 | VONQ B.V. | PARTNER |
Legal form: | a limited liability organized under the laws of the Netherlands | As provided in the HAPI Partnership Agreement. |
Trade registry number: | 24402216 (KvK) | |
Address: | Beursplein 37 (3011 AA) in Rotterdam, the Netherlands | |
Hereafter referred to as: | “VONQ” | “Partner” |
Role: | Processor with respect to Data Processing Clauses and Data Exporter with respect to Standard Contractual Clauses, as defined in section 4. | Controller with respect to the Data Processing Clauses and Data Importer with respect to Standard Contractual Clauses, as defined in section 4. |
Term of the Data Processing Addendum |
The Parties have concluded the HAPI Partnership Agreement (the “Agreement”). This Data Processing Addendum (“DPA”) is made and entered into on the date on which the last Party has signed the Agreement, by and between VONQ and Partner (“Effective Date”). |
THE UNDERSIGNED:
VONQ and Partner, hereinafter being collectively referred to as “Parties” and individually also as “Party”;
WHEREAS:
- VONQ is the expert in smart recruitment marketing. With the use of rich recruitment data, innovative tools and recruitment marketing knowledge, VONQ helps companies to recruit more effectively and efficiently;
- Partner is an entity that has an interest in utilizing the technologies developed by VONQ;
- Partner will assign to VONQ the Processing of Personal Data for Services provided (hereinafter the “Assignment”). The Assignment defines the object / scope of the data processing to be provided by VONQ and is stipulated in the DPA together with any relevant Addendums or Annexes;
- Partner will, by executing the Assignment, provide, directly or indirectly, data to VONQ that might be privacy-sensitive and be qualified as Personal Data as referred to in the Data Protection Laws and Regulations;
- Parties therefore wish to reflect the Parties’ agreement regarding the Processing of Personal Data in compliance with the relevant Data Protection Laws and Regulations;
HAVE AGREED AS FOLLOWS:
- Interpretation
- Unless otherwise defined, capitalized terms, singular or plural, used in this DPA shall have the meaning as set out below:
Agreement | The HAPI Partnership Agreement including any addendums and the attached annexes. |
Candidate | Individual applying for a job at the company of Partner or Partners Affiliates. |
Data Processor Clauses | Standard contractual clauses, as annexed to the European Commission’s Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council. |
Data Protection Laws and Regulations | All laws and regulations, including laws and regulations of the European Union and their member states, applicable to the Processing of Personal Data, such as but not limited to the GDPR and the laws and regulations implementing the latter within the member states of the European Union. |
European Union | The member states of the European Union and, if and when the GDPR is incorporated within the EEA Agreement, the member states of the European Free Trade Association. |
FADP | Swiss Federal Act on Data Protection of 19 June 1992, and as revised as of 25 September 2020, the “Revised FADP”. |
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC or, where applicable, the UK Data Protection Act 2018 (hereinafter “UK GDPR”) as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419). |
Partner Affiliate | Affiliate of the Partner, companies that are customers of Partner. |
Partner Personal Data | Personal Data provided by the Controller and processed by VONQ on behalf of the Partner or Partners Affiliates in connection with the Service(s). |
Recruitment Marketing Campaign | One or various Job Postings or Publications on Third-Party Platforms. |
Service(s) | Any service provided by VONQ, including but not limited to Hiring API including add-ons (hereinafter “HAPI”). |
SCC | Standard Contractual Clauses and Data Processor Clauses. |
Standard Contractual Clauses | Standard contractual clauses, Sections I, II, III and IV insofar as they relate to Module Four, as annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. |
Sub-Processor | The entity that supports VONQ in the Processing of Personal Data on behalf of Partner or Partners Affiliates. |
Third-Party Platform | Platforms such as but not limited to job portals, job boards, channels and/or media providers on which the Recruitment Marketing Campaigns and/or Job Postings and Publications are placed by VONQ on behalf of the Partner or Partners Affiliates. |
United Kingdom | The United Kingdom of Great Britain and Northern Ireland (England, Scotland, Wales, and Northern Ireland). |
Vacancy Data | Any information voluntarily provided by the Partner or Partners Affiliates to post or update a Job Posting, Job Publication and/or Recruitment Marketing Campaign on a Third-Party Platform. |
- “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Processor” all have the meanings given to them under the GDPR.
- This DPA is incorporated and forms an integral part of the Agreement, shall be effective and replace any previously applicable data processing and security terms as of the Effective Date. Regarding the Processing of Personal Data, the provisions of this DPA supersede the Agreement and all previous understandings and agreements between the Parties.
