
Data Processing Agreement

Terms

These terms of Personal Data processing constitute an Agreement between a Legal Entity, PEOPLEFORCE LTD, incorporated and operating under the laws of England and Wales, company number 12537808, with its registered office at 10 John Street, London, WC1N 2EB, United Kingdom (that processes Personal Data on behalf of a Data Controller) (hereinafter referred to as the “Processor”) and the party that has concluded Terms of Services with the Processor (that determines the purposes and means of the processing) (hereinafter referred to as the “Data Controller”), hereinafter jointly referred to as the Parties.

This Data Processing Agreement lays out technical requirements for the Data Controller and the Processor to follow when processing data. This includes setting terms for how data is stored, protected, processed, accessed, and used.

Whereas

  (A) The Processor, as Service Provider, makes the PeopleForce platform available to the Data Controller, in accordance with the Terms of Service Agreement for the use of the PeopleForce platform (hereinafter referred to as the “Principal Agreement”) signed by the Parties.
  (B) When using the Services of the Processor, the Data Controller will have to upload personal data to the systems of the Processor, regarding which the Data Controller acts as a Data Controller and the Data Processor acts as Data Processor.
  (C) Data Protection Legislation means: General Data Protection Regulation (GDPR); UK GDPR;
  (D) The Parties seek to implement a data processing agreement that complies with Data Protection Legislation;
  (E) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and interpretation

  1. Unless otherwise defined herein, terms and expressions with capitalized first letters used in this Agreement shall have the following meaning:

a. “DPA” means this Data Processing Agreement and all schedules (if any);

b. “Data Controller Personal Data” means Personal Data Processed by Data Processor on behalf of Data Controller pursuant to or in connection with the Service Agreement and this Agreement, indicated in Annex 1 to this DPA;

c. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

d. “Data Protection Laws” means the GDPR and, to the extent applicable, the data protection or privacy laws of any country, in particular the British Data Protection Act of 2018;

e. “EEA” means the European Economic Area;

f. “GDPR” means EU General Data Protection Regulation 2016/679;

g. “Data Transfer” means:

- a transfer of Data Controller Personal Data from the Data Controller to the Data Processor; or

- an onward transfer of Data Controller Personal Data to a Subprocessor, or between two Subprocessors;

h. “Principal Agreement” means the Terms of Services referred to in point (A) above;

i. “Services” means the services provided by the Data Processor to the Data Controller in accordance with the Principal Agreement;

j. “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with this DPA;

k. Other terms, including without limitation: “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning ascribed to them in the GDPR, and their cognate terms shall be construed accordingly.

2. Subject of the DPA and the scope, purpose and nature of the processing of personal data

  1. Based on art. 28 section 3 GDPR the Data Controller entrusts the Processor with Personal Data for processing and the Processor undertakes to process them in accordance with the DPA. 
  2. The purpose of processing Personal Data is the performance of the Principal Agreement, in particular the provision of Services such as collection, recording, organisation, structuring, storage, retrieval, combination and erasure of Personal Data within the PeopleForce Platform of the Processor.
  3. Personal data will be processed by the Processor in electronic form in the IT systems. The Parties declare that, in order to perform their obligations under the Principal Agreement, they shall provide each other with personal data only to the extent necessary for that purpose, i.e:

    a. personal data of each Party's representatives such as: name, surname and position,
    b. personal data of Data Controller's employees participating in the execution of the Agreement such as: name, surname, position, email address and business telephone number.
  4. Each Party shall process the data of the persons referred to in the Principal Agreement for the purpose of performing and settling the Principal Agreement and for the purposes arising from legitimate interests involving the establishment, assertion or defence of legal claims arising out of or in connection with the Principal Agreement.
  5. For the avoidance of any doubt, the Parties confirm that when Personal Data is shared with the other Party, the other Party becomes a separate data controller of that Personal Data within the meaning of Article 4(7) of the GDPR, i.e. it processes the data for its own purposes and independently decides on the means of processing.
  6. The Processor undertakes to fulfil, on behalf of the Data Controller, the information obligation with respect to the persons indicated by it, referred to in the DPA above, including informing them of the provision of their data to the Data Controller to the extent and for the purposes described above, in particular indicating the information required under Articles 13 and 14 of the GDPR.

