Data Protection Agreement
DATA PROCESSING AGREEMENT
THIS DATA PROCESSING AGREEMENT (the “Agreement”) is entered into by and between “KARIERA S.A.”, a company duly incorporated and validly existing under the laws of Greece, having its registered office at 4 Kastorias & Messinias str., Gerakas, Attica, Greece, P.C. 153 44, registered with the Companies Register of Greece under number 005366801000 (including its subsidiaries and affiliates, the “Provider”) and the Customer (the “Customer”) who has subscribed to Provider’s Terms of Service.
WHEREAS:
(A) The Customer has subscribed to Provider’s Terms of Service available here (the “Services Agreement”) for the use of the Platform and the provision of certain services (collectively the “Services”), in accordance with the terms and conditions of the Services Agreement.
(B) For the provision of the Services under the Services Agreement, the Provider may process Personal Data (as defined below).
(C) It is hereby agreed that the Customer is the Data Controller of any Personal Data processed for the provision of the Services and the Provider is the Data Processor under this Agreement.
(D) The Data Controller and the Data Processor may be referred to individually as a “Party” and collectively as the “Parties”.
(E) The Parties seek to implement a data processing agreement that complies with the requirements of the Applicable Data Protection Laws (as defined below) in relation to data processing.
1. Data Protection – Definitions
1.1 As the performance of the Services Agreement and the delivery of the Services necessitates the processing of Personal Data, the Data Controller and the Data Processor shall comply with the applicable data protection legislation and regulations.
1.2 “Affiliate” means any corporation or other business entity controlling, controlled by or under common control with the Data Processor.
1.3 “Applicable Data Protection Laws” means the applicable legislation on the protection of Personal Data, and particularly includes the provisions of the General Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”), as well as any other applicable laws, regulations, directives and/or codes of conduct relating to the processing of Personal Data (including any secondary legislation adopted pursuant to the Personal Data Protection Laws and any provision modifying, overriding or replacing them, with or without modification).
1.4 “Data Controller” and “Data Processor” have the meanings given to them in the GDPR.
1.5 “Personal Data” means Customer Data that identify, can be used to identify, or relate to an identifiable individual as defined in article 4(1)(1) of the GDPR. The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are described in clauses 5.1.1 and 5.1.2 below. The Data Processor only performs processing activities that are necessary and relevant to perform the Services. The Parties shall update accordingly clauses 5.1.1 and 5.1.2 and this Agreement whenever changes occur that necessitate an update.
1.6 “Process”, “Processed” and “Processing” mean the collection, possession, use, disclosure, transfer, storage, deletion, combination, access or other use of Personal Data as contemplated by the Applicable Data Protection Laws.
1.7 Any other words in capital letters that are not defined in this Agreement shall be interpreted in accordance with the Services Agreement.
2. Data Processor’s obligations
2.1 The Data Processor shall ensure that in relation to Personal Data disclosed to it by, or otherwise obtained from the Data Controller, it shall act as the Data Controller’s data processor in relation to such Personal Data under the Data Controller’s instructions, guidance and control, and therefore shall:
2.1.1 create and maintain a record of the Data Processor’s processing activities in relation to this Agreement; the Data Processor shall make the record available to the Data Controller, any auditor appointed by it and/or the supervisory authority on first request;
2.1.2 not process the Personal Data for any purpose other than to deliver the Services and to perform its obligations under the Services Agreement in accordance with the documented instructions of the Data Controller; if it cannot provide such compliance, for whatever reasons, it agrees to promptly inform the Data Controller of its inability to comply;
2.1.3 inform the Data Controller immediately if it believes that any instruction from the Data Controller infringes any Applicable Data Protection Laws;
2.1.4 not disclose the Personal Data to any person other than to its personnel as necessary to perform its obligations under this Agreement and the Services Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations;
2.1.5 take appropriate technical and organisational measures against any unauthorised or unlawful processing as described in clause 7.1 below, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary;
2.1.6 ensure that access, inspection, processing and provision of the Personal Data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the Personal Data for their work in relation to the performance of the Services;
2.1.7 promptly notify the Data Controller about (i) any legally binding request for disclosure of the Personal Data by a data subject or a judicial or regulatory authority, unless otherwise prohibited (such as by the obligation under criminal law to preserve the confidentiality of a judicial enquiry), and assist the Data Controller therewith; and (ii) any accidental or unauthorized access and, more generally, any unlawful processing, and assist the Data Controller therewith;
2.1.8 deal promptly and properly with all reasonable inquiries from the Data Controller relating to its processing of the Personal Data or in connection with the Services Agreement and this Agreement;
2.1.9 make available to the Data Controller all information necessary to demonstrate compliance with the Applicable Data Protection Laws;
2.1.10 at the request and costs of the Data Controller, allow and assist in audits and/or procedures/documentation review, carried out by the Data Controller or by another auditor appointed by the Data Controller, provided that such audits will be conducted in full confidentiality on behalf of the Data Controller or the appointed auditor. Unless Customer’s request for such audit and/or procedures/documentation review follows a security incident, or is otherwise required by Applicable Data Protection Laws, Customer shall not make any such request more than once in any 12-month period.
