Data Processing Agreement
Cognisess prioritises customer trust and data security. Data is important to our customers’ principles and operations and that is why we place great importance on keeping it private and safe. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.
Cognisess supports customers around the world, entrusting us with sensitive company, employee and candidate information, stemming from a wide range of industries and sectors. If a company collects, transmits, hosts or analyses personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR.
We help customers maintain control of their privacy and data security in a number of ways:
- Data Security: We provide our customers compliance with high security standards, such as encryption of data over networks, international cloud privacy standards ISO/ IEC 27001 and ISO/IEC 27018 and a Support team that is on-call throughout the year.
- Disclosure of Data: Cognisess only discloses Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
- Access Permissions: Cognisess provides a set of permissions to access features to help customers effectively secure and protect their information when using the platform. We do not use customer content for any purpose other than providing, maintaining and improving the Cognisess services and as otherwise required by law.
- Privacy: The customer is the controller of Data, and Cognisess is a processor. This means that throughout the time that a customer subscribes to services with Cognisess, the customer retains ownership of and control over Data in its account.
This Data Processing Agreement (the ‘DPA’), entered into by the Cognisess customer via the online registration process or applicable Cognisess ordering document for Cognisess services (‘Customer’) and the Cognisess company identified on the ordering document (‘Cognisess’), governs the processing of personal data that Customer uploads or otherwise provides Cognisess in connection with the services and the processing of any personal data that Cognisess uploads or otherwise provides to Customer in connection with the services.
This DPA with EU Standard Contractual Clauses, (the “DPA”) supplements the Agreement between Cognisess and the customer agreeing to these terms (the “Agreement”).
“Controller-to-Controller SCCs” means the Standard Contractual Clauses (Controller to Controller Transfers – Set II) in the Annex to the European Commission Decision of December 27, 2004, as may be amended or replaced from time to time by the European Commission.
“Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission.
“Customer Personal Data” means Personal Data (i) that Customer uploads or otherwise provides Cognisess in connection with its use of Cognisess’ services or (ii) for which Customer is otherwise a data controller.
“Data Controller” means Customer.
“Data Processor” means Cognisess.
“Data Protection Requirements” means the Directive, the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation, and all Privacy Laws.
“Directive” means the EU Data Protection Directive 95/46/EC (as amended).
“General Data Protection Regulation” means the European Union Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the Directive or the General Data Protection Regulation which may apply to the Agreement.
“Personal Data” any information relating to an identified or identifiable natural person including data that Customer chooses to provide to Cognisess from services such as applicant tracking systems (ATSs) or customer-relationships management (CRM) services.
“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“SCCs” means all Controller-to-Processor SCCs and Controller-to-Controller SCCs entered into between the parties under the Agreement.
“Sub processor” means any entity which provides processing services to Cognisess in furtherance of Cognisess’ processing on behalf of Customer.
“Process / Processing” any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Supervisory Authority” means an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation.
“Data Subjects” shall mean the identified or identifiable natural persons whose Personal Data is Processed (an identifiable person is one who can be identified, directly or indirectly, in particular by (but not limited to) reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity), the relevant categories.
PURPOSE AND BACKGROUND
Cognisess and Customer has entered into the Agreement under which Cognisess provides the platform software services to Customer. As part of the provision of services Cognisess Process Personal Data, that may be linked to specific natural persons (Data Subject), for which the Customer is Controller.
In addition to the General Terms and Conditions, the Data Processing Agreement sets out the terms and conditions which apply to Cognisess’ processing of Personal Data.
In providing the Services to the Controller pursuant to the Terms & Conditions, the Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with both the Terms & Conditions and the Controller’s instructions documented in the Terms & Conditions and this DPA.
DATA PROCESSING AND COMPLIANCE
Each party agrees to process Personal Data received under the Agreement only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Appendix 1 to this DPA.
The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with a supervisory data protection authority in the performance of their respective obligations under this DPA
OBLIGATIONS OF THE PROCESSOR
The Processor may collect, process or use Personal Data only within the scope of this DPA. The Processor confirms that it shall process Personal Data on behalf of the Controller and shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach any applicable data protection laws.
The Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate guidance or training on their responsibilities as a data processor; and (iii) are bound by the terms of this DPA.
The Processor shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The technical and organisational measures detailed in “Technical and Organisational measures” section shall be at all times adhered to as a minimum-security standard. The Controller accepts and agrees that the technical and organisational measures are subject to development and review and that the Processor may use alternative suitable measures provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Where Personal Data relating to an EU Data Subject is transferred outside of the EEA it shall be processed only by entities which: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Controller-to-Processor SCCs with the Processor; or (iii) have other legally recognised appropriate safeguards in place.
Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights and the Controller’s compliance with the Controller’s data protection obligations in respect of the processing of Personal Data.
OBLIGATIONS OF THE CONTROLLER
The Controller represents and warrants that it shall comply with the Terms & Conditions, this DPA and all applicable data protection laws.
The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA.
The Controller is responsible for compliance with all applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Terms & Conditions. All Subsidiaries of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA.
The Controller has their own obligations to implement their own appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller.
The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible.
