LEGAL NOTICE
LEGAL NOTICE
IMPORTANT — GOVERNING LANGUAGE This Legal Notice was originally drafted in Spanish. In the event of any discrepancy, conflict, or inconsistency between the Spanish version and any translated version, the Spanish version shall prevail for all legal purposes.
IMPORTANT NOTICE — PREVAILING LANGUAGE
This Global Privacy and Data Protection Policy is a translation of the original document drafted in Spanish.
In the event of any discrepancy, inconsistency, or interpretation conflict between this version and the Spanish version, the Spanish version shall prevail for all legal purposes.
GDPR – GLOBAL PRIVACY AND DATA PROTECTION POLICY
1. Introduction
At HS GROUP SOCIEDAD DE RESPONSABILIDAD LIMITADA (hereinafter, “PDA”), we value your privacy and the protection of your Personal Data.
This Global Privacy and Data Protection Policy (hereinafter, the “Privacy Policy”) describes how we collect, use, share, and protect your information in all countries where we operate or provide services.
For the purposes of the Software License Agreements (EULA), the website Terms and Conditions, and other PDA contractual documents, this Global Privacy and Data Protection Policy may also be referred to as the “Security and Privacy Policy,” maintaining in all cases the same scope and content.
PDA complies, among others, with the following data protection regulations:
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
Argentine Law No. 25,326 and Regulatory Decree No. 1558/2001.
Lei Geral de Proteção de Dados Pessoais (LGPD – Brazil).
California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA – USA).
Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP – Mexico).
Protection of Personal Information Act (POPIA – South Africa).
PDA applies the principles of lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, integrity, confidentiality, and accountability in all Processing of Personal Data.
2. Controller and Global Contact
The Controller of Personal Data will depend on the PDA group entity that provides the service and is identified as the “Licensor” or contractual provider in the EULA, master services agreement, or equivalent commercial document.
Controller – Argentina
When the Client contracts the services through the Argentine entity, the Controller will be:
HS GROUP SOCIEDAD DE RESPONSABILIDAD LIMITADA
(“HS GROUP” o “PDA INTERNATIONAL”)
CUIT: 30-70987001-0
Domicilio: Cerrito 782, Piso 1, Ciudad Autónoma de Buenos Aires, C1010AAP, República Argentina
Correo: gdpr@pdainternational.net
Sitio web: www.pdainternational.net
Controller – United States and Rest of the World (outside Argentina and the European Union)
When the Client contracts the services through the international entity, the Controller will be:
PDA USA LLC
Address: 1752 Aspen Ln, Weston, Florida, United States
EIN: 32-0502196
Email: gdpr@pdainternational.net
Representative in the European Union (Article 27 GDPR)
For clients, data subjects, and authorities located within the European Union, PDA designates as its representative:
Mantra Desarrollo de Negocios S.L.
Address: Calle Cetrería, 103, 28232 Las Rozas de Madrid, Madrid, Spain
Email: gdpr@pdainternational.net
Mantra Desarrollo de Negocios S.L. acts exclusively as a representative designated pursuant to Article 27 of the General Data Protection Regulation (GDPR).
It does not act as Controller or joint Controller and does not perform the functions of a Data Protection Officer (DPO).
Privacy Contact
Inquiries related to Personal Data protection and the exercise of data subject rights may be submitted through:
📧 gdpr@pdainternational.net
Regardless of the PDA group entity acting as Controller, requests will be internally forwarded to the corresponding entity.
3. Definitions
The definitions established in the GDPR, Argentine Law 25,326, LGPD, and equivalent regulations shall apply.
“Personal Data”: any information relating to an identified or identifiable natural person.
“Processing”: any operation or set of operations performed on Personal Data, such as collection, recording, organization, storage, consultation, disclosure, modification, anonymization, or erasure.
4. Data We Collect
PDA may collect the following categories of Personal Data:
Identification data: first name, last name, type and number of identification document, nationality, date of birth
Contact data: address, telephone number, email address.
Employment or professional data: position, company, sector, employment history, area of expertise.
Technical data: IP address, device type, operating system, browser, online identifiers, connection information, and activity logs.
Billing or payment data: data necessary for payment processing and invoicing, as applicable.
Assessment results generated through PDA tools (behavioral profiles, indicators, associated reports).
