This Service Agreement together with the Terms and Conditions shall be regarded as a contract concluded between ACV and the Recruiter and shall apply to all Services (as defined below) provided by ACV to the Recruiter.
By signing the Order (in case the Services are purchased through ACV commerce department), by using the Services (in case such Services are freely available upon registration on the Website), or by forming and paying the Order for the Services by means provided on the Website, the Recruiter agrees to be bound by the terms of this Agreement as well as the Terms and Conditions (as defined below). If the Recruiter does not agree to any of the terms of this Agreement or the Terms and Conditions, the Recruiter must immediately cease to use any Services.
a) currently the subject or the target of any economic, financial or trade sanctions laws, regulations, embargoes or restrictive measures imposed, administered or enforced from time to time by the United States of America, the United Nations, the European Union, the United Kingdom, the jurisdictions where ACV and the Recruiter are incorporated, carry out business or this Agreement is performed or any governmental or regulatory authority, institution or agency of any of the foregoing, including but not limited to the Office of Foreign Assets Control of the U.S. Department of the Treasury (OFAC), the Bureau of Industry and Security of the U.S. Department of Commerce or the U.S. Department of State, the United Nations Security Council, the Council of the European Union, HM Treasury or other relevant sanctions authority (including but not limited to the designation in the Specially Designated Nationals and Blocked Persons list maintained by OFAC, the Denied Persons List maintained by the US Department of Commerce, the UK Sanctions List, and the OFSI Consolidated List maintained by HM Treasury, or any other list issued or maintained by any foregoing sanctions authorities of persons subject to sanctions (including investment or related restrictions), each as amended, supplemented or substituted from time to time) (collectively, the Sanctions); or
b) located, organised, operating or residing in a country, region or territory that is, or whose government is, the subject or the target of the Sanctions from time to time, including but not limited to Crimea, Cuba, Iran, North Korea, Sudan and Syria;
(each such Person is hereinafter referred to as the Sanctioned Person).
Personal Data of the Employees and/or Representatives of Each Party
A. LIST OF PARTIES
Data Exporter (s)/ASV:
Name: UAB “AviationCV.com”
Address: Dariaus ir Girėno str. 21, 02189 Vilnius, the Republic of Lithuania
Contact person’s name, position and contact details: e-mail: email@example.com
Activities relevant to the data transferred under these Clauses: (a) introducing the job seekers to certain recruiters (b) tracking the job ad views and applications (c) providing access to data bases of the job seekers based on recruiter’s search criteria
Signature and date: By transferring Personal Data to Third Countries under the Service Agreement, the data importer will be deemed to have signed this Appendix A.
Data Importer (s)/The Recruiter:
Name: the entity identified as “the Recruiter” in the Service Agreement and/or in the Terms and Conditions
Contact person’s name, position and contact details: The contact details as otherwise specified in the Service Agreement
Activities relevant to the data transferred under these Clauses: searching and selection of candidates (job seekers) on Website.
Signature and date: By using the Services to transfer Personal Data to Third Countries under the Service Agreement, the data importer will be deemed to have signed this Appendix A.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: the job seekers (pilots, cabin crew, engineers and others)
Categories of personal data transferred: company; field/entry; desired role; title; position; first name; surname; e-mail; passport country of issue; year and month of birth; current city of residence; current country of residence; telephone; career status; letter of recommendation; desired contract; employment availability; license (type of license; country of issue; license number; scanned copy of license; year and month of expiry); medical (medical certificate type; year and month of expiry; medical country of issue; scanned copy of medical certificate); type rating (aircraft make; aircraft type; country of issue; year and month of expiry); professional experience (company; country; position; area of expertise); professional references (company; first name and surname; position; e-mail; telephone; letter of recommendation); instructor/examiner qualifications (chief flight instructor; flight instructor; line training captain; SFE; SFI; TRE; TRI); aircraft experience (aircraft make; aircraft type; P1 hours (PIC); P2 hours (FO); total flying hours); simulator experience (total hours); last flight (aircraft make; aircraft type; date); aircraft rating (aircraft make; aircraft type; rating; country of issue); recent experience (aircraft make; aircraft type; company certification; proof (statement of experience); scanned copy of statement of experience); languages (English ICAO level; ICAO Expiration; ICAO language certificate copy; other languages; written and spoken level; certification); academic degree (level); education (level; country; institution; specialization); other information (accident or incident experience; criminal record); certificate (cabin crew attestation certificate; country of issue; license number; scanned copy of license); visible tattoos; piercings); other documents and certifications (US C1/D Visa; EU resident/EU Visa; airport security clearance (country; airport); qualifications and skills (amos; solid works; autocad; boroscope; quality inspector; painting supervisor; station manager).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
On continuous basis
Nature of the processing:
Purpose(s) of the data transfer and further processing:
To provide services under the Service Agreement, according to which the Data exporter (ASV) provides personal data about the job seekers and the Recruiter receives this information and uses it for the purposes of recruiting such job seekers.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal data cannot be held indefinitely ‘just in case’ it might be useful in future and must be stored for the shortest time necessary to achieve and fulfil the purpose(s) of the data transfer.
