Scope and Purpose
Contraste Europe Group
Contraste Europe is a group of companies proposing IT services and solutions to business clients. It is exclusively active in the B2B market and does not propose its services to individual persons.
The group consists of the following companies:
- Contrast Consulting
- Contraste Europe
- Contraste Luxembourg
The group is active in Belgium, Luxembourg, France, Switzerland and Tunisia.
In this document, we'll use the name Contraste to designate all group companies.
This document describes the policy of Contraste as a Data Controller, in other words all the aspects of the processing that Contraste applies to personal data it manages directly.
In the scope of its activities, Contraste collects, stores, and uses data related to individuals in the context of the recruitment procedure.
This policy governs this processing. It is designed to comply with the Directive 95/46/EC (the “Data Protection Directive”), and, after May 25th, 2018, the General Data Protection Regulation (GDPR).
This policy is immediately applicable to all parts of Contraste. It supersedes any previous edition.
What data is collected about candidates by Contraste for the recruitment process
For each candidate Contraste Europe collects the following information:
- Name, First name
- Country of citizenship
- Main Language
- Language skills
- Job title (given)
- Job title (standard)
- Telephone numbers (business, mobile, home)
- Addresses (business, home)
- Email addresses (business, private)
- Company name
- Education level
- Training & certification information
- CV Source + info
- Personal interests (sports, arts, ...)
- Employment References
- Document: CV
- Document: Diploma
- Document: Photo
- Document: Copy of ID card
Why Contraste stores and uses these personal data
Contraste maintains records about professionals seeking work.
These personal data are used for the main purpose of assessing the candidate’s ability to take up a proposed job of a Contraste client (qualification, experience…). This includes the following data processing:
- Communicate towards the candidates (complementary request, interview results, news about the mission...)
- Transfer personal data of a candidate (CV, contact...) to a client for a potential mission
- Manage candidate documents (Photo, diploma, cover letter...)
- Manage candidates' CVs
- Manage interview reports
- Manage technical test results
If a candidate has a matching profile, he will be contacted by the recruitment team to discuss the opportunity. If the candidate agrees, his profile will be proposed to the client.
Data about candidates will only be used for these purposes.
How Contraste collects these personal data
Contraste creates and maintains records about candidates by means of the following information sources:
- Candidates send an email to email@example.com;
- Candidates apply for a position via one of Contraste's websites, in reaction to a job post published on that site;
- Candidates publish their profile on specialised websites, such as LinkedIn.com, monster.be, monster.fr, monster.lu, ICTjob.be;
- Partners (specialized recruitment agencies) give a candidate's information to Contraste;
- An employee/consultant of Contraste gives a candidate’s information to the recruitment department (co-optation);
- Candidates conduct interviews;
- Candidates conduct technical tests.
Who processes personal data about candidates?
Each employee and consultant of the Contraste Europe Group has signed a confidentiality and data protection agreement to ensure that data processing within the company is carried out only for the defined purposes.
Contraste’s clients are data processors and are not allowed to transfer the candidate’s information to third parties or to use these data for a purpose other than assessing the candidate’s ability to take up the proposed job. As data processors they guarantee to put in place all the technical and organizational measures to protect data as required by the new General Data Protection Regulation (GDPR) replacing the Data Protection Directive 95/46/EC.
How Contraste collects and stores candidates consents
How long Contraste keeps personal data about candidates and what is the legal basis?
After the candidate's online opt-in, Contraste keeps data for 2 years according to the data privacy authorities' recommendations and only with the explicit consent of the candidate.
Data subject’s rights about personal data
In respect of the new General Data Protection Regulation (GDPR), candidates have the following rights regarding their personal data stored by Contraste:
- Right to access
- Right of rectification
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right of data portability
- Right to object to processing
To claim one of these rights, candidates must send an email to ContrastePrivacy@contraste.com stating the reason for the request. Contraste will provide any requested information in relation to any of the rights of data subjects within one calendar month of receiving the request. If Contraste receives large numbers of requests, or especially complex requests, the time limit may be extended by a maximum of two further months.
