
Data Processor Agreement (DPA)

Effective date: 01-01-2023

This Data Processing Agreement ("DPA") between Talenthub.io ("Processor") and you ("Controller") sets forth the terms governing the processing of Personal Data under the Talenthub.io Standard Terms and Conditions (the "T&C's"). This DPA is in addition to the T&C's and is effective upon its incorporation into the T&C's, which may be specified in an Order Form or an executed amendment to the T&C's. Once incorporated into the T&C's, the DPA will become part of the T&C's.

In all cases, the Processor or a third party acting on behalf of the Processor acts as the processor of Personal Data, and the Controller remains the controller of Personal Data. The term of this DPA shall follow the term of the T&C's, and any terms not defined herein shall have the meaning set forth in the T&C's.

Hereinafter, the Processor and the Controller are individually referred to as a "party" and collectively referred to as "the parties."

The parties have agreed to this Data Processing Agreement (the "DPA") to comply with the requirements of the General Data Protection Regulation (GDPR) and to ensure the protection of the rights of data subjects.


  1. Content
    2.  Preamble
    3.  The rights and obligations of the data controller
    4.  The data processor acts according to instructions
    5.  Confidentiality
    6.  Security of processing
    7.  Use of sub-processors
    8.  Transfer of data to third countries or international organisations
    9.  Assistance to the data controller
    10. Notification of personal data breach
    11. Erasure and return of data
    12. Audit and inspections
    13. The parties' agreement on other terms
    14. Remuneration and costs
    15. Liability and limitations of liability
    16. Other provisions
    17. Effective date and termination

    Appendix A - Information about the processing
    Appendix B - Authorised sub-processors
    Appendix C - Instructions pertaining to the use of personal data


  2. Preamble
    1. These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller.
    2. The Clauses have been designed to ensure the parties' compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
    3. "Personal information" means any kind of information about an identified or identifiable natural person, cf. General Data Protection Regulation Article 4(1). If, as part of the fulfilment of the Main Agreement, confidential information other than personal data is processed, e.g. information which is deemed confidential pursuant to the Financial Business Act, any reference to "personal information" also includes this other confidential information.
    4. In connection with the provision of certain services from the data processor to the data controller, as described in more detail in the parties' Main Agreement and Appendix A to this agreement (the "Main Services"), the data processor processes personal data on behalf of the data controller in accordance with this Agreement.
    5. The Agreement takes precedence over any similar provisions in other agreements between the parties unless otherwise follows directly from the Agreement, or more far-reaching obligations are stipulated for the data processor in the Main Agreement. If additional obligations have been laid down for the data processor by another agreement between the parties, for example by standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, then these additional obligations apply in addition to the Agreement.
    6. If one or more of the provisions of the Agreement is/are not enforceable, illegal or invalid, they shall be replaced by fair negotiation or interpretation with provisions which, as far as possible, place the parties as if the provisions in question were valid and enforceable. If this is not possible, the clause in question or part thereof shall not be construed as part of the Agreement. The other provisions of the Agreement remain in force.
    7. There are three (3) annexes to this Agreement, and the annexes form an integral part of the Agreement.
    8. Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
    9. Appendix B contains the data controller's conditions for the data processor's use of sub-data processors and a list of sub-data processors that the data controller has approved the use of.
    10. Appendix C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-data processors are supervised.
    11. The Agreement and its annexes must be kept in writing, including electronically, by both parties.
    12. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.

  3. The rights and obligations of the data controller
    1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Clauses (references to "Member States" made throughout the Clauses shall be understood as references to "EEA Member States").
    2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
    3. The data controller shall be responsible, among others, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

  4. The data processor acts according to instructions
    1. The data processor shall process personal data only on documented instructions from the data controller unless required to do so by EU law or Member State law to which the processor is subject.
    2. These instructions must be specified in Appendices A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions must always be documented and stored in writing, including electronically, together with this Agreement.
    3. The data processor may, to the extent not otherwise provided in the Agreement, use all relevant technical and organisational aids, including IT systems, which meet the requirements set out in this Agreement.
    4. The processor shall immediately notify and inform the controller in writing if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.
    5. The data processor may not condition the full and unlimited compliance with the data controller's instructions on the data controller's prepayment or payment of outstanding invoices, etc., and the data processor has no right of retention in the personal data.
    6. The data controller has instructed the data processor that personal data may only be processed by the sub-processors listed in Annex B from the locations listed in the Annex. The data controller guarantees that personal data is encrypted during transport and storage and that the decryption key is with the data processor (and not the sub-data processors). The data processor also confirms that the data processor's sub-processors have a fixed procedure for inquiries from authorities, which includes that the sub-processors strongly challenge inquiries in the courts.
    7. The data processor shall indemnify the data controller for any claim that may arise as a result of the data processor or its sub-data processors acting outside the data controller's instructions.

  5. Confidentiality
    1. The data processor must keep the personal information confidential. The regulation of confidentiality in the Main Agreement also applies to this Agreement. To the extent that there is a discrepancy between the Main Agreement and this Agreement, the agreement that provides the widest possible protection of information and confidentiality shall take precedence. The confidentiality obligation in the Main Agreement does not apply in the event of a breach of personal data security.
    2. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's instructional powers, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary, including under the rules of the Financial Business Act applicable at any time. In the processing of confidential information from the data controller, the data processor and its employees are subject to a criminal duty of confidentiality, cf. sections 117 et seq. and section 373 of the Danish Financial Business Act. The list of persons who have been granted access must be reviewed on an ongoing basis. On the basis of this review, access to personal data must be closed if access is no longer necessary, and the personal data must no longer be available to these persons.
    3. The data processor must, at the request of the data controller, be able to demonstrate that the persons in question, who are subject to the data processor's powers of instruction, are subject to the above-mentioned duty of confidentiality.
    4. If the data processor is a legal person, this Agreement applies to any person who is subject to the data processor's instructional powers, and the data processor guarantees that these persons, who have access to the personal data, comply with the Agreement.
    5. The data processor's obligations under this section 5 exist without a time limit, regardless of whether the parties' cooperation has otherwise ceased.

  6. Security of processing
    1. Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to these risks.
    2. The data controller shall assess the risks to the rights and freedoms of natural persons presented by the processing and implement measures to address these risks. Depending on their relevance, these may include:
      1. pseudonymisation and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a procedure for regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of the processing.
    3. According to Article 32 GDPR, the data processor shall also, independently from the data controller, evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
    4. In addition, the data processor shall assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation by, inter alia, providing the data controller with the necessary information regarding the technical and organisational security measures already implemented by the data controller in accordance with Article 32 of the Regulation and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.
    5. If the response to the identified risks, in the opinion of the data controller, requires the implementation of additional measures beyond those already implemented by the data processor, the data controller shall indicate the additional measures to be implemented in Annex C and in the Main Agreement.

  7. Use of sub-processors
    1. The data processor must meet the conditions set out in Article 28(2) and (4) of the Data Protection Regulation in order to make use of another data processor (a sub-data processor).
    2. The data processor may thus not make use of a sub-data processor to fulfil this Agreement without prior general written approval from the data controller.
    3. The data processor has the data controller's general approval for the use of sub-data processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-data processors with at least 30 days' notice and thereby give the data controller the opportunity to object to such changes before using the sub-data processor(s) in question. If the data controller's acceptance of the sub-data processor cannot be obtained and the data processor continues to use the sub-data processor, the data controller is entitled to terminate this Agreement and the parts of the Main Agreement which involve the data processor's processing of personal data on behalf of the data controller, or the Main Agreement in its entirety, if the services under the Main Agreement cannot be separated or the remaining services do not have an independent value for the data controller. Upon cessation of the use of a sub-data processor, the data processor must give the data controller written notice thereof. A longer notification period in connection with specific processing activities can be specified in Appendix B. The list of sub-processors that the data controller has already approved is shown in Appendix B.
    4. When the data processor uses a sub-data processor in connection with the performance of specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-data processor the same data protection obligations as those set out in this Agreement, which in particular provide the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements of this Agreement and the Data Protection Regulation.
    5. The data processor is therefore responsible for requiring the sub-data processor to at least comply with the data processor's obligations under this Agreement and the Data Protection Regulation.
    6. Prior to the data processor's notification pursuant to section 7.2, the data processor must have carried out an appropriate pre-audit (preliminary investigation) of the sub-processor's security level in accordance with Article 28(1) of the Data Protection Regulation.
    7. The sub-data processor also acts solely on instructions from the data controller. All communication with the sub-data processor is handled by the data processor unless otherwise agreed. Any changed or specified instructions from the data controller must be passed on immediately by the data processor to the sub-data processor.
    8. Sub-data processor agreement(s) and any subsequent amendments thereto are sent, at the request of the data controller, in copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations under this Agreement are imposed on the sub-data processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement shall not be sent to the data controller. In addition, the data processor must, upon request, provide documentation for the sub-data processors' fulfilment of their data protection obligations and the data processor's ongoing control thereof, etc.
    9. In its agreement with the sub-processor, the data processor shall, as far as possible, include the data controller as a third-party beneficiary in the event of the data processor's bankruptcy, so that the data controller can step into the data processor's rights and enforce them against sub-processors, e.g. enabling the data controller to instruct the sub-data processor to delete or return the personal data.
    10. If the sub-data processor does not fulfil its data protection obligations, the data processor remains fully liable to the data controller for the fulfilment of the sub-data processor's obligations. This does not affect the rights of data subjects under the Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.

  8. Transfer of data to third countries and international organisations
    1. Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.
    2. Where transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
    3. Without documented instructions from the data controller or requirements under EU law or the national law of the Member State to which the data processor is subject, the data processor may not, within the framework of this Agreement:
      1. transfer personal data to a controller or processor in a third country or an international organisation;
      2. entrust the processing of personal data to a sub-processor in a third country;
      3. process the personal data in a third country.
    4. The data controller's instructions regarding the transfer of personal data to a third country, including any basis for transfer in Chapter V of the Data Protection Regulation on which the transfer is based, shall be set out in Annex C.6.
    5. This Agreement shall not be confused with standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, and this Agreement may not constitute a basis for the transfer of personal data within the meaning of Chapter V of the Data Protection Regulation.
    6. If the data controller in Annex C.6 has instructed the data processor to transfer personal data to a third country, it is the data controller's responsibility to ensure that the basis of transfer described, e.g. standard contractual provisions within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, has been concluded between the relevant parties.

  9. Assistance to the data controller
    1. Taking into account the nature of the processing, the data processor shall assist the data controller as far as possible by appropriate technical and organisational measures in complying with the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.
    2. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller's compliance with:
      1. the right to be informed when collecting personal data from the data subject;
      2. the right to be informed when personal data have not been obtained from the data subject;
      3. the right of access by the data subject;
      4. the right to rectification;
      5. the right to erasure ('the right to be forgotten');
      6. the right to restriction of processing;
      7. the notification obligation regarding rectification or erasure of personal data or restriction of processing;
      8. the right to data portability;
      9. the right to object;
      10. the right not to be subject to a decision based solely on automated processing, including profiling.
    3. In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3, the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
      1. the data controller's obligation to report a breach of personal data security to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, if possible, within 72 hours after having become aware of it, unless it is unlikely that the breach of personal data security involves a risk to the rights or freedoms of natural persons;
      2. the data controller's obligation to notify the data subject of a breach of personal data security without undue delay, when the breach is likely to entail a high risk to the rights and freedoms of natural persons;
      3. the data controller's obligation to carry out an analysis of the consequences of the proposed processing activities for the protection of personal data prior to the processing (an impact assessment);
      4. the data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if an impact assessment concerning data protection shows that the processing will lead to a high risk in the absence of measures taken by the data controller to limit the risk.
    4. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clauses 9.1 and 9.2.
    5. The data processor shall, without undue delay upon receipt of a request directly from the data subject or from a third party relating to Chapter III of the Data Protection Regulation, inform the data controller in writing.
    6. The data processor shall comply with the obligations set forth in this Agreement without additional consideration from or costs to the data controller, unless otherwise specifically stated in the Agreement.
    7. The data processor is not entitled to payment from the data controller for handling access requests or objections from data subjects, or for deleting data in the system, where this results from the data processor having set up the system in such a way that the data controller cannot, or only with great inconvenience can, handle requests from data subjects or delete data on its own.

  10. Notification of personal data breach
    1. The data processor shall inform the data controller without undue delay after becoming aware that there has been a breach of personal data security.
    2. The data processor's notification to the data controller must be made to example@example.com without undue delay and no later than 36 hours after it has become aware of the breach, so that the data controller can comply with its obligation to report the breach of personal data security to the competent supervisory authority in accordance with Article 33 of the Data Protection Regulation.
    3. In accordance with clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33(3) must appear in the data controller's notification of the breach to the competent supervisory authority:
      1. the nature of the breach of personal data security, including, if possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
      2. the likely consequences of the breach of personal data security;
      3. the measures taken or proposed by the data controller to deal with the breach of personal data security, including, where appropriate, measures to limit its potentially harmful effects.
    4. The data processor must keep and maintain a record of all security breaches. The record must be made available to the data controller or the supervisory authorities upon written request.
    5. The parties shall set out in Annex C the information that the data processor must provide in connection with its assistance to the data controller in the data controller's obligation to report breaches of personal data security to the competent supervisory authority.

  11. Erasure and return of data
    1. Upon termination of the personal data processing services, the data processor and its sub-processors are obliged to return all personal data that has been processed on behalf of the data controller in a structured, commonly used and machine-readable format and to confirm to the data controller that all personal data are subsequently deleted at the end of the Agreement, unless EU law or the national law of the Member States provides for the longer storage of the personal data by the data processor.
    2. The data processor may continue to process the personal data for up to three (3) months after the termination of the Agreement, to the extent that this is necessary to take the necessary statutory measures. During the same period, the data processor is entitled to have the personal data included in the data processor's usual backup procedure. The data processor's processing during this period is still considered to take place in compliance with the instructions and the other requirements in the Agreement.
    3. Notwithstanding the above points, the Agreement and the provisions in the Main Agreement which deal with the processing of personal data apply as long as the data processor processes the data controller's personal data, regardless of whether the Agreement and the Main Agreement have been formally terminated.
    4. The data processor must, at the request of the data controller, provide the necessary documentation that the return and/or deletion has taken place in accordance with the deletion instructions from the data controller. The data controller may request that the data processor obtain an audit statement from an external auditor that the personal data has been returned and/or deleted from the data processor and its possible sub-data processors. The costs of the external auditor are borne by the data controller.

  12. Audit and inspections
    1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for audits, including inspections, conducted by the data controller or another auditor mandated by and paid by the data controller.
    2. Procedures applicable to the data controller's audits, including inspections, of the data processor and sub-processors are specified in appendices C.7 and C.8.
    3. The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller's and data processor's facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor's physical facilities on presentation of appropriate identification.

  13. The parties' agreement on other terms
    1. The parties may agree on other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses in the Agreement or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

  14. Remuneration
    1. The parties are only entitled to payment for the fulfilment of this Agreement where this is specifically stated herein.
    2. Notwithstanding the above, a party is not entitled to payment for assistance in investigating or implementing changes, etc., to the extent that such assistance or modification is a direct consequence of the breach of this Agreement or data protection law by that party.

  15. Liability and limitations of liability
    1. The parties are liable in accordance with the general rules of applicable law, subject to the limitations set forth in this clause 15.
    2. The parties' maximum liability for all accumulated claims in accordance with this Agreement follows from the parties' Main Agreement.
    3. Notwithstanding clause 15.2, the following are not covered by the limitation of liability in this clause 15:
      1. loss because of gross negligence or wilful misconduct by the other party;
      2. expenditure and resource consumption in fulfilling a party's obligations to a supervisory authority or the data subject, or costs of investigations (e.g. in the event of a security breach), compensation, tort and other compensation to data subjects, as well as administrative fines imposed by a supervisory authority and fines adjudicated by the courts, to the extent that they are caused by the other party's breach of data protection law or of this Agreement.

  16. Other provisions
    1. The provisions of the Main Agreement, including but not limited to provisions on breach, force majeure and dispute resolution, shall also apply to this Agreement, unless otherwise specifically provided in this Agreement.
    2. Except where an express time frame is specified in this Agreement, no Party's delay or failure to exercise a right, power or the like will be prejudicial to, or deemed a waiver of, the right, power or the like that it has under the Agreement.
    3. A Party's waiver of any right or of any breach of this Agreement shall not be construed as a waiver of other rights or as acceptance of any other or subsequent breach, and shall be made in writing.

  17. Effective date and termination
    1. The Agreement shall take effect on the date of signature by both Parties. The Agreement is valid until either (a) the Main Agreement terminates or (b) the Agreement is terminated, cf. clauses 17.3-17.4.
    2. Either party may demand that the Agreement be renegotiated if changes in the law or deficiencies in the Agreement give reason to do so.
    3. The Agreement is valid for as long as the service concerning the processing of personal data lasts. During this period, the Agreement may not be terminated unless other provisions governing the provision of the personal data processing service are agreed upon between the parties.
    4. If the provision of the personal data processing services ceases and the personal data has been deleted or returned to the data controller in accordance with clause 11.1 and Appendix C.4, the Agreement may be terminated by either party with written notice in accordance with the Main Agreement's provisions on termination and revocation.
    5. Notwithstanding the termination of the Agreement, those provisions of the Agreement which, according to their content, are intended to regulate the Parties' rights and obligations after the termination of the Agreement shall continue to have effect.





    Appendix A - Information about the processing

A.1. Main service

The data controller and the data processor have entered into an agreement for the delivery of:

A survey tool to measure and analyse candidate feedback in order to optimise the overall candidate experience. The solution analyses feedback from candidates throughout the recruitment process. Completion is optional for the candidate, and the responses may contain personal information depending on what the candidate enters in the evaluation. The candidate answers questions related to the recruitment process using, for example, a 5- or 10-point scale, and may also add comments in a free-text field. The feedback can be accessed by the data controller via the data processor's platform and is owned exclusively by the data controller.

A.2. Information about the processing

 

The purpose of the data processor's processing of personal data on behalf of the data controller: The Collaboration Agreement, including its Appendices, regulates the rights and obligations of the parties in connection with the data processor making a platform available to the data controller. As part of this collaboration, the data processor hosts the Talenthub platform on behalf of the data controller and assists the data controller in collecting, measuring, and analysing candidate feedback collected via the Talenthub Feedback module.

The nature of the data processor's processing of personal data on behalf of the data controller: The data processor hosts the Talenthub platform on behalf of the data controller and assists the data controller in collecting, measuring, and analysing candidate feedback. In addition, the data processor makes the data and the analysis available to the data controller via the platform.

In editable fields where candidates can write free text, Talenthub has implemented a bot that scans for text that may contain personal information. If the bot finds such text, for example email addresses or phone numbers, it is anonymised by replacing the information with xxxx so that it cannot be used to identify a person.

The processing includes the following types of personal information about the data subjects: General personal information, including answers (feedback) from candidates, any information related to the candidate's experiences (which may make it possible to identify the applicant in question), feedback related to the recruitment process, identification information in the form of names and email addresses of employees of the data controller, and logging of the behaviour of the data controller's employees on the platform.

The processing includes the following categories of data subjects (registered, identified, or identifiable natural persons covered by the Agreement or the processing activity):
       Job applicants to the data controller
       Employees of the data controller

The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The processing has the following duration: The processing may take place until the termination of this Agreement, cf., however, sections 11 and 17.

 

 

Appendix B - Authorised sub-processors

 B.1. Approved sub-processors

On commencement of the Agreement and the Clauses, the data controller authorises the engagement of the following sub-processors:

 

NAME: Amazon Web Services EMEA SARL
ADDRESS: 38 Avenue John F. Kennedy, L-1855 Luxembourg
DESCRIPTION OF PROCESSING: Amazon Web Services hosts the platform that the data processor makes available to the data controller.
LOCATION(S) FOR PROCESSING: Frankfurt, Germany

NAME: Google Cloud EMEA
ADDRESS: 70 Sir John Rogerson's Quay, Dublin 2, Ireland
DESCRIPTION OF PROCESSING: Processes the data processor's Google Suite. The processing takes place in several locations, which hold duplicates of the same data.
LOCATION(S) FOR PROCESSING: Dublin, Ireland; St. Ghislain, Belgium; Eemshaven, the Netherlands; Hamina, Finland

The data controller shall, on the commencement of the Clauses, authorise the use of the abovementioned sub-processors for the processing described for each of them. The data processor shall not be entitled, without the data controller's explicit written authorisation, cf. clause 7, to engage a sub-processor for a different processing than the one agreed upon, or to have another sub-processor perform the described processing. In addition, the data processor may not, without observing clause 7, process the personal data at locations other than those agreed above.

 

 B.2. Prior notice for the authorisation of sub-processors

The data processor must notify the data controller in writing of the replacement or addition of sub-processors no later than 30 days prior to commissioning, so that the data controller has the opportunity to object to the sub-processor or change in question, cf. clause 7.2.

 

 

Appendix C - Instructions pertaining the use of personal data

C.1 The subject of instructions for the processing

The data processor’s processing of personal data on behalf of the data controller is described in Appendix A – Information about the processing.

 

C.2. Security of processing

The service is a cloud solution that processes a limited amount of ordinary (non-special-category) personal data about job applicants.

The data processor is then entitled and obliged to make decisions about which technical and organisational security measures must be implemented in order to establish the necessary (and agreed) security level.

However, the data processor must - in any case and as a minimum - implement the following measures, which have been agreed with the data controller:

1.1 Information security policy
The data processor must ensure that there is a management-approved information security policy.

1.2 Organisation of information security
The data processor must ensure that there is a focus on information security in its own organisation with a defined division of roles and responsibilities.

In addition, the data processor's access to the data controller's personal data must be secured through contracts, confidentiality declarations and separation of duties, in order to minimise errors and misuse of data.

The data processor must have a process for IT project management that defines roles and responsibilities and requires a documented project risk assessment.

The data processor shall implement a policy and supporting security measures to manage the risks arising from the use of mobile equipment.

The data processor must implement a policy and supporting security measures to protect information that is accessible and processed or stored in remote workstations.

1.3 Employee responsibility
The data processor must have established a process so that employees and consultants know their responsibilities in relation to information security.

The data processor must ensure that its employees and external consultants, through education and training, are made aware of information security and are regularly kept up to date with the organisation's policies and procedures throughout the duration of the employment relationship.

1.4 Asset management
The data processor must maintain an inventory of IT assets that records the owner of each asset.

1.5 Access control
The data processor must have a documented access control process and ensure that access is granted solely on the basis of a work-related need.

The data processor must have established procedures for granting, revoking and regularly reviewing allocated access rights, based on the principle of work-related need and on the agreed separation of duties.

The data processor must limit and control the allocation and use of privileged access rights as well as ensure ongoing control. The principle of least privilege must be applied.

The data processor must have secure log-on procedures to minimise the opportunities for unauthorised access to systems and applications.

1.6 Cryptography
The data processor must ensure encryption using current, state-of-the-art algorithms and key lengths for communication over open networks and between systems, and ensure that key management follows a documented process.

The data processor must have a policy for the use of cryptography for the protection of information. The data processor must also ensure that the policy for the use of cryptography supports the current risk assessment.

The data processor must ensure that a policy of use, protection and lifetime of encryption keys is implemented throughout the life cycle of an encryption key. The policy must be in accordance with the applicable risk assessment.

1.7 Physical protection and environmental protection
The data processor must plan and establish physical protection of the data processor's physical locations and any data centres against natural disasters, malicious attacks or accidents.

The data processor must ensure protection against unauthorised access to the data processor's physical locations and any data centres through an access control process. The data processor must ensure a regular review of physical access rights.

1.8 Operations security
The data processor must ensure that operating procedures are documented and maintained. As a minimum, the following procedures must be included:
   malware protection
   backup
   logging and monitoring
   management of operating software
   vulnerability management

1.9 Communication security
The data processor must ensure that networks are managed and controlled to protect information. The data processor must ensure that the data controller's personal data, whether communicated internally or externally, are handled in accordance with legal, ethical and business requirements throughout the lifetime of the information. In addition, access to the network must be protected.

2.0 Procurement, development, and maintenance of systems
The data processor must ensure that security requirements for development are assessed and integrated into the solutions.

2.1 Changes in systems
The data processor must ensure that changes in IT systems follow a documented change process with relevant approvals and tests.

The data processor must ensure that development, test and operating systems are kept separate, and that capacity and performance are monitored and controlled.

2.2 Supplier relations
The data processor must impose on sub-processors and other subcontractors at least the same security requirements that apply to the data processor, and must ensure compliance with these through regular follow-up.

2.3 Management of information security breaches
The data processor must record and risk-assess information security incidents and report them to the data controller without undue delay. The data processor shall establish procedures for the collection of evidence in the event of information security incidents.

2.4 Information security aspects of emergency, contingency, and re-establishment management
The data processor must have prepared contingency plans that define how systems or services are properly re-established as well as an established process for communication to the data controller. The contingency plans must be tested annually or in the event of major changes.

 

C.3. Assistance to the data controller

The Data Processor shall, as far as possible and within the scope and extent set out above, assist the Data Controller in accordance with clauses 9.1 and 9.2 by implementing the technical and organisational measures described in C.2.

 

C.4. Storage and period / erasure process

The data processor must delete personal data in accordance with current, documented instructions from the data controller and in accordance with clause 11 of this Agreement. In addition, the following specific minimum requirements are set for the Data Processor's deletion of personal data:

Specific instructions to delete

The data processor uses a scanning program to scan the evaluations from, for example, job candidates in order to ensure that the answers to evaluations contain no personal information. Any personal data found is replaced by "***".

The data processor does not store evaluations from job candidates until the scanner has removed any personal information.
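As an added illustration of the free-text scanning described in Appendix A.2 and in this section, the following Python redactor replaces email addresses and phone numbers in free-text answers with a placeholder and leaves scale answers untouched. This is example code written for this edit, not Talenthub's own scanner, whose implementation the DPA does not disclose. The regular expressions, the digit thresholds, the date exclusion and the sample evaluation are assumptions made for the example; the DPA gives the placeholder as xxxx in A.2 and as *** in C.4, so it is a parameter here.

```python
import re
from dataclasses import dataclass

# Patterns and thresholds below are assumptions for this example, not Talenthub's scanner.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A candidate phone number: optional '+', then digits that may be separated by
# spaces, dots, dashes or parentheses, not glued to a word or an '@' on either side.
PHONE_CANDIDATE_RE = re.compile(r"(?<![\w@])\+?\d(?:[\d\s().-]*\d)?(?![\w@])")
# Dates such as 12-01-2023 also contain eight digits; they are not phone numbers.
DATE_RE = re.compile(r"\d{1,4}[-./]\d{1,2}[-./]\d{1,4}")

MIN_PHONE_DIGITS = 8   # assumption: shortest national number format we care about
MAX_PHONE_DIGITS = 15  # E.164 upper bound


@dataclass
class RedactionResult:
    text: str
    emails: int = 0
    phones: int = 0


def _looks_like_phone(candidate: str) -> bool:
    """Accept a digit run as a phone number only if its digit count is plausible
    and it is not simply a date."""
    digits = sum(ch.isdigit() for ch in candidate)
    if not MIN_PHONE_DIGITS <= digits <= MAX_PHONE_DIGITS:
        return False
    return DATE_RE.fullmatch(candidate.strip()) is None


def redact_free_text(text: str, placeholder: str = "xxxx") -> RedactionResult:
    """Replace email addresses and phone numbers in a free-text answer with the
    placeholder. Emails are replaced first so their digits never feed the phone pass."""
    result = RedactionResult(text="")

    def _email_sub(match):
        result.emails += 1
        return placeholder

    def _phone_sub(match):
        if not _looks_like_phone(match.group(0)):
            return match.group(0)  # scale answers like "10" or a bare date stay as written
        result.phones += 1
        return placeholder

    without_emails = EMAIL_RE.sub(_email_sub, text)
    result.text = PHONE_CANDIDATE_RE.sub(_phone_sub, without_emails)
    return result


def scan_evaluation(evaluation: dict, free_text_fields=("comment",), placeholder: str = "xxxx") -> dict:
    """Return a copy of a candidate evaluation in which only the free-text fields
    have been scanned; scale answers and other structured fields pass through as-is."""
    cleaned = dict(evaluation)
    for name in free_text_fields:
        value = cleaned.get(name)
        if isinstance(value, str):
            cleaned[name] = redact_free_text(value, placeholder).text
    return cleaned


if __name__ == "__main__":
    # Constructed sample evaluation, not real candidate data.
    sample = {
        "overall_rating": 4,
        "recruiter_rating": 10,
        "comment": ("Great process. Call me on +45 12 34 56 78 or mail "
                    "jane.doe@example.com. Interview was 12-01-2023."),
    }
    print(scan_evaluation(sample))
```

Pattern-based scanning only catches structured identifiers. A candidate who writes their own name, names an interviewer, or describes a situation only they experienced remains identifiable, which is why Appendix A.2 still classes the feedback as potentially identifying personal data. The digit thresholds also produce false positives on long digit sequences that are not phone numbers (order or case numbers, for instance) and miss locally formatted numbers shorter than eight digits, so they need tuning per locale.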

Upon termination of the personal data processing service, the data processor shall either delete or return the personal data in accordance with clause 11.1, unless the data controller has, after the signing of this Agreement, changed its original choice. Such changes must be documented and stored in writing, including electronically, together with this Agreement.

General instructions to delete

In the event of deletion or request for deletion, the personal data in question must be irrevocably removed from all storage media on which they have been stored, so that personal data cannot be recovered, including with any sub-processors in accordance with section 11.1. This applies regardless of whether it is the data controller or the data processor who is responsible for the deletion.

Any personal data in the possession of the data processor on behalf of the data controller must be continuously reviewed, assessed, and deleted to the extent that:
    a)   the personal data are no longer necessary for the purpose for which they are processed or have been collected, and their storage or processing is not required under mandatory EU law or the national law of a Member State to which the Data Processor or Data Controller is subject;
    b)   the storage of the personal data would in any other way be contrary to the Regulation, EU law or Danish law; or
    c)   the legal basis for the processing or collection of the personal data under the Regulation ceases.

Notwithstanding this Agreement or the provisions of the Main Agreement, the data processor shall delete personal data in its possession which the data controller has been ordered to delete by the Danish Data Protection Agency or another competent supervisory authority.

In connection with the ongoing deletion, and at least once a year, the data processor must check, and produce the necessary documentation, that deletion has taken place in accordance with this Agreement. The data processor shall provide this documentation to the data controller in accordance with clause 11.

 

C.5. Processing location

The processing and storage of the personal data covered by the Agreement may not take place without observance of clause 7 at locations other than the following:

Skelbækgade 4, 4. tv., 1717 Copenhagen V, Denmark

In addition, reference is made to the listing under Appendix B.1 above.

The data processor is obliged to inform the data controller in writing of changes in the locations for the data processor's processing of personal data with at least one month's written notice, and, in the case of transfer to insecure third countries, with at least two months' written notice, thereby giving the data controller the opportunity to object to the transfer.

 

C.6. Instructions on the transfer of personal data to third countries

The data processor is hereby instructed to transfer personal data to the sub-processors in third countries that appear in the list of locations in Appendix B.1.

In addition, when transferring personal data to insecure third countries, the data processor must ensure that there is a legal basis for the transfer by applying the EU Commission's standard contractual clauses (for the use of a data processor in an insecure third country) with the necessary additions under the Data Protection Regulation and this Agreement.

If the EU Commission's standard contracts are cancelled or declared invalid by the European Court of Justice or other relevant courts, the Parties must cooperate in good faith to find other solutions to any transfers of personal data to third countries.

If the data controller does not in this Agreement or subsequently provide a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of the Agreement.

 

C.7. Procedures for the data controller's audit, including inspections, of the processing of personal data being performed by the data processor

Upon request, the Data Processor shall provide a management declaration/statement subject to the usual confidentiality obligations regarding the Data Processor's compliance with the Data Protection Regulation, data protection provisions of other EU or national laws and this Agreement.

There is an agreement between the parties that the data processor must provide the following:
   - Management statements

Management statements are sent without undue delay to the data controller for information. The data controller may challenge the framework for and/or the method in the declaration and in such cases may request a new management declaration under another framework and/or using another method.

Based on the results of the declaration, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other EU laws or the national law of the Member States and this Agreement.

In addition, the data controller or a representative of the data controller has access to carry out audits or inspections, including physical inspections, at the locations from which the data processor processes personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out when the data controller deems it necessary.

Any expenses of the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor shall allocate the resources (mainly time) necessary for the data controller to carry out its inspection.

The data processor shall also provide authorities which, under EU law or the law of a Member State, have access to the data controller's and data processor's facilities, or representatives acting on behalf of such authorities, with access to the data processor's physical facilities upon presentation of proper identification.

 

C.8. Procedures for audit, including inspections, of the processing of personal data being performed by sub-processors

The Data Processor shall, at the request of the Data Controller, provide a management declaration/statement, subject to the usual confidentiality obligations, regarding the sub-processors' compliance with the Data Protection Regulation and other data protection provisions.

It is agreed between the parties that the data processor must provide the following:
   - Management statement

Management statement is sent without undue delay to the data controller for information. The data controller may challenge the framework and/or method of the declaration and may in such cases request a new statement of assurance under another framework and/or using another method.

Based on the results of the declaration, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other Union or national laws and this Agreement.
In addition, the data processor or a representative of the data processor shall have access to carry out inspections, including physical inspections, at the locations from which the sub-processor processes personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out when the data processor (or the data controller) deems it necessary.

Documentation for such inspections shall without undue delay be sent to the data controller for information. The data controller may challenge the framework and/or method of the inspection and in such cases may request the conduct of a new inspection under another framework and/or using another method.

Based on the results of the monitoring, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other Union or national laws and this Agreement.

The data controller may, if deemed necessary, choose to initiate and participate in a physical inspection of the sub-processor. This may become relevant if the data controller considers that the data processor's inspection of the sub-processor has not provided the data controller with sufficient assurance that the sub-processor's processing complies with the Data Protection Regulation, other EU or national data protection provisions and this Agreement.

Any participation of the data controller in an inspection of the sub-processor does not alter the fact that the data processor retains full responsibility for the sub-processor's compliance with the Data Protection Regulation, data protection provisions of other EU law or Member States' national law, and this Agreement.

Any costs incurred by the data processor and the sub-processor in connection with a physical inspection of the sub-processor's locations initiated by the data controller are to be covered by the data controller.