Privacy Policy
M365Group SIA Version 2.0 | Effective Date: January 1, 2022
1. INTRODUCTION AND DATA CONTROLLER INFORMATION
M365Group SIA, a company incorporated under the laws of the Republic of Latvia with registration number 40203253894, having its registered office at Čiekurkalna 2. līnija 49A – 3, Rīga, LV-1026, Latvia (“M365Group”, “we”, “us” or “our”), is committed to protecting and respecting your privacy and ensuring that your personal data is processed in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”), and any national implementing legislation in the Republic of Latvia.
For the purposes of applicable data protection legislation, M365Group SIA is the data controller responsible for determining the purposes and means of processing personal data as described in this Privacy Policy. Our Data Protection Officer can be contacted at privacy@m365connect.com or by writing to our registered office address marked for the attention of the Data Protection Officer. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our recruitment services, business operations, and website activities. We are committed to being transparent about how we collect and process your personal data and to meeting our data protection obligations.
2. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS
We process personal data relating to various categories of individuals in connection with our business operations. These categories include Candidates (individuals seeking employment opportunities through our services, including those who submit speculative applications), Clients (representatives of organizations that engage our recruitment services), Website Visitors (individuals who visit our website www.m365connect.com), Suppliers and Business Partners (individuals representing organizations with which we have commercial relationships), and Referees and Emergency Contacts (individuals whose contact details are provided to us by Candidates or employees). The types of personal data we process vary depending on your relationship with us but may include identification information (name, date of birth, gender, photograph), contact information (address, email address, telephone numbers), professional information (employment history, education, qualifications, skills, references), financial information (salary expectations, bank details for payment purposes), and technical information (IP addresses, browser information, cookies data). In limited circumstances and only where necessary and lawful, we may process special categories of personal data, such as information revealing racial or ethnic origin, health data relevant to employment, or criminal records data where required for specific roles.
3. LAWFUL BASIS FOR PROCESSING
We ensure that all processing of personal data is justified by an appropriate lawful basis under Article 6 of the GDPR. The lawful bases we rely upon include the performance of a contract where processing is necessary for the performance of our recruitment services agreement with Clients or employment contracts with Candidates; legitimate interests pursued by us or third parties, provided such interests are not overridden by your interests, rights, or freedoms – such legitimate interests include operating our business efficiently, providing recruitment services to Clients, maintaining business records, ensuring network and information security, and preventing fraud; compliance with legal obligations to which we are subject, including employment law requirements, tax obligations, regulatory compliance, GDPR requirements for EU recipients, and the CAN-SPAM Act of 2003 for US recipients; consent where you have given clear consent for us to process your personal data for specific purposes, such as marketing communications or processing special categories of data; and vital interests where processing is necessary to protect someone’s life. Where we process special categories of personal data, we ensure we have an additional lawful basis under Article 9 of the GDPR, such as explicit consent, processing necessary for employment law purposes, or processing necessary for the establishment, exercise, or defense of legal claims.
4. PURPOSES OF PROCESSING
We process personal data for various purposes connected with our recruitment services and business operations. These purposes include providing recruitment and employment services such as identifying and assessing Candidates for specific roles, facilitating introductions between Candidates and Clients, conducting skills assessments and competency evaluations, verifying qualifications and employment history, obtaining and providing references, and facilitating the employment or engagement process. We also process data for business administration purposes including maintaining our business records and databases, managing Client relationships and accounts, processing payments and maintaining financial records, conducting business analytics and reporting, and managing our supplier and partner relationships. Additionally, we process personal data for legal and regulatory compliance including complying with employment and tax legislation, responding to requests from regulatory authorities, establishing, exercising, or defending legal claims, conducting anti-money laundering and sanctions checks where required, and maintaining records as required by law. We also use personal data for marketing and communications purposes, including sending newsletters and updates about our services (where consented), informing Candidates about relevant job opportunities, conducting market research and surveys, and managing our events and webinars. Finally, we process data for website and technology management including operating and improving our website, ensuring network and information security, conducting troubleshooting and system testing, and preventing and detecting fraud or other criminal activity.
5. DATA RETENTION
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Our retention periods are determined based on the nature of the data, the purposes for processing, legal requirements, and our legitimate business needs.
For Candidates, we typically retain personal data for up to two years from our last meaningful contact with you, unless you are placed in a role through our services, in which case we retain relevant records for seven years for legal and contractual purposes. If you have consented to us retaining your details for future opportunities, we will retain your data for up to three years or until you withdraw your consent.
