CareerArc GDPR Processing Addendum
This DATA PROCESSING ADDENDUM (“Addendum”), along with the Service Order and/or any other terms incorporated by reference and agreed to by the Parties in writing (collectively, the “Agreement”), is between CareerArc Group LLC (“CareerArc”) as provider of the services more fully described under the Agreement (the “Services”) and the entity purchasing the Services under the Agreement (the “Client”). CareerArc and Client shall hereafter be collectively known as the “Parties” and individually known as a “Party”. To the extent that any of the terms or conditions contained in this Addendum may contradict or conflict with any of the terms or conditions of the Agreement, it is expressly understood and agreed that the terms of this Addendum shall take precedence and supersede the Agreement.
The Parties agree as follows:
For the purposes of this Addendum, the following expressions bear the following meanings unless the context otherwise requires:
“Applicable Data Protection Laws” means, in respect of a Party, any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data, including:
- Directive 2002/58/EC (as amended) (the “e-Privacy Directive”), or the e-Privacy Regulation 2017/003 (COD) (the “e-Privacy Regulation”), and any laws implementing these; and
- Directive 95/46/EC (as amended) (the “Data Protection Directive”) and Regulation 2016/679 (the “GDPR”), and any laws implementing these,
in each case as amended, consolidated, re-enacted or replaced from time to time;
“Data Subject”, “Personal Data”, “Process”, “Processed” or “Processing” shall each have the meaning as set out in the GDPR;
“EU Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data in force in the territory of the European Union, including the Data Protection Directive, the GDPR, the e-Privacy Directive and the e-Privacy Regulation;
“Model Clauses” mean the Standard Contractual Clauses (Controller to Processor) as set out in the Commission Decision of 5 February 2010 (C (2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016;
“Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks as designed by the US Department of Commerce and approved by the European Commission and Swiss Administration (respectively) as having adequate protection under the Data Protection Directive and the GDPR (once it takes effect) and the Swiss 235.1 Federal Act of 19 June 1992 on Data Protection (respectively);
“Regulator” means the data protection supervisory authority which has jurisdiction over a Data Controller’s Processing of Personal Data; and
“Third Country(ies)” means a country or all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this Addendum include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
- The Client acting as data controller wishes to appoint CareerArc to act as its data processor to Process Personal Data, as further described in Schedule 1. For the avoidance of doubt, this Addendum applies only to the Processing of Personal Data as set out in Schedule 1, and does not apply to any Personal Data that may be provided by a Data Subject directly to CareerArc.
To the extent CareerArc Processes Personal Data on behalf of Client, it shall:
- Process the Personal Data only on documented instructions from Client, including with regard to transfers of Personal Data to Third Countries or an international organization, unless required to Process such Personal Data by European Union or Member State law to which CareerArc is subject; in such a case, CareerArc shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
- ensure that its personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and hold in force for the term of the Addendum appropriate technical and organizational measures for ensuring the security of the Processing as further set out in CareerArc’s Customer Information Security Policy;
- if CareerArc directly receives a request from a Data Subject for access to Personal Data, or for the rectification or erasure of Personal Data or any other request or query from a Data Subject relating to Personal Data (including Data Subjects’ exercising rights under Applicable Data Protection Laws, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making) (a “Data Subject Request”), CareerArc will:
  - notify Client immediately and no later than ten (10) business days of the Data Subject Request;
  - provide details of the Data Subject Request to Client; and
  - provide such reasonable assistance to Client for the purposes of responding to the Data Subject Request;
- carry out a request from Client to amend, transfer or delete any Personal Data Processed by CareerArc on Client’s behalf to the extent necessary to allow Client to comply with its responsibilities as a data controller;
- in so far as possible and at Client’s expense, assist Client in carrying out its obligations under Articles 32 to 36 of the GDPR and any other Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with Regulators. CareerArc shall promptly notify Client about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of Personal Data;
- upon termination of the Processing of Personal Data and at Client’s election, CareerArc shall either (i) delete all Personal Data Processed on behalf of Client, or (ii) return to Client all Personal Data Processed on behalf of Client and delete existing copies unless applicable law requires storage of the Personal Data;
- CareerArc shall upon written request from Client from time to time provide Client with all information necessary to demonstrate compliance with the obligations laid down in this Addendum. CareerArc shall permit Client or a third party authorized by it and which is not a competitor of CareerArc, to carry out audits and inspections of the processing of Personal Data by CareerArc, on reasonable notice in normal business hours and no more than once per calendar year. CareerArc may require a third party auditor to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. Unless such audit or inspection has been necessitated by a material breach by CareerArc of the terms of this Addendum, such audits and inspections shall be subject to a charge at Client’s expense of at least US$5,000 per day.
