This Data Processing Agreement (“Processing Agreement”) forms part of the “Terms” (defined hereinafter) for the use of the “Services” (defined hereinafter) between the “Data Controller” (defined hereinafter) and the “Data Processor” (defined hereinafter) together as the “Parties”.
The Data Controller enters into this Processing Agreement on behalf of itself and to the extent required under “Applicable Data Protection Laws” (defined hereinafter), in the name and on behalf of the Data Subjects, and to the extent the Data Processor processes the “Personal Data” (defined hereinafter) for which the Data Controller qualifies as a Data Controller.
In course of providing of the Services to the Data Controller, the Data Processor shall only process Personal Data on behalf and as determined by the Data Controller. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
a. The Data Controller is permitted and has obtained and/or possesses the requisite corporate authorisations to enter into this Processing Agreement.
b. The Data Controller acts as a data controller in accordance with Applicable Data Protection Laws.
c. The Data Controller wishes to subcontract certain Services, which require the processing of Personal Data by the Data Processor, in accordance with the purpose and means as specified by the Data Controller in this Processing Agreement.
d. The Parties seek to implement this Processing Agreement in accordance with Applicable Data Protection Laws.
e. In the event of a conflict between the Data Controller and the Data Processor, this Processing Agreement shall control with respect to its subject matter.
f. This Processing Agreement may be modified by the Company under the same terms and conditions that apply to modifications to the Terms.
g. The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. In the event of any inconsistency arising between the provisions of this Processing Agreement and the Terms, the provisions of this Processing Agreement shall prevail, unless explicitly mentioned otherwise in this Processing Agreement.
1.2. For the sake of clarity, this Processing Agreement shall apply to any Processing of Personal Data by the Company as the Data Processor on behalf of the User as the Data Controller as part of the Services, unless Parties have explicitly made other contractual arrangements relating to said Processing of Personal Data.
1.3. Definitions for terms will apply to both singular and plural uses of the terms. The terms ‘controller’, ‘data subject’, ‘personal data’, ‘process/processing’, ‘processor’, and to the extent relevant shall have the same meaning as in the GDPR.
1.4. Capitalised terms and expressions used in this Processing Agreement shall have the same meaning as defined in the Terms, except when specifically defined otherwise below. Furthermore, if a Document has a separate definition, then that definition will apply in relation to that Document.
1.4.1. Applicable Data Protection Laws means any applicable laws and regulations of the European Union, the member states of the European Union and the Netherlands protecting the fundamental rights and freedoms of individuals, and in particular the right to privacy with respect to the Processing of Personal Data, including, but not restricted to the GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming), as such laws and regulations are amended, extended and re-enacted from time to time;
1.4.2. Candidate means the Data Subject who is seeking employment and/or intends to provide of their services to the User and have provided a valid and informed consent to the Data Controller for processing their Personal Data and for using the Services.
1.4.3. Data Controller means the User;
1.4.4. Data Processor means the Company, Neurolytics B.V. a registered company having its registered office at Europalaan 400, 4th Floor, 3526 KS Utrecht, The Netherlands;
1.4.5. Data Subject means the Candidates, Employees and/or End-Users of the Data Controller;
1.4.6. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
1.4.7. Parties mean both the Data Controller and the Data Processor;
1.4.8. Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in accordance with the GDPR;
1.4.9. Personal Data Breach means a breach of the security obligations under this Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed;
1.4.10. Personal Data means the User Content;
1.4.11. Processing Agreement means this data processing agreement and all annexes in accordance which the Data Processor processes the Personal Data for the purpose and means specified by the Data Controller;
1.4.12. Processing means the actions as specified in Annexure 1 of this Processing Agreement.
1.4.13. Services as defined in the Terms;
1.4.14. Standard Contractual Clause means any standard data protection clauses adopted or approved by the European Commission or another competent authority in accordance with Applicable Data Protection Laws;
1.4.15. Sub Processor a processor that has been engaged by the Data Processor to perform specific Processing activities on behalf of the Data Controller as specified in Annexure 1;
1.4.16. Terms means the general terms and conditions that the Parties have agreed to be applicable as made available in/on https://neurolytics.ai for the provision and availing of the Services;
1.4.17. Third Country means any country outside of the European Economic Area;
2.1. This Processing Agreement shall remain valid for the entire duration of the Terms and for any additional duration as agreed by the Parties in writing.
