who are you?
Learn what we can do for you in specific situations to ensure your privacy.
your privacy matters to us
This data protection notice applies to the processing of personal data we collect when you visit our website or use our mobile app and when we provide our Services to you, and to the processing of personal data of persons who work for companies with which we conduct (or intend to conduct) business.
Your privacy and the security of your personal data are important to Randstad Romania SRL and the rest of the Randstad Group companies. We are responsible for ensuring that all personal data entrusted to us is processed in accordance with applicable data protection legislation.
This notice explains who we are, for what purposes we may use your personal data, how we handle it, to whom we may disclose it, where it may be transferred to or is accessible from and what your rights are.
-
about Randstad
Randstad România SRL, registered at the Bucharest Trade Registry under no. J40/8174/2005, unique registration code 17549799, together with its affiliated companies in Romania within the group, namely Randstad Staffing SRL, a limited liability company established and operating under Romanian laws, with headquarters at Bulevardul Dacia 153-155, floor 6, space B, sector 2, Bucharest (referred to in this notice as: “we” or “us” or “Randstad”), will process your personal data in accordance with this data protection notice (such personal data sometimes also referred to as “information”).
Except as otherwise set out below, Randstad is the controller of the personal data (‘controller’ within the meaning of applicable data protection legislation).
For the efficient operation and management of our business, Randstad Group Companies may in certain instances jointly define the purposes and means of Processing Personal Data (joint controllers). Examples of processing activities where Randstad Group companies jointly process personal data are those related to managing our Misconduct Reporting Procedure and Sanctions checks, which we do jointly with Randstad N.V. Please contact us (see the section “Contact us” below) if you want to know more about these jointly-controlled processing activities or would like to receive a summary of the joint controllers’ roles and responsibilities and/or exercise your data protection rights regarding any jointly-controlled processing of your personal data.
-
HR technologies
Our ultimate goal is to support people and organizations in realizing their true potential
We believe that the best way to achieve that goal is by combining our passion for people with the power of today’s HR technologies. By HR technologies we mean technologies that help us digitize and enhance a variety of recruitment-related processes.
For example, we use chatbots to improve your talent experience. Chatbots give candidates the opportunity to answer questions based on the requirements of the job they apply for. This is a user-friendly way for candidates to:
- provide us with relevant information that may not be readily apparent from the application, profile or resume of a candidate.
- know promptly whether their skills meet a job’s essential requirements and, if not, to easily explore other jobs or to identify gaps in their skillset.
- answer at any moment convenient to the user.
As part of the larger recruitment process, HR technologies allow us to connect candidates more quickly to our consultants. This, in turn, allows our consultants to better support candidates in exploring jobs and to deliver the right candidates more quickly to our clients. HR technologies also allow our consultants to find people based not only on the jobs they qualify for but also on the basis of jobs they are interested in.
Improving the client experience
HR technologies help us to search through a broader and more diverse set of candidates so that we become even better at finding the best talent with the most relevant skill-set for our clients. Thanks to these technologies our consultants can focus on the tasks that require genuinely human traits that technology cannot emulate: creativity and emotion.
Web beacons
Our emails may contain a single, campaign-unique "web beacon pixel" to tell us whether our emails are opened and verify any clicks through to links or advertisements within the email. We may use this information for purposes including determining which of our emails are more interesting to users, to query whether users who do not open our emails wish to continue receiving them and to inform our advertisers in aggregate how many users have clicked on their advertisements. The pixel will be deleted when you delete the email. If you do not wish the pixel to be downloaded to your device, you should select to receive emails from us in plain text rather than HTML.
Responsible use of HR technologies
Randstad is committed to the ethical and responsible use of innovative HR technologies (you can read our AI principles here). Randstad does not use these technologies as a substitute for humans or human interaction in any part of its processes. Instead, our use of HR technologies is intended to make interactions with clients and candidates more personal, relevant and meaningful.
We strive to involve human beings whenever we make decisions that significantly impact you. If, in exceptional cases, we were to make such decisions based on a fully automated process (i.e. without involvement of humans), we will only do so where that is permitted by law and after having notified you.
