Privātuma politika

PRIVACY POLICY

NO-CV cares about your privacy, so we have created this document that explains how we handle your data. If you still have additional questions after familiarizing yourself with it, do not hesitate to contact us directly at the contacts listed below.

ESSENTIAL INFORMATION IN BRIEF

Data Controller:

UAB NO-CV legal entity code: 305341396, address Domininkonų st. 11, Vilnius, Lithuania (hereinafter referred to as “Company”, “we” or “NOCV”)

Main purposes of data processing:

• Provision of services to legal entities;
• Candidate selection and presentation to a potential employer (profiling);
• Direct marketing (send newsletters, make offers, conduct market research);
• Administration of requests.

Your rights as a data subject: to know what data about you is processed; demand correction of inaccurate data; require the transfer of data to another manager; object to data processing; object to data processing or withdraw your consent at any time; require the destruction of data; demand to limit their processing and the right to submit a complaint to the State Data Protection Inspectorate at [email protected].

Profiling: We inform you that we carry out profiling based on candidates’ CV data, experience and other professional abilities. This profiling does not have any negative impact on the applicant as a data subject. If you object to your data being processed by our algorithm and presented to a potential employer, be sure to inform us, BECAUSE YOU HAVE THE RIGHT TO OBJECT DECISIONS MADE ONLY BY AUTOMATED MEANS.

More information can be found below.

CHAPTER I

GENERAL PROVISIONS

1. This NO-CV UAB Privacy Policy (hereinafter – the Policy) regulates the purposes of personal data processing of natural persons whose data is processed by the Company, establishes the procedure for exercising their rights, and regulates the application of personal data processors.

2. This Policy is prepared based on:

2.1. by the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter – ADTAĮ);

2.2. EU General Data Protection Regulation (hereinafter – GDPR);

2.3. by the Law on Electronic Communications of the Republic of Lithuania (hereinafter – ERĮ);

2.4. other legal acts related to the processing and protection of personal data.

3. This Policy applies to the Company’s automatic processing of personal data of natural persons, as well as manual processing of systematic personal data sets. This Policy also determines the rights, duties and responsibilities of the Company’s employees in relation to the processing of personal data.

4. The term “Mobile application” used in the policy means the mobile application NO-CV administered by the Company and the online platform (website) related to this application, which together are intended to provide services to persons looking for work (“Candidates”).

CHAPTER II

PURPOSES OF DATA PROCESSING

a. Candidate account creation and administration

In order to submit your details as a Candidate through our managed app, you must first create your account. When creating an account and administering it, the Company processes the following data of persons (Candidates) who wish to participate in the job selection process or use the Company’s selection services: name, surname, gender, work experience, abilities, language, email address, phone number, address, CV, nature of the job sought, date of birth, education, other details specified in the documents submitted to the Candidate Company. In the event that the legal acts of the Republic of Lithuania provide for additional restrictions on the type of information about Candidates that can be processed, we ensure that only those Candidates’ personal data that are allowed to be processed are processed. Sensitive data is not processed unless the Candidate chooses to provide this data about himself.

The basis of data processing is the execution of the End User License Agreement.

The data processed for this purpose will be stored until the date of deletion of the Candidate’s account or, if the account has been inactive for more than 2 years, it will be deleted automatically. We will notify you twice before deleting your account.

Data subjects themselves provide their personal data. In specific cases, data may be obtained from third parties, e.g. when Candidates make a purchase, data is received from payment service companies or, when logged in with a Google or Facebook account, data is received directly from these companies.

Candidate data is shared with potential employers. In other cases, the data may be transferred if it is necessary according to legislation or during the legal procedures of the merger/acquisition of the Company.

b. Provision of services to legal entities.

Candidate search and selection services are provided to legal entities (potential employers). In order to receive these services, you need to register in our app, where a responsible employer representative creates a dedicated account. With this account, the NO-CV algorithm provides the employer with a list of ranked candidates in order of priority. Information is selected and presented in a convenient list form with the status assigned next to it: “Matching” – persons who meet the criteria of the job position; or “Applied” – persons who have applied for the employer’s job position.

The basis of data processing is the execution of the End User License Agreement.

The data processed for this purpose will be stored until the date of deletion of the employer’s account or, if the account has been inactive for more than 2 years, it will be deleted automatically. We will notify you twice before deleting your account.