- In the event of any conflict or inconsistencies between the Agreement, the DPA and/or the SCC, the following order of precedence shall apply (from highest priority to lowest):
- SCC’s where applicable;
- this DPA and any exhibits or annexes hereto;
- the remaining provisions of the Agreement; and
- any other document agreed to between the Parties in writing.
- Subject Matter
- The subject matter of this DPA concerns the Processing of Personal Data to allow the performance of the Assignment. Any subsequent contract(s) for a new Assignment of additional Services shall be bound by this DPA.
- Any Processing of Personal Data as described in Exhibit B to this DPA shall be subject to this DPA.
- Partner Affiliates shall be, through Partner, beneficiaries under this DPA and able to exercise all rights pertaining to their Partner Personal Data provided by the respective Partner Affiliate. Partner acts as the single point of contact for all communication, notices or requests by Data Subjects and warrants that it is duly mandated by any Partner Affiliate.
- Scope of Contractual Clauses
- If Partner Personal Data is provided by a Partner or Partner Affiliate whose registered office is located within the European Union, provisions of Annex I of Exhibit A shall apply.
- Together with section 3.1., Annex II of Exhibit A shall apply if Partner Personal Data is provided by a Partner or Partner Affiliate whose registered office is located in the UK.
- Together with section 3.1., Annex III of Exhibit A shall apply if Partner Personal Data is provided by a Partner or Partner Affiliate whose registered office is located in Switzerland.
- If Partner Personal Data is provided by a Partner or Partner Affiliate whose registered office is not located within the European Union and is not recognized by the European Commission as providing adequate protection, provisions of Annex IV of Exhibit A shall apply.
- Controller Processor Relationship
- Partner is obligated to inform VONQ whether it acts as Controller or Processor of Partner Personal Data.
- In case Partner acts as Controller, Parties hereby determine VONQ to be the Processor for the Processing of Partner Personal Data to perform the Assignment.
- In case Partners Affiliate acts as Controller, Parties hereby determine Partner to be the Processor and VONQ the sub-processor for the Processing of Partner Personal Data to perform the Assignment.
- VONQ shall process Partner Personal Data only on behalf of, under the responsibility of and in accordance with documented instructions from the Controller, communicated by the Partner. The Assignment constitutes such documented initial instructions. The Controller may provide further instructions during the performance of the Assignment; Partner shall act as single point of contact.
- Specification of Processing
- Processing of Personal Data by VONQ on behalf of the Partner or Partners Affiliates comprises the performance of the Assignment. As stated in the Assignment, Partner entered into an Agreement with VONQ including the use of VONQ’s Services, as specified in the Agreement.
- Data Subjects, data types and the purpose of Processing by VONQ and VONQ’s Services are described in Exhibit B.
- Partner or Partners Affiliate shall have sole responsibility for the accuracy, quality and legality of Partner Personal Data and the means by which Partner or Partners Affiliate acquires and acquired such data, unless this DPA determines obligations for VONQ in relation to such accuracy, quality and legality. In addition thereto, Partner or Partners Affiliate have the sole responsibility for ensuring that Partner Personal Data is collected in accordance with the requirements of the respective contractual clauses referenced in section 3 of this DPA.
- Confidentiality
- Parties hereby oblige to the confidentiality of Partner Personal Data as transferred under this DPA, save for the situations that any obligation of notification of disclosure flows from applicable law or regulation and save for the transfer of Partner Personal Data that takes place after assignment thereto by Partner or Partners Affiliates.
- Parties hereby both ensure that persons authorised to Process Partner Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Duration
- This DPA enters into effect upon signature by both Parties, is valid for the duration of the Agreement, extends and terminates with the Agreement. The term of this DPA shall correspond to the term of the Agreement. The duration of the Processing equals the duration of this DPA.
- When VONQ possesses, after the termination of the Assignment, any Partner Personal Data, this Personal Data shall be deleted, or – such at the discretion of Partner – be returned to Partner, whereby VONQ shall delete existing copies, the foregoing save for the situation wherein VONQ is obliged to keep the Personal Data on the basis of applicable laws or regulations of the European Union or its members.
- Article 6 (Confidentiality) and article 8 (Miscellaneous) will survive for an unlimited period of time after termination or rescission, no matter the grounds of this termination or rescission, of this DPA.
- Miscellaneous
- This DPA may be altered or supplemented only in writing and provided any such amendment is signed by the duly authorized representatives of both Parties.
- If any provision of this DPA is held invalid, illegal, or unenforceable for any reason, such provision shall be severed and the remainder of the provisions hereof shall continue in full force and effect as if this DPA has been executed with the invalid provision eliminated.