- Client acknowledges and agrees that CareerArc relies solely on Client for direction as to the extent to which CareerArc is entitled to Process Personal Data on Client’s behalf. Consequently, CareerArc is not liable for any claim brought by Client or a data subject arising from any action or omission by CareerArc to the extent that such action or omission resulted from Client’s instructions.
- Where CareerArc will process Personal Data in, or transfer Personal Data to, any Third Country, CareerArc shall:
  - comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this Agreement, with the processing details that comprise Appendix 1 to the Model Clauses being those set out in Schedule 1, and the technical and organizational security measures that comprise Appendix 2 to the Model Clauses being those set out in CareerArc’s Customer Information Security Policy, provided Client shall also comply with the obligations of the data exporter as set out in the Model Clauses; and
  - if agreed between Client and CareerArc, take any other alternative or additional steps reasonably requested by the Client in order to ensure that appropriate measures are put in place to provide an adequate level of protection for Personal Data with regard to international transfers.
- Client acknowledges and agrees that CareerArc may appoint a third party sub-contractor to process Personal Data in a Third Country, provided that CareerArc must ensure that such processing takes place in accordance with the requirements of the Applicable Data Protection Laws (including Privacy Shield principles or the terms of the Model Clauses as applicable). The parties agree that Personal Data may be transferred to a third party sub-contractor in the United States that is certified to process such data under the Privacy Shield or that agrees to comply with the Privacy Shield principles, or to a third party in any Third Country if the transfer takes place on the terms of, and in compliance with, the Model Clauses.
- Client hereby consents to the use by CareerArc of the sub-contractors set out in Schedule 2 and for the purposes further described therein. If CareerArc appoints a new sub-contractor to Process Personal Data, it shall provide Client with twenty (20) business days’ prior written notice, during which Client can object to the appointment. If Client rejects the new sub-contractor, CareerArc may terminate this Addendum and the Agreement with immediate effect on written notice to Client. If Client does not object, CareerArc may proceed with the appointment. CareerArc ensures that it has a written agreement in place with all sub-contractors which contains obligations on the sub-contractor which are no less onerous on the relevant sub-contractor than the obligations on CareerArc under this Addendum.
- Client warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to CareerArc and enable the Processing of Personal Data by CareerArc as set out in this Addendum.
- Client agrees that it will indemnify and hold harmless CareerArc on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by CareerArc arising directly or indirectly from Client’s breach of this Clause 6 or any Applicable Data Protection Laws.
- Processing Operations
The Personal Data Processed by CareerArc will be subject to the following basic Processing activities: (1) In the case of CareerArc Outplacement, processing of license activation requests of Client’s former employees provided by Client for use of the Services; and/or (2) in the case of CareerArc Social Recruiting, processing of job applications and inquiries from Client’s job candidates for their use of the Services and processing of Client Content (as defined in the Service Order) in connection with Client’s use of the Services.
The Personal Data Processed by CareerArc will be Processed for the following duration: for the Term of the Agreement or so long as a user maintains an account or registration with CareerArc.
- Data Subjects
The Personal Data Processed by CareerArc concerns the following categories of Data Subjects: Client’s former employees in the case of CareerArc Outplacement and Client’s job candidates and/or employees in the case of CareerArc Social Recruiting.
- Categories of Data
The Personal Data Processed by CareerArc includes the following categories of data: name, email, address, phone number, photo and/or other personally identifying information available in a job application or contained within Client Content as provided by, or on behalf of, Client to CareerArc.
- Special Categories of Data (if appropriate)
The Personal Data Processed by CareerArc concerns the following special categories of data: None.
- Data exporter
The Data Exporter is (please specify briefly your activities relevant to the transfer): Client—please refer to “Processing Operations” above.
- Data importer
The Data Importer is (please specify briefly activities relevant to the transfer): CareerArc—please refer to “Processing Operations” above.
AUTHORIZED SUB-CONTRACTOR LIST
- Amazon Web Services (AWS): Personal Data may be stored and processed using AWS as CareerArc’s hosted services provider.
- Sendinblue: Personal Data may be stored and processed for purposes of sending emails to Data Subjects for use of CareerArc’s services.
- Microsoft: Personal Data may be stored and processed by Microsoft, CareerArc’s internal email provider.