EU Privacy Policy
GDPR-compliant privacy policy for users in the European Union and European Economic Area
Last Updated: March 30, 2026 | Applies to: EU/EEA Residents
EU-Specific Privacy Notice
This EU Privacy Policy supplements our Global Privacy Policy and provides specific information for EU/EEA data subjects under Regulation (EU) 2016/679 (General Data Protection Regulation). We have an EU representative as required by GDPR Article 27.
Contents
1Data Controller & EU Representative
Data Controller (GDPR Art. 4(7))
Legal Entity: DAKDAN Talent LLC
Registration: [US Registration]
Address: [US Headquarters Address]
Contact: privacy@dakdantalent.com
EU Representative (GDPR Art. 27)
Representative: [EU Representative Name]
Address: [EU Address - ideally in major EU country]
Country: [France/Germany/Ireland - example]
Contact: eu-rep@dakdantalent.com
Data Protection Officer (GDPR Art. 37-39)
Name: [DPO Name]
Email: dpo@dakdantalent.com
EU Contact: eu-dpo@dakdantalent.com
Response Time: Within 1 month (Art. 12.3)
2Legal Basis for Processing (GDPR Art. 6)
We process your personal data only when we have a valid legal basis under GDPR Article 6(1):
Article 6(1)(a) - Consent
You have given freely-given, specific, informed, and unambiguous consent (Art. 4(11))
Used for: Marketing emails, optional cookies, profile enhancements, newsletter subscriptions
Right to withdraw: Yes, at any time (Art. 7(3))
Article 6(1)(b) - Contractual Necessity
Processing is necessary for performance of our contract with you, or to take steps at your request before entering a contract
Used for: Account management, job applications, matching services, platform functionality, payments
Article 6(1)(c) - Legal Obligation
Processing is necessary for compliance with a legal obligation (EU or Member State law)
Used for: Tax compliance (DAC7), AML checks, employment law, court orders, regulatory reporting
Article 6(1)(f) - Legitimate Interests
Processing is necessary for our legitimate interests or those of a third party (unless overridden by your fundamental rights)
Used for: Fraud prevention, security, analytics, service improvement, direct marketing (B2B)
Legitimate Interests Assessments (LIAs) conducted per EDPB Guidelines - available on request
3Processing Purposes (GDPR Art. 5.1.b - Purpose Limitation)
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account Management | Identity, Contact, Credentials | Art. 6(1)(b) Contract |
| Job Matching | Profile, Skills, Preferences | Art. 6(1)(b) Contract |
| Payment Processing | Financial, Transaction | Art. 6(1)(b) Contract |
| Marketing | Contact, Preferences | Art. 6(1)(a) Consent |
| Fraud Prevention | Technical, Usage, Device | Art. 6(1)(f) Legitimate Interests |
| Analytics | Usage, Technical (anonymized) | Art. 6(1)(f) Legitimate Interests |
| Tax Reporting | Financial, Transaction, Identity | Art. 6(1)(c) Legal Obligation |
4Special Categories of Data (GDPR Art. 9)
Enhanced Protection for Sensitive Data
Article 9 GDPR prohibits processing of special categories unless an exception applies. We only process this data with your explicit consent (Art. 9(2)(a)) or under other permitted exceptions.
Racial or Ethnic Origin (Art. 9(1))
Collected: Only voluntarily for diversity monitoring (anonymized aggregates)
Legal Basis: Art. 9(2)(a) Explicit consent
Purpose: Equal opportunities compliance, diversity reporting
Safeguards: Pseudonymization, encryption, access controls
Withdrawal: Contact DPO anytime
Health Data (Art. 9(1))
Collected: Only when you request workplace accommodations
Legal Basis: Art. 9(2)(a) Explicit consent + Art. 9(2)(b) Employment obligations
Purpose: Provide reasonable accommodations, occupational health compliance
Retention: During employment relationship + 3 years (legal claims)
Biometric Data - Photos (Art. 9(1))
Collected: Profile photos (not processed biometrically unless consent given)
Legal Basis: Art. 6(1)(b) Contract (non-biometric) OR Art. 9(2)(a) Explicit consent (if biometric)
Purpose: Profile display, account identification
Note: We do NOT use facial recognition without explicit consent
5Recipients of Personal Data
We share your personal data with the following categories of recipients:
Data Processors (GDPR Art. 28)
Third-party service providers processing data on our behalf under written Data Processing Agreements (DPAs):
- Cloud hosting providers (AWS, Google Cloud - EU regions)
- Email service providers (SendGrid - EU infrastructure)
- Analytics providers (Google Analytics with IP anonymization)
- Payment processors (Stripe - PCI DSS compliant)
- Customer support platforms (Zendesk - EU data center)
All processors bound by GDPR-compliant DPAs with SCCs for third-country transfers
Controllers - Employers
When you apply for jobs, your application data is shared with employer controllers. Employers are independent controllers responsible for their own GDPR compliance.
