DATA PROCESSING AGREEMENT FOR SERVICE PROVIDERS
THIS AGREEMENT is BETWEEN:
1. Datalive Ltd trading as Allsorter, a company incorporated under the laws of Ireland, with Registration Number 54124 and having its registered office at Westmoreland House, Westmoreland Park Ranelagh, Dublin 6, Dublin, Ireland (“Service Provider” or “Allsorter”); and
2. Company supplying to, __________________________________ (“Customer”).
each a “Party” and together the “Parties”. The agreement is effective as of the later of the dates beneath the parties’ signatures below (the “Effective Date”).
A. The Customer has engaged Allsorter to Process the Relevant Personal Data (as defined below) under the terms of a Master Services Agreement dated (insert date here) and executed by the Parties (the “MSA”) for the provision of effective CV automation software solutions (the “Services”).
B. Customer will use the Services under the terms of the MSA for the purposes of HR solutions.
C. This Agreement sets out the obligations of the Parties with respect to the Processing of the Relevant Personal Data.
1. Definitions and Interpretation
1.1 In this Agreement, unless the context otherwise requires:
“Agreement” means this data processing agreement.
“Controller” has the meaning given to it in the Data Protection Laws.
“Data Protection Authority” means a Supervisory Authority, as that term is defined in the Data Protection Laws.
“Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR.
“Data Protection Laws” means all applicable legislation relating to data protection and privacy, including the EU GDPR and related applicable data protection and privacy laws of the EEA member states and/or the UK GDPR and related applicable data protection laws of the United Kingdom, as the case may be, each as amended, repealed, consolidated or replaced from time to time, and any applicable guidance, rules, requirements and directions issued by a data protection authority in respect of such legislation.
“Data Subject” has the meaning given to it in the Data Protection Laws.
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time.
“GDPR” means the EU GDPR or the UK GDPR, whichever is relevant.
“Personal Data” has the meaning given to it in the Data Protection Laws.
“Personal Data Breach” has the meaning given to it in the Data Protection Laws.
“Personnel” means any current, former or prospective employee, consultant, temporary contractor, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.
“Process”, “Processing” or “Processed” each have the meanings given to them in the Data Protection Laws.
“Processor” has the meaning given to it in the Data Protection Laws.
“Relevant Personal Data” means the categories of Personal Data that are set out in Schedule 1 and that are Processed under, or in connection with, the provision of the Services.
“Subprocessor” means any party engaged by Service Provider to Process Relevant Personal Data. The Subprocessors approved as at the commencement of this Agreement are as set out in Schedule 1.
“Term” has the meaning given in the [MSA].
“UK GDPR” means the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2. Subject Matter and Scope
2.1 This Agreement applies only to the Processing of Relevant Personal Data.
2.2 The purpose of this Agreement is to help ensure adequate protection of Relevant Personal Data as may be processed by Service Provider while providing Services under the MSA. To the extent that there is any conflict between this Agreement and the MSA in relation to that purpose, this Agreement shall govern.
3. Obligations of Service Provider
3.1 With respect to the Processing of Relevant Personal Data, Service Provider shall, and shall procure that each of its Personnel, agents and Subprocessors shall, comply with Data Protection Laws, to the extent applicable; and only Process Relevant Personal Data on behalf of and in accordance with Customer’s prior written instructions (including as set out in this Agreement and the MSA) and for no other purpose.
3.2 The Service Provider represents and warrants to the Customer that it shall implement appropriate technical and organisational measures to protect the Relevant Personal Data, in accordance with applicable Data Protection Laws. The Service Provider shall ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect the Relevant Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access. The Service Provider shall perform internal inspections on a regular basis, to confirm that it is complying with its obligations under this Agreement and, where appropriate, the Service Provider shall amend its Processing activities to satisfy its obligations under this Agreement.