To ensure all candidates are treated fairly we take steps to avoid bias where we use HR technologies. For example:
- We regularly test the output created by these technologies to identify potential unfair bias.
- We regularly obtain expert advice to continuously improve the way in which we identify and remove bias.
- Both our consultants and our search and match algorithms are thoroughly trained and always work together.
-
with whom do we share your personal data?
We may share your personal data:
- with other entities of the Randstad group of companies. We are part of a multinational group of companies and sometimes we may share personal data with other Randstad group companies for the purposes of efficient management of business, compliance with legal and regulatory requirements and to provide our Services to you (including matching) and to our clients. For an overview of these entities, click here.
- with Randstad clients, within the scope of our services, including recruitment and provision of temporary work.
- with third parties providing HR-related services to us (e.g. payroll service providers).
- with third party providers of IT-related services (e.g. we use an external provider to support our IT-infrastructure; e.g. an important part of our software and databases sit in a cloud-environment which is operated by a third party service provider).
- with third party providers of marketing-related services (e.g. we may store your personal data in a cloud-based CRM-application that is hosted and provided by a third party service provider; e.g. when we use a third party service provider to organise an event we may share your personal data with that third party in order to invite you to that event).
- with providers of professional services (e.g. to our auditors, our tax advisors, our legal advisors).
- with banks and insurers (e.g. in order to pay the salaries of our temporary workers we share some of their personal data with our bank).
- with pension funds.
- with public authorities (e.g. pursuant to applicable law Randstad must disclose personal data to the social security authorities and to tax authorities).
- with law enforcement authorities, courts and regulatory authorities (e.g. as part of a criminal investigation police services may require us to disclose personal data to them).
We may also disclose your personal data to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets; or
- if all or a substantial part of our assets are acquired by a third party, in which case the personal data that we hold about you may be one of the transferred assets.
When we share your personal data as described above, such personal data may be transferred both within and outside the European Economic Area (EEA).
In the event that we transfer your personal data internationally, we will only do so in line with applicable law, and we will require that there is an adequate level of protection for your personal data, and that appropriate security measures are in place.
Your personal data may be transferred from countries located within the EEA to countries located outside of the EEA (such as the United States). In such cases, we will require that the following safeguards are observed:
- The laws of the country to which your personal data is transferred ensure an adequate level of data protection. Click here for the list of non-EEA countries that, according to the European Commission, provide an adequate level of data protection; or
- The transfer is subject to standard data protection clauses approved by the European Commission. More information about those data protection clauses is available here; or
- Any other applicable appropriate safeguards under article 46 of the EU General Data Protection Regulation (2016/679).
For more information about the safeguards that we have implemented to protect your personal data internationally, please contact us at privacy@randstad.ro.
-
how will we protect your personal data?
We have technical and organizational security measures in place to protect your personal data from being accidentally lost, used, altered, destroyed, disclosed or accessed in an unauthorized way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your personal data are governed by Randstad's rules for information and IT security, data protection and other internal regulations and guidelines applicable to the processing of personal data.
While we have measures in place to protect your personal data, it is important for you to understand that 100% complete security cannot be guaranteed. Accordingly, we have procedures in place to deal with data security incidents and to comply with legal requirements applicable to the detection, handling and notification of personal data breaches.
-
your data protection rights
You have the following rights regarding your personal data:
1. Right to be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. This is why we are providing you with the information in this notice.
2. Right of access: You have the right to access the personal data we keep about you – this is because we want you to be aware of the personal data we have about you and to enable you to verify whether we process your personal data in accordance with applicable data protection laws and regulations.
3. Right to rectification: If your personal data is inaccurate or incomplete, you have the right to request the rectification of your personal data.
4. Right to erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep it. This is not a general right to erasure; there are exceptions.
5. Right to restrict processing: You have rights to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to make sure the restriction is respected in future.
6. Right to data portability: You have the right to obtain and reuse your personal data in a structured, commonly used and machine-readable format in certain circumstances. In addition, where certain conditions apply, you have the right to have such personal data transferred directly to a third party.
