In case you have questions, remarks, criticism or you want to enforce your rights described in this PP, please contact our data protection officer specified at sec. 1.3.
1. Controller, Representative, Data Protection Officer
The owner of the website lionstep.com (hereinafter “Website”) and provider of the services delivered via the Website is:
8008 Zurich (Switzerland)
tel.: +41 44 585 15 68
Lionstep collects and processes personal data through the Website to deliver its services as “Controller”.
The Controller has appointed the following entity as Representative of the European Union:
8008 Zürich (Switzerland)
1.3 Data Protection Officer
The Controller has furthermore appointed a data protection officer (hereinafter “DPO”) in charge of monitoring all processes involving personal data, including compliance with applicable legislation. The DPO is:
8008 Zürich (Switzerland)
Furthermore, as the Controller is established outside of the EU and EEA, the following Representative according to Art. 17 GDPR is designated:
Vittorio De Vecchi Lajolo
Rechtsanwalt, Datenschutzbeauftragter (TÜV)
Oranienburger Str. 23
10178 Berlin (Germany)
2. Data collected via the Website
2.1 Whenever an internet user navigates the Website, logfiles related to his/her visit shall be generated by Lionstep, without regard to the fact, whether or not said user has an account on Lionstep. Such logfiles contain standard data, i.e. queries on the database, and information about the rendered output.
2.2 Further personal data may be collected and processed on one of the legal grounds specified at sec. 4. In particular, whenever personal data are collected on the grounds of the performance of the contract closed between Lionstep and the Data Subject, please refer to Lionstep’s Terms and Conditions (T&C) for Customers, if applicable, to find out, which personal data might be involved.
3. Data Subjects
3.1 The services provided via the Website are available to natural persons looking for a job (hereinafter “Candidates”) and professional recruiters or potential employers (hereinafter “Customers”; Candidates and Customers jointly referred to as “Users”) interested in intermediating or hiring new employees or collaborators. Whenever personal data relating to Users are collected and processed, such Users are referred to as “Data Subjects”.
4. Legal basis
4.1 Unless otherwise specified, personal data relating to Users shall be collected and processed as required by the closing of the contract with the Data Subject and by the performance of such contract, as described in Lionstep’s Terms and Conditions (T&C). Failure to provide such personal data may therefore result in limited or complete unavailability of services, as described in Lionstep’s T&C.
4.2 Furthermore, the Controller’s may collect and process personal data on the grounds of its legitimate interests, such as the legitimate interest in
– advertising for the services offered
– adapting, developing and improving its services with respect to User preferences
– analysing Users’ preferences and Users’ online behaviour for own market research and business development purposes.
In particular, based on these grounds, Customers having previously purchased Lionstep’s Services against payment of a fee may receive promotional newsletters related to products and services similar to those already purchased, as long as they have not objected to receiving such newsletters.
4.3 Should any further personal data be deemed necessary by the Controller, including for the purpose of sending newsletters going beyond what described at the afore-going subsec., the Data Subject’s consent shall be collected.
5.1 Cookies in general
5.1.1 In order to make the navigation on the Website more attractive, the Controller implements cookies enabling certain functions. Cookies are small text files stored on the User’s terminal device. Some of these cookies are deleted from the device as soon as the browser session is terminated (“session cookies”). Other cookies persist on the User’s device enabling the Controller to identify it whenever it is used again to visit the Website (“permanent cookies”).
5.1.3 Refusal to accept cookies may result in limitations or exclusions of single or all functionalities of the Website. Users can always delete the cookies placed on their devices manually.
5.2 First party cookies
5.2.1 We only adopt a session cookie allowing us to track the single User as long as he/she is logged in to our Website. Session cookies are deleted automatically after logout. If Users leave out Website without logging out, session cookies may subsist on their terminal devices. [vd2]
5.3 Third party cookies
5.3.1 Google Analytics is an analytics tool provided by Google Inc., placing a cookie file on the user’s terminal device. The information thus acquired is transferred to and saved on Google servers based in the USA. We adopt the “anonymised” version of Google Analytics: this means that users’ IP-addresses detected by Google Analytics are abridged within the European Union or the EEA. Only in exceptional cases may unabridged IP-addresses be transferred to the Google servers in the USA. Google uses such information to evaluate the use of our website, elaborate statistics and provide us further services related to the website. IP-addresses thus collected will not be shared with other Google data.