2.2. In addition, Clauses 10, 11, 13, 14, 15, 16 and 18 shall remain in effect and valid after the tenure in Clause 2.1 of this Processing Agreement, to the extent reasonably required.
3. Processing of Personal Data
3.1. The Data Processor shall process Personal Data on the Data Controller’s behalf in accordance with the instructions of the Data Controller provided through the use of the Services and as set out in Appendix 1 of this Processing Agreement. The details of the Processing of Personal Data are specified in DPA Appendix 1.
3.2. The Data Processor shall:
a. comply with all Applicable Data Protection Laws in the Processing of Personal Data on behalf of the Data Controller; and
b. not process Personal Data other than on the relevant Data Controller’s documented instructions.
3.3. The Data Controller instructs the Processor to process the Personal Data of consenting Data Subjects on their behalf.
3.4. The Data Controller shall ensure that the Data Processor may lawfully Process the Personal Data on the Data Controller’s behalf in accordance with this Processing Agreement for the performance of the Terms.
3.5. The Data Controller shall ensure that all Data Subjects shall have provided valid consent before the use of the Services by the Data Controller and/or the Data Subjects and have been informed.
3.6. The Data Controller’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. If the Data Processor believes that any instruction of the Data Controller infringes Applicable Data Protection Laws, it shall inform the Data Controller in writing without delay in a manner prescribed under the Terms.
3.7. The Data Processor shall be entitled to suspend performance on such instruction until the Data Controller confirms or modifies such instruction. The Data Processor is not required to actively investigate whether instructions from the Data Controller are compliant with the Applicable Data Protection Laws.
3.8. The Data Processor may be legally required under Applicable Laws to disclose Personal Data that it Processes to third parties such as statutory authorities. In this regard, the Data Controller shall be informed by the Data Processor as permitted by Applicable Laws and statutory orders.
4. Processor Personnel
4.1. The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent and/or contractor of any Sub Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of this Processing Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Data Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1. Taking into account the state of the art, the reasonable costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the Personal Data maintain and implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures in accordance with Applicable Data Protection Laws.
5.2. The Data Controller shall not materially decrease the overall security during the tenure of this Processing Agreement.
6.1. The Data Processor may use Sub Processors to provide certain parts of the Services on Data Controller’s behalf. The Data Controller hereby gives a general written authorisation to the Data Processor to engage any Sub Processor for the Processing of Personal Data as specified in Annexure 2.
6.2. The Data Processor may only engage a Sub Processor if it has imposed, in writing, the necessary responsibilities and obligations on the Sub Processor as required by article 28 GDPR. The Data Processor may remove or appoint other suitable and reliable Sub Processors at its own discretion in accordance with this article.
6.3. The Data Processor will give at least 30 Business Days prior notice of any changes to the list of Sub Processors to the Data Controller. The Data Controller may object to a Sub Processor. If the Data Controller does not object to the inclusion of a Sub Processor within this timeframe, the Data Controller shall have deemed to have accepted the inclusion of the respective Sub Processor. Where the Sub Processor fails to fulfil its data protection obligations, the Data Processor shall remain similarly liable to Subscriber for the performance of its obligations under this Processing Agreement.
6.4. The Data Processor shall reasonably ensure that the Sub Processor has implemented appropriate technical and organisational measures in accordance with the Applicable Data Protection Laws.
7. Data Subject Rights
7.1. The User shall inform the Data Subjects that it is the Data Controller and how Data Subjects may contact the User with requests. The Company shall not be that contact point.
7.2. The Company shall make reasonable efforts, to immediately notify the User, if it receives a request from a Data Subject for access to, inspection, data portability, correction, rectification and/or deletion of Personal Data. The Company shall not respond to any such requests of Data Subjects without the Data Controller’s prior written consent.
