GDPR
INTRODUCTION
At HS GROUP SOCIEDAD DE RESPONSABILIDAD LIMITADA (hereinafter PDA) we work to offer you the best possible experience through our products and services. In some cases, it is necessary to collect information to achieve this. We care about your privacy and believe we should be transparent about it.
Therefore, and for the purposes of the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (hereinafter “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, PDA informs the user that, as data controller, it will incorporate the personal data provided by users in an automated file.
Our commitment begins by explaining the following:
Your data is collected so that the user experience is improved, attending to your interests and needs.
We are transparent about what data we collect about you and why we collect it.
Our intention is to provide you with the best possible experience. Therefore, when we use your personal information, we will always do so in a compliant manner, and when necessary, we will ask for your consent.
We understand that your information belongs to you. Therefore, if you choose not to give us permission to process it, you can ask us to stop processing it.
Our priority is to ensure your security and to process your data in accordance with European regulations.
For more information about the processing of your data, please see the different sections of the privacy policy below:
Responsible for the treatment
Owner: HS GROUP SOCIEDAD DE RESPONSABILIDAD LIMITADA – NIF: 30-70987001-0
Registered Address: Calle Paraguay 647, Piso 4 Dpto 17
Telephone: +54 11 47172900
Website: www.pdainternational.net
If you have any questions, doubts or suggestions regarding how we use your personal data, you may contact the Privacy Officer at gdpr@pdainternational.net
1. DEFINITIONS
The data protection declaration of the PDA is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration must be readable and understandable for the general public as well as for our customers and business partners. To ensure this, the terminology used will first be explained.
In this data protection declaration, we use, among others, the following terms:
- Personal data: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data subjects: The natural persons who are the owners of the data that are the object of the processing.
- Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, adjustment or combination, restriction, erasure or destruction.
- Controller: The natural or legal person, public authority, agency or any other body which, alone or in collaboration with others, determines the purposes and means of the processing of personal data.
- Processor: A natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
- Recipient: A natural or legal person, a public authority, an agency or any other body to which personal data are disclosed, whether a third party or not.
- Third party: A natural or legal person, public authority, body or agency other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller, are authorized to process personal data.
- Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which, by means of a statement or a clear affirmative action, the data subject expresses his/her agreement to the processing of personal data concerning him/her.
- Right of access: the right of the data subject to contact the data controller to find out whether his or her data are being processed and, if so, what data are being processed, for what purposes and how they are being processed.
- Right of rectification: the right of the data subject to urge the Data Controller to comply with the obligation to maintain the accuracy of the data, rectifying the Personal Data when they are incomplete or inaccurate.
- Right to object: the right of the data subject to request that the processing of his or her Personal Data not be carried out or be stopped in the following cases: (i) processing based on a public interest mission or on legitimate interest, including profiling; (ii) processing for the purpose of direct marketing, including also profiling.
- Right to erasure: The data subject has the right to obtain from the data controller, without undue delay, the deletion of personal data concerning them, in certain circumstances, such as: i) if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ii) if the processing of personal data is based on consent and that consent is withdrawn, provided that the processing is not based on another legitimate reason; iii) if their personal data have been processed unlawfully, among other situations.
- Right to restriction of processing: Allows the data subject, whose personal data is being processed, to request the data controller to apply measures to temporarily suspend the processing of their data or, where appropriate, to avoid its deletion or erasure in specific situations: i) when the processing is unlawful and the data subject opposes the deletion of personal data and requests instead the restriction of its use, or ii) when the controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the formulation, exercise, or defense of claims.
- Right to data portability: The right to transmit the data subject’s personal data to another data controller, provided that the processing is based on consent or within the framework of the execution of a contract, and when the processing is carried out by automated means.
- Right not to be subject to automated individual decisions: The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning the data subject or similarly significantly affects them.
- Profiling of personal data (“Profiling”): Any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, particularly to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
2. WHAT PERSONAL DATA DO WE COLLECT?
The personal data that the user may provide:
- Name, address and date of birth.
- Telephone number and e-mail address.
- Location.
- Payment and return information.
- IP address, date and time you access our services, internet browser you use and information about your device’s operating system.
