The PeopleForce Virtual Platform Service Provider is committed to maintaining the confidentiality of information and Personal Data received and will take all measures necessary to ensure that they are safely stored.
What this Policy is about
Not intended for children: The PeopleForce Platform are not intended for children and we do not knowingly collect data relating to children.
We collect Personal Data from you for one or more of the following purposes:
To provide you with information that you have requested or that we think may be relevant to a subject in which you have demonstrated an interest.
To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of products and/or services.
To fulfil an Agreement that we have entered into with you or with the entity that you represent. In these circumstances it may be your entity, rather than yourself, that has provided us with your Personal Data.
To ensure the security and safe operation of our websites and underlying business infrastructure.
To manage any communication between you and us.
A PeopleForce User is a natural or legal person who is registered in the PeopleForce system and is the owner of an account. If you are a PeopleForce User, we may process the following personal information about you:
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes address, email address and telephone numbers.
Profile Data includes your basic account information; username password and access information; photos you may choose to upload; other information you may provide in response to a questionnaire or survey; your interests, preferences and feedback and survey responses; any other information you provide to use in relation to your PeopleForce Account.
Marketing and Communications Data includes your preferences in receiving marketing from us, any third parties and your communication preferences, including registering for our newsletter.
In order to collaborate, receive each other’s products or services, we may need the following information about you in order to communicate with you about your work or organisation.
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes address, email address and telephone numbers.
In addition, to ensure that each visitor to our website can use and navigate the site effectively, we collect the following:
Technical information, including the IP (Internet Protocol) address used to connect your device to the Internet.
Your login information, browser type and version, time zone setting, browser plugin types and versions.
Operating system and platform.
Information about your visit, including the URL (Uniform Resource Locator) clickstream to, through and from our site.
Below, we identify your rights in respect of the Personal Data that we collect and describe how you can exercise those rights.
PeopleForce virtual platform (Platform) - software, a multifunctional HRM personnel management system, which includes an ATS system for recruiting and other related services provided by PeopleForce and which help automate routine personnel management work processes. The Platform consists of various Modules that can work both independently and in combination with other Modules. The PeopleForce Virtual Platform is subject to copyright and intellectual property rights, which are governed and protected by intellectual property and copyright protection laws.
Personal data - information or a set of information about a natural person who is identified or can be specifically identified, directly or indirectly (‘data subject’);
Confidential Information - information or data that is defined as confidential and received by the Service Provider and the User from each other in the process of providing the PeopleForce Virtual Platform Services
Data Import - entering data provided by the User into the PeopleForce platform;
Processing Data - means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Cloud storage - secure cloud storage for storing Data on multiple networked servers across the European Union.
Consent of the data subject to the transfer of data -freely given, specific, informed, unequivocal and clearly defined consent of the owner of the data or the legal and authorized user of such Data to their transfer, expressed, including, by accepting these terms and placing an order for the use of the PeopleForce virtual platform;
Data Protection Legislation- means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder), and the Privacy and Electronic Communications Regulations 2003 as amended;
General Data Protection Regulation - means EU General Data Protection Regulation 2016/679, the UK GDPR;
Information security management system ISO/IEC 27001 - Information security management system, which is part of the overall management system, which is based on an approach that takes into account information security risks (confidentiality, information integrity, etc.), is intended for development, implementation, operation, monitoring, reviewing, maintaining and improving information security.
ISO / IEC 27001 international certification is an independent audit conducted by an international competent certification body, which, subject to confirmation by the organization of ISO / IEC 27001 requirements, issues an ISO / IEC 27001 Certificate. Certification is supported by regular annual audits.
The Service Provider adheres to the ISO/IEC 27001 information security management standards and also the ISO 27701 and GDPR when working with Personal Data and Confidential Information.
The relationship between the Service Provider and the User is governed by the laws of England and other countries in which compliance with the protection of Personal Data and Confidentiality is mandatory.
The User undertakes to respect the confidentiality of all data received in connection with the provision of the service of using the Virtual Platform PeopleForce.
