Data Processing Agreement (DPA)
Jobilla Oy
Data Protection Annex
Version: 15.12.2022
Definitions
In order to achieve the objectives of the agreement (the "Main Agreement") signed between Jobilla (hereinafter "Jobilla") and the organization that acquires services from Jobilla (hereinafter the "Customer"), it is necessary for Jobilla to process the Customer's personal data. This agreement on the processing of personal data (the "Processing Agreement") is an essential and integral part of the Main Agreement between Jobilla and the Customer. Each of Jobilla and the Customer is referred to herein individually as a “Party” and collectively as the “Parties”.
The terms used in this Processing Agreement shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”). Such terms include in particular controller, processor, personal data, data subject, processing and personal data breach.
Rights and obligations of the Parties
In this Processing Agreement, the parties agree that Jobilla, as a processor, will process personal data on behalf of the Customer during the term of the Main Agreement.
The Customer is the data controller in relation to the personal data of its job seekers, i.e. the Customer alone determines what data is collected from the job seekers and the purposes for which and the means by which personal data is processed. The Customer is responsible for complying with the obligations the GDPR and other applicable laws set for data controllers.
Jobilla shall process personal data only on documented instructions from the Customer, unless required to do so by Union or Member State law to which Jobilla is subject. In this case, Jobilla shall inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
During and after the processing, Jobilla may retain and use anonymised data for the development of its activities and products. Anonymisation means the modification of the data in such a way that they can no longer be used to identify individuals by any means.
Jobilla shall immediately inform the Customer if, in Jobilla’s opinion, instructions given by the Customer infringe the GDPR or the applicable Union or Member State data protection provisions.
In addition to this Processing Agreement, each Party undertakes to comply with applicable national data protection laws and the provisions of the GDPR as applicable to its activities.
Nature and purpose of processing
Jobilla processes personal data for the purpose of providing and delivering the products and services to the Customer as specified in the Main Agreement. Jobilla is not entitled to process the Customer's personal data for any other purpose or for the benefit of anyone else.
Categories of data subjects and categories of personal data processed
The personal data processed concerns the Customer's job seekers.
As the Customer has full control over what data is processed about job seekers, the Customer is solely responsible for having the right to process such personal data. Most commonly, the personal data processed concerns the name, email address, telephone number, job application and CV of job seekers.
Duration and retention period of processing
Jobilla processes personal data for the duration of the Main Agreement.
Jobilla will retain the personal data of the Customer's job seekers for the retention period specified by the Customer. Unless the Customer decides otherwise, the default retention period of personal data is 2 years for each of the Customer’s job seekers, after which the personal data of the job seeker in question will be automatically anonymised.
Sub-processors
Jobilla has the Customer’s general authorisation for the engagement of sub-processors. An up-to-date list of sub-processors is available at [Sub-processors].
If Jobilla plans to make changes to its sub-processors, it will notify the Customer by giving at least 30 days' written notice. Jobilla’s obligation to notify concerns the intended addition, removal or change of a sub-processor. After receiving notification, the Customer has the right to object to the intended change in the use of a sub-processor.
If the Customer objects to the intended change and Jobilla cannot reasonably use another sub-processor or another method in processing the personal data, Jobilla shall not be liable to the Customer for any breach of contract or omission resulting from this. In this situation, Jobilla shall be entitled to terminate the Main Agreement in writing to expire when the sub-processor change takes effect.
When using sub-processors for processing personal data, Jobilla agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Processing Agreement. Jobilla is responsible for ensuring that its sub-processors comply with the requirements of this Processing Agreement.
International data transfers
Jobilla and the sub-processors used by Jobilla will not transfer Personal Data to countries outside the EU or EEA except on the basis of documented instructions provided by the Customer or unless required by law or binding governmental authority. The transfer of personal data must be carried out using adequate safeguards as defined in the GDPR.
Confidentiality
All personal data processed by Jobilla on behalf of the Customer is considered the Customer's confidential information and Jobilla undertakes to keep the data confidential and not to disclose or divulge it to any third party. Jobilla ensures that only such people within its own organization shall have access to the personal data that is necessary for furthering Jobilla’s obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person to process the personal data who is not under such a duty of confidentiality. The duties of confidentiality shall survive the termination or expiration of the Processing Agreement.
