Personal Data Processing Agreement

Oct 19, 2024

This personal data processor agreement (this “Data Processing Agreement”) is entered into on this day between you, the Client, and us, TalentRiver AB.

1. Introduction

1.1 The Parties have entered into an agreement (the “Agreement”) regarding online human resources services to be provided by TalentRiver AB to the Client.

1.2 TalentRiver AB will process personal data on behalf of the Client when providing services under the Agreement and therefore act as its data processor. The Client is the data controller.

1.3 This Data Processing Agreement constitutes such agreement between the data controller and the data processor as set out in Art 28.3 of the GDPR.

2. Definitions

2.1 Terms defined in Applicable Data Protection Legislation, such as "data controller", "data processor", "personal data", "processing", "data subject" and "supervisory authority" shall be interpreted and applied in accordance with Applicable Data Protection Legislation.

2.2 In addition, the definitions below shall have the following meanings:

"Applicable Data Protection Legislation"
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR") and applicable Swedish data protection law.

"Client Personal Data"
Personal data that is transferred to, stored or otherwise processed, by TalentRiver AB on behalf of the data controller under the Agreement, as described in more detail in Appendix 1 (Specification).

"The Specification"
Appendix 1 (Specification) to this Data Processing Agreement.

3. Agreement Documents and Applicability

3.1 This Data Processing Agreement consists of this main document and Appendix 1 (Specification), which specifies the subject-matter and duration of the processing performed by TalentRiver AB, the nature and purpose of the processing, the type of Client Personal Data and categories of data subjects. In the event of any conflict or inconsistency between this Data Processing Agreement and the Agreement, the provisions of this Data Processing Agreement shall prevail.

4. Processing and Instructions

4.1 TalentRiver AB undertakes to only process Client Personal Data in accordance with this Data Processing Agreement, the Agreement, and the Client's written instructions. Such instructions are set out in this Data Processing Agreement and the Specification in Appendix 1.

4.2 Both parties undertake to comply with Applicable Data Protection Legislation to the extent that such legislation is applicable to the party's obligations under the Agreement.

4.3 If TalentRiver AB considers the Client’s instructions to be in conflict with Applicable Data Protection Legislation, TalentRiver AB shall notify the Client and await further instructions.

5. Appropriate technical and organisational measures

5.1 TalentRiver AB shall take appropriate technical and organisational measures as set out in Art 32 of the GDPR to ensure a level of security appropriate to the risks associated with the processing of Client Personal Data. In doing so, TalentRiver AB shall take into account the latest developments, the implementation costs and the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of the data subjects. A description of TalentRiver AB's security work can be found in Appendix 1 (Specification).


5.2 The Client considers that the security measures that follow from this Data Processing Agreement, the Specification and the Agreement constitute appropriate measures for the processing TalentRiver AB shall carry out under the Data Processing Agreement.

6. Transfer of personal data to a third country

6.1 All Client Personal Data will be stored on servers within the EU/EEA as further set out in Appendix 1 (Specification).

6.2 TalentRiver AB may only transfer personal data to a location outside of the EU/EEA or a country that is not subject to an adequacy decision by the European Commission pursuant to Article 45 of the GDPR if (i) TalentRiver AB has obtained the Client's prior, specific consent for such transfer, (ii) such transfer complies with Applicable Data Protection Legislation and is based on a valid transfer mechanism (e.g. standard contractual clauses) and (iii) an assessment of such third country has been made and documented.

6.3 If the prerequisites in Section 6.2 above are met, the Client gives general permission for TalentRiver AB to enter into the required standard contractual clauses with the receiving party when transferring Client Personal Data to locations outside of EU/EEA.

7. Information and Disclosure

7.1 TalentRiver AB shall assist the Client by appropriate technical and organisational measures, to the extent possible, so that the Client can fulfil its obligation to respond to requests for the exercise of the data subject's rights in accordance with Applicable Data Protection Legislation.

7.2 TalentRiver AB shall assist the Client, taking into account the type of processing and the information available to TalentRiver AB, to ensure compliance with the obligations under Articles 32-36 of the GDPR.