7. Right to object to processing: You have the right to object to certain types of processing, in certain circumstances. In particular, the right to object to the processing of your personal data based on our legitimate interests or on public interest grounds; the right to object to processing for direct marketing purposes (including profiling); the right to object to the use of your personal data for scientific or historical research purposes or statistical purposes in certain circumstances.
8. Right to withdraw consent: If our processing of your personal data is based specifically on your consent, you have the right to withdraw that consent at any time. This includes your right to withdraw consent to our use of your personal data in the context of voluntary employee surveys.
9. Right to object to automated decision making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you. Automated decision making takes place when an electronic system uses personal data to make a decision without human intervention. This is not a general right to object; there are exceptions. For example, we are allowed to use automated decision making where it is necessary to perform a contract with you and appropriate measures are in place to safeguard your rights. For further information, see the section “Innovative HR technologies”.
You can exercise your rights by sending a request to the data protection officer at privacy@randstad.ro. We will handle your request with particular care to ensure that you can exercise your rights effectively. We may ask you for proof of identity to make sure we don't share your personal data with anyone but you! You should be aware that in special cases (e.g. due to legal requirements) we may not be able to comply with your request immediately.
In any case, within one month of your request, we will inform you of the actions taken. You have the right to file a complaint with a data protection supervisory authority: ANSPDCP with headquarters in B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest and having the e-mail address anspdcp@dataprotection.ro.
-
changes to this data protection notice
We may update this notice from time to time. You can see the date on which the last change was made below. We advise you to review this notice on a regular basis so that you are aware of any changes.
This statement was updated in 2023.
GDPR
frequently asked questions
-
what is GDPR?
GDPR (General Data Protection Regulation) is a set of rules and regulations adopted by the European Union (EU) in 2016 and applied since May 25, 2018. The purpose of this regulation is to protect the fundamental rights and freedoms of individuals with regard to the processing of personal data and to ensure the free movement of such data within the EU. GDPR imposes strict obligations on companies and organizations that process personal data and establishes significant sanctions for non-compliance with the regulations.
-
who does GDPR apply to?
GDPR applies to:
- Organizations and companies established in the EU: Regardless of their size or the nature of their business, the GDPR applies to all companies and organizations in the EU that process personal data of individuals (EU citizens or residents).
- Organizations and companies outside the EU: The GDPR also applies to companies and organizations established outside the EU, if they offer goods or services in the EU (even for free) or monitor the behavior of individuals in the EU (for example, by tracking online activity).
-
where is compliance with the Data Protection Regulation mandatory?
Compliance with the General Data Protection Regulation (GDPR) is mandatory in all member states of the European Union (EU) and the European Economic Area (EEA). The GDPR also applies to companies or organizations established outside the EU and EEA if they offer goods or services (including free ones) to individuals in the EU or monitor their behavior within the EU. The GDPR therefore has extraterritorial applicability, meaning that organizations worldwide must comply with the regulations as long as they process personal data of EU citizens or residents.
-
what does personal data mean?
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data include:
- Name and surname
- Home address
- Email address
- Phone number
- CNP (Cod Numeric Personal)
- Unique identifiers, such as passport numbers or online IDs (cookies, IP addresses)
- Demographic data, such as age, gender, ethnicity
- Medical, financial or employment data
-
what are the special categories of personal data?
Special categories of personal data, also known as sensitive data, are information that reveals more sensitive aspects of a person's life and that, if used or disclosed inappropriately, could lead to discrimination or other negative consequences. The GDPR provides enhanced protection for these categories of data. Special categories of personal data include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Union membership
- Genetic data (information resulting from the analysis of a person's DNA)
- Biometric data (used for the purpose of uniquely identifying a person, such as fingerprints, facial recognition, etc.)
- Health data (information regarding a person's physical or mental health, medical treatments, etc.)
- Data relating to sex life or sexual orientation
-
what does personal data processing mean?
