50skills Data Processing Agreement

Last updated: April 25th, 2023

This data processing agreement (the “Agreement”) is made and entered into by 50skills ehf., registration no. 490402-4110, Bjargargata 1, 102 Reykjavík, ICELAND (“Processor”) and Customer (“Controller”). Processor and Controller are hereinafter individually referred to as a “Party” and together as the “Parties”.

BACKGROUND AND PURPOSE OF PROCESSING

This contract acts as an addendum to a service agreement between the Processor and Controller where the Processor undertook to provide the controller with a Software as a Service to be used for hiring efforts.

In relation to the Services Processor may process information and data which can be considered personal data in the meaning of data protection legislation, i.e. the Act No. 90/2018 on the protection of privacy as regards the processing of personal data and Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“Data Protection Legislation”), on behalf of Controller.

Where Processor processes such personal data on behalf of Controller, the Processor is considered a data processor according to Data Protection Legislation and the Controller a data controller.

This Agreement constitutes a data processing agreement in the meaning of Data Protection Legislation. The purpose of this Agreement is to regulate the Parties’ rights and obligations in relation to Processor’s processing of personal data on behalf of Controller, particularly to ensure a secure processing of the personal data.

1. PROCESSING OF PERSONAL DATA AND CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

A detailed description of the processing operations, performed by Processor on behalf of Controller, including the purpose of the processing, the categories of personal data being processed (“Personal Data”) and the categories of the data subjects (“Data Subjects”), can be found in Annex 1 attached hereto.

2 PROCESSOR’S OBLIGATIONS

2.1 Processor is only permitted to process Personal Data on behalf of Controller in accordance with this Agreement or in accordance with Controller’s documented instructions. Processor shall however be authorized to process Personal Data without instructions from Controller if Processor is required to do so by mandatory law. In such events, Processor shall inform Controller of that legal requirement prior to the processing and give Controller an opportunity to object or challenge the requirement, unless the law prohibits such a notice.

2.2 Processor is not permitted to process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation.

2.3 Processor is prohibited from making any unauthorized changes to Controller’s computer system, including deletion or altering of data.

2.4 Processor shall ensure that his employees, and others who have access to the Personal Data, only process the data according to the instructions given by Controller.


2.5 Processor shall give Controller copy or access to the Personal Data processed by Processor on behalf of Controller upon request. Processor shall respond to such request without undue delay.

2.6 If Processor believes Controller’s instructions are not in line with the Data Protection Legislation Processor shall notify Controller immediately. However, Controller can still instruct Processor to continue the processing.


2.7 If Processor’s process of Personal Data interferes with the instructions given by Controller, Processor shall be fully responsible for that processing as if he were the controller of such processing.


3 CONTROLLER’S OBLIGATIONS


3.1 With this Agreement Controller warrants that he has the right to process the Personal Data in question and that he has the right to appoint Processor to process the data on Controller’s behalf.


3.2 Controller shall be responsible for notifying the processing activities to applicable data protection authority and/or acquiring a permit for the processing, where applicable.


4 CONFIDENTIALITY AND TRAINING OF EMPLOYEES


4.1 With this Agreement Processor warrants that he will keep all Personal Data he gets access to and/or knowledge about from Controller, confidential. Processor is prohibited from informing any third party about the processing without the consent of Controller.


4.2 Processor shall ensure that all employees, and others who may have access to the Personal Data, have committed themselves to confidentiality about everything they learn of while processing Personal Data on behalf of Controller.


4.3 The confidentiality shall continue to apply even after this Agreement has been terminated and survive any employee’s employment term.


4.4 Processor shall limit the access to the Personal Data to only those who need it for the purpose of their duties according to this Agreement.


4.5 Processor shall ensure that all employees, who have access to the data from Controller, have received appropriate training on the laws relating to the handling of Personal Data and are aware both of Processors’ duties, as well as their personal duties and obligations under Data Protection Legislation and this Agreement.


5 SECURITY MEASURES


5.1 Processor shall ensure that appropriate technical and organizational measures are implemented to ensure a level of security of the Personal Data processed on behalf of Controller. The measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of processing as well as the risk of carrying likelihood and varying for the rights and freedoms of natural persons.


5.2 In order to ensure appropriate technical measures cf. Article 5.1., Processor shall, as applicable: a) use pseudonymisation and encryption of Personal Data, b) be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, c) be able to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and d) implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.


5.3 Processor is responsible for the technical and organizational measures adopted at each time, to be appropriate and sufficient. In Annex 1 attached hereto the minimum standard of security measures by Processor are listed.


5.4 In assessing the appropriate level of security, account shall be taken to the risks that are presented by processing, in particular from accidental or unlawful destruction, against accidental loss or alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.


