Publisher in charge
The responsible publisher of this Website is Contraste Europe SA, headquartered at Avenue Arianelaan N°5 – 1200 Brussels, Belgium (registered for VAT under the number BE 451.992.086 Company number 0451.992.086). You can contact the company by phone +32 (0)2 730 79 80 or by email ContrastePrivacy@contraste.com.
Contraste Europe is the data controller for the collected data on this Website. The Data Protection Officer of Contraste Europe is Robin Smets. You can contact him for privacy requests by mail ContrastePrivacy@contraste.com.
Contraste Europe is a group of companies offering IT services and solutions to corporate clients. It operates exclusively in the B2B market and does not offer its services to individuals.
The group consists of the following companies: Amsit, Audaxis, Contrast Consulting, Contraste Europe, Defimedia, The Digital Journey.
The group operates in Luxembourg, Belgium, France, Switzerland and Tunisia.
In this policy, we use the name Contraste to refer to all group companies.
This policy documents Contraste’s policy as a Controller, in other words, all aspects of the processing that Contraste applies to personal data under its direct control.
What personal data is collected about users on this Website?
Users can provide personal information to Contraste on this website by navigating, applying online or using the contact form.
For each request through the contact web form, Contraste Europe collects the following information:
Name, First name, Company, E-mail, Subject, Message
During navigation, our server stores a server log consisting of your IP address and request history (such as page requests).
Why Contraste stores and uses this personal data
Contraste maintains server logs with the goal of detecting intrusions and fixing bugs on the Web site to ensure system security.
Contraste maintains data on professionals seeking employment. These personal data are mainly used to assess the suitability of the candidate for a proposed job by Contraste or a client of Contraste (qualification, experience…). More information at https://www.contraste.com/en/contraste-europe-privacy-policy-candidates
Contact web form
The information provided by the user through the Contact Web form is used only to respond to the user’s request. With the user’s express consent, his personal information may also be used to send him mailings on work-related topics (new service offerings, participation in trade shows…).
Data about users is used only for these purposes.
How Contraste collects this personal information
Contraste creates and maintains data about users through the following sources of information:
- Users send an email to email@example.com;
- Users send a mail to the “info” mail of a Contraste group company;
- Users apply for jobs online through the Webform;
- Users send a request via the Contact Web form;
- Server log
Who processes users’ personal data?
Contraste’s IT department (controller) and Audaxis SAS (hosting company, processor) are the main recipients of the user’s server log for the purpose described above. Access to the server log is secured and supervised. Audaxis SAS, as data processor, guarantees to take all technical and organizational measures to protect data as required by the new General Data Protection Regulation (GDPR) that replaces the Data Protection Directive 95/46/EC.
Contact web form
Contraste’s Sales Department is the main recipient of the user information collected by the Contact Webform for the purpose described above. Depending on the nature of the request, the user’s personal data may be transmitted to other departments/companies of Contraste Europe involved in the request (Recruitment, Marketing, IT, Admin…).
How Contraste collects and stores users’ consent
Consent is required only for candidates and prospects. After initial contact, the candidate/prospect is asked to give explicit consent for data processing via an online form. The consent is stored in Contraste’s system. If Contraste does not obtain the candidate/prospect’s consent, the candidate/prospect’s data will not be stored and processed.
How long does Contraste store users’ personal data and what is the legal basis?
Server logs are kept for 6 months. Storing server logs is legal until the user is properly informed and if it is only with security purposes like intrusion and bugs detection/resolution.
After the candidate’s online opt-in, Contraste retains the data for 2 years according to the recommendations of the data protection authorities and only with the express consent of the candidate. Based on its legitimate interest, Contraste Europe keeps a minimum of personal information about the candidate (first name, last name, mail address, phone number) for the proper functioning of the recruitment department.
Personal data from the contact form are kept for the time necessary to answer the user’s request. The retention period is variable and depends on the complexity of the request. When a user submits a contact form, he should expect to receive a response.
If the request is commercial, after opt-in, Contraste keeps data for 3 years after the last contact according to the recommendations of the privacy authorities and only with the express consent of the candidate.
Data subject’s rights regarding personal data
Regarding the new General Data Protection Regulation (GDPR), users have the following rights regarding their personal data stored by Contraste:
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten).
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right not to be subjected to a decision based solely on automated processing
To exercise any of these rights, data subjects may send an e-mail to ContrastePrivacy@contraste.com with the reason for the request. Contraste will provide any requested information regarding any of the data subjects’ rights within one calendar month of receiving the request. If Contraste receives large numbers of requests or particularly complex requests, the deadline may be extended by up to two months.
