Candidate Privacy Notification

Back to Careers Page

Last Modified: June 27, 2024

What is this notification all about?

First, it’s great that you’d like to come and play with us, but we need to notify you about your privacy rights when using our LEGO Group Careers platform, where LEGO System A/S, or another LEGO Group entity, is the data controller as described below in the section “Who is Responsible for Your Personal Data?”.

For the purposes of this notification, when we use “we”, “us” or “our” in this notification, we are talking about the LEGO Group.

To apply for a position online within the LEGO Group you will have to create and register a profile on our website using a username and a password of your own choice. Your username and password will be required to gain access to your profile. You can also create and register a profile without applying for a specific position or without releasing your profile in the candidate pool.

If you are below the local legal age applicable, please make sure to consult your parents/legal guardian. Please also be informed that the LEGO Group requires your parents’/legal guardian’s consent before an employment relationship may be established.

What personal data does the LEGO Group collect?

We collect personal data from you that makes it possible for us to assess your candidacy for our available job positions such as:

  • Profile data (e.g. name, your username and password)
  • Contact information (e.g. address, email, telephone number)
  • Background, education and CV information (e.g., references to education, degrees, grades, job history)
  • Application (e.g. motivated application with external references)
  • Photograph (e.g. portrait attached the application)

If you as a candidate are invited for an interview, we may also ask you to provide the following information, if relevant:

  • References check from e.g. former employers
  • Other background check: certain roles and levels and only in respect of those candidates who are selected for either 2nd interview or who are closer to the 'offer stage' and who have given prior consent to the background check
  • Criminal records
  • Test results
  • Financial information (e.g. bank account number, salaries, debts, social benefits, pension, credit report)
  • Special categories of personal data (e.g. health data or your union memberships, where legally permitted and if relevant for the specific position)
  • LinkedIn and other relevant social media profiles

The LEGO Group makes all employment-related decisions entirely on merit and qualifications (in accordance with applicable law). Consequently, you should only include personal data relevant for the review of your application and leave out personal data such as your race or ethnic origin, your political or philosophical orientation, your religious beliefs, your union membership or your sexual orientation.

Be specifically aware if you are:

  • applying for a position in the U.S., you will be asked to provide certain specific demographic information in a separate questionnaire due to our obligation to collect information for equal opportunity compliance purposes. The assessment of your application will not be affected in any way should you choose not to provide the listed information;
  • applying for a position where health certification is required by law or our internal policy, you may also be required to participate in a health examination in compliance with applicable local law;
  • applying for a position where a criminal record, credit report or visa/work permit etc. is required by law or our internal policy, you may be required to provide these as well, in compliance with local law; and
  • already employed within the LEGO Group, personal data collected by us as part of this recruitment process, including but not limited to information on your internal job history, appraisals, assessment and profiling results, education and courses will automatically accompany your application when you apply for a new position internally.

If your application is successful, the job offer may be conditional on preemployment checks being carried out to our satisfaction.

Which are the purposes for processing your personal data?

We will process the personal data submitted by you and/or collected externally (through reference, tests and relevant social medias), for the legitimate purpose of assessing your candidacy for available positions and informing you when having signed up to a job agent.

When you create a Candidate Home Account, we will process your personal data as part of giving you access to and tools on our LEGO Group Careers platform, and where we invite you to join the talent pool we will collect your consent for the purpose of contacting you should be seen being potentially qualified for another job opening at the LEGO Group.

We will analyze and derive statistic results using your personal data (special categories of per-sonal data excluded) for the legitimate purpose of understanding trends in the recruitment process and help improve our recruitment and hiring processes.

Special categories of personal data (e.g. health data or your union memberships if relevant for the specific position) is processed where this is necessary for the purposes of carrying out obligations and exercising specific rights of the LEGO Group or for you in the field of employment and social security and social protection law in so far as it is authorized by law.

Finally, the LEGO Group processes personal data where it is necessary to establish, exercise or defend legal claims, and to protect the LEGO Group, LEGO brand or LEGO products.

Who is responsible for your personal data?

The LEGO Group is made up of several different legal entities spread around the world. You can read more about the LEGO Group here https://www.LEGO.com/aboutus. This notification is issued on behalf of all the companies in the LEGO Group.

We have appointed a Global Data Protection Officer (“DPO”) who is responsible for overseeing questions in relation to this notification. If you have any questions about this notification, please contact us. You can also send a letter to the DPO at:

   LEGO System A/S
   Aastvej 1, 7190 Billund
   Denmark
   Att: DPO

Please include your name, country and other details to which your inquiry relates.

Transfer and protection of your personal data

As a global organization with offices and operations throughout the world, we will transfer personal data collected by us on an aggregated or individual level to various divisions, subsidiaries, joint ventures and affiliated companies of the LEGO Group around the world located inside or outside the European Economic Area for the purposes stated above and in accordance with applicable laws, as well as to subcontractors to the LEGO Group (data processors) for storage and service purposes.

Your personal data will be accessed by the LEGO Group employees and entities on a need-to-know basis only. Your personal data will only be disclosed to third parties if you have given your consent hereto or if the LEGO Group is allowed to disclose the information under applicable law, including to:

  • partners and other business contacts being subject to confidentiality, and
  • governmental authorities (e.g. tax authorities, the police and other public authorities requesting information and where the LEGO Group is either obligated to provide the information or it is assessed that the LEGO Group is otherwise allowed to provide the information).

The transfer of personal data between the LEGO Group entities will be based on the LEGO Group Binding Corporate Rules

If suppliers and subcontractors process your personal data outside of the EU/EEA, such transfer of personal data will either be subject to an EU Commission adequacy decision, an EU approved certification mechanism or the EU Commission’s standard contractual clauses.

You can always request a copy of the transfer agreements, which include the transfer of personal data.

Security measures

The personal data are available internally in the LEGO Group IT systems, servers and applications which are subject to the LEGO Group cyber security policies for access and security controls.

The LEGO Group has implemented fraud prevention and detection efforts on our platforms which may be used to identify improper access and activities.

The LEGO Group has implemented technological and organizational measures to safeguard your personal data from unauthorized or improper use while it is in our possession. We store personal data on servers with limited access located in secured facilities. Our security measures are evaluated on an ongoing basis. We use our best endeavors to ensure an appropriate level of security tailored to the specific risks of the personal data being processed and require the same from our suppliers and subcontractors.

Personal data retention

The LEGO Group has a retention scheme with retention terms applicable country wide. We delete personal data in accordance with this retention scheme. Any extension of the retention terms will be made based on the applicable law requirements (such as documenting legal compliance or disputes or for archiving purposes).

Personal data may also be kept for a longer period of time if it is necessary for us to retain the information for handling and defending a claim or a dispute.

Your privacy rights

As a data subject you have the following rights in respect of the personal data, we hold on you:

  • Request access to the personal data we process about you: You have the right to ask us for information about or access to your personal data. There are some exemptions, which means you may not always receive all the data we process.
  • Request rectification of your personal data: this right entitles you to have your personal data corrected if it is inaccurate or incomplete.
  • Object to the processing of your personal data: this right entitles you to request that we no longer process your personal data. However, it only applies in certain circumstances, and we may not need to stop the processing of your personal data if we can give legitimate reasons to continue using your personal data.
  • Request the erasure of your personal data: this right entitles you to request the erasure of your personal data. Please note that, in certain circumstances, we may be required to retain some of your personal data after you have requested deletion to satisfy our legal or contractual obligations. We may also be permitted by applicable laws to retain some of your personal data to satisfy our business needs.
  • Request the restriction of the processing of your personal data: this right entitles you to request that we only process your personal data in limited circumstances, including with your consent.
  • Request portability of your personal data: this right entitles you to receive a copy (in a structured, commonly used and machine-readable format) of personal data processed only by automated means and on the basis of consent or of fulfilling a contract.
  • Withdraw your consent: You can withdraw your consent at any time by opting out in e-mail or contacting us. However, this will not affect our right to process personal data obtained prior to the withdrawal of your consent, or our right to continue parts of the processing based on other legal bases than your consent.
  • File a complaint: You can always lodge a complaint with a data protection authority, for example the Danish Data Protection Agency.

If you wish to exercise your privacy rights, please contact gdpr.hr@LEGO.com or send a letter to LEGO System A/S, Aastvej 1, DK-7190 Billund, Denmark, Att.: Data Privacy.