Product
About
Terms and conditions applicable to data sharing and data processing in connection with the provision by inploi of recruitment technology services

INTRODUCTION

(A) inploi is a provider of online services that support employers seeking to advertise job opportunities and/or undertake recruitment campaigns, offering a dedicated landing point and application experience for individuals interested in work and career opportunities.

(B) Inploi and the Company have entered into a contract (“the Services Contract”) which comprises the terms and conditions of business of inploi and one or more Order Forms under which inploi is to provide Services to the Company. In order to assure the lawful performance of the Services Contract inploi is required to facilitate the procurement and the processing of personal data which is then made available to the Company. 


(C) Certain of the data may already be held by inploi or when procured is to be treated as Shared Personal Data.

(D) These terms and condition constitute a legally binding framework for the procuring and sharing of personal data by inploi in connection with the Agreed Purpose (as defined below) when providing Services to the Company. This document is referred to as the “Data Addendum” and forms part of the Services Contract.


(E) The Parties acknowledge that for the purposes of the Data Protection Law, the Company is the “Data Controller” and inploi is the “Data Processor” in relation to Company Data (which includes personal data) procured by inploi in accordance with the requirements of the Services Contract and in relation to Shared Personal Data each Party is separately a Data Controller.

  1. INTERPRETATION
    1.1 In this Data Addendum the following words and expressions have the following meanings:
Agreed Purpose

processing of personal data for the purpose of the proper performance of the Services Contract.

Article

an article of the UK GDPR.

Company Data

data provided to the Company by inploi under instructions from the Company in connection with performance of the Services Contract as described at paragraph 2.2 of the Schedule to this Data Addendum.

Data Protection Law

1. the Data Protection Act 2018 to the extent that it relates to processing of personal data and privacy;
2. the Privacy and Electronic Communication (EC Directive) Regulations 2003; and
3. the retained EU law version of the General Data Protection Regulation (Regulation (EU) 2016/679) (“UK GDPR”),
each as amended and updated from time to time.  

Data Sharing Code of Practice

the Code of Practice published by the UK Information Commissioner on 14 September 2021 pursuant to s125 of the Data Protection Act 2018.

Data Subject Request

a request from a data subject relating to the exercise of his or her legal rights under Data Protection Law.

Shared Personal Data

the personal data to be shared by inploi under this Data Addendum as described at paragraph 2.1 of the Schedule to this Data Addendum.

SPoC

the person appointed by each Party pursuant to Clause 2.4.

Term

Such period as the Services Contract is in effect subject to any obligation under this Data Addendum which is expressed to continue thereafter so continuing.

Working Days

means Monday to Friday excluding any bank and Statutory holidays in England when banks in London are closed for business.

1.2. The terms “personal data”, “data breach”, “data subject”, “processor”, “controller”, “processing”, “personal data, “pseudonymisation” and “supervisory authority” will have the meanings given them by Data Protection Law.

1.3. Unless the context otherwise requires references to persons shall include natural persons, bodies corporate, unincorporated associations, governments, states, trusts and partnerships, in each case whether or not having a separate legal personality.  References to the word “include” or “including” are to be construed without limitation.

1.4. References to Schedules and Clauses are to the schedules and clauses of this Addendum unless otherwise specified.

1.5. References in this Data Addendum to any statute or statutory provision (“legislation”) include a reference to that legislation as amended, extended, consolidated or replaced from time to time and include any former legislation which it re-enacts, consolidates or replaces and any order, regulation, instrument or other subordinate legislation made under the relevant legislation.

1.6. Any reference to “writing” or “written” includes email but does not include any other electronic form of communication including any digital format.

1.7. Terms set out in the Services Contract where used in this Data Addendum shall be construed in like manner unless expressly stated to the contrary.

2. AGREED PURPOSE

2.1. The Parties consider the procuring and subsequent provision of personal data to the Company is necessary in order to achieve the Agreed Purpose.  The aim of the data sharing and procuring and provision of Company Data to the Company is to facilitate the transfer of expressions of interest and other related data from potential candidates who may seek employment with the Company.  The data sharing will benefit individuals through the ease with which access to work opportunities become available.

2.2. The Company acknowledges that it may only process Shared Personal Data in a manner that is compatible with the relevant privacy policy of the Company as made available to inploi and accessible accordingly to individuals whose data inploi thereupon processes subject to the Company obtaining in a lawful manner any further consents that it requires from data subjects. The Company shall not process Shared Personal Data in a way that is incompatible with the Company’s relevant privacy policy without subsequently securing additional rights to do or using any other lawful basis for processing available to the Company under Data Protection Law.

