DATA PROCESSING AGREEMENT
- 1. [CLIENT NAME] (the “Processor”) ; and
- 2. JOBODO LIMITED, trading as JOB HERON (company number 10342786) with registered address at 90 Paul Street, London, United Kingdom, EC2A 4NE (the “Controller”), collectively referred to as “Parties” and individually as “Party”.
This Data Processing Agreement (the “Agreement”) forms part of the Client Agreement for the use of online services from Job Heron (identified in the Client Agreement as the “Service”) to reflect the parties’ agreement with regard to the Processing of Personal Data.
Having regard to the fact that:
- 1. The Controller has access to the personal data of various candidates (“Data subjects”);
- 2. The Controller wants the Processor to execute certain types of processing in accordance with the Client Agreement and the Data Protection Policy;
- 3. The Controller has determined the purpose of and the means for the processing of personal data as governed by the terms and conditions referred to herein;
- 4. The Processor has undertaken to comply with this Agreement and to abide by the security obligations and all other aspects of the Data Protection Act 1998 (the “Act”);
- 5. Where, within the meaning of this Agreement, the Act is referred to, from 25th of May 2018 onwards, the corresponding provisions of the General Data Protection Regulation (“GDPR”) are meant and shall apply. Have agreed as follows:
- 6. The Processor undertakes to process personal data on behalf of the Controller strictly in accordance with the conditions and documented instructions laid down in this Agreement and guarantees compliance with all corresponding sections of the Act, pursuant to Section 5 above.
- 7. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller shall inform the Processor in writing of any such purposes which are not contemplated in this Data Processing Agreement and shall take no unilateral decisions regarding the processing of personal data for other purposes, including decisions regarding the provision thereof to third parties and data storage.
- 8. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.
- 9. The Processor guarantees compliance with all applicable laws and regulations, including those governing the protection of personal data, such as the Act and agrees to furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under the Act and pursuant to this Agreement.
- 10. The Processor’s obligations arising under the terms of this Agreement apply also to whomsoever processes personal data under the Processor’s instructions, whether as an affiliate, employee, contractor or otherwise and the Processor shall impose confidentiality obligations on all personnel who process the relevant data.
- 11. The Processor shall implement measures to assist the Controller in complying with the rights of data subjects and in obtaining approval from Data Protection Authorities (DPAs) where required.
- 12. At the Controller’s selection, the Processor shall either return or destroy the personal data at the of the relationship, unless otherwise expressly required by EU or national law.
TRANSMISSION OF PERSONAL DATA
- 13. The Processor may process the personal data in countries outside the European Economic Area (“EEA”). The Processor may also transfer the personal data to a country outside the EEA, provided that such country guarantees an adequate level of protection and satisfies the other obligations applicable to it pursuant to this Agreement and the Act. Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.
ALLOCATION OF RESPONSIBILITY
- 14. The Processor shall only be responsible for processing personal data under this Agreement in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes not reported by the Controller to the Processor and processing by third parties.
- 15. The Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Agreement.
ENGAGING OF THIRD PARTIES OR SUBCONTRACTORS
- 16. The Processor shall not appoint a sub-processor without the prior written consent of the Controller. Where the Controller agrees to the appointment of sub-processors, those sub-processors must be appointed on the same terms as those set out in this Agreement.
- 17. The onus is on the Processor to ensure that such third parties are obliged to agree in writing to the same terms as agreed between the Controller and the Processor in this Agreement.
DUTY TO REPORT
- 18. In the event of a security leak and/or the unlawful obtaining of personal data as per section 55 of the Act, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor shall take all reasonable steps to ensure that the furnished information is complete, correct and accurate.
- 19. If required by law or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
- 20. The duty to report includes the duty to report the fact that a leak has occurred, including details regarding: the (suspected) cause of the leak, the (currently known and/or anticipated) consequences thereof, the (proposed) solution, and the measures that have already been taken.
- 21. When processing data pursuant to this Agreement, the Processor shall take adequate technical and organisational security measures to prevent the loss of data and/or any form of unlawful processing, such as unauthorised disclosure, deterioration, alteration or disclosure of personal data.. The Processor shall endeavour to ensure that the security measures implemented are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs involved.
- 22. The Controller shall only make personal data available to the Processor if it is assured that necessary and adequate security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed between the Parties.
HANDLING REQUESTS FROM INVOLVED PARTIES
- 23. Where a Data subject submits a request to the Processor to inspect, or to improve, add to, change or protect his or her personal data, the Processor will forward the request to the Controller and the request shall be dealt with by the Controller. The Processor may notify the Data subject hereof.
NON DISCLOSURE AND CONFIDENTIALITY
- 24. All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Agreement is subject to a duty of confidentiality vis-à-vis third parties.
- 25. This duty of confidentiality does not apply when the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the terms of this Agreement, or if there is a legal requirement to do so..
- 26. To confirm compliance with this Agreement, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements and will not interfere unreasonably with the Processor’s business activities. An audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data and no earlier than two weeks after the Controller has provided written notice to the Processor.
- 27. The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties. The costs of the audit will be borne by the Controller.
DURATION AND TERMINATION
- 28. This Agreement is entered into for the duration of the cooperation between the Parties and may not be terminated in the interim.
- 29. This Agreement may only be amended by the Parties subject to mutual consent.
- 30. The operation and implementation of this Agreement shall be governed by English law. Any dispute arising between the Parties in connection with this Agreement shall be referred to the competent English court.
- 31. Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.