DATA PROCESSING AGREEMENT
This Data Processing Agreement sets out the framework for the processing of Personal Data by Textkernel (the Processor) on behalf of the Company (the Controller). It defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other. The provisions of the Agreement apply in full to this Data Processing Agreement. In case provisions with regard to the Processing of Personal Data are included in the Agreement, the provisions of this Data Processing Agreement prevail.
All capitalized terms not defined below shall have the meaning set forth in the Agreement.
1) DEFINITIONS
1.1) In this Data Processing Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:
Annex: the attachment to this Data Processing Agreement which form an integral part of it;
Controller, Processor, Sub Processor, Data Subject, Personal Data, Personal Data Breach and Process/ Processing: all shall have the meanings set out in the GDPR, as amended or replaced from time to time, regardless of whether the GDPR is applicable in any particular circumstance;
GDPR: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data;
2) PURPOSE OF THE PERSONAL DATA PROCESSING
2.1) The Company and Textkernel have concluded the present Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the applicable purposes of Processing, is included in Annex 1.
2.2) The Company is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation. The Company will indemnify and hold Textkernel harmless against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
2.3) Textkernel undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement. Textkernel guarantees that it will not use the Personal Data which it Processes in the context of this Data Processing Agreement for its own or third-party purposes without Company’s express written consent unless a legal provision requires Textkernel to do so. In such a case, Textkernel shall immediately inform the Company of that legal requirement before Processing, unless that law prohibits such information on the grounds of public interest. The Company acknowledges (and to the extent legally required: agrees) that Textkernel processes personal data for various purposes with regard to Textkernel’s Artificial Intelligence and Machine Learning tools.
3) TECHNICAL AND ORGANIZATIONAL PROVISIONS
3.1) Textkernel will, taking into account the nature of the Processing and insofar as this is reasonably possible, assist Company in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. Textkernel will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
4) CONFIDENTIALITY
4.1) Textkernel will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
5) TRANSBORDER DATA PROCESSING
5.1) Textkernel makes available processing nodes physically located in various locations. The Company may request a processing node within the EU and will be provided credentials and a URL endpoint within the EU. With the exception of cases where the Company uses Textkernel’s LLM Parser or FlexRequests services, data sent to the EU node for processing of Personal Data will always be processed within the EU only, and no EU Standard Contractual Clauses are necessary to comply with the GDPR. However, in the case that the Company chooses to send EU Data Subject’s Personal Data to the Services for processing at a node outside the EU or chooses to use Textkernel’s LLM Parser or FlexRequests services then the Standard Contractual Clauses will apply. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
6) SUB-PROCESSORS
6.1) Textkernel is entitled to outsource the implementation of the Processing Sub-processors, either wholly or in part, which parties are listed in Annex 2. In case Textkernel wishes to enable Sub-processors, Textkernel will inform the Company of any intended changes concerning the addition or replacement of Sub Processors. The Company shall be entitled to object to such changes on the basis of reasonable, objective grounds within 20 Business Days of receipt of the notification. Textkernel will respond to the objection within 20 working days. In the event of a valid objection, Textkernel may appoint another sub processor on an agreed basis to respond to such objection.
6.2) Textkernel obligates each Sub-processor to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Data Processing Agreement.
7) LIABILITY
7.1) With regard to the liability and indemnification obligations of Textkernel under this Data Processing Agreement the stipulation in the Agreement regarding the limitation of liability applies.
7.2) Without prejudice to section 7.1 of this Data Processing Agreement, Textkernel is solely liable for damages suffered by Company and/or third-party claims as a result of any Processing, in the event the specific obligations of Textkernel under the GDPR are not complied with or in case Textkernel acted in violence of the legitimate instructions of Company.
8) PERSONAL DATA BREACH
8.1) In the event Textkernel becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify Company without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.
8.2) Textkernel will, insofar as reasonable, provide all reasonable cooperation requested by Company in order for Company to comply with its legal obligations relating to the identified incident.