For Clients, we retain business records, including contact information and transaction history, for seven years following the end of our business relationship to comply with legal and tax requirements.
For Website Visitors, we retain technical information collected through cookies and similar technologies in accordance with our Cookie Policy, typically for up to 24 months.
For Email Marketing Compliance, we maintain suppression lists containing email addresses of individuals who have opted out of marketing communications indefinitely, as required by the CAN-SPAM Act and to ensure we honor opt-out requests permanently. These suppression records contain only the minimum information necessary (email address and opt-out date) to ensure compliance with your communication preferences and applicable laws. If you wish to re-subscribe to marketing communications after opting out, you must explicitly request to do so by contacting us at marketing@m365connect.com.
We implement appropriate measures to ensure that personal data is securely destroyed or anonymized when it is no longer needed, using secure deletion methods for electronic data and confidential shredding for paper records. However, certain records such as opt-out requests, suppression lists, and legal compliance documentation will be retained indefinitely as required by law or to demonstrate our compliance with applicable regulations including the CAN-SPAM Act.
6. DATA SHARING AND INTERNATIONAL TRANSFERS
We may share personal data with third parties in certain circumstances, always ensuring appropriate safeguards are in place. Categories of recipients include Clients and prospective employers to whom we introduce Candidates as part of our recruitment services; third-party service providers who assist us in delivering our services, such as IT service providers, assessment providers, background checking agencies, and professional advisors; regulatory authorities and law enforcement agencies where required by law or to protect our rights; successor entities in the event of a merger, acquisition, or sale of all or part of our business; and other members of our corporate group for internal administrative purposes. When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. These safeguards may include transferring to countries that have been deemed to provide an adequate level of protection by the European Commission; using specific contracts approved by the European Commission which give personal data the same protection it has in the EEA (Standard Contractual Clauses); where applicable, relying on specific derogations provided for in the GDPR, such as explicit consent or the transfer being necessary for the performance of a contract. You can obtain information about the appropriate safeguards we have in place for international transfers by contacting our Data Protection Officer.
7. DATA SECURITY
We have implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include physical security measures such as restricted access to our offices and secure storage of paper records; technical security measures including encryption of data in transit and at rest, firewalls and anti-virus software, regular security updates and patches, and secure password policies and multi-factor authentication; organizational measures such as staff training on data protection and information security, confidentiality obligations for all staff and contractors, regular security assessments and audits, and incident response procedures. We require all third parties who process personal data on our behalf to implement appropriate security measures and to process data only in accordance with our instructions. Despite our security measures, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security of your personal data.
8. YOUR RIGHTS AS A DATA SUBJECT
Under the GDPR, you have various rights in relation to your personal data, which you can exercise free of charge, subject to certain limitations. These rights include the right of access to request a copy of the personal data we hold about you and information about how we process it; the right to rectification to request that we correct any inaccurate personal data and complete any incomplete personal data; the right to erasure (right to be forgotten) to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected; the right to restriction of processing to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data; the right to data portability to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and is carried out by automated means; the right to object to object to processing based on legitimate interests, direct marketing, or processing for research or statistical purposes; rights in relation to automated decision-making and profiling not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you; and the right to withdraw consent where we rely on consent as the lawful basis for processing, you can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
9. EXERCISING YOUR RIGHTS
To exercise any of your rights, please contact our Data Protection Officer using the contact details provided in this Privacy Policy. When you make a request, we may need to verify your identity to ensure we are releasing information to the correct person. We will respond to your request within one month of receipt, although this may be extended by up to two additional months for complex requests. If we extend the response time, we will inform you within one month of receiving your request and explain why the extension is necessary. We will not charge a fee for responding to your request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request. If we refuse your request, we will explain why and inform you of your right to complain to the supervisory authority. You have the right to lodge a complaint with the Data State Inspectorate of the Republic of Latvia (Datu valsts inspekcija) if you believe we have not handled your personal data in accordance with applicable data protection laws. Contact details for the Data State Inspectorate are: Address: Elijas iela 17, Riga, LV-1050, Latvia; Email: pasts@dvi.gov.lv; Phone: +371 67223131.
10. COOKIES AND SIMILAR TECHNOLOGIES
Our website uses cookies and similar technologies to distinguish you from other users, provide you with a good experience when you browse our website, and allow us to improve our site. Cookies are small text files that are placed on your device when you visit our website. We use different types of cookies for various purposes, including strictly necessary cookies that are essential for the operation of our website; performance cookies that collect information about how visitors use our website; functionality cookies that remember choices you make and provide enhanced features; and targeting cookies that record your visit to our website and the pages you visit to provide you with relevant content.