The Service Provider, in working with Personal Data, complies with the requirements of the GDPR, in particular:
Processes Personal Data in a legal, legitimate and transparent manner in relation to the Data subject, namely, only after obtaining the consent of such data subject to the processing of Personal Data and taking into account that such processing is necessary for the performance of the Agreement on the provision of services for the use of the Virtual Platform PeopleForce, to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a Agreement;
Collects Personal Data for the specified, clear and lawful purposes described in the PeopleForce Virtual Platform Services Agreement and does not further process such data in a way that is incompatible with such purposes;
Clearly identifies the received Personal Data and limits them to the extent necessary in view of the purposes of processing (“Data Minimization”);
If necessary, updates the Personal Data and takes all appropriate measures to ensure that inaccurate Personal Data, taking into account the purposes of their processing, is deleted or corrected without delay (“accuracy”);
Keeps Personal Data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
Processes Personal Data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
Monitors the availability of consent to receive and process Personal Data;
Provides the possibility for the data subject to withdraw their consent to the processing of Personal Data at any time and guarantees that the withdrawal of consent will not affect the legality of the processing of Personal Data, which was based on consent before its withdrawal. That is, it equally provides the possibility of both withdrawal and consent.
Provides the possibility of rectification or erasure of Personal Data;
Provides the possibility of restriction of processing of Personal Data concerning the data subject or to object to such processing;
Depersonalises data for their further use by the Service Provider;
Guarantees compliance with the GDPR 2016/679 regulations of all entities that have access to Personal Data;
Does not receive and does not process Personal Data that reveal racial or ethnic origin, political beliefs, religious or philosophical beliefs, or membership in professional unions, as well as genetic data, biometric data for the purpose of unique identification of a natural person, data related to the state of health or data about the sexual life of a natural person or their sexual orientation and other data with a special regime for their access and storage;
Stores data on secure data carriers that meet the requirements of GDPR and ensures ongoing confidentiality, integrity, availability and stability of systems and services for processing Personal Data;
Involve only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
The Service Provider receives Personal Data from the User solely for the purpose of providing access to the Platform (its modules), namely the data necessary for the User's registration in the Service Provider's system and further formation of the User's personal account.
After granting the User access to the Platform, the User independently (and at his/her own discretion) collects and uploads Personal Data of his/her employees, recruiters, third parties to the Service Provider's systems, while the Service Provider does not collect such Personal Data, but only stores them, and therefore is not responsible for their reliability, accuracy, legality, legality, legal way of their collection, etc.
The User is responsible for the truthfulness of the provided Personal Data, as well as for their timely updating. The User guarantees that they have received and transmitted Personal Data on legal grounds and with the sufficient consent and permission of the owner of such data. The Service Provider has the right to request confirmation of the veracity of such data and the sufficiency of the consent of the Personal Data owner.
The Service Provider may provide Confidential Information and Personal Data to Third Parties based on the Users’ direct order (e.g. for the purpose of Platform integration with other services). In this case, the Service Provider is not responsible for the safety of such data and cannot guarantee compliance with the special regime of such information.
The Service Provider may disclose Confidential Information and Personal Data to Third Parties solely for the purpose of providing services to the User, including involving third parties professionals, or integration with third-party software. In this case, the Service Provider is responsible for the actions of such third parties as its own. The use of Personal Data will only be carried out in accordance with the professional or employment duties of this Third Party. These Third Parties are obliged not to disclose in any way Personal Data that has been entrusted to them or that has become known to them in connection with their professional or official duties or employment.
Information may also be provided to law enforcement and other public bodies where such disclosure is mandatory and upon proper request, and the Service Provider shall immediately notify the User.
The Service Provider guarantees protection of Personal Data and Confidential Information from accidental loss or destruction, from illegal processing, including illegal destruction or access to Personal Data, and implements appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects, namely:
Uses data encryption at the content level;
Personal Data is isolated and protected by multiple levels of security using multi-conditional access and multi-factor authentication;
The Service Provider ensures continuous confidentiality, integrity, availability and stability of processing systems and services;
Ensures timely restoration of Personal Data in the event of a technical accident;
Ensures regular testing, evaluation and analysis of the effectiveness of technical and organizational measures to guarantee the security of data processing;
Keeps Data locked down at every level and applies many technical and organizational measures to ensure its preservation and to prevent data leakage and unauthorized access to data, such as:
Active error search program;
Frequent vulnerability scans;
Web application firewall;
Verification of input data;
Annual third-party penetration test;
Continuous security management and monitoring;
The Service Provider uses exclusively safe and secure resources to store Confidential Information and Personal Data, including Cloud storage media.
