Visage’ has set forth an endeavor to assess its operation towards the requirements posed by GDPR having identified items in need of change/ fine tuning and proceeding accordingly in order to transform its operation in compliance with GDPR.

One main topic within such context and despite having provided assertive training to its staff as well as having then tested and registered acquired knowledge lays in creating a clear Code of Conduct under GDPR which explicitly demonstrates how to act in face of GDPR main guidelines.

These guidelines apply to all Visage\ employees as well as its partners.


The European Union has developed the Regulation 2016/679, a piece of legislation also known as GDPR (General Data Protection Regulation) with the main goal of clearly and assertively defining a set of both Operational Guidelines as well as Individuals’ (Data Subjects) rights and obligations towards assuring 3rd party Data Subjects Personal Data Security and Confidentiality.


This document makes references to terms which imply specific concepts under GDPR, being these:

GDPR – European Union Regulation 2016/679 approved by the European Council and Parliament on April 27, 2016.

Consent - of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller - means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Protection Officer (DPO) – the DPO assures compliance towards GDPR by the Controller (the company) by means of:

Data Subject – an identifiable natural person.

Personal Data - any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor - means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Retention Period – the time lapse over which Personal Data from a given Data subject is maintained by the company.

Data Subjects Rights

GDPR has defined a set of rights pertaining to the Data subjects which must be observed by all entities and towards which, Visage and its employees, as well as direct individual partners, commit to, namely:

Right to be forgotten – the Data Subject is entitled to ask for his/ her Personal Data to be erased from all existing supports within the company and the company must observe such right if:

However, such right may be deemed inapplicable if:

Subject Access Request – the data subject has the right to ask of the company (controller) which of his/ her Personal Data is in possession of that controller at any given point in time.

Right to Rectification - the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Portability Right - the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. It is also within this right to transmit those data to another controller (entity) without hindrance from the controller to which the personal data has been initially provided. Including having the Personal Data transmitted directly from one controller to another, where technically feasible.

Right to Restriction of Processing - the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

Visage acknowledges these right as well as understands their relevancy within the scope of assuring Personal Data is clearly available and in control of its rightful owner, meaning the Data Subject towards whom it pertains. Therefore, it is in Visage’ GDPR code of conduct to strictly observe such established Data Subject rights and in case of doubt, given any specific circumstances take the necessary steps, namely by promptly informing and getting appropriate advice from its Data Protection Office (DPO).

Company and Staff Obligations

Visage’ GDPR Code of Conduct establishes the following obligations that must be observed by all of its staff as well as direct individual partners:

  1. Strictly observe Data Subjects rights as per defined under GDPR

  1. Operate within the scope of fair and transparent processing of Data Subject’ Personal Data and always within the scope of an existing agreed service (towards which the Data Subject has given Explicit Consent) or any other lawful grounds which may include accessory legal obligations or contracts established between the Data subject and Visage’ partner companies which include explicitly Visage’ intervention as a controller or processor (which includes the legitimate interests pursued by controllers in such specific contexts).

  1. The collection of personal data will always happen within the scope of the law (GDPR) as well as based on lawful grounds as per defined by the law.

  1. Wherever possible and applicable, Personal Data shall be subject to pseudonymization as a mean to add security and assure confidentiality by making it harder to identify the Data Subject from hosted Data.

  1. Visage will not disclose Personal Data from any individual into the public domain under no circumstance. Personal Data sharing exclusively takes place under the scope of specific services rendered towards the Data Subject and in benefit of the Data Subject.

  1. As previously herein mentioned, Visage will strictly observe Data subject rights under GDPR and as per defined by the law. Assuring the means for Data subjects to exercise such rights.

  1. In case of a Data Breach, meaning an incident which exposes Personal Data to unauthorized parties, Visage will immediately proceed in accordance with GDPR while both notifying the relevant Supervisory Authorities as well as the affected Data Subjects.

Terms of Service

This chapter presents the Service rendered by Visage as well as its Terms towards Data Subjects.

Visage supports companies with their recruitment processes either directly or via recruitment agencies, by allowing a matching best fit professional profiles towards existing job opportunities.

Upon receiving a request from a company in search of a given professional profile, Visage’ expert recruiters resort to available online public profiles (meaning profiles on Social Media which have been published by the Data Subject’ by their own free will) to initially assess potential best fits towards the specific existing recruitment need that was conveyed by the client company.

The potential best fit professional profiles (meaning Personal Data from Data Subject who apparently fit the required professional profile) are then conveyed to the client company so that they must be checked by such entity.

This is a Service which is mutually rendered towards both the client company or recruitment agency under an existing recruitment process which aims at fulfilling a specific recruitment need from such companies as well as a service towards the Data Subject of presenting him/ her with a potential career opportunity.

Who is collecting Personal Data

Personal Data is collected initially from public profiles on Social Media by Visage’ recruiters.

