Data Protection Addendum
Effective Date: June 12, 2018
The terms hereof apply to any agreement (the “Agreement”) in which they have been incorporated by reference.
In compliance with the General Data Protection Regulation ((EU) 2016/679) ("GDPR”). this Data Protection Addendum (this “Addendum”) sets forth the parties’ agreement concerning TMP’s processing of Personal Data (defined below) pursuant to the Agreement. The terms herein apply solely to the extent that Data Processing Legislation applies to the processing of Client Personal Data.
1.1 Terms defined in the Agreement shall have the same meaning when used in this Addendum, unless defined below. In addition, the definitions below apply to this Addendum.
Data Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of Personal Data.
Data Processor: means a natural or legal person, public authority or other body that directly or indirectly processes Personal Data on behalf of the Data Controller.
Data Protection Legislation: means (i) the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time; and (ii) in the United Kingdom, any successor legislation to the GDPR and/or the Data Protection Act 1998.
Data Subject: has the meaning set out within the definition of Personal Data.
Personal Data: means any information relating to an identified or identifiable natural person (“Data Subject”), an identifiable natural person being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use or discourse by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and “process” and processes” will be interpreted accordingly.
2. Data Protection
- 2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
- 2.2The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and TMP is the Data Processor.
- 2.3Article 3 of this Addendum sets out the scope, nature and purpose of Processing by TMP, the duration of the Processing and the types of Personal Data and categories of Data Subject.
- 2.4Without prejudice to the generality of clause 2.1 of this Addendum, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to TMP for the duration and purposes of the TalentBrew Agreement.
- 2.5Without prejudice to the generality of clause 2.1 of this Addendum, TMP shall, in relation to any Personal Data processed in connection with the performance by TMP of its obligations under the TalentBrew Agreement and/or this Addendum:
- Process that Personal Data only on the written instructions of the Client unless TMP is required by the laws of any member of the European Union or by the laws of the European Union applicable to TMP to process Personal Data (“Applicable Laws”). Where TMP is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, TMP shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit TMP from so notifying the Client.
- Ensure that it has in place appropriate technical and organizational measures, reviewed and approved by the Client, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it).
- Ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
- Not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
- TMP or the transferee has provided appropriate safeguards in relation to the transfer;
- the Data Subject has enforceable rights and effective legal remedies;
- TMP complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred;
- TMP complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data.
- Assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators
- Notify the Client promptly, but in any event within seventy-two (72) hours, on becoming aware of a Personal Data breach.
- At the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the Agreement unless required by Applicable Law to store the Personal Data.
- Will make available to the Client all information necessary to demonstrate compliance with this Agreement and will permit the Client and its third party representatives to audit TMP’s compliance with this Addendum, on not less than five (5) business days’ notice, during the term of the TalentBrew Agreement. TMP will provide the Client and its third party representatives all reasonable and necessary assistance to conduct such audits.
- 2.6Notwithstanding the foregoing, Client acknowledges and agrees that Personal Data will be transferred and processed in the United States by Processor.
- 2.7The Client consents to TMP appointing third party processors of Personal Data as set forth in Article 3 of this Addendum. TMP confirms that it has entered or (as the case may be) will enter with the third party processor into a written agreement incorporating terms which are substantially similar to those set out in this Article 2. As between the Client and TMP, TMP shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to this clause 2.7.
3. Processing by TMP
- 3.1In connection with recruitment marketing services, Processor processes Personal Data as follows:
- SCOPE – Information collected through forms submitted via branded job sites and tracking technologies applied to such sites.
- NATURE – TMP will process, including via collection, recordation, structuring, storing, altering, retrieving, using, combining, erasing and destroying Personal Data solely for the purpose of providing services to Client.
- PURPOSE OF PROCESSING – To market job opportunities to candidates and enhance marketing campaigns for open positions and to prepare analytics reports concerning the effectiveness of such marketing.
- DURATION OF THE PROCESSING – Term of the TalentBrew Agreement.
- 3.2Types of Personal Data: First name, last name, email address, location, job preferences, together with application data made available by Client and IT information (IP addresses, usage data, cookies data, device specific information, connection data and location data).
- 3.3Categories of Data Subject: Potential applicants or applicants for employment with Client.
- 3.4Third Party Processors:
- Third party processors retained by TMP. Client acknowledges and agrees to Processor’s use of the third party processors listed on Processor’s website, located at www.tmp.com/gdpr. Any changes to third party processors shall be posted on the website sufficiently in advance to allow Client the opportunity to object to such changes. If Client does not object, Client shall be deemed to have consented to the change.
- Other Data Processors retained by Client. TMP will comply with Client’s reasonable instructions to cooperate with third party processors retained directly by Client, including without limitation placing such third party processors’ tracking tags for Client. Client agrees to ensure that any such third party is compliant with all applicable Data Protection Legislation and shall indemnify and hold harmless TMP from any claims or losses resulting from the failure of such third party processors to comply with all applicable Data Protection Legislation.