Charte candidats Groupe Crédit Agricole Indosuez

1. DEFINITIONS

    

The following definitions apply in the Charter:

1. Personal Data : Any information relating to an identified or identifiable candidate. For example, personal data can be candidates’ contact details resume or cover letter;
2. Processing: Any operation (or set of operations) performed on personal data, including, for example, its collection, organisation, storage, modification, use, transmission, distribution or erasure;
3. Purpose: The reason for processing personal data. The purposes of personal data processing in the context of this Charter are stated in §3 below;
4. Recipient: Any natural or legal person, public authority, service or other organisation to which personal data is disclosed;
5. Controller: The entity that defines the purpose of the personal data processing and the resources used to perform said processing. The controller of processing that uses candidates’ personal data is the Group entity that is looking to recruit.
6. Processor: Any entity other than the process manage that processes personal data on behalf and at the request of the controller. A Group entity may therefore be a processor for another Group entity. For example, companies that provide IT or consulting services to the controller, or which are entrusted with HR management services, are considered to be processors.

2. WHAT ARE THE DATA PROTECTION PRINCIPLES APPLIED BY THE GROUP ?

Candidates’ personal data is processed in accordance with the following personal data protection principles:

1. Legal, fair and transparent processing: Candidates’ personal data must always be collected and processed (the for a specific purpose “legal basis”). No processing that breaches the principles defined in this Charter and the GDPR may be performed. Furthermore, clear, comprehensive and transparent information must be provided to all candidates regarding the processing of their personal data;
2. Restricted purposes: Candidates’ personal data must always be collected and processed for specific purposes determined from the outset;
3. Lean data: Only personal data that is strictly necessary in order to achieve the stated purposes may be collected from candidates. No personal data superfluous to the processing performed may be collected or used;
4. Accuracy: Candidates’ personal data must always be accurate and regularly updated. All reasonable measures must be taken to ensure that any inaccurate data is either corrected or erased;
5. Limited retention: Candidates' personal data must not be stored for longer than needed to achieve the purposes for which it was collected.
6. Security: Candidates’ personal data must be stored and processed securely and confidentially.

3. IN WHAT CIRCUMSTANCES ARE CANDIDATES REQUIRED TO PROVIDE PERSONAL DATA? WHAT IS THE LEGAL BASIS FOR THE PROCESSING OF CANDIDATES’ PERSONAL DATA?

The controller processes candidates’ personal data in order to:

1. Manage candidatures, set up the job interview and selection processes, manage recommendations and references, manage the candidate pool and pre-recruitment, and establish promise-to-hire letters and contracts.
These processing are based on candidate’s consent. A candidate’s consent must always be given freely informed and explicit (generally in writing). Candidates may decide to withdraw their consent at any time. However, doing so does not affect the validity of any processing already performed with the candidate’s consent.
2. Manage access to premises and potential video surveillance of the premises.
These processing are justified by a legitimate interest, which consists of ensuring security of goods and individuals (in the real time and afterwards). In this case, candidates may oppose certain processing involving their personal data for reasons relating to their specific circumstances (unless the data controller proves that there are legitimate and essential reasons for the processing prevail over the data subject’s interests, rights and basic liberties or for the purpose of exercising or defending their legal rights).
The processing of personal data communicated by candidates is not based on profiling.

4. IN WHAT CIRCUMSTANCES ARE CANDIDATES REQUIRED TO PROVIDE PERSONAL DATA?

Some personal data may be necessary to review candidatures by the Group. Candidates will be informed about it during the data collection process, by an asterisk or in an equivalent way.
In the case this data is not communicated, the data controller will not be able to process the candidature.

