DATA PROTECTION AND DATA SECURITY POLICY

The protection of personal data and thus your privacy is a matter that GrowMore takes very seriously. We would like to take this opportunity to inform you about the data we store, how we use it, and what it means for you when you use our personalised, customisable services. In order to guarantee the greatest possible protection of your privacy, we always comply with data protection provisions. Please note, our websites and talent assessment partners may contain links to websites operated by third parties which are not covered by this Data Protection Policy as we have no influence or control over whether the operators of such sites comply with the data protection provisions.

The aim of this document is to ensure that all data processing activities within our recruitment agency are in compliance with the GDPR, and that personal data is collected, processed, and stored in a secure and lawful manner.

1. Scope:

This policy and protocols document applies to all data processing activities performed by GrowMore on behalf of data controllers in contractual relationships with us, pursuant to Article 28 GDPR. This includes the processing of personal data relating to candidates and clients, as well as other data subjects as defined by GDPR.

GrowMore’s information security measures are organised, structured and implemented across multiple protocols, including physical security, system/data/transmission access control, data backup and recovery, identification and authentication, incident response and BCP planning, and employee training and awareness, to ensure the security of personal data and to demonstrate compliance with data protection regulations.

2. Data Protection and Data Security Principles:

Our recruitment agency will adhere to the following principles of data protection and data security when processing personal data:

2.1. Lawfulness, fairness, and transparency: Personal data will be processed lawfully, fairly, and in a transparent manner in relation to data subjects.

2.2. Purpose limitation: Personal data will be collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.

2.3. Data minimisation: Personal data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

2.4. Accuracy: Personal data will be accurate and, where necessary, kept up to date.

2.5. Storage limitation: Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

2.6. Integrity and confidentiality: Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

3. Data Protection and Data Security Measures:

Our recruitment agency has implemented the following technical and organisational measures to ensure the security of personal data:

3.1. Access Control: Access to personal data will be restricted to authorised personnel, and data subjects will have the right to access their personal data.

  • Access Controls: Access controls have been implemented to ensure that only authorised personnel have access to the IT systems that handle personal data. Access is granted based on the principle of least privilege, which means that individuals are granted access only to the data and systems that they need to perform their duties.
  • Physical Barriers: Physical barriers such as locks and access keys have been implemented to prevent unauthorised access to IT systems that handle personal data. Access to the server case, network enclosure and other critical areas is restricted and monitored.
  • Security Awareness: Security awareness training is provided to all personnel who have access to IT systems that handle personal data. This training includes information about the importance of physical security measures and the consequences of data breaches.
  • Incident Response: Incident response plans are in place to respond to any physical security incidents that may occur. The plans include procedures for reporting incidents, assessing the impact of the incident, and notifying the relevant authorities if necessary.

3.2. Data Separation: Personal data collected for different purposes will be processed separately, and access will be granted only to authorised personnel.

3.3. Pseudonymisation: Personal data will be pseudonymised where appropriate to protect the identity of data subjects.

3.4. Transmission Access Control: Measures have been implemented to ensure that personal data cannot be read, copied, altered or deleted by unauthorised persons during electronic transmission, or during transport or storage on data media, and that the points at which personal data are transmitted via data transmission systems can be identified and controlled.

  • Password protection: Passwords are required for all electronic transmissions of personal data, and password policies are in place to ensure that strong passwords are used and regularly updated.
  • Secure data storage media: All data media used to transport personal data, such as USB drives and external hard drives, are password protected. These data media are stored in secure locations that are only accessible to authorised personnel.

3.5. Entry Control: Personal data entered, altered, or deleted in the IT system will be recorded, and data subjects will have the right to know who has accessed their personal data.

3.6. Availability Control: Personal data will be protected against accidental destruction or loss, and fast recoverability measures will be implemented.

