1. Data processing Controller and contacts
1.1. The personal data processing Controller is I-Work Group Ltd. (hereinafter – Controller), the unified registration no. 50103353551, legal address Ozolciema street 42 k-2. apt. 100, Riga, LV-1058, Latvia, actual address Terbatas street 32, Riga, LV-1011, Latvia.
1.2. I-Work Group Ltd. contact address regarding data processing is firstname.lastname@example.org.
2. The purpose of data processing
2.1. I-Work Group Ltd. processes personal data for the purpose of mediatory services between Controller and data Processor, who is an employer for whose open vacancies Data Subject applies. Data Subject agrees in writing to the data processing after they have submitted their CV and/or Application letter.
2.2. In exceptional cases, Data Subjects may apply directly for the vacancies of employers through the vacancy page of www.i-work.lv/en website, where I-Work Group Ltd. no more is the Data Controller.
2.3. The goal of a Data Subject may be general seeking for a job, not associated with the actual vacancies that have been published. In this case, the Data Subject agrees that their data will be at the Data Controller’s disposal for a particular period of time or until the Data Subject informs the Controller about deletion of their data.
2.4. Data of Data Subjects that are not general job seekers, but are potential candidates for a particular vacancy, are provided to the Processor only with a written consent of the Data Subject from the Processor. The Data Subject agrees that their data are at the disposal of the Controller.
2.5. The Controller uses the data of the Data Subjects only for the purposes indicated in 2.1–2.2, with exception of the cases when information about Data Subjects is required to comply by law by the Government or security instances.
3. Description of Data Subject categories and personal data categories
3.1. Data Subjects are individual persons – job seekers, employees. The data processing is performed by the Controller, who is holder of the data, and by the Processor, who is the potential employer and a legal entity. The Controller does not disclose the data to the third parties, with the exception of cases when information about Data Subjects is required to comply by law by the Government or security instances, when consent has been received from the Data Subject to process their data further and with the normative request by the respective entity:
3.1.1. Data Subjects are individual persons, who are job seekers and voluntarily submit their data or CV by acting and applying for the job advertisements published;
3.1.2. Data Subjects are individual persons, who are potential candidates that can be registered in the data base of the Controller and have agreed that their data is collected with a purpose to find a job;
3.1.3. The information of Data Subjects is their CV or Curriculum Vitae. The Controller does not process sensitive information, thus no information is asked from Data Subjects regarding their gender, age, religion, birth and other personal data.
3.1.4. Data Subjects are Employees of the Controller, with whom work relationship has been established and a job contract has been signed.
3.2. The processing of data of the Controller is not meant for the third parties, nor is it handed over to them.
3.3. Within the current data protection policy, the Data Controller is I-Work Group Ltd., and it ensures the storage of the data of the Data Subjects and handing them over to the Processor – the employer.
3.4. The Processor is a legal entity or an individual person, who is a performer of economic activities and by whose order the Controller publishes job vacancies, seeks for candidates, performs selection and evaluation. Then information of the Data Subject is handed over to the Processor, who may process the data only within the purpose indicated in the respective service agreement between the Controller and the Processor:
3.4.1. It is forbidden for the Processor to hand over the Controller’s data about the Data Subjects to the third parties without written consent of the Data Subject based on the Processor’s agreement with another Processor about the handover of the respective data of the Data Subjects;
3.4.2. It is forbidden for the Processor to keep the data on the Data Subjects after the accomplishment of the goal or the end of the respective agreement between the Controller and the Processor. Within the context of this Policy, the data should be deleted form the Processor’s system;
3.4.3. If the Processor wants to keep the Controller’s data on Data Subjects, the Data Subject has to be asked for consent in written form.
3.5. Within this Policy, if the Controller acquires, on the basis of a contract, the data of Data Subjects that already are the data of another Controller’s Data Subjects and are offered by this Controller, then the Controller becomes the Processor of the data and is bound by the data protection and processing principles of the another Controller, on the basis of an agreement.
4. Terms for Subject data keeping and deletion
4.1. The Controller keeps the Data Subjects’, that are job seekers, information, until the goal indicated in the contract between the Controller and the Processor has been accomplished or the contest for the vacancy – ended;
4.1.1. The Data Subject’s information is deleted at the moment when the Data Subject has received the information about the results of the contest for the vacancy and has not given permission for further storage of their data;
4.1.2. If the Data Subject wants their information to be stored after the contractual obligations between the Controller and the Processor have been fulfilled, the Data Subject should give a written consent that their data can be kept for the purposes of other suitable job offerings;
4.1.3. The Data Subject at any time has the right to demand the deletion of their data, and the Controller has the obligation to delete the data from the system.
4.2. The Controller keeps the Data Subject information of their employees until the end of their work relationship and archives it afterwards according to the legislation of the Republic of Latvia and the terms of storage of personnel documentation indicated in the Law of the National Archive of Latvia.
5. The legal basis of the data processing
5.1. The legal basis for the Controller and the Processor is mutual written agreement.
5.2. A written consent of the Data Subject for the data processing.
6. Technical, safety and organizational safety measures
The Controller provides the data processing and storage using contemporary technologies and guarantees safe storage of the data.
6.1. Safety and protection of the data
6.2. The Controller implements appropriate technical and organizational measures in order to ensure the safety level that is necessary for data storage:
6.2.1. pseudonymization and enciphering of personal data;
6.2.2. secured data processing system and continuous confidentiality, integrity, availability and stability of the service, appropriate information security systems, software for safe data storage;
6.2.3. ability to restore timely the availability and access to the personal data in case physical or technical accident or interruption in operation of the systems has occurred;
6.2.4. regular technical and organizational measures to test, measure and evaluate the effectivity of data protection security in order to ensure the data processing safety;
6.2.5. the Controller ensures training for the Data Subjects that are employees regarding the data processing and the Data Subjects’ data processing.
6.3. Data protection breach and measures to prevent it
6.3.1. In case the personal data protection breach could result in high risk to the rights and freedoms of an individual person, the Controller, without unjustified delay, informs the Data Subject about the violation of personal data protection.
6.3.2. In the notification of the Data Subject, clear and simple language should be used, describing the nature of personal data protection breach.
6.3.3. The Data Subject does not have to be informed, if one of the following conditions has been fulfilled:
184.108.40.206. the Controller has implemented appropriate technical and organizational protection measures, and they are suitable for personal data affected by violation of the personal data protection, especially such measures that render the personal data incomprehensible for persons who have no authority to access the data, for example, enciphering;
220.127.116.11. the Controller has implemented further measures that ensure that the violation could not materialize further;
18.104.22.168. it would require disproportionately great effort. In this case public announcement or likewise can be used, so that the Data Subjects are informed effectively;
22.214.171.124. if the Controller has not informed yet the Data Subject about the breach of the personal data protection, the supervision authority, having weighed up the potentiality that the breach of personal data protection could result in high risk, can demand that the Controller should inform the Data Subject.
7. Other terms