For security reasons, upon receipt of a request, Contraste will verify the identity of the requestor. To this end, the acknowledgement of receipt will include an invitation to do either one of the following:
- Forward a scan of an official identification document (ID Card, Passport), along with a copy of a recent utility bill (telephone, electricity…) clearly stating the name and address of the individual involved.
- Set up a telephone call, where a number of questions can be asked, the answers being compared with the personal data held in Contraste's database.
The request will be processed if and only if the requestor has been positively authenticated.
Contraste never shares personal data with any other organisation outside of the Contraste Europe Group, with the exception of identified Data Processors. In the recruitment procedure context, data processors of candidate’s information are:
- Contraste Clients seeking consultants
- Microsoft Dynamics CRM
- Microsoft Office 365
As data processors they guarantee to put in place all the technical and organizational measures to protect data as required by the new General Data Protection Regulation (GDPR) replacing the Data Protection Directive 95/46/EC.
Technical Information Security Measures
List of the security measures
Contraste Europe uses a networked IT infrastructure, allowing its staff to interact internally and with third parties, and to use applications and services. Contraste has set up different security measures covering the following areas:
- Raise awareness among users
- Authenticate users
- Manage authorizations
- Trace access and manage incidents
- Secure workstations
- Secure mobile computing
- Protect the computer network
- Secure the servers
- Secure websites
- Save and plan for business continuity
- Archive securely
- Supervise the maintenance and destruction of data
- Manage outsourcing
- Secure exchanges with other organizations
- Protect the premises
- Supervise IT developments
- Encrypt, guarantee integrity or sign
Contraste tests and improves these security measures on a regular basis.
Security Breach Detection
Any event that poses a possible threat to personal data is to be considered a Security Breach. A threat can be of different natures: loss, modification, corruption, or exposure to third parties.
The events that must be considered as a threat include, for example:
- Intrusion of a third party into the corporate network.
- Infection of one or more devices by malware, including viruses, rootkits, …
- Loss of a USB key containing files with personal data.
- Loss of a PC, tablet or smartphone that contains, or can access, files containing personal data.
- Security breach at one of our Data Processors
Contraste has taken a number of measures to detect any of these events without delay.
When conducting a risk analysis, Contraste first identifies the potential harm (physical, material or moral damage) associated with a processing activity. Next, it evaluates the severity of the harm that could result. Finally, Contraste assesses the likelihood of the event by analyzing the vulnerabilities of its systems and operations as well as the nature of the threats. Risks are categorised as “high-risk”, “risk” and “low-risk”.
Security Breach Notification to Authorities
If the security breach could lead to a threat to subject individuals, such as, for example, identity theft, fraud, financial loss or impact on influence, then Contraste will notify the authorities.
This notification must occur within 72 hours of the positive identification of the security threat. If this delay is exceeded, then the additional delay must be justified.
Security Breach Notification to Subject Individuals
If the risk for subject individuals is considered high, then they must also be informed. If there is a doubt about the degree of risk, then the authorities can be contacted for verification.
If the situation requires a notification to the subject individuals, then they must also be provided with guidelines about how to mitigate the risk.
- Data controller
“Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.”
GDPR, Art.4 (7)
- Data processor
“Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
An employee of the data controller is not considered a processor.
GDPR, Art.4 (8)
- Processing
“Processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
GDPR, Art.4 (2)
- Personal Data
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
Source: GDPR, Rec.26; Art.4 (1)
- Sensitive Personal Data
“Sensitive Personal Data are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).”
Source: GDPR, Rec.10, 34, 35, 51; Art.9 (1)
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/eli/reg/2016/679/oj
Data Privacy Authorities
Commission for the Protection of Privacy
Rue de la Presse, 35
Telephone +32 2 274 48 00
National Commission for Data Protection (CNDP)
1, avenue du Rock'n'Roll
Telephone +352 26 10 60 1
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
F-75334 Paris Cedex 07
Telephone +33 1 53 73 22 22
European Data Protection Supervisor