ToC h2 (don't edit)ToC h3 (don't edit)
No items found.
Back to Legal

Talenthub Data Processing Agreement

This Data Processing Agreement ("DPA") between Talenthub.io ("Processor") and you ("Controller") sets forth the terms governing the processing of Personal Data under the Talenthub.io Standard Terms and Conditions (the "T&C's"). This DPA is in addition to the T&C's and is effective upon its incorporation into the T&C's, which may be specified in an Order Form or an executed amendment to the T&C's. Once incorporated into the T&C's, the DPA will become part of the T&C's.

In all cases, the Processor or a third party acting on behalf of the Processor acts as the processor of Personal Data, and the Controller remains the controller of Personal Data. The term of this DPA shall follow the term of the T&C's, and any terms not defined herein shall have the meaning set forth in the T&C's.

Hereinafter, the Processor and the Controller are individually referred to as a "party" and collectively referred to as "the parties."

The parties have agreed to this Data Processing Agreement (the "DPA") to comply with the requirements of the General Data Protection Regulation (GDPR) and to ensure the protection of the rights of data subjects.

  1. Content
    2.   Preamble
    3.   The rights and obligations of the data controller
    4.   The data processor acts according to instructions
    5.   Confidentiality
    6.   Security of processing
    7.    Use of sub-processors
    8.   Transfer of data to third countries or international organisations
    9.   Assistance to the data controller
    10.  Notification of personal data breach
    11.   Erasure and return of data
    12.  Audit and inspections
    13.  The parties' agreement on other terms
    14.  Remuneration and costs
    15.  Liability and limitations of liability
    16.  Other provisions
    17.   Effective data and termination

    Appendix A - Information about the processing
    Appendix B - Authorised sub-processors
    Appendix C - Instructions pertaining the use of personal data

2. Preamble

These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller.

The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal information” means any kind of information about an identified or identifiable natural person, cf. General Data Protection Regulation article 4, nr. 1. If, as part of the fullfilment of the Main Agreement, confidential information other than personal data is processed, e.g. information which is deemed confidential pursuant to the Financial Business Act, any reference to "personal information" also includes this other confidential information.

In connection with the provision of certain services from the data processor to the data controller, as described in more detail in the parties' Main Agreement and Appendix A to this agreement (the "Main Services"), the data processor processes personal data on behalf of the data controller in accordance with this Agreement.

The Agreement takes precedence over any similar provisions in other agreements between the parties unless otherwise follows directly from the Agreement, or more far-reaching obligations are stipulated for the data processor in the Main Agreement. If additional obligations have been laid down for the data processor by another agreement between the partners, for example by standard contractual provisions within the meaning of Article 46 (2), litra c and d of the Data Protection Regulation, then these additional obligations apply in addition to the Agreement.

If one or more of the provisions of the Agreement is/are not enforceable, are illegal or invalid, they shall be replaced by fair negotiation or interpretation by provisions which, as far as possible, make the parties as if the provisions in question were valid and enforceable. If this is not possible, the clause in question or part thereof shall not be construed as part of the Agreement. The other provisions of the agreement remain in force.

There are three (3) annexes to this Agreement, and the annexes form an integral part of the Agreement

Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

Appendix B contains the data controller's conditions for the data processor's use of sub-data processors and a list of sub-data processors that the data controller has approved the use of.

Appendix C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum and how the data processor and any sub-data processors are supervised.

The agreement and its annexes must be kept in writing, including electronically, by both parties.

The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.

3. The rights and obligations of the data controller

The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Clauses (References to ”Member States” made throughout the Clauses shall be understood as references to “EEA Member States”).

The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.

The data controller shall be responsible, among others, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

4. The data processor acts according to instructions

The data processor shall process personal data only on documented instructions from the data controller unless required to do so by EU law or Member State law to which the processor is subject.

This instruction must be specified in Appendices A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions must always be documented and stored in writing, including electronically, together with this Agreement.

The data processor may, to the extent not otherwise provided in the Agreement, use all relevant technical and organisational aids, including IT systems, which meet the requirements set out in this Agreement.

The processor shall immediately notify and inform the controller in writing if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.

The data processor may not condition the full and unlimited compliance with the data controller's instructions on the data controller's prepayment or payment of outstanding invoices, etc., and the data processor has no right of retention in the personal data.

The data controller has instructed the data processor that personal data may only be processed by the sub- processors listed in Annex B from the locations listed in the Annex. The data controller guarantees that personal data is encrypted during transport and storage and that the decryption key is with the data processor (and not the sub-data processors). The data processor also confirms that the data processor's sub-processors have a fixed procedure for inquiries from authorities, which includes that the sub-processors strongly challenge inquiries in the courts.

The data processor shall indemnify the data controller for any claim that may arise as a result of the data processor or its sub-data processors acting outside the data controller's instructions.

5. Confidentiality

The data processor must keep the personal information confidential. The regulation of confidentiality in the Main Agreement also applies to this Agreement. To the extent that there is a discrepancy between the Main Agreement and this Agreement, the agreement that provides the widest possible protection of information and confidentiality shall take precedence. The confidentiality obligation in the Main Agreement does not apply in the event of a breach of personal data security.

The Data Processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the Data Processor's instructional powers, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary, including to any time applicable rules of the Financial Business Act. In the processing of confidential information from the data controller, the data processor and his employees are subject to a criminal duty of confidentiality, cf. section 117ff and section 373 of the Danish Financial Business Act. The list of persons who have been granted access must be reviewed on an ongoing basis. On the basis of this review, access to personal data must be closed if access is no longer necessary, and the personal data must no longer be available to these persons.

The data processor must, at the request of the data controller, be able to demonstrate that the persons in question, who are subject to the data processor's powers of instruction, are subject to the above-mentioned duty of confidentiality.

If the data processor is a legal person, this Agreement applies to any person who is subject to the data processor's instructional powers, and the data processor guarantees that these persons, who have access to the personal data, comply with the Agreement.

The data processor's obligations under this section 5 exist without a time limit, regardless of whether the parties' cooperation has otherwise ceased.

6. Security of processing

Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the current technical level, the implementation costs and the nature, scope, coherence and purpose of the processing in question and the risks of varying probability and seriousness of natural persons' rights and freedoms, implement appropriate technical and organisational measures to ensure a level of protection appropriate to these risks.

The data controller shall assess the risks to the rights and freedoms of natural persons constituting the processing and implement measures to address these risks. Depending on their relevance, it may include:

  • Pseudonymisation and encryption of personal data ability to ensure lasting confidentiality, integrity, availability and robustness of treatment systems and services;
  • ability to restore in a timely manner the availability and access to personal data in the event of a physical or technical incident;
  • a procedure for regular testing, assessment and evaluation of the effectiveness of technical and organisational measures to ensure treatment safety.

According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.

In addition, the data processor shall assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation, by, inter alia providing the data controller with the necessary information regarding the technical and organisational security measures already implemented by the data controller in accordance with Article 32 of the Regulation and any other information necessary for the data controller to comply with its obligation under the Regulation; Article 32.

