Documentation GDPR / DSGVO (Status 07/2021)
​
1. Purpose of data processing
Convidis AG is a total service provider in the personnel sector. The company is headquartered in Glattbrugg. The services offered are Assessments.
​
As a personnel service provider, Convidis AG is in possession of a large number of data records of individuals and companies. Convidis AG's entire IT is outsourced to an external service provider, Aproda AG, based on Microsoft 365 Services from Microsoft Schweiz AG. In addition, it uses the CRM tool HR4YOU. The data is stored redundantly in Germany and Ireland.
2. Listing of the providers involved / disclosure of the data processing chain
The providers involved are:
HR4YOU AG
Ulbarger Street 52
D-26629 Grossefehn
Aproda AG
Birkenstrasse 43B
CH-6343 Rotkreuz​
Microsoft Switzerland AG.
Richtistrasse 3
8304 Wallisellen
Scharley & Partner MDC GmbH
Döbelestrasse 16
D-78462 Constance
papilio AG
Bellerivestrasse 16
CH-8008 Zurich
3. Contracts between Convidis and data processors
3.1 HR4YOU AG
The order for data processing according to §11 BDSG and the documentation of the "technical and organisational measures" according to §9 BDSG are included in the contractual relationship between Convids AG and HR4YOU AG. To ensure that all formal and data protection obligations according to DSGVO are also fulfilled in the future, HR4YOU has provided Convidis AG with a contract amendment as of 25.05.2018.
This agreement replaces, as of 25.05.2018, the previous contractual regulations that were made for commissioned data processing in accordance with §11 BDSG together with technical and organisational measures in accordance with § 9 BDSG. The agreement consists of the "Contract on commissioned processing pursuant to Art. 28 DS-GVO" and the "technical and organisational measures pursuant to Art. 32 EU-DS-GVO".
3.2 Aproda AG
Aproda AG has defined a data protection and data security concept within the scope of the DSGVO and entrusted it to Convidis AG. It has also defined and implemented technical and organisational measures as part of the ISO certification at the St.Gallen site.
3.3 Microsoft Switzerland AG
Microsoft complies with all laws and regulations applicable to the provision of the services by Microsoft, including security breach notification laws and data protection regulations. However, Microsoft is not responsible for compliance with any laws or regulations applicable to Customer or its industry and not generally applicable to information technology service providers. Microsoft does not determine whether professional services data contains information that is subject to particular laws or regulations. All security incidents are subject to the security incident reporting provisions below.
3.4 Scharley & Partner MDC Ltd.
The contractor shall provide the client with an online platform containing electronic tests
and/or questionnaires for self-assessment and assessment in a professional context.
context. In these tests and/or questionnaires, personal data of the client or the candidates are collected. This data is electronically evaluated, statistically processed and made available to the client in the form of a results report. In all of the above cases, the contractor processes personal data within the meaning of Art. 4 No. 1 of the German Data Protection Regulation (DS-GVO) for the client in accordance with Art. 4 No. 2 and Art. 28 of the DS-GVO.
3.5. papilio AG
Papilio complies with the statutory provisions on data protection. All personal data collected in the course of registration or arising during use and protected by the Swiss Data Protection Act or the European Data Protection Regulation will be used exclusively for the purpose of fulfilling the contract.
4. Definition of the candidate's consent to the storage and processing of his/her personal data
With the consent and active interest in one of our services, the candidate (applicant) agrees to the storage and processing of data. If a person wishes that the data no longer remain stored in our system, the deletion will first be confirmed by e-mail and the data subsequently deleted. The main responsibility for this lies with the respective consultant.
Candidates who come for the assessment are informed as follows in the invitation to the assessment, which is sent via HR4YOU:
"By taking part in the assessment, you agree that we may store and evaluate your data and documents electronically. We guarantee that we will treat all information about you as strictly confidential."
​