7.3 TalentRiver AB shall, in accordance with the Client's instructions, delete or return Client Personal Data to the Client after the processing of Client Personal Data has ended and delete existing copies of Client Personal Data, unless the deletion of the personal data is necessary according to EU member state law or otherwise agreed.


7.4 TalentRiver AB shall give the Client access to all information necessary for the Client to be able to demonstrate that the obligations laid down in Article 28 of the GDPR are complied with.

7.5 The Client acknowledges that their right to conduct audits under GDPR is fulfilled through the fact that TalentRiver AB ensures that an independent third party, appointed by TalentRiver AB, performs a systemic audit of the system on a regular basis. The results of the audit are made available to the Client on request.

8. Contact with Data Subjects and Supervisory Authorities

8.1 If a data subject, supervisory authority or other third party requests information from TalentRiver AB that concerns the processing of Client Personal Data, TalentRiver AB shall, without undue delay, refer such request to the Client and await further instructions, unless required to act according to Applicable Data Protection Legislation.

9. Subprocessors

9.1 The Client hereby grants TalentRiver AB general prior authorisation pursuant to Art 28 (2) of the GDPR to use subprocessors on behalf of the Client for the processing of Client Personal Data. TalentRiver AB shall impose on each subprocessor data protection obligations corresponding to those that TalentRiver AB has under this Data Processing Agreement. Appendix 1 (Specification) specifies the subprocessors that TalentRiver AB has engaged at the time of entering into this Data Processing Agreement.

9.2 TalentRiver AB shall inform the Client of any intended changes concerning the addition or replacement of other subprocessors. Such information will be provided on www.TalentRiver.ai. The Client shall be given the opportunity to object to such changes and have the right to terminate the Agreement prematurely as set out in Section 17.2 of the Agreement.

9.3 If the subprocessor does not fulfil its obligations regarding data protection, TalentRiver AB shall be fully liable to the Client for the performance of the subprocessor's obligations.

----
1 Art 28.3 (d)

10. Confidentiality

10.1 In addition to the confidentiality obligations set out in the Agreement, neither party shall disclose to third parties Client Personal Data or other information that emerges under this Data Protection Agreement ("Confidential Information"), unless such obligation exists under Applicable Data Protection Legislation or is instructed by the Client. Neither party will, directly or indirectly, on its own behalf or on behalf of others, use Confidential Information for any purpose other than to fulfil its obligations under Applicable Data Protection Legislation or this Data Processing Agreement.

10.2 TalentRiver AB shall ensure that persons authorised to process Client Personal Data have undertaken to observe confidentiality or are subject to an appropriate statutory obligation of confidentiality.

11. Compensation

11.1 TalentRiver AB’s Processing of Client Personal Data is a natural part of providing the services according to the Agreement and will thus be included in the fees for such services. TalentRiver AB is however entitled to additional compensation on a time and material basis for any cost incurred in relation to i) TalentRiver AB assisting the Client as set out in Section 7 or 8 above or ii) TalentRiver AB’s response to any request for information related to a data subject.

12. Liability

12.1 If TalentRiver AB or anyone for whom TalentRiver AB is responsible according to this Data Processing Agreement negligently processes Client Personal Data in violation of this Data Processing Agreement or contrary to lawful instructions of the Customer, TalentRiver AB shall reimburse the Client for damages suffered due to TalentRiver AB's incorrect processing.

12.2 The Client shall reimburse TalentRiver AB with a reasonable amount for damages incurred as a consequence of the non-fulfilment of the Client's obligations hereunder by the Client or by anyone for whom the Client is responsible.

12.3 A party shall not be liable for the other party’s loss of revenue, business opportunities, goodwill or other indirect damages.

12.4 A party’s obligation to pay damages, laid down in this section 12, only applies, provided that the non-breaching party without delay provides a written notification of any claims against the breaching party and the grounds for such claims.

12.5 The general limitation of liability in section 13 in the Agreement shall also apply to this Data Processing Agreement.

