As of May 23, 2018
AppleSearch values your privacy. This privacy notice explains what data we process and why we do so, in addition to clarifying what you as a client or candidate may expect in terms of data privacy.
In this notice, we use the following terms, the meanings of which are clarified below:
“Client” refers to our clients and their employees who have consulted with us in order to search for and recruit qualified candidates. The term also refers to persons and organisations considered by us as potential clients and either (a) have approached us for the purpose described above or (b) are identified by us as potentially in need of our services now or in the near future.
“Candidate” refers to any candidate or potential candidate being considered or evaluated by us through the search and recruitment services that we provide on behalf of our clients.
“Data” refers to any information relating to an identified or identifiable natural person, as defined by EU Regulation 2016/679 (“the General Data Protection Regulation,” “GDPR”), Chapter 1 (Art. 4). The terms “data” and “information” are used interchangeably in this notice.
“Processing” refers to any operation or set of operations performed on personal data or sets of personal data, as defined by the General Data Protection Regulation, Chapter 1 (Art. 4).
Data Processing – What, Why and How
We process information on the basis of our legitimate business interests as an executive search firm, except where those interests are overridden by your interests and fundamental rights as a data subject.
1. Client Data
We process information provided by you in order to develop and maintain a business relationship with you and to fulfill our contractual obligations towards you. Generally, your contact details, along with notes and records of our contact history, are sufficient for this purpose.
Where appropriate and in accordance with legal requirements, we may process information about you or your colleagues from other sources, usually for the purpose of market intelligence and due diligence. These sources include online and offline media, attendee lists at relevant events and/or third-party sources.
2. Candidate Data
Candidate data consists of data submitted by you, data collected from third parties and data provided to us by our clients.
Data submitted by you: When you speak to or are otherwise in contact with us, you may provide us with personal information by, for example, submitting to us your CV or speaking with us in connection with our services. The data you provide typically includes your:
• Contact details: such as your full name, email address, job title, name of your employer, postal address and telephone number
• CV information: such as your employment history, educational history, qualifications and certifications, and other skills such as languages spoken or technical aptitudes
• Personality profile: such as your hobbies, behaviour and character traits
• Other information: such as your performance history and compensation details. We also retain records and notes of our contact history with you.
Data collected from third-party sources: We may process information about you from third-party sources for the purpose of market intelligence and due diligence. Such sources may include, but are not limited to, referees and publicly available third-party sources such as news reports and social media. We collect such information only when appropriate, and we take steps to ensure that third parties are legally permitted to disclose it.
Data provided by our clients: In certain cases, our clients may provide us with information about candidates. For example, our clients may provide us with information about a candidate or candidates whom our clients would like us to get into contact with and evaluate on their behalf. In these cases, it is our client who controls what data we process and how we process it, and accordingly, you should get in contact with our clients if you have privacy-related questions or concerns. We note, however, that we are not responsible for the privacy policies of our clients, and this privacy notice does not apply to the privacy- and data protection -related practices of our clients.
We process candidate data in order to effectively match the needs of our clients with your skills, aptitudes and experience, where appropriate. Accordingly, we may disclose your data to our clients so that they may evaluate you as a candidate, but only with your consent.
We may also disclose data to our clients when under contractual obligation to do so, or when a client requests such data to enable them to comply with their own legal requirements. We will do the above only with your consent unless required or authorized by law to do so without your consent.
3. Source and Referee Data
In the case of sources and referees, the data is typically contact information, and we use these details to contact you in order to obtain your opinion or to gather information about candidates. We may also process your contact details to inform you of any service of ours that may be of interest to you as a potential client or candidate. As in the case of clients and candidates, we keep notes and records of our contact history with you.
Legal Basis for Data Processing
In accordance with the General Data Protection Regulation, the grounds upon which we process your data are as follows:
1. Necessary for the purposes of our legitimate interests
We typically process data on the basis that such processing is necessary for us in the context of our legitimate business interests. Our legitimate business interests consist of our ability to provide our services as an executive search firm. It also includes our ability to inform clients and candidates about our services. We process data on this basis only so long as your rights and interests as a data subject are not overridden by our data processing.
2. Necessary for contractual purposes
In order to fulfill a contractual obligation towards you in providing our services, or in order to enter into a contract with you upon your request, it will be necessary for us to process your personal data.
3. Necessary for legal compliance
We may process your data in order to fulfill legal requirements. We may also disclose your data to regulatory or law enforcement agencies if we are required by law to do so.
In some cases, where we intend to process your data in a particular way, we may ask for your consent. If you offer your consent, you may withdraw your consent at any time.
How Long We Keep Your Data
The duration of our data retention depends on the services we perform for you and the duration of time that you require us to perform these services. In the case of candidates, our services are often performed on an ongoing basis, potentially lasting many years, as we often help to place candidates, or evaluate their suitability for placements, throughout their careers. Therefore, the purpose for which we retain candidate data is generally ongoing.
In cases of data other than that pertaining to candidates, the duration of data retention will likewise depend on whether a legitimate business interest of ours continues to be served by our processing of such data, so long as your rights as a data subject do not override these interests.
How We Store Your Data and Who Has Access
Your data is stored on cloud servers in the United States, and access to your data is limited to employees and agents of AppleSearch, as well as our clients. We disclose candidates’ information to clients who have open employment positions in which a candidate may be interested. We disclose CVs only with the consent of a candidate.
You may invoke all rights as a data subject accorded to you under Regulation (EU) 2016/679 (General Data Protection Regulation), Chapter 3 (Art. 12 – 23). Please note that we must verify your identity before we are able to act on any rights-related request. This means that we must have evidence of your identity. Questions and requests may be submitted to us using the contact details given in the Contact section of this notice.
Your rights as a data subject include those described below. For further details, please refer to the text of the Regulation in question.
1. Right of Access
You have the right at any time to be informed of what data we hold about you and to ask for a copy of the data. Where appropriate, depending on whether GDPR permits it, we may refuse your request, either in whole or in part. If we do this, we will provide you with our reasons for doing so.
2. Right of Correction or Completion
If the data we have about you is incomplete, out-of-date or otherwise inaccurate, or if you believe that it is, you may ask that we edit this data so that it is complete, up-to-date and accurate.
3. Right of Erasure
You may ask at any time that we erase your data. In general, we will make every effort to comply with such a request. However, it may be that a legitimate business interest of ours, a legal requirement or a contractual obligation precludes us from doing so. The conditions that require our compliance with a data-erasure request are provided in Regulation (EU) 2016/679 (General Data Protection Regulation), Chapter 3 (Art. 17).
4. Right to Object
In some cases, you have the right to object to our processing of your data by contacting us using the details given in the Contact section of this notice. For instance, if you find that our legitimate interests are insufficient to override your rights and interests as a data subject. In all cases, you have the right to object to our use of your data for direct marketing purposes, and we are obliged to comply.
5. Right to Restrict Processing
You have the right to ask us to restrict the processing of your data. For instance, you may have concerns about its accuracy and you may ask us to restrict its processing until we have verified its accuracy.
6. Right to Data Portability
You have the right to request a machine-readable and structured copy of your data and the right to transfer that data to a third-party organization. This right only applies to data that you have provided to us and which is processed by automated means.
You may direct privacy- and data protection-related requests, questions and concerns, including any invocations of your rights, to Michael Levy Florescu (Data Protection Officer), using the following contact details:
Michael Levy Florescu
You are also entitled to lodge a complaint at the Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) at their telephone number +40.318.059.211 or through their website http://www.dataprotection.ro.