VEREMARK DATA PROCESSING STANDARD
The terms of this Data Protection Standard shall apply in any instance where Veremark (Supplier) acts as a Data Processor on behalf of a Customer.
1. Definitions
1.1 For the purposes of this Schedule, in addition to the terms defined in the Agreement, the following terms shall have the following meanings:
(a) Agreement: means the version of the Supplier’s terms in place between it and the Customer;
(b) Schedule: means this document (the Data Protection Standard);
(c) controller: shall have the meaning of ‘controller’ set out in the Data Protection Legislation;
(d) processor: shall have the meaning of ‘processor’ set out in the Data Protection Legislation;
(e) Data Subject: shall have the meaning of ‘data subject’ set out in the Data Protection Legislation;
(f) DPA: means the Data Protection Act 2018;
(g) EEA: means the nations which make up the European Economic Area, plus Switzerland and the United Kingdom;
(h) GDPR: means Regulation (EU) 2016/679 and/or such legislation as may replicate it, replace it, or give effect to its terms in England and Wales;
(i) Personal Data: shall have the meaning of ‘personal data’ set out in the Data Protection Legislation and, where used in this Agreement shall mean the personal data transferred between the parties to this Agreement as described in clause 3; and
(j) Personal Data Breach: shall have the meaning of ‘personal data breach’ set out in the Data Protection Legislation.
2. Application of this Schedule
2.1 The terms of this Schedule shall apply during any period of time in which the Supplier acts as a processor on behalf of the Customer, irrespective of the Customer’s status as a controller or processor in respect of the Personal Data undergoing processing.
2.2 For the avoidance of doubt, and without prejudice to the terms of the Agreement, the Supplier shall act as a processor on behalf of the Customer where the Customer uses the Software to initiate a Request in relation to any Candidate, including in respect of all Candidate Data supplied by the Customer to the Supplier or which the Supplier may obtain for the Customer’s benefit in the course of carrying out any Request.
2.3 The Parties acknowledge that the terms of this Schedule are in addition to, and do not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
3. Scope of Processing
3.1 The Parties agree that the conduct of Requests will cause the Supplier to process some or all of the following types of Personal Data:
(a) Details of each Candidate’s identity, including their name, address and contact e-mail;
(b) Details of the position applied for at the Customer by the relevant Candidate (where a Request applies to a job application);
(c) Details of any referees selected by a Candidate, including those individuals’ names, contact details, and professional position;
(d) Results of background checks conducted by third parties (such as a ‘pass/fail’ result received after the conduct of a criminal record check, or of an authenticity check conducted in respect of an identification document);
(e) Images of identity documents, academic certificates, and other similar items, provided by Candidates for verification and authentication as described above; and
(f) Details of consents provided by Candidates authorising Supplier to approach specified third parties for verification of the authenticity of specified documents, to conduct background checks, or to seek a reference or similar statement made in respect of the consenting Candidate.
3.2 The Personal Data specified in clause 3.3 will relate to the following categories of data subjects:
(a) Candidates specified by the Customer in the course of making Requests;
(b) Individuals who may be named as referees in relation to those Candidates;
(c) Individuals who are otherwise required to confirm or verify particular details that relate to those Candidates.
3.3 The Personal Data specified in clause 3.3 will be processed by Processor for the following purposes:
(a) Verifying that information supplied by Candidates to the Customer is accurate;
(b) Notifying the Customer of the outcome of background checks (such as criminal record checks) performed by third parties;
(c) Providing reports to the Customer which set out which Candidate Data it has and has not been able to verify, as well as passing on copies of Candidate Data obtained on the Customer’s behalf (such as references or other details provided by previous employers and academic institutions);
(d) Where requested by an individual Candidate, to enable that Candidate to store the results of historic verifications conducted in relation to their Candidate Data (and such storage will be conducted outside of the Supplier’s role as the Customer’s processor).
4. Obligations of the Processor
4.1 The Processor shall:
(a) only process the Personal Data for the performance of its obligations under and pursuant to the Agreement and in accordance with the written instructions of the Supplier which are set out therein, unless required to do so by the law of a state located within the EEA to which the Processor is subject. In such a case, Processor shall inform controller of that legal requirement before processing, unless that law prohibits such disclosure from being made;
(b) ensure that persons with access to the processed Personal Data are subject to a strict duty of confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) assist the Supplier in responding to any request from any Data Subject identified by the Personal Data which purports to exercise any right enjoyed by that Data Subject under the terms of the GDPR;
(d) assist in ensuring compliance with Supplier’s obligations under Articles 32 to 36 of the GDPR, including in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify Controller without undue delay on becoming aware of any Personal Data Breach that affects, or which it has reason to suspect may affect, the Personal Data;
(f) ensure that the Personal Data is not transferred outside of the EEA without first receiving written authorisation for the relevant transfer from the Supplier, or directly from the Data Subject to which the Personal Data to be subject to the relevant transfer relates;
(g) at the written instruction of Supplier securely delete or return Personal Data and copies thereof to Controller on termination of this Agreement unless the law of a state located within the EEA to which the Processor is subject requires ongoing storage of the Personal Data;
(h) maintain records of all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and grant Supplier and its auditors access to those records to the extent necessary to conduct audits of compliance with this Agreement’s terms on reasonable notice; and
(i) immediately inform Supplier if, in its opinion, an instruction given by Supplier infringes the GDPR or other Union or Member State data protection provisions.
5. Sub-Processing
5.1 The Supplier will appoint third party processors to assist it in performing the processing described in clause 3. The Customer authorises such sub-processing and specifically acknowledges that Requests which entail the checking of any given Candidate’s identity documents, visa status, criminal history, and/or academic credentials will cause the relevant aspects of their Personal Data to be processed by an organisation or authority capable of giving an authoritative verification. Customer acknowledges that the making of such Requests represents specific instructions given by it to have such processing performed. Supplier shall take steps to ensure that each such sub-processor has provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that their respective processing meets the requirements of the GDPR and ensures the protection of the rights of Data Subjects.
6. Security of the Personal Data
6.1 In order to ensure that the Personal Data is properly secured against unauthorised access and/or processing, the Supplier shall put in place, and keep subject to regular review, appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, having regard to the state of technological developments, the likely risk to Data Subjects, and the costs of implementing any such measures.
6.2 For the avoidance of doubt, the type of measures anticipated by clause 6.1 may include without limitation:
(a) measures to ensure the pseudonymisation and encryption of Personal Data;
(b) measures to monitor the ongoing confidentiality, integrity, availability and resilience of relevant data processing systems and services;
(c) systems to ensure that Personal Data is not processed for longer than is necessary to deliver the obligations of the Supplier set out in the Agreement;
(d) a process for regularly testing, assessing and evaluating the effectiveness of such security measures.