Version dated 23 May 2018
DATA PROCESSING AGREEMENT
This Data Processing Agreement (hereinafter "DPA") is entered into by and between CORUSCANT, a limited company (société par actions simplifiée) whose registered office is at 16, rue du Mail – 75002 Paris, duly represented by its chairman Jérémy Clédat, operating under the trade name Welcome To The Jungle (hereinafter the "Data Processor") and you, the company that electronically accepts and agrees to this DPA (hereinafter the "Data Controller"), having already entered into and agreed to the General Terms and Conditions of Sales.
The Data Processor and the Data Controller are individually referred to as a "Party" and jointly as the "Parties".
IT HAS BEEN PREVIOUSLY SET FORTH, AS FOLLOWS
1. The Parties declare and acknowledge that the negotiations that preceded the conclusion of this agreement were conducted in good faith, that they benefited during the pre-contractual negotiation phase from all necessary and useful information to enable them to make an informed commitment, and that they have communicated to each other any information that could determine their consent and of which they could legitimately have been unaware.
2. The Data Controller is a company using the services published by the company Coruscant, namely the Welcome Kit (Application Management Tool) and/or welcometothejungle.com, a website dedicated to employment on which companies can disseminate their job offers. The Data Controller is a company that uses the services published by Coruscant to recruit and to manage the Processing of its applications from reception to hiring.
3. The Data Processor offers the Welcome Kit, a platform dedicated to recruitment. This simple and collaborative ATS (Applicant Tracking System) meets the needs of recruiters, in particular by integrating and managing the job offers of the Data Controller.
THE PARTIES HAVE AGREED AS FOLLOWS:
The purpose of this agreement is to define the conditions in which the Data Processor undertakes to carry out, on the Data Controller's behalf, the personal data processing operations defined below.
As part of their contractual relations, the Parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter "the General Data Protection Regulation").
For the purposes of this agreement, the following terms shall have the meanings set out below:
Data Controller means the entity which determines the purposes and means of the Processing of Personal Data and refers to the company mentioned at the head of this agreement.
Data Processor means the entity which processes Personal Data on behalf of the Data Controller and refers to CORUSCANT, which operates under the name "Welcome to the Jungle", under the authority and on the instructions of the Data Controller.
Data Subject means the identified or identifiable person to whom Personal Data relates.
Personal Data means any information relating to an identified or identifiable natural person and to an identified or identifiable legal entity (where such information is protected similarly to Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations). Personal Data covers any information that can identify an individual, such as identification numbers or characteristics such as physical, physiological, mental, economic, cultural or social identity. Examples include: name, pseudonyms, address, telephone number, identity card number, occupation, salary/compensation, health or personnel records, birth date, financial/bank account information, physical characteristics, etc. Personal Data is each piece of information related to the individual, regardless of the form in which it is expressed and the format in which it is kept in or on the information holder (storage media, paper, tape, film, electronic media, etc.).
Processing means any operation or set of operations by the Data Processor on behalf of the Data Controller, which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
III. Description of the Processing being subcontracted out
The Processor is authorised to process, on behalf of the Controller, the necessary Personal Data for providing the following services:
- Receiving the applications: identity, contact information, curriculum vitae (resume), covering letter, social networks, any complementary relevant information that the applicant chooses to provide;
- Processing of the applications: email exchanges, comments, assessments of the applicants by the recruiters;
- Storing the applications.
To perform the service covered herein, the Controller shall provide the Processor with the necessary information, including a detailed description of the processing set out in Appendix 1.
IV. Duration of the agreement
This DPA is effective as of the date of the signature of this agreement by the Data Controller for a period of one year, renewable by tacit agreement. The signature of this DPA is directly made on the Welcome Kit platform by an admin of the recruiter, this being a person duly authorised by the Data Controller to do so.