3. Principles for the processing of personal data

  1. The Processor may process Personal Data only to the extent and for the purpose provided for in the DPA and the Principal Agreement. The Data Controller instructs the Processor to process Personal Data for the specific purpose of providing the Services. Since, when using the Processor's Services, the Data Controller independently uploads Personal Data to the Processor's systems, in relation to which the Service Provider acts as the Data Processor, the parties have agreed in particular on certain limitations of the Data Processor's liability, namely:

    a. The Data Controller transfers its Personal Data, and the Processor collects Personal Data of the Data Controller as a data subject solely for the purpose of providing access to the Platform (its modules), in particular, such data as the full name of the user or the full name of the company, registration data, e-mail address, other data necessary for registration;
    b. After providing the Data Controller with access to the Platform, the Data Controller independently and at its own discretion collects and uploads Personal Data of its employees, recruiters and third parties to the systems of the Processor; therefore, the Processor does not collect such Personal Data, but only stores it, and is consequently not responsible for its reliability, accuracy, legality, the lawfulness of its collection, etc.;
    c. The Data Controller is solely responsible to the Data Subjects whose data the Data Controller independently collects and uploads to the data processor's systems, including Personal Data obtained from systems that integrate with the Platform, namely for their legality, accuracy, reliability, legal way of collecting them, etc.
    d. It is stipulated, that while the PeopleForce platform modules provide functionality for users to add extra fields and input any data into these fields, the Data Processor does not facilitate the input or storage of sensitive data by platform users. This includes, but is not limited to, personal information concerning children, health-related data and medical records, users' banking details, etc.
    If the Data Controller (or any data subject) uploads such data, the Data Processor shall not be responsible for the lawfulness of the collection and uploading of such data to the Data Processor's system.
  2. When processing personal data, the Processor undertakes to comply with the provisions on the protection of personal data, in particular the GDPR.
  3. If the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences, the Processor shall apply specific restrictions and/or additional safeguards.
  4. The processor declares that it has the resources, experience, expertise and qualified staff that enable it to properly perform the DPA and implement appropriate technical and organizational measures to ensure that the processing meets the requirements of the provisions of law.
  5. The Processor declares that it has taken effective technical and organizational measures to protect Personal Data against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of the law and damage, destruction, loss or unlawful modification. The processor declares that the means used by it remain in accordance with the provisions of the GDPR regarding the security of processing, including art. 32.
  6. The Processor undertakes to keep the Personal Data confidential and to introduce measures to secure it, including also the period after termination of the DPA, and undertakes to ensure that its employees and other persons authorized to process entrusted Personal Data, undertake to keep the Personal Data and their security measures secret, including after termination of the DPA.
  7. The Processor undertakes, taking into account the nature of the processing and the information available to him, to help the Data Controller in fulfilling the obligations set out in art. 32-36 GDPR; in particular, the Processor undertakes to provide the Data Controller with sufficient information and to perform its instructions regarding the means of securing entrusted Personal Data, breaches of Personal Data being the subject of the DPA and notifying the supervisory authority or persons to whom the personal data relate, to assist in carrying out data protection impact assessments and in prior consultation with the supervisory authority and implementation of the authority's recommendations.
  8. The Processor undertakes to provide the Data Controller immediately with information about a breach of Personal Data entrusted to the Processor including information necessary for the Data Controller to report the breach to the supervisory authority referred to in art. 33 item 3 GDPR.
  9. The Processor undertakes to assist the Data Controller, as far as possible, by appropriate technical and organizational measures and on the basis of separate arrangements, in fulfilling the obligation to respond to the requests of data subjects in the exercise of their rights set out in Chapter III of the GDPR.
  10. The Processor undertakes to immediately inform the Data Controller if, in the opinion of the Processor, the instructions issued to it constitute a violation of the GDPR or other provisions of law on data protection.
  11. The Processor undertakes to notify the Data Controller immediately about:

a. the initiation of an audit by the supervisory authority dealing with the protection of Personal Data in connection with entrusting the Processor with the processing of Personal Data, as well as any administrative decisions issued with respect to the Processor in connection with the above;

b. initiated or pending administrative, court or preparatory proceedings related to entrusting the Processor with Personal Data processing, as well as to any decisions, orders or judgments issued against the Processor in connection with the above;

c. any incidents concerning the Personal Data entrusted for processing by the Processor, including accidental or unauthorized access to the entrusted Personal Data, and cases of change, loss, damage or destruction of the entrusted Personal Data.

