This policy sets out how Mindit Consulting SRL collects and processes personal data and complies with the legal requirements as to the processing of the personal data that are applicable to entity’s business in order to guarantee and protect the natural persons’ fundamental rights and freedoms.
Mindit Consulting SRL is a company providing services for the verification of the professional profile, based on the written agreement, at the request of a possible employer of the candidate/ data subject or of the current employer, defined also as Client in the relation with Mindit Consulting SRL.
The Purpose of the Personal Data Collection and Processing
Mindit Consulting SRL collects and processes the data for the purposes of fulfilling the service agreement that it has entered into with the Client. The subject matter of the Agreement consists in the performance of services in the human resource domain, respectively the verification of professional profiles.
The Type of the Data Categories that We Collect and Process
Data related to content element: the surname and first name, the father’s initial, the date and place of birth, the email address, the telephone number, the domicile address.
Data related to purpose element: information from photocopies of the study documents, photocopies of the criminal records, data from the data subject’s CV, data on the data subject in terms of the professional experience, recommendations from the previous places of work.
Mindit Consulting SRL has taken the following measures in order to protect the data it collects:
For the purposes of complying with the related legal provisions and processing safely the personal information and data, Mindit Consulting SRL has prepared and implemented organizational and technical measures oriented to the following directions of action:
• Employing a Data Protection Officer (DPO)
• Identifying and mapping the data flows
• Storage and levels of access
• Measures of safety related to the protection of computers and access terminals, both physically and from the standpoint of the access to the data they comprise and cyberattacks
• The personnel’s training
• Providing the continuity of the data protection process
Mindit Consulting SRL uses Office 365 supplied by Microsoft, providing anti-malware protection and the security, confidentiality and the integrity are active at all the device levels. The communication with the Controller, candidate/ data subject and the third parties is provided by means of the email service, supplied by Microsoft, and the documents are stored on SharePoint, both the email service and SharePoint are part of Microsoft 365 package. Moreover, the used laptops and devices comprise active licences.
The access to the database is provided based on the user sole name and the minimum mandatory complexity password, according to the Microsoft criteria. Moreover, it is limited, as the access is provided by the platform administrator to each member, based on the level of access required for the position of each separate person.
Who Does Have Access to the Data Mindit Consulting SRL Collects and Processes?
For each separate verification a sole Mindit employee is appointed, that is to deal with all the flow required for the preparation of the verification report for the candidate’s professional profile. Such person has signed a non-disclosure clause contract, is familiar with the procedure and the regulations on the personal data security, is periodically trained to this purpose. Therefore, Mindit Consulting SRL holds the control for each separate verification.
The Data Storage Duration
The data that Mindit Consulting SRL collects and processes under the agreements of services for the verification of the candidates’ professional profiles are stored only for the duration of such agreements. Following the conveyance of the full report to the Client, all the data provided by the client for verification purposes are deleted from Mindit database. The full report will be subject to pseudonymisation following the conveyance thereof by the Client and preserved as per the agreement.
Mindit Consulting SRL’s Compliance with the Data Subject’s Rights
1. The Right to Be Informed
If it is further required that further personal data be procured in addition to those ones procured directly from the Client, and they are procured directly from the data subject, Mindit Consulting SRL undertakes to provide to the data subject at least the following information, save when such persons already holds such information:
– The identity and the contact data of Mindit Consulting SRL and the contact data of the Data Protection Officer
– The purposes for which such data are processed, as well as the legal ground of the processing
– The lawful interests that Mindit Consulting SRL pursues
– Who are the recipients or the categories of personal data recipients
– The engagement given by Mindit Consulting SRL related to the fact that it does not transfer the personal data outside the borders of Romania
In addition to the said information, in order to provide the processing transparency principle, Mindit Consulting SRL also provides the following information:
– The data preservation period or the criteria according to which such period is calculated
– The right to rectification, erasure, object, restriction
– The right to data portability
– The right to withdraw consent at any time
– The right to lodge a complaint with the Supervisory Authority
– If the request is part of a legal or contractual obligation or requirement and the possible consequences of the failure to supply
2. The Right to Intervention on Data
Any data subject has the right to obtain, during the period Mindit Consulting SRL stores such data, at request and free of charge.
a) where applicable, the rectification, the update, blocking or erasure of the data whose processing does not comply with the law, especially of the incomplete or inaccurate data;
b) where applicable, the transformation into anonymous data of the data whose processing does not comply with the law;
In order to exercise this right, the data subject will send to Mindit Consulting SRL a request to the email address email@example.com. The requester may specify in the request whether he/she desires that such information be conveyed to him/her to a certain address, that may be an email or by a correspondence service providing that the delivery is given solely personally.
3. The Right to Object
The data subject has the right to object at any time, throughout the processing, for good and lawful reasons related to its particular situation, that data referring to the data subject would represent the subject matter of a processing, save otherwise provided for by law. In case of reasoned objection, the processing cannot refer anymore to such data. In order to exercise this right, the data subject will send to Mindit Consulting SRL a request to the email address firstname.lastname@example.org . The requester may specify in the request whether he/she desires that such information be conveyed to him/her to a certain address, that may be an email or by a correspondence service providing that the delivery is given solely personally.
4. The Right not to be Subject to an Individual Decision
The data subject has the right to request and obtain the withdrawal/ cancellation/ re-evaluation of any decision taking legal effects in relation to the data subject, taken exclusively based on an automated personal data processing.
5. The Right to Data Portability
The data subject has the right to receive the personal data related to the data subject, including the professional verification report prepared by Mindit Consulting SRL under the service agreement signed with the Client and that it provided to the controller, in a structured, commonly used and machine-readable format, and has the right to transmit such data to another controller, without hindrance from Mindit Consulting SRL.
If there is a data breach, Mindit Consulting SRL, as processor undertakes to inform the agreement Beneficiary, within the shortest time possible, on any such breach.
If there is a data breach, as associate controller, Mindit Consulting SRL, together with the other associate controllers, undertakes to inform within the shortest time possible, but not later than 72 hours, the National Supervisory Authority for Personal Data Processing, on such security breach as well as on the measures that Controllers have taken in order to remedy/ prevent the negative effects.