3.3 The Parties agree to promptly complete and execute a data transfer agreement substantially in the form of Controller-to-Processor Standard Contractual Clauses for the transfer of Relevant Personal Data from the European Union to Processors established in third countries and as approved for the purposes of Directive 95/46/EC (as amended, consolidated or replaced from time to time) and thereafter to comply with all of the conditions thereof.
3.4 The Parties hereby acknowledge and agree that the Customer is a Controller and the Service Provider is a Processor with respect to the Processing of the Relevant Personal Data. In addition to, and notwithstanding, any other right or obligation arising under this Agreement or the MSA, the Service Provider shall, in relation to such Processing:
(a) comply with the express instructions or directions of the Customer given from time to time in connection with the Processing of the Relevant Personal Data, and the requirements of any Data Protection Laws; and
(b) only Process the Relevant Personal Data strictly and solely: (i) to the extent necessary in connection with this Agreement, in particular as described in Schedule 1 below; and (ii) in accordance with the documented instructions received from the Customer from time to time. If at any point, the Service Provider becomes legally unable to comply with the Customer's instructions regarding the Processing of the Relevant Personal Data (whether as a result of a change in applicable law, or a change in the Customer's instructions), the Service Provider shall promptly:
(i) notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and
(ii) cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as the Customer issues new instructions with which the Service Provider is able to comply.
3.5 In addition, the Service Provider, and where applicable the Service Provider’s representative, shall, in relation to the Processing of the Relevant Personal Data:
(a) (i) create; (ii) keep up-to-date for the duration of the Processing; and (iii) maintain for seven years thereafter; complete and accurate records in writing (including in electronic form) of its Processing activities, including all categories of its Processing activities, in relation to the Relevant Personal Data, and disclose such records to the Customer, or any Data Protection Authority, promptly upon demand;
(b) (i) ensure the Relevant Personal Data are kept confidential; (ii) take all reasonable steps to ensure the reliability and trustworthiness of the Service Provider’s Personnel and any Subprocessors; and (iii) ensure that all relevant Service Provider Personnel, and any relevant Subprocessors, have committed themselves to ensuring the confidentiality of all the Relevant Personal Data that they Process;
(c) ensure that, in each instance in which it engages a Subprocessor to Process any Relevant Personal Data, it shall: (i) only appoint such Subprocessor in accordance with the process outlined in clause 3.7; (ii) keep the Customer informed if there is any change to the role or status of the Subprocessor; and (iii) enter into a binding written agreement with the Subprocessor that imposes on the Subprocessor the same obligations that apply to the Service Provider under this Agreement with respect to the Processing of the Relevant Personal Data;
(d) at the Customer’s request and expense, promptly provide the Customer with all reasonable technical and organisational assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights;
(e) at the Customer’s request and expense, promptly provide the Customer with all reasonable assistance necessary to enable the Customer to: (i) notify relevant breaches of the GDPR and/or any domestic Data Protection Laws to the relevant Data Protection Authority and/or affected Data Subjects; (ii) conduct Data Protection Impact Assessments; and (iii) obtain any necessary authorisations from the Data Protection Authority, to the extent such breaches did not occur as a result of any error, omission or negligence on behalf of Service Provider or its Personnel;
(f) permanently and securely delete (or, at the election of the Customer, return) all Relevant Personal Data in the possession or control of Service Provider or any of its Subprocessors, within thirty (30) days after the end of the Term, unless the applicable legislation relating to data protection and privacy, including the EU GDPR and related applicable data protection and privacy laws of the EEA member states and/or the UK GDPR and related applicable data protection laws of the United Kingdom require otherwise; and procure that its Subprocessors shall do likewise;
(g) at the Customer’s request and expense, and to the extent Service Provider can do so taking into account the nature and extent of the Processing and the Relevant Personal Data stored by Service Provider, Service Provider shall (i) promptly provide the Customer with all information reasonably necessary to enable the Customer to demonstrate compliance with its obligations pursuant to Data Protection Laws; and (ii) allow for and contribute to audits, including inspections, conducted by the Customer or an auditor appointed by the Customer; and
(h) notify the Customer promptly, and in any event within twenty-four (24) hours, of: (i) becoming aware of any Personal Data Breach affecting the Relevant Personal Data; (ii) becoming aware of any material breach of this Clause 3; or (iii) receipt of any correspondence or communication from any Data Subject, the Data Protection Authority or third party regarding the Processing of the Relevant Personal Data.