2.1.11 subject to clause 6 (Sub-processors), refrain from engaging another data processor without the prior written consent of the Data Controller;
2.1.12 assist the Data Controller, to the extent applicable and subject to reasonable additional compensation, with the Data Controller’s obligations under Applicable Data Protection Laws.
3. Data Controller’s obligations
3.1 The Data Controller represents, warrants and ensures that: a) all privacy policies of the Data Controller comply fully with all Applicable Data Protection Laws and accurately describe the processing of Personal Data contemplated by this Agreement, and b) it has lawfully obtained from the data subjects any and all permissions, approvals and/or consents (if required) for the processing by the Data Processor of their Personal Data on behalf of and in accordance with the instructions of the Data Controller. The Data Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the same are acquired. In this context, the Data Controller shall indemnify the Data Processor against any claims and actions of third parties related to the processing of Personal Data without express consent and/or legal basis under this Agreement and the Services Agreement.
3.2 The Data Controller acknowledges that, with respect to the Services, it is responsible for ensuring compliance with all Applicable Data Protection Laws including, but not limited to: (i) ensuring that all Personal Data is processed fairly and lawfully and in full compliance with Applicable Data Protection Laws; (ii) ensuring that data subjects are fully informed of the processing of their Personal Data necessary for the performance of the Services and as described in this Agreement, the Data Controller explicitly mentioning in its privacy policy its collaboration with the Data Processor for the provision of the Services, as well as the purpose of the processing; and (iii) ensuring that all necessary disclosures and consents have been obtained from data subjects to permit the processing of their Personal Data by the Data Processor to perform the Services and as described in this Agreement and the Services Agreement.
4. Data transfers
4.1 Personal Data processed in the context of this Agreement may not be transferred by the Data Processor to a country outside the European Economic Area (EEA) without the prior written consent of the Data Controller, which shall not be unreasonably withheld or delayed. If Personal Data processed under this Agreement are transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise or stipulated under the Applicable Data Protection Laws, rely on module two of the EU approved standard contractual clauses for the transfer of Personal Data from controllers to Processors and available here (as amended or updated from time to time). For the purposes of the descriptions in the EU approved standard contractual clauses and only as between the Provider and the Customer, the Parties hereby agree that the Provider is a “data importer” and the Customer is the “data exporter” (notwithstanding that the Customer is located outside the EEA).
4.2 It is not the intention of either Party that this Agreement contradicts or restricts any of the provisions set forth in the EU approved standard contractual clauses or limits the rights of any data subject or of any competent supervisory authority. Accordingly, if and to the extent the EU approved standard contractual clauses conflict with any provision of this Agreement, the EU approved standard contractual clauses shall prevail.
5. Data Processing
5.1 In addition to the information provided elsewhere in the Agreement and the Services Agreement, the Parties wish to document the following information in relation to the data processing activities:
(i) Categories of data subjects whose personal data is processed:
Employees – including past, potential, present and future staff (such as volunteers, agents, independent contractors, interns, part-time or full-time employees etc.) of the Customer.
Candidates – past, potential, present and future candidates of the Customer who are being considered or have been selected for placement for a role with the Customer.
Referees / References – past, present, potential and future employment referees for a particular candidate of the Customer.
(ii) Categories of Personal Data processed:
Employees and Candidates: Personal information (including, but not limited to, name, identification number(s), photograph(s), address, birth date, gender, marital status, number of children, emergency contact, telephone number(s), academic and professional qualifications, CV/resume, employment history, language proficiency, etc.); Information in connection with the employee’s job (including, but not limited to, title, grade, location, reporting lines, team affiliation, hire date, working hours, contract details, performance and evaluation data, employee discipline information, work history, benefits and insurance, assets assigned, training, time-off documentation, etc.); Payroll related information (including, but not limited to, salary and compensation information, tax and social security information, bank details, pensions, bonuses, other benefits, etc.).
