- Do you have a Data Protection Officer (DPO)?
- Do you process personal data and if so, of which persons?
- What personal data do you process?
- Where is personal data processed by AssessFirst hosted?
- What is the retention period for the personal data collected?
- Do you process sensitive data?
- Do you do profiling?
- Have you carried out a privacy impact assessment (PIA)?
- Is it AssessFirst or the Client who must inform users of the processing carried out?
- What is your role in the processing of personal data?
- Are AssessFirst employees trained in the protection of personal data?
- Can a Client collect, classify, store and delete Candidate’s data?
- Who are the recipients of personal data?
- Do you sell personal data?
- What is the scope of the parameters that can be set by the Client within the AssessFirst solution?
- What technical and organisational security measures are in place at AssessFirst?
- Do you use subcontractors to provide the Services?
- In the event of a data breach, does AssessFirst have an obligation to inform the persons concerned?
Do you have a Data Protection Officer (DPO)?
Yes.
AssessFirst has appointed and declared a Data Protection Officer to the CNIL (French Data Protection Authority). You can contact the DPO at the following e-mail address: privacy@assessfirst.com.
Do you process personal data and if so, of which persons?
Yes, we process personal data.
We process personal data of several categories of persons, including:
- Candidates (i.e. people who take AssessFirst questionnaires as part of their personal development, as part of a job application or as employees of our Clients in an internal mobility process)
- our Clients
What personal data do you process?
Here is the personal data that we process when people take AssessFirst questionnaires.
For Candidates:
1. Data collected that is necessary for the provision of the service:
- Identity and contact details (gender, first name, surname, e-mail, city);
- Professional data (diploma, position, sector of activity, years of experience, certifications, career level, skills and whether or not you work from home);
- Identification data (IP address in particular);
- Connection data (logs, token in particular);
- Acceptance data (click);
- Contact details (telephone number);
- Professional data (CV, cover letter, professional experience);
- Profile picture;
- Links to social networks (LinkedIn, Twitter, Facebook, Instagram).
For Clients:
1. Data collected necessary for the provision of the service:
- Identity and contact details (gender, first name, surname, e-mail, telephone number, country);
- Professional data (company, diploma, position);
- Identification data (IP address in particular);
- Connection data (e.g. logs, token);
- Acceptance data (click);
- Professional data (sector of activity, years of experience, CV, cover letter, certifications, career level, skills and professional experience);
- Profile picture;
- Links to social networks (LinkedIn, Twitter, Facebook, Instagram)
Where is personal data processed by AssessFirst hosted?
The personal data processed by AssessFirst is hosted by Amazon Web Services in France in a datacenter that meets Tier III and ISO 27001 standards, and in Ireland.
What is the retention period for the personal data collected?
1- For Candidates:
Candidates' personal data can be deleted at any time by them. By default, it is deleted 2 years from the last activity of the Candidate on his account.
2- For our Clients:
For the duration of the contractual relationship with AssessFirst, plus 3 years for the purposes of promotion and prospecting.
As AssessFirst provides a service to Candidates in parallel with the service to Clients, the Candidate account is kept until the Candidate deletes it or for 2 years after the last activity, regardless of the duration of the contract concluded with the Client.
3- Other data
Technical data is kept for a maximum of 1 year following its collection.
Do you process sensitive data?
No, AssessFirst does not process sensitive data within the meaning of Article 9 of the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation.
Do you do profiling?
AssessFirst offers psychometric questionnaires that correspond to profiling as defined by the GDPR.
Have you carried out a privacy impact assessment (PIA)?
Yes, we have carried out a privacy impact assessment (PIA) which we can send on request.
Is it AssessFirst or the Client who must inform users of the processing carried out?
AssessFirst informs the data subjects when they register for the service about the processing operations relating to the provision of the service.
The Client will inform data subjects of the processing operations relating to the management of their human resources (in particular recruitment and internal mobility).
What is your role in the processing of personal data?
AssessFirst acts as a separate data controller from its Clients for the provision of a talent management service. The data collected during the creation of the account and the completion of the questionnaires is used to provide this service and some of it is reprocessed to produce the various reports on the Candidates. Within this framework, AssessFirst determines the methods of processing the data collection, the questions and the functionalities for drawing up reports. AssessFirst thus determines autonomously, without receiving instructions from its Clients, the implementation of the service by processing the information, reprocessing it and providing the service.
Are AssessFirst employees trained in the protection of personal data?
Yes.
Staff are made aware of the issue of personal data protection.
Can a Client collect, classify, store and delete Candidate’s data?
A Client can invite Candidates to share their data with him or her. The Client may decide to delete its access to this data, and consequently no longer be able to process it. Only the Candidate can decide to modify or delete his/her data.
Who are the recipients of personal data?
AssessFirst ensures that the personal data in its care is only accessible to authorised internal or external recipients.
1. Concerning Candidates
| Internal recipients | External recipients |
|---|---|
| Authorised staff of the support service, legal services, IT services and their line managers | Clients (and end clients when a Client uses AssessFirst on behalf of an Service providers (hosting, applicant management tool -ATS-); Other Candidates (if the Candidate wishes to invite contacts to AssessFirst); Judicial authorities, court officers where applicable |
2. Concerning Clients
| Internal recipients | External recipients |
|---|---|
| Authorised personnel from the marketing department, departments responsible for handling the Client relationship, administrative departments, logistics and IT departments and their line managers | Suppliers; Candidates (recipients of Client’s email); Judicial authorities, court officials where applicable |
Do you sell personal data?
No.
We do not sell personal data to third parties. The provision of personal data to third parties only concerns our external service providers in the context of the provision of services, which are themselves subject to the same requirements under the GDPR.
What is the scope of the parameters that can be set by the Client within the AssessFirst solution?
The data collected by AssessFirst concerns the professional potential of individuals, what makes them unique: personality traits, motivational factors, ways of thinking. This information enables us to go beyond the CV and understand a person's ability to succeed and flourish in a given professional environment.
- The Client can create as many job profiles as they wish;
- The Client can modify the standard communication messages when inviting Candidates;
- The Client can integrate its logo and colours to enhance the Candidate experience;
- The Client may not modify the questionnaires offered, in order to guarantee the reliability of the measurements carried out on AssessFirst (standardised questionnaires that meet the requirements for psychometric questionnaires).
What technical and organisational security measures are in place at AssessFirst?
AssessFirst has put in place a number of organisational and technical measures to protect the personal data in its care, including:
- training employees in IT security and the protection of personal data;
- managing access authorisations for data;
- taking internal backup measures;
- managing identification processes;
- conducting security audits and penetration tests;
- adopting an information systems security policy;
- adopting a business continuity/disaster recovery plan;
- using security protocols and solutions.
Do you use subcontractors to provide the Services?
All our staff are employed by AssessFirst, which guarantees the quality and control of our Services.
However, in the context of data processing, AssessFirst uses data processors within the meaning of GDPR:
- Amazon Web Services (AWS) for data hosting, in France and Ireland.
- Brevo, for email delivery. The data is hosted in France.
AssessFirst ensures that all its relationships with its data processors are GDPR compliant, and requires them to implement strict technical and organisational security measures based on ISO 27001 standards. These measures include data encryption, strict access controls, regular internal audits and ongoing staff training.
In the event of a data breach, does AssessFirst have an obligation to inform the persons concerned?
AssessFirst undertakes to notify the CNIL within 72 hours following the discovery of a data breach.
If the said breach poses a high risk to Clients and Candidates and the data has not been protected, AssessFirst will:
- notify the Clients and Candidates concerned;
- provide the Clients and Candidates concerned with the necessary information and recommendations.