Additional information voluntarily provided by the user, candidate, participant, or client through forms, communications, or documentation submitted to PDA.
5. Purposes and Legal Bases
PDA processes Personal Data for the following purposes, with the legal bases indicated for reference (particularly under GDPR and equivalent regulations):
Provision, support, and maintenance of contracted services
Management of assessments, report generation, access to SaaS platforms, functional and technical support.
Legal basis:
Performance of a contract or pre-contractual measures (Art. 6.1.b GDPR; Art. 7 LGPD; Art. 10 LFPDPPP).
Legitimate Interest of the Controller (Art. 6.1.f GDPR), where applicable.
Account management, authentication, and communications with clients and users
Creation and administration of user accounts, delivery of operational notifications, security alerts, and service communications.
Legal basis:
Performance of a contract (Art. 6.1.b GDPR).
Legitimate Interest (Art. 6.1.f GDPR).
Sending commercial information, newsletters, and content of interest
Sending news, event invitations, webinars, training materials, and marketing communications.
Legal basis:
Consent (Art. 6.1.a GDPR; Art. 7 LGPD).
Legitimate Interest (Art. 6.1.f GDPR) for existing clients where permitted by applicable law, always providing opt-out mechanisms.
Recruitment and selection processes
Management of applications, interviews, evaluations, and onboarding processes.
Legal basis:
Consent or pre-contractual measures (Art. 6.1.a and 6.1.b GDPR).
Compliance with legal and regulatory obligations
Compliance with accounting, tax, regulatory obligations, or requests from supervisory authorities.
Legal basis:
Legal obligation (Art. 6.1.c GDPR).
Research, development, and improvement of PDA tools Investigación, desarrollo y mejora de herramientas PDA
Continuous improvement of algorithms, metrics, reports, and platform functionalities, including statistical analysis and usage studies.
In these cases, data is preferably used in anonymized or aggregated form.
Legal basis:
Legitimate Interest (Art. 6.1.f GDPR)
Consent when required by local regulations.
Management and response to rights exercise requests
Handling requests for access, rectification, erasure, objection, portability, or any applicable rights.
Legal basis:
Legal obligation (Art. 6.1.c GDPR).
Legitimate Interest in the defense of rights (Art. 6.1.f GDPR).
5.1 BIS. Research and Scientific Publications
PDA may use fully anonymized or aggregated data, provided that such data does not allow the direct or indirect identification of natural persons or client organizations, for purposes of scientific, statistical, academic, methodological, comparative research, or technical dissemination, including the preparation of publications, sector studies, methodological analyses, presentations, or technical materials.
Processing performed on anonymized data does not constitute Processing of Personal Data under GDPR, Law 25,326, LGPD, CCPA/CPRA, or other equivalent regulations, provided that the anonymization applied is irreversible and does not allow the re-identification of data subjects.
6. PDA’s Role
PDA may act as Controller or Processor, depending on the nature of the data and the purpose of Processing:
(a) PDA as Controller
PDA acts as Controller, among others, in the following cases:
- data of clients, prospective clients, representatives, and contact persons of organizations with which PDA maintains commercial relationships (for example, name, position, corporate email, telephone number, interaction history);
- data of website users, newsletter subscribers, event attendees, webinar participants, or marketing activity participants;
- data necessary for account management, billing, legal compliance, security, and service improvement.
In these cases, PDA may use service providers acting as Processors on behalf of PDA (for example, CRM and automation platforms such as HubSpot, email marketing tools, cloud providers), which process data following PDA’s instructions and under data processing agreements.
(b) PDA as Processor
PDA acts as Processor when it processes Personal Data on behalf of its clients, who act as Controllers. This includes, for example:
- data of candidates, employees, consultants, assessors, or other natural persons incorporated by the client into PDA platforms within recruitment, evaluation, development, or talent management processes;
- assessment results, behavioral profiles, and associated information entered by the client or by assessed individuals according to the client’s instructions.
In these cases, PDA processes the data exclusively in accordance with the client’s documented instructions and the provisions of the corresponding License Agreement / service agreement and Annex II – Data Processing Agreement (DPA).