V. Controller's obligations
The Data Controller acknowledges and ensures:
2. that in the event that the Data Controller processes "sensitive Data" as set out in article 9 of the General Data Protection Regulation (namely the Processing of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic Data, biometric Data for the purpose of uniquely identifying a natural person, Data concerning health or Data concerning a natural person's sex life or sexual orientation), the Data Controller has collected them and requires the Data Processor to process them in accordance with article 9 of the General Data Protection Regulation;
3. that he will respond, without undue delay, to requests for information from the data protection authority (in France, the CNIL), if appropriate;
4. that he will respond, without undue delay, to requests from Data Subjects and will give appropriate instructions to the Data Processor, in due time.
The Controller undertakes to:
5. provide the Processor with the Data mentioned in Appendix 1 hereof;
6. document, in writing, any instruction bearing on the Processing of Data by the Processor;
7. ensure, before and throughout the Processing, compliance with the obligations set out in the General Data Protection Regulation on the Processor's part.
VI. Processor's obligations
The Processor shall undertake to:
1. process the Data solely for the purposes subject to the sub-contracting, as set out in Appendix 1;
2. where the Processor considers that an instruction infringes the General Data Protection Regulation or of any other legal provision of the Union or of Member States bearing on Data protection, it shall immediately inform the Controller thereof. Moreover, where the Processor is obliged to transfer Personal Data to a third country or an international organisation, under Union law or Member State law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
3. guarantee the confidentiality of Personal Data processed hereunder;
4. ensure that the persons authorised to process the Personal Data hereunder:
- have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- receive the appropriate Personal Data protection training;
5. take into consideration, in terms of its tools, products, applications or services, the principles of Data protection by design and by default;
6. set up and maintain a specific documentation of Personal Data protection legislation and practice;
7. inform its employees of their responsibility regarding Data protection, including confidentiality of the Personal Data;
8. in the event of a legal, administrative or judicial prohibition of the Processor's right to process Personal Data, inform the Data Controller, who may terminate the Agreement, without this entitling the Data Controller to hold the Data Processor liable or to claim damages;
9. cooperate with the supervisory authority.
The Processor may engage another processor (hereinafter "the sub-Processor") to conduct specific Processing activities. In this case, the Processor shall inform the Controller, in writing and beforehand, of any intended changes concerning the addition or replacement of other processors. This information must clearly indicate which Processing activities are being subcontracted out, the name and contact details of the sub-Processor and the dates of the subcontract. The Controller has a minimum timeframe of 2 months from the date on which it receives said information to object thereto. Such sub-contracting is only possible where the Controller has not objected within the agreed timeframe.
The sub-Processor is obliged to comply with the obligations hereunder on behalf of and on the instructions of the Controller. It is the initial Processor's responsibility to ensure that the sub-Processor provides the same sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing meets the requirements of the General Data Protection Regulation. Where the sub-Processor fails to fulfil its Data protection obligations, the initial Processor remains fully liable to the Controller for the performance of the sub-Processor's obligations.
11. Data Subjects' right to information
It is the Controller's responsibility to inform the Data Subjects concerned by the Processing operations at the time Data are being collected.
12. Exercise of Data Subjects' rights
It is the Controller's responsibility to fulfil its obligation to respond to requests for exercising the Data Subject's rights (right of access, to rectification, erasure and to object, right to restriction of Processing, right to Data portability, right not to be subject to an automated individual decision, including profiling), and will give proper instructions to the Data Processor, in due time, as set out in Article 5-4 of the Agreement.
The Processor shall assist the Controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the Data Subject's rights.
Where the Data Subjects submit requests to the Processor to exercise their rights, the Processor must forward these requests as soon as they are received by email to a point of contact of the Data Controller in charge of data protection and privacy.
13. Notification of Personal Data Breach
The Processor shall notify the Controller of any Personal Data Breach without undue delay, and not later than 72 hours after having become aware of it. Said notification shall be sent along with any necessary documentation to enable the Controller, where necessary, to notify this Breach to the competent supervisory authority.
Data Processor shall make reasonable efforts to identify the cause of such a Personal Data Breach and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within Data Processor's reasonable control.
14. Assistance lent by the Processor to the Controller regarding compliance with its obligations
The Processor assists the Controller in carrying out Data protection impact assessments.
The Processor assists the Controller with regard to prior consultation of the Supervisory Authority.