If the response to the identified risks - in the opinion of the data controller - requires the implementation of additional measures than those already implemented by the data processor, the data controller shall indicate the additional measures to be implemented in Annex C and in the Main Agreement.

7. Use of sub-processors

The data processor must meet the conditions set out in Article 28(2) and (4) of the Data Protection Regulation, to make use of another data processor (a sub-data processor).

The data processor may thus not make use of a sub-data processor to fulfill this Agreement without prior general written approval from the data controller.

The data processor has the data controller's general approval for the use of sub-data processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-data processors with at least 30 days notice and thereby give the data controller the opportunity to object to such changes before using the sub-data processor(s) in question(s). If the data controller's acceptance of the sub- data processor cannot be obtained and the data processor continues to use the sub-data processor, the data controller is entitled to terminate this Agreement and the parts of the Main Agreement which involve the data processor's processing of personal data on behalf of the data controller. or the Main Agreement in its entirety, if the services under the Main Agreement cannot be separated or the remaining services do not have an independent value for the data controller. Upon cessation of the use of a sub-data processor, the data processor must give the data controller written notice thereof. Longer notice of notification in connection with specific processing activities can be specified in Appendix B. The list of sub-processors that the data controller has already approved is shown in Appendix B.

When the data processor uses a sub-data processor in connection with the performance of specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-data processor the same data protection obligations such as those set out in this Agreement, which in particular provide the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements of this Agreement and the Data Protection Regulation.

The data processor is therefore responsible for requiring the Sub-Data Processor to at least comply with the Data Processor's obligations under this Agreement and the Data Protection Regulation.

Prior to the data processor's notification pursuant to section 7.2, the data processor must have carried out an appropriate pre-audit (preliminary investigation) of the sub - processor's security level in accordance with Article 28(1) of the Data Protection Regulation.

The sub-data processor also acts solely on instructions from the data controller. All communication with the sub-data processor is handled by the data processor unless otherwise agreed. Any changed or specified instructions from the data controller must be passed on immediately by the data processor to the sub-data processor.

Sub-data processor agreement (s) and any subsequent amendments thereto are sent - at the request of the data controller - in copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations under this Agreement are imposed on the sub-data processor. Provisions on commercial terms that do not affect the data protection law content of the subdivision agreement shall not be sent to the data controller. In addition, the data processor must, upon request, provide documentation for the sub-data processors' fulfilment of their data protection obligations and the data processor's ongoing control thereof, etc.

In its agreement with the sub-processor, the data processor shall, as far as possible, include the data controller as a beneficiary third party in the event of the data processor's bankruptcy, so that the data controller can intervene in the data processor's rights and enforce them against sub-processors. ex. enables the data controller to instruct the sub-data processor to delete or return the personal data.

If the sub-data processor does not fulfill its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-data processor's obligations. This does not affect the rights of data subjects under the Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.

8. Transfer of data to third countries and international organisations

Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.

In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, is required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

Without documented instructions from the data controller or claims under EU law or the national law of the member state to which the data processor is subject, the data processor may not, within the framework of this Agreement:

  • transfer personal data to a controller or processor in a third country or an international organisation;
  • entrust the processing of personal data to a sub-processor in a third country
  • process the personal data of a third country

The data controller's instructions regarding the transfer of personal data to a third country, including any basis for transfer in Chapter V of the Data Protection Regulation on which the transfer is based, shall be set out in Annex C.6.

This Agreement shall not be confused with standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, and this Agreement may not constitute a basis for the transfer of personal data within the meaning of Chapter V of the Data Protection Regulation.

If the data controller in Annex C.6 has instructed the data processor to transfer personal data to a third country, it is the data controller's responsibility to ensure that the basis of transfer described, e.g. standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation 2, have been concluded between the relevant parties.

9. Assistance to the data controller

Taking into account the nature of processing, the data processor shall assist the data controller as far as possible by appropriate technical and organisational measures in compliance with the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.

This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:

  • the right to be informed when collecting personal data from the data subject
  • the right to be informed when personal data have not been obtained from the data subject
  • the right of access by the data subject
  • the right to rectification
  • the right to erasure (‘the right to be forgotten’)
  • the right to restriction of processing
  • notification obligation regarding rectification or erasure of personal data or restriction of processing
  • the right to data portability
  • the right to object
  • the right not to be subject to a decision based solely on automated processing, including profiling

In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:

  • The data controller's obligation to without undue delay and if possible within 72 hours, after he has become aware of reporting a breach of personal data security to the competent supervisory authority, the Danish Data Protection Agency, unless it is unlikely that the breach of personal data security involves a risk to the rights or freedoms of natural persons
  • the data controller's obligation to notify the data subject of a breach of personal data security without undue delay, when the breach is likely to entail a high risk to the rights and freedoms of natural persons;
  • the data controller's obligation to carry out an analysis of the consequences of the proposed processing activities for the protection of personal data prior to the processing (an impact assessment);
  • the data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if an impact assessment concerning data protection shows that the processing will lead to a high risk in the absence of measures taken by the data controller to limit the risk.

The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.

The data processor shall, without undue delay upon receipt of a request directly from the data subject or from a third party related to Chapter III of the Data Protection Regulation, inform the data controller in writing.

The data processor shall comply with the obligations set forth in this Agreement without additional consideration from or costs to the data controller, unless otherwise specifically stated in the Agreement.

The data processor is not entitled to payment from the data controller to handle inquiries from the data subjects about insights/objections or to delete data in the system as a result of the data processor having set up the system in such a way that the data controller does not or only with large inconvenience can handle inquiries from registered or delete data on its own.

10. Notification of personal data breach

The data processor shall inform the data controller without undue delay after becoming aware that there has been a breach of personal data security.

The data processor's notification to the data controller must be made to example@example.com without undue delay and no later than 36 hours after he has become aware of the breach, so that the data controller can comply with his obligation to report the breach of personal data security to the competent supervisory authority, in accordance with Article 33 of the Data Protection Regulation.

In accordance with clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33(3), must appear from the data controller's notification of the breach to the competent supervisory authority:

  • the nature of the breach of personal data security, including, if possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the likely consequences of the breach of personal data security
  • the measures taken or proposed by the data controller to deal with the breach of personal data security, including, where appropriate, measures to limit its potentially harmful effects.

The data processor must keep and maintain a record of all security breaches. The list must be made available to the data controller or the supervisory authorities upon written request.

The Parties shall set out in Annex C the information that the data processor must provide in connection with his assistance to the data controller in his obligation to report breaches of personal data security to the competent supervisory authority.

11. Erasure and return of data

Upon termination of the personal data processing services, the data processor and its sub-processors are obliged to return all personal data that has been processed on behalf of the data controller in a structured commonly used and machine-readable format and confirm to the data controller that all personal data are subsequently deleted at the end of the agreement, unless EU law or the national law of the Member States, provides for the longer storage of the personal data by the data processor.

The data processor may continue to process the personal data for up to three (3) months after the termination of the Agreement, to the extent that this is necessary to take the necessary statutory measures. During the same period, the data processor is entitled to have the personal data included in the data processor's usual backup procedure. The data processor's processing during this period is still considered to take place in compliance with the instructions and the other requirements in the Agreement.