3.6 The Service Provider shall not, whether through action or omission, place the Customer in breach of any Data Protection Laws.
3.7 The Customer acknowledges and confirms its prior general consent to sub-contracting of the data processing by Allsorter to its vetted subprocessors, an up-to-date list of which is maintained by the Service Provider and available on request. Any sub-processors utilised by the Service Provider will comply with data protection terms which are substantially similar to the data protection obligations set out in this Agreement, including, but not limited to, standard contractual clauses where appropriate. As between the Data Controller and the Data Processor, the Data Processor shall remain fully liable for all acts or omissions of any data sub-processor appointed by it pursuant to this section.
3.8 The Service Provider shall remain primarily liable and responsible for the acts and omissions of its Personnel, agents and Subprocessors. All breaches of this Clause 3 by the Service Provider’s Personnel, agents or Subprocessors shall be deemed to be acts of the Service Provider. Nothing in this Agreement shall relieve the Service Provider of any liability for the acts or omissions of any Service Provider Personnel in relation to any Relevant Personal Data.
3.9 The Service Provider warrants that it will comply with the provisions of applicable Data Protection Legislation and shall:
(i) indemnify and hold harmless the Customer for any loss to the Customer (including indirect and consequential loss) arising from a breach by the Service Provider, its employees, agents or sub-contractors, of its obligations under this clause 3 or of Data Protection Laws.
(ii) indemnify and hold harmless the Customer from and against any data protection or privacy claims arising out of, or in connection with, any breach of Data Protection Laws or this Clause 3 by the Service Provider, its employees, agents and/or sub-contractors and hold the Customer harmless from and against any losses, damages, costs (including reasonable legal fees) and expenses (including indirect or consequential loss) incurred by the Customer or awarded by a court of competent jurisdiction against the Customer or its affiliates as a result of or in connection with such a claim.
3.10 Nothing in this Agreement limits or excludes liability of either Party in respect of any claims for death or personal injury caused by negligence, fraud or any other liability which cannot be excluded or limited by law.
3.11 To the maximum extent permitted by applicable law, Service Provider will not have any liability to Customer for any loss of profits, loss of business, loss of data, loss of use, loss of goodwill, or for any indirect, special, incidental, punitive, or consequential damages of any kind however caused.
3.12 Subject to clauses 3.10 and 3.11, in no event whatsoever shall the aggregate liability of Service Provider (whether arising for breach of contract, indemnity, misrepresentation (whether tortious or statutory), tort (including negligence), breach of statutory duty, warranty, strict liability or any other legal theory howsoever arising) under or in connection with this Agreement exceed 100% of the Charges paid to Service Provider by Customer.
Customer acknowledges and agrees that Service Provider may collect and use anonymised data from provision of its Services relating to outcomes, usage data and other information. This data shall be irreversibly anonymised and shall therefore no longer be considered Relevant Personal Data under the Data Protection Laws.
4. Obligations of Customer
4.1 The Customer warrants that it complies with its obligations under applicable Data Protection Laws in respect of the Service Provider’s engagement to Process any Relevant Personal Data.
5.1 This Agreement shall terminate automatically upon the termination or expiry of the MSA. Notwithstanding termination of this Agreement, nor any other provision of this Agreement or the MSA, the Service Provider’s obligations under Clause 3 and this Clause 5 shall continue in full force and effect for the duration of the period in which the Service Provider Processes any Relevant Personal Data.
