Data Protection Policy
Data Protection Annex
Version: Aug 25, 2020
These terms apply between Jobilla Oy ("Jobilla", "data processor" or "processor") and a customer ("customer", "data controller" or "controller") with whom Jobilla has concluded an agreement, if Jobilla is considered a data processor and the customer a data controller within the meaning given in the EU General Data Protection Regulation.
The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”). Such terms include without limitation controller, processor, personal data, data subject, processing and personal data breach.
With these terms, the parties agree that the customer, the controller, appoints Jobilla as its data processor to process customer’s personal data during the term of an agreement under the terms agreed herein.
The processor shall process the personal data only to fulfil its obligations set forth in an agreement and in accordance with the written instructions provided by the controller.
The controller shall be the sole controller of the personal data and shall be responsible for complying with the obligations that the Regulation and other applicable laws place on data controllers, such as ensuring that there is a legal basis for processing the personal data, informing data subjects about processing activities by means of privacy policies, complying with the controller's other documentation obligations and ensuring that the data is kept accurate. If and to the extent that the legal basis for processing personal data is the individual's consent, the controller is responsible for obtaining the consent and managing it as provided in the Regulation.
The processor is not entitled to process the personal data for any other purpose or on behalf of anyone else. The processor is entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation sets for adequate safeguards in international data transfers. The processor must immediately notify the controller if it considers that the written instructions provided by the controller for processing personal data are in violation of the Regulation or national data protection laws. In addition to the terms of this annex, the parties agree to comply with the Regulation as applicable to each party.
Additional details regarding processing may be described in the agreement or in a separate document.
The processor is entitled to use sub-processors for processing personal data. Additional information about sub-processors can be provided on request. If the processor plans to make changes to its sub-processors, it will notify the controller by giving at least 5 days' written notice. The processor's obligation to notify covers the intended addition, removal or replacement of a sub-processor. After receiving the notification, the controller has the right to object to the intended change in the use of a sub-processor. If the controller objects to the intended change and the processor cannot reasonably use another sub-processor or another method of processing the personal data, the processor is not liable for damages or harm caused by such objection. In this situation the processor is entitled to terminate the agreement by giving at least one month's written notice to the controller.
When using sub-processors for processing personal data, the processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex. The processor remains fully liable for its sub-processors' compliance with the requirements of this Annex.
All personal data processed by the processor on behalf of the controller is considered the controller's confidential information, and the processor shall not disclose the personal data to anyone or use it for any purpose other than the agreed purpose. The processor shall ensure that access to the personal data is limited to those persons who need it in order to fulfil the processor's obligations relating to the purpose, that such persons are subject to a strict duty of confidentiality, whether contractual or statutory, and that no person who is not under such a duty of confidentiality is permitted to process the personal data. The duties of confidentiality shall survive the termination or expiration of the Agreement.
The processor shall implement appropriate technical and organisational measures to protect the personal data in its possession from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. For the avoidance of doubt, this data security obligation does not extend to data systems or software that are owned by the controller or whose intellectual property rights belong to the controller or a third party.
Such measures can include, as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Personal data breaches
The processor must notify the controller without undue delay of any personal data breach it becomes aware of, so that the controller can comply with the personal data breach notification provisions of the Regulation within the time limits it sets. When notifying the controller, the processor must include the necessary details of the personal data breach and otherwise provide reasonable assistance to the controller. The processor must also take all other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.
Data protection impact assessment
If the processor becomes aware that the planned processing is likely to result in a high risk to the rights and freedoms of natural persons, it must notify the controller of this and, where necessary, assist the controller in conducting a data protection impact assessment.
Data subject’s rights
Taking into account the nature of the processing, the processor must reasonably and without undue delay assist the controller, including by appropriate technical and organisational measures, in fulfilling any request from a data subject to exercise their rights under the Regulation. Such rights may include, as described in the Regulation, the rights of access, rectification, objection, erasure ("right to be forgotten") and data portability. If such a request is made directly to the processor, it must notify the controller of the request without undue delay.
The processor shall permit the controller to audit the processor's compliance with these terms, and shall provide access to and make available to the controller all systems, premises, resources, information and staff necessary for the controller to conduct such an audit. Audits will be performed during normal business hours with the aim of causing as little disruption to the processor's business operations as reasonably possible. The controller must also give at least 20 days' advance notice of a planned audit. Each party bears its own costs and expenses relating to an audit. To avoid unnecessary audits, audits should be performed only where there is reason to believe that the processor is in violation of these terms or the applicable privacy laws.
Where the processor must assist the controller in fulfilling the controller's obligations relating to data breaches, data subjects' rights and data protection impact assessments, the processor is entitled to invoice the reasonable actual time spent on the assistance tasks at the hourly rates agreed between the parties. Invoicing the time spent on assistance tasks requires that the controller has accepted that the processor may spend time performing them.
Jobilla is not liable to the customer for any indirect, consequential or special damages or for claims made by third parties. The liability of Jobilla to the customer in respect of any claim for loss, damage, cost or expense that is attributable to a specific order, shall in no event exceed the amount specified as a liability cap in the limitation of liability provisions of the commercial agreement concluded by and between the parties.
Term and effects of termination
These terms come into force on the same date as the agreement between the parties and shall thereafter remain in force until the agreement is terminated or expires under its terms.
Within a reasonable time after the termination or expiration of the agreement, the processor shall delete all personal data or return it to the controller, and shall also delete all copies of the personal data, unless EU or member state law requires the processor to retain some or all of that data. In such an event any further processing of the personal data is prohibited, except to the extent required by law. The controller is responsible for ensuring that it has backup copies of the data prior to deletion, if it considers the data still necessary.
If the controller has not notified the processor of its choice between deletion and return of the data within 12 months of the termination or expiration of the agreement, the processor shall delete all personal data in its possession, including any copies, unless EU or member state law requires the processor to retain some or all of that data. In such an event any further processing of the personal data is prohibited, except to the extent required by law. The controller is responsible for ensuring that it has backup copies of the data prior to deletion, if it considers the data still necessary.
DESCRIPTION OF THE PROCESSING
Nature of processing:
Provision of Jobilla's services to its customers. Jobilla collects, processes and stores personal data on behalf of its customers in accordance with the agreement, the applicable laws and these terms. The customer controls what data is entered into Jobilla's service, so the data may include, for instance, the following categories of personal data: name, email address, phone number, job application, resume and other data. The data subjects are mainly the customer's job seekers.