2.3. The Company agrees to process Company Data in compliance with Data Protection Law and in a manner provided for by a privacy policy that is notified to and accessible by data subjects at the point of collection of the personal data by inploi.

2.4. Each Party shall appoint a single point of contact with responsibility for the administration of this Addendum and oversight of the processing hereunder, in the case of inploi as set out in the Schedule and in the case of the Company as set out in any Order Form or otherwise notified in writing by the appointing Party to the other Party.

3. DATA PROCESSOR OBLIGATIONS

3.1. Schedule 1 describes the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types which inploi may process under this Data Addendum in connection with the Agreed Purpose.

3.2. Inploi shall comply with all applicable requirements of Data Protection Law.

3.3. This Addendum is in addition to, and does not relieve, remove or replace, Inploi’s obligations under Data Protection Law.

3.4. Without prejudice to the generality of Clause 3.3, Inploi undertakes:

3.4.1. to process the Company Data and where for the benefit of the Company, Shared Personal Data under documented instructions except insofar as required to do otherwise by Data Protection Law.

3.4.2. to treat as documented instructions associated with the performance of the Services the purpose(s) specified in the Schedule to this Data Addendum.  If Inploi considers, in its opinion, that an instruction breaches Data Protection Law or any other law in relation to the processing of the personal data, it shall immediately inform the Company.  In addition, if Inploi is required by any Data Protection Law to process personal data in a manner not anticipated by the Company’s instructions, inploi shall promptly notify the Company of this before performing the processing required, unless the law prohibits the Data Processor from notifying the Company;

3.4.3. to ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

3.4.4. to ensure that all personal data is kept confidential;

3.4.5. to ensure that all personnel who have access to and/or processes personal data are obliged to keep the personal data confidential and have undertaken the necessary training in relation to handing personal data;

3.4.6. not to transfer any personal data outside of the United Kingdom unless the United Kingdom government have adjudged the date protection laws of the territory to which such data is transferred to be adequate in its protection of personal data and the transfer is made in a manner that is lawful under Data Protection Laws unless in any other case the following conditions are fulfilled:

3.4.6.1. the Company or Inploi on its behalf has provided appropriate safeguards in relation to the transfer;

3.4.6.2. the data subject has enforceable rights and effective legal remedies;

3.4.6.3. the relevant data processor complies with its obligations under equivalent data protection laws in that territory by providing an adequate level of protection to any personal data that is transferred; and

3.4.6.4. the relevant data processor complies with reasonable instructions notified to it in advance by inploi on behalf of the Company with respect to the processing of the personal data;

3.4.7. to assist the Company at the Company’s cost, in responding to any request from a data subject If a data subject contacts inploi to exercise any of their rights in respect of their personal data where the request includes a request for Company Data, then inploi shall promptly notify (and in any case no later than three Working Days after receipt of the request) to the Company’s SPoC;

3.4.8. to notify the Company’s SPoC without undue delay (but in any event in all cases within 48-hours) on becoming aware of a data breach that concerns or includes Shared Personal Data obtained in connection with the provision of the Services or Company Data.  The notification must be accompanied by any useful information to allow the Company, if necessary, to notify the data breach to the relevant supervisory authority.  As a decision of the Company after having first consulted with inploi the Company shall have responsibility for the notification of the data breach to each of the affected data subjects.  The information to the data subjects may describe, in clear and plain language, the nature of the data breach and (i) the contact details where more information can be obtained; (ii) the likely consequences of the data breach; and (iii) any measures taken or proposed to be taken by the Company to address the data breach and mitigate any possible adverse effects;

3.4.9. to assist the Company in performing impact assessments and consultations with supervising authorities and regulators;

3.4.10. to maintain complete and accurate records and information to demonstrate its compliance with this Addendum and allow for audits by the Company or the Company’s designated auditor;

3.4.11. to notify the Company of the name and contact details of its data protection officer if it has appointed one in accordance with Data Protection Law;

3.4.12. to promptly provide the Company with notice and full details of any compensation claim that it receives from any person relating to processing of personal data that is either Shared Personal Data or Company Data, and not make any admission of liability not agree any settlement or compromise of the relevant claim (to the extent that it concerns any alleged disclosure of Company Data) without the Company’s prior written consent and in relation to Shared Personal Data act reasonably and only in accordance with legal advice make any admission in relation to Shared Personal Data nor agree any settlement or compromise of the relevant claim, and to consult fully with the Company prior to taking any action; and

3.4.13. to indemnify the Company against any direct loss or damage (but not loss of profit or any consequential loss) that it suffers in relation to any breach by inploi of its obligations under this Addendum.