We conduct due diligence on employer data protection practices.
Public Authorities
EU/Member State authorities, tax authorities, law enforcement (only when legally required - Art. 6(1)(c))
6International Data Transfers (GDPR Art. 44-50)
Some of your data may be transferred to countries outside the EU/EEA. We ensure adequate safeguards:
Adequacy Decisions (Art. 45)
We transfer to countries with EU Commission adequacy decisions: Andorra, Argentina, Canada (commercial orgs), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay.
Standard Contractual Clauses (Art. 46(2)(c))
For transfers to countries without adequacy decisions (e.g., United States):
- • EU Standard Contractual Clauses (2021): Commission Implementing Decision (EU) 2021/914
- • Transfer Impact Assessments (TIAs): Conducted per Schrems II requirements
- • Supplementary Measures: Encryption in transit and at rest, access controls, data minimization
- • Monitoring: Ongoing review of third-country legal landscape
EU-US Data Privacy Framework (Art. 45)
For US transfers, we rely on processors certified under the EU-US Data Privacy Framework (Commission Adequacy Decision 2023/1795).
For copies of SCCs or TIAs, contact: eu-dpo@dakdantalent.com
7Data Retention (GDPR Art. 5.1.e - Storage Limitation)
We retain personal data only as long as necessary for the purposes for which it was collected:
| Data Type | Retention Period | Justification |
|---|---|---|
| Active account data | Duration + 6 months | Contractual necessity |
| Job applications | 6 months post-decision | Legitimate interests (legal claims) |
| Financial/tax records | 7-10 years | Legal obligation (Member State laws) |
| Marketing consent | Until withdrawn + 30 days | Consent withdrawal processing |
| Cookies (analytics) | 13 months max | ePrivacy Directive compliance |
| Litigation data | Duration + limitation period | Legal claims (varies by Member State) |
After retention periods expire, we securely delete or anonymize data in accordance with our data retention schedule.
8Your Data Subject Rights (GDPR Art. 15-22)
You have the following rights under GDPR. See our GDPR Rights page for detailed information.
Art. 15 - Right of Access
Free copy of your data + transparency info
Art. 16 - Right to Rectification
Correct inaccurate/incomplete data
Art. 17 - Right to Erasure
Right to be forgotten (with exceptions)
Art. 18 - Right to Restriction
Limit processing temporarily
Art. 20 - Right to Portability
Receive data in structured format
Art. 21 - Right to Object
Object to legitimate interests processing
Exercise Your Rights
Submit requests within 1 month response time (Art. 12.3):
• Email: eu-dpo@dakdantalent.com
• Portal: Data Subject Request Portal
• Post: EU Representative, [EU Address]
9Automated Decision-Making (GDPR Art. 22)
Article 22(1) Protection
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
Our Position: We do NOT make solely automated decisions with legal/significant effects. All AI-assisted processes involve human review.
Job Matching Algorithm
Nature: AI suggests jobs; you decide whether to apply (no automated decision)
Art. 22 Applies: No - you retain full control
Transparency: Algorithm logic explained in AI Terms
Resume Screening (Employer Tool)
Nature: AI ranks candidates; employer reviews and decides
Art. 22 Applies: No - employer makes final hiring decision
Your Rights: Request human review, challenge employer decision
Safeguards: Bias testing, explainability, human oversight
10Data Protection Impact Assessments (GDPR Art. 35)
We conduct DPIAs for high-risk processing activities as required by Article 35:
✓ AI-Powered Candidate Screening
DPIA conducted for profiling and automated evaluation - Mitigations: bias testing, human oversight, transparency
✓ Special Category Data Processing
DPIA for diversity monitoring - Mitigations: explicit consent, pseudonymization, strict access controls
✓ International Data Transfers
Transfer Impact Assessments per Schrems II - Mitigations: SCCs, encryption, legal analysis
DPIA summaries available upon request to: eu-dpo@dakdantalent.com
11Supervisory Authority (GDPR Art. 77)
You have the right to lodge a complaint with your national data protection authority or with our lead supervisory authority.
Our Lead Supervisory Authority
[Lead SA - based on EU Representative location]
Example: If representative in Ireland:
Data Protection Commission (Ireland)
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Email: info@dataprotection.ie
Website: dataprotection.ie
Find your national authority: EDPB Members List
12EDPB Guidelines Compliance
We comply with European Data Protection Board (EDPB) guidelines and recommendations:
Consent (Guidelines 05/2020)
Clear, granular, freely-given consent mechanisms
Targeting (Guidelines 08/2020)
Transparency in targeted advertising
Dark Patterns (Guidelines 03/2022)
No deceptive design patterns in UI/UX
Deceptive Patterns (Guidelines 2023)
Transparent cookie notices and choices
This EU Privacy Policy was last updated on March 30, 2026 and is compliant with GDPR (EU) 2016/679. For our global privacy policy, see Privacy Policy.