FirstMind LTD, UK


1. Purpose

1.1 The purpose of this Data Processing Agreement is to regulate the Data Controller's handling of personal data in connection with the services outlined in the main agreement between the Data Controller and Data Processor (“Main Agreement”).

1.2 In case of disagreement or legal uncertainty the Data Processing Agreement takes precedence over the Main Agreement.

1.3 The purpose of the Data Processing Agreement is to ensure that the Data Controller performs according to the obligations laid out in the rules and regulations in force at any point in time for the processing of personal data, including act 1016/679 of 27 April 2016 by the European Parliament and the European Council (“The EU General Data Protection Regulation”).

2. Legal standing between Data Controller and Data Processor

2.1 Legal standing between Data Controller and Data Processor is governed by regulations stated in appendix 1.

2.2 The Data Processor must ensure that the personal data received as part of the Data Processing Agreement is not used for any other purpose than that stated in the Data Processing Agreement, and is not misused in any way.

If the Data Processor finds or suspects that the directions from the Data Controller may be contrary to The EU General Data Protection Regulation, the Data Processor must immediately and without undue delay inform the Data Controller.

3. Provisions for subdata processors

3.1 A subdata processor is a subcontractor engaged by the Data Processor undertaking parts or all of the Data Processing.

3.2 The Data Processor is prohibited from using other subdata processors than those stated in article 3.3 without the Data Controller having given explicit consent in writing.

3.3 The Data Processor is authorised to make use of the following subdata

3.4 Subdata processor contracts must be in writing and imposed with the same obligations regarding handling of any subject therein as applies to the data processor under the Data Processing Agreement, as well as existing laws at any time.

3.5 The Data Processor is held liable to the data controller for any obligations not met by the subdata processor under existing laws or under the provisions for subdata processors.

3.6 The Data Controller may at any point in time request the Data Processor for documentation regarding subdata processor contracts.

4. Security breach and violation of data

4.1 The Data Processor is responsible for the implementation of appropriate precautionary measures regarding technical and organizational arrangements and installments, taking into account the current technical level, costs of implementation and the type, scope, purpose and coherence of the current data procedure as a whole.

4.2 As a minimum, the appropriate technical and organizational precautions are as follows (but not limited to):

  • Anonymization and encryption of personal data,
  • Data recovery in case of physical or technical mishap,
  • Ensure ongoing confidentiality, integrity and accessibility,
  • Preparation and compliance with appropriate security policies, and
  • Compliance with appropriate industrial standards

4.3 The Data Processor must inform the Data Controller of any breach of security without undue delay. The information must include:

  • A description of the type of data breach including categories of
    personal data, estimated extent of breached information as well as
    estimated number of individual files at risk,
  • An assessment of the extent of the security breach, and
  • A description of the precautionary measures taken and/or proposed
    measures to be taken by the data processor or the subdata processor
    to manage the breach of data and limit any further damaging effects.

4.4 Should the Data Controller request assistance from the Data Processor when responding to inquiries regarding the exercise of rights of registered individuals, the Data Processor is entitled to invoice for any such assistance.

The Data Processor must assist the Data Controller in complying with regulations under paragraph 32-36 of The EU General Data Protection Regulation, taking into consideration the nature of the process and the information available to the Data Processor. The Data Processor may invoice for any such assistance.

5. Data processing staff

5.1 The Data Processor is held liable for any staff misconduct relating to the Data Processing Agreement and its related legislation or associated guidelines.

5.2 The Data Processor is obligated to restrict the handling of personal data to essential staff and to perform and maintain further staff education on the handling of personal data.

5.3 All data processing staff responsible for the handling of personal data on behalf of the Data Controller is subject to confidential disclosure agreements.

6. Documentation and supervision

6.1 If a written request is produced by the Data Controller, the Data Processor must produce adequate documentation demonstrating that rules and regulations under the Data Processing Agreement are adhered to, as well as existing rules at any time pertaining to personal data. This is to be made available for the Data Controller or an independent supervisory authority. If the Data Processor is acting under paragraph 30 of The EU General Data Protection Regulation to keep records, these records are also to be made available for the Data Controller if he so requests in writing.