3.5. inploi further undertakes:

3.5.1. not to engage another person to process any of the Company’s personal data (a “sub-processor”) without the Company’s prior specific or general written authorisation;

3.5.2. in the case of a general written authorisation, to inform the Company of any intended changes concerning the addition or replacement of any sub-processor (and allow the Company reasonable opportunity to object to such change);

3.5.3. to ensure that its sub-processor(s) are engaged on terms equivalent to those to which inploi is itself subject under this Schedule (and any other confidentiality or similar obligations contained in this Addendum);

3.5.4. to ensure that any sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law (including the requirements relating to security, integrity and confidentiality); and

3.6. where a sub-processor fails to fulfil its data protection or confidentiality obligations, inploi agrees that it remains fully liable to the Company for the performance of (or failure to perform) those obligations.

4. SHARED PERSONAL DATA

4.1. Each Party shall, when processing Shared Personal Data:

4.1.1. ensure compliance with Data Protection Law at all times;

4.1.2. without prejudice to the generality of the foregoing comply at all times  with relevant requirements of the Data Sharing Code of Practice

4.1.3. process Shared Personal Data only on the basis of a lawful ground for processing as set out in Article 6 or Article 9 as applicable,
and each Party’s lawful grounds for processing, and legal power under which it is permitted to share the Shared Personal Data in connection with this Addendum is set out in the Schedule.


4.2. Where a Party relies on consent as its lawful ground for processing Shared Personal Data, it shall:

4.2.1. obtain that consent in a lawfully appropriate form; and

4.2.2. cease processing and notify the other Party as soon as reasonably practicable in the event that any data subject withdraws their consent for the processing.

4.3. The Shared Personal Data processed by the Company must not be irrelevant or excessive with regard to the Agreed Purpose. 

5. RIGHTS OF DATA SUBJECTS

5.1. Each Party shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the data subjects of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 13.

5.2. Notwithstanding that each Party remains responsible for compliance with its obligations in respect of the rights afforded to data subjects under Data Protection Law, if a Party (the “Requested Party”) receives a Data Subject Request, the other Party (the “Assisting Party”) shall (without undue delay and taking into account the duty of the Requested Party to respond to the data subject within one month) provide the Requested Party with any information and assistance reasonably required by the Requested Party in order to comply with its obligations in respect of the Data Subject Request.

5.3. Subject to the obligations of the Assisting Party under this Clause 5, the Requested Party shall be responsible for ensuring that Data Subject Requests received by it are responded to in compliance with Data Protection Law.

5.4. Each Party shall maintain a record of Data Subject Requests, the decisions made and any information that was provided to the data subject in response to Data Subject Requests.

6. DATA RETENTION

6.1. The Company shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes save that the Company may:

6.1.1. store such copies as it is required to store to comply with a requirement imposed by applicable law to the extent necessary to meet that requirement. 

6.1.2. store and further process the Shared Personal Data under conditions lawfully permitted where it has assumed responsibility as a Data Controller in respect of that Shared Personal Data.

6.2. Notwithstanding Clause 6.1, the Company may continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in its respective countries and/or industries.

6.3. Subject to Clauses 6.1 and 6.2, the Company shall ensure that any Shared Personal Data are (at inploi’s option) deleted or returned (along with any copies of the same) upon:

6.3.1. processing of the Shared Personal Data by the Company no longer being necessary for the Agreed Purposes;

6.3.2. termination of this Addendum; or

6.3.3. expiry of the Term,
and the Company shall on request certify to inploi in writing that it has deleted or returned such personal data in accordance with this Clause 6.

7. TRANSFERS

7.1. For the purposes of this Clause 7, transfers of personal data shall mean any sharing of Company Data by inploi with a third party, including subcontracted processing of, and granting a third party controller access to, the Shared Personal Data.

7.2. inploi’s sub contractors at the date of this Data Addendum are as set out in inploi’s privacy notice.