Notwithstanding the above points, the Agreement and provisions in the Main Agreement, which deal with the processing of personal data, apply as long as the data processor processes the data controller's personal data, regardless of whether the Agreement and the Main Agreement have been formally terminated.

The data processor must, at the request of the data controller, provide the necessary documentation that the return and/or deletion has taken place in accordance with the deletion instructions from the data controller. The data controller may request that the data processor obtain an audit statement from an external auditor that the personal data has been returned and/or deleted from the data processor and its possible sub-data processors. The costs to the external auditor are borne by the data controller.

12. Audit and inspections

The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for audits, including inspections, conducted by the data controller or another auditor mandated by and paid by the data controller.

Procedures applicable to the data controller’s audits, including inspections, of the data processor and sub- processors are specified in appendices C.7. and C.8.

The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.

13. The parties' agreement and other terms

The parties may agree on/to other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses in the Agreement or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

14.Remuneration

The parties are only entitled to payment for the fulfillment of this Agreement, where this is specifically stated herein.

Notwithstanding the above, a party is not entitled to payment for assistance in investigating or implementing changes, etc. to the extent that such assistance or modification is a direct consequence of the breach of this Agreement or data protection law by that party.

15. Liability and limitations of liability

The Parties are liable in accordance with the general rules of applicable law, subject to the limitations set forth in this paragraph 15.

The Parties' maximum liability for all accumulated claims in accordance with this Agreement follows from the Parties' Main Agreement.

Notwithstanding clause 15.2, the following are not covered by the limitation of liability in this clause 15:

  • Loss because of gross negligence or wilful misconduct by the other Party.
  • Expenditure and resource consumption in fulfilling a Party's obligations to a supervisory authority or the data subject or costs of investigations (eg in the event of a security breach), compensation, tort and other compensation to data subjects, as well as administrative fines imposed by a supervisory authority, fines adjudicated by the courts to the extent that they are caused by the other Party's breach or breach of data protection law and this Agreement.

16. Other provisions

The provisions of the main agreement, including but not limited to provisions on violation, force majeure and dispute resolution, shall also apply to this Agreement, unless otherwise specifically provided in this Agreement.

Except where an express time frame is specified in this Agreement, no Party's delay or failure to exercise a right, power or the like will be prejudicial or deemed a waiver of such right, power or the like, which this has under the Agreement.

Any Party's waiver of any right or breach of this Agreement shall not be construed as a waiver of rights or acceptance of any other or subsequent infringement and shall be in writing.

17. Effective date and termination

The Agreement shall take effect on the date of signature by both Parties. The agreement is valid until either (a) the main agreement terminates or (b) the agreement is terminated, cf. clauses 17.3-17.4.

Both parties may demand that the Agreement be renegotiated if changes in the law or inconveniences in the Agreement give rise to this.

The agreement is valid for as long as the service concerning the processing of personal data lasts. During this period, the Agreement may not be terminated unless other provisions governing the provision of the personal data processing service are agreed upon between the parties.

If the provision of the personal data processing services ceases and the personal data has been deleted or returned to the data controller in accordance with clause 11.1 and Annex C.4, the Agreement may be terminated with written notice by both parties in accordance with the Main Agreement's provisions on termination and revocation.

Notwithstanding the termination of the Agreement, the provisions of the Agreement which, according to its content, are intended to regulate the Parties' rights and obligations after the termination of the Agreement, shall continue to have effect.

Appendix A - Information about the processing

A.1. Main benefit

The data controller and the data processor have entered into an agreement for the delivery of:

A survey tool to measure and analyse candidate feedback in order to optimize the overall candidate experience. The solution analyses feedback from candidates throughout the recruitment process. Completion is optional for the candidate and may contain personal information, depending on the candidate's completion of the evaluation. The candidate answers questions related to the recruitment process using, for example, a 5 or 10-scale answer as well as the possibility of stating comments in a free text field. The feedback can be accessed by the data controller via the data processor's platform and is owned exclusively by the data controller.

A.2. Information about the processing

The purpose of the data processor's processing of personal data on behalf of the data controller. 

The Collaboration Agreement incl. Annexes regulate the rights and obligations of the parties in connection with the data processor making a platform available to the data controller. As part of this collaboration, the data processor will host the Talenthub platform on behalf of the data controller as well as assist the data controller in collecting, measuring, and analysing candidate feedback collected via the Talenthub Feedback module.

The data processor's processing of personal data on behalf of the data controller is primarily about (the nature of the processing)

The data processor hosts the Talenthub platform on behalf of the data controller and assists the data controller in collecting, measuring, and analysing candidate feedback. In addition, the data processor makes the data as well as the analysis available to the data controller via the platform.

In editable fields where candidates have the ability to write free text, Talenthub has implemented a bot that scans for text that may contain personal information. If the bot finds text - such as email addresses or phone numbers - these will be anonymised by replacing this information with xxxx’s so that these cannot be used to identify people.

The processing includes the following types of personal information about the data subjects

General personal information, including answers (feedback) from candidates, any information related to the candidate's experiences (which may make it possible to identify the applicant in question), feedback related to the recruitment process, identification information in the form of names and email addresses of employees of the data controller and logging the behaviour of the data controller’s employees on the platform.

The processing includes the following categories of data subjects

The category of registered, identified, or identifiable natural persons covered by the Agreement or the processing activity:

  • Job applicants to the data controller
  • Employees of the data controller

The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The treatment has the following duration

The processing may take place until the termination of this Agreement, cf., however, sections 11 and 17.

Appendix B - Authorised sub-processors

B.1. Approved sub-processors

On commencement of the Agreement and the Clauses, the data controller authorises the engagement of the following sub-processors:

NAME ADDRESS DESCRIPTION OF PROCESSING LOCATION(S) FOR PROCESSING

Amazon Web Services EMEA SARL38 Avenue John F. Kennedy L-1855 Luxembourg

Amazon Web Services hosts the platform that the data processor makes available to the data controller.

Google Cloud EMEA 70 Sir John Rogerson’s Quay Dublin 2, Ireland 

Google Cloud processes our Google Suite in different locations. 

These, however, hold duplicates of the same things.

  • Frankfurt, Germany 
  • Dublin, Ireland
  • St. Ghislain, Belgium
  • Eemshaven, Netherland
  • Hamina, Finland

The data controller shall on the commencement of the Clauses authorise the use of the above-mentioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation, cf. clause 7 – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing. In addition, the data processor may not - without observing point 7 - process the personal data at locations other than those agreed above.

B.2. Prior notice for the authorisation of sub-processors

The data processor must notify the data controller in writing of the replacement or addition of sub-processors no later than 30 days prior to commissioning, whereby the data controller has been given the opportunity to object to the use of the use in question or change, cf. 7.2.

Appendix C - Instructions pertaining the use of personal data

C.1 The subject of instructions for the processing

The data processor’s processing of personal data on behalf of the data controller is described in Appendix A – Information about the processing.

