PRIVACY NOTICE

Who is responsible for your personal data?
Ework Group AB, 556587-8708, with registered address at Vasagatan 16, 111 20 Stockholm, Sweden is the data controller and is responsible for how your personal data is processed.

Your personal data may also be processed by, or jointly with, companies within our group, including our subsidiaries (together referred to as the“ Group”, “we”, “us” or “our”). A list of our group companies is provided at the end of this Privacy Notice.

What this Privacy Policy covers
This Privacy Policy explains:

  • what personal data we collect about you
  • why we process your data
  • the legal basis for processing
  • how long we keep your data
  • who we share your data with
  • your rights under applicable data protection laws

1. Introduction

We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, and protect personal data relating to external parties, including candidates, consultants, clients, suppliers, marketing recipients, shareholders and investors, and users of our platforms.

It also describes your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. How and Why We Use Your Data

Below we describe how we process personal data depending on your relationship with us.

2.1 Verama Users

This section applies to individuals who have registered an account on Verama regardless of whether they have applied for or performed an assignment.

What personal data we process

  • Account and identification data (name, email address, account credentials)
  • Profile information you choose to provide (such as skills, experience, education, and certifications)
  • Demographic data (e.g. age range and gender)
  • Preferences and settings within the platform
  • Technical and usage data (login data, IP address, session data, and usage statistics)
  • Communications within the platform

Verama enables you to create and manage your own professional profile, including the information you choose to share with us and potential clients. As you control much of the content of your profile, the personal data we process will vary depending on what you provide.

Why we process your data

  • To create and manage your Verama account
  • To enable you to use the platform's features and services
  • To match you with relevant assignments where you have indicated an interest in being considered
  • To analyse diversity and inclusion across our platform
  • To ensure the security and proper functioning of the platform
  • To analyse and improve the platform and user experience

Legal basis

  • Performance of contract – to provide you with access to the Verama platform and its services in accordance with our terms of use
  • Legitimate interest – our legitimate interest in operating and developing the Verama platform, including building and maintaining a network of consultants and independent professionals who can be identified and contacted for relevant opportunities, ensuring the security and proper functioning of the platform, improving user experience, and analysing diversity and inclusion patterns across our platform. The provision of demographic data such as age range and gender is voluntary, and our legitimate interest in collecting this data is balanced against your right to privacy.
  • Consent – where required (e.g. for certain types of processing)

Please note: if you are both a registered Verama user and a candidate or consultant who has applied for or performed an assignment, both section 2.2 and this section apply to you.

2.2 Candidates and Consultants

This section applies to individuals who apply for assignments through us, are matched to or performing assignments through us and/or have been registered in our systems as part of a recruitment or assignment process.

What personal data we process

  • Identification and contact details (name, email, phone number)
  • CV, skills, experience, education
  • Certifications and references
  • Application and assignment history
  • Matching and ranking results
  • Gender (when relevant)
  • Communication and feedback
  • Background screening data (se below)

Why we process your data

  • To identify and match candidates with assignments
  • To evaluate competence and suitability
  • To present candidates to clients
  • To manage assignments and contracts
  • To maintain and develop our talent pool
  • To support clients in fulfilling their equality and diversity reporting obligations, where this forms part of our service delivery
  • To analyse and improve our processes

Background screening

As part of our assignment process, and where requested by a client, we may conduct background checks on candidates and consultants. The scope and level of any background check depends on the requirements of the specific assignment and may include verification of identity, employment history, educational qualifications, professional references, and interviews. In some cases, background checks may also include checks against criminal records registers. Where background checks include criminal record checks, such processing is carried out only to the extent permitted under applicable national law.

Legal basis

  • Performance of contract – when you apply for or perform an assignment
  • Legitimate interest – our legitimate interest in operating and developing our consultancy intermediary business, which includes identifying, evaluating and matching qualified consultants with client assignments, ensuring the quality of our service delivery, managing ongoing assignment relationships, and analysing and improving our processes. In connection with matching, this also includes our legitimate interest in verifying a consultant's stated qualifications by contacting references. Where background checks are carried out, the legal basis is our legitimate interest, and that of our clients, in ensuring that candidates placed in assignments meet the security and suitability requirements of the specific role.
  • Legal obligation – where required (e.g. bookkeeping, compliance)
  • Consent – where required (e.g. for certain types of processing or extended retention)

2.3 Client Representatives

This section applies to individuals who act as representatives of our existing or prospective clients.

