This GDPR Data Processor Data Protection Addendum is entered into by TalentQuest LLC (“Processor”) and TalentQuest Client agreeing to these terms (“Controller”). To the extent that Processor engages in the processing of Personal Data on behalf of Controller in the course of carrying out Processor’s obligations under the Agreement, Processor shall comply with European Union Regulation 2016/679 (the General Data Protection Regulation or “GDPR”), the UK Data Protection Act of 2018 and the Swiss Federal Act on Data Protection, as amended (“Data Protection Laws”) to the extent applicable to Personal Data processed by Processor. Unless otherwise specified all terms used herein shall have the same meaning as under the applicable Data Protection Laws.
Without limiting the foregoing, the Parties agree:
- Processor shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of the data subject.
- Controller grants Processor general authorization to engage other processor(s) (i.e. sub-processor(s)), including those identified at http://www.talentquest.com/sub-processors/, provided, however, that Processor shall comply with the requirements of Section 3, and also shall provide Controller with prior written notice of any intended changes concerning the addition or replacement of other processor(s) by posting such changes at http://www.talentquest.com/sub-processors/, thereby giving the Controller the opportunity to object to such changes. Controller shall have 10 days from the date of notice of a new sub-processor by posting to the aforementioned internet URL to object to the use of such a sub-processor. Controller may only object in the event that Controller believes that the sub-processor is unable to safeguard Personal Data in accordance with the requirements of this Addendum and applicable law. Processor may not utilize the processor(s) that are the subject of the objection. In the event that Controller objects to a sub-processor, Processor may seek to find a substitute sub-processor or, in its sole discretion, terminate the Agreement without penalty to Processor, with Controller responsible for any amounts then outstanding in accordance with the terms of the Agreement.
- Processor has performed an internal Privacy Impact Analysis related to general processing activities and will continue to do so as required.
- Where Processor engages another processor for carrying out specific processing activities on behalf of Controller, the same data protection obligations as set out in the Agreement and herein shall be imposed on that other processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and other applicable law. Where that other processor fails to fulfil its data protection obligations, Processor shall remain fully liable to Controller for the performance of that other processor’s obligations.
- Processing may only be undertaken for purposes set forth in the Agreement and any exhibits, statements of work or addenda executed between the parties or written instructions the Controller (“Instructions”). Attachment A sets out the subject-matter and duration of the processing to be undertaken, the nature and purpose of the processing, the type of Personal Data and categories of data subjects to be processed. Consent to process data related to a data subject has been provided and the processor must abide by the scope and limitations of that consent.
- Processor shall:
(a) process the Personal Data only on documented lawful instructions from the Controller that are consistent with the terms of the Agreement and any applicable statement of work, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;(b) ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) secure all Personal Data, including taking all measures required pursuant to GDPR Article 32 and other applicable Data Protection Laws;
(d) only engage another processor in compliance with the terms set forth in Sections 2 and 3;
(e) Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR (GDPR Articles 12-23) and other applicable Data Protection Laws, provided, however, that such assistance may result in additional charges to Controller at Processor’s then prevailing hourly rates;
(f) Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 and other Data Protection Laws taking into account the nature of processing and the information available to the processor, provided, however, that such assistance may result in additional charges to Controller at Processor’s then prevailing hourly rates;
(g) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing and delete existing copies unless applicable Data Protection Laws requires storage of the Personal Data;
(h) make available to the Controller all information necessary to demonstrate compliance with the obligations set forth herein and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, provided, however, that such assistance may result in additional charges to Controller at Processor’s then prevailing hourly rates; and
(i) Processor shall immediately inform Controller if, in its opinion, an instruction infringes GDPR requirements or other European Union, Member State, UK or Swiss data protection provisions.
- To the extent that Processor receives personal data from Controller that Controller has transferred, transfers, or causes or caused to be transferred from the European Economic Area, United Kingdom or Switzerland for processing under the Agreement, Controller and Processor agree to the terms of the Controller to Processor Standard Contractual Causes approved by the European Commission, set forth in Attachment A and incorporated into this Addendum by reference.
- In the event of a conflict between a provision of this Addendum and the Agreement, the terms of the Addendum shall control. All other provisions of the Agreement remain in effect and unchanged.