Contraste Europe - Privacy policy for candidates

Edition 2018-03

Scope and Purpose

Contraste Europe Group

Contraste Europe is a group of companies proposing IT services and solutions to business clients. It is exclusively active in the B2B market and does not propose its services to individual persons.

The group consists of the following companies:

Amsit
Audaxis
Exis
Contrast Consulting
Contraste Europe
Contraste Luxembourg
Defimedia
Proxiel
The Digital Journey

The group is active in Belgium, Luxembourg, France, Switzerland and Tunisia.

In this document, we'll use the name Contraste to designate all group companies.

This document documents the policy of Contraste as a Data Controller, in other words all the aspects of the processing that Contraste applies to personal data it manages directly.

This Policy

In the scope of its activities, Contraste collects, stores, and uses, data related to individuals in the recruitment procedure context.

This policy governs this processing. It is designed to comply with the Directive 95/46/EC (the “Data Protection Directive”), and, after May 25th, 2018, the General Data Protection Regulation (GDPR).

This policy is immediately applicable to all parts of Contraste. It supersedes any previous edition.

Document Versions

Edition	Changes
2018-03	Original Edition

General Considerations

What data is collected about candidates by Contraste for the recruitment process

For each candidate Contraste Europe collects the following information:

Name, First name
Birthdate
Gender
Country of citizenship
Main Language
Language skills
Job title (given)
Job title (standard)
Telephone numbers (business, mobile, home)
Addresses (business, home)
Email addresses (business, private)
Company name
Education level
Training & certification information
CV Source + info
Personal interests (sports, arts, ...)
Employment References
Picture
Document: CV
Document: Diploma
Document: Photo
Document: Copy of IDCard

Why Contraste stores and uses these personal data

Contraste maintains records about professionals seeking work.

These personal data are used with the main purpose to assess the candidate’s ability to take up a proposed job of a Contraste client (qualification, experience…). This include the following data processing:

Communicate towards the candidates (complementary request, interview results, news about the mission...)
Transfer personal data of a candidate (CV, contact...) to a client for a potential mission
Manage candidate documents (Photo, diploma, cover letter...)
Manage candidates' CVs
Manage interviews reports
Manage technical test results

If a candidate has a matching profile, he will be contacted by the recruitment team to discuss the opportunity. If the candidate agrees, his profile will be proposed to the client.

Data about candidates will only be used for these purposes.

How Contraste collects these personal data

Contraste creates and maintains records about candidates by means of the following information sources:

Candidates send a mail to join-us@contraste.com;
Candidates apply for a position via one of Contraste's website, in reaction to a job post published on that site;
Candidates publish their profile on specialised websites, such as LinkedIn.com, monster.be, monster.fr, monster.lu, ICTjob.be;
Partners (specialized recruitment agencies) gives a candidate information to Contraste;
An employee/consultant of Contraste gives a candidate’s information to the recruitment department (co-optation);
Candidates conducts interviews;
Candidates conducts technical tests.

Who processes personal data about candidates?

The recruitment department of Contraste is the main processor of candidate’s personal data for the purposes described in this privacy policy. During the recruitment process, candidate’s information will also be transferred to the sales in charge of the Contraste’s client and the Contraste’s client seeking for consultants.

Each employee and consultant of the Contrast Europe Group have signed up a confidentiality and data protection agreement to ensure that data process within the company are made only for the defined purposes.

Contraste’s client are data processor and are not allowed to transfer the candidate’s information to third parties or to use these data for a purpose other than assess the candidate’s ability to take up the proposed job. As data processor they guarantee to put in place all the technical and organizational measures to protect data as required by the new General Data Protection Regulation (GDPR) replacing the Data Protection Directive 95/46/EC.

How Contraste collects and stores candidates consents

Each candidate is clearly informed about the use of his personal data as part of the Contraste recruitment procedure and as described in this privacy policy. After the first contact the candidate will be invited to give his explicit consent for data processing via an online form. The consent is stored in the Contraste system. If Contraste doesn’t get the candidate’s consent, candidate’s information will not be stored and processed.

How long Contraste keeps personal data about candidates and what is the legal basis?

After the candidate online opt-in, Contraste keeps data for 2 years according to the data privacy authorities' recommendations and only with the explicit consent of the candidate. On the basis of its legitimate interest, Contraste Europe will keep a minimum of personal information about the candidate (first name, last name, mail address, phone number) for the proper functioning of the recruitment department.

