Securitylocus privacy policy

Securitylocus privacy policy

1. Introduction

Securitylocus a/s communicates assignments to the best IT consultants on the market. It is Securitylocus a/s’ insight about each consultant that allows us to achieve the perfect match between the client and the consultant. It can therefore be said without exaggeration that Securitylocus a/s makes a living of processing personal data. Therefore, it is also crucial for us that personal data about our consultants is processed responsibly and securely, in order for you as a consultant to know that you can safely entrust your personal data to us. We know that we only have your personal data on loan for a period of time and that you can ask us at any time to stop processing personal data about you.

2. What personal data does Securitylocus a/s process?

Securitylocus a/s’ work with our consultants takes place in five different main phases: Recruitment, selection, agreement, follow-up and evaluation.

During the recruitment phase, we collect relevant information about a potential consultant’s background, including the consultant’s CV. A typical CV will include name, address, phone number, email address, previous employments, hobbies, date of birth and marital status (ordinary personal data). CV’s do not include cpr-numbers, but potential information on criminal convictions and, if relevant for the consultant to disclose, possibly health data (sensitive personal data).

Based on an interview process, it is assessed whether the candidate fits into Securitylocus a/s’ consulting portfolio. In the selection process, Securitylocus a/s will also request a criminal record (specially regulated personal data), as well as references from previous employers (ordinary personal data). All relevant information is stored and processed in our consultant database. However, the criminal record is not saved, but it is noted in the database that we have seen the criminal record. In some situations, Securitylocus a/s make use of personality tests (sensitive personal data).

When a client needs consultancy, Securitylocus a/s identifies, based on the consultant database, the profiles that are best suited for the assignment. Securitylocus a/s prepares an overview with the relevant candidates for the assignment. The form is sent to the client together with the candidate’s CVs (ordinary personal data).

Once the client has selected the consultant who is suitable for the assignment, Securitylocus a/s ensures that a contract is drawn up with the consultant containing relevant information about the specific assignment, e.g., the expected duration of the assignment, the agreed hourly rate, as well as the consultant’s account number (ordinary personal data). Securitylocus a/s ensures that confidentiality statements and other relevant documentation included in the contractual basis are obtained.

While the assignment is ongoing, Securitylocus a/s continuously follows up on how the cooperation between the client and the consultant proceeds. This information (ordinary personal data) is documented in Securitylocus a/s’ internal systems.

At each end of a collaboration between client and consultant, Securitylocus a/s will, based on information provided by the client and the consultant, carry out an evaluation of the consultant’s performance, which is saved for future reference (ordinary personal data) in Securitylocus a/s’ internal systems.

3. How long does Securitylocus a/s keep your personal data?

Securitylocus a/s’ core business is to communicate assignments to independent IT consultants on the basis of the consultants’ CV (and other relevant information) that Securitylocus a/s processes on the basis of the consent of the consultant, cf. section 5 below. As long as the consultant regularly updates their job status, Securitylocus a/s considers the consultant’s consent to remain valid.

For consultants who have stated that they are on assignment, Securitylocus a/s will consider the consent to be revoked if, for a period of 24 months after the end of the last stated assignment, the consultant has not updated their job status.

For consultants who have indicated that they are not working on an assignment, Securitylocus a/s will consider the consent to be revoked if the consultant has not updated their job status for a period of 24 months.

If the consultant actively indicates that they no longer wish to receive assignments through Securitylocus a/s, then Securitylocus a/s will of course also consider this to be a revocation of the consultant’s consent.

By default, Securitylocus a/s will immediately after the consultant’s withdrawal of his consent delete all personal data about the consultant in Securitylocus a/s’ systems.  However, if the consultant has been sold through Securitylocus a/s on a contract concluded less than 5 years before the end of the relation, Securitylocus a/s is obliged, as per the rules of the bookkeeping act, to continue processing information about the consultant until they are 5 years old.

