- Do you process personal data?
- Do you process sensitive data?
- How long is personal data kept?
- What is your role in the processing of personal data?
- Is AssessFirst or the Client responsible for informing users of the processing carried out?
- Do you do profiling?
- Do you make automated individual decisions?
- Where is personal data hosted?
- Who are the recipients of personal data?
- Do you use subcontractors?
- Do you sell personal data?
- Is it possible to change the confidentiality of an account?
- Can a Customer collect, classify, store and delete data about Individuals on the tool?
- What are the Client’s possible settings on the platform?
- Have you carried out an impact analysis (PIA)?
- Have you appointed a Data Protection Officer (DPO)?
- Are your employees trained in the protection of personal data?
- What technical and organisational security measures have you put in place?
- Do you have a duty to inform in the event of a data breach?
- Do users have any rights over their personal data?
- How can users exercise their rights regarding their personal data?
Do you process personal data?
Yes, we process personal data of several categories of persons and in particular:
- Individuals, i.e. people who complete AssessFirst questionnaires as part of their personal development, job application or internal mobility process with our Clients;
- our Clients.
1. For Individuals:
Data collected that is necessary for the provision of the service:
- Identity and contact details (gender, first name, surname, e-mail address, town);
- Professional data (diploma, position, sector of activity, years of experience, certifications, career level, skills, whether or not you work from home);
- Biometric data if the VOICE tool is used;
- Identification data (IP address in particular);
- Connection data (logs, token in particular);
- Acceptance data (click);
- Contact details (telephone number);
- Professional data (CV, cover letter, professional experience);
- Profile picture;
- Links to social networks (LinkedIn, Twitter, Facebook, Instagram).
2. For Clients:
Data collected necessary for the provision of the service:
- Identity and contact details (gender, first name, surname, e-mail, telephone number, country);
- Professional data (company, diploma, position);
- Identification data (IP address in particular);
- Connection data (e.g. logs, token);
- Acceptance data (click)
- Professional data (sector of activity, years of experience, CV, cover letter, certifications, career level, skills and professional experience);
- Profile picture;
- Links to social networks (LinkedIn, Twitter, Facebook, Instagram)
Do you process sensitive data?
No, AssessFirst does not process sensitive data within the meaning of Article 9 of the GDPR.
When using VOICE, AssessFirst collects the voice of Individuals in order to check that all responses come from the same Individual, without any biometric identification or authentication. In this context, voice does not constitute sensitive data within the meaning of the GDPR.
How long is personal data kept?
Individual data: it can be deleted by the Individual at any time. By default, it is deleted 2 years after the last activity on the account.
Client data: it is kept for the duration of the contractual relationship with AssessFirst, plus 3 years for promotion and prospecting purposes.
As AssessFirst provides its services to Individuals in parallel with those provided to Clients, the Individual account is kept or deleted regardless of the duration of the contract concluded with the Client.
Other data: technical data is kept for a maximum of 1 year following its collection. Cookies are kept for 13 months following their collection if they are not subject to consent, or 6 months if they are subject to the consent of the person concerned.
What is your role in the processing of personal data?
AssessFirst acts as a separate data controller from its Clients for the provision of a talent management service. The data collected during the creation of the account and the completion of the questionnaires is used to provide this service and some of it is reprocessed to produce the various reports on the Individuals.
Within this framework, AssessFirst determines the methods of processing the data collection, the questions and the functionalities for drawing up reports. AssessFirst thus determines autonomously, without receiving instructions from its Clients, the implementation of the service by processing the information, reprocessing it and providing the service.
Is it AssessFirst or the Client who must inform users of the processing carried out?
AssessFirst informs the data subjects when they register for the service about the processing operations relating to the provision of the service.
At the same time, the Client will inform them of its own processing operations relating to the management of its human resources (recruitment and internal mobility in particular).
Do you do profiling?
Yes, AssessFirst offers psychometric questionnaires that correspond to profiling as defined by the GDPR.
Do you make automated individual decisions?
No. AssessFirst does not make automated individual decisions as referred to in Article 22 of the GDPR.
AssessFirst offers a decision support tool in order to target the most relevant talent according to the Client's needs.
However, the decision to hire or promote internally rests exclusively with the Client. The tools offered on the AssessFirst website are only tools to help Clients and should not be considered as anything else. AssessFirst does not automatically sort or exclude Individuals.
Where is personal data hosted?
The personal data processed by AssessFirst is hosted on Amazon Web Services servers in ISO 27001 and Tier III certified datacenters, located in France (Paris) and backed up in Frankfurt and Ireland.
Who are the recipients of personal data?
