Visage’ has set forth an endeavor (the Corporate DPIA as per ruled under the GDPR Article 35), to assess its operation towards the requirements posed by GDPR having identified items in need of change/ fine tuning and proceeding accordingly in order to transform its operation in compliance with GDPR.
One main topic within such context and despite having provided assertive training to its staff as well as having then tested and registered acquired knowledge lays in creating a clear internal Code of Conduct under GDPR which explicitly demonstrates how to act in face of GDPR main guidelines.
These guidelines apply to all Visage employees.
The European Union has developed the Regulation 2016/679, a piece of legislation also known as GDPR (General Data Protection Regulation) with the main goal of clearly and assertively defining a set of both Operational Guidelines as well as Individuals’ (Data Subjects) rights and obligations towards assuring 3rd party Data Subjects Personal Data Security and Confidentiality and those Data Subjects Privacy.
This document makes references to terms which imply specific concepts under GDPR, being these:
GDPR – European Union Regulation 2016/679 approved by the European Council and Parliament on April 27, 2016.
Consent - of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller - means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Protection Officer (DPO) – the DPO assures compliance towards GDPR by the Controller (the company) by means of:
Data Subject – an identifiable natural person to whom Personal Data pertains to.
Personal Data - any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor - means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Retention Period – the time lapse over which Personal Data from a given Data subject is maintained by the company.
GDPR has defined a set of rights pertaining to the Data subjects which must be observed by all entities and towards which, Visage and its employees, as well as direct individual partners, commit to, namely:
Right to Erasure (also known as the Right to be forgotten) – as per the ruling under the GDPR Article 17, the Data Subject is entitled to ask for his/ her Personal Data to be erased from all existing supports within the company and the company must observe such right if:
However, such right may be deemed inapplicable if:
Right of Access (also known as the Data Subject Access Request) – the data subject has the right to ask of the company (controller) which of his/ her Personal Data is in possession of that controller at any given point in time, as per the ruling under the GDPR Article 15.
Right to Rectification - the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, as per the ruling under the GDPR Article 16.
Portability Right - as per the ruling under the GDPR Article 20, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. It is also within this right to transmit those data to another controller (entity) without hindrance from the controller to which the personal data has been initially provided. Including having the Personal Data transmitted directly from one controller to another, where technically feasible.
Right to Restriction of Processing - as per the ruling under the GDPR Article 18, the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
Visage acknowledges these right as well as understands their relevancy within the scope of assuring Personal Data is clearly available and in control of its rightful owner, meaning the Data Subject towards whom it pertains. Therefore, it is in Visage’ GDPR code of conduct to strictly observe such established Data Subject rights and in case of doubt, given any specific circumstances take the necessary steps, namely by promptly informing and getting appropriate advice from its Data Protection Office (DPO).
Right to submit a Complaint - the Data Subject has the right to lodge a complaint with a supervisory authority and/ or towards Visage about the Processing of Personal Data pertaining to him/ her.
Right to Object - the Data Subject has the right to present objection/ opposition to the Processing of Personal Data that pertains to him/ her under the scope of Profiling that supports Marketing activities, as per the ruling under the GDPR Article 21.
Right to object to Automated individual decision-making, including profiling - The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, as per the ruling under the GDPR Article 22.
Visage’ GDPR Code of Conduct establishes the following obligations that must be observed by all of its staff as well as direct individual partners:
This chapter presents the Service rendered by Visage as well as its Terms towards Data Subjects.
Visage supports companies with their recruitment processes either directly or via recruitment agencies, by allowing a matching best fit professional profiles towards existing job opportunities.
Upon receiving a request from a company in search of a given professional profile, Visage’ expert recruiters resort to available online public profiles (meaning profiles on Social Media which have been published by the Data Subject’ by their own free will) to initially assess potential best fits towards the specific existing recruitment need that was conveyed by the client company.
The potential best fit professional profiles (meaning Personal Data from Data Subject who apparently fit the required professional profile) are then conveyed to the client company so that they must be checked by such entity.
This is a Service which is mutually rendered towards both the client company or recruitment agency under an existing recruitment process which aims at fulfilling a specific recruitment need from such companies as well as a service towards the Data Subject of presenting him/ her with a potential career opportunity.
Personal Data is collected initially from public profiles on Social Media by Visage’ recruiters/ staff.
At a later stage (under a three calendar weeks’ time frame, and therefore observing GDPR article’ 14 stipulations) and with regards to Data Subjects whose professional profile has been deemed as adequate by the client company, Visage will establish direct contact to clearly explain the status of adherence to the recruitment opportunity and ask for the Data Subject’ Explicit Consent as per herein defined under these Terms of Service.
The client company (prospect employer) is provided with access to gathered Personal Data (from Public Sources) via a web interface to Visage’ Platform. Visage does not share such Personal Data with the client company until the Data Subject has agreed to enter into the recruitment process.
The initially collected Personal Data consists of Name and email, plus relevant professional Data which the Data Subject has made public on his/ her free will over Social Media.
