AXA Spain Local Privacy Notice external

DISCLAIMER INFORMATION NOTICE

MANAGEMENT OF RECRUITMENT PROCESSING AND INTERNAL MOBILITY USING OUR RECRUITMENT PLATFORM

DISCLAIMER

You are responsible for ensuring that the information, messages and any attachments (hereinafter "the information") that you upload to the tool is correct and truthfully represents your work experience. If you need to make any changes to the information you input, you may adjust it at any time. You should ensure that you only input information in the free text box that is relevant to your application and you should take care to avoid inputting any unnecessary sensitive or confidential personal data in the free text field.

You are reminded, as a future/actual user of the platform, that the information is uploaded into the tool solely for the purposes of managing the recruitment (external or internal) of your application(s) for a position and the associated processing described below. You are informed that the tool is not intended to be used for any other purpose.

GENERAL INFORMATION NOTICE ON THE PROTECTION OF YOUR PERSONAL DATA

To the extent that it does not conflict with the local privacy notice relevant to the AXA company to which you are applying (for which please see the section “Local Privacy Notices below), this privacy notice will apply to AXA’s processing of your personal data.

DATA CONTROLLERS

Act as data joint controllers in the context of the processing of your personal data (i.e. they jointly determine the purposes and means of the processing of your information):

GIE AXA, an economic interest grouping, organized under the laws of France, having its registered office at 23 Avenue Matignon, 75008 Paris, registered with the Registry of Commerce and Companies of Paris under number 333 491 066,

AND

The AXA company to which you are applying. For internal processes in Spain this company might be Asociación AXA Todo Corazón, AXA Aurora Vida, S.A, AXA Mediterranean Holding S.A., AXA Pensiones, AXA Regional Services SAU, AXA Seguros Generales S. A., Alpha Scale SAS, Sucursal en España, Axa Exclusiv Seguros e Inversiones, S.A., GIE AXA Sucursal en España, AMDIF, S.L., Asesoramiento Seguros y Previsión Atlantis, S.L, Atlantis Asesores, S.L, Atlantis Correduría de Seguros y Consultoría. S.A.

(Together, "AXA Spain" or “AXA”).

Lastly, once the local entity of AXA contacts you regarding to your request, the procurement process will be managed according to local laws and regulation applicable.

DPO'S CONTACT DETAILS

Data Privacy Officers (DPO) of each entity can be contacted by mail or e-mail address. Please refer to the dedicated addresses indicated by the AXA entity concerned and available below:

- AXA Spain - mail: hrservices@axa.es;

- GIE AXA : privacy@axa.com

COOKIES AND TRACKERS

We enable cookies once you have given your consent, except for technical cookies that are necessary to provide the service you request on the Website. For more details, you undertake to read the Cookies Policy available on the Website.

You can also find contact details in the Local Privacy Notices, as set out above.

PURPOSES OF PROCESSING, LEGAL BASIS AND CATEGORIES OF personal DATA PROCESSED

Purpose n°1): Management of the recruitment process of external candidates

The legal basis for the processing of your personal data legitimizing this purpose is the execution of pre-contractual measures (Art. 6. 1.b) GDPR).

- Identification data, such as: first name, last name, gender (Mr./Ms.) (optional), photo (optional), date of birth or age (may be collected on your resume), personal phone number, personal email address, personal address, nationality.

- Personal life data: family status (may be collected on your resume), hobbies (may be collected on your resume).

- Professional data, such as: interests, skills (a minimum of one topic) or CV (file or link to LinkedIn), professional email, job title, work site, Contract type (permanent or fixed term contract).

To the extent strictly authorized by law, Personal Data can be processed on the CV as follow: Health Data, (information concerning disability) in accordance with Article 9-2-b of the GDPR.

Purpose n°2: Management of CV bank and Management of the sending of job adverts (newsletter)

The legal basis for the processing of your personal data legitimizing this purpose is the application of consent (Art. 6. 1.a) GDPR). Please note that you can withdraw this consent at any time. If you decide to do so, you will no longer receive job offers from the Data Controllers. The withdrawal of your consent does not affect the lawfulness of the processing previously carried out, or any processing for which the legal basis is not consent.

