Who we are
FINANCIAL ADMINISTRATION SERVICES (Luxembourg) S.A is a Luxembourg-based Recruitment Advisory Firm. Our ultimate mission is to connect professionals and organizations using Partnership – Tailored Approach – Solution methodology. Our commitment is to be transparent about the data we collect, and more specifically about how it is used and with whom it is shared.
The new General Data Protection Regulation (GDPR) comes into effect across Europe on May 25th, 2018. This regulation applies wherever an individual’s personal data is entered, processed and stored. Accordingly, there are also changes that affect how the personal data of applicants is processed by FINANCIAL ADMINISTRATION SERVICES (Luxembourg) S.A. In order to be compliant with this new law, we invite you to review our Data Protection Policy.
GDPR (EU) 2016/679
For purposes of this Attestation, “GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation, together with any additional implementing legislation, rules or regulations that are issued by applicable supervisory authorities. Words and phrases in this Attestation shall, to the greatest extent possible, have the meanings given to them in Article 4 of the GDPR. In particular:
“Personal Data” has the meaning given to it in Article 4(1) of the GDPR: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
“Personal Data Breach” has the meaning given to it in Article 4(12) of the GDPR: “[any] breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
“Processing” has the meaning given to it in Article 4(2) of the GDPR: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
“Subprocessor” means any processor as defined in Article 4(8) of the GDPR: “[any] natural or legal person, public authority, agency or other body which processes personal data” on behalf of the Processor (including any affiliate of the Processor).
“Transfer” means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.
1. Who is responsible for the processing of your personal data
The Processor in the sense of the GDPR and other national data protection laws of the member states as well as other data protection regulations is: FINANCIAL ADMINISTRATION SERVICES (Luxembourg) S.A. with its headquarters – Address: 304 Route de Thionville, L-5884 Howald, Luxembourg (website: www.fast.lu / tel.: +352 20 211 432 / mail: firstname.lastname@example.org)
2. FINANCIAL ADMINISTRATION SERVICES Internet based platforms
(a) Website Hosting & Administration: FINANCIAL ADMINISTRATION SERVICES (Luxembourg) S.A webpage is hosted by EXAGENIUS SAS, with share capital of 10 000 € / RCS Saint-Malo 840 439 285 00023 (APE code 6209Z)
VAT No.: FR68840439285
Registered office: 22 RUE DU PONT PINEL – 35400 Saint-Malo – France
(b) “Contact forms” & Emails: There is an option of using FINANCIAL ADMINISTRATION SERVICES (Luxembourg) S.A website to connect with us electronically and/or to introduce your CV. By clicking the “Send” button, you consent to the transmission to us of the data entered in the input form. In addition, we save the date and time of your contact. Alternatively, contact via the e-mail address provided is also possible. In this case, the user’s personal data transmitted along with the e-mail and our response will be stored. The personal data voluntarily transmitted to us in this context is used to process your inquiry and to contact you as needed. The legal basis for the transmission of the data is Art. 6 (1) (a) GDPR. The data will be used for this purpose until the specific conversation with you has ended. The conversation will be considered ended when it can be inferred from the circumstances that the relevant facts have been conclusively clarified.
(c) Google Re-Captcha: In specific cases we use the reCAPTCHA service https://www.google.com/recaptcha/intro/ by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, (“Google”) based on a legitimate interest (i.e. the interest to ensure the correctness of data, avoidance of automatic registrations / orders by so-called bots, and economical operation of our online offering within the meaning of Art. 6 (1) f) GDPR). Google is certified under the Privacy Shield Agreement and thus warrants that it complies with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). We use re-Captcha to distinguish whether an input is made by a human or abusively by automated, mechanical processing. The query in this context includes the sending of the IP address and any other data required by Google for the reCAPTCHA service to Google. Your input will be transmitted to Google and analyzed for this purpose. For more information about Google reCAPTCHA and Google’s Data Protection Policy, please visit the following links: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android
3. Obligations & Sharing of the Data
1. Processor shall at all times strictly comply in all material respects with all applicable laws, statutes, ordinances, rules, regulations and orders, in effect or hereafter established, as such relate to Processor’s performance of Services. Furthermore, in accordance with GDPR Article 28(1), Processor represents and warrants that it has implemented appropriate technical and organizational measures in such a manner that its Processing of Personal Data will meet the requirements of the GDPR and other privacy laws and ensure the protection of the rights of the data subjects.
2. In accordance with GDPR Article 28(2), the Processor shall not engage any Subprocessor without prior specific or general written authorization of the Client. In the case of general written authorization, the Processor shall inform the Client of any intended changes concerning the addition or replacement of other Subprocessors and give the Client the opportunity to object to such changes. The Processor shall also comply with the requirements for subprocessing as set forth in Article 28(4), and will ensure that the data protection obligations set forth herein are imposed upon the Subprocessor, and that the Processor’s contract with the Subprocessor contains sufficient guarantees that the Processing will meet the requirements of the GDPR.
3. In accordance with GDPR Article 28(3), the following terms shall apply to Processor’s performance under the Agreements:
(a) The Processor shall only process the Personal Data
i. as needed to provide the Services
ii. in accordance with the specific documented instructions that it has received from the Client, including with regard to any Transfers, and
iii. as needed to comply with applicable law (in which case, the Processor shall provide prior notice to the Client of such legal requirement, unless that law prohibits this disclosure)
(b) Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
(c) Processor shall take all security measures required by GDPR Article 32, namely:
i. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
ii. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed
iii. The Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not process them except on instructions from the Client, unless he or she is required to do so by EEA Member State law
(d) Taking into account the nature of the processing, Processor shall reasonably assist the Client by applying and enforcing appropriate technical and organizational measures for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights
(e) Taking into account the nature of processing and the information available to the Processor, Processor shall comply with (and shall reasonably assist the Client to comply with) the obligations regarding Personal Data Breaches (as set forth in GDPR Articles 33 and 34), data protection impact assessments (as set forth in GDPR Article 35), and prior consultation (as set forth in GDPR Article 36)
(f) At the Client’s discretion, the Processor shall delete or return all the Personal Data to the Client after the end of the provision of services relating to Processing, and delete existing copies
(g) The Processor shall provide the Client with full cooperation and all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client; and the Processor shall immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions
4. The Processor shall not Transfer any Personal Data (and shall not permit its Subprocessors to Transfer any Personal Data) without the prior consent of the Client or Candidate. The Processor understands that Client must approve and document that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists.
5. The Processor will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. Processor will notify the Client without undue delay in the event of any Personal Data Breach.
6. The Processor shall maintain all records required by Article 30(2) of the GDPR, and (to the extent they are applicable to Processor’s activities for the Client) Processor shall make them available to the Client upon request.
7. The Processor shall, and shall ensure that its hosting providers (if any), comply with international security standards such as ISO 27001 or equivalent. Processor shall not and shall ensure that its employees, agents, contractors and other representatives do not store Personal Data on any: (a) portable computing device including, but not limited to, cell phone, smartphone or laptop; or (b) removable media, such as compact disc, flash drive or tape; unless the Personal Data is encrypted using state-of-the-art techniques and processes.
FINANCIAL ADMINISTRATION SERVICES (Luxembourg) S.A