Data Protection Policy

1. GENERAL

Background to the General Data Protection Regulation (“GDPR”):

The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1998 and supersedes the laws of individual Member States that were developed in compliance with Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.

The GDPR will apply to all controllers that are established in the EU (European Union) who process the personal data of data subjects, in the context of that establishment. It will also apply to controllers outside the EU that process personal data in order to offer goods and services to, or monitor the behavior of, data subjects who are resident in the EU.

Personal Data – Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data within the respective legislative and regulatory provisions covers ‘any data that can be used to identify a living individual either directly or indirectly’. Individuals can be identified by various means including but not limited to, their address, telephone number or e-mail address. Anonymized or aggregated data is not regulated by the provisions, providing the anonymization or aggregation of the data is irreversible.

2. INTRODUCTION

2.1. The purpose of this document is to provide a concise policy statement regarding the Data Protection obligations of HumanPower.

2.2. HumanPower needs to gather and use certain information about individuals.

2.3. This information can relate to job candidates, suppliers, business contacts, employees, clients and other people the organization has a relationship with or may need to contact.

2.4. HumanPower makes no distinction between the rights of Data Subjects who are employees, and those who are not. All are treated equally under this Policy.

2.5. This policy describes how this personal data must be collected, handled and stored to meet the company's data protection standards, and to comply with the law.

2.6. Data processing agreement with HumanPower L.L.C., Ulpiana, Imzot Nike Prela Villa 1 Prishtina 10000, Kosovo, which provides the software for processing the applicants' data. HumanPower L.L.C. processes the data on behalf of Teleperformance Germany S. à r. l. & Co. KG.

2.7. Data protection officer within the meaning of data protection laws is:
Arion Rizaj
HumanPower L.L.C.
Address: Imzot Nike Prela Villa 1
Email: [email protected]



3. DATA PROTECTION LAW

3.1. HumanPower has a legal obligation to comply with all relevant legislation in respect of data protection.

3.2. All legislation relevant to an individual’s right to the confidentiality of their information and the ways in which that can be achieved and maintained is paramount to HumanPower. Significant penalties can be imposed upon the organization or its employees for non-compliance.

3.3. The aim of this policy is to outline how HumanPower meets its legal obligations in safeguarding confidentiality and adheres to information security standards. The obligations within this policy are principally based upon the requirements of the Data Protection Act 1998 and the forthcoming GDPR, as the key legislative and regulatory provisions governing the security of person-identifiable information.

3.4. The Data Protection Act 1998 describes how organizations, including HumanPower, must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.

3.5. The Data Protection Act is underpinned by eight important principles. These say that personal data must:

• Be processed fairly and lawfully;
• Be obtained only for specific, lawful purposes;
• Be adequate, relevant and not excessive;
• Be accurate and kept up to date;
• Not be held for any longer than necessary;
• Be processed in accordance with the rights of data subjects;
• Be protected in appropriate ways;
• Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection;

4. PRINCIPLES

4.1. Our Company Data Protection Policy refers to our commitment to treat information of employees, clients, customers, job candidates and other interested parties with the utmost care and confidentiality.

4.2. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.

4.3. The goal of our data protection policy is to depict the legal data protection aspects in one summarising document.

4.4. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

4.5. Employees of our Company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered.

Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and who may need occasional access to data.

4.6. The policy will be reviewed periodically by the HumanPower Team. Where review and update is necessary due to legislative changes, this will be done immediately.

4.7. In accordance with HumanPower’s equality and diversity policy statement, this procedure will not discriminate, either directly or indirectly, on the grounds of gender, race, color, ethnic or national origin, sexual orientation, marital status, religion or belief, age, union membership, disability, offending background or any other personal characteristic.

5. POLICY SCOPE

5.1. This policy refers to all parties (employees, job candidates, customers, suppliers, clients etc.) who provide any amount of information to us.

5.2. This policy applies to:

• The head office of HumanPower;
• Employees and staff;
• All the candidates;
• All clients, contractors, suppliers and other people working on behalf of HumanPower.