Your personal data will be shared with recruitment teams from AXA :

1) to allow you to have a good visibility of your applications and profiles within all AXA entities and

2) to enable them to perform analytics on the use of the platform

- Personal life data: family status (may be collected on your resume), hobbies (may be collected on your resume);

- Professional data, such as : interests, skills (a minimum of one topic) or CV (file or link to LinkedIn).

Purpose n°3): Management of internal mobility of AXA employees

The legal basis for the processing of your personal data legitimizing this purpose is the execution of contractual measures (Art. 6. 1.b) GDPR).

Your personal data will be shared with recruitment teams from AXA :

1) to allow you to have a good visibility of your applications and profiles within all AXA entities and

2) to enable them to perform analytics on the use of the platform

- Personal life data: family status (may be collected on your resume), hobbies (may be collected on your resume);

- Professional data, such as : interests, skills (a minimum of one topic) or CV (file or link to LinkedIn), employee number, professional email, local ID, job title, manager’s name, professional family and sub-family, work site, business unit, assignment categories (local terms, short or long term assignment), Contract type (permanent or fixed term contract), seniority date (job seniority date, entity seniority date or AXA seniority date), geographic mobility (willing to relocate nationally/internationally), management position, business phone number.

Purpose n°4): Match candidates’ profiles to job positions (“the matching test”) using artificial intelligence

The legal basis for the processing of your personal data legitimizing this purpose is the application of precontractual measures for the external applications and the execution of contractual measures for internal candidates (Art. 6.1.b RGPD). This data processing should help either AXA entities to find the most adapted candidates for a job role or to help the candidate to find the best job positions in AXA.

It is the match between the data of the job offer and some data filled in by the candidate which are the following:

- skills (key words);

- job family (i.e. compliance, finance, security etc.);

- experiences

- desired place of work;

- type of contract (fixed-term contract, permanent contract, internship, work experience).

Purpose n°5): Administration of the platform (monitoring of use and functioning and ticket management)

The legal basis for the processing of your personal data legitimizing this purpose is the application of the legitimate interest (Art. 6 1.f) of the GDPR). The legitimate interests pursued by the data controllers consist in the necessity to maintain the platform to enables recruitment and the provision of additional services to applicants while respecting the principles of security, compliance and necessary technical developments.

All personal data mentioned in this privacy policy, except authentication (password and passAXA)

Logs for security, platform connection data and IP address

Purpose n°6): Referral of internal AXA candidates

The legal basis for the processing of your personal data legitimizing this purpose is the application of consent (art. 6.1. a) of the GDPR.

- Identification data, such as: first name, last name, personal email address, personal phone number (optional);

- professional data: resume (optional), job category, preference in the location of the job offer (optional).

Purpose n°7): Development of AXA Employees’ expertise & skills (GIG)

The legal basis for the processing of your personal data legitimizing this purpose is that the processing is necessary for the performance of the contract (Art. 6. 1.b) of GDPR.

- Identification data: First name, last name, gender, language;

- Professional data: number of years of experience, name of employers;

- Personal life: competencies & interests (optional).

For all the purposes for which the legal basis is the legitimate interest (Art. 6.1.f of the GDPR), you can obtain information on these purposes on request by writing to the DPO contact of the company to which you are applying.

MANDATORY NATURE OF DATA COLLECTION AND THE POSSIBLE CONSEQUENCES OF FAILURE TO PROVIDE SUCH DATA

Some information collected in the application is mandatory for the data controllers to be able to evaluate your application or to send you the various job offers offered by the data controllers. Fields marked with an asterisk (*) in the application are mandatory where others are optional.

If you do not provide this mandatory information, you will not be able to be called back by recruiters or to receive the various job offers presented by the data controllers.

THE SOURCE OF THE PERSONAL DATA IN CASE OF INDIRECT COLLECTION

When you are an employee of an AXA entity, we will collect data relating to you from existing human resources databases.

Another source of data may come from LinkedIn when the candidate applies for job roles in AXA on LinkedIn website.