4. Processor personnel

  1. The Processor shall take the necessary steps to ensure the reliability of any employee, agent or contractor of the Processor or any Subprocessor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. 
  2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. Data subject rights

  1. Taking into account the nature of the Processing, the Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the obligations of the Data Controller, as reasonably understood by the Data Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
  2. The Processor shall:

a. promptly (but in no case later than within 3 days of receiving such request) notify Data Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Personal Data; and

b. ensure that it does not respond to that request except on the documented instructions of the Data Controller or as required by applicable Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by applicable laws, inform the Data Controller of that legal requirement before sending a response to the request.

7. Data controller’s duties

  1. The Data Controller from the moment of obtaining Personal Data undertakes to perform the obligations imposed on him by the relevant provisions of law, including the GDPR.
  2. The Data Controller undertakes in particular to obtain on its own an appropriate legal basis for the processing of Personal Data provided to the Processor.

8. Processor’s duties

  1. Where the Processor acts on behalf of the Data Controller, the Processor is obliged to fulfill duties imposed on the Data Controller by the GDPR, including, but not limited to:
    a. providing the data subject with information about the processing of personal data in accordance with art. 13 and 14 of the GDPR;
    b. conclusion of agreements for the performance of which it is necessary to process personal data.
  2. In addition to the Processor’s obligation to assist the Data Controller pursuant to subsections above, the Data Processor shall furthermore assist the Data Controller in ensuring compliance with the following obligations, taking into account the nature of the data Processing and the information available to the Processor:
    a. the obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons;
    b. the obligation to consult the competent Supervisory Authority/ies prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk;
    c. the obligation to ensure that personal data is accurate and up to date, by informing the Data Controller without delay if the Processor becomes aware that the personal data it is Processing is inaccurate or has become outdated.
  3. The Processor should be able to demonstrate compliance with the obligations that are set out in this point at the Data Controller’s request.

9. Subprocessing

  1. The Processor is entitled to further entrust the processing of Personal Data to other Subprocessors, to the extent that it is necessary for the provision of services in accordance with the Principal Agreement. This consent includes the entities about the involvement of which the Processor will notify the Data Controller (in a written or electronic form), and to which the Data Controller will not object within 7 days of receiving the notification (in a written or electronic form).
  2. In the event of an objection, the Processor will endeavor to change the involvement of the further entity in accordance with the objection raised. The Data Controller should not object to the appointment of a Subprocessor if the processing of Personal Data with the help of the indicated Subprocessor will be possible without violating the law or will cause a significant risk to the rights or freedoms of the persons whose data is to be entrusted for processing.
  3. The Processor will ensure that an appropriate data sharing agreement or other instrument is executed with each Subprocessor and that such agreement or instrument includes appropriate measures to protect Personal Data at a level not less stringent than that resulting from this DPA.
  4. The Processor may transfer the Personal Data entrusted to it for processing to entities located in countries outside the European Economic Area. The Processor will ensure that, each time a European Commission decision stating an adequate level of protection has not been issued for such a state, an appropriate mechanism is applied to allow for the lawful transfer of data, together with appropriate Security Measures, if required.

10. Personal data breach

  1. The Processor shall notify the Data Controller without undue delay (but in no case later than within 72 hours of the occurrence of such Personal Data Breach) upon Processor becoming aware of a Personal Data Breach affecting Personal Data, providing Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects and Supervisory Authority/ies of the Personal Data Breach under the Data Protection Laws.
  2. In the event of a Personal Data Breach concerning Personal Data and upon specific written request of the Data Controller, the Processor shall assist the Data Controller:
    a. in notifying the personal data breach to the competent Supervisory Authority/ies, without undue delay after the Data Controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
    b. in obtaining the following information which, pursuant to Article 33(3) GDPR, shall be stated in the notification, and must at least include:

    i. the nature of the Personal Data including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
    ii. the likely consequences of the Personal Data Breach;
    iii. the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

    Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  3. The Processor shall co-operate with the Data Controller and take all necessary steps as directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

