Privacy and Personal Data Protection Policy
At askblue, we respect the privacy of personal data subjects with whom we interact in the course of our activities — in particular candidates, employees, representatives of our clients, suppliers, business partners, and other entities — and we strive to act with transparency and integrity in all situations. In accordance with the General Data Protection Regulation (EU Regulation 2016/679), “the protection of natural persons in relation to the processing of personal data is a fundamental right”. For this reason, we rigorously protect and process personal data in compliance with applicable legislation and with full respect for individual rights.
This Privacy and Personal Data Protection Policy aims to define the principles governing the processing of personal data carried out by askblue, specifying the categories of personal data we process, the purposes and legal basis for such processing, the criteria used to determine the data retention period, the types of third-party entities to whom data may be disclosed and the purpose of such disclosure, as well as the procedure to be followed in the event of a personal data breach.
Principles of the General Data Protection Regulation
Personal data will be processed by askblue in accordance with the principles established in the General Data Protection Regulation (hereinafter referred to as the Regulation), and through the implementation of appropriate technical and organizational security measures, proportionate to the perceived risks and aimed at safeguarding the data subject’s right to privacy. In accordance with the Regulation, personal data must be:
- processed lawfully, fairly and transparently in relation to the data subject (principles of lawfulness, fairness and transparency);
- collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes or without the data subject’s consent;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and kept up to date where necessary;
- stored securely and only for as long as necessary for the purposes for which they are processed, ensuring protection against unauthorized or unlawful processing, accidental loss or destruction, and maintaining the integrity and confidentiality of the data.
Consequently, it is the responsibility of askblue and its employees to ensure that personal data is processed based on the principle of lawfulness, with full respect for the data subject’s privacy.
In compliance with the Regulation, the processing of personal data shall only take place if and when one of the following conditions is met:
- the data subject has given consent, through signature or agreement (via online form, email or paper);
- the processing of data is necessary for the conclusion, management, or execution of a contract with the data subject (for example, various activities and pre-contractual steps required for the potential conclusion of an employment contract);
- the processing of data is necessary to comply with legal obligations to which askblue is subject, such as the disclosure of data to the Tax Authority and Social Security;
- the processing of data is necessary for the purposes of legitimate interests pursued by askblue.
Collection and Processing of Personal Data
Under the Regulation, the processing of personal data is understood as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. askblue maintains an up-to-date record of personal data processing activities, particularly with regard to data relating to candidates, employees, clients and suppliers, specifying the purpose of processing, legal basis, retention period and data transfers.
Candidates’ Personal Data
askblue, as a recruiting entity and for the specific purposes of recruitment and selection, will record the following identification and professional data of its candidates, within the scope of pre-contractual steps necessary for the potential conclusion of a contract:
- First name;
- Last name;
- Email address;
- Phone number;
- Curriculum Vitae (CV), including any personal data provided by the data subject.
askblue presumes that the personal data has been submitted freely and on the initiative of the respective data subject, in an informed and transparent manner, and based on the premise that the data is accurate and truthful. Mere access to and browsing of askblue’s website does not imply the provision of any personal data that may identify the user. However, by applying to askblue — whether directly through our website or via other platforms — candidates, as data subjects, are voluntarily and proactively providing askblue with their personal data for the purpose of processing such data within the scope of recruitment and selection activities. The performance of pre-contractual steps at the request of the data subject thus constitutes the lawful basis for askblue’s processing of personal data for recruitment and selection purposes.
Employees’ Personal Data
askblue collects and processes employees’ personal data for the purposes of complying with legal obligations, payroll processing and human resources management. As an employer, askblue processes the following categories of personal data:
- Identification data;
- Family-related data (e.g. marital status);
- Contact details;
- Protection systems (e.g. insurance);
- Professional data;
- Financial information;
- Data related to workplace accidents;
- Data related to medical certificates (e.g. temporary incapacity certificate);
- Traffic and location data (e.g. electronic communications);
- Other sensitive data not explicitly defined as such in the Regulation (e.g. disciplinary proceedings).
The processing of personal data for the performance of a contract to which the data subject is a party and for compliance with legal obligations to which the data controller is subject, constitutes the lawful basis for askblue’s processing of employees’ personal data. Employees may, at any time, exercise their right to access their personal data and request its rectification if necessary. The processing of employees’ personal data is detailed in an internal document.
Askblue’s employment contracts include a clause on “Confidentiality and Personal Data Processing,” which sets out the scope of data processing, the employee’s rights and their duties in cases where they access personal data as part of their role. askblue ensures that all personal data collected from employees is processed in strict compliance with applicable data protection legislation and is not subsequently processed in a manner incompatible with the stated purposes.
Clients’, Partners’ and Suppliers’ Personal Data
askblue, in its business relationships with clients, partners and suppliers, will only collect the identification data of those employees designated as key points of contact for the development of the business relationship, namely:
- First name;
- Last name;
- Email address;
- Professional phone number;
- Job title and position held within the partner or supplier’s company.
askblue collects and processes the personal data of employees of its clients, business partners and suppliers for the purpose of managing contacts and activities arising from the development of commercial relationships and business operations within the corporate sphere, namely:
- Contracts (i.e. contract signing, communication with third parties involved in the contracts and responding to requests from clients/suppliers/partners);
- Business development and improvement of askblue’s services.