13. Changes

13.1 If the Applicable Data Protection Legislation is changed or if the supervisory authority issues guidelines, decisions or regulations concerning Applicable Data Protection Legislation that result in this Data Processing Agreement needing to be amended, TalentRiver AB shall make the necessary changes in order to meet such new or additional requirements and communicate such changes to the Client, taking effect 30 days from the notice.

13.2 TalentRiver AB may also amend the content of the Data Processing Agreement for other reasons (i.e. altered or new services, new processing based on new features, or implementation of new routines). Such amendments will be notified 90 calendar days before coming into effect. The Client can oppose such changes within 30 calendar days from when the notice is sent. If the Client opposes the amendment, TalentRiver AB may terminate an affected service(s) and corresponding amendment, or ultimately the Terms of Use Agreement before the amendment comes into effect. If the Client does not oppose the change within 30 days from notice, the amendment is deemed to be accepted.

14. Term and Termination

14.1 This Data Processing Agreement applies from its signature and for as long as TalentRiver AB processes Client Personal Data.

14.2 Upon termination of TalentRiver AB's processing of Client Personal Data, TalentRiver AB shall, in accordance with the Client's instructions (provided storage of such data is not required pursuant to national law or EU law, or TalentRiver AB has legal grounds to process such data), either (i) transfer all Client Personal Data to the Client; or (ii) permanently delete Client Personal Data.

APPENDIX 1 - SPECIFICATION

1. Purpose

1.1 This Appendix 1 (Specification) sets out the details concerning the processing of Client Personal Data, which TalentRiver AB processes on behalf of the Client under the Data Processing Agreement. The purpose of this Appendix 1 (Specification) is to clarify which processing and personal data are covered by the Service Agreement, and to fulfill the requirements of Applicable Data Protection Legislation regarding the obligation to specify the categories of a processor’s processing of personal data, see for example Article 28.3 of the GDPR.

2. Contact information

2.1 The Client (the data controller)

The Client identified in the Agreement

2.2 TalentRiver AB (the data processor)

Company: TalentRiver AB, reg. no. 559455-0005

Address: Östermalmsgatan 26, c/o SSE BUSINESS LAB, vån 3, 114 26 Stockholm, Sweden

Phone number: +46733592902

E-mail address: tim@talentriver.ai

Data Protection Officer: dpo@talentriver.ai

3. Processing of Personal Data

3.1 Categories of Personal Data

The Supplier may Process the following categories of Personal data:

a) Contact information (such as name, address, e-mail, telephone number, working title, workplace)
b) Social security number
c) Education and experience
d) Financial information (such as salary, tax and bank account information)
e) Information about absence from work (such as leave of absence, holiday, parental leave etc)
f) Sensitive personal data (to the extent submitted by the Client)

3.2 Categories of Processing

The following categories of Processing may, for example, take place:

Collection, structuring, storage, back-up, testing, incident handling, adaptation or alteration, alignment or combination, restriction, erasure or destruction.

3.3 Categories of Data Subjects

The following categories of data subjects are included:

a) Employees and former employees of the Client
b) Consultants and other individuals who work or have worked on behalf of the data controller

3.4 Purpose of the Processing activities

The purpose of the Processing activities is for TalentRiver AB to provide the Services to the Client as set out in, and for the duration of, the Agreement.

3.5 Duration of the Processing

TalentRiver AB will Process the Personal data during the term of the Agreement and until the Client has retrieved the Personal data, however no longer than 30 days after the Agreement has been terminated.

4. Security Measures

4.1 Technical and organisational security measures

The Supplier shall take the following technical and organizational security measures:

a) Encryption of data at rest and in transit
b) Control and log of access to the Personal data
c) Ensure that availability and access to personal data is restored in case of incidents

5. Subprocessors

The process for changing subprocessors is set out in Section 9 of the Data Processing Agreement.

At the time of entering into the Data Processing Agreement, TalentRiver AB has engaged the following subprocessors:

  • Microsoft Azure (Germany), Database infrastructure services

  • Microsoft Azure (Germany), Azure OpenAI Service

  • Datadog (Germany), User analytics

  • Sentry (Germany), Issue tracker

  • Intercom (Ireland), Support and Analytics