3.7. Data access control: Measures to ensure that persons authorised to use the IT system have access only to the personal data pursuant to their access rights:

  • Rights Group Assignments: Access to personal data is assigned based on rights groups, which are groups of individuals with similar job responsibilities and access requirements. Each rights group is assigned specific access permissions to ensure that only authorised personnel have access to personal data.
  • Access Requests: Access requests are reviewed and approved by authorised personnel to ensure that individuals are only granted access to personal data if they have a legitimate need to access it. Access requests are reviewed against the individual’s rights group assignment to ensure that access is only granted based on their job responsibilities.
  • Data Segregation: Personal data is segregated based on rights groups to ensure that each group only has access to the data that is necessary for their job responsibilities. This helps prevent unauthorised access to personal data and limits the risk of data breaches.
  • Regular Access Reviews: Regular reviews of access rights are conducted to ensure that individuals are only accessing personal data that is necessary for their job responsibilities. These reviews help identify any unauthorised access attempts or suspicious activity and enable appropriate action to be taken to prevent data breaches.
  • Access Revocation: Access to personal data is revoked when an individual no longer requires access or leaves the organisation. This helps ensure that personal data is only accessible to authorised personnel and reduces the risk of data breaches caused by former employees or contractors.

3.8. Identification and Authentication:

  • User authentication: Access to IT systems that handle personal data is granted only to authorised personnel who have been authenticated with their user IDs and passwords. User IDs are unique to each user and are logged and monitored.
  • Regular reviews: Regular reviews are conducted to ensure that access controls and entry control measures are working effectively. Any issues or concerns are addressed promptly.

3.9. Business Continuity Management and Disaster Recovery:

  • Regular backups: Regular backups of personal data are taken to ensure that in the event of accidental destruction or loss, data can be restored quickly. Backup procedures are regularly reviewed and tested to ensure their effectiveness.
  • Disaster recovery planning: Disaster recovery plans are developed to ensure that personal data can be recovered quickly in the event of a disaster or major disruption. General BCP policy: https://recruitment.growmo.re/business-continuity-planning/

4. Data Protection Officer (DPO):

Our recruitment agency has appointed a Data Protection Officer (DPO) to oversee our data protection and data security policies and procedures, and to act as a point of contact for data subjects and supervisory authorities. The DPO is responsible for monitoring compliance with data protection laws and regulations, advising on privacy matters, and ensuring that our policies and procedures remain up to date.

5. Data Protection Impact Assessment (DPIA):

Our recruitment agency conducts a Data Protection Impact Assessment (DPIA) where necessary to assess the impact of data processing activities on the protection of personal data. The DPIA is conducted prior to the commencement of any new processing activity, and where necessary, is updated periodically.

6. Data Breach Notification:

In the event of a personal data breach, our recruitment agency will take immediate steps to contain the breach and assess the impact on the affected individuals. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR. Additionally, we will notify affected individuals without undue delay, providing them with clear and concise information about the breach and the measures taken to address it.

7. Data Retention and Disposal:

Our recruitment agency only retains personal data for as long as necessary to fulfil the purposes for which it was collected, including any legal or regulatory retention requirements. Once the data is no longer necessary, we will ensure that it is securely and permanently disposed of using appropriate methods, such as shredding, erasing, or deleting the data from our systems.

8. Privacy Impact Assessment (PIA):

Our recruitment agency conducts a PIA for any new projects, processes, or systems that involve the processing of personal data, as required by the GDPR. The PIA assesses the potential impact on individual privacy rights and determines whether additional measures are necessary to protect personal data. We also consult with our Data Protection Officer and/or legal counsel as appropriate to ensure compliance with relevant laws and regulations.

9. Employee Training:

Our recruitment agency will provide regular training to all employees who handle personal data, to ensure that they are continuously aware of their data protection and data security obligations, as well as the risks and consequences of non-compliance. This training includes information about data protection laws and regulations, our policies and procedures, and best practices for protecting personal data.

GrowMore is committed to protecting the privacy and security of personal data, and to complying with all relevant laws and regulations. We will continue to monitor and review our policies and procedures to ensure that they remain effective in protecting personal data and meeting our obligations under the GDPR. If you have any additional questions about data protection and privacy, please contact our Corporate Privacy Officer.