7.3. The Data Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller obligations, as reasonably understood by Data Controller, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.
7.4. The Company shall provide such cooperation and assistance only on the User’s Support request and only in so far as the User cannot meet their obligations under Applicable Data Protection Laws without the Company’s cooperation and assistance.
8. Personal Data Breach
8.1. The Data Processor shall to the extent permitted by Applicable Laws, notify the Data Controller without undue delay upon the Data Processor becoming aware of a Personal Data Breach affecting the Personal Data processed on behalf of the Data Controller, providing Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
8.2. Such notification as specified under Clause 8.1 shall include at least:
a. a description of the nature of the Personal Data Breach, including to the extent possible, information that assists the Data Controller in determining the categories of and approximate number of Data Subjects concerned, categories and approximate number of Personal Data records concerned;
b. information available to the Data Processor that assists the Data Controller in determining the likely consequences of the Security Breach; and
c. a description of the measures taken or proposed to be taken by the Data Processor to address the security breach, including, where appropriate, measures to mitigate its possible adverse effects.
9. Information and Audit
9.1. If the Data Controller reasonably concludes that an audit or inspection of technical and organisational measures at the Data Processor’s premises is necessary to monitor the compliance with this Processing Agreement for an individual case, then the Data Controller shall have the right to carry out such an audit or inspection provided such audit or inspection will be conducted:
a. during regular business hours during Business Days;
b. without interfering with the Company’s business operations;
c. upon prior written notice containing valid reasons for the audit or inspection, of at least 30 Business Days in advance in accordance with the Terms and further consultation with the Data Controller;
d. subject to the execution of a confidentiality undertaking;
e. at most once a calendar year; and
f. the Data Controller shall bear its own expenses and compensate the Data Controller for the cost and/or losses with regard arising out the audit or inspection.
9.2. Such audit or inspection shall be carried out by the Data Controller, or an inspection authority composed of independent persons in possession of the required professional qualifications, selected by the Data Controller. For the sake of clarity, the independent auditors shall have to enter into a tripartite confidentiality agreement with the Data Controller and Data Processor.
9.3. The Data Controller agrees that it will cooperate, together with the Data Processor, with supervisory authorities and similarly the Data Processor shall also cooperate. The Data Processor will reasonably allow for and contribute to audits and inspections, conducted by supervisory authorities. The Data Controller shall notify the Data Processor immediately of any planned audits and inspections by Supervisory Authorities.
9.4. The Data Processor shall co-operate with the Data Controller and take reasonable commercial steps as directed by Data Controller to assist in the investigation, mitigation and/or remediation of each such Personal Data Breach, at the cost of the Data Controller. However, the Data Processor shall provide assistance only in so far as the Data Controller cannot meet its obligations under the Applicable Data Protection Laws without the Data Controller’s assistance.
The Data Controller shall furnish immediately after the verification, inspection or audit to the Data Processor a copy of the report of such audit without any additional cost and/or set-off.
10.1. The Data Processor may only disclose the Personal Data to any other relevant third party for the purpose of:
a. complying with Data Controller’s reasonable and lawful instructions;
b. as required in connection with the Services, to fulfil the legitimate obligations under the Terms and/or this Processing Agreement; and/or
c. as required to comply with Applicable Data Protection Laws, or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which The Data Processor is subject, provided that the Data Processor will (to the extent permitted by Applicable Law) inform the Data Controller in advance of any disclosure of Personal Data and will reasonably co-operate with Data Controller to limit the scope of such disclosure to what is legally required.
11. Deletion or Return of Personal Data
11.1. Upon termination of the Services and if requested by Data Controller in writing, the Data Processor shall as soon as reasonably practical, return and/or delete the Personal Data, provided that the Data Processor may:
a. retain one copy of the Personal Data as necessary to comply with any legal, regulatory, judicial, audit or internal compliance requirements; and/or
b. defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from the Data Processor’s systems;
c. for such retention and/or deferral periods as referred to in Clauses 11.1(a) and/or or 11.1(b) of this clause, the provisions of this Processing Agreement shall continue to apply to such Personal Data; and
d. the Data Processor reserves the right to charge Data Controller for any reasonable costs and expenses incurred by the Data Processor in storage, transfer and/or deletion of the Personal Data pursuant to this clause.
