1. Datalive Ltd Trading As Allsorter.com a company established under the laws of Ireland, with Registration Number 54124 and registered address Nova UCD, Belfield Innovation Park, Donnybrook, Dublin 4, Ireland

2. Company supplying to, – insert company details here

each a “Party” and together the “Parties”.

RECITALS

A. The Customer has engaged Datalive to Process the Relevant Personal Data (as defined below) under the terms of a Master Services Agreement dated (insert date here) and executed by the Parties (the “MSA”) for the provision of effective CV automation software solutions (the “Services”)

B. Customer will use the Services under the terms of the MSA for the purposes of HR Solutions

C. This Agreement sets out the obligations of the Parties with respect to the Processing of

The Relevant Personal Data.

1. Definitions and Interpretation

1.1 In this Agreement, unless the context otherwise requires:

“Controller” has the meaning given to it in the GDPR.

“Data Protection Authority” means a Supervisory Authority, as that term is defined in the

GDPR.

“Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR.

“Data Protection Laws” means: (a) the GDPR, Directive 95/46/EC, Directive 2002/58/EC and Directive 2009/136/EC, together with any national implementing laws in any Member State of the European Union; and (b) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each as applicable to any Group Company and each as amended, consolidated or replaced from time to time.

“Data Subject” has the meaning given to it in the GDPR.

“GDPR” means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time.

“Group Company” means, in relation to an entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity, and “control”, for the purposes of this definition, means direct or indirect ownership of, or rights to direct, more than 50% of the voting interests of the relevant entity.

“Personal Data” has the meaning given to it in the GDPR. “Personal Data Breach” has the meaning given to it in the GDPR.

“Personnel” means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.

“Process”, “Processing” or “Processed” each have the meanings given to them in the

GDPR.

“Processor” has the meaning given to it in the GDPR.

“Relevant Personal Data” means the categories of Personal Data that are set out in Schedule 1 and that are Processed under, or in connection with the provision of the Services.

“Term” has the meaning given in the [MSA].

“Subprocessor” means any party engaged by Service Provider to Process Relevant

Personal Data.

2. Subject Matter and Scope

2.1 This Agreement applies only to the Processing of Relevant Personal Data.

2.2 The purpose of this Agreement is to help ensure adequate protection of Relevant Personal Data. To the extent that there is any conflict between this Agreement and the MSA in relation to that purpose, this Agreement shall govern.

3. Obligations of Service Provider

3.1 With respect to the Processing of Relevant Personal Data, Service Provider shall, and shall procure that each of its Personnel, agents and Subprocessors shall:

(a) from the Effective Date up to and including 24 May 2018 (the “Pre-GDPR Period”) comply with all Data Protection Laws, to the extent applicable (noting that the GDPR is not applicable during the Pre-GDPR Period); and

(b) from 25 May 2018 onward (the “GDPR Period”), comply with all Data Protection

Laws, to the extent applicable.

3.2 The Service Provider represents and warrants to the Customer that it shall implement appropriate technical and organisational measures to protect the Relevant Personal Data, in accordance with applicable Data Protection Laws and, during the GDPR Period, in accordance with Articles 32-34 of the GDPR in particular. The Service Provider shall ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect the Relevant Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access. Prior to the Processing of any Relevant Personal Data, and then regularly thereafter, the Service Provider shall document its relevant technical and organisational security measures, in the format set out in Schedule 2 below. The Service Provider shall perform internal inspections on a regular basis, to confirm that it is complying with its obligations under this Agreement and, where appropriate, the Service Provider shall amend its Processing activities to satisfy its obligations under this Agreement.

3.3 The Parties agree to promptly complete and execute a data transfer agreement substantially in the form of Controller-to-Processor Standard Contractual Clauses for the transfer of Relevant Personal Data from the European Union to Processors established in third countries and as approved for the purposes of Directive 95/46/EC (as amended, consolidated or replaced from time to time) and thereafter to comply with all of the conditions thereof.

3.4 The Parties hereby acknowledge and agree that the Customer is a Controller and the Service Provider is a Processor with respect to the Processing of the Relevant Personal Data. In addition to, and notwithstanding, any other right or obligation arising under this Agreement or the MSA, the Service Provider shall, in relation to such Processing:

(a) comply with the express instructions or directions of the Customer given from time to time in connection with the Processing of the Relevant Personal Data, and the requirements of any Data Protection Laws; and

(b) only Process the Relevant Personal Data strictly and solely: (i) to the extent necessary in connection with this Agreement, in particular as described in Schedule 1 below; and (ii) in accordance with the documented instructions received from the Customer from time to time. If at any point, the Service Provider becomes legally unable to comply with the Customer’s instructions regarding the Processing of the Relevant Personal Data (whether as a result of a change in applicable law, or a change in the Customer’s instructions), the Service Provider shall promptly:

(i) notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and

(ii) cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as the Customer issues new instructions with which the Service Provider is able to comply.