SECURITY OF PERSONAL DATA

The data controllers use appropriate technical and organizational measures to protect the Personal Data that the data controllers collect and process about you. The measures that the data controllers put in place are designed to ensure a level of security that is sufficient considering the risks associated with the processing of your Personal Data in accordance with AXA Group standards. You can find more information in the Country-Specific Privacy Notices as set out above.

RECIPIENTS OR CATEGORIES OF RECIPIENTS AND NON-EU TRANSFERS

The data controllers will communicate your personal data only to identified and authorized recipients.

In addition to any recipients set out in the relevant Country-Specific Privacy Notices as set out above, these recipients include:

· AXA Group Operations (France) in charge of the integration of the platform and the management of IT support;

· Local AXA entities: authorized persons involved in the recruitment process such as human resources (recruiters only), manager(s) involved in your recruitment process;

· AXA Group Operations (Portugal), subcontractor of AXA Group Operations and in charge of the processing of requests to exercise rights;

· iCIMS (United States, United Kingdom, Germany, Ireland) and their subcontractors, in charge of the implementation, use and maintenance of the platform.

· Other subcontractors depending on local AXA entities (cf. AXA local privacy notices above).

For countries or jurisdictions that do not provide an adequate level of protection, data controllers provide safeguards to ensure the security and confidentiality of your personal data and frame this transfer either by:

(i) the Standard Contractual Clauses adopted by the European Commission or similar where required by local regulation (eg. International Data Transfer Agreement in the UK),

(ii) when your personal data is transferred to other AXA Group entities, by the Group's Binding Corporate Rules (available via the following link - Learn More section: https://www.axa.com/fr/a-propos-d-axa/nos-engagements). These Binding Corporate Rules apply to relationships between entities, including those located in countries that do not provide an adequate level of protection.

DATA RETENTION PERIOD

For the purposes 1) concerning the management of the recruitment process of external candidates, 2) concerning the constitution of a CV-library and the sending of job adverts, , 4) concerning the provision of the matching test, and 6) concerning the referral of internal candidates , the data retention period will usually depend on the country of the AXA entity to which you are applying. . Please refer to the Appendix below according to your country.

For the purposes 1) concerning the management of the recruitment process of external candidates, the retention period is 30 days after the closure of the job advert in the active data base unless you give us your explicit consent to keep it, for potential future job opportunities 2) concerning the constitution of a CV-library and the sending of job adverts, the data retention period is 12 months after your consent in the active database.

For the purposes 3) concerning the internal recruitment, and 7) concerning GIGs, your data will be kept for the duration of your employment contract.

For the purpose n°5) concerning the administration of the platform, the retention period has be defined following the purposes identified above.

There is a restricted data processing (archiving data) before purging your data, meaning that AXA overwrites the email with a pseudo email and changes the person folder to “restricted processing”. That restricted data processing is strictly necessary for evidence purposes in case of litigation. The record stays in the platform based on country retention period and then it is purged.

DATA SUBJECTS’ RIGHTS

In any case, and at any time, you could exercise your rights to access, rectify, erasure, request to obtain the restriction of the processing of your personal data, and request portability of your personal data, addressing the HR mailbox at hrservices@axa.es

To contact the DPO or exercise your rights, the contact details are as follows:

· For GIE AXA, the contact details are as follows:

- 23 avenue Matignon, 75008, París

- privacy@axa.com

· For local entities: please refer to the contact information provided at the beginning of this Privacy Policy.

You may be asked for information to confirm your identity and/or to assist the Company to locate the data you are seeking as part of our response to your request.

THE RIGHT TO MAKE A COMPLAINT TO A SUPERVISORY AUTHORITY

Finally, you have the right to raise any concerns about how your personal data is being processed with a competent supervisory authority, in particular before the Spanish Supervisory Authority, Agencia Española de Protección de datos, or any other local authorities.

UPDATES TO THIS PRIVACY NOTICE

The joint data controllers may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When the data controllers update this privacy notice, the data controllers will take appropriate measures to inform you, consistent with the significance of the changes the data controllers make. The data controllers will obtain your consent to any material privacy notice changes if and where this is required by applicable data protection laws.

This Privacy Notice was last updated on March 31th 2025.