PRIVACY POLICY



Medical Job (hereinafter: „Data Controller”) is committed to fully respecting their clients’ (doctors and medical personnel, hereinafter „Data Subject” or „Candidate”) rights concerning data controlling. Accordingly, we manage the Data Subjects’ personal data in agreement with the European Union’s Act of 2016/679 on the protection of natural persons and natural persons’ data management, and the free flow of this data (hereinafter: General Data Protection Regulation or „GDPR”).

Data Controller’s contact data:

  • Name of Data Controller: Medical Job
  • Representative of Data Controller: Elias El Salibi
  • Address: Zouk Mosbeh Lebanon
  • Phone number: +9613375667
  • E-mail address: info@medicaljob.me



1.PURPOSE OF DATA CONTROLLING, GENERAL DURATION


The purpose of data management is to successfully recruit the Data Subjects to hospitals in the Gulf & Mena Region (hereinafter: „Recruitment”), and the transaction of relocation to the destination countries (hereinafter: „Relocation”), including its full administration (hereinafter: „Services”). The Data Controller manages the Data Subjects’ data from initial contact (using basic contact information) through successful Recruitment to the transaction of Relocation, to the extent necessary for certain Services. This whole process can last for over two years. After the Services have been completed, data management continues in the interest of the follow-up processing of rights and obligations concerning the contract (hereinafter: „Follow-up procedures”) (based on the contract with the hospital, follow-up on the candidate, legal obligations), and in the interest of information and marketing.

Follow-up procedures will make data management necessary even after the completion of Services in order to upkeep legal obligations (local, and possibly Lebanese law) and depending on the legal relationship established with the given hospital.

Furthermore, we will store the data necessary for contacting the Data Subject, for further informing the Data Subject, or to inform them about further services similar to the Services, i.e. marketing.

2.DATA CONTROLLING AND SCOPE OF CONTROLLED DATA

The actual content of data controlling, the scope of personal data, and its retention time are discussed separately for each service phase in this privacy policy.

3.LEGAL BASIS FOR DATA CONTROLLING

In all phases of the process, the legal basis is the particular (in case of special category personal data) and voluntary consent of the Data Subject based on their previous information. Furthermore, the legal basis of data controlling can be:

  • the completion of the contract with the Data Subject concerning our Services,
  • the completion of all legal obligations of the Data Controller.



4.THE POSSIBLE REASONS OF THE INCOMPLETION OF DATA CONTROLLING

Personal data is controlled, and communicated to the Data Controller, in order to successfully provide the Services. These personal data are reasonably necessary for the Data Controller’s Services, thus not providing data can result in the incompletion of the Services.

5.DATA CONTROLLING DURING RECRUITMENT

5.1.DATA CONTROLLING NECESSARY FOR ESTABLISHING CONTACT

5.1.1.THE PURPOSE OF DATA CONTROLLING

The Data Controller’s main activity is recruiting doctors and medical personnel to member countries of the Gulf & Mena Regions, for which activity the Data Controller establishes contact with doctors and medical personnel with a degree from one of the member countries of the Gulf & Mena Regions. These criteria are necessary because of the accepting country’s authorization processes. The Data Controller contacts the Data Subjects by using publicly available data, or the voluntary applicants’ given contact data, to offer opportunities that can advance them financially, in their standard of living regarding their careers, and their personal life as well.

5.1.2.SCOPE OF CONTROLLED DATA

The Data Subject’s name, and contact data (phone number, email address), the candidate’s medical specialty, and subspecialty, other degrees, professional experience, language knowledge, sex, nationality, the CV provided by the Data Subject, whether it is in Lebanese, English, or another language, and the pictures of the Data Subject.

In order to provide our Services, we control data on public social media sites (LinkedIn, Facebook, Instagram, and other social media sites) also concerning the data published by the Data Subject, on their own profile, which includes the registration date in the given public database.

5.1.3.LEGAL BASIS FOR CONTROLLED DATA

Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:

  • the completion of the contract with the Data Subject concerning our Services,
  • the completion of all legal obligations of the Data Controller.

5.1.4.RETENTION TIME OF CONTROLLED DATA

The duration of Service providing, which can exceed two years.