(c) Relationship with the EULA and the DPA
When PDA acts as Processor, the obligations established in the EULA and the DPA executed with the client shall apply. When PDA acts as Controller, the provisions of this Privacy Policy shall apply, without prejudice to the rights of data subjects and the mandatory data protection regulations applicable.
7. Profiling and Automated Decisions
PDA tools and assessments may generate behavioral or competency profiles, as well as indicative indicators for recruitment, development, internal mobility, or training processes. However:
These profiles are indicative in nature and do not imply automated decisions producing legal effects or similarly significant effects for individuals, in accordance with Article 22 GDPR and the principles of the EU AI Act (2024).
The interpretation of results and decisions adopted based on them correspond to the client or user responsible for the process (employer, organization, educational entity, etc.).
This provision is aligned with the EULA, which establishes that the Software does not produce binding automated decisions.
Data subjects may:
• request human intervention in the interpretation of results,
• express their point of view,
• challenge the evaluation where applicable, and
• exercise the rights provided in Section 12 of this Policy.
8. Security and Confidentiality
PDA implements technical, organizational, and administrative measures appropriate to the risk, including, among others:
Encryption in transit and at rest (for example, TLS 1.3, AES-256).
Role-based access control and multi-factor authentication, where applicable.
Logging and auditing of relevant operations involving Personal Data.
Encrypted backups, environment segregation (production, testing, development), and disaster recovery plans.
Confidentiality policies, non-disclosure agreements, and continuous staff training in privacy and security.
Incident response and data breach protocols.
In the event of a security breach that may affect individuals’ rights, PDA will notify competent authorities and, where applicable, affected parties within 72 hours, in accordance with Articles 33 and 34 GDPR and equivalent regulations in other jurisdictions.
9. International Data Transfers
PDA conducts international transfers of Personal Data under the following safeguards:
Between Argentina and the European Union: Argentina is considered a country with an adequate level of protection under European Commission Decision 2003/490/EC.
Between regions or third countries: Standard Contractual Clauses (SCCs – Decision 2021/914/EU) are applied and, where applicable, mechanisms provided under LGPD, CCPA/CPRA, and LFPDPPP.
United States: PDA uses providers that comply with the EU–U.S. Data Privacy Framework or that offer Standard Contractual Clauses or equivalent safeguards.
Brazil: transfers are carried out subject to Articles 33–36 LGPD and the guidelines of the Autoridade Nacional de Proteção de Dados (ANPD).
All transfers are limited to the purposes described in this Policy and are carried out under equivalent standards of security and confidentiality.
10. Sub-processors and Third Parties
PDA may use technology or service providers acting as Sub-processors, including:
Hosting and cloud providers (primarily within the European Economic Area).
CRM and automation platforms (for example, HubSpot or other equivalent platforms)
Payment gateways (for example, Stripe, Mercado Pago, or others depending on the country).
Messaging, technical support, and performance analytics tools.
All Sub-processors are subject to:
data processing agreements that comply with Article 28 GDPR, and
periodic security and privacy audits or reviews.
The updated list of Sub-processors may be consulted at www.pdainternational.net/gdpr or requested at gdpr@pdainternational.net.
PDA will ensure that:
all Sub-processors maintain adequate guarantees of security and confidentiality, and
any associated international transfer is carried out through SCCs, Data Privacy Framework, or other internationally recognized mechanisms.
11. Data Retention
Personal Data will be retained only for the period strictly necessary to fulfill the purposes of Processing or while legal, contractual, or defense-of-rights obligations exist.
Indicative reference periods:
Assessment data: According to the contract or instructions of the client acting as Controller (when PDA acts as Processor).
Client and billing data: For the duration of the contractual relationship plus up to 10 additional years, in accordance with limitation periods and legal obligations (for example, tax or accounting).
Candidate data: Up to 1 year from the last contact or until the right to erasure is exercised, unless a longer legal retention obligation applies.
Technical data or cookies: According to the cookie policy applicable to each site or platform, with a usual maximum period of 2 years.
Anonymized data for research and statistical analysis: May be retained indefinitely, provided that they do not allow the identification of natural persons.
12. Data Subject Rights
Any data subject has the right to:
Access their Personal Data.
Rectify inaccurate or incomplete data.
Erase data when it is no longer necessary or when legally applicable.
Restrict or object to Processing, in cases provided by law.