Data security
Jobilla shall implement appropriate technical and organizational measures to protect the personal data in its possession from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for natural persons’ rights and freedoms. For the avoidance of doubt, this data security obligation does not concern data systems or software that is owned by the Customer or of which intellectual property rights belong to the Customer or a third party.
Such measures can include, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
More information on the technical and organizational measures used by Jobilla can be found at [Technical and Organizational Measures].
Personal data breaches
Jobilla must notify the Customer without undue delay about personal data breaches it becomes aware of, so that the Customer can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits. When notifying the Customer, Jobilla must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the Customer. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
Jobilla must also take all such other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.
Data protection impact assessment
If Jobilla becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons, it must notify the Customer about this and assist the Customer, if necessary, in conducting a data protection impact assessment.
Data subject’s rights
Taking into consideration the nature of the data processing, Jobilla must reasonably and without undue delay assist the Customer, including by applicable technical and organisational measures, to fulfill any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the GDPR, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability.
If such requests are made directly to Jobilla, it must notify the Customer about the request without undue delay. Jobilla may not respond to the request, unless authorised by the Customer.
Audits
Jobilla shall make available to the Customer all information necessary to demonstrate compliance with the obligations that are set out in this Processing Agreement and in the GDPR. Jobilla shall permit, reasonably assist and participate in audits, including inspections of Jobilla's premises, systems, processes and documentation, by the Customer or another auditor authorized by the Customer, if the Customer deems it necessary to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to Jobilla’s business operation as reasonably possible. Each party shall bear its own costs in connection with the performance of the audit. The Customer shall notify Jobilla at least 30 days in advance of the audit. To avoid unnecessary audits, audits should primarily only be conducted in situations where there is reason to suspect that Jobilla is not complying with the terms of this Processing Agreement or the requirements of the Data Protection Regulation. Jobilla shall also ensure the right of the Customer to audit the subcontractors of Jobilla as required by the GDPR, to the extent that such auditing is reasonably possible.
Other terms
If Jobilla is required to assist the Customer in relation to any breach of the GDPR caused by the Customer, the implementation of data subjects' rights in a manner different from normal processing or the compliance with the provisions of the Data Protection Impact Assessment, Jobilla is entitled to invoice the reasonable actual time used for the assistance tasks in accordance with the hourly rates agreed between the parties. Invoicing the time used for the assistance tasks requires that the Customer has accepted that Jobilla can use time to perform assistance tasks.
Jobilla shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Customer. Where a Party has, in accordance with Art. 82 GDPR, paid full compensation to the data subject for the damage suffered, the Party that has paid the compensation shall be entitled to claim back from the other Party that part of the compensation corresponding to the other Party’s part of responsibility for the damage caused by infringing the GDPR. Jobilla is not liable to the Customer for any other indirect, consequential, or special damages or for claims made by third parties arising from any breach of this Agreement. Jobilla's liability for damages for breaches of contract shall be limited to the aggregate maximum amount specified in the Main Agreement between the Parties as the upper limit of Jobilla's liability for breach of the Main Agreement.
Term and effects of termination
This Processing Agreement comes into force on the same date as the Main Agreement between the Parties and shall thereafter remain in force until the Main Agreement is terminated or expires under its terms.
Within a reasonable time after the termination or expiration of the Main Agreement, Jobilla shall, at the choice of the Customer, delete or return all personal data to the Customer and also delete all copies of the personal data, unless Union or Member State law requires Jobilla to retain some or all of that data. In such an event Jobilla retains the data as required by law without further processing the personal data and continuing to comply with the obligations of this Processing Agreement.
If the Customer has not notified Jobilla about deletion or return of data, Jobilla shall delete all personal data in its possession, including any copies according to the retention period defined in this Processing Agreement, unless Union or Member State law requires Jobilla to retain some or all of that data.
The Customer is obligated to make sure that it has backup copies of the data prior to the end of the retention period if the Customer considers the data still necessary.