General questions on the application of the GDPR at AssessFirst

Client FAQ

  1. Do you have a Data Protection Officer (DPO)?
  2. Do you process personal data and if so, of which persons?
  3. What personal data do you process?
  4. Where is personal data processed by AssessFirst hosted?
  5. What is the retention period for the personal data collected?
  6. Do you process sensitive data?
  7. Do you do profiling?
  8. Have you carried out a privacy impact assessment (PIA)?
  9. Is it AssessFirst or the Client who must inform users of the processing carried out?
  10. What is your role in the processing of personal data?
  11. Are AssessFirst employees trained in the protection of personal data?
  12. Can a Client collect, classify, store and delete Candidate’s data?
  13. Who are the recipients of personal data?
  14. Do you sell personal data?
  15. What is the scope of the parameters that can be set by the Client within the AssessFirst solution?
  16. What technical and organisational security measures are in place at AssessFirst?
  17. In the event of a data breach, does AssessFirst have an obligation to inform the persons concerned?

Do you have a Data Protection Officer (DPO)?

Yes.

AssessFirst has appointed and declared a Data Protection Officer to the CNIL (French Data Protection Authority). You can contact the DPO at the following e-mail address: privacy@assessfirst.com.

 

Do you process personal data and if so, of which persons?

Yes, we process personal data.

We process personal data of several categories of persons, including:

  • Candidates (i.e. people who take AssessFirst questionnaires as part of their personal development, as part of a job application or as employees of our Clients in an internal mobility process)
  • our Clients

 

What personal data do you process?

Here is the personal data that we process when people take AssessFirst questionnaires.

For Candidates:

1.  Data collected that is necessary for the provision of the service:
  • Identity and contact details (gender, first name, surname, e-mail);
  • Professional data (diploma, position);
  • Identification data (IP address in particular);
  • Connection data (logs, token in particular);
  • Acceptance data (click);
2.  Non-mandatory data collected:
  • Contact details (telephone number, location);
  • Professional data (sector of activity, years of experience, CV, cover letter, certifications, career level, skills and professional experience, whether or not you work from home);
  • Profile picture;
  • Links to social networks (LinkedIn, Twitter, Facebook, Instagram).

For Clients:

1.  Data collected that is necessary for the provision of the service:
  • Identity and contact details (gender, first name, surname, e-mail, telephone number);
  • Professional data (company, diploma, position);
  • Identification data (IP address in particular);
  • Connection data (e.g. logs, token);
  • Acceptance data (click);
2.  Non-mandatory data collected:
  • Professional data (sector of activity, years of experience, CV, cover letter, certifications, career level, skills and professional experience);
  • Profile picture;
  • Links to social networks (LinkedIn, Twitter, Facebook, Instagram).

 

Where is personal data processed by AssessFirst hosted?

The personal data processed by AssessFirst is hosted in France in a datacenter operated by Amazon Web Services that meets Tier III and ISO 27001 standards.

 

What is the retention period for the personal data collected?

1- For Candidates:

Candidates' personal data can be deleted at any time by them. By default, it is deleted 2 years from the last activity of the Candidate on his account.

 

2- For our Clients:

For the duration of the contractual relationship with AssessFirst, plus 3 years for the purposes of promotion and prospecting.

 

As AssessFirst provides a service to Candidates in parallel with the service to Clients, the Candidate account is kept until the Candidate deletes it or for 2 years after the last activity, regardless of the duration of the contract concluded with the Client.

 

3- Other data

Technical data is kept for a maximum of 1 year following its collection.

 

Do you process sensitive data?

No, AssessFirst does not process sensitive data within the meaning of Article 9 of the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation.

 

Do you do profiling?

AssessFirst offers psychometric questionnaires that correspond to profiling as defined by the GDPR.

 

Have you carried out a privacy impact assessment (PIA)?

Yes, we have carried out a privacy impact assessment (PIA) which we can send on request.

 

Is it AssessFirst or the Client who must inform users of the processing carried out?

AssessFirst informs the data subjects when they register for the service about the processing operations relating to the provision of the service.

The Client will inform data subjects of the processing operations relating to the management of their human resources (in particular recruitment and internal mobility).

 

What is your role in the processing of personal data?

AssessFirst acts as a separate data controller from its Clients for the provision of a talent management service. The data collected during the creation of the account and the completion of the questionnaires is used to provide this service and some of it is reprocessed to produce the various reports on the Candidates. Within this framework, AssessFirst determines the methods of processing the data collection, the questions and the functionalities for drawing up reports. AssessFirst thus determines autonomously, without receiving instructions from its Clients, the implementation of the service by processing the information, reprocessing it and providing the service.

 

Are AssessFirst employees trained in the protection of personal data?

Yes.

Staff are made aware of the issue of personal data protection.

 

Can a Client collect, classify, store and delete Candidate’s data?

A Client can invite Candidates to share their data with him or her. The Client may decide to delete its access to this data, and consequently no longer be able to process it. Only the Candidate can decide to modify or delete his/her data.

 

Who are the recipients of personal data?

AssessFirst ensures that the personal data in its care is only accessible to authorised internal or external recipients.

1. Concerning Candidates

Internal recipients:

  • Authorised staff of the support service, legal services, IT services and their line managers

External recipients:

  • Clients
  • Service providers (hosting, applicant management tool -ATS-)
  • Other Candidates (if the Candidate wishes to invite contacts to AssessFirst)
  • Judicial authorities, court officers where applicable

2. Concerning Clients

Internal recipients:

  • Authorised personnel from the marketing department, departments responsible for handling the Client relationship, administrative departments, logistics and IT departments and their line managers

External recipients:

  • Suppliers
  • Candidates (recipients of Client’s email)
  • Authorised staff of the auditing departments (auditor, departments responsible for internal auditing procedures, etc.)
  • Judicial authorities, court officials where applicable

Do you sell personal data?

No. 

We do not sell personal data to third parties. The provision of personal data to third parties only concerns our external service providers in the context of the provision of services, which are themselves subject to the same requirements under the GDPR.

 

What is the scope of the parameters that can be set by the Client within the AssessFirst solution?

The data collected by AssessFirst concerns the professional potential of individuals, what makes them unique: personality traits, motivational factors, ways of thinking. This information enables us to go beyond the CV and understand a person's ability to succeed and flourish in a given professional environment.

  • The Client can create as many job profiles as they wish;
  • The Client can modify the standard communication messages when inviting Candidates;
  • The Client can integrate its logo and colours to enhance the Candidate experience;
  • The Client may not modify the questionnaires offered, in order to guarantee the reliability of the measurements carried out on AssessFirst (standardised questionnaires that meet the requirements for psychometric questionnaires).

 

What technical and organisational security measures are in place at AssessFirst?

AssessFirst has put in place a number of organisational and technical measures to protect the personal data in its care, including:

  • training employees in IT security and the protection of personal data;
  • managing access authorisations for data;
  • taking internal backup measures;
  • managing identification processes;
  • conducting security audits and penetration tests;
  • adopting an information systems security policy;
  • adopting a business continuity/disaster recovery plan;
  • using security protocols and solutions.

 

In the event of a data breach, does AssessFirst have an obligation to inform the persons concerned?

AssessFirst undertakes to notify the CNIL within 72 hours following the discovery of a data breach.

If the said breach poses a high risk to Clients and Candidates and the data has not been protected, AssessFirst will: 

  • notify the Clients and Candidates concerned;
  • provide the Clients and Candidates concerned with the necessary information and recommendations.