C.2. Security of processing

It is a cloud solution that processes little ordinary personal information on job applicants.

The data processor is then entitled and obliged to make decisions about which technical and organisational security measures must be implemented in order to establish the necessary (and agreed) security level.

However, the data processor must - in any case and as a minimum - implement the following measures, which have been agreed with the data controller:

C.2.1. Pseudonymisation and encryption of personal data
The main systems used by the data processor including Talenthub.io, G-suite and Amazon all encrypt “data in transit” with at least TLS 1.2 and “data at rest” with at least 256-bit AES.

C.2.2. Ensure ongoing confidentiality, integrity, availability
All data is backed up at least once every 24 hours, and most are backed up continuously as changes are made. Also, company policy dictates that no files are physically stored on a PC drive or similar, partly because of security risks, but also because of the risk of losing data.

C.2.3. The ability to restore availability in a timely manner
Should the data processor encounter an unforeseen event, a Disaster Recovery Plan has been implemented. This ensures fast recovery of data from the data processor's redundant backups located in separate geographical zones.

C.2.4. Regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures
If necessary, the data processor performs security audits that test both digital and physical compliance. In addition, all employees undergo training in data security and management when they start their employment with the data processor.

C.2.5. Access to the information via the Internet
The transfer of files and information carried out by the data processor's employees follows specific guidelines regarding which information can be conveyed and which systems this can be done through. These systems have all passed our internal requirements regarding security and traceability.

C.2.6. Protection of information during transmission
When the data processor transmits data, the data processor uses end-to-end encryption. This ensures that the information remains unintelligible to outsiders, even if they were to pick it up along the way. The data processor's transmission protocols are configured to allow only secure connections, and any attempt to connect via unsecured methods is immediately rejected.

C.2.7. Protection of information during storage
Transfer of files and information carried out by the Data Processor's employees follows specific guidelines regarding which information can be conveyed and which systems this can be done through. These systems have all passed our internal requirements regarding security and traceability. In addition, all data is encrypted with AES-256 at rest.

C.2.8. Regarding physical security of locations
Access to the physical assets of the data processor (i.e. IT equipment) is limited to the data processor's employees and selected persons responsible for cleaning/maintenance at the data processor’s office. All persons have been issued a key and a code for our alarm system. The office building is monitored by a security company 24 hours a day, 7 days a week. No assets are stored locally in our office, but rather in the cloud, where they are located redundantly in data centers in Europe.

Physical access to the office is checked continuously. This means that physical and digital access is withdrawn/revoked if an employee quits. The data processor also has a digital access system based on the individual employee's position and work, which ensures that employees only have access to information and materials that are relevant to their work. All systems log the individual's use of the systems, which allows for detailed tracking of use and, more importantly, misuse of any information.

C.2.9. Home/remote workplaces
Employees are allowed home/remote work. For home/remote work, the same rules and guidelines apply as for attendance at the office, and activities are stored, cf. c.2.8, in the cloud.

C.2.10. Logging
All systems have a minimum log that shows the creation, updating and deletion of items or information. In addition, all systems have a log function that shows who has gained access to a given piece of information.

C.3. Assistance to the data controller

The Data Processor shall, as far as possible - within the scope and extent below - assist the Data Controller in accordance with clauses 9.1 and 9.2 by implementing the following technical and organisational measures.

At the specific request of the data controller, the data processor shall, taking into account the nature of the processing, assists the data controller as far as possible by means of appropriate technical and organisational measures in fulfilling the data controller's obligation to respond to requests for the exercise of the data subject's rights as laid down in the personal data legislation.

If a data subject makes a request for the exercise of his rights towards the data processor, the data processor shall notify the data controller without undue delay.

Taking into account the nature of the processing and the information available to the data processor, the data processor shall, upon specific request, also assists the data controller in ensuring compliance with the data controller's obligations in relation to:

  • Implementation of appropriate technical and organisational measures
  • Security breach
  • Notification of breach of personal data security to the data subject
  • Implementation of impact analyses
  • Prior hearings from the supervisory authorities

Furthermore, the data processor is free to inform the system owner and/or other contact persons in accordance with the main agreement.

C.4. Storage and period / erasure process

Personal information is stored for as long as the Main Agreement is active and the collaboration continues, after which it is deleted by the data processor.

In the event of deletion or request for deletion, the personal data in question must be irrevocably removed from all storage media on which they have been stored, so that personal data cannot be recovered, including with any sub-processors in accordance with section 11.1. This applies regardless of whether it is the data controller or the data processor who is responsible for the deletion.

C.5. Processing location

The processing and storage of the personal data covered by the Agreement may not take place without observance of clause 7 at locations other than the following:

Store Kongensgade 72C, 1264 Copenhagen, Denmark

In addition, reference is made to the listing under Appendix B.1 above.

The data processor is obliged to inform the data controller in writing of changes in locations for the data processor's processing of personal data with at least 1 month 'written notice, however by transfer to insecure third countries with at least 2 months' written notice, thereby giving the data controller the opportunity to against the transfer.

C.6. Instructions on the transfer of personal data to third countries

All data is stored and processed within the EU.

If the data controller does not in this Agreement or subsequently provide a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of the Agreement.

C.7. Procedures for the data controller's audit, including inspections, of the processing of personal data being performed by the data processor

Upon request, the Data Processor shall provide a management declaration/statement subject to the usual confidentiality obligations regarding the Data Processor's compliance with the Data Protection Regulation, data protection provisions of other EU or national laws and this Agreement.

There is an agreement between the parties that the data processor must provide the following:
 

  • Management statements

    Management statements are sent without undue delay to the data controller for information. The data controller may challenge the framework for and/or the method in the declaration and in such cases may request a new management declaration under another framework and/or using another method.

    In addition, the data controller or a representative of the data controller has access to carry out audits.

    Any expenses of the data controller in connection with an audit shall be borne by the data controller himself. However, the data processor shall allocate the resources (mainly time) necessary for the data controller to carry out this audit.

    The data processor shall also provide authorities which, under EU law or the law of a Member State, have access to the data controller's and data controller's facilities, or representatives acting on behalf of the authorities, access to the data processor's physical facilities upon presentation of proper identification.

C.8. Procedures for audit, of the processing of personal data being performed by sub-processors

Notwithstanding any contrary provision in this Agreement, it is acknowledged and agreed that certain limitations may apply with respect to the audit rights concerning sub-processors due to the policies and constraints imposed by the sub-processors. Sub-processors, such as Amazon and Google, do not permit audits of their facilities or systems. In such cases, the Data Processor shall make reasonable efforts to obtain assurances from its sub-processors regarding the protection of personal data.

The Data Processor shall ensure that its sub-processors are bound to provide adequate data protection and security measures as required by applicable data protection laws and regulations. If the Data Processor becomes aware of any material breach by a sub-processor, it shall take appropriate steps to remedy or mitigate the breach.

In the event that the Data Controller reasonably believes that a sub-processor's processing activities pose a significant risk to the protection of personal data, the Data Processor shall cooperate with the Data Controller in finding alternative solutions that comply with applicable data protection laws and regulations.

