Candidate privacy policy

Edition 2018-04

Contraste Europe Group

Contraste Europe is a group of companies offering IT services and solutions to business customers. Contraste Europe is only active in the B2B market and does not offer services to private individuals.

The Group is made up of the following companies

  • Amsit
  • Audaxis
  • Contrast Consulting
  • Contraste Europe
  • Contraste Luxembourg
  • Defimedia
  • Proxiel
  • The Digital Journey
     

The group operates in Belgium, Luxembourg, France, Switzerland and Tunisia.

In this privacy policy, we will use the name ‘Contraste’ to refer to all the companies that make up the group.

This privacy policy documents Contraste’s privacy policy as data controller, i.e. for processing operations for which Contraste defines the purposes and means of processing.

In the course of its business, Contraste collects, stores and uses data relating to individuals for the recruitment process.

This privacy policy concerns this processing and complies with the General Data Protection Regulation (RGPD). This policy applies to all Contraste companies.

Document version

EditionModification
2018-04Original version

General considerations

What personal data is collected on candidates during the recruitment process?

For each candidate, Contraste can collect the following information:

  • Last name, first name
  • Date of birth
  • Type
  • Country of residence
  • Main language
  • Language skills
  • Proposed job title
  • Standard job title
  • Telephone number (business, mobile and private)
  • Postal address (business, private)
  • Email address (business, private)
  • Company name
  • Level of training
  • Training and certification
  • CV (source + info)
  • Personal interests (sports, arts, etc.)
  • Professional experience
  • Photo
  • Document: CV
  • Document: Diploma, covering letter
  • Document: Photo
  • Document: Copy of identity card (in certain cases only)

Why does Contraste collect and use personal data?

Contraste keeps data on professionals looking for work.

This personal data is only used to assess a candidate’s ability (training, experience, etc.) to fill a position offered by Contraste or one of its clients. This involves the following processing:

  • Communicating with candidates (additional requests, interview results, information about an assignment, etc.)
  • Transfer a candidate’s personal data (CV, contact details, etc.) to a client for an assignment
  • Manage candidate documents (photo, diploma, covering letter, etc.)
  • Manage candidates’ CVs
  • Manage interview reports
  • Manage technical test results

If a candidate’s profile matches the search, they will be contacted by the recruitment team to discuss the opportunity. If the candidate agrees to apply, their CV will be offered to the client.

Candidate data is only used for these purposes.

How does Contraste collect personal data?

Contraste collects data on candidates from various sources:

  • Candidates should send an e-mail to the following address join-us@contraste.com;
  • Candidates apply for jobs on one of the Contraste sites, in response to job offers;
  • Candidates publish their profiles on specialist sites such as LinkedIn.com, monster.be, monster.fr, monster.lu and ICTjob.be;
  • A partner (specialised recruitment agency) provides Contraste with candidate information;
  • An employee or consultant provides Contraste with information about a candidate (via the recruitment department) (co-optation);
  • Candidates are interviewed;
  • Candidates take technical tests.

Who processes candidates’ personal data?

Contraste’s recruitment department is the main recipient of candidates’ personal data for the purposes described above in this privacy policy. During the recruitment process, the application may also be transferred to the sales representative in charge of Contraste’s client and to the client himself.

Each Contraste Europe group employee or consultant has signed a confidentiality and data protection policy to ensure that the processing carried out in the company is only done for the purposes defined by Contraste and the client.

Contraste’s clients seeking consultants are considered as sub-contractors and are not authorised to transfer candidate data to third parties or to use it for any purpose other than to assess a candidate’s suitability for the job offered. As processors, they guarantee to put in place all the technical and organisational measures necessary to protect data as required by the General Data Protection Regulation (GDPR) which replaces the Data Protection Directive 95/46/EC.

How does Contraste collect and store candidate consent?

Each candidate is clearly informed of the uses that may be made of their personal data at the time they provide it and as described in this privacy policy.

After the first contact, the candidate will be asked to give his/her explicit consent to the processing of his/her data via the online form. This consent will be stored in Contraste’s system. If Contraste does not obtain the candidate’s consent, their information will not be stored or processed.

How long does Contraste keep candidates’ personal data and on what legal basis?

After receiving the candidate’s consent, Contraste keeps the data for 2 years on the basis of the recommendations of the competent authorities and the candidate’s explicit consent. On the basis of its legitimate interest, Contraste Europe will keep a minimum of information on candidates (surname, first name, e-mail address, telephone number) for the proper functioning of the recruitment department.

Rights of the persons concerned

In compliance with the General Regulation on the Protection of Personal Data (RGPD), users have the following rights with regard to the data that Contraste collects about them:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to limitation
  • Right to portability

For any request concerning these rights, users can send an e-mail to ContrastePrivacy@contraste.com with the subject of the request. Contraste will respond to the request made in relation to the rights listed above within one calendar month of receipt of the request. If Contraste receives numerous or complex requests, the response time may increase for a maximum of 2 additional months.