What personal data we process

  • Name and contact details
  • Role and company affiliation
  • Communication and correspondence

Why we process your data

  • To manage and maintain client relationships
  • To deliver our services

Legal basis

  • Performance of a contract – to fulfil agreements with your organisation
  • Legitimate interest – our legitimate interest in managing, maintaining and developing our business relationships with clients, including communication, follow-up and business development.

2.4 Supplier and Partner Representatives

This section applies to individuals who represent existing or prospective suppliers, sub-contractors, or partners with whom we have or are developing a contractual or cooperative relationship

What personal data we process

  • Name and contact details
  • Role and organisation
  • Contractual information
  • Communication and correspondence

Why we process your data

  • To manage supplier and partner relationships
  • To administer agreements and cooperation

Legal basis

  • Performance of a contract – to manage agreements with your organisation
  • Legitimate interest – our legitimate interest in managing and maintaining our supplier and partner relationships, including administering cooperation agreements and ensuring effective service delivery.

2.5 Marketing Recipients (Newsletters and Communications)

This section applies to individuals who subscribe to newsletters and/or opt in to receive marketing communications via our website or other channels

What personal data we process

  • Name
  • Email address
  • Preferences and subscription choices
  • Interaction data (e.g. email opens and clicks, where applicable)

Why we process your data

  • To send newsletters and marketing communications
  • To provide relevant and tailored content
  • To analyse and improve our communications

Legal basis

  • Consent – when you sign up to receive marketing communications. You can withdraw your consent at any time by using the unsubscribe link in our communications.
  • Legitimate interest - We may also send you invitations to events, seminars and similar activities based on our legitimate interest in maintaining and developing our business relationships. You can object to such communications at any time by contacting us at privacy@eworkgroup.com.

2.6 Shareholders and Investors

This section applies to shareholders, investors, and other stakeholders who register for or participate in investor events, such as webinars, presentations of interim reports, or other corporate communications activities organised by Ework Group. This section also applies to shareholders whose personal data we process in connection with our obligations as a listed company, including in connection with general meetings.

What personal data we process

  • Name
  • Email address
  • Company name
  • Professional role
  • Shareholding information
  • Proxy and voting information
  • Personal identity number – for shareholders who are natural persons, we receive personal identity numbers from the share register held by Euroclear Sweden AB in connection with the general meeting, for the purpose of verifying that individuals who have registered to attend are registered shareholders

Why we process your data

  • To administer and manage investor events and communications
  • To provide information about our company and financial performance
  • To ensure good communication with our shareholders and other stakeholders
  • To follow up on queries arising from events
  • To fulfil our obligations as a listed company, including convening and administering general meetings, managing shareholder registers, and complying with applicable securities law requirements

Legal basis

  • Legal obligation – we are required to process personal data in connection with our obligations as a listed company under the Swedish Companies Act (aktiebolagslagen), the EU Shareholder Rights Directive II (SRD II), and other applicable securities law and regulatory requirements, including in connection with the administration of general meetings and shareholder identification.
  • Legitimate interest – our legitimate interest as a listed company in communicating openly and effectively with our shareholders and investors, and in ensuring good and informed relationships with our stakeholders.

2.7 Website and System Users

This section applies to individuals who visit our website or use our digital platforms and systems to the extent that such use generates technical data that is collected automatically.

What personal data we process

  • IP address
  • Log data
  • Usage data
  • Cookies and tracking data (where applicable)

Why we process your data

  • To ensure functionality and security
  • To analyse usage and improve our services

Legal basis

  • Legitimate interest – our legitimate interest in ensuring the security and proper functioning of our systems and website, detecting fraud and unauthorised use, and analysing and improving the features and user experience of our platforms.
  • Consent – for cookies and tracking technologies where required

3. Where We Obtain Your Personal Data

In most cases, we collect personal data directly from you, for example when you register on Verama or ClientHub, apply for an assignment, or contact us.