Data subject’s rights about personal data

In respect of the new General Data Protection Regulation (GDPR), candidates have the following rights regarding their personal data stored by Contraste:

Right to access
Right of rectification
Right to erasure (right to be forgotten)
Right to restrict processing
Right of data portability
Right to object to processing

To claim one of these rights, candidates must send an email to ContrastePrivacy@contraste.com with the reason of the request. Contraste will provide any requested information in relation to any of the rights of data subjects with one calendar month of receiving the request. If Contraste receives large numbers of requests, or especially complex requests, the time limit may be extended by a maximum of two further months.

For a security reason, upon receipt of a request, Contraste will proceed to an identity verification of the requestor. To this end, the receipt acknowledge will include the invitation to do either one of the following:

Forward a scan of an official identification document (ID Card, Passport), along with a copy of a recent utility bill (telephone, electricity…) clearly stating the name and address of the individual involved.
Set up a telephone call, where a number of questions can be asked, the answers being compared with the personal data held in Contraste's database.

The request will be processed if and only if a positive authentication has been realised.

Data processor

Contraste never shares personal data with any other organisation outside of the Contraste Europe Group, with the exception of identified Data Processors. In the recruitment procedure context, data processors of candidate’s information are:

Contraste Clients seeking for consultants
Microsoft Dynamics CRM
Microsoft Office 365

As data processor they guarantee to put in place all the technical and organizational measures to protect data as required by the new General Data Protection Regulation (GDPR) replacing the Data Protection Directive 95/46/EC.

Technical Information Security Measures

List of the security measures

Contraste Europe uses a networked IT infrastructure, allowing its staff to interact internally and with third parties, and to use applications and services. Contraste set up different security measures covering the following areas:

Raise awareness among users
Authenticate users
Manage authorizations
Trace access and manage incidents
Secure workstations
Securing mobile computing
Protect the computer network
Secure the servers
Secure websites
Save and plan for business continuity
Archiving securely
Supervise the maintenance and destruction of data
Manage outsourcing
Secure exchanges with other organizations
Protect the premises
Supervise IT developments
Encrypt, guarantee integrity or sign

Contraste tests and improves these security measures on a regular basis.

Security Breaches

Security Breach Detection

Any event that poses a possible threat to personal data is to be considered as a Security Breach. A threat can be of different natures: loss, modification, corruption, or exposition to third parties.

The events that must be considered as a threat include, for example:

Intrusion of a third party into the corporate network.
Infection of one or more devices by a malware, including a virus, rootkit, …
Loss of a USB key containing files with personal data.
Loss of a PC, tablet or smartphone that contains, or can access, files containing personal data.
Security breach at one of our Data Processors

Contraste has taken a number of measures to detect any of these events without delay.

Risk Evaluation

When conducting a risk analysis, Contraste first identify the potential harm (physical, material or moral damage) associated with a processing activity. Next, we evaluate the severity of harm that could result. Finally, Contraste assess the likelihood of the event by analyzing the vulnerabilities of their systems and operations as well as the nature of the threats. Risk are categorised by “high-risk”, “risk” and “low-risk”.

Security Breach Notification to Authorities

If the security breach could lead to a threat to subject individuals, such as, for example, identity theft, fraud, financial loss or impact on influence, then Contraste will notify the authorities.

This notification must occur within the 72 hours of the positive identification of the security threat. If this delay is exceeded, then the additional delay must be justified.

Security Breach Notification to Subject Individuals

If the risk for subject individuals is considered high, then they must also be informed. If there is a doubt about the degree of risk, then the authorities can be contacted for verification.

If the situation requires a notification to the subject individuals, than they must also be provided guidelines about how to mitigate the risk.

Definitions

Data controller

"Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.”

GDPR, Art.4 (7)

Data processor

"Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”

An employee of the data controller is not considered like a processor.

GDPR, Art.4 (8)

Processing

"Processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

GDPR, Art.4 (2)

Personal Data

"Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

Source: GDPR, Rec.26; Art.4 (1)

Sensitive Personal Data

“Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).”

Source: GDPR, Rec.10, 34, 35, 51; Art.9 (1)

Reference Documents

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/eli/reg/2016/679/oj