15. Security measures
The Processor undertakes to implement the technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Appendix 2 ("Security measures").
The Data Processor shall at all times have in place appropriate technical and organizational measures to prevent unauthorized access to Personal Data and the use of Personal Data for any purpose other than those for which they have been transmitted to the Data Processor.
The Data Processor represents and warrants that the security measures taken shall in no way be less than those required by applicable law or than those a reasonably cautious entity engaged in the same business as the Data Processor would take to protect Personal Data stored by it against unauthorized use or access.
The measures to be taken by the Data Processor include, but are not limited to, those listed in Appendix 2.
In cases where the Data Processor obtains the prior written approval of the Data Controller for transmitting Personal Data to a third party, the Data Processor shall again take the appropriate level of security measures to ensure a secure transmission of Personal Data.
The Data Processor shall protect and keep safe Personal Data as confidential information. The confidentiality requirements of the Data Processor contained in any and all business and/or confidentiality agreements it signed with the Data Controller shall also apply to Personal Data.
16. End of services
At the end of the service bearing on the Processing of such Data, the Processor undertakes to destroy or anonymize all Personal Data provided by the Data Controller.
17. Record of categories of Processing activities
The Processor states that it maintains a written record of all categories of Processing activities carried out on behalf of the Controller, containing:
- the name and contact details of the Controller on behalf of which the Processor is acting, any other Processors and, where applicable, the Data protection officer;
- the categories of Processing carried out on behalf of the Controller;
- where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures, including inter alia:
  - the pseudonymisation and encryption of Personal Data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
  - the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
The Processor provides the Controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the Controller or any other auditor it has authorised to conduct audits, including inspections, and for contributing to such audits.
VII. Data protection officer
The Data Processor has appointed, in compliance with article 37 of the General Data Protection Regulation, the following Data protection officer: Camille Fauran
The contact details of the latter are accessible by the Data Controller directly in the Welcome Kit.
The Data Controller specifies in the Welcome Kit, in the field dedicated to this purpose, the DPO appointed within its team in compliance with article 37 of the General Data Protection Regulation.
In the event of circumstances unforeseeable when the Agreement was concluded, in compliance with the provisions of article 1195 of the Code civil, the Party that has not accepted to assume an excessively costly execution risk may request renegotiation of the Agreement from its co-contractor.
IX. Termination of the Agreement
The Parties acknowledge that the termination of the Agreement, at any time and for any reason whatsoever, does not relieve them of their obligations under the General Data Protection Regulation and the loi informatique et libertés regarding the Processing in accordance with the Agreement.
Provided that the Data Controller is given the time necessary to find an alternative solution to the Processing, and provided that this solution works satisfactorily, the Data Processor shall, as necessary, delete or anonymize all existing copies of Personal Data collected by the Data Controller, held and processed by the Data Processor.
In the event that, for practical reasons, the Personal Data processed by the Data Controller cannot be deleted or anonymized, the Data Processor shall take the necessary measures to ensure that such data will no longer be processed, disclosed or used, except to ensure their deletion when it becomes possible.
X. Governing Law – Agreement Language
By express agreement between the Parties, this Agreement is governed by French law, to the exclusion of any other legislation.
It is written in French. In the event that it is translated into one or more languages, only the French text will prevail in the event of a dispute or Agreement interpretation difficulties.
XI. Resolution of disputes
For any dispute arising from the execution of this Agreement, the most diligent Party shall take action before the competent courts.
APPENDIX 1 – DETAILS OF THE PROCESSING SUBJECT TO SUBPROCESSING
This appendix includes a description of the Processing subject to subprocessing:
The nature of operations carried out on the data is:
- Receipt and storage of applications received by the Data Controller;
- Management of the email exchanges between the Data Controller and the candidate, insofar as the emails are sent directly from the Welcome Kit;
- Processing of applications: The Welcome Kit allows the Data Controller to comment, evaluate and process the applications received;
- Creating an application directly in the tool: the Welcome Kit allows the recruiter to create an application directly in the tool or add them directly from social networks.
