Privacy Policy

Talenom’s privacy policy describes the practices and principles related to the processing of personal data.

The privacy policy helps you understand what personal data we collect and why, as well as how we process, protect, store and delete your personal data.

This privacy policy applies to Talenom’s website, app, Software, as well as to all Services provided by Talenom, as well as to its relationship with providers and the activities related to employment and recruitment.

Why do we process personal data?

Talenom stores and processes personal data to provide services in a contractual relationship between Talenom and Talenom’s customers (art. 6.1.b. of the European Union’s General Data Protection Regulation – “GDPR”).

Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority (art. 6.1.c. of the GDPR)

Talenom has a legitimate interest in processing personal data for the purpose of directing the marketing and sales of Talenom’s services, as well as for improving the quality of Talenom’s products and services (art. 6.1.f. of the GDPR).

The processing of personal data is based on separate consent (art. 6.1.a. of the GDPR) for the following processing operations:

  • Direct marketing.
  • Use of personal images.
  • Consulting of criminal records.

The data subject has the right to withdraw their consent at any time via a link in marketing messages.

What personal data do we process?

Talenom processes, among others, the following personal data, which may vary according to the type of services contracted:

  • Name and surname.
  • Personal identification number (such as DNI, passport, NIE).
  • Sex, marital status, nationality, age, date and place of birth.
  • Data of relatives and their circumstances, such as date of marriage, divorce, separation, matrimonial regime.
  • Personal registration number, social security number / mutuality.
  • Contact details, such as address, telephone number, email address.
  • Due diligence information required by the Money Laundering Act (KYC information).
  • Information about the beneficial ownership of the company.
  • Health information (e.g. in relation to the probate service of counselling services).
  • Health care(sick leave, accidents at work and degree of disability, excluding diagnoses, allergies, food intolerances, maternity leave, paternity), trade union membership (for the sole purpose of payment of trade union dues, if applicable), trade union representative (where appropriate), proof of attendance from own and third parties.
  • Attendance control data: date and time of entry and exit, reasons for absences.
  • Economic-financial data: payroll data, credits, loans, guarantees, tax deductions, deregistration of assets, judicial withholdings (if applicable), other withholdings (if applicable).
  • Bank details such as card number and IBAN.
  • Economic data relating to civil insolvency, income and expenses, debts, taxes, ownership of assets, life insurance, pensions, scholarships, subsidies, corporate participations, movable and real estate properties in general.
  • Criminal record.
  • Personal images.
  • Customer history, such as contacts and changes to services.
  • Call and video call recordings and other instances from our customer service.
  • User credentials for Talenom electronic services.
  • Log information of the use of the services.
  • Information provided by cookies.
  • Information provided voluntarily by those registered in the recruitment process, such as degrees, training, professional experience, employment details data, incompatibilities, references, among others that may be informed by candidates.
  • Marketing Prohibitions and Consents.

In some of its services, Talenom processes personal data on behalf of Talenom’s customer.

In these cases, the customer is responsible for the registration of the personal data generated and Talenom acts as Processor of personal data, in the capacity defined by the General Data Protection Regulation.

In this case, the processing activities related to the processing of personal data have been agreed separately with the customer of Talenom, using the Description of personal data processing activities included in this document:

Description of personal data processing activities

Regular sources of information

In most cases, we receive your data directly from you, for example in the following situations:

• You become a customer of Talenom and use our products and services
• You participate in surveys, campaigns or Talenom events
• You call our customer service or send a message in the chat
• If you apply to work for us

In addition, we receive information about:

• Registers maintained by authorities
• On sanctions lists
• other services that provide public contact information
• From the contact forms on the Talenom.com website
• Talenom’s internal information sources

How do we take care of our customers’ data protection?

Technical protection of data in registers

The data contained in the register that is processed electronically is technically protected, for example with firewalls, password policy and by offering Talenom’s customers two-factor authentication to customer information systems.

Talenom conducts internal and third-party assessments and audits that cover both the technical security of critical information systems and the processes and guidelines for administrative information security and data protection.

Administrative protection of registers

Talenom has an information security policy that every new employee goes through when they start working at Talenom. The information security policy describes the general rules on information security and data protection that are mandatory for the employee.

Talenom staff’s information security and data protection awareness is regularly maintained in various ways: By organizing both regular information sharing sessions on information security and data protection for the entire company’s personnel, and by organizing mandatory information security and data protection training for employees every year.