- This DPA is exclusively governed by the laws of the jurisdiction set forth in Annex IV of Exhibit A section 2.3.
- Any disputes that may arise between parties, shall be brought before the court set forth in Annex IV of Exhibit A section 2.4.
Exhibit A
Annex I of Exhibit A - Data Processor Clauses
- Data Processor Clauses
Data Processor Clauses form an integral part of this DPA, are hereby incorporated by reference and shall apply as published in the Official Journal of the European Union, as may be amended, superseded, or replaced, and will be deemed completed with the information set out in this Annex I of Exhibit A.
- Applicable Data Processor Clauses
- Clause 5: Not applicable.
- Clause 7.7: Option 2.
- As for Clause 7.7 the following shall apply:
- Partner hereby provides its specific written authorisation to VONQ to engage the Sub-Processors for the purpose of performing the Assignment and this DPA. The current list of Sub-Processors engaged in Processing Partner Personal Data can be found on VONQ’s webpage at: https://www.vonq.com/privacy-center-list-of-subprocessors/
- In case VONQ engages another Processor for carrying out specific Processing activities on behalf of Partner, the data protection obligations within this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the GDPR, shall apply to such Sub-Processor.
- VONQ shall inform Partner about any new Sub-Processor a minimum of 30 days in advance via email to the “Notification” email provided on the cover page of this DPA.
- Partner has the right to object to the addition of a new Sub-Processor, for a justified reason within 30 days of receipt of VONQ’s notification, via email to dpo@vonq.com. In such case, Partner shall give VONQ a reasonable time to find a replacing Sub-Processor. If VONQ is unable to find a replacing Sub-Processor (within 60 days) and the use of this specific Sub-Processor cannot be discontinued, Partner shall have the right to terminate the Agreement by written notice before the effective date of the change.
- Should the Partner not object to the addition of a new Sub-Processor within 30 days following the notification, the consent of the Partner shall be deemed to have been given.
- Option 1 shall apply for Clause 1, Clause 8 lit. (c) (4), Clause 9.1 lit. (b) and (c) and Clause 9.2 lit. (c) of the Data Processor Clauses.
- Annex I: Information about the Parties shall be found on the cover page of the Agreement and is hereby incorporated.
- Annex II: Description of the transfer, Data Subjects, data types and purpose of Processing is described in Exhibit B and is hereby incorporated. The frequency of the transfer is on a continuous basis for the duration of the Agreement.
- Annex III: Technical and organisational measures are described in Exhibit C and are hereby incorporated.
Annex II of Exhibit A – UK Clauses
- UK Clauses
The Parties agree that the UK Addendum (Data Protection Act 2018, section 119A) is hereby incorporated by reference and shall apply to UK transfers as set out in Annex II of Exhibit A, together with the Standard Contractual Clauses as set forth in Annex IV of Exhibit A.
- Applicable UK Clauses
Tables of the UK Addendum shall be completed as follows:
- Table 1 (Parties): As stipulated on the cover page of this DPA.
- Table 2 (Selected SCCs, Modules and Selected Clauses): As stipulated in Annex I of Exhibit A.
- Table 3 (Appendix Information): Annex 1A: As stipulated in Annex I of Exhibit A to this DPA.
- Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither Party may end the UK Addendum incorporated herein in the manner set out in section 19 thereto.
- The Alternative Part 2 Mandatory Clauses of the UK Addendum shall apply, as follows:
- Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office (ICO) and laid before the UK Parliament in accordance with section 119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those mandatory clauses.
Annex III of Exhibit A - Swiss Clauses
- Swiss Clauses
The Parties agree that the Standard Contractual Clauses as detailed in Annex IV of Exhibit A shall be adjusted as set out below where the FADP applies to Swiss transfers:
- Applicable Standard Contractual Clauses
- References to the Standard Contractual Clauses mean the Standard Contractual Clauses as amended by this Annex III of Exhibit A;
- The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss transfers exclusively subject to the FADP;
- The terms “General Data Protection Regulation”, “GDPR” or “Regulation (EU) 2016/679” as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to Swiss transfers;
- References to “Regulation (EU) 2018/1725” are removed;
- Swiss transfers subject to both the FADP and the GDPR shall be dealt with by the EU Supervisory Authority named in Annex IV of Exhibit A;
- References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with clause 18(c) of the Standard Contractual Clauses;
- Where Swiss transfers are exclusively subject to the FADP, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP;
- Where Swiss transfers are subject to both the FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP insofar as the Swiss transfer is subject to the FADP.