- Any other information or data you choose to share with us.
In some cases, it is mandatory to fill in the registration form to access and enjoy certain services offered on the web; likewise, not providing the requested personal data or not accepting this data protection policy makes it impossible to subscribe or register.
3. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
At PDA we collect and process the information provided by the interested parties for the following purposes:
- Manage orders or hire any of our online services.
- To manage the sending of the information requested.
- To develop commercial actions and perform the maintenance and management of the relationship with the user, as well as the management of the services offered through the website and information tasks, being able to perform automatic assessments, profiling and customer segmentation tasks in order to customize the treatment according to their characteristics and needs and improve the customer’s online experience.
- For recruitment purposes, in case you want to join the PDA team, either because there is a position that fits your profile or because you want to send us your CV, we will use that data for that purpose.
- In some cases it will be necessary to provide information to Authorities or third party companies for auditing purposes, as well as to handle personal data from invoices, contracts and documents to respond to claims from customers or Public Administrations.
4. DOES PDA ALWAYS ACT AS DATA CONTROLLER?
PDA may be both a Controller and a Processor of personal data under the terms of the GDPR. For example, PDA will be the Controller when a natural person Customer (data subject within the terms of the GDPR) enters into a contract directly with us, for the processing of that Customer’s data.
We will also act as Data Controllers in the case of users who browse our website, once we process their personal data for the intended purpose.
In most cases, due to the nature of our business, PDA does not have a direct relationship with data subjects and exclusively processes end-user personal data on behalf of customers and according to their instructions. Therefore, if you are an employee or candidate using our platform, we act solely as Data Processors of your data. Our Clients are the ones who decide the purposes for which they use PDA Assessment and the other PDA Tools, as well as the means of data collection that we make available on our platform.
5. HOW DO WE COLLECT YOUR INFORMATION?
We collect your personal information through different means, but you will always be informed at the time of collection through informative clauses about the data controller, the purpose and legal basis of the processing, the recipients of the data and the period of conservation of your information, as well as the way in which you can exercise your rights regarding data protection.
In general, the personal information we process is limited to identification data (name and surname, date of birth, address, ID number, telephone and e-mail), contracted services and payment and billing data.
In cases of personnel management and selection, we collect academic and professional data in order to meet the obligations arising from the maintenance of the employment relationship or, where appropriate, to become part of our staff.
PDA uses social networks and this is another way to reach you. The information collected through the messages and communications you post may contain personal information that is available online and accessible to the public. These social networks have their own privacy policies explaining how they use and share your information, so PDA recommends that you consult them before using them to confirm that you agree with the way in which your information is collected, processed and shared.
Through our website we collect personal information related to your navigation through the use of cookies. To know clearly and precisely what cookies we use, what their purposes are and how you can configure or disable them, see our Cookie Policy.
Below, you can see a diagram explaining the data collection and processing process when using one of the PDA Tools that we hope you will find useful:
The company that asked you to use the online tool is the data controller and PDA acts as data processor. The data controller decides what data is collected and what this data is used for. If you have any concerns about the data they request from you or about the process, you should contact them in the first instance.
We act as data processors for two main methods of data processing: (1) providing clients with access to their own logins on our server to administer the service themselves, or (2) administering the final report submission service on behalf of the data controller – this report will be described as self-assessment in this document.
6. ARE YOUR PERSONAL DATA USED FOR PROFILING AND/OR AUTOMATED DECISIONS?
General profiling is performed without any automated decision process being employed through it.
The objective of general profiling is to evaluate general personal aspects about the interested parties in order to analyze and make predictions about their abilities to perform a job, their interests or their likely behaviors. For this purpose, different questionnaires will be used to collect this information.
The categories of data used in general profiling are personal preferences, interests, reliability, behavior, aptitudes, habits and values, which are necessary for the preparation of the PDA Evaluation Report.
Through the elaboration of these general profiles it is possible to identify the necessary skills to successfully perform a specific job position, so that this indicator becomes a reference for selection, evaluation, development, compensation and even organizational changes.
