1. Why Do You Need this Privacy Notice?
This CHI Team & Candidate Privacy Notice (this “Privacy Notice”) is provided by CHI Software (“we”, “us”, “our”). “You” or “your” refers to you as our candidate, contractor, or employee.
We encourage you to carefully read this Privacy Notice as it provides you with information about your personal data being processed in connection with your recruitment or engagement by us (collectively, the “Engagement”).
In this Privacy Notice, personal data and personal information are used as synonyms and mean any information that directly or indirectly identifies you as an individual. In this Privacy Notice we explain which types of personal data we hold on you, how we collect and process such data, how long we keep it, and so on.
2. What Is Our Role and How to Reach Us?
We act as a controller with respect to your personal data collected in connection with the Engagement, meaning that we determine the purposes and means of processing your personal data.
We respect your privacy and are committed to protecting your personal data. Therefore, we process your personal data in accordance with this Privacy Notice and we endeavour to comply with the applicable data protection legislation, which includes the General Data Protection Regulation, also known as the GDPR (the “Applicable Legislation”).
If you have any questions regarding this Privacy Notice or the processing of your personal data, contact us via the following contact details:
CHI Software
Name: CHI Software
Email: privacy@chisw.com.
3. What Are Our Principles?
Lawfulness. We endeavour to process personal data in accordance with the Applicable Legislation and only on the basis of the appropriate legal grounds.
Fairness. We do our best to handle personal data in ways that you would reasonably expect and we do not use any personal information in ways that have unjustified adverse effects on you.
Transparency. We endeavour to make the processing activities transparent and understandable for you, including by providing you with all reasonably necessary information regarding the processing.
Data Minimisation. We endeavour to process only necessary personal data, taking into consideration the requirements of the Applicable Legislation.
Purpose Limitation. We process your data only for the purposes it was collected. If we establish any other purpose, we will inform you reasonably in advance.
Accuracy. We aim to ensure the accuracy of your personal data, including by providing you with the opportunity to rectify or complete it.
Confidentiality, Integrity, and Availability. We try to comply with the best practices applicable to the development and maintenance of the security systems.
Storage Limitation. We keep the personal data as long as prescribed in this Privacy Notice, based on the purposes the data was collected.
Accountability. We do our best to comply with the Applicable Legislation, and, furthermore, if we disclose personal data to any person, we will do our best to ensure that such person will comply with the terms of the Applicable Legislation and this Privacy Notice.
4. How Do We Collect Your Personal Data?
We collect and process your personal data in a variety of ways, including, but not limited to:
| From you | From third-party sources, such as |
|---|---|
| When you submit a curriculum vitae (CV), recruitment cover letter or similar document. | Job forums, recruitment agencies, partners. |
| Former employers when and if gathering references. | |
| When you directly provide us with some personal information or documents containing personal information. | Public sources, such as professional social media (LinkedIn), public registers, etc. |
| Sources where we posted a vacancy announcement. |
5. What Personal Data Do We Process?
We collect and process the following types of personal data as outlined below. Please note that we may also collect certain other information, which may be required under the applicable law.
| Data | Description |
|---|---|
| ID Data | |
| Full name | This includes your first name, last name and middle name, if any. |
| Nationality | Means the country of your citizenship. |
| Date of birth | Means the date when you were born. |
| Photo | Your photo will be used to create an internal corporate profile. |
| ID document information | This includes your passport or ID card and associated information. |
| Extract from the public register, confirming the status of an individual entrepreneur | You are required to provide us with this extract if you are registered and act as an individual entrepreneur. |
| Taxpayer identification number | This is a unique number assigned by the respective tax authority. |
| Payment Data | |
| Payment details | This includes your account details, such as: IBAN code or account number, name of beneficiary, name of account, etc. |
| Consideration amount | This includes amounts of fees, consideration and other remuneration due to you for the performance of Engagement. |
| Contact Data | |
| Your contact details | This includes your email address, phone number, and social media nicknames, such as Telegram handle, Skype link, Linkedin account etc. |
| Address of residence | This includes information about the country of residence, city, ZIP code, name of the street, building and/or apartment number. |
| Proof of address | It means the respective document, confirming your residential address and associated information. |
| Emergency contact phone number | This includes the phone number of a person of your choice who we may contact in case of an emergency when we cannot reach you out. |
| Children Data | |
| Information about children | This includes information on the presence and number of children. This information is optional and provided at your discretion. |
| Date of birth | This includes information about each child’s date of birth. This information is optional and provided at your discretion. |
| Other Data | |
| CV Data | This may include your biography, full name, date and place of birth, information about your education, English level, contact details, recent job places, job descriptions, professional experience, working hours, links to your social media accounts, and any other information contained in your CV, recruitment cover letter or similar document. |
| Information collected from public resources | This may include information that you made publicly available. |
| Information collected from former employers when and if gathering references | This may include information about your professional skills, performance reviews, etc. |
| Information collected from job forums, recruitment agencies, partners or other sources where we posted a vacancy announcement | This may include your CV(s) and associated information, performance reviews, recent job places, job descriptions, professional experience, etc. |
| Other data requested by us or data that you choose to provide us with | Please do not provide personal data unless it is reasonably necessary or requested by us. |
