CoRecruit – Data Processing Agreement

 

Article 1: Introduction

TeamsRecruit B.V. has updated this Data Processing Agreement, which is effective as of the date shown below. Disputes about this DPA and the Services provided by TeamsRecruit B.V. are subject to a binding agreement between the Client and TeamsRecruit B.V.

Last updated: September 26, 2022

 

Article 2: General

  1. The Agreement’s provisions shall apply in full to this Data Processing Agreement. If and insofar as the Agreement includes provisions relating to the processing of personal data, the provisions of this Data Processing Agreement shall prevail.
  2. Regarding the processing of personal data within the framework of the Agreement, the Client is regarded as the controller within the meaning of Article 4(7) of the General Data Protection Regulation (“GDPR”) and TeamsRecruit B.V. as the Processor within the meaning of Article 4(8) GDPR.
  3. Terms in the GDPR, such as “process”, “personal data”, “controller”, and “processor”, shall have the same meaning as that ascribed to them in the GDPR.

 

Article 3: CCPA Compliance

  1. Any personal information TeamsRecruit B.V. receives under this DPA will be processed by TeamsRecruit B.V. in its role as a service provider, as that term is defined under the CCPA.
  2. TeamsRecruit B.V. is prohibited from selling personal information it receives under this DPA and collecting, retaining, using, or disclosing such personal information for any purpose other than processing it as set out in this DPA.

 

Article 4: Processing of personal data

  1. TeamsRecruit B.V. shall process personal data for the Client under this Data Processing Agreement. An overview of the categories of personal data, data subjects, and the purposes for which the personal data are processed is provided in Annex 1.
  2. TeamsRecruit B.V. processes personal data exclusively for the benefit of the activities stated in this Data Processing Agreement or the Agreement. TeamsRecruit B.V. guarantees that, without the Client’s explicit and written consent, it shall not use the personal data processed under this Data Processing Agreement and the Agreement in any way unless a legal provision applicable to TeamsRecruit B.V. requires it to process the personal data. In that case, TeamsRecruit B.V. notifies the Client of that legal requirement prior to processing unless this legislation prohibits such notification for reasons of substantial public interest.

 

Article 5: Technical and organizational arrangements

  1. TeamsRecruit B.V. implements or orders the implementation of suitable technical and organizational measures to safeguard personal data against loss or any form of unlawful processing and to ensure a level of security aligned with the risk. These measures guarantee a suitable level of security given the risks associated with the processing and nature of the data to be protected, considering the latest technological developments and the realization costs. The technical and organizational measures adopted by TeamsRecruit B.V. are listed in Annex 2.

 

Article 6: Confidentiality

  1. TeamsRecruit B.V. shall arrange for all its employees involved in the execution of the Agreement to sign a declaration of confidentiality (which may or may not be included in the employment contract with these employees) which states, in any case, that these employees must observe confidentiality regarding the personal data. TeamsRecruit B.V. shall adopt measures, such as staff screening and data media safeguards, to ensure compliance with this declaration of confidentiality.

 

Article 7: Sub-Processors

  1. Within the framework of this Data Processing Agreement and the Agreement, TeamsRecruit B.V. is allowed to use third parties and subcontractors (“Sub-Processors”), as stated in Annex 1. If TeamsRecruit B.V. wishes to engage other Sub-Processors, TeamsRecruit B.V. will inform the Client of the intended changes and allow the Client to object to such changes.
  2. TeamsRecruit B.V. shall be obliged to contractually impose on every Sub-Processor at least the same obligations relating to data protection as those specified in this Data Processing Agreement.

 

Article 8: Liability

  1. Regarding TeamsRecruit B.V.’s liability under this Data Processing Agreement, the provision relating to the limitation of liability set out in the Agreement shall apply in full.
  2. Without prejudice to Article 6.1 of this Data Processing Agreement, TeamsRecruit B.V. is only liable for damage or loss caused by processing if, during such processing, the obligations under the GDPR that are aimed explicitly at TeamsRecruit B.V. have not been met, if TeamsRecruit B.V. has acted outside or in conflict with the Client’s lawful instructions, or if TeamsRecruit B.V. has culpably failed to comply with the Data Processing Agreement.

 

Article 9: Non-Endorsement and Release

  1. You acknowledge and agree that we provide software that enables Candidates and Recruiting Organizations to participate in recruiting activities.
  2. As a result, CoRecruit is not responsible for the accuracy, completeness, appropriateness, legality, or applicability of any content or anything said, depicted, written, or done by other users of the Services, including without limitation, any information that you may obtain by using the Services.
  3. TeamsRecruit B.V. does not endorse anything contained in any content created by users of the Services, or any information, opinion, recommendation, or advice expressed therein, and you understand that you must evaluate and bear all risks associated with the use thereof.
  4. You hereby release and forever discharge TeamsRecruit B.V. from all actions, causes of actions, claims, damages, and liabilities you may incur because of other users of the Services.

 

Article 10: Personal data breach

  1. If TeamsRecruit B.V. becomes aware of a personal data breach, it (i) notifies the Client without undue delay and (ii) takes all reasonable steps to prevent and limit any (further) breach.
  2. To the extent reasonable, TeamsRecruit B.V. shall assist and support the Client in executing its legal obligations regarding the incident identified.
  3. To the extent reasonable, TeamsRecruit B.V. shall support the Client with the Client’s obligation to report the personal data breach to the Data Protection Authority (Autoriteit Persoonsgegevens, “DPA”) and/or the data subject, as referred to in Article 33(3) and Article 34(1) GDPR. TeamsRecruit B.V. is never obliged to independently report a personal data breach to the DPA or the data subject. TeamsRecruit B.V. is never liable for the (correct or timely execution of the) Client’s reporting obligation as referred to in Articles 33 and 34 GDPR.