The PDA tools have been developed for application purposes to assess competencies and behaviors related to the work environment (e.g. initiative, patience, autonomy, etc.), making it possible to identify the behavioral profile and uniqueness of people, manage their talent, develop skills and motivate them to reach their exponential talent.
They are merely consultative support tools that address these goals without producing any automated decisions based on these assessments. Therefore, they are not tools that automatically deny stakeholders a job opportunity or place them at any disadvantage, i.e., the outcome of the assessments does not result in significant exclusion or discrimination of stakeholders.
The stakeholders do not correspond to an exhaustive defined group of people and the profile describes only limited aspects of the data categories identified.
In the overall profiling process, anonymization techniques will be used to protect the privacy of data subjects, among other technical and organizational measures.
7. ARE YOUR PERSONAL DATA USED FOR AUTOMATED DECISIONS?
No, PDA does not make automated decisions through the processing of personal data with (or without) profiling in its tools.
8. DOES PDA USE PERSONAL DATA FOR RESEARCH PURPOSES?
PDA conducts research and data analysis; thus, your data may be processed for research purposes.
When we process personal data for research, we do so as a data controller, based on the legitimate interest to offer products and services that better meet the needs and wishes of our customers, always safeguarding the right to object to the processing under the terms of the GDPR.
Personal data processed for research purposes will be retained for the time appropriate to each case depending on the type of research in which it is involved.
When we process personal data for research, we ensure that we take appropriate security measures, such as anonymization and pseudonymization procedures, so that your data is not or no longer identifiable, or can no longer be attributed to a data subject without the use of additional information listed separately.
We ensure that our research team has access to the minimum amount of data necessary to carry out this work and that they are subject to ethical standards and the GDPR.
Finally, once the research is completed, all data used is discarded or anonymized, making it impossible to identify an individual from the data.
9. IF PDA IS THE CONTROLLER: WHAT IS THE LEGAL BASIS FOR PDA TO USE YOUR DATA?
This depends, although we can assure you that PDA only processes data where we have a lawful basis for doing so.
Depending on the range of services we offer and how they are provided, we will rely on a different lawful basis when processing your data, which may be, non-exhaustively, consent, performance of a contract or pre-contract and/or compliance with legal obligation.
We may also process your data as a data controller to enable us to achieve our legitimate interests, always ensuring that these are carefully balanced and do not have an adverse impact on your rights.
In particular cases where we seek your consent to process your personal data, we will ensure that the consent obtained is in line with applicable law and is specific and informed where necessary and in accordance with the purpose of the processing.
10. HOW DOES PDA ENSURE THE SECURITY OF ITS SYSTEMS AND PROTECT YOUR DATA?
At PDA we take the security of the personal data you have entrusted to us seriously. All of our servers used for our evaluations are hosted in highly secure environments located in the European Economic Area (EEA).
PDA periodically tests the security of our networks. Access to personal data is restricted and can only be accessed by those who have a legitimate reason to do so.
All our offices are equipped with access control systems and all PDA employees receive regular training on data protection and IT security.
If you would like to learn more about how we secure our systems, please read our Policies which are available on the website and provide more details on how we incorporate both security and privacy by design.
However, absolute security cannot be guaranteed and no security system is impenetrable, so, in the event that any information under our control is compromised as a result of a security breach, we will take appropriate steps to investigate the incident, notify the Control Authority and, where appropriate, those users who may have been affected to take appropriate action.
11. USER'S RESPONSIBILITY
By providing their data through electronic channels, the user guarantees that they are over 14 years of age and that the data provided to PDA are true, accurate, complete and up to date. To this effect, the user confirms that he/she is responsible for the veracity of the data communicated and that he/she will keep such information conveniently updated so that it corresponds to his/her real situation, being responsible for any false or inaccurate data that he/she may provide, as well as for any damages, direct or indirect, that may arise.
12. HOW LONG DO WE KEEP YOUR INFORMATION?
At PDA we only keep your information for the period of time necessary to fulfill the purpose for which it was collected, to comply with the legal obligations imposed on us and to meet the possible liabilities that may arise from the fulfillment of the purpose for which the data were collected.