Back to Legal
Quick links

Last updated on:

September 24, 2024

Talenthub Data Processing Agreement

Details

This Data Processing Agreement ("DPA") between Talenthub.io ("Processor") and you ("Controller") sets forth the terms governing the processing of Personal Data under the Talenthub.io Standard Terms and Conditions (the "T&C's"). This DPA is in addition to the T&C's and is effective upon its incorporation into the T&C's, which may be specified in an Order Form or an executed amendment to the T&C's. Once incorporated into the T&C's, the DPA will become part of the T&C's.

In all cases, the Processor or a third party acting on behalf of the Processor acts as the processor of Personal Data, and the Controller remains the controller of Personal Data. The term of this DPA shall follow the term of the T&C's, and any terms not defined herein shall have the meaning set forth in the T&C's.

Hereinafter, the Processor and the Controller are individually referred to as a "party" and collectively referred to as "the parties."

The parties have agreed to this Data Processing Agreement (the "DPA") to comply with the requirements of the General Data Protection Regulation (GDPR) and to ensure the protection of the rights of data subjects.

  1. Content
    2.   Preamble
    3.   The rights and obligations of the data controller
    4.   The data processor acts according to instructions
    5.   Confidentiality
    6.   Security of processing
    7.    Use of sub-processors
    8.   Transfer of data to third countries or international organisations
    9.   Assistance to the data controller
    10.  Notification of personal data breach
    11.   Erasure and return of data
    12.  Audit and inspections
    13.  The parties' agreement on other terms
    14.  Remuneration and costs
    15.  Liability and limitations of liability
    16.  Other provisions
    17.   Effective data and termination

    Appendix A - Information about the processing
    Appendix B - Authorised sub-processors
    Appendix C - Instructions pertaining the use of personal data

2. Preamble

These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller.

The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal information” means any kind of information about an identified or identifiable natural person, cf. General Data Protection Regulation article 4, nr. 1. If, as part of the fullfilment of the Main Agreement, confidential information other than personal data is processed, e.g. information which is deemed confidential pursuant to the Financial Business Act, any reference to "personal information" also includes this other confidential information.

In connection with the provision of certain services from the data processor to the data controller, as described in more detail in the parties' Main Agreement and Appendix A to this agreement (the "Main Services"), the data processor processes personal data on behalf of the data controller in accordance with this Agreement.

The Agreement takes precedence over any similar provisions in other agreements between the parties unless otherwise follows directly from the Agreement, or more far-reaching obligations are stipulated for the data processor in the Main Agreement. If additional obligations have been laid down for the data processor by another agreement between the partners, for example by standard contractual provisions within the meaning of Article 46 (2), litra c and d of the Data Protection Regulation, then these additional obligations apply in addition to the Agreement.

If one or more of the provisions of the Agreement is/are not enforceable, are illegal or invalid, they shall be replaced by fair negotiation or interpretation by provisions which, as far as possible, make the parties as if the provisions in question were valid and enforceable. If this is not possible, the clause in question or part thereof shall not be construed as part of the Agreement. The other provisions of the agreement remain in force.

There are three (3) annexes to this Agreement, and the annexes form an integral part of the Agreement

Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

Appendix B contains the data controller's conditions for the data processor's use of sub-data processors and a list of sub-data processors that the data controller has approved the use of.

Appendix C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum and how the data processor and any sub-data processors are supervised.

The agreement and its annexes must be kept in writing, including electronically, by both parties.

The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.

3. The rights and obligations of the data controller

The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Clauses (References to ”Member States” made throughout the Clauses shall be understood as references to “EEA Member States”).

The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.

The data controller shall be responsible, among others, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

4. The data processor acts according to instructions

The data processor shall process personal data only on documented instructions from the data controller unless required to do so by EU law or Member State law to which the processor is subject.

This instruction must be specified in Appendices A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions must always be documented and stored in writing, including electronically, together with this Agreement.

The data processor may, to the extent not otherwise provided in the Agreement, use all relevant technical and organisational aids, including IT systems, which meet the requirements set out in this Agreement.

The processor shall immediately notify and inform the controller in writing if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.

The data processor may not condition the full and unlimited compliance with the data controller's instructions on the data controller's prepayment or payment of outstanding invoices, etc., and the data processor has no right of retention in the personal data.

The data controller has instructed the data processor that personal data may only be processed by the sub- processors listed in Annex B from the locations listed in the Annex. The data controller guarantees that personal data is encrypted during transport and storage and that the decryption key is with the data processor (and not the sub-data processors). The data processor also confirms that the data processor's sub-processors have a fixed procedure for inquiries from authorities, which includes that the sub-processors strongly challenge inquiries in the courts.

The data processor shall indemnify the data controller for any claim that may arise as a result of the data processor or its sub-data processors acting outside the data controller's instructions.

5. Confidentiality

The data processor must keep the personal information confidential. The regulation of confidentiality in the Main Agreement also applies to this Agreement. To the extent that there is a discrepancy between the Main Agreement and this Agreement, the agreement that provides the widest possible protection of information and confidentiality shall take precedence. The confidentiality obligation in the Main Agreement does not apply in the event of a breach of personal data security.

The Data Processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the Data Processor's instructional powers, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary, including to any time applicable rules of the Financial Business Act. In the processing of confidential information from the data controller, the data processor and his employees are subject to a criminal duty of confidentiality, cf. section 117ff and section 373 of the Danish Financial Business Act. The list of persons who have been granted access must be reviewed on an ongoing basis. On the basis of this review, access to personal data must be closed if access is no longer necessary, and the personal data must no longer be available to these persons.

The data processor must, at the request of the data controller, be able to demonstrate that the persons in question, who are subject to the data processor's powers of instruction, are subject to the above-mentioned duty of confidentiality.

If the data processor is a legal person, this Agreement applies to any person who is subject to the data processor's instructional powers, and the data processor guarantees that these persons, who have access to the personal data, comply with the Agreement.

The data processor's obligations under this section 5 exist without a time limit, regardless of whether the parties' cooperation has otherwise ceased.

6. Security of processing

Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the current technical level, the implementation costs and the nature, scope, coherence and purpose of the processing in question and the risks of varying probability and seriousness of natural persons' rights and freedoms, implement appropriate technical and organisational measures to ensure a level of protection appropriate to these risks.

The data controller shall assess the risks to the rights and freedoms of natural persons constituting the processing and implement measures to address these risks. Depending on their relevance, it may include:

  • Pseudonymisation and encryption of personal data ability to ensure lasting confidentiality, integrity, availability and robustness of treatment systems and services;
  • ability to restore in a timely manner the availability and access to personal data in the event of a physical or technical incident;
  • a procedure for regular testing, assessment and evaluation of the effectiveness of technical and organisational measures to ensure treatment safety.

According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.

In addition, the data processor shall assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation, by, inter alia providing the data controller with the necessary information regarding the technical and organisational security measures already implemented by the data controller in accordance with Article 32 of the Regulation and any other information necessary for the data controller to comply with its obligation under the Regulation; Article 32.