Furthermore, the legal bases listed besides consent in point 3 above (completion of contract, legitimate interest, and the completion of the Data Controller’s legal obligation) require that a certain scope of personal data (basically the data required for personal identification and contact) be controlled even after the completion of Service providing.

5.1.5. DATA FORWARDING

According to GDPR forwarding data to member states of the Gulf & Mena Regions does not have data security risks, thus the Data Subject’s specific consent is not necessary from this standpoint.

For technical processing and storing, the personal data is controlled by a data processor whose servers are in the United States of America (the state of California). Based on our experience we can maximize the effectiveness of our inner processes with this service provider. Considering that data forwarding outside the Gulf & Mena Regions requires permission, we ask for the Data Subject’s consent for this particular forwarding.

5.1.6. DATA PROCESSOR

Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.

During the contacting phase the data processing areas (where the controlling of the personal data is done by subcontractors):

  • Employment company
  • External salesmen

We only use data processors who provide appropriate guarantees of compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.

5.2.RECRUITMENT PHASE

5.2.1.PURPOSE OF DATA CONTROLLING

The Data Controller prepares professional material about the candidates included in the recruitment process. This document contains the candidates’ professional background, education, and acquired employment experience. The Data Controller manages this data in a form that complies as much as possible with the recruitment destination country’s internal standards. The documents are prepared in a form that maximizes the Data Subject’s possibility of employment in the destination country. The primary objective of data controlling is to provide the most comprehensive picture of the Data Subject for potential future employers, and to provide them with new employment possibilities.

5.2.2. SCOPE OF CONTROLLED DATA

The data controlled according to point 5.1.2; the Data Controller also manages the data contained in the Data Subject’s CV and motivation letter. These can be birthday, address, language knowledge, Skype account, notice period, relationship status, or profile picture. Besides these data, the Data Controller manages detailed information on the Data Subject’s professional knowledge and educational background. For medical activities, official documentation is necessary in the Gulf & Mena Regions, thus Medicaljob manages the Data Subject’s practice permit and medical diploma to ensure regulatory compliance. In case the Data Subject is from outside the Gulf & Mena Regions, their certificate of conformity and homologation is managed as well.

5.2.3.LEGAL BASIS FOR CONTROLLED DATA

Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:

  • the completion of the contract with the Data Subject concerning our Services,
  • the completion of all legal obligations of the Data Controller.


5.2.4. RETENTION TIME OF CONTROLLED DATA

The time necessary to provide the Services, which could exceed two years.

Furthermore, the legal bases listed besides consent in point 3 above (completion of contract, legitimate interest, and the completion of the Data Controller’s legal obligation) require that a certain scope of personal data (basically the data required for personal identification and contact) be controlled even after the completion of Service providing.

Contact data will be retained for marketing purposes until the Data Subject requests their erasure.

5.2.5. DATA FORWARDING

Your personal data will be forwarded to healthcare institutions in the Gulf & Mena Regions member states for the provision of the Service, of which we will inform the Data Subject. If the Data Subject expressly consents to this, your personal information will be passed on to other intermediary companies, thereby increasing the scope for employment possibilities.

According to GDPR forwarding data to member states of the Gulf & Mena Regions does not have data security risks, thus the Data Subject’s specific consent is not necessary from this standpoint.

For technical processing and storing, the personal data is controlled by a data processor whose servers are in the United States of America (the state of California). Based on our experience we can maximize the effectiveness of our inner processes with this service provider. Considering that data forwarding outside the Gulf & Mena Regions requires permission, we ask for the Data Subject’s consent for this particular forwarding.

5.2.6.DATA PROCESSOR

Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.

During the recruitment phase the data processing areas (where the controlling of the personal data is done by subcontractors):


  • Khaled Saadi

We only use data processors who provide appropriate guarantees of compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.

5.3.INTERVIEW LEVEL DATA CONTROLLING

5.3.1.THE PURPOSE OF DATA CONTROLLING

The purpose of data controlling is for the Data Controller to be able to present a more comprehensive picture about the Data Subject to the potential employers, for this they prepare a detailed professional material called a Portfolio, thus aiding the Data Subject’s search for employment. Due to the international travels that are included in the interview process, the Data Controller manages data necessary for flights, car rentals, and accommodation bookings to make the Data Subject’s stay in the destination country easier.

