Data Processing Agreement (DPA)

Entry into force 23-02-2022

This Talenthub.io Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under the Talenthub.io Customer Terms of Service (the “TOS”). This DPA is an amendment to the TOS and is effective upon its incorporation into the TOS, which incorporation may be specified in an Order or an executed amendment to the TOS. Upon its incorporation into the TOS, the DPA will form a part of the TOS.

In all cases Talenthub.io (“Processor”), or a third party acting on behalf of Processor, acts as the processor of Personal Data and you (“Controller”) remain controller of Personal Data. The term of this DPA shall follow the term of the TOS. Terms not otherwise defined herein shall have the meaning as set forth in the TOS.

Hereinafter the data processor and the data controller are individually called a 'party' and together 'the parties'.

The parties have agreed on the following Data Processing Agreement (the Agreement) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.


  1. Content
    2. Preamble
    3. The rights and obligations of the data controller
    4. The data processor acts according to instructions
    5. Confidentiality
    6. Security of processing
    7. Use of Sub-processors
    8. Transfer of data to third countries or international organisations
    9. Assistance to the data controller
    10. Notification of personal data breach
    11. Erasure and return of data
    12. Audit and inspection
    13. The parties' agreement on other terms
    14. Commencement and termination
    15. Data controller and data processor contacts/contract points

    Appendix A - Information about the processing
    Appendix B - Authorised sub-processors
    Appendix C - Instruction pertaining the use of personal data

  2. Preamble
    1. These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.
    2. The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
    3. “Personal information” means any kind of information about an identified or identifiable natural person, cf. Article 4(1) of the General Data Protection Regulation. If, as part of the fulfilment of the Main Agreement, confidential information other than personal data is processed, e.g. information which is deemed confidential pursuant to the Financial Business Act, any reference to "personal information" also includes this other confidential information.
    4. In connection with the provision of certain services from the data processor to the data controller, as described in more detail in the parties' Main Agreement and Appendix 1 to this agreement (the "Main Services"), the data processor processes personal data on behalf of the data controller in accordance with this Agreement.
    5. The Agreement takes precedence over any similar provisions in other agreements between the parties, unless otherwise follows directly from the Agreement, or more far-reaching obligations are stipulated for the data processor in the Main Agreement. If additional obligations have been laid down for the data processor by another agreement between the parties, for example by standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, then these additional obligations apply in addition to the Agreement.
    6. If one or more of the provisions of the Agreement are not enforceable, are illegal or invalid, they shall be replaced by fair negotiation or interpretation by provisions which, as far as possible, make the parties as if the provisions in question were valid and enforceable. If this is not possible, the clause in question or part thereof shall not be construed as part of the Agreement. The other provisions of the agreement remain in force.
    7. There are three (3) annexes to this Agreement, and the annexes form an integral part of the Agreement.
    8. Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
    9. Appendix B contains the data controller's conditions for the data processor's use of sub-data processors and a list of sub-data processors that the data controller has approved the use of.
    10. Appendix C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum and how the data processor and any sub-data processors are supervised.
    11. The agreement and its annexes must be kept in writing, including electronically, by both parties.
    12. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.

  3. The rights and obligations of the controller
    1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Clauses (References to ”Member States” made throughout the Clauses shall be understood as references to “EEA Member States”).
    2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
    3. The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

  4. The Data Processor acts according to instructions
    1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject, cf. further section 4.2. The data processor shall notify the data controller in writing of this legal requirement before commencing processing, unless the law in question prohibits such notification for reasons of important societal interests.
    2. The Data Processor is only entitled to derogate from this Agreement in relation to "other law" if it is required under other law to which the data processor is subject by virtue of the data processor's establishment in the third country, and if this other law is not likely to have a significant negative impact on the rights and freedoms of the data subjects.
    3. This instruction must be specified in Appendices A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions must always be documented and stored in writing, including electronically, together with this Agreement.
    4. The Data Processor may, to the extent not otherwise provided in the Agreement, use all relevant technical and organizational aids, including IT systems, which meet the requirements set out in this Agreement.
    5. The processor shall immediately notify the controller in writing if, in its opinion, an instruction is in breach of the Regulation or data protection provisions of other Union, national or other law of the Member States to which the processor is subject.
    6. The data processor may not condition the full and unlimited compliance with the data controller's instructions on the data controller's prepayment or payment of outstanding invoices, etc., and the data processor has no right of retention in the personal data.
    7. The data controller has instructed the data processor that personal data may only be processed by the sub-processors listed in Annex B from the locations listed in the Annex within the EU. The data processor has stated and guarantees that personal data is only processed, including accessed, within the EU. This also includes the data processor's use of any sub-data processors. The data controller guarantees that personal data is encrypted during transport and storage, and that the decryption key is with the data processor (and not the sub-data processors). The data processor also confirms that the data processor's sub-processors have a fixed procedure for inquiries from authorities, which includes that the sub-processors strongly challenge inquiries in the courts.
    8. The data processor shall indemnify the data controller for any claim that may arise as a result of the data processor or its sub-data processors acting outside the data controller's instructions.

  5. Confidentiality
    1. The data processor must keep the personal information confidential. The regulation of confidentiality in the Main Agreement also applies to this Agreement. To the extent that there is a discrepancy between the Main Agreement and this Agreement, the agreement that provides the widest possible protection of information and confidentiality shall take precedence. The confidentiality obligation in the Main Agreement does not apply in the event of a breach of personal data security.
    2. The Data Processor may only grant access to personal data processed on behalf of the Data Controller to persons who are subject to the Data Processor's instructional powers, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary, including to any time applicable rules of the Financial Business Act. In the processing of confidential information from the Data Controller, the data processor and his employees are subject to a criminal duty of confidentiality, cf. section 117ff and section 373 of the Danish Financial Business Act. The list of persons who have been granted access must be reviewed on an ongoing basis. On the basis of this review, access to personal data must be closed if access is no longer necessary, and the personal data must no longer be available to these persons.
    3. The data processor must, at the request of the data controller, be able to demonstrate that the persons in question, who are subject to the data processor's powers of instruction, are subject to the above-mentioned duty of confidentiality.
    4. If the data processor is a legal person, this Agreement applies to any person who is subject to the data processor's instructional powers, and the data processor guarantees that these persons, who have access to the personal data, comply with the Agreement.
    5. The data processor's obligations under this section 5 exist without time limit, and regardless of whether the parties' cooperation has otherwise ceased.

  6. Security of processing
    1. Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing in question and the risks of varying probability and seriousness to natural persons' rights and freedoms, shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to these risks.

      The data controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks. Depending on their relevance, these may include:

      1. pseudonymisation and encryption of personal data;
      2. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a procedure for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing.
    2. According to Article 32 of the Regulation, the data processor - independently of the data controller - must also assess the risks to the rights and freedoms of natural persons that the processing entrusted to the data processor by the data controller constitutes, and implement measures to address those risks. For the purposes of this assessment, the data controller shall make the necessary information available to the data processor which enables it to identify and assess such risks.
    3. In addition, the data processor shall assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation by, inter alia, providing the data controller with the necessary information regarding the technical and organizational security measures already implemented by the data processor in accordance with Article 32 of the Regulation, and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.
    4. If the response to the identified risks - in the opinion of the data controller - requires the implementation of additional measures beyond those already implemented by the data processor, the data controller shall indicate the additional measures to be implemented in Annex C and in the Main Agreement.

  7. Use of sub-processors
    1. The data processor must meet the conditions set out in Article 28(2) and (4) of the Data Protection Regulation, to make use of another data processor (a sub-data processor).
    2. The Data Processor may thus not make use of a sub-data processor to fulfil this Agreement without prior general written approval from the Data Controller.

      The data processor has the data controller's general approval for the use of sub-data processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-data processors with at least 6 months' notice and thereby give the data controller the opportunity to object to such changes before using the sub-data processor(s) in question. The data controller has the right to object to the use of a sub-data processor without justification. If the data controller's acceptance of the sub-data processor cannot be obtained and the data processor continues to use the sub-data processor, the data controller is entitled to terminate, free of charge, this Agreement and the parts of the Main Agreement which involve the data processor's processing of personal data on behalf of the data controller, or the Main Agreement in its entirety if the services under the Main Agreement cannot be separated or the remaining services do not have an independent value for the data controller. Upon cessation of the use of a sub-data processor, the data processor must give the data controller written notice thereof. A longer notice period in connection with specific processing activities can be specified in Appendix B. The list of sub-processors that the data controller has already approved is shown in Appendix B.

    3. When the data processor uses a sub-data processor in connection with the performance of specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-data processor the same data protection obligations such as those set out in this Agreement, which in particular provide the necessary guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of this Agreement and the Data Protection Regulation.

    4. The Data Processor is therefore responsible for requiring the Sub-Data Processor to at least comply with the Data Processor's obligations under this Agreement and the Data Protection Regulation.
    5. Prior to the data processor's notification pursuant to section 7.2, the data processor must have carried out an appropriate pre-audit (preliminary investigation) of the sub-processor's security level in accordance with Article 28(1) of the Data Protection Regulation.
    6. The sub-data processor also acts solely on instructions from the data controller. All communication with the sub-data processor is handled by the data processor, unless otherwise agreed. Any changed or specified instructions from the data controller must be passed on immediately by the data processor to the sub-data processor.
    7. Sub-data processor agreement(s) and any subsequent amendments thereto are sent - at the request of the data controller - in copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations under this Agreement are imposed on the sub-data processor. Provisions on commercial terms that do not affect the data protection content of the sub-data processor agreement shall not be sent to the data controller. In addition, the data processor must, upon request, provide documentation of the sub-data processors' fulfilment of their data protection obligations and of the data processor's ongoing control thereof, etc.
    8. In its agreement with the sub-processor, the data processor shall, as far as possible, include the data controller as a third-party beneficiary in the event of the data processor's bankruptcy, so that the data controller can step into the data processor's rights and enforce them against sub-processors, e.g. enabling the data controller to instruct the sub-data processor to delete or return the personal data.
    9. If the sub-data processor does not fulfil its data protection obligations, the data processor remains fully liable to the data controller for the fulfilment of the sub-data processor's obligations. This does not affect the rights of data subjects under the Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.

  8. Transfer of data to third countries or international organisations
    1. Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.
    2. In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.
    3. Without documented instructions from the data controller or requirements under EU law, the national law of the Member State or other law to which the data processor is subject, the data processor may not, within the framework of this Agreement:
      1. transfer personal data to a controller or processor in a third country or an international organization;
      2. entrust the processing of personal data to a sub-processor in a third country;
      3. have the personal data processed in a third country.
    4. The data controller's instructions regarding the transfer of personal data to a third country, including any basis for transfer in Chapter V of the Data Protection Regulation on which the transfer is based, shall be set out in Annex C.6.
    5. This Agreement shall not be confused with standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, and this Agreement may not constitute a basis for the transfer of personal data within the meaning of Chapter V of the Data Protection Regulation.
    6. If the data controller in Annex C.6 has instructed the data processor to transfer personal data to a third country, it is the data controller's responsibility to ensure that the basis of transfer described, e.g. standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, has been concluded between the relevant parties.

  9. Assistance to the data controller
    1. Taking into account the nature of the processing, the Data Processor shall assist the Data Controller as far as possible, by appropriate technical and organizational measures, in complying with the Data Controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.

      This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:

      1. the right to be informed when collecting personal data from the data subject
      2. the right to be informed when personal data have not been obtained from the data subject
      3. the right of access by the data subject
      4. the right to rectification
      5. the right to erasure ('the right to be forgotten')
      6. the right to restriction of processing
      7. notification obligation regarding rectification or erasure of personal data or restriction of processing
      8. the right to data portability
      9. the right to object
      10. the right not to be subject to a decision based solely on automated processing, including profiling
    2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
      1. the data controller's obligation to report a breach of personal data security to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, if possible, within 72 hours after becoming aware of it, unless it is unlikely that the breach of personal data security involves a risk to the rights or freedoms of natural persons;
      2. the data controller's obligation to notify the data subject of a breach of personal data security without undue delay, when the breach is likely to entail a high risk to the rights and freedoms of natural persons;
      3. the data controller's obligation to carry out an analysis of the consequences of the proposed processing activities for the protection of personal data prior to the processing (an impact assessment);
      4. the data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if an impact assessment concerning data protection shows that the processing will lead to a high risk in the absence of measures taken by the data controller to limit the risk.
    3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
    4. The data processor shall, without undue delay upon receipt of a request directly from the data subject or from a third party relating to Chapter III of the Data Protection Regulation, inform the data controller in writing.
    5. The Data Processor shall comply with the obligations set forth in this Agreement without additional consideration from or costs to the Data Controller, unless otherwise specifically stated in the Agreement.
    6. The data processor is not entitled to payment from the data controller for handling inquiries from data subjects about access or objections, or for deleting data in the system, where this results from the data processor having set up the system in such a way that the data controller cannot, or can only with great inconvenience, handle inquiries from data subjects or delete data on its own.

  10. Notification of personal data breach
    1. The data processor shall inform the data controller without undue delay after becoming aware that there has been a breach of personal data security or that there has been a non-compliance with clauses 6.2 and 6.3.
    2. The data processor's notification to the data controller must be sent to the data controller's security contact at their designated email address without undue delay and no later than 24 hours after the data processor has become aware of the breach, so that the data controller can comply with its obligation to report the breach of personal data security to the competent supervisory authority in accordance with Article 33 of the Data Protection Regulation.
    3. In accordance with clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33(3) must appear in the data controller's notification of the breach to the competent supervisory authority:
      1. the nature of the breach of personal data security, including, if possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
      2. the likely consequences of the breach of personal data security
      3. the measures taken or proposed by the data controller to deal with the breach of personal data security, including, where appropriate, measures to limit its potential harmful effects.
    4. The data processor must maintain a record of all security breaches. The record must be made available to the data controller or the supervisory authorities upon written request.
    5. The Parties shall set out in Annex C the information that the data processor must provide in connection with its assistance to the data controller in the data controller's obligation to report breaches of personal data security to the competent supervisory authority.

  11. Erasure and return of data
    1. Upon termination of the personal data processing services, the data processor and its sub-data processors are obliged to return all personal data that has been processed on behalf of the data controller in a structured commonly used and machine-readable format and confirm to the data controller that all personal data are subsequently deleted at the end of the agreement, unless EU law, the national law of the Member States, or other law to which the data processor is subject, provides for the longer storage of the personal data by the data processor.
    2. The data processor may continue to process the personal data for up to three (3) months after the termination of the Agreement, to the extent that this is necessary to take the necessary statutory measures. During the same period, the data processor is entitled to have the personal data included in the data processor's usual backup procedure. The data processor's processing during this period is still considered to take place in compliance with the instructions and the other requirements in the Agreement.
    3. Notwithstanding the above points, the Agreement and provisions in the Main Agreement, which deal with the processing of personal data, apply as long as the data processor processes the data controller's personal data, regardless of whether the Agreement and the Main Agreement have been formally terminated.
    4. The data processor must, at the request of the data controller, provide the necessary documentation that the return and/or deletion has taken place in accordance with the deletion instructions from the data controller. The data controller may request that the data processor obtain an audit statement from an external auditor that the personal data has been returned and/or deleted from the data processor and its possible sub-data processors. The costs of the external auditor are borne by the data controller, provided that the declaration confirms that the personal data has been returned and/or deleted.

  12. Audit and inspection
    1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for audits, including inspections, conducted by the data controller or another auditor mandated by and paid by the data controller.
    2. Procedures applicable to the data controller’s audits, including inspections, of the data processor and sub-processors are specified in appendices C.7. and C.8.
    3. The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.

  13. The parties' agreement on other terms
    1. The parties may agree other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses in the Agreement or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

  14. Remuneration and costs
    1. The parties are only entitled to payment for the fulfilment of this Agreement, where this is specifically stated herein.
    2. Notwithstanding the above, a party is not entitled to payment for assistance in investigating or implementing changes, etc. to the extent that such assistance or modification is a direct consequence of the breach of this Agreement or of data protection law by that party.

  15. Liability and limitations of liability
    1. The parties are liable in accordance with the general rules of applicable law, subject to the limitations set forth in this paragraph 15.
    2. The parties' maximum liability for all cumulated claims in accordance with this Agreement follows from the Parties' Main Agreement.
    3. Notwithstanding clause 15.2, the following are not covered by the limitation of liability in this clause 15:
      1. Loss because of gross negligence or wilful misconduct by the other Party.
      2. Expenditure and resource consumption in fulfilling a Party's obligations to a supervisory authority or the data subject, costs of investigations (e.g. in the event of a security breach), compensation, tort and other compensation to data subjects, as well as administrative fines imposed by a supervisory authority and fines adjudicated by the courts, to the extent that they are caused by the other Party's breach of data protection law or of this Agreement.

  16. Other provisions
    1. The provisions of the main agreement, including but not limited to provisions on violation, force majeure and dispute resolution, shall also apply to this Agreement, unless otherwise specifically provided in this Agreement.
    2. Except where an express time frame is specified in this Agreement, no Party's delay or failure to exercise a right, power or the like will be prejudicial or deemed a waiver of such right, power or the like which it has under the Agreement.
    3. Any Party's waiver of any right or breach of this Agreement shall not be construed as a waiver of rights or acceptance of any other or subsequent infringement and shall be in writing.

  17. Effective date and termination
    1. The Agreement shall take effect on the date of signature by both Parties. The agreement is valid until either (a) the main agreement terminates or (b) the agreement is terminated, cf. clauses 17.3-17.4.
    2. Both parties may demand that the Agreement be renegotiated if changes in the law or inconveniences in the Agreement give rise to this.
    3. The agreement is valid for as long as the service concerning the processing of personal data lasts. During this period, the Agreement may not be terminated unless other provisions governing the provision of the personal data processing service are agreed between the parties.
    4. If the provision of the personal data processing services ceases and the personal data has been deleted or returned to the data controller in accordance with clause 11.1 and Annex C.4, the Agreement may be terminated with written notice by both parties in accordance with the Main Agreement's provisions on termination and revocation.
    5. Notwithstanding the termination of the Agreement, the provisions of the Agreement which, according to its content, are intended to regulate the Parties' rights and obligations after the termination of the Agreement, shall continue to have effect.

 

 

Appendix A - Information about the processing

A.1. Main benefit

The data controller and the data processor have entered into an agreement for the delivery of:

A survey tool to measure and analyse candidate feedback in order to optimize the overall candidate experience. The solution analyses feedback from candidates through the recruitment process. Completion is optional for the candidate and may contain personal information, depending on the candidate's completion of the evaluation. The candidate answers questions related to the recruitment process using, for example, a 5 or 10-scale answer as well as the possibility of stating comments in a free text field. The feedback can be accessed by the data controller via the data processor's platform and is owned exclusively by the data controller.

A.2. Information about the processing

The purpose of the data processor's processing of personal data on behalf of the data controller

The Pilot agreement incl. Annexes regulates the rights and obligations of the parties in connection with the data processor making a platform available to the data controller. As part of this collaboration, the data processor will host the Talenthub platform on behalf of the data controller as well as assist the data controller in collecting, measuring, and analysing candidate feedback collected via the Talenthub Feedback module.

The data processor's processing of personal data on behalf of the data controller is primarily about (the nature of the processing)

The data processor hosts the Talenthub platform on behalf of the data controller and assists the data controller in collecting, measuring, and analysing candidate feedback. In addition, the data processor makes the data as well as the analysis available to the data controller via the platform.

In editable fields where candidates can write free text, Talenthub has implemented a bot that scans for text that may contain personal information. If the bot finds such text, for example email addresses, names or phone numbers, the information is anonymized by replacing it with xxxx's so that it cannot be used to identify a person.

The processing includes the following types of personal information about the data subjects

General personal information, including answers (feedback) from candidates, any information related to the candidate's experiences (which may make it possible to identify the applicant in question), feedback related to the recruitment process, identification information in the form of names and email addresses of employees of the data controller and logging the behavior of the data controller’s employees on the platform

The processing includes the following categories of data subjects

The category of registered, identified, or identifiable natural persons covered by the Agreement or the processing activity:

a)      Job applicants at the data controller

b)      Employees of the data controller

The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The processing has the following duration

The processing may take place until the termination of this Agreement, cf., however, section 11 and 17


 

Appendix B - Authorised sub-processors

B.1. Approved sub-processors

Name: Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg
Description of processing: Amazon Web Services hosts the platform that the data processor makes available to the data controller
Location(s) for processing: Frankfurt, Germany

Name: CompanYoung A/S
Address: Nyhavnsgade 15, 4. th, 9000 Aalborg, Denmark
Description of processing: Assists with the administration of the data processor's Google accounts and has the same access to them as the data processor. Everything that is not processed by or at Google is processed by CompanYoung in Aalborg
Location(s) for processing: Aalborg, Denmark

Name: Google Cloud EMEA
Address: 70 Sir John Rogerson's Quay, Dublin 2, Ireland
Description of processing: Processes the data processor's Google Suite at several locations, which hold duplicates of the same data
Location(s) for processing: Dublin, Ireland; St. Ghislain, Belgium; Eemshaven, Netherlands; Hamina, Finland

Name: Intercom Inc.
Address: 555 West 18th Street, New York, NY 10011, United States
Description of processing: Talenthub uses Intercom for cloud-based customer support services
Location(s) for processing: Data is stored in the EU (not specified further)

Name: HubSpot, Inc.
Address: Nyhavnsgade 15, 4. th, 9000 Aalborg
Description of processing: Talenthub uses HubSpot to manage customer relations, write notes and manage deals
Location(s) for processing: Dublin, Ireland


The data controller shall, on the commencement of the Clauses, authorise the use of the abovementioned sub-processors for the processing described for each of them. The data processor shall not be entitled, without the data controller's explicit written authorisation, cf. clause 7, to engage a sub-processor for a 'different' processing than the one which has been agreed upon, or to have another sub-processor perform the described processing. In addition, the data processor may not, without observing clause 7, process the personal data at locations other than those agreed above.

 

B.2. Prior notice for the authorisation of sub-processors

The data processor must notify the data controller in writing of the replacement or addition of sub-processors no later than 6 months prior to commissioning, so that the data controller is given the opportunity to object to the sub-processor or change in question, cf. clause 7.2.

 

 

Appendix C - Instruction pertaining to the use of personal data

C.1. The subject of/instruction for the processing

The data processor’s processing of personal data on behalf of the data controller is described in Appendix A – Information about the processing.

 

C.2. Security of processing

The service is a cloud solution that processes a limited amount of ordinary (non-sensitive) personal data about job applicants.

The data processor is then entitled and obliged to make decisions about which technical and organizational security measures must be implemented in order to establish the necessary (and agreed) security level.

However, the data processor must - in any case and as a minimum - implement the following measures, which have been agreed with the data controller:

1.1 Information security policy

The data processor must ensure that there is a management-approved information security policy.

1.2 Organization of information security

The data processor must ensure that there is a focus on information security in its own organization with a defined division of roles and responsibilities.

In addition, the data processor's data access to the data controller's personal data must be secured through contracts, declarations of confidentiality and ensuring separation of functions in order to minimize errors and misuse of data.

The data processor must have a process for IT project management that defines roles and responsibilities and requires a documented project risk assessment.

The data processor shall implement a policy and supporting security measures to manage the risks arising from the use of mobile equipment.

The data processor must implement a policy and supporting security measures to protect information that is accessed, processed or stored on remote workstations.

1.3 Employee security

The data processor must have established a process so that employees and consultants know their responsibilities in relation to information security.

The data processor must ensure that its employees and external consultants, through education and training, are made aware of information security and are regularly kept up to date with the organization's policies and procedures throughout the duration of the employment relationship.

1.4 Asset management

The data processor must keep a list of IT assets, the ownership of which appears.

1.5 Access control

The data processor must have a documented access control process and ensure that access is granted solely on the basis of a work-related need.

The data processor must have established procedures for the establishment, closure and ongoing review of allocated rights based on the principle of a work-related need as well as the decision on function separation.

The data processor must limit and control the allocation and use of privileged access rights as well as ensure ongoing control. The principle of least privilege must be applied.

The data processor must have secure log-on procedures to minimize the opportunities for unauthorized access to systems and applications.

1.6 Cryptography

The data processor must ensure encryption with up-to-date encryption level for communication over open networks and between systems and ensure that key management takes place after a documented process.

The data processor must have a policy for the use of cryptography for the protection of information. The data processor must also ensure that the policy for the use of cryptography supports the current risk assessment.

The data processor must ensure that a policy on the use, protection and lifetime of encryption keys is implemented throughout the life cycle of an encryption key. The policy must be in accordance with the applicable risk assessment.

1.7 Physical protection and environmental protection

The data processor must plan and establish physical protection against natural disasters, malicious attacks or accidents of the data processor's physical locations and possibly data centers.

The data processor must ensure protection against unauthorized access to the data processor's physical locations and any data centers through an access control process. The data processor must ensure regular review of physical access rights.

1.8 Operations security

The data processor must ensure that operating procedures are documented and maintained. As a minimum, the following procedures must be included:

  • malware protection
  • backup
  • logging and monitoring
  • management of operating software
  • vulnerability management

1.9 Communication security

The data processor must ensure that networks are managed and controlled to protect information. The data processor must ensure that the data controller's personal data, which are communicated internally and externally, are processed correctly in terms of legislation, ethics, and business during the lifetime of the information. In addition, access to the network must be protected.

2.0 Procurement, development, and maintenance of systems

The data processor must ensure that security requirements for development are assessed and integrated into the solutions.

2.1 Changes in systems

The data processor must ensure that changes in IT systems follow a documented change process with relevant approvals and tests.

The data processor must ensure that development, test and operating systems are kept separate, and that capacity and performance are monitored and controlled.

2.2 Supplier relations

The data processor must impose at least the same security requirements on sub-data processors and other subcontractors as apply to the data processor itself, and must ensure compliance with these through regular follow-up.

2.3 Management of information security breaches

The data processor must record, and risk assess information security incidents and report these to the data controller without undue delay. The data processor shall establish procedures for the collection of evidence in the event of information security incidents.

2.4 Information security aspects of emergency, contingency, and re-establishment management

The data processor must have prepared contingency plans that define how systems or services are properly re-established as well as an established process for communication to the data controller. The contingency plans must be tested annually or in the event of major changes.

2.5 Compliance

The data processor must regularly examine whether systems and services meet the data processor's security requirements as well as the security requirements' efficiency and ability to ensure lasting confidentiality, integrity, availability and robustness of systems and services.

 

C.3. Assistance to the data controller

The Data Processor shall, as far as possible - within the scope and extent below - assist the Data Controller in accordance with clauses 9.1 and 9.2 by implementing the following technical and organisational measures described in C.2.

 

C.4. Storage period/erasure procedures

The data processor must delete personal data in accordance with current, documented instructions from the Data Controller and in accordance with clause. 11 of this Agreement. In addition, the following specific minimum requirements are set for the Data Processor's deletion of personal data:

 

Specific instructions to delete

The data processor uses a scanning program to scan the evaluations from, for example, job candidates in order to ensure that the answers contain no personal information. Any personal data found is replaced by "***".

The data processor does not store evaluations from job candidates before the scanner has removed any personal information.
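The scanner described in Appendix A and in this clause is not shown on the page, so the following is an added example, not Talenthub's code, of how such a pre-storage redaction step can be implemented. It masks e-mail addresses and phone numbers with pattern matching, uses the "xxxx" mask from Appendix A, and only writes the masked text to storage, as C.4 requires. Names cannot be found reliably by regular expressions, so the example assumes (this is an assumption, not something the page states) that they are matched against a list supplied by the data controller, such as its recruiters' names. Dates and short numbers such as scale ratings are deliberately left untouched, since masking them would destroy the feedback itself. The sample text is constructed.

```python
"""Mask direct identifiers in free-text candidate feedback before storage.

Added example; not Talenthub's implementation. Constructed sample data.
"""
import re
from dataclasses import dataclass, field

MASK = "xxxx"  # Appendix A: matches are replaced with xxxx's

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Phone candidate: optional '+', then 7-15 digits separated by spaces, dashes
# or parentheses. The lookarounds stop it matching inside longer word tokens.
PHONE_RE = re.compile(r"(?<![\w+])\+?(?:\d[ \-()]?){6,14}\d(?!\w)")
# Dates look like phone numbers to PHONE_RE and are filtered out separately.
DATE_RE = re.compile(r"\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}")


@dataclass
class Redaction:
    text: str
    counts: dict = field(default_factory=lambda: {"email": 0, "phone": 0, "name": 0})


def _looks_like_phone(candidate: str) -> bool:
    """Reject candidates with too few digits (e.g. '9/10', '2022') or date-shaped ones."""
    digits = sum(ch.isdigit() for ch in candidate)
    if not 8 <= digits <= 15:
        return False
    return DATE_RE.fullmatch(candidate.strip()) is None


def redact(text: str, known_names=()) -> Redaction:
    """Return the text with e-mail addresses, phone numbers and known names masked."""
    out = Redaction(text=text)

    def sub_email(m):
        out.counts["email"] += 1
        return MASK

    def sub_phone(m):
        if not _looks_like_phone(m.group(0)):
            return m.group(0)  # leave dates and short numbers as they are
        out.counts["phone"] += 1
        return MASK

    out.text = EMAIL_RE.sub(sub_email, out.text)
    out.text = PHONE_RE.sub(sub_phone, out.text)
    # Assumption: names come from a controller-supplied list (e.g. its recruiters);
    # longest names first so "Anna Larsen" is masked before a bare "Anna" would be.
    for name in sorted(known_names, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        out.text, n = pattern.subn(MASK, out.text)
        out.counts["name"] += n
    return out


def store_evaluation(raw_answer: str, known_names, storage: list) -> Redaction:
    """C.4: only the scanned, masked text is ever written to storage."""
    result = redact(raw_answer, known_names)
    storage.append(result.text)
    return result


# Constructed sample feedback, not real data.
SAMPLE = ("Great process, 9/10. The recruiter Anna Larsen (anna.larsen@example.com, "
          "+45 22 28 23 21) followed up on 23-02-2022. Please don't call 12345678 again.")

if __name__ == "__main__":
    db = []
    r = store_evaluation(SAMPLE, known_names=["Anna Larsen"], storage=db)
    print(r.text)
    print(r.counts)
```

The phone pattern is intentionally conservative: any run of 8 to 15 digits that is not date-shaped is masked, so an order or case number would also be redacted. That errs toward the controller's interest in not retaining identifiers, at the cost of some free-text content, and is the trade-off a controller should agree to explicitly in its instruction under this clause.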

Upon termination of the personal data processing service, the data processor shall either delete or return the personal data in accordance with clause 11.1, unless the data controller, after the signing of this Agreement, has changed its original choice. Such changes must be documented and stored in writing, including electronically, together with the Clauses.

General instructions to delete

In the event of deletion or request for deletion, the personal data in question must be irrevocably removed from all storage media on which they have been stored, so that personal data cannot be recovered, including with any sub-data processors in accordance with section 11.1. This applies regardless of whether it is the data controller or the data processor who is responsible for the deletion.

Any personal information in the possession of the data processor on behalf of the data controller must be continuously reviewed, assessed, and deleted to the extent that:
a) the personal data are no longer necessary for the purpose for which they are processed or have been collected and for which storage or processing is not required under mandatory EU law or the law of national Member States to which the Data Processor or Data Controller is subject;
b) where the storage of personal data will in any other way be contrary to the regulation, EU law or Danish law, or
c) where the legal basis for the processing or collection of personal data under the Regulation ceases.

Notwithstanding this Agreement or the provisions of the Main Agreement, the data processor shall delete personal data in its possession, which the data controller has been ordered to delete by the Danish Data Protection Agency or another similar supervision.

In connection with the ongoing deletion and at least once a year, the data processor must check, and document, that deletion has taken place in accordance with this Agreement. The data processor shall provide this documentation in accordance with clause 11 and in particular clause 11.5.

 

C.5. Processing location

The processing and storage of the personal data covered by the Agreement may not take place without observance of clause 7 at locations other than the following:

Skudehavnsvej 1, st. tv, 2150 Nordhavn, Denmark

In addition, reference is made to the listing under Appendix B.1 above.

The data processor is obliged to inform the data controller in writing of changes in the locations for the data processor's processing of personal data with at least 2 months' written notice, and in the case of transfer to insecure third countries with at least 6 months' written notice, thereby giving the data controller the opportunity to object to the transfer.

 

C.6. Instruction on the transfer of personal data to third countries

The data processor is hereby instructed to transfer personal data to the sub-data processors in the third countries, which appear from the list of locations in Appendix B.1.

In addition, when transferring personal data to insecure third countries, the data processor must ensure that there is a legal basis for the transfer, either by applying the EU Commission's standard contractual clauses (for the use of a data processor in an insecure third country) with the necessary additions under the Data Protection Regulation and this Agreement, or by another legal basis for transfer, in either case by further agreement with the data controller.

If the EU Commission's standard contracts are cancelled or declared invalid by the European Court of Justice or other relevant courts, the parties must cooperate in good faith to find other solutions to any transfers of personal data to third countries.

If the data controller does not in this Agreement or subsequently provide a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of the Agreement.

 

C.7. Procedures for the data controller's audit, including inspections, of the processing of personal data being performed by the data processor

The Data Processor shall at its own expense, obtain a management declaration from an independent third party subject to the usual confidentiality obligations regarding the Data Processor's compliance with the Data Protection Regulation, data protection provisions of other EU or national law and this Agreement.

There is agreement between the parties that the data processor must provide the following:

  • Management statements

Management statements are sent without undue delay to the data controller for information. The data controller may challenge the framework for and / or the method in the declaration and in such cases may request a new management declaration under another framework and / or using another method.

Based on the results of the declaration, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other EU law or the national law of the Member States and this Agreement.

In addition, the data controller or a representative of the data controller may carry out audits or inspections, including physical inspections, at the locations from which the data processor processes personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out when the data controller deems it necessary.

Any expenses of the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.

The data processor shall also provide authorities which, under EU law or the law of a Member State, have a right of access to the data controller's and the data processor's facilities, or representatives acting on behalf of such authorities, access to the data processor's physical facilities upon presentation of proper identification.

 

C.8. Procedures for audits, including inspections, of the processing of personal data being performed by sub-processors

The Data Processor shall, at the request of the Data Controller and at the Data Processor's own expense, obtain a management declaration from an independent third party, subject to the usual confidentiality obligations, regarding the sub-data processor's compliance with the Data Protection Regulation and other data protection provisions.

It is agreed between the parties that the data processor must provide the following:

  • Management statement

Management statement is sent without undue delay to the data controller for information. The data controller may challenge the framework and / or method of the declaration and may in such cases request a new statement of assurance under another framework and / or using another method.

Based on the results of the declaration, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other Union or national law and this Agreement.

In addition, the data processor or a representative of the data processor may carry out inspections, including physical inspections, at the locations from which the sub-data processor processes personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out when the data controller (or the data processor) deems it necessary.

Documentation for such inspections is sent without undue delay to the data controller for information. The data controller may challenge the framework and / or method of the inspection and in such cases may request the conduct of a new inspection under another framework and / or using another method.

Based on the results of the monitoring, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other Union or national law and this Agreement.

The data controller may, if deemed necessary, choose to initiate and participate in a physical inspection at the sub-data processor. This may become relevant if the data controller considers that the data processor's inspection at the sub-data processor has not provided the data controller with sufficient assurance that the sub-data processor's processing is in accordance with the Data Protection Regulation, other EU or national data protection provisions and this Agreement.

Any participation of the data controller in an inspection by the sub-processor does not alter the fact that the processor still has full responsibility for the sub-processor's compliance with the Data Protection Regulation, data protection provisions of other EU law or Member States' national law and this Agreement.

Any costs incurred by the data processor and the sub-data processor in connection with a physical inspection of the sub-data processor's locations initiated by the data controller are to be covered by the data controller.

 

C.9. General documentation to the data controller

The data processor is obliged, upon written request, to submit the following general documentation to the data controller:

  1. A statement by the data processor's management that the data processor, during its processing of personal data on behalf of the data controller, continuously ensures compliance with its obligations under this Agreement.
  2. A description of the practical measures, including both technical and organizational measures, that the data processor has implemented to ensure compliance with its obligations under the Agreement. The description may, for example, cover the established and implemented management systems for information security and for the processing of personal data, as well as other implemented measures. As part of this, the data processor is also obliged to participate in follow-up meetings with the data controller in this regard.
  3. A description of the control measures that the data processor has initiated and implemented to measure and control the impact of the established management system for information security and for the processing of personal data as well as performance measurements therefrom.

The general documentation must be handed out no later than five (5) working days after the data controller has submitted his written request to the data processor, unless otherwise specifically agreed. The data processor's preparation of documentation takes place at the data processor's own expense.

The data processor must, in accordance with the personal data law applicable at any time, keep a record of the processing of personal data performed for the data controller. The record must be made available to the data controller or any relevant supervisory authority within a reasonable time upon request. As part of this, the data processor shall provide the data controller with information on the general technical and organizational security measures applied for the protection of personal data.

Legally responsible

Kevin Rebsdorf

+45 22282321

kevin@companyoung.com