From 25 May of 2018 new data protection rules (the EU General Data Protection Regulation – GDPR), which have given rise to very many questions and misunderstandings both in people and in companies, will enter into force in Estonia – similarly to the whole European Union. CV-Online, which has been engaged in bringing together employers and jobseekers in the three Baltic countries for more than twenty years, already has to deal with the issue of processing personal data in its everyday work very often. Therefore, we have also worked through the requirements set by the GDPR in detail and will adopt all the necessary measures in order for the data of our clients and users to be secure and protected.
Important data of all CV-Online users are stored in Estonia, in A-class server rooms that correspond to the ETSI standards of Telia and are under uninterrupted video surveillance. All the network traffic is protected with a firewall and the physical access right to servers is strictly limited.
What should the employer know?
- CV-Online is the controller of user data and clients of CV-Online are processors thereof.
- Information obtained from the CV-Online database may only be used for the purpose of finding employees.
- It is not permitted to transmit data to any third parties without the written permission of CV-Online.
- Each client who makes an enquiry for data from the CV-Online database (also sub-processors of the clients) has an obligation to ensure, upon processing personal data, that the whole activity is in compliance with the legislation in force. Compliance with all the technical and organisational requirements that the GDPR and other legal acts prescribe is mandatory.
- The data of an applicant for a job offer may only be used within the framework of the competition.
- The client is obliged to terminate any further use of data of jobseekers upon expiry of a valid ordering period and delete themselves and ensure that all sub-processors delete the personal data that they have saved and stored.
- If CV-Online incurs any damage due to a breach of the terms and conditions of the contract by the client, the client who breached the terms and conditions will be obliged to compensate CV-Online for the damage.
- CV-Online automatically deletes data of applicants for a job offer after one year has passed from the end of the competition.
In accordance with the GDPR, CV-Online is the controller of personal data and the employers with who CV-Online shares the data are processors.
The new terms and conditions of using the CV-Online database that are to be signed by each employer provide in very detail what the employer may do with the obtained data. Each client may only use the information obtained from the CV-Online database for the purpose of finding employees and it is not permitted to transmit data to any third parties without the written permission of CV-Online.
Each client who makes an enquiry for data from the CV-Online database has an obligation to ensure, upon processing personal data, that the whole activity is in compliance with the legislation in force. Compliance with all the technical and organisational requirements that the GDPR and other legal acts prescribe is mandatory both for clients and all possible sub-processors to whom the client may transmit data.
The rules provided for the processing and storing of data that have been obtained from database search also apply to the data of applicants for a job offer. Employers must also keep in mind that the data of an applicant for a certain job offer may only be used within the framework of this competition. Collection of data of applicants and use thereof for any other reason in the future is not permitted.
The client is obliged to terminate any further use of data of jobseekers upon expiry of a valid ordering period and delete themselves and ensure that all sub-processors delete the personal data that they have saved and stored. If CV-Online incurs any damage due to a breach of the terms and conditions of the contract by the client, the client who breached the terms and conditions will be obliged to compensate CV-Online for the damage.
CV-Online will automatically start to delete from its database the data of applications for job offers. In accordance with the Equal Treatment Act, applicants have the right to claim compensation for damage arising from discrimination within one year, due to which both applicants and employers have been provided with access to information on applications within one year as of the end of the competition. According to the users’ request, we do not automatically delete data concerning CVs or other data – the user can do that themselves or send us a respective request.
In order for CV-Online to provide the best possible service to its users, we send, from time to time, various e-mails – notifications of job offers, newsletters and personal offers – to employers and jobseekers. Similarly to the current practice – and as also provided for by the GDPR – every client and user has the right to refuse offers sent by CV-Online. To this end, we add the opt-out link to each e-mail. If the user has unsubscribed from receiving e-mails, but in the future still wants to receive e-mails, it is also possible to subscribe to e-mails again in the jobseeker’s section of the cv.ee page.
In order for clients and users to be aware of their rights and obligations, we will also send updated terms and conditions to everybody by e-mail before 25 May. After the GDPR has entered into force, it is not possible for the user to use the services of CV-Online without having agreed to the updated terms and conditions. If a user who has not registered in the CV-Online system wants to apply for a job offer, they must agree to the terms and conditions of using the data when applying for the job. If the user agrees to the updated terms and conditions, there will be no significant changes for them in the CV-Online user experience. However, the data owner will obtain clearer understanding and control over who may process their data and how they may be processed and how their data are stored and handled.