March 8th, 2021
Visage has undertaken a Corporate DPIA (as required under GDPR Article 35) to assess its operation against the requirements posed by the GDPR. Having identified items in need of change/ fine tuning, it is proceeding accordingly in order to bring its operation into compliance not only with the GDPR but also with the California Consumer Protection Act and the ePrivacy Directive of the EU.
One main topic within this context, despite Visage having provided assertive training to its staff and having then tested and registered the acquired knowledge, lies in creating a clear internal Code of Conduct under the GDPR which explicitly demonstrates how to act in the face of the GDPR's main guidelines.
These guidelines apply to all Visage employees.
· The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (GDPR), which became enforceable across the EU and the EEA from May 25th, 2018, having replaced the previous Directive 95/46/EC. In Ireland, the national law which, amongst other things, gives further effect to the GDPR is the Data Protection Act 2018 (‘the 2018 Act’). The main goal of the GDPR is to clearly and assertively define both a set of rights of natural persons (Data Subjects) and Operational Guidelines and obligations for companies and organizations towards assuring 3rd party Data Subjects’ Personal Data Security and Confidentiality, so that those Data Subjects’ Privacy is assured by those that process their Personal Data.
· The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;
· The California Consumer Privacy Act 2018, Assembly Bill No. 375 of the State of California, United States of America, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy, approved by the Governor on June 28, 2018, filed with the Secretary of State on June 28, 2018 and enforceable from January 1st, 2020 onwards.
Use of Information
We use information about you for the following purposes:
Data Subjects Rights
Data Subjects may exercise their Rights directly towards Visage.
Under the Personal Data Protection Legislation, the Data Subject has the following set of established rights:
[GDPR] Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. Visage will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may exercise this right by reviewing information on Visage’s website user account area or by submitting a request as defined later in this document, which is the application process for those Data Subjects who are not Visage Customers.
[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:
Know the categories of personal information we collect and the categories of sources from which we got the information;
Know the business or commercial purposes for which we collect and share personal information;
Know the categories of third parties and other entities with whom we share personal information; and
Access the specific pieces of personal information we have collected about you.
[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Customers may directly amend existing information on Visage’s website user account area or by submitting a request as defined later in this document, which is the application process for those Data Subjects who are not Visage Customers.
[GDPR] Right to erasure. The right to have Personal Data pertaining to him/ her that is under Processing by Visage erased and therefore Processing stopped, unless a legal duty or a legitimate ground to retain certain data prevents Visage from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[CCPA] Right to deletion. Again, in a similar manner to what the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/ information.
We may refuse the exercise of such right if it would prevent us from exercising a legal defence, if a legal obligation prevents us from doing so, or if there is a risk that by doing so we would not be able to fulfil any open contractual obligations.
[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to him/ her. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[CCPA] Right to opt out of sales – We do not “sell” your data. Under the CCPA, the natural person to whom the Personal Data pertains has the right to object to having that data sold by the company/ entity. This also applies to a household.
[GDPR] Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. Visage will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on Visage’s website user account area or by submitting a request as defined later in this document, which is the application process for those Data Subjects who are not Visage Customers.
[GDPR] Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of its occurrence.
[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding Visage’s Processing activities over his/ her Personal Data with any of the EU Member States’ data protection Supervisory Authorities. Visage is, however, also available to provide any clarification to those Data Subjects who may feel that its Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, that is, to have such Personal Data processed in a secure manner and with Confidentiality assurance. Data Subjects may submit a complaint via the request process defined later in this document.
[CCPA] Right to be free from discrimination. You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data.
For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfil your request.
We will use the information you provide to make your CCPA rights requests to verify your identity, identify the personal information we may hold about you and act upon your request.
We strongly recommend that you submit the email and postal address that you used when you created accounts, ordered subscriptions or signed up for a newsletter. After you submit a CCPA rights request you will be required to verify access to the email address you submitted. You will receive an email with a follow-up link to complete your email verification process. You are required to verify your email in order for us to proceed with your CCPA rights request. Please check your spam or junk folder in case you can't see the verification email in your inbox.
Exercising Data Subject’s Rights
Under the scope of Personal Data Protection, the Data Subjects may address Visage via an e-mail to support@Visage.app or directly address Visage’s Data Protection Officer via the email address email@example.com.
The exercise of Data Subjects’ rights, like some other “interactions”, requires the univocal identification of the person submitting such request as being, in fact, the Data Subject to whom such Personal Data pertains; hence Visage may have to set in place a process or mechanism that allows it to document having undergone such assertive identification.
Company and Staff Obligations
Visage’s GDPR Code of Conduct establishes the following obligations that must be observed by all of its staff as well as direct individual partners:
Visage supports companies with their recruitment processes either directly or via recruitment agencies, by allowing the matching of best fit professional profiles towards existing job opportunities.
Upon receiving a request from a Corporate Client in search of a given professional profile, Visage’s expert recruiters resort to available online public profiles (e.g. profiles on Social Media which have been published by the Data Subjects of their own free will) to initially assess potential best fits towards the specific existing recruitment need that was conveyed by the Corporate Client.
The potential best fit professional profiles (meaning Personal Data from a Data Subject who apparently fits the required professional profile) are then made visible to a recruiter from the Corporate Client for assessment.
Who is collecting Personal Data
Personal Data is collected initially from public profiles (e.g. on Social Media) by Visage’s recruiters/ staff.