The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data from the Processor, may result in additional fees. In such case, the Processor will notify the Controller of such fees in advance unless otherwise agreed.
Each party will, to the extent that it, along with the other party, acts as data controller, as the term is defined in applicable Data Protection Requirements, with respect to Personal Data, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the General Data Protection Regulation and in other Data Protection Requirements. Where both parties each act as data controller with respect to Personal Data, and the transfer of data between the parties’ results in a transfer of EU Personal Data to a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the Controller-to-Controller SCCs.
If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of Personal Data , the parties agree that the following terms apply: (i) Data subjects for whom a Customer processes EU Personal Data are third-party beneficiaries under the Controller-to-Controller SCCs; (ii) Appendix 1 to this DPA shall apply as Annex B of the Controller-to-Controller SCCs; and (iii) for purpose described in this DPA, the data importer will process the EU Personal Data, at its option, in accordance with “the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data.” The parties acknowledge and agree that each is acting independently as Data Controller with respect of Personal Information and the parties are not joint controllers as defined in the General Data Protection Regulation.
For transfers of EU Personal Data to Cognisess for processing by Cognisess in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Cognisess agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the form of the Controller-to-Processor SCCs. If data transfers of this DPA rely on Controller-to-Processor SCCs to enable the lawful transfer of EU Personal Data, the parties agree that data subjects for whom a Cognisess entity processes EU Personal Data are third-party beneficiaries under the Controller-to-Processor SCCs. If Cognisess is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of Customer. Cognisess shall promptly notify Customer of any inability by Cognisess to comply with the provisions of this section.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
- The Data Processor shall perform its obligations and actions under this DPA with all due skill, care and diligence.
- The Data Processor shall use technical and organizational security measures appropriate to prevent the harm which might result from any unauthorized or unlawful processing, loss, destruction, damage, alternation to or disclosure of the Personal Data and having regard to the nature of the Personal Data which is to be protected.
- Should the Data Processor become aware of any non-conformity with the security requirements, either within its own or within the subcontractor’s organization, such non-conformity shall be notified to the Data Controller in accordance with the Personal Data Breach procedure.
THIRD PARTY DATA PROCESSORS
The Data Processor or Data Controller in case of Controller-to-Controller scenario shall ensure that a data processor agreement is entered into with any third-party data processor before such third-party data processor processes any Personal Data.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its processing obligations and allow for and contribute to audits and inspections. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Cognisess expends for any such audit, in addition to the rates for services performed by Cognisess.
Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Controller, the Controller may at its own expense conduct a more extensive audit which will be: (i) limited in scope to matters specific to the Controller and agreed in advance with the Processor; (ii) carried out during UK business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iii) conducted in a way which does not interfere with the Processor’s day-to-day business. The Processor may charge a fee (based on its reasonable time and costs) for assisting with any audit. The Processor will provide the Controller with further details of any applicable fee, and the basis of its calculation, in advance of any such audit.
This clause shall not modify or limit the rights of audit of the Controller, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.
TERM AND TERMINATION
The Data Processing Agreement will take effect from the subscription registration date or of the last signature on the Agreement and will continue in force until Cognisess no longer Process Personal Data on behalf of the Customer. The parties agree that on the termination of the data processing services or upon Customer’s reasonable request, Cognisess shall, and shall cause any Sub processors to, at the choice of Customer, securely destroy the Customer Personal Data and demonstrate to the satisfaction of Customer that it has taken such measures, unless Data Protection Requirements prevent Cognisess from returning or destroying all or part of the Customer Personal Data disclosed. In such case, Cognisess agrees to preserve the confidentiality of the Customer Personal Data retained by it and that it will only actively process such Customer Personal Data after such date in order to comply with applicable laws.
This DPA shall be governed by the laws of England and Wales, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in England and Wales.
ANNEX B – DESCRIPTION OF THE TRANSFER
The data exporter is the customer of Cognisess Limited.
The data importer is Cognisess Limited, (a company organized and existing under the laws of the England and Wales), a people software company.
Depending on the services used by the data exporter, the personal data transferred concern the following category of data subjects:
- Job seekers and candidates
- Third parties that have, or may have, a commercial relationship with the data exporter (e.g. customers and contractors).
Categories of data
The Personal Data of data subjects broadly belongs to following categories:
- Contact details including address, phone and email
- Educational information
- Employment information
- Work experience and skills
- Demographic information
- Performance Information including KPIs and workforce metrics
- Behavioural Information
- Uploaded Content & Documents including videos, CV, cover letters and work permits
- Responses to questions for interviews, appraisals or assessment centres
- Scores and results from psychometric games, assessments & surveys
- Self-recorded audio and video files
Special categories of data
The personal data transferred concern the following special categories of data: Health information as part of our commitment to fairer assessments and information required by employment regulations.
Related to performance metric this also includes: physical, metabolic, and biometric / bio-mechanical performance data, including, but not limited to Heart Rate, brain activity levels (EEG), cardiological data (ECG), and similar metrics.
The personal data transferred will be subject to the following basic processing activities: collection, recording, storage, retrieval, consultation, use, alignment or combination, erasure or destruction.
All rights reserved. © Cognisess 2019
Last Updated: May 21st 2018