DATA PROTECTION POLICY THE SHORTLIST CAREERS GmbH

1. Overview Of Your Rights Under GDPR

The Shortlist Careers (Germany) GmbH and our related services in other countries are committed to protecting the confidentiality of information and privacy of our clients, candidates, and other users of our websites and services.

All organisations that process personal data are required to comply with data protection legislation. This includes in particular the Data Protection Act 1998 (or its successor) and the EU General Data Protection Regulation (together the ‚Data Protection Laws‘).

The Data Protection Legislation provides individuals (“data subjects”) specific rights over their personal data and imposes obligations over any company that is duly in possession of or processing their data.

The Shortlist Careers GmbH considers the rights to privacy and always manages the control of personal data with extreme care and due diligence.  We ensure that any information gathered, stored and processed is done with technical and organisational measures as outlined and depicted within the law and through the explicit consent received.

The policy will be reviewed from time to time to take into account new laws and technology, changes to our operations and practices and to make sure it remains appropriate to the changing environment.

2. Definitions

Throughout this policy the following terms have the following meanings:

2.1.     ‚Consent‘ means any freely given, specific, informed and unambiguous indication of an individual’s consent by which he / she has provided clear affirmative consent to retaining, gathering or processing of personal information relating to or being used to identify the person as an individual;

2.2.     ‚Data controller‘ means the organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;

2.3.     ‚Data processor‘ means an individual or organisation which processes personal data on behalf of the data controller;

2.4.     ‚Personal data‘ means any information relating to an individual who can be identified, such as by a name, an identification number, location data, passport or an online identifier;

2.5.     ‚Personal data breach‘ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;

2.6.     ‚Processing‘ means any operation or set of operations performed on personal data, such as collection, recording, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.7.     ‚Profiling‘ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

 

3. What is Personal data?

Personal data means any information relating to an identified or identifiable natural person (data subject), by virtue of submission or obtaining from a public platform.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, telephone number, postal address, e-mail address, an identification number, passport, visa, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4. Collection of Personal data

In order to carry out our business as recruitment consultants and head-hunters, the company may collect personal information from an applicant, a possible applicant or a person that has indicated such interest in a position through email, messaging or any other electronic means. Information being collected includes, but is not limited to, name, contact details, qualifications, work history, right to work in a particular country, language skills, professional qualifications and memberships, work objectives and other information from a submitted CV or online public platform.

Where an applicant or an individual has duly been identified to be suitable for a specific position, the Company may request additional information from the individual, depending on the client's requirements, which is then shared with the client following affirmative consent by the Data Subject.  Such information is utilized by the client’s company for the respective reference checks and / or confirmations.

4.1.     How Data is collected by the Company?

In most cases, the Company collects personal data directly from the individual via telephone, email or via messaging on social platforms like LinkedIn.

Some indicators can be found in terms of: 

4.1.1.  Personal submission of a CV or application form

4.1.2.  Registering with the Company for head-hunting by individual

4.1.3.  Consent via email or telephone for supply of data to a third party

4.1.4.  Application to advertised positions (from time to time)

4.1.5.  Voluntary submission of information upon request

All information required is gathered, stored and processed if and where so deemed required through such consent. No information is gathered in excess of requirements and additional information is requested from individuals when so required by clients with new consent on such transfer.

The Company will not transfer any information to a client or third party without the explicit written consent of the data subject.

By engaging with the company for placements and head-hunting, the individual and or companies provide The Shortlist Careers GmbH with consent to gather, store and process respective information that is deemed required for operations and purpose as outlined in this policy and / or any privacy notice hereto attached and referenced.

5. Purpose of Data collection, processing and storing

The reason that the Company gathers information from data subjects is outlined and explicitly for the purpose of selection and recruitment.  Information is not stored and / or excessively processed outside of consent and such information is only gathered in terms of purpose and requirements. Personal information is utilized in terms of skills, experience and qualifications that aligns to the job inherent requirements of the client.

The Company will use such information in line with:

5.1.     To provide a recruitment service to both candidate, potential candidate and / or client seeking candidate;

5.2.     To match an individual against vacancies that have been registered with the company;

5.3.     To maintain and promote business relationships

 

6. Our Legal Bases for Processing your Data

Our processing of personal data is outlined in this policy and duly recognised in terms of the EU GDPR regulations.