5.3.2.SCOPE OF CONTROLLED DATA

Those data controlled according to point 5.2.2 and all that is said by the Data Subject during the motivational interview concerning their motivation, dedication, and personal preferences, and the data covered in the personality test. Furthermore, the Data Controller manages those data that are necessary for the organization of international travels, for example, the Data Subject’s ID number, or passport information.

A so-called NEO PI-R test is applied for the personality test, during which the Data Subject’s answers (considered personal data) are processed and evaluated by a software (considered profiling). The data given during testing is used to analyze or predict professional performance, possibly state of health, personal preferences, interests, trustworthiness, behavior, thus during the use of NEO PI-R medical data is controlled as well.

5.3.3.LEGAL BASIS FOR CONTROLLED DATA

Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:

  • the completion of the contract with the Data Subject concerning our Services,
  • the completion of all legal obligations of the Data Controller.


5.3.4.RETENTION TIME OF CONTROLLED DATA

Time necessary for the provision of Services, foreseeably 36 months.

Furthermore, the legal bases listed besides consent in point 3 above (completion of contract, legitimate interest, and the completion of the Data Controller’s legal obligation) require that a certain scope of personal data (basically the data required for personal identification and contact) be controlled even after the completion of Service providing.

5.3.5.DATA FORWARDING

Your personal data during the provision of Services will be forwarded to medical facilities in the Gulf & Mena Regions, of which we will send the Data Subjects regular summaries.

According to GDPR data forwarding to the member states of the Gulf & Mena Regions does not have data security risks, so no consent is needed from the Data Subject. The Data Subject’s personal data, including the NEO PI-R test, and the data given in it, will be sent to Psychological Assessment Resources – PAR, Inc. in the USA, which agrees with the conditions in Article 1 of the EU Committee 2016/1250 Act, thus they can guarantee GDPR compatible data protection for this type of data forwarding. For this reason, the Data Subject’s specific consent is not necessary for the forwarding of the test and the personal data given in it.

5.3.6.DATA PROCESSOR

Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.

During the interview level data controlling the data processing areas are (where data controlling is done by our subcontractors):

  • Psychologist
  • Psychological Assessment Resources
  • Our partner who measures medical competencies
  • Proofreader

We only use data processors who provide appropriate guarantees of compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.

5.4.DATA CONTROLLING CONCERNING RELOCATION, INTEGRATION

5.4.1.THE PURPOSE OF DATA CONTROLLING

The Data Controller handles the preparation and certification of official documents necessary for international employment and settlement, and the language preparation of the Data Subject, which are included in the Services. The Data Controller manages the administration of personal documentation prepared by international authorities, so that the Data Subjects face fewer challenges during relocation and integration.

5.4.2.SCOPE OF CONTROLLED DATA

Documents for authorization:

  • certified copy of an official document containing the name, nationality, and birth date (e.g. relevant pages of the passport),
  • certificate of name change, marriage certificate (if there was a change of name),
  • CV, education and professional experience in chronological order,
  • University diploma or other document certifying professional education, and its translation (to English, or the destination country’s language),
  • a document certifying the current professional status, which is to be sent to the destination country’s health insurance authority,
  • certificate of specialization, and its translation (to English, or the destination country’s language) (if applicable),
  • certificate of conformity prepared by the relevant authority,
  • authorization, if the Candidate is not acting in their own name.

Residence permit (To the destination country’s authorities):

  • a copy of the contract of employment, or an employer’s declaration according to the standards in the member state,
  • profile picture,
  • all other documents requested by the member state.

Social security (to the Local Municipality Service):

  • a completed entry form for new citizens,
  • a copy of passport/personal ID,
  • a copy of a document certifying the address (rental agreement, statement from the lessor),
  • a copy of marriage certificate / divorce certificate / death certificate,
  • a copy of the birth certificate of children under 18.

Language preparation:

  • basic data necessary for language teaching (name, date of birth),
  • photographs taken of the language groups, or individuals.

Data controlling during the relocation process, concerning accommodation:

  • providing contact data and basic communication with the lessor.



5.4.3.LEGAL BASIS FOR CONTROLLED DATA

Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data, and regarding that the Data Subject can be a child under 16, as a family member) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:

  • the completion of the contract with the Data Subject concerning our Services,
  • the completion of all legal obligations of the Data Controller.