 

Article 11: Assistance

  1. To the extent reasonably possible, TeamsRecruit B.V. assists the Client with fulfilling the latter’s obligation under the GDPR to respond to requests relating to exercising a data subject’s rights. TeamsRecruit B.V. will forward any complaint or request from a data subject relating to processing personal data as soon as possible to the Client, who will be responsible for handling such.
  2. To the extent reasonably possible, TeamsRecruit B.V. assists the Client with fulfilling the latter’s obligation under the GDPR to conduct a data protection impact assessment.
  3. TeamsRecruit B.V. shall provide the Client with any information needed to demonstrate that TeamsRecruit B.V. is meeting its obligations under the GDPR. In addition, at the Client’s request, TeamsRecruit B.V. shall enable audits, including inspections, to be conducted by the Client or by an inspector authorized by the Client in consultation, and shall contribute to such.
  4. TeamsRecruit B.V. shall be entitled to charge any costs associated with the provisions of this article to the Client.
  5. Without prejudice to the specific provisions of the Agreement, at the Client’s request, TeamsRecruit B.V. shall immediately erase all personal data or return such to the Client and remove any existing copies unless TeamsRecruit B.V. is legally obliged to store the personal data.
  6. To the extent reasonably possible, TeamsRecruit B.V. will assist the Client with fulfilling the latter’s obligation under the GDPR to respond to requests relating to exercising a data subject’s rights. TeamsRecruit B.V. shall forward any complaint or request from a data subject relating to processing personal data as soon as possible to the Client, who shall be responsible for handling such.
  7. To the extent reasonably possible, TeamsRecruit B.V. shall assist the Client with fulfilling the latter’s obligation under the GDPR to conduct a data protection impact assessment (Articles 35 and 36 GDPR).

 

Annex 1: Overview of personal data

  1. Type of personal data
    1. Name and address
    2. Contact details
    3. Training and education details
    4. Occupation and employment
    5. Financial information (billing)
    6. Data on preferences (and purchases/participation)
    7. Identification details
  2. Categories of data subjects
    1. Applicants/candidates
    2. Customers
    3. Marketing contacts
    4. Employees
    5. Suppliers
  3. Purposes for which personal data shall be processed
    1. Recruitment purposes
    2. Marketing purposes
    3. Payment purposes
    4. Administrative purposes
    5. Statistical purposes
    6. Protection, improvement, and development of the Service and Application
    7. Assessment and acceptance of (future) customers
    8. Execution of agreement or contract
  4. Sub-Processors
    The processor shall use the services of the following sub-processor:
    1. Yourit bv, De Bouw 115, 3991 SZ Houten, The Netherlands

 

Annex 2: Specification of security and sub-processors

    Description of the technical and organizational measures adopted by TeamsRecruit B.V.

    1. Author of this document

    Name: V. Sleutels

    Role: Director

    Department: Management

    Contact details: vera@corecruit.com

    Sign-off date: September 26, 2022

    2. Data security official or IT manager

    Name: V. Sleutels

    Role: Director

    Department: Management

    Contact details: vera@corecruit.com

    Sign-off date: September 26, 2022

    3. Corporate IT Security Policies
    • Computer and IT Policies
    • Security and Network Guidelines
    • Password Management
    • Security Risk Analysis Policy

    4. Access Control of Processing Areas

    to prevent unauthorized persons from getting physical access to the information systems, the data processing device, and the confidential files and data medium

    • Alarm system
    • PIN access
    • Key locked server cabinets

    5. Access Control to Data Processing Systems

    to prevent data processing systems from being used without authorization

    • Access is limited to authorized personnel only
    • User access is logged

    6. Access Control to Use Specific Areas of Data Processing Systems

    to ensure that users entitled to use a data processing system have access only to the data to which they have a right of access

    • Users have the least necessary access based on their roles
    • Only CTO, IT manager, System administrator, and lead senior developers have access to data processing systems
    • User access is logged

    7. Transmission Control measures

    to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport

    • Every remote access is done through IPsec VPN
    • Although sensitive information should not transit through wireless, our WiFi uses WPA2 encryption
    • The preferred connection type, during data transport, is SSL encryption

    8. Input control measures

    to ensure that it is possible to determine who has entered, modified, or removed data from the systems

    • User access is logged
    • Email alerts are sent to IT Response Team on suspicious page access

    9. General corporate security measures concerning availability control against accidental loss or destruction of electronic data, files, and data medium
    • The data is properly backed up

    10. Segregation control measures

    to guarantee that all personal data are separated from other data and systems so that accidental use of the data for other purposes is excluded

    • The data from all the various environments are segregated from each other in separate systems and databases (Dev, Test, Staging, Pre-Production, Production, Corporate network).
    • Each environment has its own access authorizations.

    11. Job control measures

    to ensure Processor shall not access data exporter’s Personal Data, except for support purposes on request by data exporter; data Processor shall implement suitable measures to monitor access restrictions to Processor’s system administrators and to ensure that they act in accordance with instructions received

    • Individual appointment of system administrators
    • Adoption of suitable measures to register system administrators’ access logs to the infrastructure and keep them secure and accurate.
    • Keeping an updated list with system administrators’ identification details (e.g. user type(s), function(s), or organizational area) and tasks assigned and providing it promptly to the data exporter upon request.
    • The IT Manager is responsible for controlling external service providers, which may have access to personal data. Currently, no service provider has access to personal data.