5.2 The Customer shall be entitled to terminate this Agreement immediately by notice in writing to the Service Provider if:
(a) The Service Provider is in material or persistent breach of this Agreement, and such breach (if capable of being remedied) has not been remedied within ten (10) business days after having been notified of such breach by the Customer; or
(b) The Service Provider becomes insolvent, has a receiver, administrator or administrative receiver appointed over the whole or any part of its assets, enters into any arrangement with creditors, or has a winding up order or procedure.
6.1 Failure by either Party to exercise or enforce any right available to that Party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of the Party’s rights under this Agreement.
7.1 If any term or provision of this Agreement is held by a court of competent jurisdiction to be illegal or unenforceable, in whole or part, the validity of the remaining provisions and of this Agreement shall remain unaffected. The same shall apply in the event that this Agreement is incomplete.
8. Entire Agreement
8.1 This Agreement forms the entire agreement and understanding between the Parties with respect to its subject matter, and supersedes all prior discussions, agreements and understandings, of any kind, whether written or oral, between the Parties with respect to the subject matter of this Agreement.
9.1 No amendment or modification of this Agreement shall be binding on the Parties unless made in writing, expressly referring to this Agreement, and signed by a duly authorised representative of each Party.
10.1 Any notice made in relation to this Agreement shall be made in writing and delivered by hand or sent by airmail, facsimile, or electronic mail with notice of receipt, sent to the contact address first written above or any other address, number, or email address as the intended recipient previously has designated. The notice shall be deemed to be made when the communication is actually received by the addressee.
11. Governing Law
11.1 This Agreement shall be governed by, and construed in accordance with, the laws of the Republic of Ireland and each Party irrevocably submits to the exclusive jurisdiction of the courts of the Republic of Ireland.
SIGNED by or on behalf of the Parties on the Effective Date.
Schedule 1: Data Processing Activities
The Relevant Personal Data concern the following categories of Data Subjects:
- Candidate resumes/CVs
- Client personnel information added to cover sheets
Categories of Relevant Personal Data
The following Relevant Personal Data may be Processed by Service Provider:
- Information in a standard curriculum vitae/resume (e.g. name, address and other contact information including personal telephone numbers and email addresses, educational history, employment history, degree(s) and other qualifications, languages and other skills);
- Age/date of birth;
- Nationality and citizenship;
- Government-issued identification information, passport or visa information;
- Job title and role / function;
- Salary and compensation data (including non-salary benefits, bonuses and incentives and other financial information);
- To the extent permitted or required by applicable law, marital status and family situation;
- Nationality and citizenship; and
- Employee records.
Special Categories of Data
It is not anticipated that any categories of Sensitive Personal Data will be Processed by Service Provider, especially if listed in the personal details section of the candidate’s resume/CV. It will not be extracted into the formatted document unless the user specifically copies it into the editing interface. If it is included in the work experience details as the job title, employer, etc., it will be brought across but can be deleted by the user.
Data Processing Operations
The Purposes for which the Relevant Personal Data are Processed are as follows:
- Provision of the Services;
- Identity verification;
- Enabling access to services on multiple devices and transfer of accounts to new devices;
- Enabling users to find other users on the Services;
- Monitoring, detecting and deterring unauthorised or fraudulent use of, or abuse of, the Services;
- Improving and/or optimising the Services;
- Providing customer support, and responding to inquiries;
- Providing users with information regarding the Services like feature updates;
- Notifying users of any other important information regarding the Services;
- Aggregating anonymised statistical data regarding the Services; and
- Complying with applicable laws or legal obligations.
Personal data retention
The Relevant Personal Data shall be retained as per the written instructions of the Customer at the time of the Agreement, with the retention period measured from the date it is imported into the Allsorter system. In case of no specific instructions, the Service Provider shall retain the Personal Data in the system for seven (7) from the date it was uploaded into the system, after which it will be marked for deletion in the next automated deletion job.
Contact for data protection inquiries
Belfield Innovation Park
Dublin 4, Dublin, Ireland