Securitylocus a/s will continue to process the personal data of retired consultants if they wish to join Securitylocus a/s’ pensioners’ club until either consent is revoked or after 24 months without reply to Securitylocus’ inquiries.  

4. Who does Securitylocus a/s disclose your personal data to?

When one of our clients has an assignment that we believe matches the consultant’s profile, we disclose the consultant’s personal data to our client. When our clients process personal data about our consultants in their own company, they are independently data responsible to you as a consultant.

As part of our collaboration with other consultancy companies, Securitylocus a/s will occasionally disclose personal data (typically CVs) about our consultants. However, this disclosure will only be made with the explicit consent of the consultant.

Securitylocus a/s uses a number of IT suppliers to handle the operation and maintenance of our IT systems. Our IT suppliers only process personal data about you following instructions from us. We have entered into data processing agreements with our IT suppliers, which, among other things, include our security requirements.

5. Legal basis for processing

In connection with our recruitment process, we process personal data about potential consultants. The legal basis for this treatment is that the consultant has actively consented Securitylocus a/s with the treatment hereof. Securitylocus a/s continuously processes new personal data about the consultant when the consultant regularly updates their job status and CV. The basis for this treatment is based on the consent originally given.

When Securitylocus a/s matches the consultant’s profile to a specific assignment, a number of new personal data processing is carried out. The legal basis for this treatment is that it is a prerequisite for the conclusion of a contract with Securitylocus a/s, of which the consultant is one party.

In order for Securitylocus a/s to fulfil its contractual obligations in relation to the client, Securitylocus a/s processes ongoing personal data about you, e.g., whether the hourly effort delivered etc. Securitylocus a/s is also in ongoing dialogue with the client about how they experience and assess the quality of your work. The basis for this treatment is that Securitylocus a/s’ contractual obligations towards the client are reflected in the contract concluded between Securitylocus a/s and the consultant, and that the treatment is therefore in the natural extension of the fulfilment of a contract to which the consultant is a party.

6. IT Security

The IT security at Securitylocus a/s is regulated by our IT security policy, which is translated into internal guides and guidelines on information security. We prepare and maintain risk assessment that we use to document information security threats and to identify the technical and administrative measures that we need to implement to address the threats.

We pay particularly a focus on measures to ensure that unauthorised persons do not have access to your personal data. We have, among other things, established procedures for granting access rights to those of our employees processing personal data. The rights are granted on the basis of a need-to-know principle. We control our employees’ use of access through logging and supervision.

In addition to the internal systems in Securitylocus a/s, we use external IT suppliers who are responsible for the operation and maintenance of our IT solutions. Our requirements for IT security are set out in the data processing agreements that we have entered into with our IT suppliers. We continuously follow up on the fact that our IT suppliers meet our requirements.

In the event of a security breach that results in a high risk of identity theft, financial loss, loss of reputation or other significant inconvenience, we will notify you of the security breach as soon as possible.

7. Your rights

As a consultant at Securitylocus a/s, you have a number of rights under the General Data Protection Regulation in relation to the personal data we process about you.

• You have the right to access what personal data we process about you
• You have the right to have the personal data we have registered about you rectified and updated
• You have the right to have the personal data we have registered about you deleted  
• You have the right to obtain a copy of the data you have provided to Securitylocus a/s.

Inquiries about your data

Securitylocus a/s
Kronprinsessegade 26
1306 Copenhagen

E-mail: gdpr@Securitylocus.com

You can also contact us if you have any questions about the above or if you believe that your personal data is being processed in violation of the law.

Securitylocus a/s shall endeavour to respond to all requests within 30 days of receipt. In the event of requests for corrections and/or deletion of your personal data, we examine whether the conditions are met and, if so, make changes or deletions as soon as possible.

Securitylocus a/s may reject requests that are unduly repetitive, affecting the privacy of others’ personal information, is required due to legal obligations or in situations where the requested action must be considered to be extremely complicated (for example, requests for information that is solely available as backups).