Data processing conditions
1. Scope
1.1 These Data Processing Terms (“DataProcessing Terms“) shall apply to the processing of personal data relatedto the Services Contract by Paul's Job or its Subprocessors. These DataProcessing Terms shall supplement the Paul's Job End User License Terms (“Terms”)as per Clause 12.2 of the Terms.
1.2 Under these Data Processing Terms Paul's Job provides the following data processing services to Controller (“DataProcessing”): Storing and processing of personal data for candidate and employee management, execution of registration processes, and sending of messages to candidates and employees.Messages are sent by Paul's Job on behalf of Customer. Further details are set out in the Services Contract.
1.3 In the course of the Data Processing Paul'sJob may process the following personal data:
Professional Background: Resume/CV, cover letter/motivation letter, professional experience, educational background, skills and qualifications, professional preferences, professional certificates, school certificates, letters of recommendation, further education/training, professional social network profiles (e.g., LinkedIn)
Additional Personal Details: Hobbies, driver's license, criminal record certificate, information on disability status, religious affiliation, trade union membership
Account Information: Date and time of registration
Technical Data: Access and activity logs (domain name of the website, web browser used, operating system used, IP address of the requesting computer, timestamp of access to the software), error logs (domain name of the website, web browser and version, operating system, IP address, timestamp of error occurrence, error message/specification)
Candidates: Job applicants, interestedparties
Further details are set out in the Services Contract.
2. GeneralRights and Obligations
2.1 The Data Processing shall be conducted by Paul'sJob on behalf of Customer. Customer shall be responsible for compliance with applicable data protection laws.
2.2 Paul's Job may process personal data only in accordance with Customer’s instructions and the terms of this Agreement, unless required otherwise by the laws of the European Union or its Member States to which Paul's Job is subject.
2.3 Verbal instructions are permissible only in urgent cases and must be immediately confirmed by Customer at least in text form.
2.4 Paul's Job shall process personal data exclusively within the territory of a Member State of the European Union or a contracting state of these DataProcessing Terms on the European Economic Area. Any transfer of personal data to a third country shall require Customer’s prior written consent and shall only occur if the conditions of Chapter V of the EU General DataProtection Regulation of the European Union (“GDPR”) are met.
2.5 Paul's Job shall regularly audit its internal processes and data protection security mechanisms for compliance with applicable data protection laws, including the GDPR.
2.6 If required by applicable law, Paul's Job shall designate a data protection officer. Paul's Job shall provide Customer with the contact details of its data protection officer to facilitate direct communication.
2.7 Paul's Job shall within its capabilities assist Customer in fulfilling Customer’s obligations under Chapter III GDPR and Art.32 through 36 GDPR. The costs thereof shall be borne by Customer.
2.8 Paul's Job may only delegate the Data Processing to such employees who are bound by confidentiality obligations or who are under an appropriate statutory duty of confidentiality. Persons subordinated to Paul'sJob, having access to personal data of Customer, shall process such data exclusively in accordance with Customer’s instructions, unless they are legally obliged to process such data.
2.9 Upon completion of the Data Processing and upon termination of the Services Contract in its entirety at the latest, Paul's Job shall, at the choice of the Customer, and as far as Paul's Job is not bound by statutory retention duties, either return all personal data as well as all documents, data and copies obtained in connection with these Data Processing Terms to Customer, or upon the prior written consent of Customer, delete or destroy such personal data, documents, data and copies.
3. Information Obligations
3.1 Paul's Job shall immediately notify Customer if, in its opinion, an instruction of Customer infringes any data protection laws. Paul'sJob may suspend the execution of such instruction until it is confirmed or modified in writing by Customer.
3.2 Paul's Job shall immediately notify Customer of(A) any personal data breach, (B) any requests from data subjects exercising their data subject right; and (C) any inquiries or investigations by investigating and supervisory authorities, in each case, where relating to the Data Processing.
4. Technical and Organizational Measures
4.1 Paul's Job shall implement technical and organizational measures for the protection of personal data appropriate to comply with the requirements of the GDPR, in particular measures ensuring confidentiality, integrity, availability and resilience of the systems and services used for the Data Processing (each individually “TOM“, jointly “TOMs“).
4.2 The particular TOMs implemented by Paul's Job are further described in Attachment1 hereto.
4.3 Paul's Job may update or replace any of the implemented technical and organizational measures at any time with alternative measures that provide a comparable level of protection.
5. Subprocessors
5.1 Paul's Job shall be entitled to engage subprocessors for the Data Processing (“Subprocessors”) only withCustomer’s prior written consent. Customer shall not withhold its consent unless on important grounds of data protection law.
The Processor shall be liable for any damages resulting from its non-compliance with GDPR or this Agreement, including direct and indirect damages arising from data breaches. The Processor shall indemnify the Controller for all costs, fines, and claims incurred due to theProcessor’s negligence or misconduct.
5.2 Customer hereby consents to the engagement of Subprocessors by Paul's Job as follows:
5.3 Clauses Error! Reference source not found. and Error! Reference source not found. shall apply mutatismutandis to the replacement of Subprocessor by Paul'sJob and to the further subcontracting of the DataProcessing to another third party by Subprocessor.
6. ComplianceVerification
6.1 Paul's Job shall allow Customer or an external auditor commissioned by Customer to verify Paul's Job’s compliance with these Data Processing Terms (including the implementation of the TOMs pursuant to Clause Error!Reference source not found.). Paul's Job may demonstrate compliance with these Data Processing Terms by providing suitable evidence.
6.2 If compliance with these Data Processing Terms cannot be demonstrated through the means described in Clause Error!Reference source not found., Customer may conduct on-site inspections at Paul's Job’s premises, subject to the following conditions: (A) Inspections may only be conducted once per calendar year with at least 14 business days’ prior written notice; (B) inspections shall be conducted during normal business hours without disrupting Paul's Job’s business; (C) inspections shall only be performed by independent external auditors; (D) auditors shall not access Paul's Job’s trade secrets or confidential information or any data not subject to these DataProcessing Terms; (E) Paul's Job may object to an auditor for reasonable cause, such as if the auditor is a competitor of Paul's Job; and (F) Customer shall bear the costs of any inspections and any associated support provided by Paul's Job.