However, in some cases we may receive or collect personal data about you from other sources, including:

  • Authentication partners, if you register for or log into Verama using third party credentials (e.g. LinkedIn & Google), we will import some of your information (name, email and pictures) from such third party to help create your account with us
  • Professional networks and social media, such as LinkedIn, where you have made your profile publicly available;
  • Events, fairs and networking activities, where your contact details are shared with us in connection with your participation or our attendance;
  • Partners and intermediaries, who refer you to us or share your contact details in connection with a potential business relationship;
  • Your employer or the organisation you represent, for example when your employer or a supplier company engages us and provides us with your contact details as a representative;
  • References, provided by you or on your behalf as part of a recruitment or assignment process;
  • Authorised background screening providers, where a background check is carried out as part of the assignment process.
  • Public registers and databases, where relevant and permitted by applicable law (e.g. publicly available company registers);
  • Our clients, who may provide us with your details in connection with an assignment, MSP services, or other services we deliver to them;
  • Web forms and inbound enquiries, submitted via our website.
  • Technical service partners, that provide us with certain data, such as mapping IP addresses to non-precise location data (e.g., city, country), to enable us to provide the Verama services, content, and features; recording user's traffic on the website to enable us to optimize and improve new functionalities of Verama.
  • Advertisers and other advertising partners, from where we may obtain certain data about you, such as cookie id, mobile device id, or email address, and inferences about your interests and preferences that allow us to deliver more relevant ads and measure their effectiveness.
  • Euroclear Sweden AB, from whom we receive the share register including personal identity numbers of shareholders who are natural persons, in connection with the administration of the general meeting.

Where we obtain personal data from sources other than you directly, we will take reasonable steps to ensure that you are informed of this, in accordance with applicable data protection law.

4. Automated Decision-Making and Profiling

As part of our recruitment and matching services, we use partially automated systems to analyse profiles and competencies, match candidates with suitable assignments, and rank candidates based on their relevance to a given assignment. These processes involve profiling based on professional qualifications, experience, and other relevant information provided in connection with an application or an existing candidate profile.

Our internal applicant tracking system (ATS) uses an AI-based matching score to rank candidates against an assignment’s defined skills and requirements. The system analyses information from the candidate's application and CV alongside the job description, scores how well the candidate matches each defined skill or requirement and calculates an overall match percentage. This percentage is used to automatically prioritise candidates for review.

The purpose of this processing is to improve the efficiency and consistency of our matching process, to ensure that the most relevant candidates are identified for each assignment, and to support fair and structured evaluation of candidates. Our recruiters assess the output of the automated matching and ranking before any candidate is presented to a client or any decision affecting you is made. This means that the automated systems support, but do not replace, human judgement.

In connection with any automated or partly automated processing that affects you, you have the right to request human intervention, to express your point of view, and to contest a decision. If you wish to exercise any of these rights or have questions about how our automated systems work, please contact us at privacy@eworkgroup.com.

5. How Long We Keep Your Data

We retain personal data in accordance with our internal retention processes and applicable laws.

Our retention approach is based on the following principles:

  • Purpose limitation – personal data is only retained for as long as necessary to fulfil the purpose for which it was collected
  • Storage limitation – personal data is deleted or anonymised once it is no longer needed
  • Data minimisation – only relevant and necessary data is retained
  • Accuracy – personal data is kept up to date where required
  • Security – retained data is protected by appropriate safeguards
  • Accountability – responsibilities for retention are clearly defined

In practice, retention periods vary depending on the type of data and the purpose of processing. To comply with applicable statutory retention requirements, data will be stored as follows:

If you are registered on Verama, your profile data will be retained for as long as your account remains active, or until you request removal. Where no assignment has been allocated, data related to the recruitment process will be retained for a reasonable period following the completion of that process. Please note that in the event thatyou have performed an assignment, data relating to that assignment – such as contract documentation, timesheets and financial records – will be retained for a longer period in accordance with the retention periods applicable to contracts and financial records set out below.