12.1. The Data Processor shall maintain the requisite record of Processing activities in regard to the provision of the Services as required under Applicable Data Protection Laws.
13. Data Transfer
13.1. The Data Processor shall not transfer or authorize the transfer of Personal Data to Third Countries, without the prior written consent of the Data Controller. However, if the Services are accessed by any person on behalf of the User by any means, the User shall be solely liable for any consequences, including costs, cause of action, damages, losses.
13.2. If Personal Data processed under this Processing Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on European Union approved Standard Contractual Clauses for the transfer of Personal Data.
13.3. The Data Controller agrees that in case no appropriate adequacy decision or any other appropriate data transfer mechanism applies for transfer of Personal Data to a Third Country and such transfer requires such a decision or mechanism under Data Protection Law, the Data Processor shall enter into Standard Contractual Clauses.
13.4. The User hereby expressly authorizes the Company to enter into Standard Contractual Clauses, on its behalf as far as necessary, and commissions the Company to enforce these Standard Contractual Clauses on the User’s behalf where appropriate and at the cost of the User.
13.5. Nothing in this Processing Agreement shall be construed to prevail over any conflicting clause of any Standard Contractual Clauses that have been entered into by the Company including Standard Contractual Clauses entered into on behalf of the User.
14. Limitation of Liability
14.1. The liability of the Data Controller is limited in accordance with the Terms, arising out of:
a. and/or anyway relating to the use of the Services by the Data Controller and/or Data Subject;
b. the accuracy, veracity, correctness, authenticity, legality and/or validity of any Personal Data;
c. a Personal Data Breach caused by any act and/or omission of the Data Controller; and/or
d. Personal Data Breach caused by any act and/or omission by a Sub-Processor.
15.1. The Data Controller shall indemnify and hold harmless the Data Processor in the manner as specified in the Terms arising out of and/or related to any contravention by the Data Controller and/or Data Subject, of any of the provisions of this Processing Agreement and/or violation of Applicable Law.
16. Notices and Communication
16.1. All notices and communications given under this Processing Agreement must be in writing and must be sent by e-mail to the address set out below:
17.1. If any court of law deems any clause of this Processing Agreement as unenforceable, then the other terms shall remain valid in full force. The invalid or unenforceable provision shall after mutual written consultation with a User – be replaced by the Company by a valid provision, which is as close as possible to the intended effect of the invalid or unenforceable provision.
18. Governing Law and Jurisdiction
18.1. The Processing Agreement shall be governed by and construed in accordance with the laws of the Netherlands.
18.2. Any disputes which may arise out of or in connection with this Processing Agreement shall be settled in the manner specified in the Terms.
Annexure 1 - Description of Processing
Scope and Roles
This Processing Agreements applies when Personal Data is processed by the Data Processor. In this context, the Company shall act as the data processor to the User who shall be the data controller with respect to Personal Data.
Nature and Purpose of the Processing
The User agrees to use the Services only for recruitment and/or talent acquisition purposes in the manner specified in the Terms. The Company shall on behalf of User, process Personal Data as part of the Services and pursuant to the Terms.
The Processing of Personal Data shall only relate to the following Data Subjects:
Categories of Personal Data
The Company shall on behalf of the User process the following categories of Personal Data relating to the Data Subjects:
a. Contact details, including name;
b. Video recordings of the face of the Candidates and/or Employees;
c. Audio recordings of the Candidates and/or Employees;
d. E-mail and/or written communications;
e. Correspondence details, including work address, e-mail address, telephone number;
f. Work history;
g. Job title;
h. Location data as identified through IP address;
i. Information regarding Candidates gathered through integrations between the Services and Third Party Services on request of the Subscriber or End-Users;
j. Notes about Candidates;
k. Any information provided by the Candidates during the use of the Services on behalf of the Data Controller;
l. Ratings of Candidates on the Reports;
m. Login information, including identification and password;
o. IP address;
p. HTTP requests and responses;
q. Date and time of usage;
r. Traffic source;
s. Text based submissions containing personal data; and/or
t. Other Personal Data relating to Candidates that is processed as part of the Services. For the sake of clarity, Personal Data that relates to Candidates and simultaneously to other Data Subjects will be considered to be processed on behalf of the Subscriber (for instance, an email from a user to a Candidate).
