Contraste Europe - Privacy policy for candidates

1. Description

This "Candidate Privacy Policy" sets out how Contraste Europe and its subsidiaries handle personal data: what personal data is processed, for what purpose, to whom it is transmitted, the rights of data subjects, etc. It reflects the company's (and the group's) data protection policy.

Contraste Europe is a group of companies offering IT services and solutions to businesses. It operates exclusively in the B2B market, and does not offer its services to private individuals.

The group includes the following companies: Amsit, Audaxis, Contrast Consulting, Contraste Europe, Defimedia, The Digital Journey.

The group is present in Luxembourg, Belgium, France, Switzerland and Tunisia.

In this policy, we use the name Contrast to refer to all the companies in the group.

This policy documents Contraste's policy as controller, i.e. all aspects of the processing that Contraste applies to personal data that it manages directly in relation to the recruitment and hiring of candidates.

2. This policy

In the course of its activities, Contraste collects, stores and uses data on individuals as part of the recruitment process.

This policy governs such processing. It is designed to comply with Directive 95/46/EC (the "Data Protection Directive") and, after May 25, 2018, the General Data Protection Regulation (GDPR).

This policy applies immediately to all parts of Contraste. It replaces all previous editions.

General considerations

What data about candidates is collected by Contraste as part of the recruitment process?

For each candidate, Contraste Europe collects the following data:

- Last name, First name

- Date of birth

- Type

- Country of nationality

- Main language

- Language skills

- Job description (data)

- Job description (standard)

- Telephone numbers (business, mobile, personal)

- Addresses (business, personal)

- E-mail addresses (business, private)

- Company name

- Education level

- Training and certification information

- CV Source + info

- Personal interests (sports, art, etc.)

- Employment references

- Photo

- Document: CV

- Document : Diploma

- Document : Photo

- Document: Copy of identity card (front only!) National registration number used only for social security purposes if an employment contract is actually concluded.

2.1 Why does Contraste store and use personal data?

Contraste maintains data on professionals seeking employment.

This personal data is used for the main purpose of assessing the applicant's suitability for a job offered by a Contraste customer (qualifications, experience, etc.). This includes the processing of the following data:

- Communicate with candidates (additional requests, interview results, news about the assignment, etc.).

- Forward a candidate's contact details (CV, contact...) to a customer for a potential assignment

- Management of candidate documents (photo, diploma, cover letter, etc.)

- Candidate CV management

- Call report management

- Management of technical test results

If a candidate presents a suitable profile, he or she is contacted by the recruitment team to discuss the opportunity. If the candidate agrees, the profile is presented to the customer.

Candidate data will only be used for these purposes.

2.2 How Contraste collects personal data

Contraste creates and stores candidate data from the following information sources:

- Candidates should send an e-mail to join-us@contraste.com ;

- Candidates apply for a position on one of Contraste's websites, in response to a job posting on that site;

- Candidates publish their profiles on specialized websites such as LinkedIn.com, monster.be, monster.fr, monster.lu, ICTjob.be ;

- Partners (specialized recruitment agencies) provide Contraste with information about a candidate;

- A Contraste employee/consultant passes on a candidate's details to the recruitment department (cooptation);

- Candidates are interviewed;

- Candidates undergo technical tests.

2.3 Who processes candidates' personal data?

Contraste's recruitment department is primarily responsible for processing candidates' personal data for the purposes described in this privacy policy. During the recruitment process, candidates' data is also passed on to Contraste's clients' sales managers and to Contraste's consultants who are looking for clients.

Every Contraste Europe Group employee and consultant has signed a confidentiality and data protection agreement to ensure that data processing within the company is carried out only for the defined purposes.

Contraste's clients are data controllers and must not disclose candidate information to third parties or use this data for any purpose other than assessing the candidate's suitability for the job offered. As data controllers, they guarantee to take all technical and organizational measures to protect data, as required by the General Data Protection Regulation (GDPR), which replaces the Data Protection Directive 95/46/EC.

2.4 How Contraste collects and stores candidate consents

Each candidate will be clearly informed of the use of his/her personal data in the context of Contraste's recruitment procedure and as described in this privacy policy. After the first contact, the candidate is invited to give his/her explicit consent to data processing by means of an online form. Consent is stored in Contraste's system. If Contraste does not obtain the applicant's consent, the applicant's data will not be stored and processed.

2.5 How long does Contraste keep candidates' personal data and what is the legal basis?

After online acceptance by the candidate, Contraste retains the data for two years in accordance with the recommendations of the data protection authorities and only with the candidate's express consent. On the basis of its legitimate interest, Contraste Europe retains a minimum amount of the candidate's personal data (surname, first name, postal address, telephone number) for the proper operation of the recruitment service.

2.6 The data subject's rights with regard to personal data

In relation to the General Data Protection Regulation (GDPR), users have the following rights in relation to their personal data stored by Contrast:

• Right to information

• Right of access

• Right of rectification

• Right to erasure (or the right to be forgotten)

• Right to restrict processing

• Right to data portability

• Right to object

• Right not to be the subject of an automated decision

• Right to withdraw consent

To exercise any of these rights, data subjects may send an e-mail to ContrastePrivacy@contraste.com stating the reason for the request. Contraste will provide any requested information relating to data subjects' rights within one calendar month of receipt of the request. If Contraste receives a large number of requests or particularly complex requests, the deadline may be extended by up to two months.