5. WHO RECEIVES CANDIDATES’ PERSONAL DATA?

For the purposes of the processing described above, candidates’ personal data may in certain cases be disclosed to a variety of recipients, including:
• Group entities,
• IT – Data processing firms, test editors, or data processors in charge of access to premises and eventual video surveillance providers.
• Recruitment agencies
Group entities acting as controllers must choose processors that provide adequate guarantees that the processing will comply with the principles of the GDPR and that the personal data will remain confidential and secure.
If a recipient of personal data is located in a country outside the European Union, the recipient must comply with local legal requirements that provide a suitable level of protection, or, for the case of companies in the United States, comply with the Privacy Shield (a self-certification mechanism recognised by the European Commission), or else provide guarantees ensuring an equivalent level of protection.
These guarantees may be in the form of the standard contractual clauses on personal data protection adopted by the European Commission (namely, a transfer agreement between the controller and a processor, stating the respective obligations upon each if personal data is transferred outside the European Union).

6. HOW IS CANDIDATES’ PERSONAL DATA SECURED?

Solutions used to store and process candidates’ personal data must satisfy the security prerequisites specified by the Group’s Information Systems department and are subject to stringent approval and audit procedures.
The Group has implemented technical and organisational measures to ensure that candidates’ personal data remains secure and confidential. These include:
§ Access control and user permissions for IT equipment used to process candidates’ personal data;
§ Ensuring the security of technical infrastructures (including workstations, networks and servers) and data (for example, backups and business continuity plan);
§ Restricting who is authorised to process personal data, depending on the purpose of the processing and the resources allocated;
§ Strict non-disclosure obligations binding the Group’s processors;
§ Rapid response procedures in the event of a security incident involving candidates’ personal data.

7. HOW LONG IS CANDIDATES’ PERSONAL DATA STORED?

The candidate’s personal data regarding the processing of candidatures’ management, mentioned in 1. of §3 is stored for eighteen (18) month after the candidate’s last contact with the Group.
Personal data collected for managing access to the premises is stored for three (3) month. Personal data collected for the management of eventual video surveillance systems is stored for thirty (30) days.
Throughout the storage period, only “need-to-know” individuals with the appropriate permissions may have access to candidates’ personal data, based on the purposes of the intended processing.
At the end of the storage period, candidates’ personal data must be either permanently erased or irreversibly anonymised.

8. WHAT RIGHTS DO CANDIDATES HAVE REGARDING THE PROCESSING OF THEIR PERSONAL DATA?

All candidates may exercise the following rights at any time:

1. Right to access: Candidates may obtain information regarding the nature, source and use of their personal data. Whenever personal data is disclosed to third parties, candidates may also obtain information concerning the identities or categories of the recipients;
2. Right to rectification: Candidates may request that inaccurate or incomplete personal data be corrected or supplemented;
3. Right to erasure: Candidates may request that their personal data be erased, particularly if it is no longer necessary for the performed processing. The controller must erase personal data promptly, except in the cases provided for in the Regulation;
4. Right to restrict processing: Candidates may request that their personal data be made temporarily unavailable to prevent its subsequent processing, for example by moving their data to a different processing system, in the circumstances defined by the GDPR .
5. Right of opposition: Candidates may oppose certain processing involving their personal data for reasons relating to their specific circumstances, except where legitimate and essential reasons for the processing prevail over the data subject’s interests, rights and basic liberties or for the purpose of exercising or defending their legal rights;
6. Right to portability: Whenever personal data is processed after obtaining the candidate’s consent or required for the performance of a contract, the candidates concerned may ask to receive their personal data provided to the controller, in a widely-used and structured electronic format. This right to portability can be exercised only if the data processing is operated under candidate’s consent.

The controller undertakes to examine requests submitted by candidates within the time limits specified in the GDPR.

9. CONTACT

To get a copy of the appropriate warranties mentioned at the paragraph 5 and to exercise the rights mentioned on the §8 , candidates may contact the Data Protection Officer.

 10. CHARTER APPLICABILITY AND AMENDMENTS

The Charter shall be applicable with effect from 25 May 2018.
The Charter is available to download from each intranet Group entity, at the following address: https://jobs.ca-indosuez.com/mention-legale.aspx.

It is liable to change, in response to regulatory or processing changes.