At a later stage and once the Data Subject’ professional profile has been identified as the best fit towards the job opportunity at hand by the client company, additional relevant Personal Data may be collected upon getting explicit consent from the Data Subject.
Since Data is collected from several public sources, at a 1st stage it is submitted to an online service (via a secure API) which under less than 2 minutes and under a totally automated form returns a structured CV.PDF format as per client company requirements.
Such CV (consisting exclusively of Personal Data that has been made public over Social Media Platforms) and access to it is enabled via Visage’ platform to the client company (prospect employer) for initial assessment; Personal Data shall only be then forward (shared) with the client company (prospect employer), only upon opt-in from the Data Subject.
The only information generated during the processing activities consists of the previously mentioned structured layout (.PDF CV file) containing Contact and Professional Categories of Data (collected from the Social Media platforms) which in turn has been freely submitted on such platforms by the Data subject him/ herself for it is part of his/ her online profile).
There is no further processing as well as no new information is produced out of the processing activities than the Contact and Professional Data initially collected.
Visage will retain collected Personal and Professional Data from the Data Subject for a period of less than 3 calendar weeks prior to either establishing contact with the Data Subject to get his/ her explicit consent towards the Service at Hand or disposing of the Personal Data to an encrypted and pseudonymized Data Base.
The process of producing a structured CV by Visage’ partner company TexrKernel takes (as mentioned) under 2 minutes and it is all performed in memory at this partner’ Server based SaaS software application. Once the submitted unstructured Data has been converted into the structured CV.PDF document, such document is forward to Visage via the same secure API and deleted from memory. This means that Visage partner TexrKernel does not retain Personal Data from the Data subject under either memory of physical/ logical storage as per stated under the existing contractual agreement between both companies.
With regards to Data Subjects whose professional profile was deemed unfit towards a given job opportunity by the client company, Visage moves such Personal Data (as mentioned) to an encrypted and pseudonymized repository (Data Base). Independently of the fact that all of the Data exists for public access under Social Media as per the Data Subject’ willing full decision of publishing it on such platforms, this ensures that such Personal Data in the position of Visage is isolated while assuring its security and confidentiality.
Only Visage authorized personnel (direct staff) has the means to use the pseudonymization key as well as trigger the encryption algorithm which will decrypt the Personal Data, hence making it again intelligible.
This will happen once a new Job opportunity towards which such Professional Profile may constitute the best fit in order to have it submitted to the client company for appraisal, significantly reducing the query and response time as well as leveraging the existing archived professional profiles in benefit of the Data Subject him/ herself.
By giving his/ her consent to this Service, the Data subject accepts the herein stated scope and terms.
The Data Subject is entitled to withdraw his/ her consent at any given time by accessing the platform and ticking the “opt out” box. In such case, all of his/ her Personal Data will be deleted from all Visage’ archiving as well as processing supports, and the Data subject will no longer benefit from potential recruitment processes that may arise from thereon as well as any recruitment processes that may still be running.
Additionally, the Data Subject may also decide to “opt out” of the pseudonymized and encrypted archive, merely accepting his/ her Personal Data to be treated under the existing and running recruitment processes at that point in time. Such option means that the individual will no longer be considered under any future recruitment processes that may arise.
As per defined under GDPR, the Data Subject has the option of producing a SAR at any given point in time.
Upon registering in the platform or by email to the email address firstname.lastname@example.org
If at the stage where only Personal Data that has been collected from Public Platforms (Social Media) exists, meaning within the 3 weeks period of collection, a simple reply will be sent to the Data Subject provided the request has been issued via an email address that has been gathered by Visage.
If the information derives from a Data Subject about whom Visage has gathered and/ or produced additional Personal Data out of processing activities after the initial contact phase (3 weeks) and whom has opt-in to a recruitment process or is undergoing a recruitment process, the Data Subject is subject to a two-factor authentication process in order to assure that the person performing the SAR is, in fact, the Data Subject). The same process applies where the Data Subject has requested Visage to forward him/ her all the Personal Data that the company holds about him/ her (DSAR and/ or Right to Portability).
In such cases, where Visage has Personal Data that goes beyond what is available over Public Platforms, it will return over the platform and/ or via email a .PDF file protected by a password which contains in a readable and intelligible manner all such Personal Data.
Again, the file is submitted by email, while the password is forward by an accessory channel only accessible to the Data subject him/ herself in order to assure security and confidentiality of conveyed information.
If via the platform and since user authentication is mandatory, the .PDF file is made available for download without being protected by a password, for it is up to the Data Subject him/ herself to ensure that his/ her authentication credentials remain confidential and only in possession of him/ herself.
The Data Subject can submit a complaint either to the local Supervisory Authority (in case of individuals within the EU) or through Visage’ platform. In such case the complaint shall be registered, analyzed and informed to the EU Regulatory Authority in case of a Data Breach.
The Data Subject will also receive feedback from Visage through its Platform on the complaint subject, regarding the performed analysis over the assessed impact towards his/ her Personal Data within the maximum period of 1 month, being that Visage will set its best effort in order to provide such feedback in the shortest period of time.