Data of employers and their representatives may be transferred to potential Candidates. In other cases, the data may be transferred if it is necessary according to the legislation or during the legal procedures of the merger/acquisition of the Company.

c. Candidate selection and presentation to a potential employer (profiling)

NOCV has created a modern tool that speeds up the search for employees and increases the chances of applicants to be noticed. The NO-CV algorithm provides the employer with a list of ranked candidates in order of priority. Information is selected and presented in a convenient list form with the status assigned next to it: “Matching” – persons who meet the criteria of the job position; or “Applied” – persons who have applied for the employer’s job position. This selection of Candidates is carried out in an automated manner and is based on the analysis and matching of the information provided by the Candidate (education, work experience, salary payment and others) with the need identified by the employer.

The purpose of data processing is to find the most suitable candidates and present them to a potential employer.

The basis of data processing is the execution of contracts with the Candidate and potential employer. Data required for profiling are stored until the Candidate deletes his account, or if his account is inactive for more than 2 years.

Data generated during profiling is provided to potential employers.

The data is stored in the Company’s databases, to which the companies providing IT services to the Company have access UAB Baltneta (data storage), UAB Mediapark (development and maintenance of mobile applications), MB Skaitmenos grupė (website maintenance).

d. Direct marketing (send newsletters, make offers, conduct market research)

For direct marketing purposes, the Company processes only the email address.

Data processing is based on consent.

Data subjects provide their personal data to the Company themselves by filling out the newsletter order form on the website.

The term of data storage is 3 years after the day of consent, unless consent is revoked earlier.

The data is stored in the Company’s databases, to which the companies providing IT services to the Company have access UAB Baltneta (data storage) and UAB Mediapark (development and maintenance of the mobile application), MB Skaitmenos grupė (website maintenance), MB Instaakademija (sending newsletters).

The Company does not knowingly process the data of minors for this purpose, but when collecting data for direct marketing purposes, the Company does not check the age of the data subjects, as this would be treated as excessive data collection.

DATA SUBJECTS HAVE THE RIGHT TO NOT CONSENT TO THE PROCESSING OF THEIR DATA FOR THIS PURPOSE WITHOUT SUFFERING ANY NEGATIVE CONSEQUENCES, AND IF CONSENT, THEY MAY WITHDRAW SUCH CONSENT AT ANY TIME BY NOTIFYING US IN ANY MANNER CONVENIENT TO THEM.

e. Administration of requests

For the purpose of administration of requests, the company processes the following data of natural persons who apply: name, surname, language, email address. The company may also process other data directly received from the data subject and necessary for the investigation, administration or evaluation of the request, inquiry or complaint.

The basis of data processing is the legitimate interest of the Company – to provide high-quality customer service and to solve the problems that have arisen.

The data is stored no longer than 1 year after the date of receipt of the request (taking into account the limitation period of the consumer complaint).

The data is not transferred to any data recipient for this purpose.

CHAPTER III

RIGHTS OF DATA SUBJECTS AND THE PROCEDURE FOR THEIR IMPLEMENTATION

Data subjects have the right:

a. to know (be informed) about the processing of their personal data.

b. by submitting to the Company a document confirming the identity of the person or by electronic means that allow the proper identification of the person – to get acquainted with his personal data and their processing, to receive information from which sources and what specific personal data are collected, for what purpose processed, recipients at least during the last 1 year, additionally – to receive copies of documents containing their personal data;

c. to require correction, deletion or limitation of personal data, except for storage, when the
processing violates the requirements of legal acts;

d. do not consent to the processing of their personal data;

e. to request the transfer of data to another data controller or to provide them directly to the data subject in a form convenient for the data subject (such data is provided to the Company by the data subject himself);

f. submit a complaint to the supervisory authority;

g. withdraw consent (if personal data is processed on the basis of consent).

In all cases, the Company must provide the data subject with information (unless the data subject already has such information) about:

• Company name, legal entity code and registered office;
• for what purposes and legal grounds are the personal data of the data subject processed;
• data recipients and their categories;
• the period for which the data will be stored, or the criteria used to determine that period;
• other additional information (what personal data the data subject must provide and the consequences of not providing data, about the data subject’s right to access his personal data and the right to correct incorrect, incomplete, inaccurate personal data) to the extent necessary to ensure proper processing of personal data without violating rights of the data subject;
• the transfer of personal data to third parties no later than at the time of the first data submission and if the data subject did not know that the data would be transferred to another party.