For security reasons, upon receipt of a request, Contraste will check the applicant's identity. To this end, the acknowledgement of receipt will contain an invitation to perform one of the following operations:

Send a scan of an official proof of identity (ID card, passport), together with a copy of a recent utility bill (telephone, electricity, etc.) clearly indicating the name and address of the person concerned - without a national register number.

The organization of a telephone conversation, during which a number of questions can be asked, the answers being compared with the personal data contained in the Contraste database.

The request will be processed if and only if a positive authentication is obtained.

3. Other provisions

3.1 Subcontracting

Contraste never shares candidates' personal data with any other organization outside the Contraste Europe group, with the exception of Contraste clients seeking consultants and two identified subcontractors. As part of the recruitment process, the sub-contractors of candidate data are as follows:

- Microsoft Dynamics CRM

- Microsoft Office 365

For the hosting of the recruitment website, the data controller is Audaxis SAS.

As data processors, they guarantee the implementation of all technical and organizational measures to protect data, as required by the General Data Protection Regulation (GDPR).

3.2 Security measures for technical information

Contraste Europe uses a networked IT infrastructure, enabling its employees to communicate internally and with third parties, and to use applications and services. Contraste has implemented various security measures covering the following areas:

- User awareness

- User authentication

- Authorization management

- Access monitoring and incident management

- Securing workstations

- Secure mobile computing

- Securing the computer network

- Server security

- Secure websites

- Store and plan for business continuity

- Secure archiving

- Data maintenance and destruction control

- Outsourcing management

- Secure exchanges with other organizations

- Protecting buildings

- Guide IT developments

- Encrypt, guarantee integrity or sign

- Contraste regularly tests and improves these security measures.

3.3 Safety violations

Security vulnerability detection

Any event representing a potential threat to personal data must be considered a security breach. The threat may be of various kinds: loss, alteration, corruption or exposure to third parties.

Events that should be considered as a threat are the following:

- Third-party intrusion into the company network.

- Infection of one or more devices by malicious software, including viruses, rootkits, etc.

- Loss of a USB stick containing files with personal data.

- Loss of a PC, tablet or smartphone containing or capable of accessing files containing personal data.

- Security breach at one of our subcontractors

Contraste has taken a number of steps to detect these events.

3.3.1 Risk assessment

During a risk analysis, Contraste first identifies the potential damage (physical, material or moral) associated with a processing activity. Next, we assess the severity of the harm that could result. Finally, Contraste assesses the probability of the event by analyzing the vulnerabilities of its systems and operations and the nature of the threats. Risks are classified into three categories: "high risk", "risk" and "low risk".

3.3.2 Reporting security breaches to the authorities

If the breach of security could result in a threat to the persons concerned, such as, for example, identity theft, fraud, financial loss or influence, Contraste will inform the authorities.

This notification must be made within 72 hours of the positive determination of the security threat. If this deadline is exceeded, the additional delay must be justified.

Notification of the security breach to the persons concerned

If the risk to the persons concerned is deemed high, they must also be informed. If there is any doubt about the extent of the risk, the authorities can be contacted for verification.

If the situation requires notification to the people concerned, they must also be given advice on how to mitigate the risk.

4. Definitions

Controller

The controller is a natural or legal person (e.g. a company), public authority, department or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

For example, Contraste is a legal entity that is responsible for processing the personal data of its employees as part of its human resources management.

GDPR, Art.4 (7)

Processor

The processor is a natural or legal person, public authority, department or other body that processes personal data on behalf of the controller and only on the controller's instructions.

An employee of the controller is not considered a processor.

GDPR, Art.4 (8)

Processing of personal data

The processing of personal data is any operation or set of operations which may or may not be performed upon personal data or sets of personal data by automated means (e.g. software), such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

GDPR, Art.4 (2)

Personal data

Personal data refers to any information relating to an identified or identifiable natural person, also known as a "data subject". A person is considered identifiable when he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors characterizing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Source: GDPR, Rec.26; Art.4 (1)

Sensitive personal data

Sensitive personal data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to offences and convictions are dealt with separately (criminal law does not fall within the legislative competence of the EU)".

Source : GDPR, Rec.10, 34, 35, 51 ; Art.9 (1)

Privacy authorities

Belgium

Data Protection Authority

Rue de la Presse, 35

B-1000 Brussels, Belgium

Phone +32 2 274 48 00

www.dataprotectionauthority.be

contact@apd-gba.be

France

French Data Protection Authority (CNIL)

3 Place de Fontenoy

TSA 80715

F-75334 Paris Cedex 07, France

Phone +33 1 53 73 22 22

Luxembourg

National Commission for Data Protection (CNDP)

1, avenue du Rock'n'Roll

L-4631 Esch-su-Alzette, Luxembourg

Telephone +352 26 10 60 1

https://cnpd.public.lu

Europe

European Data Protection Supervisor

https://edps.europa.eu