If you have undergone a background screening, screening data is retained only until the check has been completed and reported. A record confirming that a background check has been carried out may be retained for the duration of the relevant assignment and deleted thereafter

If you are a representative of a client, supplier or partner, we will retain your data for as long as is necessary to maintain the business relationship

If you receive marketing communications from us, your data will be retained until you withdraw your consent or object to the processing.

If you visit our websites, your data will be retained for as long as is set out in our cookie notice.

Contracts, agreements and related financial records will be retained during the term of the agreement and for 10 years thereafter, in accordance with applicable accounting and limitation period legislation.

If you register for or participate in an investor event or webinar, your data will be retained for the duration of the event and until any follow-up communications have been resolved, after which it will be deleted unless you have also signed up for other communications from us.

Personal data may only be retained beyond the periods set out above where necessary to comply with legal obligations, to establish, exercise, or defend legal claims, or to fulfil contractual commitments.

When personal data is no longer required, it is securely deleted or anonymised in a way that ensures it cannot be restored or reconstructed, in accordance with our internal retention processes.

6. Sharing of Personal Data

We may share your personal data with the following categories of recipients where necessary for the purposes described in this Privacy Policy. All recipients are required to process personal data in accordance with applicable data protection laws and to implement appropriate security measures. Where recipients process personal data on our behalf, they act as data processors and we ensure that appropriate data processing agreements are in place.

Clients

We share personal data with our clients where relevant for the delivery of our services, including presenting candidate profiles, managing assignments, and reporting. Clients receive only the personal data necessary for the specific purpose. Where a background check has been carried out at the request of a client, the outcome of that check may be shared with the requesting client to the extent necessary for the purpose of the assignment and permitted under applicable law.

Suppliers and Service Providers

We share personal data with external suppliers and service providers who support our operations. These include providers of systems and platforms used in our day-to-day business, such as, customer relationship management (CRM) systems, vendor management systems (VMS), time reporting and expense management systems, contract management and e-signing tools, financial and accounting systems, marketing and newsletter platforms, event management platforms, forms providers, corporate communications partners and virtual event platform providers used in connection with investor and shareholder communications, background screening providers, and cloud infrastructure and hosting services.

Group Companies

We may share personal data within the Group where necessary for service delivery, administration, internal reporting and analysis, and IT operations and support. A full list of our group companies is set out at the end of this Privacy Policy.

Authorities and Legal Obligations

We may disclose personal data to public authorities or other third parties where required by law, regulation, or legal process. This includes disclosures to tax authorities, courts, regulatory bodies such as the Swedish Authority for Privacy Protection (IMY), and other competent authorities where we are under a legal obligation to do so.

Other Recipients

In specific circumstances, we may also share personal data with legal counsel and law firms in connection with disputes or legal proceedings, auditors in connection with internal or external audits, insurance companies in connection with insurance claims, and debt collection agencies in connection with overdue invoices.

7. International Transfers

Some of our suppliers, service providers, or group companies may be located outside the EU/EEA.

When transferring personal data internationally, we ensure that appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses
  • Adequacy decisions by the European Commission
  • Other lawful transfer mechanisms

We also ensure that:

  • only necessary data is transferred
  • appropriate technical and organisational security measures are applied

You may request a copy of the relevant transfer mechanism by contacting us at privacy@eworkgroup.com.

8. How We Protect Your Personal Data

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it against unauthorised access, loss, or misuse.

On the technical side, personal data is encrypted both at rest and in transit, access to personal data is restricted on a need-to-know basis and controlled through Multi-Factor Authentication, and our systems are regularly updated, monitored, and tested for vulnerabilities. We maintain backup and recovery procedures to protect against data loss, and security is embedded throughout our software development processes.