5.5 Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach and in no event later than within fourty-eight (48) hours. The notification shall include information or a description of the nature of the Personal Data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned. Processor shall also describe the likely consequences of the Personal Data breach and the measures taken or proposed to be taken to address the Personal Data breach. Processor will not inform any third party of any Personal Data breach without first obtaining Controller’s prior written consent, except where required to do so by law.


5.6 Processor shall take every necessary step to reduce the risk and harmful effects of Personal Data breach. This includes that Processor shall restore and/or rectify any Personal Data at its own costs.


5.7 If Controller decides to undertake a risk assessment in connection to certain processing activities, Processor shall assist Controller in accordance with the Data Protection Legislation.


5.8 Processor shall always inform Controller of where the Personal Data is stored. Processor may under no circumstances transfer the Personal Data outside the EEA unless instructed to do so by Controller.


6 INTERNAL AUDIT


6.1 Processor shall conduct an internal audit of the processing of Personal Data to make sure the data is processed in accordance with applicable law and that appropriate security measures have been implemented.


6.2 The internal audit shall be conducted regularly. The frequency and scope of the audit shall be decided depending on the risk involved by the processing, the nature of the data being processed, the technique being used to ensure the security of the data and the cost of the audit. The audit shall be performed at the least once a year.


6.3 Processor shall prepare a report on the performance of the internal audit and provide Controller with a copy of such a report, if requested. The report shall describe the outcome of each element of the audit. The reports shall be securely stored.


7 SUB-PROCESSORS


7.1 Processor shall not engage another processor (sub-processor) in the processing without prior specific or general written authorization of Controller.


7.2 If Processor hires another sub-processor, on the basis of Controller’s authorization, to carry out certain processing activities, Processor shall guarantee, that the same data protection obligations as set out in this Agreement and the Data Protection Legislation, are imposed on the sub-processor. Upon Controller’s request, Processor shall provide Controller with a copy of any data processing contracts with the sub-processor.


7.3 Processor shall always remain fully liable to Controller for the performance of the sub-processor’s obligations.


7.4 On Controller’s request, Processor shall audit a sub-processor’s compliance with its obligations regarding Controller’s Personal Data and provide Controller with the audit results.


8 DATA SUBJECT’S REQUESTS AND THIRD-PARTY RIGHTS


8.1 Processor shall assist Controller by appropriate technical and organizational measures, to the extent possible, to respond to requests for exercising the Data Subject’s rights in accordance with the Data Protection Legislation and other relevant rules on data protection, e.g. access to Personal Data, information on processing, rectification or erasure of data, right to object to processing, limitation of processing, destruction of data and portability of data. The same applies to any requests and enquiries by relevant supervisory authorities.


8.2 Processor shall refer any Data Subjects’ requests which relate to Controller’s data to Controller.


8.3 Processor may not disclose any information relating to the processing of Controller’s Personal Data, to Data Subjects nor any third party without the approval of Controller.


8.4 Processor may not disclose information about the processing to the government or other official parties without permission from Controller, unless based on mandatory legislation or a sufficient court order.


9 DURATION OF AGREEMENT


9.1 The Agreement shall be valid as long as the Service Agreement is in force or the Agreement is terminated by Controller in accordance with Article 9.2.


9.2 In the event of a breach of this Agreement or the Data Protection Legislation, or the relationship between the Parties does no longer include any processing of Personal Data, Controller can terminate the Agreement with immediate effect with a written notice and/or instruct Processor to stop all processing activities on its behalf.


10 ERASURE OR RETURN OF PERSONAL DATA


10.1 Processor shall, in consult with Controller, erase the Personal Data where the data is no longer necessary in relation to the purposes for which they were collected, unless otherwise required by law.


10.2 Controller can at any time instruct Processor to erase or return Personal Data to Controller. Processor shall respond to such instructions without undue delay.


10.3 Upon the termination of this Agreement according to Article 9 Processor shall, at Controller’s choosing, erase or return all Personal Data he stores or has access to, to Controller. Processor shall also erase all copies of the Personal Data, unless Processor is obligated by law to store the data, in that case Processor shall notify
Controller of such obligation.


11 INDEMNITY


11.1 Processor agrees to indemnify and hold Controller harmless of any claim, damages, penalties and any costs or fees, of whatever nature, incurred by Controller or for which Controller may become liable due to any failure by Processor or its employees or agents to comply with any of its obligations under this Agreement or any Data Protection Legislation.


11.2 Controller agrees to indemnify and hold Processor harmless of any claim, damages, penalties and any costs or fees, of whatever nature, incurred by Processor as a result of Controller’s instructions that infringe the Data Protection Legislation.


12 AUDITS AND ACCESS TO INFORMATION ON PROCESSING


12.1 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down by Data Protection Legislation and this Agreement, including access to Processor’s records of processing activities relating to processing based on this Agreement.