Processing of personal data refers to any operation or set of operations which is performed upon personal data, whether or not by automated means. It includes a wide range of actions relating to personal data, such as:
- Collection: obtaining data from data subjects or from other sources (e.g. recruitment portals, social media, etc.)
- Recording: documenting or storing data in an organized system
- Organization: structuring data in a way that allows for easy access and use
- Structuring: creating a system for classifying or indexing data
- Storage: keeping data for a period of time, in electronic or physical format
- Adaptation or modification: changing or updating personal information according to specific needs
- Extraction: selecting specific data from a larger set of information
- Consultation: examining or verifying personal data
- Usage: applying data for various purposes, such as analysis, reporting, or decision-making
- Disclosure by transmission: sharing data with other entities, including through communications networks
- Dissemination or making available in any other way: distributing or publishing data in a way accessible to a large number of people
- Restriction: limiting access to or use of personal data
- Deletion or destruction: permanent removal of personal data
Basically, any action that involves the use, manipulation or management of personal data can be considered processing within the meaning of the GDPR.
-
what is a data controller?
A data controller is a legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of the GDPR, the data controller has the primary responsibility for ensuring that the processing of personal data is carried out in accordance with the principles and requirements of the Regulation.
The responsibilities of a data controller include, but are not limited to:
- Ensuring compliance with data protection principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality
- Processing personal data only where there is a legal basis
- Informing data subjects about the processing of their personal data, their rights and the ways to exercise them
- Implementing appropriate security measures to protect personal data against unauthorized access, disclosure, destruction or loss
- Cooperating with and complying with supervisory authorities
- Appointment of a Data Protection Officer (DPO), if necessary
- Data Protection Impact Assessment (DPIA) for processing operations with a high risk to the rights and freedoms of data subjects
In practice, a data controller can be a company, a non-profit organization, a public institution or any other entity that processes personal data for its own purposes, even a natural person.
-
what are the principles underlying GDPR?
The GDPR sets out seven fundamental principles governing the processing of personal data. These principles must be respected by data controllers and data processors in any personal data processing activity:
- Lawfulness, fairness and transparency: The processing of personal data must be lawful, fair and transparent in relation to the data subject. This means that the processing must have a legal basis, not adversely affect the rights of the data subject and be carried out in a clear and open manner.
- Purpose limitation: Personal data must be collected for a specific, explicit and legitimate purpose and not further processed in a way incompatible with that purpose. In other words, the data must be used only for the purposes for which it was originally collected.
- Data minimization: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This principle refers to the collection and use of only the personal data strictly necessary to fulfil the specified purpose.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Data controllers have the responsibility to ensure that inaccurate or incomplete data is corrected or erased.
- Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. This principle refers to storing data only for as long as is necessary and implementing appropriate retention periods.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures adequate data security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. This principle requires the implementation of appropriate technical and organizational measures to ensure data security.
- Accountability: The data controller is responsible for complying with the above principles and must be able to demonstrate compliance with these principles. This principle emphasizes the importance of proactive accountability and documentation of GDPR compliance.
These principles represent the foundation for the protection of personal data under the GDPR and must be respected in all data processing activities.
Recommendation: for a detailed explanation of the principles underlying GDPR, we recommend the dedicated article on The 7 GDPR principles. Principles related to the processing of personal data.
-
what are the legal grounds on which data can be processed?
According to the GDPR, the processing of personal data is only permitted if it is based on at least one of the following legal grounds:
- Consent: The data subject has given his/her consent to the processing of personal data for one or more specific purposes. Consent must be freely expressed, informed, specific and unambiguous.
- Performance of the contract: Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject's request prior to entering into a contract.
- Legal obligation: Processing is necessary for compliance with a legal obligation to which the data controller is subject. This refers to cases where the data controller has a specific legal obligation to process the personal data.
- Protection of vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person. This legal basis is applicable in situations of emergency or risk to the life and integrity of the data subject or of other persons.
- Performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This legal basis usually applies to public authorities and entities exercising powers conferred by law.
-
what is explicit consent and when is it necessary?