Organisationally, we maintain data protection and information security policies that apply to all employees, and we provide regular training and awareness activities to ensure that our staff understand their responsibilities. Suppliers who process personal data on our behalf are subject to data processing agreements and regular risk assessments. We have incident management procedures in place to enable a prompt response to any personal data breach, including notification to the relevant supervisory authority and affected individuals where required by law.

Our security measures are reviewed at least annually and updated as needed to reflect emerging threats and best practices.

9. Your Rights

Under applicable data protection law, including the GDPR, you have a number of rights in relation to the personal data we hold about you. These rights are described below, along with information on how to exercise them. We will respond to any request without undue delay and in any event within one month of receipt. In complex cases, or where a large number of requests are received simultaneously, we may extend this period by a further two months, in which case we will inform you accordingly.

To exercise any of the rights described in this section, please contact our Privacy team by email at privacy@eworkgroup.com or by writing to us at Ework Group AB, Att: Privacy team, Vasagatan 16, 111 20 Stockholm, Sweden. We may need to verify your identity before processing your request.

Right of access

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about how and why it is processed. To submit an access request, please contact us as set out above.

Right to rectification

You have the right to request that we correct any inaccurate personal data we hold about you, and to have incomplete data completed. If you believe that any information we hold about you is incorrect or out of date, please contact us and we will take steps to correct it promptly.

Right to erasure

You have the right to request that we delete personal data we hold about you in certain circumstances, for example where the data is no longer necessary for the purpose for which it was collected, where you have withdrawn your consent and there is no other legal basis for the processing, or where you have objected to the processing and there are no overriding legitimate grounds. Please note that this right is not absolute — in some cases we may be required or entitled to retain your data, for example to comply with a legal obligation or to establish, exercise, or defend legal claims. To submit an erasure request, please contact us as set out above.

Right to restriction of processing

You have the right to request that we restrict the processing of your personal data in certain circumstances. Where processing is restricted, we will continue to store your data but will not process it further without your consent, except for the purposes of establishing, exercising, or defending legal claims. To request a restriction, please contact us as set out above.

Right to object

You have the right to object to processing of your personal data where that processing is based on our legitimate interests. If you object, we will cease processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims. You also have an unconditional right to object to the processing of your personal data for direct marketing purposes at any time. To exercise your right to object, please contact us as set out above or, for marketing communications, use the unsubscribe link included in our emails.

Right to data portability

Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to request that we transmit that data directly to another controller where technically feasible. To submit a portability request, please contact us as set out above.

Right to withdraw consent

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to the withdrawal. To withdraw consent, please contact us at privacy@eworkgroup.com or, in the case of marketing communications, use the unsubscribe link in our emails.

Right to lodge a complaint

If you have concerns about how we process your personal data, we encourage you to contact us first so that we can try to resolve the matter. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), Box 8114, 104 20 Stockholm, Sweden, imy@imy.se, www.imy.se. If you are located in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of residence.

10. Contact

If you have any questions about this Privacy Policy, you can contact our Privacy team by sending an email to privacy@eworkgroup.com, or by writing to us at the following address:

Ework Group AB

Att: Privacy team

Vasagatan 16

111 20 Stockholm

Sweden

11. Updates

We may update this Privacy Policy from time to time to reflect changes in how we process personal data, as well as changes in legal, technical, or business developments.

When we make updates, the latest version will always be available on our website. Where appropriate, we may also inform you of significant changes through our website or via other relevant communication channels.

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your personal data.

12. Group Companies (Subsidiaries)

We are part of a group of companies. Personal data may be processed by, or shared with, the following group companies where relevant:

  • Ework Group Public AB, Sweden
  • Ework Group Denmark ApS, Denmark
  • Ework Group Norway AS, Norway
  • Ework Group Consulting Norway AS, Norway
  • Ework Group Finland Oy, Finland
  • Ework Group Poland Sp. z o.o., Poland
  • Ework Group Slovakia, s.r.o, Slovakia
  • Ework Group Belgium BV SRL, Belgium
  • Ework Group Germany Services GmbH

We ensure that all companies within the Group process personal data in accordance with applicable data protection laws and internal policies (including this Privacy Policy).

 

Last updated April 2026