Privacy Policy

The Nors Group’s Recruitment Platform

1. SCOPE

1-A This Privacy Policy serves to comply with your right to information regarding the processing of your personal data, whenever you interact with us or send us your curriculum vitae and associated personal information through this platform.

2-Through this privacy statement, we also wish to express our obligation to uphold your privacy and protect your personal data.

3-As such, we make this duty a daily priority in the course of our business, as we comply with and enforce the terms of the General Data Protection Regulations of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of such data (GDPR), amended on 23 May 2018 (Official Journal of the EU L 127/2) and corrected on 12 October 2020 (Council of the European Union), as well as Portuguese Law 58/2019 of 8 August, which ensures the implementation of the GDPR in the Portuguese internal legal system.

4- For us to start, continue and conclude a selection and recruitment process, we need to process your personal data, this document serving to provide you with the information required by law.

5-If you have any queries, comments or suggestions to make about this Privacy Policy of our recruitment platform, please contact us, using the contact details indicated in point 14 of this policy.

2. GENERAL PRINCIPLES OF OUR PRIVACY POLICY

1-Within the scope of your relationship with us, whenever you access our recruitment platform and provide us with your personal data or interact in such a way that we are able to collect them, namely through the forms we make available and through cookies, we would like to underline that you are accepting our Privacy Policy, and your personal information is processed in accordance with the rules and concepts made known and provided for herein, including any amendment that comes to be made.

2- This policy supports us in the underlying principles that are outlined below, which we consider to be essential activity drivers:

Only duly authorised people process the personal data that are strictly necessary for specific and legitimate purposes;

ii) We consider the security of the processing of your data to be a constant priority, and we review it periodically in accordance with the technological innovation in which we regularly invest;

iii) We know that personal data belong to the data subjects, and so we are bound to only process them in accordance with the legal rules in force, respecting and enforcing respect for your rights;

iv) We foster Privacy, Data Protection and Information Security best practices, which we disclose internally and review regularly, as we believe our improvement process to be continuous, acknowledging that it is always possible to do more and better.

3. CONCEPTS AND INFORMATION FOR DATA SUBJECTS

1- Within the scope of and for the purpose of this policy, we follow the definitions contained in article 4 of the General Data Protection Regulations, namely the ones indicated below, without excluding compliance with the other definitions indicated therein:

i) Personal Data - personal data are any information regarding an identified or identifiable natural person, a natural person being considered to be identifiable if they can be directly or indirectly identified, namely by referring to an identification number or one or more specific aspects of their physical, physiological, psychological, economic, cultural or social identity.

i) Processing - an operation or series of operations carried out on personal data or on sets of personal data, by automated or manual means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

iii) Consent - from the data subject, embodied in an expression of free, specific informed and unequivocal desire, by which the data subject, through a statement or unequivocal positive act, accepts that the personal data related to them is subject to processing.

iv) Data Controller - a natural or legal person, public authority, agency or other body that, individually or in conjunction with others, determines the purposes and means of processing personal data.

v) Data Processor - a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller of such data.

4. WHO IS THE CONTROLLER

The companies of the Nors Group to which the candidate submits their application are the ones who determine the respective purposes and means of processing the data, each one being considered to be the controller, pursuant to the General Data Protection Regulations, EU Regulation 2016/679 of 27 April 2016, and subsequent alterations, whose contacts can be obtained at www.nors.com

5. WHAT PERSONAL DATA DO WE PROCESS ON OUR RECRUITMENT PLATFORM?

1-We follow the definition set out in article 4, paragraph 1 of the General Data Protection Regulations, according to which personal data are considered to be information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be directly or indirectly identified, in particular by reference to an
identifier, such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2-The Nors Group processes the following categories and respective types of personal data (which you transmit to us during the application process):

(i) Identification data, such as your name, nationality or identification document, date of birth, tax identification number and social security number;

(ii) Contact data, such as your address, telephone/mobile phone number and email address;

(iii) Data on your personal situation (if applicable): residence permit/work permit and data regarding the immigration process;

(iv) Professional data: Data regarding your professional experience, data contained in your curriculum vitae, including employment history, academic qualifications, professional and academic certificates, professional references and recommendation letters;

v) Demographic data (country or region of residence);

vi) if necessary and applicable, we will also process data regarding licenses and data regarding your driving license:

3- Within the scope of the recruitment and selection process, we may collect information that might reveal your racial or ethnic origin (for example, when you indicate your nationality or if you include a photograph on your CV). Such information constitutes special data categories, pursuant to the General Data Protection Regulations.