In case of a child under 16, data controlling is only legal if the parent or legal guardian has allowed it and given consent.

5.4.4.RETENTION TIME FOR CONTROLLED DATA

Time necessary for the provision of relocation services, foreseeably 36 months.

Furthermore, the legal bases listed next to consent in point 3 (completion of contract, legal interest, and the completion of the Data Controller’s legal obligations) require, that a certain scope of personal data (data necessary for personal identification, and contact) be controlled after the completion of the relocation services. The contact data will be used for marketing purposes, until the Data Subject requests its erasure.

5.4.5.DATA FORWARDING

Data forwarding is possible to these institutions by request of the Data Subject:

  • local municipality service,
  • or a relevant authority or government of equal standing of the given member state of the Gulf & Mena Regions.
  • every authority, whose contribution is necessary for the provision of Services.

According to GDPR forwarding data to member states of the Gulf & Mena Regions does not have data security risks, thus the Data Subject’s specific consent is not necessary from this standpoint.

For technical processing and storing, the personal data is controlled by a data processor whose servers are in the United States of America (the state of California). Based on our experience we can maximize the effectiveness of our inner processes with this service provider. Considering that data forwarding outside the Gulf & Mena Regions requires permission, we ask for the Data Subject’s consent for this particular forwarding.

5.4.6. DATA PROCESSOR

Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.

Data processors necessary for relocation, integration related data controlling (where the data controlling is done by our subcontractors):

  • authorities, offices of destination country,
  • language teachers,
  • apartment owners, lessors.

We only use data processors who provide appropriate guarantees of compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.

6.DATA PROTECTION

The Data Controller will take the necessary technical and organizational measures and establish appropriate procedural rules to ensure the security of personal data throughout the entire process of data management.

The Data Controller chooses and controls the IT tools used for the management of personal data in a way that the handled data:

  • is accessible for authorized personnel (availability);
  • its authenticity and authentication are provided (authenticity of data management);
  • its uniformity is verifiable (data integrity);
  • it is protected against unauthorized access (data privacy).

The Data Controller

  • protects the data by enforcing appropriate measures against accidental or unlawful destruction, loss, modification, damage, unauthorized publication, or unauthorized access,
  • limits access to the personal data by establishing authorization levels,
  • protects IT systems by using a firewall and virus protection,
  • ensures that in the process of electronic data management the data is only accessible for an intended purpose, under controlled circumstances, by those who need it in order to perform their duties,
  • provides appropriate technical solutions for the protection of files managed in various electronic databases, in order to ensure that the stored data – unless it is made legally possible – is not directly linked or assigned to the Data Subject.

In the light of the current state of the art, the Data Controller provides technical, organizational and corporate measures to protect the security of data management, which provides a level of protection that corresponds to the risks associated with data management.

The Data Controller records any possible privacy incidents, indicating facts tied to these, their effects, and measures taken as remedies. The Data Controller reports the possible incidents without delay, preferably within 72 hours of realizing the occurrence of the privacy incident, to the National Data Protection and Freedom of Information Authority (hereinafter: Authority), unless the privacy incident is not likely to pose a risk to the rights and freedoms of natural persons.

7. DATA SUBJECT’S RIGHTS AND THE CONDITIONS FOR ENFORCING THEM

The Data Subject may request information concerning the management of their personal data, and the rectification of their personal data, furthermore, they may request the deletion of their personal data – except for statutory data management – as specified during the data collection process, or through the customer service.

7.1.RIGHT TO INFORMATION

At the request of the Data Subject, the Data Controller shall provide information on the data, source of the data, purpose of the data processing, legal basis, duration of the data processing, the name and address of the Data Processor, and the activities concerning data processing of the data managed by the Data Controller, or by the assigned Data Processor, furthermore, in case the Data Subject’s data has been forwarded, on the legal basis and addressee of the transmission. The Data Controller shall provide the information in writing, in a clear form, within the shortest possible time from the submission of the request, but not later than within 25 days. Information is free of charge if the requested information has not yet been filed with the Data Controller for the same data field in the current year. In other cases, reimbursement can be determined. The Data Controller may refuse to inform the Data Subject only in statutory cases. In the event of non-disclosure, the Data Controller shall inform the Data Subject in writing that refusal of the information has been made under the provisions of the Information Act. In the case of information refusal, the Data Controller notifies the Data Subject about the possibility of legal redress, and of turning to the Authority.