Sharing information with third parties
Curricular information of candidates may be shared with askblue’s clients within the scope of recruitment and selection processes, subject to prior consent, in order to proceed with the application process and better ensure the alignment of skills and professional experience with the goals and expected outcomes of the projects developed by askblue for and with its clients.
The sharing of employee data with third parties is carried out to comply with legal obligations to which askblue, as an employer, is subject, and for the performance of a contract to which the data subject is a party. Details regarding the sharing of employee data are set out in a dedicated internal document.
Data retention
Personal data will be retained for the minimum period necessary and proportionate to the purposes for which it is processed. Data submitted to askblue by its subject, collected and processed accordingly, will be retained for the time required to fulfill the purpose arising from the original processing intent. askblue will retain personal data for the period established under the labor legislation in force at any given time.
Candidates’ Personal Data
The personal data collected during the recruitment process will be retained for a maximum period of five years, counted from the date the data is submitted or updated by the candidate, or from the last contact made with them. This period may be altered in case of withdrawal of consent by the data subject or if there is a legal obligation requiring data retention for a longer period. After this period, the personal data will be deleted.
Employees’ Personal Data
Employees’ personal data will be retained throughout the duration of the employment contract and, thereafter, for as long as necessary to fulfil applicable legal obligations in this regard—up to 10 years following termination of the contract. Once this period has elapsed, and unless there is a legal basis justifying the retention of data for a longer duration, the data will be deleted.
Clients’, Partners’ and Suppliers’ Personal Data
Clients’, partners’ and suppliers’ personal data will be retained throughout the duration of the contract and, subsequently, for the period necessary to comply with applicable legal obligations in this regard—up to 10 years after the termination of the contract. Once this period has elapsed, and unless there is a legal basis justifying the retention of data for a longer duration, the data will be deleted.
Data subjects’ rights
Data subjects whose personal data are processed by askblue may, at any time, exercise their rights, namely:
- The right to access their personal data (including the purposes of the processing, categories of data, whether personal data has been transferred to third parties, and the retention period);
- The right to rectify, erase or restrict the processing of their personal data;
- The right to data portability, specifically the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit such data to another data controller;
- The right to object.
Where consent is the legal basis for the processing of personal data, the data subject has the right to withdraw their consent at any time. However, the exercise of this right does not affect the lawfulness of processing carried out based on previously given consent, in accordance with the conditions set forth by the Regulation.
To exercise their rights or to clarify any doubts, the data subject may contact askblue via the email address rgpd@askblue.com, clearly and objectively indicating the instruction they intend to submit. They may also lodge a complaint with the competent supervisory authority through the institutional means and contacts made available for that purpose.
Security measures
Personal data will be processed by askblue using appropriate technical and organizational security measures, tailored to the perceived risks and designed to safeguard the data subject’s right to privacy. Askblue maintains an up-to-date record of personal data processing activities for which it is responsible, as well as proper information classification, and implements measures to protect the confidentiality, integrity, and availability of data (e.g., regular system backups, access controls…). Askblue employees must follow established guidelines regarding password definition, acceptable use of technological resources, information classification, and other applicable policies and standards. At the physical security level, askblue offices operate an access control system and employees must follow a clean desk policy, ensuring that documents containing personal data are not left on desks, printers, or in cabinets that cannot be locked. Data subjects (including candidates, employees, clients, suppliers, and partners) should, however, be aware that whenever data collection occurs over open networks, their data may circulate without adequate security measures, and there is a risk that it may be seen and used by unauthorized third parties.
Procedures in case of personal data breach
In accordance with the General Data Protection Regulation (GDPR), a personal data breach is defined as “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or processed.” If a personal data breach or suspected breach is detected, the incident will be properly analysed based on its level of severity and risk to the data subjects. If the breach is confirmed and found to potentially compromise the rights and freedoms of the data subjects, it must be reported to the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of the incident. In cases where askblue acts as a Data Processor, any personal data breach must be reported to the Data Controller as soon as askblue becomes aware of the incident, and within a maximum period of 24 hours. It is the responsibility of the Data Controller to take the necessary steps to assess the scope and impact of the breach and to communicate it to the competent supervisory authority, with askblue providing any necessary support.
Notification to the competent supervisory authority or to the Data Controller must include, whenever such information is available:
- The nature of the personal data breach, including the categories and approximate number of affected data subjects, as well as the categories and approximate number of personal data records involved (if possible);
- Contact details of the internal person responsible for data protection matters;
- Possible consequences of the data breach;
- Measures adopted or proposed to remedy and minimize potential negative effects of the personal data breach.
Likewise, if it is confirmed that the personal data breach may compromise the rights and freedoms of data subjects, and when acting as Data Controller, askblue will inform the data subjects as promptly as previously stated. It is the responsibility of all askblue employees, as well as all those acting under its authority, to immediately report any actual or suspected personal data breach to the email rgpd@askblue.com, or directly to the IT Support department (in the case of an IT incident) or to the Backoffice team. All reported incidents will be analysed, and the appropriate steps will be taken according to their level of criticality.
Approval and review
This Policy was approved by Management and has been in effect since 01/01/2016, with its latest revision in July 2025. Askblue reserves the right to, at any time, without prior notice and with immediate effect, amend, supplement, or revoke, in whole or in part, this Privacy and Personal Data Processing Policy.
Last update on October 29th, 2025.