Annex IV of Exhibit A - Standard Contractual Clauses
- Standard Contractual Clauses
Standard Contractual Clauses form an integral part of this DPA, are hereby incorporated by reference and shall apply as published in the Official Journal of the European Union, as may be amended, superseded, or replaced, and will be deemed completed with the information set out in this Annex IV of Exhibit A.
- Applicable Standard Contractual Clauses
- Clause 7: Not applicable
- Clause 11 (a): Not applicable.
- Clause 17: Laws of the Netherlands
- Clause 18: Rotterdam, the Netherlands
- Annex I.A. (List of Parties): Information about the Parties shall be found on the cover page of this DPA.
- Annex I.B. (Description of the transfer): Data Subjects, data types and purpose of Processing is described in Exhibit B and hereby incorporated.
Exhibit B
Specification of Processing – Hiring API (HAPI)
- General
Services based on the Hiring API are HAPI Job Marketing (hereinafter “HAPI JM”) and HAPI Job Post (hereinafter “HAPI JP”). Both products, HAPI JM and HAPI JP, can be extended with the HAPI Payments.
- Data Subjects, Data Types and Purpose of Processing
- HAPI Services
To fulfil the Assignment all HAPI Services process the following Personal Data: Users with valid credentials to HAPI (API Key(s)) are subscribers of HAPI (hereinafter “HAPI-Subscriber(s)”). VONQ processes HAPI-Subscriber IP-addresses for HAPI security, auditability and optimization. VONQ also processes recruiter information if provided by Partner or Partner Affiliates as part of Vacancy Data.
- HAPI JM
To fulfil the Assignment and in addition to 2.1. VONQ processes Personal Data, such as Partners or Partners Affiliates recruiter information (ID, first name, last name and business email address). Data types and Data Subjects are further detailed in subsection 2.5.1.
- HAPI JP
To fulfil the Assignment and in addition to 2.1. and 2.2. VONQ processes Personal Data, such as Partners or Partners Affiliates job board credentials, username and password, for the contract(s) the Partner provides. Data types and Data Subjects are further detailed in subsection 2.5.2.
- HAPI Payment Module
The HAPI Payment Module can be added to HAPI JM and/or HAPI JP. To fulfil the Assignment and in addition to the Personal Data mentioned in sections 2.2. and/or 2.3. VONQ processes Personal Data, such as the Partners or Partners Affiliates billing details (name, first name, phone number, business email address, tax ID, billing address, ID). Data types and Data Subjects are further detailed in subsection 2.5.3.
- Data Types and Data Subjects – HAPI - Complete Overview
- HAPI JM – Overview
Data Subjects | Data Types | Purpose of Processing |
- Partner or Partner Affiliates recruiter information | - ID - first and last name - business email address | Performance of the Assignment. |
- Partners or Partner Affiliates contact information (as part of Vacancy Data) | - first and last name (if provided) (if provided) | Performance of the Assignment. |
- HAPI-Subscribers (if employees or contractors of Partner connect to HAPI with their personal IP-addresses) | - IP-addresses | HAPI security, auditability and optimization. |
- HAPI JP – Overview
Data Subjects | Data Types | Purpose of Processing |
- Partners or Partners Affiliates recruiter information | - ID - first and last name - business email address | Performance of the Assignment. |
- Partners or Partner Affiliates contact information (as part of Vacancy Data) | - first and last name (if provided) (if provided) | Performance of the Assignment. |
- Partner or Partners Affiliates customers' job board credentials for the contract(s) the Partner provides | - username - password | Performance of the Assignment. |
- HAPI-Subscribers (if employees or contractors of Partner connect to HAPI with their personal IP-addresses) | - IP-addresses | HAPI security, auditability and optimization. |
- HAPI Payment Module - Overview
Data Subjects | Data Types | Purpose of Processing |
All Data Subjects listed in 2.5.1 and/or 2.5.2 respectively. | All data types listed in 2.5.1 and/or 2.5.2 respectively. | Purpose of Processing as listed in 2.5.1 and/or 2.5.2 respectively. |
Partners or Partners Affiliates employees or contractors, if Personal Data of those Data Subjects is provided as part of Partner’s billing details. | - name, first name - phone number - business email address - tax ID - billing address - customer ID | Performance of the Assignment. |
Exhibit C
Technical and Organisational Measures
VONQ ensures for its area of responsibility the implementation of and abidance by technical and organizational measures agreed upon, according to this annex. The Partner will implement appropriate technical and organisational measures according to the requirements of the GDPR.