4. We only collect the above personal information if you have made them expressly public, if you have given us your explicit consent or if their processing is necessary due to a legal obligation to which the NORS Group is subject.

5-Only if permitted by law and appropriate with regard to the role to be carried out by the applicant, we may also collect personal data related to criminal convictions or offences (for example, a copy of your criminal record).

6. WHAT ARE THE PURPOSES FOR PROCESSING YOUR PERSONAL DATA

1- Within the scope of our recruitment platform, the Nors Group processes your personal data for the following purposes:

i) Recruitment and Selection, in accordance with the vacancies that are advertised by us;

ii) Processing spontaneous applications that are sent to us;

iii) Processing applications for internships.

7. FOR HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

1- The personal data are processed in strict compliance with the applicable legislation and are stored in specific databases created for that purpose.

2-The period of time during which the data are stored and retained varies depending on the purpose for which your personal information is processed. As such:

i) Pursuant to the labour law, we keep records of the recruitment and selection processes for a period of 5 (five) years.

ii) In the case of spontaneous applications, we keep your data for a period of 2 (two) years, after which we will securely erase them.

iii) The General Data Protection Regulations determine that after fulfilling its purpose, the personal information must be erased, while, in the case of vacancies, and if you are not selected for the position for which you applied, if we deem fit, we will request your consent and on that basis alone we will keep the personal information for a period of 1 (one) year for the purpose of considering it for a possible future vacancy, guaranteeing that you have the right, at any given time, to withdraw your consent.

8. ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?

1-Your personal data are processed by us within the scope of our recruitment platform in strict observance of the principle of lawfulness.

2- Depending on the circumstances, your personal data may be processed based on the following legal grounds:

i) Pre-contractual proceedings at your request when you apply for the vacancy;

ii) our legitimate interests, when we process your personal information within the scope of a spontaneous application for a possible future vacancy.

9. TRANSMISSION OF DATA TO SUBCONTRACTORS (DATA PROCESSORS)

1- For the purpose of pursuing the purposes envisaged in the previous paragraphs, the Nors Group may, if it deems fit, transmit your data to subcontractors (data processors) for the identified purposes, that is, consultancy firms, vocational training companies, building management companies, or access control companies, IT system maintenance companies and IT platforms, companies that carry out psychotechnical tests, pursuant to the contracts entered into with them, as well as other companies of the NORS Group.

2- Should we use subcontractors who process your data on our behalf, which implies those entities accessing those data, we take the appropriate, contractually-envisaged measures in order to ensure that those subcontractors present sufficient, appropriate guarantees of implementing technical and organisational measures and that they will only act in accordance with our documented instructions, and will process the data only for the envisaged purposes and will delete them or return them at the end of the service provided.

3-In accordance with that set out in the previous paragraph, the Nors Group declares its most solid commitment to adopt the appropriate security measures to ensure that they guarantee the security of the processing of your data, with the aim of guaranteeing their due confidentiality, integrity and availability, pursuant to the applicable legislation regarding personal data protection.

10. TRANSFERS TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS

Should we communicate your personal data to third countries or international organisations, we will scrupulously comply with the applicable legal provisions and will determine the suitability of the country or organisation in question with regard to the requirements applicable to such transfers, or we will implement appropriate guarantees that enable the data subjects to enjoy enforceable rights and effective corrective legal measures, pursuant to the GDPR.

11. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

1- Pursuant to the GDPR, through the internal organisational measures that we have implemented and periodically review, we guarantee that you may exercise your rights as a data subject, within the deadlines and in compliance with the foreseen legal obligations.

 2- Your rights as a data subject:

i) Right of access - you have the right to ask us for information related to knowing if your data are being processed or otherwise, what data we process and for what purposes, among other things. If you so wish, you may ask us for a copy of your personal data that are being processed, although supply of other copies may be subject to payment of a reasonable fee, taking into account the administrative costs. Should the request be made electronically, and unless indicated otherwise by you, the information will be supplied by us in a generally used electronic format;

ii) Right to Rectification – you have the right that we proceed, without undue delay, to rectify inaccurate personal data concerning you and that incomplete date be completed;

iii) Right to cancellation – also known as right to be forgotten - in certain circumstances, you may ask for your personal data to be deleted from our records, without undue delay, whenever for one of the reasons provided for in the GDPR;

iv) Right to Object – you have the right to object to the processing of your personal information, for reasons related to your specific situation. It should be noted that the processing of your personal data is essential for the purpose of the recruitment and selection process and the subsequent possible signing of an employment contract. If you object to data processing, we will stop the processing but that will prevent the recruitment and selection process from continuing;

v) Right to Portability – you have the right to transfer your personal data retained by us to another organisation or to receive them in a structured, generally-used, automatic reading format;

vi) Right to Processing Restriction - the right to obtain restriction on the processing of your personal data, when, for example, you intend to dispute the accuracy of your personal data during a period of time that enables us to verify their accuracy, when the processing is lawful or if you have filed your right to object;

vii) Right to lodge a complaint with the controlling entity- in Portugal the control authority is the CNPD- Comissão Nacional de Proteção de Dados (www.cnpd.pt);

viii) Right to demand compensation and accountability- if you have incurred material or immaterial losses due to a breach of the GDPR you have the right to receive compensation from the data controller or processor for the losses incurred;

ix) Right not to be subject to automated decisions- you have the right not to be subject to any decision taken exclusively based on automated processing, including the definition of profiles, which is effective in your legal domain or that significantly affects you in a similar way;

x) Right to easily withdraw the consent given. It should be noted that if you withdraw your consent, the lawfulness of the processing carried out based on the previously given consent is not compromised, pursuant to the law.

3- For the purpose of exercising these rights, please refer to point 14 of this Privacy Policy, infra.

4- After expressing to us your wish to exercise one or more of the rights indicated, in an email or by another means, we will act accordingly, and within the legal deadline of 30 (thirty) days, you will receive a duly substantiated communication from us.

5- The legal deadline mentioned in the previous paragraph may extend to 60 (sixty) days, due to the number or complexity of the requests.

13. WHAT MEASURES HAVE WE IMPLEMENTED TO GUARANTEE THE SECURITY OF YOUR PERSONAL DATA?

a) We have adopted appropriate technical and organisational measures to ensure the right level of security for the risk, which we review and improve periodically, and these are aimed at guaranteeing the security and protection of your personal data with regard to their availability, authenticity, integrity and confidentiality, as well those aimed at preventing their loss, inappropriate use, alteration, processing or unauthorised access, and also any other form of unlawful processing.

b) Our commitment to the security of your personal data is permanent, which is a commitment that involves a series of measures aiming to safeguard and mitigate the risk of breach of those same data, namely the measures provided for in article 32 of the GPDR, depending on the risk, context and purposes, among which the following should be highlighted:

i) Personal data pseudonymisation and coding;

ii) The ability to ensure the constant confidentiality, integrity, availability and resilience of the processing systems and services;

iv) The ability to re-establish the availability of, and access to, personal data in a timely manner, in the case of a physical or technical incident;

v) A process to regularly test, assess and evaluate the efficacy of the technical and organisational measures in order to guarantee the security of the processing.

c) The level of security that we implement takes into account the risks that the processing presents, considering the particular risks of destruction, loss, accidental or unlawful alteration, unauthorised dissemination of, or access to the personal data transmitted, retained or subject to any other type of processing;

d) Please note that despite our very best endeavours regarding security issues, and notwithstanding their constant verification, we cannot fully and absolutely guarantee the inviolability of the information received, taking into account the insecure nature of open networks, as is the case of the Internet.