The period for which the Personal Data will be stored is, by default, set to two years; two months before the expiry of the term, an automatic email is sent to the candidate to notify him that the company has held his data for two years; the email invites the applicant to renew his authorization for the company to use his Personal Data for a further two years. Without feedback from the candidate, an automatic email is sent one month before the expiry of the term to warn the candidate that his data will be deleted.
Nota bene: The period for which the Personal Data will be stored is nevertheless configurable by the recruiter, up to five years. Coruscant informs its clients of the CNIL's recommendations in this regard – see below:
"According to article 5-e of the GDPR, Personal Data shall be stored for no longer than is necessary for the purposes for which the Personal Data are processed; for your information, the CNIL recommended, in deliberation n° 02-017 of March 21st, 2002, that a candidate who has been the subject of a recruitment procedure be informed of the period for which the Personal Data concerning him or her will be stored, advocating that it shall not exceed two years after the last contact with that person. As a Data Controller, you are liable for choosing the period for which the Personal Data will be stored. If you wish to configure a period for which the Personal Data will be stored that differs from the one recommended by the CNIL, please ensure that it is proportionate to the purpose pursued by your collection. According to article 14-2-a of the GDPR, you must also be able to explain to your candidates the criteria used to determine that period."
The purpose(s) of the Processing is(are) to allow the Data Controller to
- receive applications from profiles applying via the Welcome Kit;
- process applications for recruitment purposes: e-mail exchanges, scoring of candidates, comments of recruiters on applications;
- maintain a pool of candidates over time, within the limits of the recommendations of the CNIL, to support a more efficient recruitment.
The Personal Data processed are the standard data requested as part of a recruitment process: CV, application letter, contact elements and optionally personalized open questions; the Data Controller undertakes to request only information relating to the recruitment of the relevant position for the candidate.
The categories of Data Subjects are:
- On the Data Controller's side: all the persons having access to the Welcome Kit space dedicated to the client company. The accesses (as well as the administration levels) are granted by the administrators of the client organization;
- On the candidates' side: any person who has voluntarily submitted his application, after having explicitly consented, to the Data Controller's company.
Appendix 2 – Personal Data Security measures
The Personal Data security measures that the Data Processor is required to take and implement with regard to the Processing of Personal Data include, but are not limited to, the following:
- all the staff members must be provided with training, updated regularly, on Data security and on how to protect Personal Data;
- with a view to protecting the confidentiality of Personal Data, the Data Processor must include in the employment contracts, signed with its staff members who have access to Personal Data, a clause requiring those staff members to confirm that they are fully aware of and undertake to protect the confidentiality of all Personal Data they have access to as part of the agreement;
- only the authorized staff members must have access to Personal Data, on a need to know basis, and access by unauthorized staff members to Personal Data must be prevented;
- an access method must be developed for access to Personal Data and an appropriate level of access authorization must be required;
- passwords and usernames must be required to access any electronic environment where Personal Data are stored and an access log must be kept. The Data Processor must have in place an appropriate password policy for accessing Personal Data;
- all electronic media and software where Personal Data are stored must be updated regularly and protected against malware and unauthorized access by using protective software (such as anti-virus software) and by an advanced security policy;
- Personal Data must not be stored in environments (such as the Internet) that are accessible by third parties not authorized by the Data Processor;
- appropriate security applications (such as firewall, etc.) must be operated between environments accessible by third parties and the company's Data storage areas, and countermeasures (IDS/IPS, etc.) must be used against virtual attacks that may threaten Data privacy;
- Personal Data must always be transmitted by means of encrypted communication services (e-mail, file transfer protocol (FTP), file sharing, HTTPS, etc.);
- environments (servers, Data storage systems, etc.) where Personal Data are stored or kept for the Data Processor must be protected physically and access to them must be controlled and restricted only to authorized staff members;
- suitable methods must be employed to erase Personal Data. Erasure of Personal Data stored in electronic environments must be done in a manner that ensures the Personal Data are not retrievable. Other suitable methods or equipment (paper shredder, etc.) must be used to destroy Personal Data stored in physical environments (documents, etc.).