6.2 The Data Controller may demand such information presented by the Data Processor as stated in article 6.1 pertaining to subdata processors.

6.3 The Data Processor must accommodate such a request cf. article 6.1 and 6.2 within a reasonable period of time and no later than 5 workdays from the time of the request.

6.4 The Data Processor is obligated to give access to facilities for inspection by the Data Controller, a representative hereof or another appropriate supervisory authority if so requested. Such a request for inspection must be given with a notice of at least 5 workdays. The Data Processor is not entitled to separate remuneration or compensation for this unless the number of inspections or the type of inspections made exceed what is considered to be the standard for an inspection of that type.

6.5 To the extent that the Data Controller requests inspection following article 6.4 to cover the data processing carried out by subdata processors, this is to be agreed upon separately.

7. Termination of Data Processing Agreement

7.1 The Data Processing Agreement is terminable only along with the termination of the Main Agreement.

7.2 The Data Processor's authority to process personal data on behalf of the Data Controller is void in case of termination of the Data Processing Agreement whatever the cause of annulment.

7.3 In case of termination of the Data Processing Agreement, the Data Processor and subdata processors must return all personal data to the Data Controller, if these personal data are not already in the possession of the Data Controller. The Data Processor is hereinafter obligated to delete all personal data received from the Data Controller. The Data Controller may request documentation that the information has been deleted.

8. Liability

8.1 Both Parties are liable under existing laws. Both Parties relinquish any responsibility for indirect loss and consequential loss such as operating loss, decreased goodwill, loss of savings and revenues including expenditures made to recover earnings, lost interest rates and lost data. Neither of the Parties may be held liable for circumstances characterized as force majeure.

9. Applicable law and venue

9.1 The Data Processing Agreement is subject to British law.

9.2 Disputes relating to the Data Processing Agreement are to be settled in the United Kingdom if the dispute cannot be settled amicably.

10. Appendix

10.1 Appendix 1: Data guidelines and data security

Appendix 1 – Data Guidelines and Data Security

1. Data guidelines

When processing personal data transferred from the Data Controller, cf. the Main Agreement, the Data Processor must act in compliance with the guidelines received from the Data Controller.

1.1 We are FirstMind Ltd, a limited liability company registered in England and Wales with company registration number 1245330. Our registered office address is 21 Buckingham Gate, SW1E 6LB.

FirstMind (test provider) provides a web-based and/or app-based platform that offers talent-focused personality assessments to help companies (test sender) make better people decisions with regard to recruitment, leadership development, employee development, and team composition. The FirstMind platform enables companies to send out personality assessments to job applicants and employees (test taker) to get greater insights and make more informed people decisions. Test takers are provided with a questionnaire to complete on the FirstMind platform and, on completion, FirstMind generates a personality profile based on FirstMind algorithms derived from neurological and behavioural research. The FirstMind platform can be accessed through the Company’s (test sender’s) personal domain (the “Site”).

1.2 Personal information is processed in the type of categories listed below (mark with a cross/fill in):


1.3 Personal data is processed on the type of information listed below:

2. Security measures

2.1 When processing data, the Data Processor must put the following security measures into practice:

  • Access controls to restrict unauthorized access
  • Restricted access to the decrypted database where personal information
    is stored through implemented encryptions
  • Detachment of personal information with pseudonymization
  • All traffic to and from the FirstMind database goes through a secured
    SSL connection

3. Data transmission to non-EU/EEA countries

3.1 The Data Controller's data processing is only to be handled by the Data Processor or associated subdata processors within the EU/EEA.

3.2 Regardless of regulation listed under section 1 herein, the Data Controller gives the Data Processor or associated subdata processors explicit consent to the transmission of data to non-EU/EEA countries in accordance with legal requirements under The EU General Data Protection Regulation paragraph 44-50:

4. Specific agreements

4.1 In addition to the processing mentioned above relating to the Main Agreement, it is agreed that the data processor assists with the following:

4.1.1 Assisting with mapping out personal data, impact analysis preparation, compliance with the Data Controller's duty of notification, and handling enquiries from registered individuals.

4.1.2 The Data Processor is entitled to a reasonable payment for counsel relating to section 4.1.