5.3. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1995. This can include:

• Names of individuals;
• Postal addresses;
• Email addresses;
• Telephone numbers;
• Plus any other information relating to individuals;

5.4. This data protection policy ensures HumanPower:

• Complies with data protection law and follows good practice;
• Protects the rights of staff, candidates, clients, customers and partners;
• Is open about how it stores and processes individuals' data;
• Protects itself from the risks of a data breach;
• Protects the organization;
• Is open and honest with individuals whose data is held;
• Provides training and support for staff who handle personal data, so that they can act confidently and consistently;

6. POLICY ELEMENTS

6.1. As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, photographs, social security numbers, financial data etc.

6.2. Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.

6.3. Our data will be:

• Accurate and kept up-to-date;
• Collected fairly and for lawful purposes only;
• Processed by the company within its legal and moral boundaries;
• Protected against any unauthorized or illegal access by internal or external parties;

6.4. Our data will not be:

• Communicated informally;
• Stored for more than a specified amount of time;
• Transferred to organizations, states or countries that do not have adequate data protection policies;
• Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities)

6.5. In addition to ways of handling the data, HumanPower has direct obligations towards people to whom the data belongs. Specifically we must:

• Let people know which of their data is collected;
• Inform people about how we will process their data;
• Inform people about who has access to their information;
• Have provisions in cases of lost, corrupted or compromised data;
• Allow people to request that we modify, erase, reduce or correct data contained in our databases;

7. DATA PROTECTION RISKS

7.1. This policy helps to protect HumanPower from some very real data security risks, including:

• Breach of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

8. RESPONSIBILITIES

8.1. Everyone who works for HumanPower has some responsibility for ensuring data is collected, stored and handled appropriately.

8.2. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

8.3. The head of HumanPower is ultimately responsible for ensuring that HumanPower meets its legal obligations.

8.4. The only people able to access data covered by this policy should be those who need it for their work.

8.5. Data should not be shared informally. When access to confidential information is required, employees can request it from their manager/director.

8.6. HumanPower will provide training to all employees to help them understand their responsibilities when handling data.

8.7. Employees should keep all data secure, by taking sensible precautions and following the guidelines below.

8.8. Personal data should not be disclosed to unauthorized people, either within the company or externally.

8.9. Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.

8.10. HumanPower regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

8.11. HumanPower intends to ensure that personal information is treated lawfully and correctly.

8.12. To this end, HumanPower will, through appropriate management and strict application of criteria and controls:

• Observe fully conditions regarding the fair collection and use of information;
• Meet its legal obligations to specify the purposes for which information is used;
• Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements;
• Ensure the quality of information used;
• Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:

o The right to be informed that processing is being undertaken;
o The right of access to one’s personal information;
o The right to prevent processing in certain circumstances; and
o The right to correct, rectify, block or erase information which is regarded as wrong information.

• Take appropriate technical and organizational security measures to safeguard personal information;
• Ensure that personal information is not transferred abroad without suitable safeguards;
• Develop transparent data collection procedures;
• Build secure networks or protect online data from cyber-attacks;
• Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information;
• Set out clear procedures for responding to requests for information;

9. DATA STORAGE

These rules describe how and where data should be safely stored.

When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

• When not required, the paper or files should be kept in a locked drawer or filing cabinet;
• Employees should make sure paper and printouts are not left where unauthorized people could see them;
• Data printouts should be shredded and disposed of securely when no longer required;

When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:

• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
• Servers containing personal data should be sited in a secure location, away from general office space.
• Data should be backed up frequently. Those backups should be tested regularly, in line with the company's standard backup procedures.
• Data should never be saved directly to laptops or other media devices like tablets or smart phones.
• All servers and computers containing data should be protected by approved security and a firewall.

The location where the data processing takes place, and where the IT infrastructure is located, is the Netherlands.

The software is a customized recruitment application management system designed in PHP.
The server runs CentOS.

10. DATA USE

Personal data is of no value to HumanPower unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically.
• Personal Data should never be transferred outside of the European Economic Area.
• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.

11. SUBJECT ACCESS REQUEST

All individuals who are the subject of personal data held by HumanPower are entitled to:

• Ask what information the company holds about them and why;
• Ask how to gain access to it;
• Be informed how to keep it up to date;
• Be informed how the company is meeting its data protection obligations;

If an individual contacts HumanPower requesting this information, this is called a subject access request.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.