7.3. inploi shall not transfer Company Data that it processes under the Company’s documented instructions nor shall the Company transfer Shared Personal Data that it processes to a third party unless:

7.3.1. it has a written contract in place with such third-party imposing conditions on the third party that are at least equivalent to the that Party’s obligations under this Data Addendum;

7.3.2. where the third party is located outside the EEA, either:

7.3.2.1. the United Kingdom government has determined that the country or organisation to which the personal data is to be transferred ensures adequate protection under Article 45;  or


7.3.2.2. other appropriate safeguards are in place pursuant to Article 46; or

7.3.2.3. one or more of the derogations in Article 49 applies
and that appropriate safeguards are taken in accordance with the requirements of UK GDPR or otherwise under arrangements made with the consent of the Company;

7.3.3. In the case of transfers to a third-Party data processor, it complies with Article 28 and Article 30,
and in respect of any transfer the relevant Party shall remain liable to the other Party for the acts and omissions of the third Party.

8. SECURITY AND TRAINING

8.1. The Parties shall implement and maintain appropriate technical and organisational measures to:

8.1.1. prevent unauthorised or unlawful processing of, and accidental loss or destruction of, or damage to, personal data and in the case of inploi the Company Data; and

8.1.2. ensure a level of security appropriate to the risk and the nature of the personal data, and to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage.

8.2. In assessing the appropriate level of security measures to be taken under Clause 8.1 above, each Party shall take account of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

8.3. Each Party shall subject to clause 3.4.8 in the case of inploi comply with its obligations to report any data breach to the appropriate supervisory authority and (where applicable) data subjects under Article 33, and shall each:

8.3.1. inform the other Party of any data breach without undue delay irrespective of whether there is a requirement to notify any supervisory authority or data subject(s), and thereafter provide details of the data breach including, where possible in the case of Shared Personal Data, the categories and  approximate number of data subjects and in the case of inploi where relevant  Company Data concerned, the likely consequences of the data breach, and the measures it has taken or proposes to take in to address and mitigate the data breach;


8.3.2. provide the other Party with any information and assistance reasonably required by that other Party in connection with any data breach; and

8.3.3. maintain a record of data breaches, the data and data subjects affected, and the actions taken in response to the data breach.

8.4. Each Party shall ensure that its employees and any other persons with access to the Shared Personal Data and in the case of inploi the Company Data:

8.4.1. have received, and shall continue to receive on a regular basis, appropriate training in their and the Company’s obligations under Data Protection Law and in the care and handling of personal data, and that they have been appropriately trained to handle the personal data in accordance with the technical and organisational measures implemented in accordance with Clause 8.1; and

8.4.2. are subject to binding obligations of confidentiality relating to the processing of personal data.

9. TERM

9.1. This Data Addendum shall continue until the expiry of the Term as applicable to the Services Contract or until it is terminated earlier in accordance with its terms.

9.2. The Parties shall review the effectiveness of this data sharing initiative every 12 months, having consideration to the aims and purposes set out in Clause 2.1 and the Agreed Purpose.  The Parties shall continue or where appropriate vary this Data  Addendum, as agreed between the Parties depending on the outcome of this review.

9.3. Each Party reserves the right to inspect the other Party’s arrangements for the processing of personal data (save that neither Party shall be required to disclose or permit access to any of its or any third party’s confidential information) and to terminate this Data Addendum and the Services Contract where it considers that the other Party is not processing personal data in accordance with this Data Addendum.

10. SUPERVISORY AUTHORITIES

Each Party shall cooperate with any requests made by a supervisory authority in connection with this Data Addendum and shall notify the other Party in writing as soon as reasonably practicable of the content of and response to any such request.

11. LIABILITY

11.1 Each Party shall bear its own costs of performing this Data Addendum

11.2. Each Party undertakes to indemnify the other Party and defend at its own expense the other Party against all costs, claims, damages or expenses incurred by that Party or for which that Party may become liable due to any failure by the other Party or its employees, subcontractors or agents to comply with any of its obligations under this Data Addendum or Data Protection Law and as to the consequences of any Data Breach the cause of which is substantially a failure on the part of the indemnifying party to comply with its obligations under this Data Agreement.

11.3. Any limitation of liability set forth in the Services Contract will not apply to this Addendum indemnity or reimbursement obligations.

12. GENERAL

Conflict

12.1. If there is an inconsistency between any of the provisions of this Data Addendum and the provisions of:

12.1.1. the Services Contract; or

12.1.2. any later agreement (including any Order Form under the Services Contract) entered into between the parties;

the provisions of this Data Addendum shall remain in force and take priority.  This Clause 12.1 shall apply unless any such later agreement is in writing and expressly and specifically:

12.1.3. refers to this Data Addendum; and

12.1.4. states how it is to be superseded, extinguished or varied. 

