Appendix A – Privacy Policy

The Capacio Privacy Policy describes how Capacio processes personal data in connection with its services, including assessment, profiling, analytics and decision support.

It defines:

• roles and responsibilities as Data Controller and Data Processor
• categories of personal data processed
• purposes and legal basis for processing
• retention periods
• data subject rights
• data transfers and subprocessors

The Privacy Policy applies to customers, partners, users, candidates and test participants.

This Data Processing Agreement governs Capacio’s processing of personal data on behalf of the Customer.

Capacio acts as Data Processor and shall:

• process personal data solely in accordance with Customer instructions
• implement appropriate technical and organizational security measures
• ensure confidentiality of authorized personnel
• support Customer in fulfilling data subject rights
• notify Customer without undue delay in case of data breach
• delete or return personal data upon termination of services
• remain responsible for subprocessors

This DPA ensures compliance with GDPR Article 28 requirements.

Data Processing Agreement (DPA)

This Data Processing Agreement forms part of the agreement between:

• Customer (Data Controller), and
• Capacio AB (Data Processor)

1. Subject matter

Capacio processes personal data on behalf of the Customer for the purpose of providing agreed services related to assessment, profiling, analytics and reporting.

2. Processing instructions

Capacio shall process personal data solely in accordance with the Customer’s documented instructions and applicable data protection law.

3. Confidentiality

Capacio ensures that personnel authorised to process personal data are subject to confidentiality obligations.

4. Security measures

Capacio implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

5. Subprocessors

Capacio may engage subprocessors. A list of subprocessors shall be made available upon request. Capacio remains fully liable for subprocessors.

6. Data subject rights

Capacio assists the Customer in responding to requests from data subjects.

7. Data breaches

Capacio shall notify the Customer without undue delay after becoming aware of a personal data breach.

8. Return or deletion

Upon termination of services, Capacio shall delete or return personal data in accordance with Customer instructions, unless retention is required by law.

9. Audits

Capacio shall make available information reasonably necessary to demonstrate compliance.

10. Governing law

This DPA shall be governed by the law of Sweden.

Where personal data is transferred outside the EU/EEA, such transfers shall be governed by the European Commission’s Standard Contractual Clauses pursuant to GDPR Article 46.

Capacio shall:

• comply with applicable SCC obligations
• implement supplementary safeguards where required
• inform Customer of material changes affecting international data transfers

The applicable SCC module depends on the roles of the Parties.

EU Standard Contractual Clauses

(Controller–Processor / Processor–Processor)

Where personal data is transferred outside the EU/EEA, the Parties agree that such transfers shall be governed by the European Commission’s Standard Contractual Clauses (SCCs), as adopted pursuant to Article 46 GDPR.

The applicable SCC module shall depend on the role of the Parties in the specific processing activity.

Capacio commits to:

• comply with SCC obligations
• implement supplementary safeguards where required
• inform the Customer of material changes affecting data transfers

This Privacy Notice applies to individuals participating in Capacio cognitive and psychological assessments.

It explains:

• what personal data is processed
• the purpose of processing
• rights of the data subject
• limitations of assessment results

Capacio processes assessment data on behalf of the Customer organization that invited the participant.

The Notice ensures transparency and compliance with GDPR Articles 13 and 14.

Privacy Notice for Test Participants

Capacio processes personal data in connection with psychological and cognitive assessments on behalf of the organization that invited you to participate.

What data is processed

• Identification and contact data
• Test responses and assessment results
• Technical data related to test completion

Purpose

The data is processed to support professional purposes such as recruitment, development, coaching or education.

Important information

• The tests do not provide diagnoses
• Results are interpreted in context
• No automated decisions are made based solely on test results

Your rights

You have the right to access, rectify or request deletion of your personal data. Please contact the organization that invited you to take the test.

This document provides information about Capacio’s cognitive assessments of executive functions.

It explains:

• the purpose and nature of the assessments
• what executive functions and cognitive capacity represent
• how results should be interpreted
• limitations of assessment results

The assessments measure executive functioning under standardized conditions and provide objective insight to complement professional evaluation.

Assessment results represent one source of information and should be interpreted in context.

Information about the cognitive assessments (executive functions)

These assessments are designed to measure cognitive and psychological capacity under standardized conditions.

Before you start

• Decide whether you want to learn the test or optimize your performance
• Tests are sensitive to stress, fatigue, distractions and technical issues
• Optimal results require an optimal test situation

What the test measures

• Cognitive capacity and executive functions
• Not intelligence, personality value or potential

How to use the results

A helpful model is:

• Capacity: What does the test show?
• Insight: Do I recognize this pattern? Does it represent my raw capacity as is the intent of the test. Or does it rather represent my testing strategy and/or day-to-day functioning
• Strategy: How can I use strengths and compensate for challenges?

This is one source of information – not the full picture.