If the response to the identified risks - in the opinion of the data controller - requires the implementation of additional measures than those already implemented by the data processor, the data controller shall indicate the additional measures to be implemented in Annex C and in the Main Agreement.

7. Use of sub-processors

The data processor must meet the conditions set out in Article 28(2) and (4) of the Data Protection Regulation, to make use of another data processor (a sub-data processor).

The data processor may thus not make use of a sub-data processor to fulfill this Agreement without prior general written approval from the data controller.

The data processor has the data controller's general approval for the use of sub-data processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-data processors with at least 30 days notice and thereby give the data controller the opportunity to object to such changes before using the sub-data processor(s) in question(s). If the data controller's acceptance of the sub- data processor cannot be obtained and the data processor continues to use the sub-data processor, the data controller is entitled to terminate this Agreement and the parts of the Main Agreement which involve the data processor's processing of personal data on behalf of the data controller. or the Main Agreement in its entirety, if the services under the Main Agreement cannot be separated or the remaining services do not have an independent value for the data controller. Upon cessation of the use of a sub-data processor, the data processor must give the data controller written notice thereof. Longer notice of notification in connection with specific processing activities can be specified in Appendix B. The list of sub-processors that the data controller has already approved is shown in Appendix B.

When the data processor uses a sub-data processor in connection with the performance of specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-data processor the same data protection obligations such as those set out in this Agreement, which in particular provide the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements of this Agreement and the Data Protection Regulation.

The data processor is therefore responsible for requiring the Sub-Data Processor to at least comply with the Data Processor's obligations under this Agreement and the Data Protection Regulation.

Prior to the data processor's notification pursuant to section 7.2, the data processor must have carried out an appropriate pre-audit (preliminary investigation) of the sub - processor's security level in accordance with Article 28(1) of the Data Protection Regulation.

The sub-data processor also acts solely on instructions from the data controller. All communication with the sub-data processor is handled by the data processor unless otherwise agreed. Any changed or specified instructions from the data controller must be passed on immediately by the data processor to the sub-data processor.

Sub-data processor agreement (s) and any subsequent amendments thereto are sent - at the request of the data controller - in copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations under this Agreement are imposed on the sub-data processor. Provisions on commercial terms that do not affect the data protection law content of the subdivision agreement shall not be sent to the data controller. In addition, the data processor must, upon request, provide documentation for the sub-data processors' fulfilment of their data protection obligations and the data processor's ongoing control thereof, etc.

In its agreement with the sub-processor, the data processor shall, as far as possible, include the data controller as a beneficiary third party in the event of the data processor's bankruptcy, so that the data controller can intervene in the data processor's rights and enforce them against sub-processors. ex. enables the data controller to instruct the sub-data processor to delete or return the personal data.

If the sub-data processor does not fulfill its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-data processor's obligations. This does not affect the rights of data subjects under the Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.

8. Transfer of data to third countries and international organisations

Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.

In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, is required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

Without documented instructions from the data controller or claims under EU law or the national law of the member state to which the data processor is subject, the data processor may not, within the framework of this Agreement:

  • transfer personal data to a controller or processor in a third country or an international organisation;
  • entrust the processing of personal data to a sub-processor in a third country
  • process the personal data of a third country

The data controller's instructions regarding the transfer of personal data to a third country, including any basis for transfer in Chapter V of the Data Protection Regulation on which the transfer is based, shall be set out in Annex C.6.

This Agreement shall not be confused with standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, and this Agreement may not constitute a basis for the transfer of personal data within the meaning of Chapter V of the Data Protection Regulation.

If the data controller in Annex C.6 has instructed the data processor to transfer personal data to a third country, it is the data controller's responsibility to ensure that the basis of transfer described, e.g. standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation 2, have been concluded between the relevant parties.

9. Assistance to the data controller

Taking into account the nature of processing, the data processor shall assist the data controller as far as possible by appropriate technical and organisational measures in compliance with the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.

This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:

  • the right to be informed when collecting personal data from the data subject
  • the right to be informed when personal data have not been obtained from the data subject
  • the right of access by the data subject
  • the right to rectification
  • the right to erasure (‘the right to be forgotten’)
  • the right to restriction of processing
  • notification obligation regarding rectification or erasure of personal data or restriction of processing
  • the right to data portability
  • the right to object
  • the right not to be subject to a decision based solely on automated processing, including profiling

In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:

  • The data controller's obligation to without undue delay and if possible within 72 hours, after he has become aware of reporting a breach of personal data security to the competent supervisory authority, the Danish Data Protection Agency, unless it is unlikely that the breach of personal data security involves a risk to the rights or freedoms of natural persons
  • the data controller's obligation to notify the data subject of a breach of personal data security without undue delay, when the breach is likely to entail a high risk to the rights and freedoms of natural persons;
  • the data controller's obligation to carry out an analysis of the consequences of the proposed processing activities for the protection of personal data prior to the processing (an impact assessment);
  • the data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if an impact assessment concerning data protection shows that the processing will lead to a high risk in the absence of measures taken by the data controller to limit the risk.

The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.

The data processor shall, without undue delay upon receipt of a request directly from the data subject or from a third party related to Chapter III of the Data Protection Regulation, inform the data controller in writing.

The data processor shall comply with the obligations set forth in this Agreement without additional consideration from or costs to the data controller, unless otherwise specifically stated in the Agreement.

The data processor is not entitled to payment from the data controller to handle inquiries from the data subjects about insights/objections or to delete data in the system as a result of the data processor having set up the system in such a way that the data controller does not or only with large inconvenience can handle inquiries from registered or delete data on its own.

10. Notification of personal data breach

The data processor shall inform the data controller without undue delay after becoming aware that there has been a breach of personal data security.

The data processor's notification to the data controller must be made to example@example.com without undue delay and no later than 36 hours after he has become aware of the breach, so that the data controller can comply with his obligation to report the breach of personal data security to the competent supervisory authority, in accordance with Article 33 of the Data Protection Regulation.

In accordance with clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33(3), must appear from the data controller's notification of the breach to the competent supervisory authority:

  • the nature of the breach of personal data security, including, if possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the likely consequences of the breach of personal data security
  • the measures taken or proposed by the data controller to deal with the breach of personal data security, including, where appropriate, measures to limit its potentially harmful effects.

The data processor must keep and maintain a record of all security breaches. The list must be made available to the data controller or the supervisory authorities upon written request.

The Parties shall set out in Annex C the information that the data processor must provide in connection with his assistance to the data controller in his obligation to report breaches of personal data security to the competent supervisory authority.

11. Erasure and return of data

Upon termination of the personal data processing services, the data processor and its sub-processors are obliged to return all personal data that has been processed on behalf of the data controller in a structured commonly used and machine-readable format and confirm to the data controller that all personal data are subsequently deleted at the end of the agreement, unless EU law or the national law of the Member States, provides for the longer storage of the personal data by the data processor.

The data processor may continue to process the personal data for up to three (3) months after the termination of the Agreement, to the extent that this is necessary to take the necessary statutory measures. During the same period, the data processor is entitled to have the personal data included in the data processor's usual backup procedure. The data processor's processing during this period is still considered to take place in compliance with the instructions and the other requirements in the Agreement.