6. How Do We Use Personal Data?
| Description | Lawful Basis for Processing | |
|---|---|---|
| ID Data | ||
| To identify you as an individual and verify your identity. | To take steps at your request prior to entering into a contract (i.e., to engage you) 一 if you reach us for the Engagement (e.g., apply for a vacancy posted by us). |
Our legitimate interest: a) to create and personalise your corporate profile 一 with respect to your photo; andb) to protect our rights and legitimate interests or those of third parties in a case of any violation of your obligations in relation to the Engagement.Our legal obligation to keep and retain information about our counterparties to comply with the applicable laws.b) to protect our rights and legitimate interests or those of third parties in a case of any violation of your obligations in relation to the Engagement.Our legal obligation to keep and retain information about our counterparties to comply with the applicable laws. |
| To prepare and execute the relevant agreements (such as service agreement or non-disclosure agreement) in relation to the Engagement. | To perform a contact with you 一 if we enter into the Engagement with you. | |
| To maintain personnel records.< | ||
| To arrange your personal medical insurance | Our legitimate interest to take out personal insurance on your behalf. | |
| Our legitimate interest to conduct a background check to determine whether you have any criminal or administrative liabilities. This is necessary to help reduce risk for criminal activities such as violence, abuse, theft, etc. | ||
| Payment Data | ||
| To make payments in relation to the Engagement. | To perform a contact with you. | Our legal obligation to keep and retain the financial records to comply with the applicable laws. |
| To maintain financial records and administer the respective payments. | ||
| Contact Data | ||
| To contact you with respect to the Engagement. | To take steps at your request prior to entering into a contract (i.e., to engage you) 一 if you reach us for the Engagement (e.g., apply for a vacancy posted by us). |
Our legitimate interest: a) to achieve these purposes; andb) to reach you if you failed to respond to us 一 with respect to the emergency or additional phone number. |
| To respond to you regarding the Engagement or this Privacy Notice. | To perform a contact with you 一 if we enter into the Engagement with you. | |
| To transfer necessary equipment, materials and other items for the performance of the Engagement. | ||
| Children Data | ||
| To build an internal corporate culture and friendly work environment by providing your children with corporate gifts on certain holidays. | Our legitimate interest to achieve this purpose. | |
| Other Data | ||
| To assess your professional experience and skills. | To take steps at your request prior to entering into a contract (i.e., to engage you) 一 if you reach us for the Engagement (e.g., apply for a vacancy posted by us). | |
| To determine whether you fit for the respective position. | Our legitimate interest: a) to interview you to achieve these purposes 一 if we reach you for the Engagement (e.g., contact you via the contact details indicated in your CV posted on any job forum); and b) to create candidate databases in order to further reach you as a potential candidate for the Engagement. |
|
| To perform a contract with you 一 if we enter into the Engagement with you. | ||
7. How Long Do We Process Your Data?
As a general rule, we keep personal data as long as it is necessary for the purposes it was collected. We may process certain personal data longer than outlined below, if it is necessary:
a) to meet our legal obligations under the applicable law;
b) in relation to anticipated or pending legal proceedings; or
c) to protect our rights and legitimate interests or those of third parties.
| Data | Storage Period | Rationale |
|---|---|---|
| ID Data Contact Data Other Data |
For ten (10) years after the expiration or termination of your Engagement, regardless of reason 一 if we or our affiliate entered into the Engagement with you. | We set this retention period due to: a) our legal obligations to keep and retain the business records to comply with the applicable laws; and b) our legitimate interest to protect our or third-party rights in case of any violation of your confidentiality or other obligations in relation to the Engagement, that are construed to survive its termination or expiration. |
| Until the expiration or termination of your Engagement, regardless of reason 一 with respect to your photo provided for the corporate profile. | We need your photo as long as your corporate profile is active, i.e., until you remain our employee or contractor. | |
| For three (3) years after either, we or you, reject the Engagement 一 with respect to Other Data and if we have not hired or engaged you. | We need this data to create candidate databases in order to be able to reach you as a potential candidate for the Engagement. | |
| Children Data | Until the expiration or termination of your Engagement, regardless of reason. | We need this data to provide your children with the corporate gifts on certain holidays as long as you remain our employee or contractor. |
| Payment Data | For six (6) years from the end of the last financial year the Payment Data relates to. | We set this retention period due to our legal obligations to keep and retain the financial records to comply with the applicable laws. |
8. How Do We Share Your Data?
General. We do not sell or rent out your data. However, we may share your personal data in accordance with this Privacy Notice, Applicable Legislation, or with your consent, in each case for the purposes of and if it is reasonably necessary for:
a) performance of the Engagement and our undertakings with you in connection therewith;
b) maintenance of and securing the personnel records; or
c) compliance with the applicable laws and regulations.