Port their data to another Controller (where applicable under relevant regulations).
Withdraw consent at any time, without retroactive effects.
Not be subject to automated decisions producing legal effects or similarly significant effects, under Article 22 GDPR and equivalent regulations.
To exercise these rights, the individual may write to gdpr@pdainternational.net, indicating the right they wish to exercise and attaching valid identification or the necessary elements to verify their identity.
They may also lodge complaints with the data protection authority of their country, for example:
Argentina: Agencia de Acceso a la Información Pública (AAIP).
European Union: competent national authority (for example, AEPD in Spain).
Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos (INAI).
United States: state consumer protection or privacy authorities, depending on jurisdiction (for example, California Attorney General for CCPA/CPRA).
South Africa: Information Regulator (POPIA).
13. Exercise of Rights in Specific Jurisdictions
Brazil (LGPD)
Data subjects may exercise their rights in accordance with Articles 17–22 LGPD by contacting gdpr@pdainternational.net.
United States – California (CCPA/CPRA)
California residents may request information regarding the categories of data collected, their source, the purposes of Processing, and the third parties with whom they have been shared.
They may also request deletion of their Personal Information or exercise the right to opt out of any potential sale or commercial transfer of Personal Data.
PDA does not sell Personal Information within the meaning defined by CCPA/CPRA.
Mexico (LFPDPPP)
Data subjects may exercise ARCO rights (Access, Rectification, Cancellation, and Opposition) in accordance with Articles 28–35 LFPDPPP through gdpr@pdainternational.net.
14. Data Storage
Data is preferably stored on servers located within the European Economic Area (EEA), under certified security measures (for example, ISO 27001, SOC 2).
When providers located outside the EEA are used, PDA ensures that:
Standard Contractual Clauses are applied,
internationally recognized transfer mechanisms are used (for example, Data Privacy Framework, SCCs, LGPD/LFPDPPP equivalents), and
adequate levels of protection, security, and confidentiality are maintained.
15. User Responsibility
The User is responsible for the accuracy, truthfulness, and updating of the Personal Data incorporated or provided to PDA, as well as for not transmitting third-party information without having previously obtained a valid legal basis for such Processing.
When the User decides to evaluate or record Personal Data of minors within the Software, it shall be their sole responsibility to ensure compliance with applicable regulations in each jurisdiction, including, where applicable, obtaining consent from the holder of parental authority, legal guardian, or equivalent figure.
The Licensor does not verify the age of assessed individuals nor directly obtain such consent.
16. Incidents and Breach Communications
In the event of detecting or suspecting any unauthorized access, loss, improper disclosure, or misuse of Personal Information, users may immediately notify gdpr@pdainternational.net, indicating in the subject line: “Privacy Incident”.
PDA will activate its incident response protocols to investigate, mitigate, and, where applicable, notify authorities and affected individuals.
17. Policy Updates
PDA may modify this Policy in order to:
adapt it to new regulations or criteria of supervisory authorities,
reflect changes in its processes, services, or technologies, or
incorporate additional regulatory requirements.
Updated versions will be published on the PDA website.
When modifications are substantial (for example, materially changing Processing purposes or data subject rights), PDA will notify users through electronic means (email, platform notice, or equivalent mechanism).
Continued use of PDA services or platforms, where permitted by applicable law, will imply acknowledgment of the new version, without prejudice to the fact that:
modifications involving a material change in the purpose of Processing, or significantly affecting individuals’ rights, may require express acceptance or renewed consent, in accordance with applicable law.
Last updated: November 3, 2025.
18. Informational Annex – Data Processing Flow
The data Processing flow during PDA assessment processes is represented in the diagram included in the system’s informational materials and/or documentation provided to clients.
This diagram generally reflects the lifecycle of Personal Data, from its collection to its deletion or anonymization, in accordance with current contractual and legal obligations, including: data collection, storage, and Processing for the indicated purposes,
generation and use of reports or results, retention for applicable periods, and deletion, anonymization, or definitive blocking when no longer necessary.
recolección de datos, almacenamiento y tratamiento para las finalidades indicadas, generación y uso de reportes o resultados, conservación por los plazos aplicables, y
eliminación, anonimización o bloqueo definitivo cuando ya no sean necesarios.