At a later stage (under a three calendar weeks’ time frame, and therefore observing GDPR article’ 14 stipulations) and with regards to Data Subjects whose profile has been deemed as adequate by the client company, Visage will establish direct contact to clearly explain the status of adherence to the recruitment opportunity and ask for the Data Subject’ Explicit Consent as per herein defined under these Terms of Service.

What Personal Data is Being Collected

The initially collected Personal Data consists of Name and email, plus relevant professional Data which the Data Subject has made public on his/ her free will over Social Media.

At a later stage and once the Data Subject’ professional profile has been identified as the best fit towards the job opportunity at hand by the client company, additional relevant Personal Data will be collected upon getting explicit consent from the Data Subject.

With whom and for which purpose will which Personal Data be shared

Since Data is collected from several sources, at a 1st stage it is submitted to an online service (via a secure API) which under less than 2 minutes and under a totally automated form returns a structured CV.PDF format as per client company requirements.

Such CV is forward to the client company for appraisal and feedback with regards to its adherence to the existing recruitment process requirements.

Which and How will generated information (processed Data) be used

The only information generated during the processing activities consists of the previously mentioned structured layout (.PDF CV file) containing Personal and Professional Data (collected from the Social Media platforms which in turn has been freely submitted on such platforms by the Data subject him/ herself).

There is no further processing as well as no new information is produced out of the processing activities than the Personal and Professional Data initially collected.

How long will Personal Data be Stored and how

Visage will retain collected Personal and Professional Data from the Data Subject for a period of less than 3 calendar weeks prior to either establishing contact with the Data Subject to get his/ her explicit consent towards the Service at Hand or disposing of the Personal Data to an encrypted and pseudonymized Data Base.

The process of producing a structured CV by Visage’ partner company XXXX takes (as mentioned) under 2 minutes and it is all performed in memory at this partner’ Server based SaaS software application. Once the submitted unstructured Data has been converted into the structured CV.PDF document, such document is forward to Visage via the same secure API and deleted from memory. This means that Visage partner XXXXX does not retain Personal Data from the Data subject under either memory of physical/ logical storage as per stated under the existing contractual agreement between both companies.

With regards to Data Subjects whose professional profile was deemed unfit towards a given job opportunity by the client company, Visage moves such Personal Data (as mentioned) to an encrypted and pseudonymized repository (Data Base). Independently of the fact that all of the Data exists for public access under Social Media as per the Data Subject’ willing full decision of publishing it on such platforms, this ensures that such Personal Data in the position of Visage is isolated while assuring its security and confidentiality.

Only Visage authorized personal (direct staff) has the means to use the pseudonymization key as well as trigger the encryption algorithm which will decrypt the Personal Data, hence making it again intelligible.

This will happen once a new Job opportunity towards which such Professional Profile may constitute the best fit in order to have it submitted to the client company for appraisal, significantly reducing the query and response time as well as leveraging the existing archived professional profiles in benefit of the Data Subject him/ herself.

Data Subject Consent

By giving his/ her consent to this Service, the Data subject accepts the herein stated scope and terms.

The Data Subject is entitled to withdraw his/ her consent at any given time by accessing the platform and ticking the “opt out” box. In such case, all of his/ her Personal Data will be deleted from all Visage’ archiving as well as processing supports, and the Data subject will no longer benefit from potential recruitment processes that may arise from thereon as well as any recruitment processes that may still be running.

Additionally, the Data Subject may also decide to “opt out” of the pseudonymized and encrypted archive, merely accepting his/ her Personal Data to be treated under the existing and running recruitment processes at that point in time. Such option means that the individual will no longer be considered under any future recruitment processes that may arise.

How can the Data Subject produce a Subject Access Request (SAR)

As per defined under GDPR, the Data Subject has the option of producing a SAR at any given point in time.

Upon registering in the platform or by email (subject to a posterior two-factor authentication process in order to assure that the person performing the SAR is, in fact, the Data Subject), the Data Subject may request Visage to forward him/ her all the Personal Data that the company holds about him/ her.

Visage will return over the platform and/ or via email a .PDF file protected by a password which contains in a readable and intelligible manner all such Personal Data.

Again, the file is submitted by email, while the password is forward by an accessory channel only accessible to the Data subject him/ herself in order to assure security and confidentiality of conveyed information.

If via the platform and since user authentication is mandatory, the .PDF file is made available for download without being protected by a password, for it is up to the Data Subject him/ herself to ensure that his/ her authentication credentials remain confidential and only in posession of him/ herself.

How can the Data Subject produce a Personal Data complaint

The Data Subject can submit a complaint either to the local Regulatory Authority (in case of individuals within the EU) or through Visage’ platform. In such case the complaint shall be registered, analyzed and informed to the EU Regulatory Authority in case of a Data Breach.

The Data Subject will also receive feedback from Visage through its Platform on the complaint subject, regarding the performed analysis over the assessed impact towards his/ her Personal Data within the maximum period of 1 month, being that Visage will set its best effort in order to provide such feedback in the shortest period of time.