AssessFirst ensures that the personal data for which it is responsible is only accessible to authorised recipients:
Concerning Individuals:
- Internal recipients: authorised support, legal and IT staff and their line managers;
- External recipients:
  - Clients (and end customers where a Client uses AssessFirst on behalf of an end client)
  - Service providers (hosting, emailing and any talent management tools used by Client Candidates)
  - Other Individuals (if the Individual wishes to invite contacts)
  - Judicial authorities and court officers where applicable
Concerning Clients:
- Internal recipients: authorised personnel from the marketing department, departments responsible for handling Customer relations, administrative departments, logistics and IT departments and their line managers;
- External recipients: service providers, Individuals, judicial authorities and legal auxiliaries where applicable.
Do you use subcontractors?
All our staff are employed by AssessFirst, which guarantees the quality and control of our Services. However, in the context of data processing, AssessFirst uses data processors within the meaning of the GDPR:
- Amazon Web Services (AWS) for data hosting in the EU (mainly in France).
- Brevo, for email delivery. The data is hosted in France.
requires them to implement strict technical and organisational security measures based on ISO 27001 standards. These measures include data encryption, strict access controls, regular internal audits and ongoing staff training.
Do you sell personal data?
No. We do not sell personal data to third parties. The provision of personal data to third parties only concerns our external service providers in the context of the provision of services, which are themselves subject to the same requirements under the GDPR.
Is it possible to change the confidentiality of an account?
Yes, from your account settings, click on the "confidentiality" tab. Under the heading "Choose the visibility of your profile", you can click on the option of your choice. Don't forget to save the changes you have made so that your choice is taken into account.
Can a Client collect, classify, store and delete Candidate’s data?
A Client can invite Individuals to share their data with him or her. The Client may decide to delete its access to this data, and consequently no longer be able to process it. Only the Individual can decide to modify or delete his/her data.
What are the Client’s possible settings on the platform?
The Client can create as many job profiles as they like, change the standard communication messages when they invite Individuals, or add their logo and colours to improve the candidate experience.
However, the Client cannot modify the questionnaires proposed, as they are standardised in order to guarantee the reliability of the measurements made.
Have you carried out an impact analysis (PIA)?
Yes, we have carried out a privacy impact assessment (PIA) which we can send on request.
Have you appointed a Data Protection Officer (DPO)?
Yes, AssessFirst has appointed and declared a Data Protection Officer to the CNIL. You can contact him/her at the following e-mail address: privacy@assessfirst.com.
Are your employees trained in the protection of personal data?
Yes, all our employees receive regular training on cyber security and personal data.
What technical and organisational security measures have you put in place?
AssessFirst has put in place a number of organisational and technical measures to protect the personal data in its care, including:
- training employees in IT security and the protection of personal data;
- managing access authorisations for data;
- taking internal backup measures;
- managing identification processes;
- conducting security audits and penetration tests;
- adopting an information systems security policy;
- adopting a business continuity plan and a disaster recovery plan;
- using security protocols and solutions.
Do you have a duty to inform in the event of a data breach?
AssessFirst undertakes to notify the CNIL, the French data protection authority, within 72 hours of becoming aware of a data breach.
In accordance with the conditions imposed by the GDPR, and if the said breach poses a high risk to Clients and/or Individuals, AssessFirst will notify the Clients and Individuals concerned and provide them with the necessary information and recommendations.
Do users have any rights over their personal data?
AssessFirst users have a number of rights in respect of their personal data, in accordance with the provisions of the GDPR:
- Right of access: to find out whether data relating to you is being processed, and to obtain a copy. This request can be made directly from the account settings, via the "Confidentiality" tab, then the "Right to portability" section.
- Right of rectification: to correct inaccurate or incomplete data. Certain changes can be made directly from the account settings, by clicking on the "Account" tab. Once the changes have been saved, the data will be updated automatically.
- Right to deletion: to request the deletion of your data. By deleting your account from your personal space, all the personal data associated with it is deleted.
- Right to object: to object to the processing of your data for canvassing purposes. This request can be made directly from your account settings, via the "Confidentiality" tab and then the "Marketing and commercial processing" section;
- Right to portability: to receive your data in a structured, commonly used and machine-readable format. This request can be made directly from the account settings, via the "Confidentiality" tab, under the heading "Right to portability";
- Right to limit processing: to temporarily suspend the processing of your data in the event of a dispute.
How can users exercise their rights regarding their personal data?
Data subjects can exercise their rights:
- directly from their AssessFirst account for certain rights (rectification, portability, deletion, limitation);
- by contacting our DPO:
  - by e-mail at privacy@assessfirst.com, or
  - by post to AssessFirst - 10 rue de la Paix, 75002 Paris, France.
The request must come from the person concerned. If necessary, AssessFirst may request a copy of proof of identity if there is reasonable doubt as to the identity of the person making the request.