3.5 During the GDPR Period, the Parties shall continue to abide by the obligations set out in Clause 3.4 above. In addition, during the GDPR Period, the Service Provider, and where applicable the Service Provider’s representative, shall, in relation to the Processing of the Relevant Personal Data:

(a) (i) create; (ii) keep up-to-date for the duration of the Processing; and (iii) maintain for seven years thereafter; complete and accurate records in writing (including in electronic form) of its Processing activities, including all categories of its Processing activities, in relation to the Relevant Personal Data, and disclose such records to the Customer, or any Data Protection Authority, promptly upon demand;

(b) ensure the Relevant Personal Data are kept confidential; (ii) take all reasonable steps to ensure the reliability and trustworthiness of the Service Provider’s Personnel and any Sub processors, and (iii) ensure that all relevant Service Provider Personnel, and any relevant Sub processors, have committed themselves to ensuring the confidentiality of all the Relevant Personal Data that they Process;

(c) (i) ensure that, in each instance in which it engages a Subprocessor to Process any Relevant Personal Data, it shall: (i) only appoint such Subprocessor in accordance with the prior written authorisation of the Customer (such authorisation not to be unreasonably withheld, conditioned or delayed); (ii) keep the Customer informed if there is any change to the role or status of the Subprocessor; and (iii) enter into a binding written agreement with the Subprocessor that imposes on the Subprocessor the same obligations that apply to the Service Provider under this Agreement with respect to the Processing of the Relevant Personal Data;

(d) at the Customer’s request and expense, promptly provide the Customer with all reasonable technical and organisational assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights;

(e) at the Customer’s request and expense, promptly provide the Customer with all reasonable assistance necessary to enable the Customer to: (i) notify relevant breaches of the GDPR to the Data Protection Commission and/or affected Data Subjects; (ii) conduct Data Protection Impact Assessments; and (iii) obtain any necessary authorisations from the Data Protection Commission;

(f) permanently and securely delete (or, at the election of the Customer, return) all Relevant Personal Data in the possession or control of Service Provider or any of its Subprocessors, within thirty (30) days after the end of the Term, unless the applicable law of the European Union or an EU Member State requires otherwise; and procure that its Subprocessors shall do likewise;

(g) at the Customer’s request and expense: (i) promptly provide the Customer with all information necessary to enable the Customer to demonstrate compliance with its obligations under the GDPR, to the extent that the Service Provider is able to provide such information; and (ii) allow for and contribute to audits, including inspections, conducted by the Customer or an auditor appointed by the Customer; and

(h) notify the Customer promptly, and in any event within twenty-four (24) hours, of: (i) becoming aware of any Personal Data Breach affecting the Relevant Personal Data; (ii) becoming aware of any material breach of this Clause [3]; or (iii) receipt of any correspondence or communication from any Data Subject, the Data Protection Commission or third party regarding the Processing of the Relevant Personal Data.

3.6 The Service Provider shall not, whether through action or omission, place the Customer in breach of any Data Protection Laws.

3.7 The Service Provider shall remain primarily liable and responsible for the acts and omissions of its Personnel, agents and Subprocessors. All breaches of this Clause 3 by the Service Provider’s Personnel, agents or Subprocessors shall be deemed to be acts of the Service Provider. Nothing in this Agreement shall relieve the Service Provider of any liability for the acts or omissions of any of any Service Provider Personnel in relation to any Relevant Personal Data.

3.8 The Service Provider warrants that it will comply with the provisions of applicable Data Protection Legislation and shall:

indemnify and hold harmless the Customer for any loss to the Customer ( including indirect and consequential loss) arising from a breach by the Service Provider, its employees, agents or sub-contractors, of its obligations under this clause 3 or of Data Protection Laws.

indemnity and hold harmless the Customer from and against any data protection or privacy claims arising out of, or in connection with any breach of or any breach of Data Protection Laws or this Clause 3 by the Service Provider, its employees, agents and/or sub-contractors and hold the Customer harmless from and against any losses, damages, costs (including reasonable legal fees) and expenses incurred (including indirect or consequential loss) incurred by the Customer or awarded by a court of competent jurisdiction against the Customer or its affiliates as a result of or in connection with such a claim.

4. Obligations of Customer

4.1 The Customer warrants that it complies with its obligations under applicable Data Protection Laws in respect of the Service Provider’s engagement to Process any Relevant Personal Data.

5. Termination

5.1 This Agreement shall terminate automatically upon the termination or expiry of the MSA.

Notwithstanding termination of this Agreement, nor any other provision of this Agreement or the MSA, the Service Provider’s obligations under Clauses 3 and this Clause 5 shall continue in full force and effect for the duration of the period in which the Service Provider Processes any Relevant Personal Data.

5.2 The Customer shall be entitled to terminate this Agreement immediately by notice in writing to the Service Provider if:

(a) The Service Provider is in material or persistent breach of this Agreement, and such breach (if capable of being remedied) has not been remedied within ten (10) business days after having been notified of such breach by the Customer; or

(b) The Service Provider becomes insolvent, has a receiver, administrator or administrative receiver appointed over the whole or any part of its assets, enters into any arrangement with creditors, or has a winding up order or procedure.

6. Waiver

6.1 Failure by either Party to exercise or enforce any right available to that Party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of the Party’s rights under this Agreement.

7. Invalidity

7.1 If any term or provision of this Agreement is held by a court of competent jurisdiction to be illegal or unenforceable, in whole or part, the validity of the remaining provisions and of this Agreement shall remain unaffected. The same shall apply in the event that this Agreement is incomplete.

8. Entire Agreement

8.1 This Agreement forms the entire agreement and understanding between the Parties with respect to its subject matter, and supersedes all prior discussions, agreements and understandings, of any kind, whether written or oral, between the Parties with respect to the subject matter of this Agreement.

9. Variation

9.1 No amendment or modification of this Agreement shall be binding on the Parties unless made in writing, expressly referring to this Agreement, and signed by a duly authorised representative of each Party.

10. Notices

10.1 Any notice made in relation to this Agreement shall be made in writing and delivered by hand or sent by airmail, facsimile, or electronic mail with notice of receipt, sent to the contact address first written above or any other address, number, or email address as the intended recipient previously has designated. The notice shall be deemed to be made when the communication is actually received by the addressee.

11. Governing Law

11.1 This Agreement shall be governed by, and construed in accordance with, the laws of Ireland and each Party irrevocably submits to the exclusive jurisdiction of the district court of Ireland.