In any case, and as a general rule, we will keep your personal information as long as there is a contractual relationship that binds us or you do not exercise your right of deletion and/or limitation of treatment, in which case the information will be blocked and not used beyond its conservation, for as long as it may be necessary for the exercise or defense of claims or for any liability that may arise and need to be addressed.
If you are conducting an online assessment with one of our tools, PDA acts only as the data processor and the employer or prospective employer acts as the data controller, so they will decide how long the data should be retained and will manage the processing, retention and deletion process accordingly.
For our clients using our self-assessment service (where we provide a managed service to send assessment links), the relationship of controller and processor remains, with PDA as the processor, so we will follow the client’s explicit instructions to delete data.
In the event that you wish to join our staff and apply for one of our jobs, the data provided will become part of our database and will be retained for the duration of the selection process and for a maximum of 1 year or until you exercise your right of deletion.
13. TO WHOM DO WE COMMUNICATE YOUR DATA?
In general, at PDA we do not share your personal information, except for those assignments that we must make based on legally imposed obligations.
You can communicate your opposition to the transfer of your data, although in that case, it would not be possible to provide the requested service.
Also, your personal information will be at the disposal of the Public Administrations, Judges and Courts, for the attention of possible responsibilities born from the treatment.
14. INTERNATIONAL DATA TRANSFERS
PDA is based in Argentina, a country that has been declared by the European Commission as having an adequate level of protection (Commission Decision 2003/490/EC of June 3, 2003).
In turn, our servers are located in countries of the European Economic Area (EEA).
Thus, international data transfers are made only to countries within the European Economic Area (EEA), complying both with the Argentine regulations (Law 25.326 -PDPA) and the GDPR.
In addition, our international data transfers are usually carried out on the basis of contractual or other rules provided for by the GDPR, which aim to ensure adequate protection of your data. For this purpose, we rely on the safeguards provided for in Article 46 of the GDPR or, where applicable, Article 49 of the GDPR. In either case, PDA guarantees the implementation of appropriate safeguards to protect the privacy and security of your personal data.
15. WHAT ARE YOUR RIGHTS REGARDING THE PROCESSING OF YOUR DATA AND HOW CAN YOU EXERCISE THEM?
Data protection regulations allow you to exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to their processing, as well as not to be subject to decisions based solely on the automated processing of your data, where applicable.
These rights are characterized by the following:
- Their exercise is free of charge, except in the case of manifestly unfounded or excessive requests (e.g. repetitive nature), in which case PDA may charge a fee proportional to the administrative costs incurred or refuse to act.
- You may exercise your rights directly or through your legal or voluntary representative.
- We must respond to your request within one month, although, taking into account the complexity and number of requests, the deadline may be extended by a further two months.
- If PDA does not comply with the request, it will inform you, within one month at the latest, of the reasons for its inaction and the possibility to complain to a Supervisory Authority.
Please note that, if you take a PDA assessment, the responsible party (this would normally be your employer, prospective employer or educational establishment) is ultimately responsible for assisting you in exercising your rights, so we recommend that you contact them in the first instance.
To exercise your rights PDA makes the following means available to you:
- Sending a scanned and signed document, stating the right to be exercised and the reasons, to the email address gdpr@pdainternational.net, indicating in the subject “Exercise of GDPR Rights”.
You must prove your identity by attaching a photocopy or, where appropriate, a scanned copy of your ID card or equivalent document, so that we can verify that we only answer to the person concerned or his or her legal representative, who in that case must provide proof of representation.
Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, we inform you that you may file a complaint with the National Control Authority.
16. HOW AND WHERE IS YOUR DATA STORED?
PDA ensures the security of client and candidate data at all times.
Our main servers are hosted in the highest rated data centers in the European Economic Area (EEA), which strictly control access to the physical environment and provide exceptional system availability. At PDA we also manage our IT environment, ensuring that we maintain full control of the systems that underpin the assessments we provide and the information they contain.
17. REPORT A DATA BREACH OR REQUEST RESOLUTION OF PRIVACY ISSUES
If you believe there has been a loss of the personal data we use or manage, or an unlawful use or disclosure of this data or any data privacy issue, please contact our Privacy Officer at gdpr@pdainternational.net.