For security reasons, for each request relating to these rights, Contraste will verify the identity of the person submitting the request. To do this, the person concerned will be asked to do one of two things:

  • Send a copy of an official document (identity card, passport) and a copy of a utility bill (telephone, electricity, etc.) clearly stating the name and address of the person concerned.
  • Call Contraste, who will carry out a strict telephone check, comparing the answers provided by the user with the information available to them.

Contraste will respond to the request only after a positive identification.

Subcontractor

Contraste does not share personal data with companies other than those belonging to the Contraste group, with the exception of identified sub-contractors. During the recruitment process, the sub-contractors of candidates’ personal data are :

  • Contraste clients looking for consultants
  • Microsoft Dynamics CRM
  • Microsoft Office 365

The website is hosted by Audaxis SAS.

As subcontractors, they guarantee that they have put in place all the technical and organisational measures necessary to protect data, as required by the General Data Protection Regulation (RGPD), which replaces Directive 95/46/EC.

Technical information on safety measures

List of safety measures

Contraste Europe uses a networked IT infrastructure, enabling its staff to interact internally and with third parties, and to use applications and services. Contraste has implemented various security measures covering the following areas:

  • Raising user awareness
  • Authenticating users
  • Managing authorisations
  • Track access and manage incidents
  • Securing workstations
  • Securing mobile computing
  • Protecting the IT network
  • Securing servers
  • Securing websites
  • Recording and planning business continuity
  • Archiving in total security
  • Supervising data maintenance and destruction
  • Managing subcontracting
  • Guarantee the security of exchanges with other organisations
  • Protecting your premises
  • Manage IT developments
  • Encrypt, guarantee integrity or sign

Contrast tests and improves these measures on an ongoing basis.

Security breach

Detecting a security breach

Any event presenting a potential threat to personal data must be considered a security breach. A threat can be of various kinds: loss, modification, corruption or exposure to third parties.

Here are some examples of events that should be considered a threat:

  • Third party intrusion into the company network
  • Infection of one or more devices by malicious software, including a virus, rootkit, etc.
  • Loss of a USB stick containing files with personal data.
  • Loss of a PC, tablet or smartphone containing or capable of accessing files containing personal data.
  • Security breach in one of our Data Processors

Contraste has taken a number of steps to detect these events without delay.

Risk assessment

When carrying out a risk analysis, Contraste first identifies the potential damage (physical, material or moral) associated with a processing activity. Next, we assess the severity of the damage that could result. Finally, Contraste assesses the likelihood of the event by analysing the vulnerabilities of their systems and operations and the nature of the threats. Risks are categorised as ‘high risk’, ‘risk’ and ‘low risk’.

Notification of security breaches to the relevant authorities

If the security breach may result in a threat to data subjects, such as, for example, identity theft, fraud, financial loss or impact on influence, Contraste will inform the authorities.

This notification must be made within 72 hours of the positive identification of the security threat. If this deadline is exceeded, the additional time must be justified.

Notification of security breaches to the people concerned

If the risk to the people concerned is deemed high, they must also be informed. If there is any doubt about the degree of risk, the authorities can be contacted for verification. If the situation requires notification of the data subjects, they must also be provided with instructions on how to mitigate the risk.

Definitions

  • Data controller

‘Controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data., the controller (or the criteria for appointing the controller) may be designated by these laws.’

GDPR, Art.4 (7)

  • Subcontractor

‘The processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.’

An employee of the data controller is not considered to be a processor.

GDPR, Art.4 (8)

  • Treatment

‘Processing means any operation or set of operations which is performed upon personal data or sets of personal data, whether by collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

GDPR, Art.4 (2)

  • Personal data

‘Personal data: any information relating to an identified or identifiable natural person (‘data subject’), where an identifiable person can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.’

Source: GDPR, Rec.26; Art.4 (1)

  • Sensitive personal data

‘Sensitive personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data. are processed separately (criminal law does not fall within the EU’s legislative remit). ’

Source: GDPR, Rec.10, 34, 35, 51; Art.9 (1)

Reference document

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) http://eur-lex.europa.eu/eli/reg/2016/679/oj

Authorities responsible for protecting privacy

Belgium

Data Protection Authority

Rue de la Presse, 35

B-1000 Bruxelles

Belgium

Phone +32 2 274 48 00

https://www.autoriteprotectiondonnees.be/

contact@apd-gba.be

Luxembourg

National Commission for Data Protection (CNDP)

1, avenue du Rock’n’Roll

L-4631 Esch-su-Alzette

Luxembourg

Phone +352 26 10 60 1

https://cnpd.public.lu

France

Commission Nationale de l’Informatique et des Libertés (CNIL) (French Data Protection Authority)

3 Place de Fontenoy

TSA 80715

F-75334 Paris Cedex 07

France

Phone +33 1 53 73 22 22

Europe

European Data Protection Supervisor

https://edps.europa.eu