These requirements shall not be satisfied by such later agreements simply stating that they supersede or extinguish earlier agreements, statements or representations between the Parties.

Notices

12.2. Any notice required or permitted to be given by either Party to the other under this Data Addendum shall be in writing addressed to that other Party at its registered office or principal place of business or such other address as may at the relevant time have been notified pursuant to this Clause to the Party giving the notice and may be delivered personally, by first class recorded delivery post or first class airmail letter.  A notice shall be deemed to have been served, if personally delivered, at the time of delivery or (if sent by first class recorded delivery post) forty-eight hours after posting or (if sent by first class airmail letter) ninety-six hours after posting.

Variation

12.3. No variation of this Data Addendum shall be of any effect unless it is agreed in writing and signed by or on behalf of each Party.

Third Party Rights

12.4. No third party shall have the right to enforce any provision of this Data Addendum pursuant to the Contracts (Rights of Third Parties) Act 1999.

Waiver

12.5. No waiver of any right or remedy under this Data Addendum shall be deemed to be a waiver of any subsequent or other right or remedy and no failure to exercise or delay in exercising any right or remedy under this Data Addendum shall constitute a waiver of that right or remedy.  No single or partial exercise of any such right or remedy shall preclude or impair any other or further exercise of it or the exercise of any other right or remedy provided by law or under this Data Addendum.

Invalidity

12.6. If any provision is or becomes illegal, invalid or unenforceable in any respect, the legality, validity or enforceability of the remaining provisions of this Data Addendum shall not in any way be affected or impaired by it and the provision shall apply with such deletions as are necessary to make it legal, valid and enforceable.  If any provision or part-provision is deemed deleted under this Clause 12.6 the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision and any failure to so agree is to be regarded a dispute to be resolved under the terms of the Services Contract.

Entire Agreement

12.7. This Data Addendum is supplemental to the Services Contract and constitutes together with the Services Contract and any Order Forms entered into under the Services Contract the entire agreement between the Parties relating to its subject matter and supersedes and extinguishes any drafts, agreements, undertakings, representations, warranties and arrangements of any nature whatsoever, whether or not in writing, between the Parties in connection with the subject matter of this Data Agreement.  Each of the Parties acknowledges and agrees that in entering into this Data Agreement it does not rely on, and shall have no remedy in respect of, any undertaking, promise, assurance, statement, representation (whether innocent or negligent), warranty or understanding (whether in writing or not) or any person (whether party to this Data Agreement or not) other than as expressly set out in this Data Agreement.

No Partnership/Agency

12.8. Nothing in this Data Addendum is intended to or shall operate to create a partnership between the Parties, or to authorise either Party to act as agent for the other, and neither Party shall have authority to act in the name or on behalf of or otherwise to bind the other Party in any way.

Governing Law and Jurisdiction

12.9. This Data Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of England. Each Party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any such dispute or claim.

SCHEDULE

Data Sharing Details

1. Agreed Purpose of the Processing and Subject Matter

The facilitation of the introduction of individuals expressing interest in work and career opportunities with the Company. The subject matter of the processing under this Data Addendum is the applicant’s personal data.

2. Categories of Personal Data to be Processed

2.1. The Shared Personal Data includes the following categories of personal data:

2.1.1. Name (first and last)

2.1.2. Email address

2.1.3. Telephone number

2.1.4. Location data including postcode

2.1.5. Job/work preferences

2.1.6. Use behaviour

2.2. The Company Data is:

2.2.1. Tracking information relating to the data subject’s site visit

2.2.2. Resume CV files and/or data

2.2.3. Uploaded images and videos

2.3. The Shared Personal Data will not include special category data

3. Categories of Data Subjects
Prospective candidates seeking work and career opportunities with the Company

4. Lawful Grounds for Processing relevant to this Data Addendum

4.1. Inploi
Preparation for and the performance of a contract with the Company

4.2. Company
Legitimate Interest 

5. Retention Periods
In the case of the Company not to exceed 12 months in relation to Shared Personal Data unless the Company assumes responsibility as a Data Controller in respect of that Shared Personal Data.

6. Single Point of Contact


6.1. For inploi:
Name: Daniella Willberg
Job title: Data & Operations Analyst
Email: [email protected] with subject ATTN: Daniella Willberg + your request

6.2. For the Company as detailed in any Order Form relating to the provision of the Services.

Product
Help
Follow
Privacy
Copyright © 2022 inploi. All rights Reserved.