The data contained in the registers can be accessed based on separately granted access rights to Talenom’s employees and subcontractors acting on behalf of Talenom. User access rights are regularly reviewed. System administrators’ access rights are monitored and removed when the user no longer needs them. The access rights of employees who have left Talenom are removed at the end of the employment relationship.

In accordance with the information security policy, the customer’s data is only processed by a Talenom employee whose work duties require it. The processing of customer data on other grounds is prohibited, even if the employee would have a technical access to customer data based on his or her role and business reasons.

All Talenom’s personnel, and subcontractors acting on Talenom’s behalf, have a duty of confidentiality in relation to all Talenom’s customer and personal data. The obligation of confidentiality is recorded in the employment contracts of Talenom’s personnel and in agreements with third parties, including sanctions for violation of confidentiality.

Physical protection of data in registers

Customer data is processed in information systems located in the data center in Spain or in Cloud services located in the European Union.

Disclosure of data and use of subcontractors

Talenom may, if necessary, disclose personal data to any company within the Talenom Group.

In certain cases, Talenom must also disclose personal data to authorities if required by applicable law or regulation or a request from a judicial or administrative authority.

Talenom may disclose non-sensitive personal data to its partners for the purpose of developing services, monitoring quality and marketing.

Talenom does not sell or rent personal data to any other party.

Upon request, Talenom will provide an up-to-date list of the subcontractors it uses.

Transfer of data outside the EU/EEA

Mainly personal data is not transferred outside the European Union or the European Economic Area.

The contact information used in marketing communications and the statistical data generated by the use of Talenom’s electronic systems, as well as the data stored in the recruitment service, are transferred outside the EU / EEA to servers located in the United States. These are protected by the respective service providers in accordance with European Union data protection legislation.

Data transfers outside the EU / EEA are carried out in accordance with the standard contractual clauses for data protection approved by the European Commission.

Upon request, Talenom will inform the subcontractors that transfer data outside the EU/EEA.

How long do we keep the data?

Talenom processes personal data throughout the customer relationship.

Company information and information on the company’s decision-makers is stored at Talenom permanently, because the information is automatically updated for us from the business information system.

When the customer relationship ends, personal data is stored to the extent necessary to comply with our legitimate interests.

We will maintain the direct marketing information until further notice.

Rights of the data subject

In accordance with sections 15-22 of the European Union’s General Data Protection Regulation – GDPR, the data subject has the right to:

  1. right of access to personal data
  2. rectification of data
  3. erasure of data
  4. restriction of processing
  5. transfer data from one system to another
  6. object to the processing of their personal data
  7. lodge a complaint with the supervisory authority

You can object to the processing of your personal data for direct marketing purposes at any time.

The exercise of some of the data subject’s rights is limited by other mandatory legislation, based on which Talenom has the right and obligation to refuse on reasonable grounds the rectification, erasure, restriction of processing or transfer of data from one system to another.

The registered must address a written request based on their rights by e-mail to: protecciondedatos@talenom.com .

Contact details of the controller and data protection officer

Controller
Talenom SLU
Barcelona, Avenida Diagonal, number 532, 7th Floor
NIF: B-66461351

Data Protection Officer
Vanessa Ferrari
E-mail: protecciondedatos@talenom.com

Data breach notification policies

Notification to the data subject is made by the controller if the data breach is likely to result in a high risk to his or her rights and freedoms. The notification describes the nature of the data breach and the measures taken as required by the GDPR.

It is the data controller’s duty to notify the data protection authority within 72 hours of disclosure if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The notification is made in accordance with the instructions of the Data Protection Ombudsman in force at the time.

Limitations

This privacy policy does not apply to third-party websites, applications or services that may be available through additional services provided by partners in Talenom’s services.

By opening the partner’s website, the customer leaves Talenom’s service, allowing the third party to collect and share the information they have collected about the customer.

Talenom recommends that our customers always review the privacy policies of a third-party service before allowing the collection and use of their own personal information on those services.


Description of Processing Activities

Controller: Customer

Processor: Talenom

Why we process personal data

Talenom stores and processes personal data to provide the services provided by the Processor in a contractual relationship between the Processor and the Controller (art. 6.1.b. of the General Data Protection Regulation of the European Union – «GDPR»).

Personal data are also processed and stored to meet the requirements of applicable laws or regulations, or to satisfy a request from a judicial or administrative authority toadministrative (art. 6.1.c. GDPR)).

Talenom will also carry out treatment activities to:

  • Insert the data of the Client’s employees in the payroll and HR management application.
  • The monitoring of the credits of the Client’s private clients.
  • To legal advice or management to a limited company.
  • The administration and billing of a Client.
  • Due diligence (KYC) information required by anti-money laundering legislation
  • Information about the beneficial owner.