Notwithstanding the above points, the Agreement and provisions in the Main Agreement, which deal with the processing of personal data, apply as long as the data processor processes the data controller's personal data, regardless of whether the Agreement and the Main Agreement have been formally terminated.

The data processor must, at the request of the data controller, provide the necessary documentation that the return and/or deletion has taken place in accordance with the deletion instructions from the data controller. The data controller may request that the data processor obtain an audit statement from an external auditor that the personal data has been returned and/or deleted from the data processor and its possible sub-data processors. The costs to the external auditor are borne by the data controller.

12. Audit and inspections

The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for audits, including inspections, conducted by the data controller or another auditor mandated by and paid by the data controller.

Procedures applicable to the data controller’s audits, including inspections, of the data processor and sub- processors are specified in appendices C.7. and C.8.

The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.

13. The parties' agreement and other terms

The parties may agree on/to other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses in the Agreement or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

14.Remuneration

The parties are only entitled to payment for the fulfillment of this Agreement, where this is specifically stated herein.

Notwithstanding the above, a party is not entitled to payment for assistance in investigating or implementing changes, etc. to the extent that such assistance or modification is a direct consequence of the breach of this Agreement or data protection law by that party.

15. Liability and limitations of liability

The Parties are liable in accordance with the general rules of applicable law, subject to the limitations set forth in this paragraph 15.

The Parties' maximum liability for all accumulated claims in accordance with this Agreement follows from the Parties' Main Agreement.

Notwithstanding clause 15.2, the following are not covered by the limitation of liability in this clause 15:

  • Loss because of gross negligence or wilful misconduct by the other Party.
  • Expenditure and resource consumption in fulfilling a Party's obligations to a supervisory authority or the data subject or costs of investigations (eg in the event of a security breach), compensation, tort and other compensation to data subjects, as well as administrative fines imposed by a supervisory authority, fines adjudicated by the courts to the extent that they are caused by the other Party's breach or breach of data protection law and this Agreement.

16. Other provisions

The provisions of the main agreement, including but not limited to provisions on violation, force majeure and dispute resolution, shall also apply to this Agreement, unless otherwise specifically provided in this Agreement.

Except where an express time frame is specified in this Agreement, no Party's delay or failure to exercise a right, power or the like will be prejudicial or deemed a waiver of such right, power or the like, which this has under the Agreement.

Any Party's waiver of any right or breach of this Agreement shall not be construed as a waiver of rights or acceptance of any other or subsequent infringement and shall be in writing.

17. Effective date and termination

The Agreement shall take effect on the date of signature by both Parties. The agreement is valid until either (a) the main agreement terminates or (b) the agreement is terminated, cf. clauses 17.3-17.4.

Both parties may demand that the Agreement be renegotiated if changes in the law or inconveniences in the Agreement give rise to this.

The agreement is valid for as long as the service concerning the processing of personal data lasts. During this period, the Agreement may not be terminated unless other provisions governing the provision of the personal data processing service are agreed upon between the parties.

If the provision of the personal data processing services ceases and the personal data has been deleted or returned to the data controller in accordance with clause 11.1 and Annex C.4, the Agreement may be terminated with written notice by both parties in accordance with the Main Agreement's provisions on termination and revocation.

Notwithstanding the termination of the Agreement, the provisions of the Agreement which, according to its content, are intended to regulate the Parties' rights and obligations after the termination of the Agreement, shall continue to have effect.

Appendix A - Information about the processing

A.1. Main benefit

The data controller and the data processor have entered into an agreement for the delivery of:

A survey tool to measure and analyse candidate feedback in order to optimize the overall candidate experience. The solution analyses feedback from candidates throughout the recruitment process. Completion is optional for the candidate and may contain personal information, depending on the candidate's completion of the evaluation. The candidate answers questions related to the recruitment process using, for example, a 5 or 10-scale answer as well as the possibility of stating comments in a free text field. The feedback can be accessed by the data controller via the data processor's platform and is owned exclusively by the data controller.

A.2. Information about the processing

The purpose of the data processor's processing of personal data on behalf of the data controller. 

The Collaboration Agreement incl. Annexes regulate the rights and obligations of the parties in connection with the data processor making a platform available to the data controller. As part of this collaboration, the data processor will host the Talenthub platform on behalf of the data controller as well as assist the data controller in collecting, measuring, and analysing candidate feedback collected via the Talenthub Feedback module.

The data processor's processing of personal data on behalf of the data controller is primarily about (the nature of the processing)

The data processor hosts the Talenthub platform on behalf of the data controller and assists the data controller in collecting, measuring, and analysing candidate feedback. In addition, the data processor makes the data as well as the analysis available to the data controller via the platform.

In editable fields where candidates have the ability to write free text, Talenthub has implemented a bot that scans for text that may contain personal information. If the bot finds text - such as email addresses or phone numbers - these will be anonymised by replacing this information with xxxx’s so that these cannot be used to identify people.

The processing includes the following types of personal information about the data subjects

General personal information, including answers (feedback) from candidates, any information related to the candidate's experiences (which may make it possible to identify the applicant in question), feedback related to the recruitment process, identification information in the form of names and email addresses of employees of the data controller and logging the behaviour of the data controller’s employees on the platform.

The processing includes the following categories of data subjects

The category of registered, identified, or identifiable natural persons covered by the Agreement or the processing activity:

  • Job applicants to the data controller
  • Employees of the data controller

The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The treatment has the following duration

The processing may take place until the termination of this Agreement, cf., however, sections 11 and 17.

Appendix B - Authorised sub-processors

B.1. Approved sub-processors

On commencement of the Agreement and the Clauses, the data controller authorises the engagement of the following sub-processors:

NAME ADDRESS DESCRIPTION OF PROCESSING LOCATION(S) FOR PROCESSING

Amazon Web Services EMEA SARL38 Avenue John F. Kennedy L-1855 Luxembourg

Amazon Web Services hosts the platform that the data processor makes available to the data controller.

Google Cloud EMEA 70 Sir John Rogerson’s Quay Dublin 2, Ireland 

Google Cloud processes our Google Suite in different locations. 

These, however, hold duplicates of the same things.

  • Frankfurt, Germany 
  • Dublin, Ireland
  • St. Ghislain, Belgium
  • Eemshaven, Netherland
  • Hamina, Finland

The data controller shall on the commencement of the Clauses authorise the use of the above-mentioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation, cf. clause 7 – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing. In addition, the data processor may not - without observing point 7 - process the personal data at locations other than those agreed above.

B.2. Prior notice for the authorisation of sub-processors

The data processor must notify the data controller in writing of the replacement or addition of sub-processors no later than 30 days prior to commissioning, whereby the data controller has been given the opportunity to object to the use of the use in question or change, cf. 7.2.

Appendix C - Instructions pertaining the use of personal data

C.1 The subject of instructions for the processing

The data processor’s processing of personal data on behalf of the data controller is described in Appendix A – Information about the processing.