Our internal staff information is deemed to be controlled by the Company management for the purposes of promulgating salaries, declarations to financial institutions (Government) and respective third parties where so deemed lawful.

in relation to its own staff and candidates and is a data controller for the purposes of the Data Protection Laws. The Company has registered with Amtsgericht Berlin, and its registration number is [HRB 173725 B].

The Company commits and undertakes that it will only process personal data where it has a legal basis for doing so:

6.1.     Consent

The Company requires written consent to gathering, storing and processing any personal data in line with this Policy, any Privacy Notice and / or covered under legal terms of the industry (recruitment services).

The consent provided is explicit to The Shortlist Careers GmbH and we duly ensure that both parties understand their respective rights and intentions during a consultation process.  The processing is in line with Article 6(1)(a) of the GDPR, which states „[name] have given consent to the processing of his/her personal data for one or more specific purposes“.

6.2.     Legitimate Interests

As a recruitment consultancy, it is in both the Company’s interest and that of the data subject, as a candidate or possible candidate, that the Company process such personal information, in order to provide the individual and / or company with the best and most effective and efficient service.

This basis for processing is in accordance with Article 6(1)(f) of the GDPR, which states „processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [the person] which require protection of personal data.“

6.3.     Contract

Although the Company does not require a formal contract or agreement to be undersigned between itself and the data subject, it is believed that an agreement does exist upon engagement and providing of personal information with consent to process as such and against the purpose of selection and recruitment services.

As such, in accordance with Article 6(1)(b) of the GDPR, the Company processes personal information „for the performance of a contract to which the [name] are party or in order to take steps at the request of [name] prior to entering into a contract“.

7. Disclosure of Personal data to Third Parties

The company may disclose personal data to third parties in terms of:

7.1.     Introduction as a potential employee in a position advertised and / or identified by the client to be suitable against the individual’s specific skills, experience and / or abilities.

7.2.    A professional association or registration body that has a legitimate interest in the disclosure of personal and sensitive information in order to check, verify and / or confirm such professional registrations, qualifications and / or suitability to be placed.

7.3.    In order to comply with any requests from regulatory or law enforcement authorities to release such personal data if they so require.

7.4.    Sharing of information with other consultants within The Shortlist Careers GmbH as a company for the purposes of providing effective recruitment services in other locations.

7.5.    Where third party service providers are utilized to perform functions on behalf of the Company (in terms of internal staff for payroll and accounting purposes, for clients in terms of invoicing and billing and for referencing where so deemed required – with consent).  These third parties could include lawyers, auditors and accountants, technical support functions and IT consultants carrying out testing and development work on our IT systems.  All parties are duly under agreement with the Company which contains confidentiality clauses, standard clauses, safeguarding clauses and breach processing.

 

8. Transfer of Information Internationally / Across borders

The company has worked and operated as a global recruitment agency to various clients, including businesses and individuals in Europe, United Kingdom, Singapore, USA, Netherlands, etc.

Our databases are located in Germany and upon receipt of personal information, we ensure that explicit consent is obtained for the transfer of any data to clients, individuals or third parties with the purpose, safeguards and security measures in place to protect and manage such transfers quickly and securely.

We explicitly undertake and ensure that security measures are in place for the transfer of information across borders, in that Data Sharing Agreements are duly in place with any processors or receivers of such data outside of the EU, and that transfers are made to only those countries where sufficient data protection regulations are duly in place to safeguard such information, aligned to the legislation of the EU.

9. Management and Security of Personal data

The company takes safeguarding extremely seriously and, as a Data Processor and Controller, has put in place and is duly following the key principles set out by legislation:

9.1.     Processing information in a lawful, fair and transparent manner;

9.2.     Only collecting information for specified and legitimate purposes, without excessive processing or gathering of information that is not required or is without purpose;

9.3.     Information that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

9.4.     Accurate and up to date information, for which reasonable steps are taken to ensure that personal data is duly updated and accurate at all times;

9.5.     Retained for no longer than is necessary for the purposes for which the personal data are processed;

9.6.     Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and

9.7.     The company shall be responsible for, and be able to demonstrate, compliance with the principles.

 

10. Retention Period

The company will retain personal data during the recruitment process, after which unsuccessful candidates’ information is immediately destroyed and / or deleted from any system or platform.