We also use tracking technologies in our email communications, including pixel tags (also known as web beacons or clear GIFs) to understand whether our emails have been delivered, opened, and which links have been clicked. These tracking pixels are small, transparent images embedded in emails that allow us to collect certain information about your interaction with our emails, such as your IP address, the time the email was opened, and the type of device or email client used. You can disable email tracking pixels by setting your email client to not download images automatically, though this may affect how our emails display.
Most web browsers allow you to control cookies through your browser settings. However, if you disable cookies, you may not be able to access all functionality of our website. For detailed information about the cookies we use and the purposes for which we use them, please see our Cookie Policy available on our website. All use of cookies and tracking technologies complies with applicable laws including GDPR and the CAN-SPAM Act where applicable.
11. MARKETING COMMUNICATIONS
We may use your personal data to send you marketing communications about our services, events, and other information we think may be of interest to you. We will only send you marketing communications where we have your consent or where we have a legitimate interest to do so and you have not opted out. Our legitimate interest in sending marketing communications extends to existing Clients and Candidates with whom we have an established business relationship.
For recipients in the United States, we comply with the CAN-SPAM Act of 2003 requirements, which means our marketing emails will: (i) clearly identify the message as an advertisement where required; (ii) include our valid physical postal address (Čiekurkalna 2. līnija 49A – 3, Rīga, LV-1026, Latvia); (iii) provide a clear and conspicuous opt-out mechanism; (iv) honor opt-out requests within 10 business days; (v) use accurate header information and non-deceptive subject lines; and (vi) not use harvested email addresses or misleading header information. Violations of CAN-SPAM can result in penalties of up to $51,744 per email, and we take compliance seriously.
For all marketing emails sent globally, we ensure that: (i) the sender is clearly identified as M365Group SIA; (ii) subject lines accurately reflect the content of the message; (iii) commercial messages are identified as advertisements where required by law; (iv) our physical postal address is included in every marketing email; (v) clear unsubscribe links are provided in every marketing email; (vi) opt-out requests are processed within 10 business days for US recipients and without undue delay for EU recipients; and (vii) suppression lists are maintained indefinitely to ensure we do not send marketing emails to individuals who have opted out.
You can opt out of receiving marketing communications at any time by: clicking the unsubscribe link in any marketing email we send you; contacting us at marketing@m365connect.com; or updating your preferences in your account settings if applicable. Once you opt out, we will add your email address to our permanent suppression list to ensure you do not receive future marketing communications from us. This suppression list is maintained indefinitely as required by the CAN-SPAM Act. If you wish to re-subscribe to our marketing communications after opting out, you must explicitly request to do so by contacting us.
We maintain comprehensive docu
12. CHILDREN'S PRIVACY
Our services are not directed at individuals under the age of 16, and we do not knowingly collect personal data from children under 16. If you are under 16, please do not provide any personal data to us. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that information as soon as possible. If you believe we may have collected personal data from a child under 16, please contact our Data Protection Officer immediately.
13. AUTOMATED DECISION-MAKING AND PROFILING
We may use automated systems to assist in the recruitment process, such as applicant tracking systems that help us manage and organize Candidate information. However, we do not make decisions based solely on automated processing, including profiling, that would have legal effects or similarly significantly affect you. Any automated systems we use are designed to support human decision-making, not replace it. All significant decisions regarding Candidates, such as whether to progress an application or make a job offer, involve meaningful human involvement. If we introduce any automated decision-making processes in the future that would fall within the scope of Article 22 of the GDPR, we will ensure appropriate safeguards are in place and inform you of your rights in relation to such processing.
14. UPDATES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes to this Privacy Policy, we will notify you by email (where we have your email address) or by posting a prominent notice on our website prior to the change becoming effective. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data. The date at the top of this Privacy Policy indicates when it was last updated. Your continued use of our services after any changes to this Privacy Policy will constitute your acknowledgment of the changes and your consent to abide by the updated Privacy Policy.
15. CONTACT INFORMATION
If you have any questions or concerns about this Privacy Policy or our data protection practices, or if you wish to exercise any of your rights as a data subject, please contact us using the following information: Data Protection Officer, M365Group SIA, Čiekurkalna 2. līnija 49A – 3, Rīga, LV-1026, Latvia; Email: privacy@m365connect.com; Phone: +4915203824573. We take all privacy concerns seriously and will endeavor to respond to your inquiries promptly and thoroughly.