The Service Provider engages operators to carry out Data processing, who provide sufficient guarantees regarding the implementation of the necessary technical and organizational measures in a way that allows for the compliance of the processing with the requirements of the GDPR and guaranteeing the protection of the rights of the Data Subject.
The Service Provider has the international ISO / IEC 27001 Certificate, which is a guarantee that the service provider complies with the ISO/IEC 27001 information security management standards, as well as the GDPR when working with confidential information and Personal Data.
The Service Provider has what he believes are appropriate security controls in place to protect Personal Data.
Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of the Service Provider’s ISMS. The Service Provider does not, however, have any control over what happens between the User's device and the boundary of the Service Provider's information infrastructure. Users should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information. The Service Provider accepts no liability in respect of breaches that occur beyond his sphere of control.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the lawful bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us for further information.
As a Data Subject whose personal information PeopleForce hold, the User has certain rights. If the User wishes to exercise any of these rights, he/she may write to the email:[email protected]. To process the User's request, the Service Provider will ask to provide two valid forms of identification for verification purposes. The User’s rights are as follows:
The right to be informed
The Service Provider is obliged to provide clear and transparent information about its data processing activities. This is provided by this privacy notice and any related communications the Service Provider may send to the User.
The right of access
The User may request a copy of their Personal Data held by the Service Provider free of charge. Once the Service Provider has verified User's identity and, if relevant, the authority of any third-party requester, the Service Provider will provide access to the personal data it stores about the User, as well as to the following information:
The purposes of the processing.
The categories of Personal Data concerned.
The recipients to whom the Personal Data has been disclosed.
The retention period or envisioned retention period for that Personal Data.
When Personal Data has been collected from a Third Party, the source of the Personal Data.
If there are exceptional circumstances that mean that the Service Provider may refuse to provide information, the Service Provider will explain this to the User. If responding to a request may require additional time or entail unreasonable costs (which may have to be borne by the User), the Service Provider will notify the User.
The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing Personal Data, the User may request to delete the Personal Data. This includes Personal Data that may have been unlawfully processed. The Service Provider will take all reasonable steps to ensure erasure.
The right to restrict processing
The User may ask the Service Provider to stop processing his/her Personal Data. The Service Provider will still hold the Data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies the User may exercise the right to restrict processing.
The right to rectification
When the User believes that the Service Provider holds inaccurate or incomplete personal information about the User, he/she may exercise his/her right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
The accuracy of the Personal Data is contested.
The right to data portability
The User may request his/her set of Personal Data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
The right to object
The User has the right to object processing of his/her data where:
Processing is based on legitimate interest;
Processing is for the purpose of direct marketing;
Processing is for the purposes of scientific or historic research; or
Processing involves automated decision-making and profiling.
We may share your personal data with the parties set out below for the purposes set out in the table above.
Internal third parties such as our employees or officers and legal entities within the PeopleForce group of companies.
With research and trial partners, being commercial research.
External third parties, payment providers, specialist IT support, cloud hosting providers, communications partners and sub-contractors.
Professional advisers including lawyers, bankers, marketing agencies, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
Credit reference agencies, law enforcement and fraud prevention agencies.
HM Revenue & Customs, regulators and other authorities who require reporting or processing activities in certain circumstances.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We do not usually or regularly transfer data outside of the UK in the course of our business. In the event we transfer your personal data out of the UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government (including the EEA as at the date of this version of the Policy).
Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK, as well as conducting an appropriate risk assessment.
PeopleForce adheres to the restricted use requirements set out in the Google API User Data Policy.
We ensure that:
- our data handling practices comply with Google API Services User Data Policy;
- Use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the Limited use requirements.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
The Service Provider has the right to alter the terms and conditions of this policy, which he notifies to the User not later than one calendar month before such changes become valid.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal information changes and this can be done through your PeopleForce Account for all PeopleForce Users.