- Confidentiality (article 32 sec. 1 subs. (b) GDPR)
Access control to premises and facilities (physical access control)
Objective: Unauthorised access to premises and facilities must be prevented.
Employees can only gain entry to the office building with a personalized key card | [x] |
Visitors are welcomed at the reception, picked up by a member of the relevant department and escorted by the respective VONQ employee(s). | [x] |
Securing office in out-of-work-hours by site alarm system. | [x] |
CCTV surveillance. | [x] |
Storage of hardware in access-protected cupboards. | [x] |
System access control (hardware access control)
Objective: No access to data processing systems by unauthorized persons.
Authentication and authorization are required throughout the entire data-processing system. Entering a username and password is always required. | [x] |
Password is subject to restrictions set forth in the internal Password Policy. E.g.: - after the first login, the password has to be changed, - the password must be changed regularly by the user, - repeated use of the same password is prevented by the system. | [x] |
Users will be blocked after three incorrect login attempts and can only be unblocked by the internal IT. | [x] |
VONQ utilizes network segmentation (VLAN). Gateways are protected by firewalls and are being monitored. The internal local area network (LAN) is divided into several segments, including a VONQ WiFi segment and a separate public segment for visitors. Production and test systems are separated at an operating system level and placed in different networks. | [x] |
Access control to data (software access control)
Objective: Unauthorised activities in data processing systems outside of assigned authorisations must be prevented.
Based on their username, users are restricted to certain roles for certain applications. | [x] |
Application users can access personal identifiable information (hereinafter “PII”) only to the extent required for the specific role. | [x] |
Additionally, PII is stored and transmitted in an encrypted form as far as technically possible. | [x] |
Separation Control
Objective: Data collected for different purposes must be processed separately
Logical data separation per application (one application cannot access other applications). | [x] |
PII is separated logically on a per customer basis. | [x] |
Separation of development, staging, and production systems: Anonymized datasets are being used for development and staging environments. | [x] |
At all times transactional data is kept separate from the PII retained or used for another purpose. | [x] |
- Integrity, availability and resilience of systems (article 32 sec. 1 subs. (b) GDPR)
Transfer control
Objective: Protection of PII from unauthorized reading, modification or deletion.
State of the art encryption is utilized for every PII data transfer, utilizing protocols such as SSH, SFTP, SCP, HTTPS and TLS. | [x] |
Volume and file encryption are utilized whenever possible. | [x] |
Disposal operators destroy discarded hardware, data carriers and printouts. | [x] |
Input control
Objective: Traceability of entries; modification or deletion of data.
Personal Data is inputted via automated processes (i.e. the collection of IP addresses). Every automated input is logged and can be traced. | [x] |
Where data is manually inputted by employees (e.g. name, contact details), identifiable electronic signatures are being utilized wherever possible. | [x] |
Modifications and deletions are marked with identifiable electronic signatures wherever possible. | [x] |
- Availability and access (article 32 sec. 1 subs. (c) GDPR)
Objective: Data loss prevention and recovery in a timely manner.
On an infrastructure level fault tolerant systems are deployed and whenever possible systems are decentralized. | [x] |
Backups are redundant and kept in secure locations on-site and off-site. | [x] |
Restore and retrieval processes are tested on a regular basis. | [x] |
- Procedures for regular testing, assessing, and evaluating (article 32 sec. 1 subs. (d) GDPR)
Control Procedures
Objective: Procedures have to be implemented to ensure regular testing, assessment and evaluation of the effectiveness of the data security measures.
VONQ undergoes an annual penetration test conducted by an independent and external consultant. Feedback is implemented accordingly to improve Services and security. | [x] |
Security measures are subject to internal and external audits. | [x] |
Notification of the Data Protection Officer and the Chief Technology Officer about new or adjusted data processing procedures. | [x] |
VONQ is ISO 27001 certified. | [x] |
Control of Instructions
Objective: Data shall only be processed by service providers, such as subcontractors, in accordance with the instructions of VONQ.
Contracts with Data Protection Agreements according to the requirements of article 28 GDPR are concluded. | [x] |
Contract management through centralised registration of subcontractors. | [x] |
- Pseudonymisation and encryption (article 32 sec. 1 subs. (a) GDPR)
Objective: PII shall be collected, processed and retained encrypted and in a pseudonymous way.
Whenever possible PII collected by VONQ can no longer be attributed to a specific Data Subject without further information. Such additional information is being kept separately. | [x] |
All web applications and communication between networks of VONQ are encrypted via SSL/TLS (data in transfer). As mentioned above, PII is retained on encrypted volumes whenever possible (data at rest). | [x] |