12.2 Processor shall enable Controller to conduct, or deploy a third party to conduct on its behalf, audits on Processor’s processing of Personal Data and provide appropriate assistance in conducting such audits. Controller shall notify Processor of any such audits at least 5 weeks in advance. The purpose of such audits is to make sure that Processor fulfils his obligations laid down in this Agreement and the Data Protection Legislation, e.g. concerning internal audits, security and obligations set out in Data Protection Legislation.


13 APPLICABLE LAW AND JURISDICTION

This Agreement is governed by Icelandic law. The exclusive jurisdiction shall be the District Court of Reykjavík.


14 CONTACTS


14.1 All notifications according to this Agreement shall be in writing. Each Party shall nominate a contact person to receive any such notifications, by mail or e-mail.


14.2 Notifications to Controller: contract-signer.


14.3 Notifications to Processor: security@50skills.com


15 OTHER


15.1 This Agreement shall prevail over other agreements in relation to Processor’s processing of Personal Data on behalf of Controller and other related obligations. Any other provisions of the Service Agreement shall remain in effect.


15.2 Annexes to this Agreement are an integral part of it.


15.3 By signing this Agreement, Processor confirms that he has the ability and competence to fulfil the obligations set out in this Agreement.

Annex 1

Description of the Personal Data Processed and Processing Operations


The Processor is hereby authorized to Process on behalf of the Controller, the personal information necessary for the provision of the following services relating to recruiting new employees: • Sourcing candidates • Candidate selection process • Candidate hiring process • Onboarding hired candidates • Communication with candidates • Provide integrations with selected 3rd party vendors approved by Controller


1 NATURE OF PROCESSING

1.1 Processor’s processing of Personal Data on behalf of Controller involves: Facilitating the Controllers recruiting and hiring process.


2 DATA SUBJECTS

2.1 The Personal Data processed by Processor belong to the following categories of Data Subjects:

a) Employees
b) Job applicants and prospects
c) All users that the controllers adds to the 50skills admin system, e.g. 3rd party recruiting agencies.


3 CATEGORIES OF PERSONAL DATA

3.1 Processor processes the following categories of Personal Data on behalf of Controller:
a) Names
b) Phone numbers
c) Social Security numbers
d) Pictures
e) E-mail addresses
f) Social media information shared willingly by the applicant
g) In-company referrals and reviews
h) Other questions that Controller feels important to ask potential applicants to facilitate a hiring decision.

4 PURPOSE OF PROCESSING

The purpose of the Processing is to help the Processor to source and filter out potentially new employees for clients including the Controller, and to simplify the onboarding process post a hiring decision.

5 SECURITY OF PERSONAL DATA

5.1 In the purpose of preventing and limiting damage caused by human error, theft, fraud and other abuse, Processor shall:
a) Personal information from applicants is automatically deleted after 180 days unless requested otherwise by data controller
b) Personal information can be deleted, extracted and or corrected upon request by the Controller. If a prospects contacts the Processor with a request the Controller must verify the request.

The Processor shall take appropriate technical and organizational security measures to ensure the security of the personal information that he processes on behalf of the Controller.

Security measures should take into account the latest technologies, cost of implementation, scope, context and purpose of processing and risk.

The Processor must implement the following safeguards:
• Encryption of information where required,
• The ability to ensure continued confidentiality, reliability, availability and load resistance of the systems used and the services offered;
• Be able to restore timely availability and access to personal data in case of an anomaly, whether realistic or technical.
• Set up a process to regularly test and evaluate the effectiveness of technical and organizational measures to ensure the safety of processing.

When assessing security, account should be taken of the risks involved, in particular in the case of unintentional or unlawful destruction of personal information, transmitted, stored or otherwise processed, or lost, modified, displayed or granted access to them for unauthorized purposes.

7 SUB-PROCESSORS

7.1 Processor is allowed to engage a sub-processor to perform the following processing activities according to the data processing agreement:
The processor may use Heroku as a subcontractor for hosting in the cloud. Heroku utilizes Amazon Web Services which hosts the service through data centers in Ireland. The operations of AWS data centers have been certified through ISO 27001, SOC 1, SOC 2 / SSAE 16 / ISAE 3402 (formerly SAS 70 Type II), PCILevel1, FISMAModerateogSarbanes-Oxley (SOX).

The processor may use other sub-processors that data may pass through as a side effect of using 50skills’s services. Here is our list of our other sub-processors that may be used:
• Amazon AWS, USA, Cloud Infrastructure for parts of our apps and services
• Intercom, USA, Customer Support & Site Analytics
• Google Analytics, USA, Site Analytics
• Mailgun, USA, Transactional email API's.
• Tableau, USA, Interactive data visualization

Processor might add more sub-processors to improve it’s services – Controller may at any time ask which sub-processors are being used and get a response within 14 days.

Need a copy? Got questions? Please contact us at security@50skills.com or at our company address: at Bjargargata 1, 102 Reykjavik, Iceland, with any questions regarding this DPA.