11. Data protection impact assessment, prior consultation and audit rights

  1. The Processor shall provide assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authority/ies or other competent data privacy authorities, which the Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or similar provisions of any Data Protection Law, in relation to Processing of Personal Data by Processor, and taking into account the nature of the Processing and information available to the Processor and Subprocessors.
  2. The Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and/or stem directly from the GDPR or other applicable Data Protection Legislation. At the Data Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Data Controller may take into account relevant certifications held by the Processor.
  3. The Data Controller, or an external auditor authorised by it, has the right to check the Processor's compliance with the rules for the processing of Personal Data referred to in the DPA and in applicable laws, in particular by requesting information on the processing of Personal Data by the Processor necessary to demonstrate compliance with the specific obligations in art. 28 GDPR and on the technical and organizational measures used to ensure that the processing is carried out in accordance with the law, or by inspecting the Processor, after prior arrangement by the Parties 10 days before the planned inspection. The Processor will perform the necessary actions to enable the Data Controller to exercise this right.
  4. The Data Controller may make the information referred to in this section, including the results of any audits, available to the competent Supervisory Authority/ies on request.

12. Data transfer

  1. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. Each time a European Commission decision stating an adequate level of protection has not been issued for such a state, an appropriate mechanism is applied to allow for the lawful transfer of data, together with appropriate Security Measures, if required. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

13. Confidentiality

  1. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA and any Personal Data received from the other Party (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
    a. disclosure is required by law;
    b. the relevant information is already in the public domain (unless it is in the public domain as a result of a breach of confidentiality obligation).

14. Duration of the agreement

  1. The DPA is concluded for the duration of the Principal Agreement between the Parties.
  2. The processing of personal data under the DPA will take place for the period necessary for the performance of the services to the Data Controller, but no longer than until the termination of the DPA or the Principal Agreement. The termination of any of the agreements mentioned in the preceding sentence shall result in the automatic termination of both agreements.

15. Non-compliance with the clauses and termination

  1. Without prejudice to any provisions of the GDPR, in the event that the Processor is in breach of its obligations under this DPA or applicable Data Protection Laws, the Data Controller may instruct the Processor to suspend the Processing of Personal Data until the latter complies with this DPA and the Data Protection Laws or this DPA is terminated. The Processor shall promptly inform the Data Controller in case it is unable to comply with this DPA or Data Protection Laws, for whatever reason.
  2. The Data Controller shall be entitled to terminate this DPA (and the Principal Agreement) without notice if:
    a. the Processing of Personal Data by the Processor has been suspended by the Data Controller and compliance with this DPA and the Data Protection Laws is not restored within a reasonable time and in any event no later than within 14 days following suspension;
    b. the Processor is in material or persistent breach of this DPA or its obligations under GDPR;
    c. the Processor fails to comply with a binding decision of a competent court or the competent Supervisory Authority regarding its obligations pursuant to this DPA and/or GDPR and/or other Data Protection Laws.
    The reasons for termination above shall not be construed as limitation to any right to terminate the Principal Agreement as laid down therein.
  3. The Processor shall be entitled to terminate this DPA if, after having informed the Data Controller that its instructions infringe applicable legal requirements, the Data Controller insists on compliance with the instructions.

16. Deletion or return of personal data

  1. The Processor shall promptly after the cessation of any Services involving the Processing of Data Controller Personal Data (including without limitation the deletion of the account of the Data Controller, in accordance with the Principal Agreement or the termination of this Agreement), at the choice of the Data Controller, delete all Personal Data processed on behalf of the Data Controller and certify to the Data Controller that it has done so, or return all the Personal Data to the Data Controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the Data Processor shall continue to ensure compliance with this Agreement.

17. Miscellaneous provisions

  1. The Parties agree that the liability of the Processor to the Data Controller shall arise as a result of a proven direct or indirect breach or failure to comply with any obligation specified in this DPA related to data protection (including, without limitation, the provisions of this DPA or the GDPR) by the Processor.
  2. The Parties agree that the Processor is not responsible for the actions of the Data Controller, namely for the collection by the Data Controller and uploading to the Processor's systems, Personal Data of employees, recruiters, any third parties of the Data Controller, including Personal Data that the Data Controller collects from systems that integrate with the Processor's Platform.
  3. All notices and communications provided under this DPA must be in writing and will be sent by email to the address contact@peopleforce.io or to our DPO at security@peopleforce.io.
  4. This DPA shall be read and interpreted in the light of the provisions of the GDPR. This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the Data Subjects.

Last updated on: 29th February 2024