C.2. Security of processing

It is a cloud solution that processes little ordinary personal information on job applicants.

The data processor is then entitled and obliged to make decisions about which technical and organisational security measures must be implemented in order to establish the necessary (and agreed) security level.

However, the data processor must - in any case and as a minimum - implement the following measures, which have been agreed with the data controller:

C.2.1. Pseudonymisation and encryption of personal data
The main systems used by the data processor including Talenthub.io, G-suite and Amazon all encrypt “data in transit” with at least TLS 1.2 and “data at rest” with at least 256-bit AES.

C.2.2. Ensure ongoing confidentiality, integrity, availability
All data is backed up at least once every 24 hours, and most are backed up continuously as changes are made. Also, company policy dictates that no files are physically stored on a PC drive or similar, partly because of security risks, but also because of the risk of losing data.

C.2.3. The ability to restore availability in a timely manner
Should the data processor encounter an unforeseen event, a Disaster Recovery Plan has been implemented. This ensures fast recovery of data from the data processor's redundant backups located in separate geographical zones.

C.2.4. Regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures
If necessary, the data processor performs security audits that test both digital and physical compliance. In addition, all employees undergo training in data security and management when they start their employment with the data processor.

C.2.5. Access to the information via the Internet
The transfer of files and information carried out by the data processor's employees follows specific guidelines regarding which information can be conveyed and which systems this can be done through. These systems have all passed our internal requirements regarding security and traceability.

C.2.6. Protection of information during transmission
When the data processor transmits data, the data processor uses end-to-end encryption. This ensures that the information remains unintelligible to outsiders, even if they were to pick it up along the way. The data processor's transmission protocols are configured to allow only secure connections, and any attempt to connect via unsecured methods is immediately rejected.

C.2.7. Protection of information during storage
Transfer of files and information carried out by the Data Processor's employees follows specific guidelines regarding which information can be conveyed and which systems this can be done through. These systems have all passed our internal requirements regarding security and traceability. In addition, all data is encrypted with AES-256 at rest.

C.2.8. Regarding physical security of locations
Access to the physical assets of the data processor (i.e. IT equipment) is limited to the data processor's employees and selected persons responsible for cleaning/maintenance at the data processor’s office. All persons have been issued a key and a code for our alarm system. The office building is monitored by a security company 24 hours a day, 7 days a week. No assets are stored locally in our office, but rather in the cloud, where they are located redundantly in data centers in Europe.

Physical access to the office is checked continuously. This means that physical and digital access is withdrawn/revoked if an employee quits. The data processor also has a digital access system based on the individual employee's position and work, which ensures that employees only have access to information and materials that are relevant to their work. All systems log the individual's use of the systems, which allows for detailed tracking of use and, more importantly, misuse of any information.

C.2.9. Home/remote workplaces
Employees are allowed home/remote work. For home/remote work, the same rules and guidelines apply as for attendance at the office, and activities are stored, cf. c.2.8, in the cloud.

C.2.10. Logging
All systems have a minimum log that shows the creation, updating and deletion of items or information. In addition, all systems have a log function that shows who has gained access to a given piece of information.

C.3. Assistance to the data controller

The Data Processor shall, as far as possible - within the scope and extent below - assist the Data Controller in accordance with clauses 9.1 and 9.2 by implementing the following technical and organisational measures.

At the specific request of the data controller, the data processor shall, taking into account the nature of the processing, assists the data controller as far as possible by means of appropriate technical and organisational measures in fulfilling the data controller's obligation to respond to requests for the exercise of the data subject's rights as laid down in the personal data legislation.

If a data subject makes a request for the exercise of his rights towards the data processor, the data processor shall notify the data controller without undue delay.

Taking into account the nature of the processing and the information available to the data processor, the data processor shall, upon specific request, also assists the data controller in ensuring compliance with the data controller's obligations in relation to:

  • Implementation of appropriate technical and organisational measures
  • Security breach
  • Notification of breach of personal data security to the data subject
  • Implementation of impact analyses
  • Prior hearings from the supervisory authorities

Furthermore, the data processor is free to inform the system owner and/or other contact persons in accordance with the main agreement.

C.4. Storage and period / erasure process

Personal information is stored for as long as the Main Agreement is active and the collaboration continues, after which it is deleted by the data processor.

In the event of deletion or request for deletion, the personal data in question must be irrevocably removed from all storage media on which they have been stored, so that personal data cannot be recovered, including with any sub-processors in accordance with section 11.1. This applies regardless of whether it is the data controller or the data processor who is responsible for the deletion.

C.5. Processing location

The processing and storage of the personal data covered by the Agreement may not take place without observance of clause 7 at locations other than the following:

Store Kongensgade 72C, 1264 Copenhagen, Denmark

In addition, reference is made to the listing under Appendix B.1 above.

The data processor is obliged to inform the data controller in writing of changes in locations for the data processor's processing of personal data with at least 1 month 'written notice, however by transfer to insecure third countries with at least 2 months' written notice, thereby giving the data controller the opportunity to against the transfer.

C.6. Instructions on the transfer of personal data to third countries

All data is stored and processed within the EU.

If the data controller does not in this Agreement or subsequently provide a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of the Agreement.

C.7. Procedures for the data controller's audit, including inspections, of the processing of personal data being performed by the data processor

Upon request, the Data Processor shall provide a management declaration/statement subject to the usual confidentiality obligations regarding the Data Processor's compliance with the Data Protection Regulation, data protection provisions of other EU or national laws and this Agreement.

There is an agreement between the parties that the data processor must provide the following:
 

  • Management statements

    Management statements are sent without undue delay to the data controller for information. The data controller may challenge the framework for and/or the method in the declaration and in such cases may request a new management declaration under another framework and/or using another method.

    In addition, the data controller or a representative of the data controller has access to carry out audits.

    Any expenses of the data controller in connection with an audit shall be borne by the data controller himself. However, the data processor shall allocate the resources (mainly time) necessary for the data controller to carry out this audit.

    The data processor shall also provide authorities which, under EU law or the law of a Member State, have access to the data controller's and data controller's facilities, or representatives acting on behalf of the authorities, access to the data processor's physical facilities upon presentation of proper identification.

C.8. Procedures for audit, of the processing of personal data being performed by sub-processors

Notwithstanding any contrary provision in this Agreement, it is acknowledged and agreed that certain limitations may apply with respect to the audit rights concerning sub-processors due to the policies and constraints imposed by the sub-processors. Sub-processors, such as Amazon and Google, do not permit audits of their facilities or systems. In such cases, the Data Processor shall make reasonable efforts to obtain assurances from its sub-processors regarding the protection of personal data.

The Data Processor shall ensure that its sub-processors are bound to provide adequate data protection and security measures as required by applicable data protection laws and regulations. If the Data Processor becomes aware of any material breach by a sub-processor, it shall take appropriate steps to remedy or mitigate the breach.

In the event that the Data Controller reasonably believes that a sub-processor's processing activities pose a significant risk to the protection of personal data, the Data Processor shall cooperate with the Data Controller in finding alternative solutions that comply with applicable data protection laws and regulations.