If you want to opt out from Google Analytics, please install the appropriate browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=en.
6.1 In order to provide a more efficient and personalised service, Lionstep cooperates with various third parties, providing ancillary services. Third parties included in the following categories, may process Users’ personal data on the Controller’s behalf:
– CV-upload and application process managing tools, allowing for a more efficient categorising and filtering of personal profiles
– payment management tools, i.e. services intermediating major payment methods such as credit cards or bank transfers
– advertising, retargeting and tracking tools, allowing Lionstep to analyse Users’ online behaviour for statistical and marketing-related purposes, such as the provision of personalised services or special offers
– social media, allowing Users to log in to the Website through their social media account, including but not limited to Facebook, Twitter, LinkedIn or GitHub.
6.2 Moreover, in case Users qualify as Candidates, their personal data shall be transferred to Customers having published the job offerings that have been applied for. Such Customer may also act as professional recruiters and thereby transfer the applying Candidates’ personal data further to potential employers.
7. Storage period, transfer of personal data to Switzerland and to other countries
7.1 Storage period
Whenever a User decides to terminate the contract closed with the Controller, the latter will irrevocably delete User’s personal data.
7.2 Transfer of personal data to Switzerland and to other countries
7.2.1 The Controller has its legal seat in Switzerland. Personal data are therefore collected and processed in Switzerland, pursuant to the European Commission’s adequacy decision no. 2000/518/EC.
8.1 In order to provide the services described in the T&C and in particular to allow an efficient matching between Candidates and Customers, the Controller organises personal data relating to such Data Subjects in profiles that can be viewed, researched and filtered according to all criteria relevant for the matching purposes, such as job qualifications or geographic areas of interest or activity (“profiling”).
8.2 No automated decision shall be taken on the grounds of such profiling. In particular, decisions to match single Candidates with single Customers shall always be made by human intervention, i.e. by the Controller or by Candidates and Customers themselves.
9. Rights of the Data Subject
9.1 Data Subjects have the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability.
9.1.1 Right to access. The Data Subject has the right to obtain information as to which personal data is being processed by the Controller; how it is being processed; the purposes of processing; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; to whom personal data are communicated and whether personal data are transferred abroad. Data Subjects may request a copy of the data undergoing processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs.
9.1.2 Right to rectification. The Data Subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
9.1.3 Right of erasure (“right to be forgotten”). The Data Subject has the right to request and obtain from the Controller the erasure of personal data concerning him or her without undue delay whenever
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
– the Data Subject has withdrawn consent as described at sec. 8.2 and no other legal ground for processing applies
– the Data Subject exerts his/her right to object as described at sec. 8.1.5 and no other legal ground for processing applies
– personal data have been or are being processed unlawfully
– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject
– the Data Subject is a child
Where the Controller has made the personal data public and is obliged pursuant to this sec. to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
9.1.4 Right to restrict the processing of personal data. The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data
– the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead
– the controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims
– the Data Subject has objected to processing pursuant to sec. 8.1.5 pending the verification whether the legitimate grounds of the controller override those of the data subject.
9.1.5 Right to object. The Data Subject has the right to object to any kind of processing of personal data carried out due to public interest, in the exercise of official authority vested in the Controller or for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on such grounds. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
9.1.6 Right to data portability. The Data Subject shall have the right to request from the Controller the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
– the processing is based on consent or on the performance of a contract; and
– the processing is carried out by automated means.
Where technically feasible, the Data Subject may request from the Controller that personal data be transferred directly to another Controller. The right to data portability shall not affect the right to be forgotten as described at sec. 8.1.3.
9.2 Furthermore Data Subjects whose personal data are being processed on the grounds of their informed, specific and free consent have the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exert their right to withdraw consent, Users shall contact the Data Protection Officer at the details specified at sec. 1.3.
9.3 Users always have the right to lodge complaints with the competent supervisory data protection authorities, according to such authorities’ own procedure rules.
10. Closing provisions