14. WE HAVE NOMINATED A DATA PROTECTION OFFICER

1- The Nors Group companies in Portugal have appointed their Data Protection Officer (DPO) to monitor and ensure correct compliance with the internal policies and applicable legal regulations regarding personal data protection, and their name and contacts have been communicated to the competent control authority.

2-If you have any doubts or questions about the way we collect and process personal data you may contact the Data Protection Officer

Portugal:

Contacts of the Data Protection Officer 
_________________________________________________
Name:
David Santos Barata
Email: dpo@nors.com

Brazil:

Contacts of the Data Protection Officer 
_________________________________________________

Name: Regina Ferroni
Email: lgpd@nors.com

Other countries: 

Contacts of the Data Protection Officer 
_________________________________________________
Name: dpo@nors.com

15. CHILDREN’S DATA

1. We do not collect or intend to collect children’s personal data on our recruitment platform, in the light of the recipients of the services we provide;

2. Pursuant to article 8 of the GDPR, a child’s personal data may only be subject to processing based on the prior consent provided for in sub-paragraph a) of paragraph 1 of article 6 of the GPDR regarding the direct offer of services of the information society when that child has reached the aged of 13.

3. In the event of our collecting a child’s personal data voluntarily, we shall take every care to comply with the legislation in force on that matter, namely by obtaining prior parental consent for the processing of personal data to be carried out, in which case we use, if possible, secure authentication means, as provided for in Law 58/2019 of 8 August.

16. LINKS TO OTHER WEBSITES

1-Our recruitment platform may contain links that lead to other websites.

2- The NORS Group is not responsible for, does not approve, or by any other means support or subscribe the content of such websites, or their policies, including the websites linked to them or referred to therein.

3- So that the user can be duly informed, we advise them to read the privacy policies of any other website that is linked to our recruitment platform.

17. WHAT WILL WE DO IF THERE IS A BREACH OF PERSONAL DATA?

1-If a breach of personal data takes place, that is, a breach of security that accidently or unlawfully causes the unauthorised destruction, loss, alteration, dissemination of, or access to, personal data transmitted, retained or subject to any other type of processing, we will comply with the provisions of the General Data Protection Regulations and provide adequate information.

2-If the breach of personal data might implicate a high risk to your rights and liberties, we will communicate with you in a clear and simple language, without undue delay, informing you that the breach of personal data has taken place, providing the legally required relevant information, including:

i) the name and contacts of the data protection officer or another point of contact where further information may be obtained;

ii) a description of the probable consequences of the breach of personal data;

iii) outlining the measures adopted or proposed by us to remedy the breach of personal data, including, should it be the case, measures to mitigate its possible negative effects.

3-If it is not possible to supply all that information at once, it will be supplied to you in phases, which we will do without undue delay.

18. USE OF COOKIES

1-Our recruitment platform uses cookies.

2-To find out more about cookies, particularly which cookies we use on our recruitment platform and their function, duration and accessibility or otherwise by third parties, among other relevant information, namely, how to manage them in your Internet browser, please refer to our Cookies Policy (please insert link to the cookies policy).

19- EMPLOYEE TRAINING

1-We believe that the human factor is crucial with regard to compliance with the applicable regulations concerning personal data protection.

2- That is why we provide initial and subsequent training to all our employees, ensuring that in a uniform manner, everyone is aware of the applicable rules and best practices in order to protect the personal information that you provide to us.

20. REVIEW OF OUR PRIVACY POLICY

We reserve the right to alter the content of the Privacy Policy of this recruitment platform without prior warning, without prejudice to our making known and publishing the alterations made, such alterations being an integral part of the Privacy Policy.

21-VERSIONS OF OUR POLICY

Version 1    |     September 2021