8.3) Textkernel will, insofar as reasonable, assist Company with Company’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Articles 33(3) and 34(1) of the GDPR. Textkernel is never held to report a personal data breach with the Data Protection Authority and/or the data subject.
8.4) Textkernel will not be responsible and/or liable for the (timely and correctly) notification obligation to the relevant supervisor and/or data subjects, as meant in Articles 33 and 34 of the GDPR.
9) COOPERATION
9.1) Textkernel will, insofar as reasonably possible, provide all reasonable cooperation to Company in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Article 15 of the GDPR), rectification (Article 16 of the GDPR), erasure (Article 17 of the GDPR), restriction (Article 18 of the GDPR), data portability (Article 20 of the GDPR) and the right to object (Articles 21 and 22 of the GDPR). Textkernel will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Company as soon as possible, as the Company is responsible for handling the request. Textkernel is entitled to charge any costs associated with the cooperation with the Company.
9.2) Textkernel will, insofar as reasonably possible, provide cooperation to the Company in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Articles 35 and 36 of the GDPR). Textkernel is entitled to charge any costs associated with the cooperation with the Company.
9.3) Textkernel will provide the Company with all the information reasonably necessary to demonstrate that Textkernel fulfills its obligations under the GDPR. Furthermore, Textkernel will – at the request of Company – enable and contribute to audits, including inspections by Company or an auditor that is authorized by Company. In case Textkernel is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, Textkernel will inform the Company immediately.
10) TERMINATION AND MISCELLANEOUS
10.1) This Data Processing Agreement shall be valid for the duration of the provision of the services within the Agreement or any pursuant agreements regarding the provision of services similar to the ones described within the Agreement.
10.2) With regard to the termination under this Data Processing Agreement the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, Textkernel will, at the first request of the Company, delete or return all the Personal Data, and delete all existing copies, unless Textkernel is legally required to store (part of) the Personal Data.
10.3) The Company will adequately inform Textkernel about the (statutory) retention periods that apply to the Processing of Personal Data by Textkernel.
10.4) The obligations laid down in this Data Processing Agreement which, by their nature, are designed to continue after termination will remain in force also after the termination of this Data Processing Agreement.
10.5) The choice of law and competent court comply with the applicable provisions of the Agreement.
ANNEX 1
OVERVIEW PERSONAL DATA
TYPE OF PERSONAL DATA:
• Name (incl. first name, last name)
• Date of birth
• Address Data (incl. street, city, zip code, state, country)
• Contact details (incl telephone and e-mail data)
• Job application data (incl. information on the professional career, education and qualifications of candidates)
• Performance review data
CATEGORIES OF DATA SUBJECTS:
• Job Applicants/Job Candidates/Job seekers
• Employees
PURPOSES OF PROCESSING:
• Providing Parsing Service to turn CVs/resumes and social media profiles into complete and searchable candidate records
• Providing a Semantic Search and Match Engine to find the right candidates and jobs in client or external databases
• Providing a Semantic Search and Match Engine to automatically match candidate profiles and job descriptions
• Providing Skills Intelligence Services to identify, extract and normalize the skills found in CVs/Resumes, social media profiles or HR documents and turn them into a machine-readable format
• Providing Candidate Engagement Services through multiple communication channels
• Providing Mid-Office Services for automating staffing processes such as onboarding, time registration, managing sick leave and provisioning materials
• Maintenance and support with respect to the tools and services that Textkernel provides to its customers
ANNEX 2
OVERVIEW OF SUB PROCESSORS
Textkernel Sub Processors:
The Sub processors mentioned below are applicable to the Textkernel Services, excluding Mid-Office and Candidate Engagement Services:
Mid-Office Services Sub Processors:
The Sub processors mentioned below are applicable to Textkernel’s Mid-Office Services:
Candidate Engagement Service Sub Processors:
The Sub processors mentioned below are applicable to Textkernel’s Candidate Engagement Services: