These terms of Personal Data processing an Agreement between a Legal Entity, PEOPLEFORCE LTD, incorporated and operating under the laws of England and Wales, company number 12537808, with its registered office at 10 John Street, London, WC1N 2EB, United Kingdom (that processes Personal Data on behalf of a Data Controller) (hereinafter referred to as the “Data Processor”) and any person or entity (that determines the purposes and means of the processing) (hereinafter referred to as the “Data Controller”) and hereinafter jointly referred to as the Parties.
This Data Processing Agreement lays out requirements for the Data Controller and Data Processor to follow when processing data. This includes setting terms for how data is stored, protected, processed, accessed, and used.
- The Data Processor, as Service Provider makes the PeopleForce Virtual Platform available to the Data Controller, in accordance with the Terms of Service Agreement for the use of the PeopleForce Virtual Platform (hereinafter referred to as the “Service Agreement”) signed by the Parties.
- When using the Services of the Data Processor, the Data Controller will have to upload personal data to the systems of the Data Processor, regarding which the Data Controller acts as a Data Controller and the Data Processor acts as Data Processor.
- Data Protection Legislation, means all applicable legislation in force in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder), and the Privacy and Electronic Communications Regulations 2003 as amended;
- The Parties seek to implement a data processing agreement that complies with Data Protection Legislation;
- The Parties wish to lay down their rights and obligations.
It is agreed as follows:
Definitions and interpretation
- Unless otherwise defined herein, terms and expressions with capitalized first letters used in this Agreement shall have the following meaning:
- “Agreement” means this Data Processing Agreement and all schedules (if any);
- “Data Controller Personal Data” means any Personal Data Processed by Data Processor on behalf of the Data Controller pursuant to or in connection with the Service Agreement and this Agreement;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Contracted Processor” means a Subprocessor;
- “Data Protection Laws” means GDPR and, to the extent applicable, the data protection or privacy laws of any country;
- “EEA” means the European Economic Area;
- “GDPR” means EU General Data Protection Regulation 2016/679, the UK GDPR;
- “Data Transfer” means:
-a transfer of Data Controller Personal Data from the Data Controller to the Data Processor; or
-an onward transfer of Data Controller Personal Data to a Contracted Processor, or between two Contracted Processors;
- “Principal Agreement” means the agreement between the Parties referred to in point (A) above;
- “Services” means the services provided by the Data Processor to the Data Controller in accordance with the Principal Agreement;
- “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with this Agreement.
- Other terms, including without limitation: “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning ascribed to them in the GDPR, and their cognate terms shall be construed accordingly.
Processing of data controller personal data
2. The Data Processor shall:
- comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and
- not Process Data Controller Personal Data other than on the Data Controller’s documented instructions.
3. If the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences, the Data Processor shall apply specific restrictions and/or additional safeguards.
4. The Data Controller instructs the Data Processor to process Data Controller Personal Data for the specific purpose of providing the Services.
5. Since, when using the Data Processor's Services, the Data Controller independently uploads Personal Data to the Data Processor's systems, in relation to which the Service Provider acts as the Data Processor, the parties have agreed in particular on certain limitations of the Data Processor's liability, namely:
- The Data Controller transfers its Personal Data, and the Data Processor collects the Personal Data of the Data Controller as a data subject solely for the purpose of providing access to the Platform (its modules), in particular, such data as the full name of the user or the full name of the company, registration data, e-mail address, other data necessary for registration;
- After providing the Data Controller with access to the Platform, the Data Controller independently and at its own discretion collects and uploads Personal Data of its employees, recruiters, third parties to the systems of the Data Processor; Therefore, the Data Processor does not collect such Personal Data, but only stores them, and therefore is not responsible for their reliability, accuracy, legality, legal means of collecting them, etc;
- The Data Controller is solely responsible to the Data Subjects whose data the Data Controller independently collects and uploads to the data processor's systems, including Personal Data obtained from systems that integrate with the Platform, namely for their legality, accuracy, reliability, legal way of collecting them, etc.
Subprocessing and processor personnel
6. The Data Processor has the Data Controller's general authorization to engage Subprocessors (also referred to herein as Contract Processors). The Controller has the right to request a list of the Subprocessors engaged by the Data Processor, thereby enabling the Controller to object to the engagement of the relevant Subprocessor(s).
7. Data Controller Personal Data may only be transferred to Contracted Processors if the Data Processor and the Contracted Processor sign a data processing agreement with terms identical to this Agreement. At the Controller's reasonable request, the Data Processor may provide the Controller with a copy of such agreement with the Subprocessor and any subsequent amendments thereto. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact parts of the text of the agreement before providing a copy (unless such redaction would make the copy provided to the Controller misleading or incomplete or not fully understandable).
8. Data Processor shall take the necessary steps to ensure the reliability of any employee, agent or contractor of the Data Processor or any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Data Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
9. The Data Processor shall be fully liable to the Controller for the performance of the Contract Processor's obligations under its contract with the Data Processor. The Data Processor shall notify the Controller of any failure of the Contract Processor to fulfil its contractual obligations.
10. The data processing agreement of the Data Processor and the Contracted Processor (mentioned in subsection 7 above) shall include a third-party beneficiary clause based on which - in the event the Data Processor has factually disappeared, ceased to exist in law or has become insolvent - the Data Controller shall have the right to terminate the Contracted Processor’s contract and to instruct the Contracted Processor to erase or return the Data Controller Personal Data.
11. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
12. In assessing the appropriate level of security, the Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Data subject rights
13. Taking into account the nature of the Processing, Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the obligations of the Data Controller, as reasonably understood by Data Controller, to respond to requests to exercise Data 14. Subject rights under the Data Protection Laws.
14. The Data Processor shall:
- promptly (but in no case later than within 48 hours of receiving such request) notify the Data Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Data Controller or as required by applicable Data Protection Laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by applicable laws inform Data Controller of that legal requirement before the sending a response to the request.
15. In addition to the Data Processor’s obligation to assist the Data Controller pursuant to subsections above, the Data Processor shall furthermore assist the Data Controller in ensuring compliance with the following obligations, taking into account the nature of the data Processing and the information available to the Data Processor:
- the obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to consult the competent Supervisory Authority/ies prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk;
- the obligation to ensure that personal data is accurate and up to date, by informing the Data Controller without delay if the Data Processor becomes aware that the personal data it is Processing is inaccurate or has become outdated.
Personal data breach
16. he Data Processor shall notify the Data Controller without undue delay (but in no case later than within 24 hours of the occurrence of such Personal Data Breach) upon Processor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects and Supervisory Authority/ies of the Personal Data Breach under the Data Protection Laws.
17. In the event of a Personal Data Breach concerning Data Controller Personal Data, the Data Processor shall assist the Data Controller:
- (upon specific written request of the Data Controller) in notifying the personal data breach to the competent Supervisory Authority/ies, without undue delay after the Data Controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
- in obtaining the following information which, pursuant to Article 33(3) GDPR, shall be stated in the notification, and must at least include:
- the nature of the Personal Data including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
18. The Data Processor shall co-operate with the Data Controller and take all necessary steps as directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data protection impact assessment, prior consultation and audit rights
19. The Data Processor shall provide assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authority/ies or other competent data privacy authorities, which the Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or similar provisions of any Data Protection Law, in relation to Processing of Data Controller Personal Data by the Data Processor, and taking into account the nature of the Processing and information available to the Data Processor and Contracted Processors.
20. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations that are set out in this Agreement and/or stem directly from the GDPR or other applicable Data Protection Laws. At the Data Controller’s request, the Data Processor shall also permit and contribute to audits of the processing activities covered by this Agreement, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Data Controller may take into account relevant certifications held by the Data Processor.
21. The Data Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
22. The Data Controller may make the information referred to in this section, including the results of any audits, available to the competent Supervisory Authority/ies on request.
23. Subject to this section, the Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement and applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.
Deletion or return of Data Controller Personal Data
24. The Data Processor shall immediately and in any case no more than three (3) calendar days upon written request of the Controller or no more than ninety (90) calendar days from the date of termination of any Services related to the processing of the Controller's Personal Data, delete all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, or return all Personal Data to the Controller and delete existing copies, unless the law of the Union or a Member State requires the retention of personal data. Until the data is deleted or returned, the Processor shall continue to ensure compliance with this Agreement.
25. The Data Processor shall not transfer or authorize the transfer of Data Controller Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior separate written consent of the Data Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
26. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement and any Personal Data received from the other Party (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- disclosure is required by law;
- the relevant information is already in the public domain (unless it is in the public domain as a result of a breach of confidentiality obligation).
Non-compliance with the clauses and termination
27. Without prejudice to any provisions of the GDPR, in the event that the Data Processor is in breach of its obligations under this Agreement or applicable Data Protection Laws, the Data Controller may instruct the Data Processor to suspend the Processing of Data Controller Personal Data until the latter complies with this Agreement and the data Protection Laws or this Agreement is terminated. The Data Processor shall promptly inform the Data Controller in case it is unable to comply with this Agreement or Data Protection Laws, for whatever reason.
28. The Data Controller shall be entitled to terminate this Agreement (and the Principal Agreement) if without notice:
- the data Processing of Data Controller Personal Data by the Data Processor has been suspended by the Data Controller and the Data Protection Laws is not restored within a reasonable time and in any event no later than within 14 days following suspension;
- the Data Processor is in material or persistent breach of this Agreement or its obligations under GDPR;
- the Data Processor fails to comply with a binding decision of a competent court or the competent Supervisory Authority regarding its obligations pursuant to this Agreement and/or GDPR and/or other Data Protection Laws.
The reasons for termination above shall not be construed as limitation to any right to terminate the Principal Agreement as laid down therein.
29. The Data Processor shall be entitled to terminate this Agreement if, after having informed the Data Controller that its instructions infringe applicable legal requirements, the Data Controller insists on compliance with the instructions.
30. The Parties agree that the liability of the Data Processor to the Data Controller shall arise as a result of a proven direct or indirect breach or failure to comply with any obligation specified in this Agreement related to data protection (including, without limitation, the provisions of this Agreement or the GDPR) by the Data Processor.
31. The Parties agree that the Data Processor is not responsible for the actions of the Data Controller specified in clause 5, namely for the collection by the Data Controller and uploading to the Data Processor's systems, Personal Data of employees, recruiters, any third parties of the Data Controller, including Personal Data that the Data Controller collects from systems that integrate with the Data Processor's Platform.
32. All notices and communications provided under this Agreement must be in writing and will be sent by email to the address listed on the PeopleForce website.
33. This Agreement shall be read and interpreted in the light of the provisions of the GDPR. This Agreement shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the Data Subjects.
34. The Data Processor shall immediately inform the Data Controller if, in the Data Processor’s opinion, instructions given by the Data Controller infringe the GDPR or other applicable Data Protection Laws.
35. The Parties shall be able to demonstrate compliance with this Agreement.
36. The provisions of this Agreement shall be governed by and interpreted in accordance with English Law and the parties submit to the exclusive jurisdiction of the English Courts.