Please note that if we share any portion of your personal data with third persons, we will endeavour to secure such transfer using appropriate legal, organisational, and technical measures.
Recipients. Given the purposes outlined above, your personal information is shared with the following categories of recipients:
a) our affiliates, meaning any person controlling, controlled by, or under the same control as we;
b) our personnel, contractors and consultants, who are required to have such data in connection with your Engagement and on a “need-to-know” basis, such as our legal department for conducting the paperwork, financial department for administering payments, English department for conducting level checks, etc.;
c) our partners, clients and customers, who are required to have such data on a “need-to-know” basis, for example, if you are engaged to provide certain services to any of our clients (outsourcing);
d) payment processors and/or payment service providers to make payments to you;
e) CRM systems and other systems for the data management and storage, whether internal or external;
f) insurance companies;
g) government authorities, upon their request or if necessary to comply with our legal obligations; and
h) another entity by virtue of succession, including as a result of merger, reorganisation, acquisition, or liquidation.
9. Do We Transfer Your Personal Data to Third Countries?
Sometimes we may transfer your personal data to countries that do not offer the same level of data protection as the laws of the European Union, EEA or your country. In case we transfer your personal data to a country that does not maintain the “adequate” level of data protection, as defined by the European Commission, we will put in place suitable safeguards, which give you more protection and control regarding your personal data, and take reasonable steps to ensure that your privacy rights continue to be protected as outlined in this Privacy Notice and provided for in the Applicable Legislation. As a general rule, we will use the Standard Contractual Clauses (special documents developed by the European Commission) as an appropriate safeguard. You may reach us via the contact details indicated herein to ask whether your personal data is subject to transfer to a third country.
10. Are You Subject to Automated Decision-Making?
According to the Applicable Legislation, you have the right not to be subject to a decision based solely on automated processing of data, including profiling, which produces legal effects concerning you or similarly significantly affecting you. Automated decision-making is the process of making a decision by automated means without any human influence on the outcomes. A process might still be considered solely automated if a human inputs the data to be processed, and then the decision-making is carried out by an automated system.
We do not make any automated decisions based on your personal data, including profiling, which produce legal effects concerning you or similarly significantly affect you. If we intend to do so, we will do our best to inform you about the same in advance.
11. What About Securing Your Personal Data?
We strive to do our best to keep your personal data secure. We always review and update appropriate technical and organisational measures to:
a) keep your personal data secure in accordance with the Applicable Legislation, our internal policies and procedures regarding the storage of, access to, and disclosure of personal data; and
b) protect you against unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to them.
We endeavour to implement and maintain reasonably necessary technical and organisational measures to protect the confidentiality, integrity and availability of your personal data. Your personal information may undergo anonymisation, pseudonymisation, and/or encryption to ensure safe transfer and/or processing.
12. What Data Subject Rights Do You Have?
General. According to the Applicable Legislation, you may have the rights outlined below. In order to exercise your rights as a data subject, we may request certain information from you to verify your identity and confirm that you have the right to exercise such rights.
Data Subject Rights. According to the Applicable Legislation, you may have the following rights:
| Rights | Description |
|---|---|
| Right to access your personal data (commonly known as a “data subject access request”) | This enables you to (i) ask us whether we process your personal data, and (ii) request certain information about the processing activity and/or a copy of the personal data we hold about you as well as (iii) check that we are lawfully processing it. |
| Right to rectification of the personal data | This enables you to have any incomplete or inaccurate data we hold about you completed or rectified, though we may need to verify the accuracy of the new data you provide us with. |
| Right to erasure of your personal data (commonly known as a “right to be forgotten”) | This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal or technical reasons which will be notified to you, if applicable, at the time of your request. |
| Right to object to processing of your personal data | This enables you to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. |
| Right to restrict the processing of your personal data | This enables you to ask us to suspend the processing of your personal data in the following scenarios: (i) if you want us to establish the data’s accuracy, (ii) where our use of the data is unlawful but you do not want us to erase it, (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims, (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. |
| Request the transfer of your personal data (commonly known as a “right to the data portability”) | We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. |
| Right to withdraw consent | You may withdraw your consent at any time where we are relying on consent to process your personal data. |
| Right not to be subject to automated decision-making | You reserve the right not to be subject to a decision based solely on automated processing of data, including profiling, which produces legal effects concerning you or similarly significantly affecting you. Please note that currently you are not subject to the automated decision-making, which produces legal effects concerning you or similarly significantly affecting you. |
| Right to file a complaint | You may file a complaint with a relevant supervisory authority in case we violate your rights or obligations imposed on us under the Applicable Legislation. The relevant supervisory authority may depend on the place where you are located.
The details of the Cyprus data protection supervisory authority: |
13. Can We Modify and Update this Privacy Notice?
We keep our Privacy Notice under regular review and we may update it at any time. If we make any changes to this document, we will change the “Last Updated” date above. If we make substantial changes to the way we treat your personal information, we will notify you about the same prior to the change becoming effective.