The Data Processor shall only process the aforementioned Personal Data insofar as it falls under the Services and is necessary for the use of the relevant Functions, except when Personal Data has been anonymized and is used to improve the Services in accordance with the Terms.
The User may provide the Company with additional instructions regarding the processing of Personal Data through their use of and within the limits of the Services. For example, a User may choose in the Service Portal to delete Personal Data relating to a Candidate.
Data Controller Controls
The Services includes Functions which provide the Data Controller with a number of controls, including security features, that the Data Controller may use to retrieve, correct, delete or restrict Personal Data and the Reports.
The Data Controller may use these controls as technical and organizational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from Data Subjects.
Details of Data Processing
The Data Processor will retain and process the Personal Data for as long as the Data Processor has an ongoing legitimate business need to do so, and in accordance with the provisions of this Processing Agreement and the Terms.
Personal Data collected from Data Subjects shall be archived within 12 months of collection and prepared for deletion and anonymization.
Personal Data may be deleted or anonymized per the Data Controller’s instruction or the individual owning the Personal Data at any time.
The Data Processor assists the Data Controller gain a competitive advantage in the modern talent marketplace by providing assessment of the Personal Data of the Data Subjects for the purpose of making a decision in regard to the hiring of a Candidate.
The Data Controller can use the Services to learn more about their Candidates and/or Employees through the Features including the, video-based analysis of the Personal Data. The analysis involves the use of validated experimental cognitive psychology, computer vision science and artificial intelligence to retrieve information for personal insights and development, learning and coaching purposes, and to augment the User’s decision-making in the hiring process.
The Data Processor may also collect other Personal Data from the Candidate on behalf of the Data Controller by means of the assessment and processes that information to provide the Services. The Data Processor shall share the outcomes of the assessment both with the Data Controller and the Candidates.
Nature of the processing
The Services as described in the Terms and as initiated by Data Controller from time to time.
The Parties agree that this Processing Agreement and the Terms (including the provision of instructions and/or commands via the Service Portal and Functions made available by the Company for the Services) shall constitute the Data Controller’s documented instructions regarding the Company’s processing of Customer Data. Therefore, the Data Processor shall process the Personal Data only in accordance with such Data Controller’s instructions.
For any additional instructions outside the scope of the controller’s Instructions (if any), except as permitted under the Terms and this Processing Agreement, requires prior written agreement between the Parties, including agreement on any additional fees payable by the User to the Company for carrying out such instructions.
Technical and Organisational Measures
The following is a non-exhaustive list of technical and organisational security measures taken and implemented by the Company:
a. The Data Processor has processes in place for quality assurance of the Services. Such processes include automated testing and pre-deployment manual testing of features and bug fixes.
b. All new code for the Services and/or Features is reviewed by at least one senior developer before it’s released to a production environment. The review includes a check for the use of secure coding practices.
c. Encryption is used for all transfer of Personal Data by the Service over the internet.
d. All passwords for the Services are stored using an industry standard hashing algorithm.
e. A specialized Third Party penetration tester will regularly test the security of the Services provided under the Terms.
f. All Personal Data in the Service is backed up regularly.
g. Employees of the Data Processor receive access rights to Personal Data in the Service only on a need-to-know basis. Access rights are revoked subsequently.
h. The Service shall only be hosted in Third Party data centers that have a high level of security and availability, such as ISO 27001 certified data centers.
i. The Data Processor will have reasonable measures in place for the Service to protect its servers from DDOS attacks.
j. The infrastructure for the provision of the Service shall be protected by one or more firewalls.