From 25 May new data protection rules (the EU General Data Protection Regulation – GDPR), which have given rise to very many questions and misunderstandings both in people and in companies, will enter into force in Lithuania – similarly to the whole European Union. CV-Online, which has been engaged in bringing together employers and job seekers in the three Baltic countries for more than twenty years, already has to deal with the issue of processing personal data in its everyday work very often. Therefore, we have also worked through the requirements set by the GDPR in detail and will adopt all the necessary measures in order for the data of our clients and users to be secure and protected.
Important data of all CV-Online users are stored in Lithuania, in A-class server rooms that correspond to the ETSI standards of Telia and are under uninterrupted video surveillance. All the network traffic is protected with a firewall and the physical access right to servers is strictly limited.
What should the employer know?
In accordance with the GDPR, CV-Online is the controller of personal data and the employers with who CV-Online shares the data are processors.
The new terms and conditions of using the CV-Online database that are to be signed by each employer provide in very detail what the employer may do with the obtained data. Each client may only use the information obtained from the CV-Online database for the purpose of finding employees and it is not permitted to transmit data to any third parties without the written permission of CV-Online.
Each client who makes an inquiry for data from the CV-Online database has an obligation to ensure, upon processing personal data, that the whole activity is in compliance with the legislation in force. Compliance with all the technical and organizational requirements that the GDPR and other legal acts prescribe is mandatory both for clients and all possible sub-processors to whom the client may transmit data.
The rules provided for the processing and storing of data
that have been obtained from database search also apply to the data of applicants for a job offer. Employers must also keep in mind that the data of an applicant for a certain job offer may only be used within the framework of this competition. Collection of data of applicants and use thereof for any other reason in the future is not permitted.
The client is obliged to terminate any further use of data of job seekers upon expiry of a valid ordering period and delete themselves and ensure that all sub-processors delete the personal data that they have saved and stored. If CV-Online incurs any damage due to a breach of the terms and conditions of the contract by the client, the client who breached the terms and conditions will be obliged to compensate CV-Online for the damage.
CV-Online will automatically start to delete from its database the data of applications for job offers. In accordance with the Equal Treatment Act, applicants have the right to claim compensation for damage arising from discrimination within one year, due to which both applicants and employers have been provided with access to information on applications within one year as of the end of the competition. According to the users’ request, we do not automatically delete data concerning CVs or other data – the user can do that themselves or send us a respective request.
What should the job seeker know?
The main aim of the GDPR is to protect data owners and give them as much control over the use of their data as possible. Each person who enters their CV in the CV-Online system or applies for a job in the system must have an opportunity to gain access easily and quickly to the whole information that we have about them and their data. It must also be possible for the data owner to delete all of their data if the data owner so requests.
If a user has logged in to our system, all the information that has been collected about them in CV-Online will be available on the jobseeker page. In the “My CVs” sector there is the “My data” link that opens an overview of all the data set that we have about the user. It is also possible to save the data in PDF format there or, if necessary, delete them from our system. A user who has applied for a job or ordered notifications to their e-mail without having registered themselves as a CV-Online user can make us enquiries for their data or ask to delete their data by e-mail.
The procedure for use of the personal data in the CV-Online database
will not change significantly upon entry into force of the GDPR. This is mainly so because until today CV-Online has also taken care that all the user data are as much secured as possible and that access to the data is controlled and regulated.
The user data in the CV-Online database – if the data owner has permitted that – are available to those employers who have ordered a fee-charging service in CV-Online. In addition, the user has the right to determine whether their data can be found from the database search or whether they are visible only to those employers for whose competition the user has applied. If the user has such a request, it is also possible for them to determine the employers to whom the user data will not become visible under any circumstances. It is also possible, at any time, to change the visibility of one’s data, block them or demand that CV-Online delete the data and terminate any further processing thereof.
The employers who obtain access,
through CV-Online, to job seekers’ data are obliged to use the data only for the intended purpose – the use of the data must be related to searching for employees and the employer has the right to use the data that have been submitted upon applying for a job offer only within the framework of a respective competition. Upon expiry of the CV-Online service for the employer, the employer will be obliged to delete all the obtained data and their further processing will be prohibited.
In order for CV-Online to provide the best possible service to its users, we send, from time to time, various e-mails – notifications of job offers, newsletters and personal offers – to employers and job seekers. Similarly to the current practice – and as also provided for by the GDPR – every client and user has the right to refuse offers sent by CV-Online. To this end, we add the opt-out link to each e-mail. If the user has unsubscribed from receiving e-mails, but in the future still wants to receive e-mails, it is also possible to subscribe to e-mails again in the job seeker’s section of the cvonline.lt page.
In order for clients and users to be aware of their rights and obligations,
we will also send updated terms and conditions to everybody by e-mail before 25 May. After the GDPR has entered into force, it is not possible for the user to use the services of CV-Online without having agreed to the updated terms and conditions. If a user who has not registered in the CV-Online system wants to apply for a job offer, they must agree to the terms and conditions of using the data when applying for the job. If the user agrees to the updated terms and conditions, there will be no significant changes for them in the CV-Online user experience. However, the data owner will obtain clearer understanding and control over who may process their data and how they may be processed and how their data are stored and handled.