained in accordance with our privacy policies for employee data.
If you did not become a Spotify band member, and you do not want to be considered for future job opportunities, we retain your personal data for 6 months or as long as necessary:
to comply with our legal obligations such as immigration and visa requirements, or
- to resolve any disputes related to the hiring process.
If you have consented to being considered for future job opportunities, we retain your personal data for three years. After this period, you will be asked to renew your consent.
All personal data retained by Spotify will be stored in a secure and confidential manner with limited access rights.
8. How to contact us For any questions or concerns about this Policy, or if you would like to exercise any of your rights explained under Section 2 above, please contact our Data Protection Officer by emailing candidateprivacypolicy@spotify.com.