Explicit consent is a clear and unambiguous form of agreement that a data subject gives to the processing of personal data for one or more specific purposes. It is one of the legal grounds for processing personal data under the GDPR.
Explicit consent refers to situations where the data subject clearly and directly expresses their agreement, usually by a written statement or a clear affirmative action. Unlike “implicit” or “presumed” consent, which can be inferred from the data subject’s behavior, explicit consent requires a voluntary and informed act on the part of the data subject.
Explicit consent is required in the following cases:
- Processing of sensitive data (special categories of data): The GDPR imposes stricter requirements for the processing of such data, which includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation. In order to process such data, data controllers must obtain the explicit consent of the data subject, except where other specific legal grounds provided for in the GDPR apply.
- Transfer of personal data outside the EU: Explicit consent may be required when personal data are transferred outside the EU or the European Economic Area (EEA), to countries that do not provide an adequate level of data protection, as assessed by the European Commission. In such cases, data controllers must obtain the explicit consent of the data subject for the transfer of data outside the EU/EEA.
To be valid, explicit consent must be:
- Freely expressed: The data subject must not be coerced, manipulated or unfairly influenced to give consent.
- Informed: The data subject must be clearly and fully informed about the purpose of the data processing, the identity of the data controller and any other relevant information.
- Specific: Consent must relate to one or more specific, separate and distinct purposes.
- Unambiguous: Consent must be expressed through a clear affirmative action, such as checking a checkbox, signing a statement, or performing a similar action.
Data controllers must keep a record of consent obtained to demonstrate compliance with the GDPR. They must also inform data subjects of their right to withdraw consent at any time and ensure that withdrawing consent is as easy as giving it.
It is important to note that if a data controller relies on the explicit consent of the data subject for the processing of personal data and the data subject withdraws consent, the data controller must cease processing the data for the purposes for which the consent was given, unless there is another legal basis for the continued processing.
-
what are individuals' rights regarding GDPR?
The GDPR provides a number of rights for data subjects (individuals whose personal data are processed) in relation to data protection. These rights are intended to give data subjects more control over their personal data and to ensure transparency and accountability on the part of data controllers. The main rights of data subjects under the GDPR include:
- Right to information: Data subjects have the right to be informed about the processing of their personal data, including the purpose of the processing, the categories of data processed, the recipients to whom the data are disclosed and the data retention period.
- Right of access: Data subjects have the right to request confirmation that their personal data is being processed and, if so, to obtain access to this data and detailed information about the data processing.
- Right to rectification: Data subjects have the right to request the correction of their inaccurate personal data and to complete data that is incomplete.
- Right to erasure of data ("right to be forgotten"): Data subjects have the right to request the erasure of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or processed, or when the person withdraws consent.
- Right to restriction of processing: Data subjects have the right to request the restriction of processing of their personal data in certain situations, such as when the accuracy of the data is contested or when the processing is unlawful but the person opposes the erasure of the data.
- Right to data portability: Data subjects have the right to receive the personal data they have provided to a data controller in a structured, commonly used and machine-readable format, and have the right to transmit these data to another data controller without hindrance from the current data controller.
- Right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances, such as where the processing is based on the legitimate interest of the data controller or the performance of a task carried out in the public interest.
- Right not to be subject to automated decisions, including profiling: Data subjects have the right not to be subject to decisions based solely on automated processing of their personal data, including profiling, which produce legal effects or significantly affect the data subject. This right applies in particular when decisions are taken without human intervention and have negative consequences, such as refusing a loan or a personalized offer with higher prices. There are exceptions where automated decisions are necessary for the conclusion or performance of a contract, are authorized by law or are based on the data subject's explicit consent.
- Right to lodge a complaint with a supervisory authority: Data subjects have the right to lodge a complaint with a national data protection authority if they consider that the processing of their personal data infringes the GDPR or other data protection laws.
It is the responsibility of data controllers and data processors to ensure that they respect these rights and respond appropriately to data subjects' requests. Companies must have appropriate mechanisms in place to handle requests regarding data subjects' rights and communicate clearly and transparently with data subjects about the exercise of these rights.
-