Talenom has a legitimate interest in processing personal data for the purpose of directing the marketing and sales of Talenom’s services, as well as improving the quality of Talenom’s products and services (art. 6.1.f. of the GDPR).

What personal data do we process?

Talenom processes, among others, the following personal data, which may vary according to the type of services contracted:

  • Name and surname.
  • Personal identification number (such as DNI, passport, NIE).
  • Sex, marital status, nationality, age, date and place of birth.
  • Data of relatives and their circumstances, such as date of marriage, divorce, separation, matrimonial regime.
  • Personal registration number, social security number / mutuality.
  • Contact details, such as address, telephone number, email address.
  • Due diligence information required by the Money Laundering Act (KYC information).
  • Information about the beneficial ownership of the company.
  • Health information (e.g. in relation to the probate service of counselling services).
  • Health care(sick leave, accidents at work and degree of disability, excluding diagnoses, allergies, food intolerances, maternity leave, paternity), trade union membership (for the sole purpose of payment of trade union dues, if applicable), trade union representative (where appropriate), proof of attendance from own and third parties.
  • Attendance control data: date and time of entry and exit, reasons for absences.
  • Economic-financial data: payroll data, credits, loans, guarantees, tax deductions, deregistration of assets, judicial withholdings (if applicable), other withholdings (if applicable).
  • Bank details such as card number and IBAN.
  • Economic data relating to civil insolvency, income and expenses, debts, taxes, ownership of assets, life insurance, pensions, scholarships, subsidies, corporate participations, movable and real estate properties in general.
  • Criminal record.
  • Personal images.
  • Customer history, such as contacts and changes to services.
  • Call and video call recordings and other instances from our customer service.
  • User credentials for Talenom electronic services.
  • Log information of the use of the services.
  • Information provided by cookies.
  • Information provided voluntarily by those registered in the recruitment process, such as degrees, training, professional experience, employment details data, incompatibilities, references, among others that may be informed by candidates.
  • Marketing Prohibitions and Consents.

Regular sources of information

In addition to its own data, the Customer adds personal data of its personnel and customers to the Processor’s information services. Personal data may be added based on electronic and/or physical material provided by the customer.

In addition to this, personal data is collected from the tax authorities, the Social Insurance Institution of Spain, insurance companies, trade unions, credit services, enforcement authorities and other parties whose data must be processed in the service provided by the Processor.

Users’ device information is collected automatically in order to develop the services and products offered by the Processor and to develop customer service, using, for example, internet browser cookies from Processor’s digital products and online services.

Disclosure of Personal Data Policies

If needed, personal data is disclosed to the Customer’s Auditor without a separate authorization for the implementation of the agreement between the Customer and the Auditor. In the case of the Client’s other partners, such as lawyers and consultants, the Client will be asked for a separate written authorization to disclose the data. When handing over written material, a data disclosure certificate is drawn up, which indicates the basic information of the material disclosed, to whom the data has been disclosed and when. This certificate of release is stored in customer folders for any subsequent obligation to provide evidence. In connection with the disclosure of digital material, personal user credentials are created for the customer company’s partner in the Processor’s information system, with which the Customer’s partner receives the disclosed information. The Customer’s request to create user credentials to the information system and give access to the Customer’s data also includes the Customer’s consent to the disclosure of the Customer’s data to the respective partner.
Data is disclosed to tax authorities, financial institutions, electronic money communities, pension insurance companies, insurance companies, trade unions, the Social Insurance Institution of Spain or earnings-related pension funds without the Customer’s authorization or consent when the disclosure of data is separately regulated by law.

Talenom may disclose personal data to any entity within the Talenom Group. Talenom does not sell or rent personal data to other parties.

Categories of recipients of personal data – including those in third countries and international organisations

The Processor may disclose the Customer’s personal data within the limits of applicable legislation and in accordance with the terms of the agreement between the Processor and the Customer. Register data may be disclosed, for example, to tax and social security authorities, pension insurance companies, insurance companies, trade unions, earnings-related pension funds, financial institutions.

The processor has a legal obligation to disclose personal data to the authorities based on legal requests for information received from them in writing.

Mainly personal data will not be transferred outside the European Union («EU») or the European Economic Area («EEA»). Data transfers outside the EU or EEA are made in accordance with the standard contractual clauses of the EU’s General Data Protection Regulation concerning data transfers.

Upon request, Talenom will inform the Subcontractors that transfer data outside the EU or the EEA.