At a later stage (under a three calendar weeks’ time frame, and therefore observing the stipulations of GDPR Article 14), while acting under the Legitimate Interest that derives from this article’s ruling, and exclusively with regard to those Data Subjects whose professional profile has been deemed adequate in the assessment performed by the Corporate Client, the recruiter from the Corporate Client, using Visage’s platform and exclusively the Data hosted by it, will establish direct contact with the Data Subject to clearly explain the status of adherence to the recruitment opportunity, asking for the Data Subject’s Explicit Consent to move ahead and have him/ her become a candidate in the recruitment process at hand.
The Corporate Client (prospective employer) nominates a recruiter from its team who becomes a Visage user with access to gathered Personal Data exclusively via a web interface on Visage’s Platform. Visage does not share such Personal Data with the Corporate company until the Data Subject has agreed to participate in the recruitment process. Where the Data Subject has agreed to participate in the recruitment process, the gathered Personal Data is then transferred to the Corporate Client and the entire recruitment process ceases with regard to Visage, meaning also that the Personal Data is erased from Visage’s repositories.
All those Data Subjects who refuse to participate in the recruitment process as well as those who simply do not provide a reply will have their Personal Data erased from Visage platform within 28 days of its collection from public sources.
With whom and for which purpose will which Personal Data be shared
Personal Data is exclusively shared with the Corporate Client which is running the recruitment process once the Data Subject has accepted to participate in that same process as a candidate.
Before that point, Visage merely allows a recruiter user from the Corporate Client to visualize the Data Subject’s data which is publicly available over social media, in order for an assessment of that professional profile to be made.
If the Data Subject’s profile is deemed to be a best fit towards the job opportunity at hand, then the recruiter from the Corporate Client will reach out to the Data Subject via Visage mail service to invite him/ her to become a candidate under that recruitment process.
Which and How will generated information (processed Data) be used
The only information generated during the processing activities consists of a structured CV layout containing Contact and Professional Categories of Data, collected from public platforms and which in turn has been freely submitted on such platforms by the Data Subject him/ herself.
Visage does not undertake any type of Automated Personal Data Processing activities or Decision Making, in particular (yet not exclusively) any that may lead to “Profiling” activities.
The Principle of Data Minimization
Visage takes every reasonable step to ensure that Personal Data under its direct Processing activities (as the Joint-Controller, since it only seeks and gathers data where requested by a Corporate Client) is absolutely limited to the amount and type that is necessary to deliver its Services towards its Corporate Clients as it has been agreed with those via a Contract. The Personal Data shall not be maintained over redundant repositories nor for any longer than required under the scope of agreed services.
As mentioned, the Corporate Client is the Controller, which then defines internally its own Personal Data Processing “scope” and “purpose”; these it must communicate to the Data Subject (Candidate) once he/she accepts to participate in the recruitment process and starts interacting directly with that company.
How long will Personal Data be Stored and how
Visage will retain collected Personal Data from the Data Subject for a period of less than 3 calendar weeks before either contact is established with the Data Subject to get his/ her explicit consent towards the Service at hand or the Personal Data is erased.
The process of producing a structured CV by Visage’s partner company TexrKernel takes (as mentioned) under 2 minutes and it is all performed in memory at this partner’s Server based SaaS software application. Once the submitted unstructured Data has been converted into the structured CV.PDF document, such document is forwarded to Visage via the same secure API and deleted from memory. This means that Visage’s partner TexrKernel does not retain Personal Data from the Data Subject in either memory or physical/ logical storage, as stated under the existing contractual agreement between both companies.
International Data Transfers
Some of Visage’s Corporate Clients are established outside the EU/ EEA (meaning neither in EU Member States nor within the European Economic Area). In these cases Visage has Data Processing Agreements in place with those Corporate Clients where the Standard Contractual Clauses from the EU are applicable.
Notwithstanding that fact, where candidates are concerned (Data Subjects who have accepted to participate in a given recruitment process), the transfer of Personal Data is agreed to by the candidate while providing Consent to participating in that process.
“Agreed Services” or “Services” means those Services being rendered by the Controller to the Data Subject, to which he/ she has agreed and/ or for which Processing legitimacy derives from an existing and documented Legal Basis.
“Controller” means the “Party” which determines the “scope”, “purpose” and form of Personal Data Processing activities.
“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.
“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to “Personal Data” Treatment and on the free movement of such data, while replacing the Directive 95/46/EC and having become enforceable on May 25th, 2018.
“IT Landscape” means the set of IT assets and services of and at the disposal of either the Data Subject, [COMPANY] or its Partners that enables their Personal Data Processing to occur, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.
“Legal Basis” means the listed Legal Bases on which a Controller may undertake Personal Data Processing activities under “GDPR”, namely (but not limited to) having documented: the Data Subject’s Explicit Consent towards those Personal Data Processing activities; the Controller’s Legitimate Interest in proceeding with those activities; accessory legal obligations that the Controller must observe and which entitle it to proceed with such activities within the limits of GDPR ruling and inherent obligations.
“Partner” means any 3rd party entity to which the Controller may resort in order to ensure Personal Data Processing activities under an established Legal Basis (as defined under the “GDPR”) and within the scope of agreed Services with the Data Subject.
“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify a specific natural person, the “Data Subject”.
“Personal Data Processing” means any operation or set of operations which is performed upon “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.
“Processor” means the entity which proceeds with authorized Personal Data Processing activities on behalf of the “Controller”.