For security reasons, Contraste will proceed with an identity check of the requester upon receipt of a request. To this end, the receipt will include the invitation to do one of the following:
Forward a scan of an official proof of identity (identity card, passport) along with a copy of a recent utility bill (telephone, electricity…) that clearly shows the person’s name and address.
Setting up a telephone conversation, where a number of questions can be asked, with the answers being compared to the personal data in Contraste’s database.
The request is processed if and only if positive authentication is achieved.
Contraste never shares personal data with any other organization outside the Contraste Europe Group, with the exception of identified data processors. As part of the recruitment process, data processors of candidates’ information are:
- Clients of Contraste seeking consultants
- Microsoft Dynamics CRM
- Microsoft Office 365
For the web hosting of this Website, the data processor is Audaxis SAS.
As a data processor, they guarantee the implementation of all technical and organizational measures to protect data as required by the new General Data Protection Regulation (GDPR) that replaces the Data Protection Directive 95/46/EC.
Security measures for technical information
List of security measures
Contraste Europe uses a networked IT infrastructure, which allows its employees to communicate and use applications and services internally and with third parties. Contraste has established several security measures covering the following areas:
- User awareness
- Authenticate users
- Managing authorizations
- Track access and manage incidents
- Securing workstations
- Securing mobile computing
- Securing the computer network
- Securing the servers
- Securing websites
- Store and plan for business continuity
- Secure archiving
- Oversee the maintenance and destruction of data
- Manage outsourcing
- Secure exchanges with other organizations
- Protecting the buildings
- Guide IT developments
- Encrypt, guarantee integrity or sign
- Contraste regularly tests and enhances these security measures.
Detection of security breaches
Any event that poses a potential threat to personal data should be considered a Security Breach. A threat can be of various types: loss, alteration, corruption or exposure to third parties.
Events that should be considered a threat include:
- Intrusion of a third party into the corporate network.
- Infection of one or more devices by malware, including a virus, rootkit, …
- Loss of a USB key containing files with personal data.
- Loss of a personal computer, tablet or smartphone that contains or can access files containing personal data.
- Security breach at one of our data processors
Contraste has taken a number of measures to detect each of these events immediately.
When conducting a risk analysis, Contraste first identifies the potential harm (physical, material or moral) associated with a processing activity. Next, we evaluate the severity of the harm that could result. Finally, Contraste assesses the likelihood of the event by analyzing the vulnerabilities of their systems and operations and the nature of the threats. The risks are classified as “high risk,” “risk” and “low risk.”
Reporting security breaches to authorities
If the security breach could lead to a threat to the affected individuals, such as identity theft, fraud, financial loss or influence, Contraste will notify the authorities.
This notification must occur within 72 hours of the positive determination of the security threat. If this deadline is exceeded, the additional delay must be justified.
Notification of security breach to affected individuals
If the risk to those affected is considered high, they should also be informed. If in doubt about the extent of the risk, the authorities may be contacted for verification.
If the situation requires notification to those affected, they should also be provided with guidance on how to mitigate the risk.
The data controller is a natural or legal person (for example, a company), a public authority, an agency or another body which, alone or jointly with others, determines the purposes and means of processing personal data.
For example, Contraste is a legal entity that is the data controller for processing personal data of its employees in the context of its human resources management.
GDPR, Art.4 (7)
The processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of and purely on the instructions of the controller.
An employee of the controller is not considered a processor.
GDPR, Art.4 (8)
Processing personal data
A processing of personal data is any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means (e.g. software), such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
GDPR, Art.4 (2)
Personal data refers to any information about an identified or identifiable natural person, also referred to as the data subject. A person is considered identifiable when a natural person can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier, or by one or more elements characterizing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Source: GDPR, Rec.26; Art.4 (1)
Sensitive personal data
Sensitive personal data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning health or sexual life and sexual orientation; genetic data or biometric data. Data relating to criminal offenses and convictions are treated separately (as criminal law is outside the legislative competence of the EU).”
Source: GDPR, Rec.10, 34, 35, 51; Art.9 (1)
Data Privacy Authorities
Data Protection Authority
Rue de la Presse, 35
Telephone +32 2 274 48 00
Commission Nationale de l’Informatique et des Libertés (CNIL).
3 Place de Fontenoy
F-75334 Paris Cedex 07
Telephone +33 1 53 73 22 22
National Commission for Data Protection (CNDP).
1, avenue du Rock’n’Roll
Telephone +352 26 10 60 1
European Data Protection Supervisor