Data Protection Addendum
1. Intro
This Data Protection Addendum ("Addendum") forms part of the Service Contract ("Agreement") as described in TalentDesk.io Terms & Conditions between:
- Provider acting on its own behalf (and where applicable, as agent for each Provider affiliate); and
- Manager acting on its own behalf and as agent for each Manager Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
2. Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
‘Applicable Laws’ means (a) European Union or Member State laws with respect to any Manager Personal Data in respect of which the Manager and any Manager Affiliate is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Manager Data in respect of which the Manager or any Manager Affiliate is subject to any other Data Protection Laws;
‘Manager Affiliate’ means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Manager, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
‘Manager Data’ means all information, data or records of whatever nature and in whatever form (including Personal Data) relating to the business, employees or other activities of the Manager and any Manager Affiliate, whether subsisting before the date of this Agreement or as created or processed as part of, or in connection with, the Services;
‘Data Protection Laws’ means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
‘EEA’ means the European Economic Area;
‘EU Data Protection Laws’ means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
‘GDPR’ means EU General Data Protection Regulation 2016/679;
‘Personal Data’ means any personal data (as such term is defined in the Data Protection Laws) processed as part of the Services; and
‘Services’ means the services and other activities to be supplied to or carried out by or on behalf of the Provider for the Manager (and Manager Affiliates) pursuant to the Agreement.
3. Data Protection
The Provider and the Manager will comply with the Data Protection Laws when processing Personal Data under the Agreement.
The scope of the processing carried out by the Provider under the Agreement is as follows:
- scope, nature and purpose of processing: the Personal Data provided to the Provider for the purposes of carrying out the Services; and
- duration: for the duration of the Agreement.
The Provider confirms that, when acting as processor for the Manager in relation to Personal Data, the Provider shall:
- only process Personal Data on the documented instructions of the Manager (which shall include the provision of the Services under the Agreement) unless required to process that Personal Data for other purposes by EU Law. Where such a requirement is placed on the Provider it shall provide prior notice to the Manager unless the relevant law prohibits the giving of notice on important grounds of public interest;
- inform the Manager if, in its opinion, the Manager’s instructions would be in breach of the Data Protection Laws;
- provide reasonable assistance to the Manager to respond to requests from individuals exercising their rights under Data Protection Laws;
- promptly notify the Manager if it receives a request from an individual attempting to exercise their rights under the Data Protection Laws. The Provider shall act in accordance with the Manager’s reasonable instructions when dealing with that request; and
- provide reasonable assistance to the Manager to conduct a privacy impact assessment (and any related consultations) where required under the Data Protection Laws. If this requires the Provider to take additional steps beyond those directly imposed on the Provider by Data Protection Laws, the Provider shall notify the Manager of any costs and the parties shall agree whether the Manager will pay the Provider for any reasonable costs of taking those additional steps.
At the request of the Manager, the Provider shall provide evidence of its compliance with this Clause 2 and allow the Manager to audit that compliance (either by itself or by using an auditor nominated by the Manager).
On termination of the Agreement and at the option of the Manager, the Provider shall promptly return or delete Manager Data and certify in writing that it has done so. The Provider may retain a copy of the Manager Data only to the extent it is obliged to do so by EU Law.
The Provider shall not transfer Personal Data outside of the EEA unless it has a lawful basis for that transfer. The Provider shall inform the Manager of that transfer and, where necessary, the documented instructions of the Manager shall be updated with details of that transfer.
3. Data Security
The Provider shall notify the Manager immediately should it become aware of, or reasonably suspect that there has been, a security breach leading to the accidental or unauthorised loss, alteration or disclosure of Manager Data (a "Security Breach"). As part of that notification, the Provider shall provide:
- a description of the nature of the Security Breach, including the volume and type of Manager Data affected and the categories and approximate number of individuals concerned;
- the likely consequences of the Security Breach; and
- a description of the measures taken or proposed to be taken to address the Security Breach including, where appropriate, measures to mitigate its possible adverse effects.
Where a Security Breach is the result of the Provider’s breach of the Agreement or negligence, the Provider shall indemnify and hold harmless the Manager (and any Manager Affiliate) against any costs, claims, demands, expenses and damages of whatsoever nature arising out of or in connection with that breach.
4. Use of Sub-Processors
The Manager provides a general authorisation to the Provider to engage further processors to process the Manager Data. The Provider shall provide the Manager with a list of those further processors. The Provider shall give the Manager prior notice of any intended addition to or replacement of those further processors. If the Manager reasonably objects to that change, the Provider shall refrain from making that addition or replacement.
The Provider shall ensure that it has a written contract with further processors it engages to process Manager Data. That contract must impose obligations on the further processor equivalent to those set out in this Addendum and the Provider shall ensure that the further processor complies with those obligations.
Last updated: May 14, 2018