Personal Data Protection Notice

 

Personal Data Protection Notice

Last updated: April 2024

Introduction

Tom&Co (hereinafter "Tom&Co", "company", "we", “us” or “our”) attaches great importance to the protection of personal data and undertakes to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 ("GDPR") as well as any other applicable laws and regulations.

Scope

This personal data protection notice (‘’Notice’’) explains how Tom&Co, in its capacity as data controller, collects, uses, shares and otherwise processes your personal data as part of your relationship with us as a candidate applying for a job offer, in accordance with applicable laws and regulations on the protection of personal data.

Update

This Notice will be reviewed on a periodic basis. Any changes to this Notice shall be approved by Tom&Co. The latest version of this Notice will always be available on our website.

Categories of personal data processed

The term “personal data” means any information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.

We collect the personal data that you include in your application when you send us an unsolicited application, apply for an existing job offer or are contacted by a Tom&Co consultant to fulfill recruitment or hiring needs of Tom&Co or those of a company having a contractual relationship with Tom&Co:

  • Identification data such as last name, first name, title, nationality, a copy of your identity card (if applicable), or the identification code if your application has been recommended by one of our employees;
  • Contact details such as postal address, e-mail address, phone number;
  • Professional data such as current position, work experience, skills, education, CV and cover letter;
  • If applicable, information relating to offences, namely the extract from your criminal record;
  • If applicable, information relating to your disability situation or your professional reclassification for an adapted position.

In addition, you may be likely to take one or more tests, namely a logical reasoning test, motivation test and/or personality test using the AssessFirst tool. The skills evaluated during these tests always have a direct link with the position to which you are applying. The hiring decision belongs exclusively to Tom&Co.

AssessFirst acts as a full-fledged data controller. To learn more about the processing of your personal data by AssessFirst, please consult their personal data policy: https://www.assessfirst.com/fr/politique-relative-aux-donnees-a-caractere-personnel/

Finally, you may be invited to answer to a series of preselected video questions.

In any case, only the personal data strictly necessary for the processing of your application are processed and do not include special categories of data such as political opinions, religious beliefs or health-related data.

We also collect data from:

  • References (i.e., your former employers) that you have designated, from whom we collect the following categories of data: name, previous periods of employment, performance during the previous employment;
  • Publicly accessible sources, such as LinkedIn and other job boards, from which we collect name, email address, academic and professional background, as well as other relevant data appearing on your profile.

If you are invited to an interview, it usually takes place by phone or videoconference in order to simplify communication and avoid unnecessary travel. As a rule, the final interview takes place on premises.

Legal bases and purposes of processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.

We process your data for the following purposes:

 

Legal bases

Purpose

Execution of pre-contractual measures or legitimate interest

Processing of applications received (registration, entry of information into the database...)

Contractual execution

Retention of CVs of unsuccessful candidates for the purpose of contacting them for future employment opportunities at Tom&Co or a company with which Tom&Co has a contractual relationship for recruitment purposes and which could potentially be interested in these candidates

Legitimate interest or legal obligation

Criminal record check, if applicable

Legitimate interest

Assessment of the qualifications and skills necessary to perform the job to which you are applying (tests, deferred video interview ...)

Execution of pre-contractual measures or legitimate interest (depending on the stage of the recruitment process)

Conducting interviews, including video interviews

Legitimate interest and / or execution of a contract or pre-contractual measures, depending on the stage of the recruitment process at which the communication takes place

Communication regarding the hiring process (emails, phone calls, texts)

Consent: We will only contact your former employers if you give us your explicit consent

Reference checks, if applicable

 

When we process your data on the basis of your consent, you have the right to withdraw your consent at any time by contacting us as indicated below. It should be noted that the withdrawal of your consent does not affect the legality of the data processing based on the consent before its withdrawal.

Recipients of personal data

To achieve the purposes listed above, the data is transferred to the following recipients:

  • The employees involved in the recruitment process;
  • Companies that have a business relationship with Tom&Coand may be interested in your profile;
  • Third-party service providers acting as sub-processors and on instructions from Tom&Co.

In this case, a contract is established between Tom&Co and the sub-processor in question and appropriate technical and organizational measures are put in place in accordance with Articles 28 and 32 of the GDPR. Tom&Co only uses sub-processors with sufficient guarantees and who are imposed the same obligations.

As a general rule, no data is transferred outside the EU/EEA. Nevertheless, when a third-party service provider processes data outside the EEA as part of the provision of services, appropriate measures, usually in the form of standard contractual clauses, are put in place.

Retention period

Your data is kept only for the duration related to the purposes pursued by Tom&Co. Thus, if your application is unsuccessful, we will keep your personal data for a period of 24 months counting from your application date. In this way, we can contact you in the event that a similar position becomes vacant and for which you may be an interesting candidate.

In addition, when you send us an unsolicited application, we consider that you consent at the same time to the storage of your data in our CV library for a period of 2 years.

Finally, we also keep your data in order to prove, in the event of legal action, that we did not discriminate against candidates on prohibited grounds and that we conducted the recruitment process and the pre-employment selection in a fair and transparent manner.

Security of personal data

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk so that the processing complies with the GDPR and applicable date protection laws.

These measures must provide for a level of security considered appropriate considering the technical standards and the type of personal data processed but also:

  • the state of the art and implementation costs.
  • the nature, scope, context, and purposes of processing; and
  • the likelihood and severity of the risk to the rights and freedoms of natural persons.

Security requirements are continually evolving, and effective security requires frequent assessment and regular improvement of outdated security measures. We are committed to continuously evaluate, strengthen, and improve the measures we implement.

Data subjects’ rights

As a natural person, you have several rights regarding your personal data that we can exercise in certain circumstances, including:

  • the right of access: You can request access to the data concerning you at any time as well as a copy of the data.
  • the right to rectification: You can request at any time that inaccurate or incomplete data be rectified.
  • the right to erasure: You can request that your data be deleted when, for example, the data is no longer necessary for the purposes for which it was collected or processed.
  • the right to restriction of processing: You can request that Tom&Co restrict the processing of data if, for example, you question the accuracy of the data concerning you or if you object to the processing of data concerning you.
  • the right to data portability: You have the right to have your data transferred to another data controller in a structured, commonly used, and machine-readable format, if the processing is carried out by automated means or if it is based on prior consent.
  • the right to object to processing: You can object to the processing of your data and can withdraw your consent if the processing is based on consent, for example if the data is used for commercial prospecting purposes.

If you wish to exercise your rights, please contact us at dpo@skeeled.com

Your request will be responded to within 1 month at the latest, starting from the moment of your identity confirmation. We may extend the time limit by a further 2 months if the request is complex or if we have received a high number of requests.

You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Notice. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you are not satisfied with our response, you also have the right to lodge a complaint at any time with the National Commission for Data Protection (CNPD): https://cnpd.public.lu/

Links

Our website contains links to other websites but note that this Notice applies only to personal data collected by Tom&Co and to how Tom&Co processes personal data. We are not responsible for the privacy practices of other websites.