Method and format of provision of personal data:
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: State Data Protection Inspectorate, address L. Sapiegos str. 17, LT-10312 Vilnius, the Republic of Lithuania, e-mail firstname.lastname@example.org
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of pseudonymisation and encryption of personal data, such as: Counter & Random Number Generator (RNG); Cryptographic hash function; MAC-HMAC; Symmetric encryption; Advanced techniques (Asymmetric encryption; ring signatures and group pseudonyms; pseudonyms based on multiple identifiers or attributes; pseudonyms with proof of ownership etc.);
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, such as: Password policies; encryption; a virtual private network; leased lines; a secure electronic communications network etc.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, such as: regular backups, business continuity readiness plans, disaster recovery plans (ability to switch data centers in the event of flooding, earthquake, fire or other physical destruction or power outage to protect personal data against accidental destruction and loss) etc.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing, such as: Regularly conducting vulnerability assessments and penetration testing to identify potential security weaknesses in systems and infrastructure; implementing regular security audits to evaluate the effectiveness of technical and organizational measures in place; regularly monitoring systems and networks for unusual or suspicious activity, and taking appropriate action in response; establishing incident response and management procedures to quickly and effectively respond to security incidents etc.
Measures for user identification and authorization, such as: password-based authentication; multi-factor authentication; biometric authentication etc.
Measures for the protection of data during transmission, such as: encryption of a file; a secure email facility that encrypts the data including attachments; use only inside a trusted network (SSL certificate for websites (https://) to transfer data within forms) etc.
Measures for the protection of data during storage, meaning that personal data should not be kept for longer than necessary to achieve and fulfil the purposes.
Measures for ensuring physical security of locations at which personal data are processed, such as: intruder detection systems should be installed in all security zones; physical barriers should, where applicable, be built to prevent unauthorized physical access; an automatic fire suppression system, closed control dedicated air conditioning system and uninterruptible power supply (UPS) should be implemented at the server room etc.
Measures for ensuring events logging, such as: there should be no possibility of deletion or modification of log files content; access to the log files should also be logged in addition to monitoring for detecting unusual activity etc.
Measures for ensuring system configuration, including default configuration, such as: restricted use of functions; security by default; configuration control inventory or inventories, containing configurations of critical systems etc.
Measures for internal IT and IT security governance and management, such as: developing and implementing policies and procedures for IT management and IT security; providing regular training and awareness programs for employees on IT security best practices; implementing effective risk management processes to identify and mitigate potential threats to IT systems and data; establishing incident management procedures to quickly and effectively respond to security breaches or other IT incidents etc.
Measures for certification/assurance of processes and products, such as: conducting regular audits and assessments to ensure ongoing compliance with standards and regulations; implementing a system for monitoring, measuring and reporting on the performance of processes and products; regularly reviewing and updating the certification/assurance program to ensure it stays current with industry developments and changing regulations; establishing a system for continual improvement of processes and products etc.
Measures for ensuring data minimization, such as: regularly reviewing and evaluating existing systems and processes to identify opportunities for data minimization; collecting only the minimum amount of personal data necessary to perform a specific task or function; regularly reviewing and deleting any personal data that is no longer needed for the purpose for which it was collected; implementing technical measures to prevent the collection of unnecessary data (e.g. using data masking techniques) etc.
Measures for ensuring data quality, such as: establishing clear and consistent guidelines for data entry, storage, and use; implementing procedures for data validation and verification to ensure that data is accurate, complete, and consistent etc.
Measures for ensuring limited data retention, such as: establishing clear data retention policies and schedules that specify how long personal data will be kept; regularly reviewing data retention policies and schedules to ensure that personal data is not kept for longer than is necessary; implementing technical and organizational measures to ensure that personal data is deleted or anonymized once it is no longer needed; conducting regular data clean-up activities to identify and delete any personal data that is no longer needed etc.
Measures for ensuring accountability, such as: adequate documentation on what personal data are processed, how personal data are processed, to what purpose and for how long the personal data will be processed; implementing regular monitoring and reporting to track compliance with data protection and privacy policies and procedures; establishing incident response and management procedures to respond to data protection and privacy incidents as soon as possible etc.
Measures for allowing data portability and ensuring erasure, such as: providing data in a structured, commonly used and machine-readable format; establishing procedures for individuals to request their data, and for fulfilling such requests in a timely and efficient manner; establishing procedures for individuals to request that their data be erased, and for fulfilling such requests in a timely and efficient manner; regularly reviewing and deleting any personal data that is no longer needed for the original purpose for which it was collected; implementing access controls and security measures to ensure that only authorized personnel can delete personal data etc.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter: Technical and organizational measures mentioned above shall be applicable to (sub-) processors. Additionally, the importer acting as the controller shall have adequate contractual clauses with the (sub-) processor according to Regulation (EU) 2016/679.