7.2.RIGHT TO CORRECTION

If the personal data does not comply with reality and the personal data corresponding to reality is available to the Data Controller, the personal data will be corrected by the Data Controller.

7.3.RIGHT TO ERASURE

Personal data must be erased if its handling is illegal; if the Data Subject requests it (except for compulsory data management); if it is incomplete or incorrect, and this cannot be legally remedied, provided that erasure is not legally forbidden; if the purpose of data management has ceased, or if the legally declared deadline for data storing has expired; if it has been ordered so by the court or the Authority.

7.4.RIGHT TO RESTRICTION OF PROCESSING

Instead of deleting it, the Data Controller will block the personal data if the Data Subject so requests or if, on the basis of the information available to him, it is assumed that the deletion would harm the legitimate interests of the Data Subject. Personal data so locked up can only be handled as long as there is a data management purpose that excludes the erasure of personal data. The Data Controller shall indicate the personal data they manage if the Data Subject disputes its correctness or accuracy, but the incorrect or inaccurate nature of the disputed personal data cannot be clearly identified.

7.5.OBLIGATION TO CORRECT OR ERASE PERSONAL DATA, AND TO NOTIFY ON RESTRICTIONS OF DATA MANAGEMENT

The Data Controller informs the Data Subject regarding correction, restriction and erasure. Notification may be omitted if it does not prejudice the legitimate interest of the Data Subject for the purpose of data handling. If the Data Controller fails to complete the Data Subject’s request for rectification, restriction or erasure, they shall within 30 days acknowledge the factual and legal grounds for refusal of the correction, restriction or erasure request. In the case of refusal of an application for rectification, erasure or restriction, the Data Controller shall inform the Data Subject of the judicial remedy and of the possibility of appeal to the Authority.

7.6.RIGHT TO OBJECTION

The Data subject is entitled to object any time for reasons concerning their own situation to the processing of data necessary for the execution of a task performed in the public interest or in the exercise of a public authority exercised on the Data Controller or for the treatment of the legitimate interests of the data controller or a third party, including profiling based on those provisions too.

In the event of an objection, the Data Controller shall not process the personal data unless it is justified by compelling reasons of lawfulness which prevail over the interests, rights and freedoms of the Data Subject, or which relate to the submission, enforcement or protection of legal claims.

The Data Controller shall examine the objection within the shortest time possible, but at most within 15 days of the submission of the request, decide on the matter of its validity and inform the applicant in writing. If the Data Controller establishes the validity of their objection, data management – including further data collection and data transfer – will terminate and data shall be locked, moreover, the Data Controller informs those about the measures taken who have been previously sent the data which is the subject of the objection, and those who are obligated to take measures in order to enforce the right to objection. If the Data Subject disagrees with the decision of the Data Controller or if the Data Controller fails to comply with the statutory deadline, the concerned party may refer the case to the court within 30 days from the date of notification of the decision or from the last day of the deadline. The Data Controller can also sue the Data Subject. The Data Controller cannot erase the relevant data if the data processing is ordered by law. However, the data cannot be forwarded to the data receiver if the Data Controller agrees to the objection or the court has found the objection rightful.

7.7.RIGHT TO STORE DATA

The Data Subject shall have the right to receive the personal data that they have commissioned to the Data Controller in a fragmented, widely used machine-readable format and forward this data to another Data Controller.

7.8.POSSIBILITY OF JUDICIAL REMEDY

In the event of violation of their rights and in the cases specified by law, the Data Subject may turn to the court against the Data Controller. The court proceeds in urgency.

If the Data Subject has suffered material or non-material damage as a result of the breach of the Data Protection Regulation, they are entitled to compensation for the damage sustained by the Data Controller or the Data Processor. The Data Controller or the Data Processor shall be exempt from liability if they prove that the damage was caused by an unavoidable cause outside the scope of data management. There is no need to reimburse the damage in so far as it is due to the intentional or gross negligence of the injured party.

Submitting an objection or complaint does not affect the other rights – regulated in the data protection acts – of the Data Subject.

The Data Protection Officer (hereinafter: DPO) is involved in the processing of the complaint. The Data Subject can submit a complaint to:

  • Medical Job 
  • Lebanese Court