Referees / References: Contact details, namely address, telephone number (fixed and mobile), email address, fax number, emergency contact information.
(iii) Sensitive data processed: only if the Customer elects to enter such data in the Platform. The Provider applies restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for authorized staff), keeping a record of access to the data, or additional security measures. Sensitive data may include indicatively the health status or disability information of employees, candidates etc.
(iv) The Data Processor does not store or process or make available any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, unless the Customer elects to enter such data in the Platform.
(v) The duration of the data processing activities and the period for which the Personal Data will be retained is aligned with the Agreement’s duration. Other than to the extent required to comply with the Applicable Data Protection Laws, following termination or expiration of the Services Agreement, Data Processor shall delete or return all Personal Data (including copies thereof) processed pursuant to this Agreement. This requirement shall not apply to the extent that the Provider is required by any Applicable Data Protection Law to retain some or all of the Personal Data, in which event the Provider shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
6. Sub-processors
6.1 The Data Processor is hereby given by the Data Controller general authorization to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within seven (7) calendar days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor. If, within the aforementioned timeframe following receipt of a notice of the engagement of a new Sub-Processor, the Customer objects to the engagement of that Sub-Processor on data protection grounds, then either the Provider will not engage the Sub-Processor to process the Personal Data or the Customer may elect to terminate the Services Agreement and this Agreement pursuant to the terms of the Services Agreement.
6.2 For the avoidance of any doubt, the Data Controller hereby acknowledges and agrees that (a) Affiliates of the Data Processor may be appointed as Sub-processors; and (b) the Data Processor and its Affiliates may engage third party sub-processors to process Personal Data in connection with the provision of the Services and this Agreement in accordance with clause 6.1 above.
6.3 The Data Processor shall be liable for the acts and omissions of its Sub-processors to the extent that the Data Processor would be liable if performing the services of each Sub-processor directly under this Agreement.
6.4 Appointed sub-processors. Notwithstanding clause 6.1 hereof, an up-to-date list of the Sub-processors, which are deemed necessary for the provision of the Services at the time of entering into this Agreement and are hereby approved by the Data Controller is currently provided here.
7. Security Measures and Breach Notification
7.1 The Provider will implement and maintain all reasonable and appropriate technical and organizational security measures to meet the requirements of Applicable Data Protection Laws, and in particular, to protect against the occurrence of security incidents and to preserve the security, integrity and confidentiality of Personal Data (the “Security Measures”). Such Security Measures shall take into account industry standards, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of a security incident and potential impact on the rights and freedoms of data subjects. At a minimum, the Provider implements the Security Measures identified in Provider’s Security Policy which is available here.
7.2 In the event of a security incident, the Provider shall inform the Customer without undue delay and provide written notification of the security incident. Such notification shall be provided in accordance with article 33 of the GDPR and shall include at minimum the information described therein.
8. Parties’ Liability
8.1 It is explicitly and unreservedly acknowledged by the Parties that each Party may claim compensation from the other Party against any administrative fine or any compensation to a third party or public body, or body exercising public power paid by that Party or any judicial claim raised against that Party, due to any infringement of the Applicable Data Protection Laws by act or omission of the other Party under its respective contractual obligations.
8.2 Each Party explicitly and unreservedly acknowledges that its failure to comply with its obligations under the Applicable Data Protection Laws, as well as with the terms of this Agreement, will constitute a material breach thereof, providing the other Party with the right to terminate the Services Agreement.
9. Governing Law
9.1 The validity, construction and performance of this Agreement (and any claim, dispute or matter arising under or in connection with it or its enforceability) and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of Greece, excluding its conflict of laws principles, unless otherwise required by a mandatory law of any other jurisdiction.
9.2 Each of the parties to this Agreement irrevocably agrees that the courts of Athens, Greece shall have exclusive jurisdiction to hear and decide any suit, action or proceedings, and/or to settle any disputes, which may arise out of or in connection with this Agreement or its formation or validity and, for these purposes, each Party irrevocably submits to the jurisdiction of the courts of Athens, Greece.
10. Duration and termination
10.1 This Agreement is aligned with and follows the duration of the Services Agreement.
10.2 The Agreement may not be terminated in the interim.
10.3 This Agreement may only be amended by the Parties in writing and subject to mutual consent.
10.4 The Parties shall cooperate in good faith in amending and adjusting this Agreement in the event that new privacy legislation comes into force.