Technical and organizational security measures

Technical protection of data in registers

The data contained in the register that is processed electronically is technically protected, for example with firewalls, password policy and by offering Talenom’s customers two-factor authentication to customer information systems.

Talenom conducts internal and third-party assessments and audits that cover both the technical security of critical information systems and the processes and guidelines for administrative information security and data protection.

Administrative protection of registers

The processor protects the Customer’s data from unauthorized access and dissemination. Only the employees of the Processor and subcontractors acting on behalf of the Processor have access to the data contained in the register based on separately granted access rights. Access rights are monitored, and the creation of unsafe user access combinations are prohibited by the user access management policy and their creation is controlled as part of the access management process. The access rights of the administrators are regularly checked and are deleted when the user no longer needs them. The access rights of employees who have left the processor are removed from all systems upon termination of employee’s employment.

The customer’s data is only processed by a Talenom employee whose work duties require it. It is forbidden for processor’s employees to process personal data on other grounds, even if the employee would have a technical access to customer data based on his or her role and business reasons. All of Processor’s personnel and subcontractors acting on its behalf have a duty of confidentiality in relation to all the Customer’s financial management information and personal data. The obligation of confidentiality is recorded in the employment contracts of Talenom’s personnel and in agreements with third parties, including sanctions for violation of confidentiality.

Employees who process customer data are trained through regular trainings, where the legality criteria for doing the work are an integral part of the training. The information security and data protection awareness of the processor’s staff is regularly maintained in various ways, for example, by organizing regular information sessions on information security and data protection for the entire personnel of the company and by arranging mandatory information security and data protection training for employees every year, in order to pass the subject matter test. The Processor has drawn up an information security policy that each new employee of the Processor becomes familiar with when starting their work. The existence and location of the information security policy are communicated in regular information security trainings and employees are reminded of the binding nature of the information security policy. The information security policy describes the general rules on information security and data protection that are binding on the employee, whether they are technical rules, information security processes or practices and instructions suitable for everyday work.

Physical protection of data in registers

Customer data is processed in information systems located in the data center in Spain or in Cloud services located in the European Union.

Customer’s obligations

The customer is responsible for the implementation and maintenance of adequate technical and organizational information security measures in their own information systems and physical environments.

Planned deletion periods for data groups

The Processor deletes the Customer’s personal data from its information systems to the extent required by law when the Customer leaves the Processor.

Rights of the data subject

In accordance with sections 15-22 of the European Union’s General Data Protection Regulation, the data subject has the right to:

  1. right of access to personal data
  2. rectification of data
  3. erasure of data
  4. restriction of processing
  5. transfer data from one system to another
  6. object to the processing of their personal data
  7. lodge a complaint with a supervisory authority

The exercise of some of the data subject’s rights is limited by other mandatory legislation, based on which Talenom has the right and obligation to refuse on reasonable grounds the rectification, erasure, restriction of processing or transfer of data from one system to another.

In situations where the data subject wishes to inspect or amend his or her data from data belonging to a personal register owned by a Talenom customer, the data subject must make a request for an inspection or change of the data to the controller, and the controller takes care of the implementation of the request for inspection or change of data together with the data processor Talenom. In this case, the controller must address a written request for verification to the following address: protecciondedatos@talenom.com.

Controller’s instructions to data processor

The customer may describe separately in separate documentation the more detailed instructions given to the processor for the processing of personal data, which the Processor stores in customer-specific file folders, as part of the customer-specific instructions.

Data breach notification

Controller

The notification is made by the Processor to the Controller without undue delay after the disclosure of the data protection breach. The notification describes the nature of the data breach and the measures taken as required by law.

Registered

Notification is given to the data subject by the Controller if the data breach is likely to result in a high risk to his or her rights and freedoms. The notification describes the nature of the data breach and the measures taken as required by law.

Supervisory authority

It is the Controller’s duty to notify the National Data Protection Authority within 72 hours of being reported if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The Processor assists the Controller in notifying the National Data Protection Authority of a separate request.

Processor (Service Provider) and contact information

Processor’s name:
Talenom SLU
Barcelona, Avenida Diagonal, number 532, 7th Floor
NIF: B-66461351

Data Protection Officer:
Vanessa Ferrari
E-mail: protecciondedatos@talenom.com

Contact information of the subcontractor

The customer has given general consent to the use of subcontractors. Talenom provides a list of subcontractors upon request.

Contact us

Enter your details and we’ll get in touch with you soon or call us on +34 932 20 80 60 Mon–Thu, 10 am–5 pm and Fri, 10 am–1 pm.

Contact us

Let us know how we can help you