The European Union adopted the privacy reform package that sets a new bar globally for privacy rights, security and compliance. One of these legislative acts is the European Regulation (EU) 2016/679 (“GDPR”) and ePrivacy Regulation. (First Round Technology AG) is devoted to meet the new regulatory requirements and identify what technical and organizational measures must be taken to ensure compliance with the regulatory changes.

Commitment to GDPR Compliance acknowledges its responsibilities under the GDPR and commits to ensure GDPR compliance as of 25th of May 2018.

Scope outlines privacy practices with respect to its services and systems, namely a) Regulatory Compliance and b) Information Security. Regulatory Compliance details the approach to compliance requirements, in terms of Data Processor/Controller role, protection Data Subject’s privacy, and awareness. The Information Security includes details on data access controls and operations security controls.

a) Regulatory Compliance acknowledges its role under the GDPR as both, Data Controller and Data Processor.

The controller/processor in accordance with Article 4(7) EU General Data Protection Regulation (GDPR) is:

First Round Technology AG

Fabrikstrasse 5

6330 Cham


Telephone: +41 (0)41 781 12 85

E-mail: carries out multiple number of processing activities, such as, (i) collection, (ii) storage, (iii) transmission and (iv) making personal data available to third parties.

In order to comply to the regulatory requirements, established a strong governance and appointed a Data Protection Officer to handle data security related requests from data authorities, customers and data subjects.

Data Protection Officer

First Round Technology AG

Fabrikstrasse 5

6330 Cham


Telephone: +41 (0)41 781 12 85


Data Controller is a search engine for sourcing passive candidates and is therefore directly engaged in the personal data processing. processes personal data by collecting data from third party data providers that are considered public web sources (“Public Sources”, “Public Data”). Public sources enter into agreements with data subjects, in which data subject consents in making its profile visible to the search engines and third parties, provided, however, that third parties have a clearly defined purpose of processing (“purpose limitation”) and ensure lawful, transparent and secure processing.

When collects publicly available data for its own business purposes, acts as a Data Controller by defining the processing means that is compatible with the purposes for which the data subject allowed his/her data to be processed.

Data Processor

When customers are using as its sourcing partner, customer instructs to search for candidates on its behalf, based on individual criterions set forth by the customer. When conducting the candidate search, assess the qualification of a candidate to match the Customer’s criterions.

Subsequent access and use of the personal data made visible to the customers must be carried out solely upon having a legal ground, such as legitimate interest (Article 6 of the GDPR). In this case, customers become a Data Controller and must take the appropriate technical and organizational measures to safeguard the personal data it controls. Controller bears the accountability under the GDPR.

Third Party Processors may engage third-party service providers and vendors (“Service Provider”).

All third-party service providers must comply with data processing regulations that contain the mandatory requirements governed by Article 28 (3) of the GDPR, accept privacy terms and other rules associated with data security.

Transfer to third countries

European Union has approved Model Clauses for personal data transfer outside EU, to ensure that personal data protection requirements are applied contractually for the recipients of data outside EU and EEA. includes Model Clauses to its data processing agreement, if the personal data is transferred outside of EU/EEA to both non-EU/EEA controllers and processors.

Data Subject’s Privacy upholds the protection of data subject’s rights, is committed to making sure data subjects can exercise their rights effectively and that requests are handled in a timely fashion.

These rights are standardised in Articles 15 – 22 (GDPR) (EU), and include:

  • - The right of access (Art. 15 (GDPR) (EU)
  • - The right to erasure (right to be forgotten) (Art. 17 (GDPR) (EU)
  • - The right to rectification (Art. 16 (GDPR) (EU)
  • - The right to data portability (Art. 20 (GDPR) (EU)
  • - The right to restriction of data processing (Art. 18 (GDPR) (EU)
  • - The right to object to data processing (Art. 21 (GDPR) (EU)

Right to Access. A data subject can request access to his/her personal data and obtain a copy of such personal data in a format acceptable to the data subject (e.g. pdf, word.). The data subject can submit a request form (the contact form) online via After the form is submitted, reviews the form and conducts requestor’s identity verification without undue delay. Upon successful verification, the data subject is provided with a copy of his/her personal data.

Right to Data Portability. ensures data portability in a manner that if a data subject is willing to transfer its data to another service provider, we provide such data subject with data in a structured, commonly used and machine-readable format.

Right to Erasure (“Right to be forgotten”) and Right to Rectification. Data subjects are entitled to request erasure or rectification of their data by filing an appropriate request via e-mail to will handle requests for data to be rectified or deleted, unless there is a legal requirement that prohibits such request to be fulfilled. When request is fulfilled, the data subject will be informed that his/her data is changed or erased and is not-longer derived from the data sources. Note that in order to comply with legal requirements, will store information about each requestor for the purposes of providing an evidence that a request has been fulfilled.

Right to Object. At all times, the data subject is entitled to object to processing of personal data concerning him or her. Right to Object can be exercised by submitting a form (contact form) at Upon receipt of the form, will cease the processing, unless there is a legal or statutory ground for such processing.

Right to be informed. If the data subject is inquiring about processing activities conducted with respect to his/her personal data,, without undue delay, will provide information about: (i) purposes of processing; (ii) categories and types of personal data; (iii) retention period; (iv) source of the relevant personal data; (v) privacy rights and information on data portability. Please refer for more information to Note that will update its privacy policies and privacy statement to encompass information on exact processing activities, data sources, and a guidance for data subjects to efficiently exercise each of his/her its rights.

Notification Requirements. does not claim ownership of personal data. By making candidate profiles available to the customer, profiles may contain references to the public source where the contact details of candidates are visible. Contact details are used to contact a candidate and exercise legitimate interest. When the candidate is reached, customer must comply with the Article 14 Information to be provided where personal data have not been obtained from the data subject.

Privacy will (by the means of system configuration) ensure that processing is minimized to what is necessary for the recruitment purposes. As for EU data subjects, will only process information that is justifiably related to employment and is derived from the data sources that corresponds with the sourcing opportunities.

b) Information Security continuously improves its information security with respect to operations security, access control, information security policies, information security incident management and applies the number of technical and organizational measures to protect its data from unauthorized access, alteration, use, disclosure, or destruction.

Access Control

To manage the access to its data, has applied the access controls to ensure the following:

  • - Access to information resources is controlled through processes that address authorization, modification, revalidation and revocation of information system privileges.
  • - Access is strictly limited to appropriate individuals on a "need to know" and "least privilege" basis.
  • - Access revocation due to resignation, termination or transfer, is conducted in a timely manner.

Customers of are accountable for all actions performed under their user id and are responsible for protecting and managing the confidentiality of their passwords and log-in credentials.