Information of candidates that have gone through vetting and / or shortlisting is retained for a period not exceeding 18 months, which is duly outlined and in line with the company terms and conditions on replacement of candidates with clients.

Internal records pertaining to staff members and clients are duly retained against statute in terms of 10 years for financial records and 6 years for any commercial letters and correspondence.

Where a data subject requests or exercises his / her right to request deletion or destroying of any information, such request will be managed in terms of the statutes and / or obligations placed upon the Company by law to retain or destroy.

11. Data Maintenance

The company acknowledges that it is its responsibility to ensure that accurate information is gathered, stored and processed at all times, and duly requests individuals to ensure that the company is updated, or remains updated, with any changes to information that is deemed important through engagements.

12. Privacy Notices

Each individual that is engaged with the Company is required to note and agree to the respective Privacy Notices as outlined. These include the website privacy notice, candidate privacy notice and / or any other notice that is deemed important to the Company.

12.1. Job Alerts – Emails

Any person engaging via job alerts will be prompted to opt in in order to receive notices of positions and / or updates to any opportunities.

An individual has the right to opt out at any time and / or request the company to delete or amend the decision to opt in.

12.2. Aggregate Information – Website

The company has the right to gather statistics in terms of website visitors, clicks and / or worldwide interests.  Such statistics are gathered through acceptance of cookies and notices that are provided for when entering the website.

12.3. Cookies

A cookie is a simple text file that is stored on your computer or mobile device by a website’s server. Each cookie is unique to the respective web browser. It will contain some anonymous information, such as a unique identifier and the site name.

The Company will utilize ‚analytical‘ cookies where deemed required, in order to enable and record the performance of the website.

More information about cookies can be found here:  https://www.allaboutcookies.org/

13. Individual Rights under GDPR

In terms of the GDPR, a data subject has certain rights to which the Company has listed a few (but not limited to):

13.1.  The right for access to data and data portability

The right to view, receive or obtain any personal data previously provided to the company, in a structured and readable format.

The right to request such information to be transmitted to another data controller in terms of:

13.1.1. The processing is based on the data subjects’ consent or a contract; and

13.1.2. The processing is carried out by automated means.

13.2.     The right to have data rectified

Rectification of inaccurate information or incomplete information may be requested by the data subject themselves.  If the Company has provided information to a third party, such party will be informed of any amendments to the information.

13.3. The right to have information deleted or destroyed

This right is associated and aligned with the legislative or statutory indications depicted or referenced under clause 10.

Alternatively, and notwithstanding such clauses, the data subject may request the total deletion and / or destruction of information from the Company database if and when such data subject is an unsuccessful candidate and is not deemed eligible for future consideration or does not want to be considered for future placements.  Explicit written consent is required in terms of such request.

Internal staff and / or clients, suppliers or contractors will be subjected to the law in terms of 10 years and / or 6 years respectively with deletion requests being considered in terms of Governance and compliance.  Deletion and / or destruction may be rejected under law.

13.4. The right to lodge a complaint

A data subject has the right to lodge a complaint with the company at any time, also referred to as Data Subject Access Request (SARs) or DP complaint.

Upon receiving a claim, the company will cease any and all processing and institute an investigation into the complaint details and merits, upon which a thorough report will follow to the data subject and / or complainant.

Where such complaint is deemed or found without merit, such processing will be reconvened with notice to the data subject.  Each data subject has the right to submit a formal complaint to government or regulator.

14. Enforcement of rights

All requests regarding individual rights should be sent to the person whose details are listed at the bottom of this policy document.   The company shall act upon any data subject access request (SAR), or any request relating to rectification, erasure, restriction, data portability or objection or decision-making processes or profiling within one month of receipt of the request.

Where the Company deems such request as complicated, it may extend the period by a further month, where necessary.

In terms of the law, the company has the right to reject and / or refuse the SAR where it is deemed to be excessive, unfounded or repetitive in nature.

15. Changes to this Privacy Policy

The company will review and amend this Policy at any time if and when deemed required by or with the impact of changing legislation and / or the company outlook.

16. Implementation of Policy

This Policy shall be deemed effective as of 01 September 2022 (last review date).

17. Contact

You can contact our Data Protection specialist by email using this address: drina@entreprenor.uk