The procedure for implementing the rights of data subjects. The company undertakes:

• enable the data subject to exercise the stated rights of the data subject, except for cases provided for by law, when this is necessary to ensure national security or defense, public order, crime prevention, investigation, disclosure or prosecution, important economic or financial interests of the state, official or professional ethics prevention of violations, its investigation and determination, protection of the rights and freedoms of the data subject or other persons;
• DATA SUBJECTS TO EXERCISE THEIR RIGHTS SHOULD CONTACT THE COMPANY AT THE FOLLOWING CONTACTS: [email protected]
• The Company must ensure that all necessary information is provided to the data subject in a clear and understandable manner.
• The response must be sent to the data subject no later than within 20 (twenty) working days from the date of receipt of the request. If the data subject is refused access to the data, he is provided with a reasoned and reasoned response regarding the non-fulfillment of his request.
• The Company immediately informs the recipients of personal data that have been corrected or destroyed at the request of the data subject, the processing of personal data has been stopped, unless providing such information is impossible or too complicated (due to a large number of data subjects,
  data period, irrationally high costs). In this case, the State Data Protection Inspectorate must be notified immediately.
• The Company provides the data to the data subject free of charge. In certain cases (when the data subject clearly abuses his rights, unreasonably repeatedly submits requests for information, extracts, documents) for such provision of information and data, the data subject may have to pay compensation in accordance with the requirements of legal acts and the rates set by the Company.

CHAPTER IV

ORGANIZATIONAL AND TECHNICAL PERSONAL DATA PROTECTION MEASURES

The Company makes all reasonable efforts to ensure that the Company’s organizational and technical data security measures comply with GDPR requirements. In order to protect personal data from an accidental or unlawful destruction, alteration, disclosure or any other unlawful processing, the following infrastructural, administrative and telecommunication (electronic) measures are taken:

• Appropriate placement and maintenance of hardware equipment, maintenance of information systems, network management, ensuring the security of Internet use and other information technology measures:
• access to data and the right to perform data processing operations are granted only to the Company’s employees or subcontractors who need access to personal data in the performance of duties and work functions or services provided;
• ensure the security of premises where personal data is stored (only authorized persons can enter the relevant premises).
• if a computer or electronic communication device is assigned to a specific employee, such
  computer/electronic communication device(s) must be password protected. Passwords must be changed periodically, as well as in certain circumstances (changes of employees, a threat of hacking, a suspicion that the password has become known to third parties, etc.)
• the protection of personal data against unauthorized access to the internal computer network by means of electronic communications is ensured.
• strict compliance with the safety standards set by the safety office;
• proper organization of work and other administrative measures;
• the necessary data security measures are implemented taking into account the results of the risk assessment;
• data backup and recovery;
• ensuring that data is restored from the latest available backups in the event of data loss due to hardware failure, software error or other data integrity breach;

Company employees or subcontractors handling personal data must adhere to the principle of confidentiality and keep any important information they come across in the course of their duties confidential. This obligation also applies after transferring to another position in the Company or ending the employment or contractual relationship with the Company.

Company employees or subcontractors can process personal data automatically only after gaining access to the relevant information system. Access to personal data can only be granted to the person who needs the personal data to perform the functions. Upon termination of employment, the employee’s rights to access registers and other programs are revoked.

Company employees or subcontractors may transfer documents with personal data only to Company employees or subcontractors who have the right to work with personal data according to duties or separate assignments.

Company employees or subcontractors performing data processing functions of the data subject must prevent accidental or unauthorized processing, properly and safely manage accounting (avoid unnecessary data storage of the data subject, etc.). Copies of documents containing data subject data are destroyed in such a way that the content of such documents cannot be recovered and identified.

Company employees or subcontractors whose computers store data or whose computers have access to the Company’s information systems where data is stored must use passwords on their computers; “Guest” user accounts in such systems, i.e. accounts without a password are prohibited. These computers also require a screen saver with a password.

Unless absolutely necessary, data files should not be copied digitally, i.e. to local computer drives, removable media, remote file storage, etc.

Security control and deletion of personal data contained in external data carriers and e-mails after their use is ensured by transferring them to databases.

Company employees or subcontractors must organize their work in such a way that the access of other persons to the processed personal data is limited as much as possible. This provision is implemented:

• without leaving documents with processed personal data unattended or a computer that can be used to open files with personal data so that the information contained in them can be read by employees who do not have the right to work with specific personal data, students or other persons;
• protecting documents in such a way that they (or their fragments) cannot be read by random persons;
• if documents with personal data are transferred to other Company employees, departments, branches,
  offices, subcontractors through persons who do not have the right to process personal data, or by mail or courier, they must be transferred in a sealed opaque envelope. This section shall not apply where such communications are made in person and in confidence.

CHAPTER V

DATA TRANSFER OUTSIDE THE EU

The company currently processes data without sending data outside the EU/EEA. If the business situation changes and there is a need to provide data to third parties, we would ensure that the data is sent to a country that has the adequacy recognition of the EU Commission, or that the EU Standard Contractual Terms or another GDPR-approved mechanism is applied.

CHAPTER VI

FINAL PROVISIONS

Changes or additions to the Policy are announced on the Company’s websites or in the Mobile Applications environment.

Last reviewed in 17 February 2022.