
Data Processing Agreement

Version 2.5. (12.01.2021)

between

New Work SE
Strandkai 1,
20457 Hamburg
(hereafter “Prescreen”)

and
the customer
(hereafter “Customer“)

and
affiliated companies

together referred to as the “parties” or “contracting parties”

 

1. Subject and duration of the processing, scope

This agreement applies to the contractual relationship between Prescreen and the Customer for use of the e-recruiting system “Prescreen” under the domains *.prescreenapp.io and *.jobbase.io (hereafter: “Prescreen.io”), where the Customer can publish job advertisements and receive and manage applications. In this respect, Prescreen is classified as the “processor” in accordance with Article 4 (8) of the EU General Data Protection Regulation (“GDPR”), and the Customer as the “controller” in accordance with Article 4 (7) of the GDPR. Prescreen.io is used by people specially authorised by the Customer (hereafter “company users”).

Prescreen.io is intended to assist the Customer in its personnel search. The Customer can receive and manage applications from candidates using Prescreen.io. Multiple company users may work together to search for personnel and exchange information within a single Prescreen.io access account.

The possible uses of Prescreen.io are detailed in the agreement concluded between the contracting parties (hereafter “main agreement”). The contractual relationship enters into effect upon signing by both contracting parties and continues for as long as the main agreement (concluded by signing the offer) remains in effect. The right to ordinary termination corresponds to the associated provisions of the main agreement.

If other terms concerning the protection of personal data arise from other agreements between the Customer and Prescreen, this Processing Agreement shall take priority, unless the parties expressly agree otherwise.

A complete list of all the appendices referred to in this agreement is to be found at the end of this agreement, including their order of precedence in the event of conflicting provisions.

Prescreen.io is available for use by the affiliated companies of the Customer. The affiliated companies are listed in Appendix 1. If no separate processing agreement has been concluded with these affiliated companies, they are also contracting parties to this Processing Agreement. All provisions of this agreement therefore also apply for the affiliated companies.

Insofar as the terms “data processing” or “processing” (of data) are used in this agreement, the definition of “processing” shall be based on Article 4 (2) of the GDPR.

2. Purpose of the processing

This agreement regulates the processing of personal data (also referred to simply as “data”) carried out by Prescreen on behalf of the Customer. The economic terms and a precise technical description of the services to be provided by the processor are not governed by this agreement. The purpose of this agreement is to satisfy the requirements of the GDPR concerning regulation of the processing by Prescreen on behalf of the Customer.

The purpose of the processing of personal data by Prescreen is to assist the Customer and its candidates within a recruitment setting by providing an online platform for receiving and managing applications and to enable further exchange of information and communication between candidates and the company.

The necessity and the scope of data collection are determined according to the position to be filled, among other factors. More extensive data collection may be required if the desired position is associated with particularly confidential duties, entails significant responsibilities in the areas of human resources and/or finance, or requires certain physical and mental capabilities.

3. Type of data

3.1 Type of data from the perspective of the candidates:

The following data and data categories can be processed within the application process via the online platform Prescreen.io: The exact data and data categories can be freely selected by the Customer and must be adapted directly in Prescreen.io in the data protection declaration for candidates (standard data protection declaration template for candidates: Appendix 2).

● Applicant master data (first name, last name, title, email address, telephone number, address, date of birth, citizenship),
● Qualifications data (cover letter, motivation letter, CV, previous experience, professional qualifications and skills),
● Voluntary information, such as a photo, disability status or other information that the candidate voluntarily shares in the application or voluntarily uploads,
● Additional questions depending on the respective position (e.g. driving licence, citizenship),
● Communication between the Customer and the candidate as well as comments and evaluations concerning the candidate created during the application process,
● Other data / data categories, e.g. publicly accessible professional data such as profiles on professional social media networks like XING or LinkedIn,
● Special categories of personal data in accordance with Article 9 (1) GDPR, e.g. information on health (e.g. disability status) or information that implies sexual orientation, ethnic origin or religion.

3.2 Type of data from the perspective of the company users

Use of the Prescreen.io platform requires processing of a variety of personal data pertaining to company users (e.g. for registration of new users).
The following data can be processed during registration:
a) Name,
b) E-mail address,
c) Password,
d) Telephone number.

The following data can be processed during use:
● Messages composed by company users to candidates or other company users,
● Personal comments and evaluations entered by company users,
● Activity data which arise during use (e.g. change of application status, notifications of the need for new job ads, …),
● Other personal data entered by a company user while creating a personal signature or message template.

The following data can be processed when using Prescreen’s support services:
● E-mail address,
● Name,
● Context of the inquiry,
● Other personal data shared with the support team by a company user.

3.3 The following additional data are processed in connection with the use of the platform:

a) Automatically collected usage data from the perspective of the candidates and company users
When accessing Prescreen.io, the web browser of the candidate or company user automatically sends certain usage data for technical reasons. This information is stored separately from other data in log files.

Prescreen collects the following information:
● Date and time as well as duration of the access,
● Browser type/version,
● Operating system,
● URL of the previously visited web page,
● Quantity of data transmitted,
● A GeoIP lookup based on the IP address,
● Names of the accessed files,
● http status code (e.g. “request successful”),
● URL of the accessed web page,
● Access type (GET, POST).

Such data are technically required in order to offer the functions of Prescreen.io and to ensure the stability and security of the system. They are stored by Prescreen for a period of 12 months. Data that must be stored further for documentation purposes (e.g. to comply with statutory regulations) are exempt from this.

b) Cookies
Prescreen uses cookies to make the online application process more user-friendly and efficient. Cookies are technically required in order to operate the website, which is why there is no option to reject the use of cookies.

The cookies used for the Prescreen tool can be found in our privacy policy: https://prescreen.io/en/privacy-policy/

4. Group of data subjects

The following groups of people are affected by the data processing in the agreement:
● Candidates / applicants of the Customer: Prescreen shall provide the Customer with a data protection declaration template for candidates. The latest version of this template is provided in the tool. It shall serve only as an aid and must be adapted by the Customer directly in Prescreen.io.
● Company users (e.g. employees of the Customer):
The correspondence and information collected from company users as part of an application process will continue to be stored for a period of three years after withdrawal as a company user and remain visible to current and future company users via the company’s Prescreen.io account. Correspondence between candidates and company users will be erased as soon as the candidate is deleted, since this correspondence is linked to the candidate profile.

Information about data processing involving the company users is the responsibility of the Customer.

5. Technical and organisational measures

Prescreen warrants to the Customer that it will comply with the technical and organisational measures required to meet applicable data protection regulations, in particular Article 32 GDPR.

A description of the technical and organisational measures is provided in the tool. We can also send you this description on request.
The technical and organisational measures are subject to ongoing change and development. Prescreen is therefore entitled to implement adequate alternative measures.

However, this may not entail a reduction in the appropriate level of security relative to the defined measures. Significant changes must be documented and shared with the Customer on request.

6. Establishment of rights of data subjects

As controller, the Customer is responsible for safeguarding the rights of data subjects. Prescreen shall ensure the technical and organisational prerequisites so that the Customer can fulfill its data protection obligations with regard to information, access, rectification, erasure, restriction and portability as well as all other obligations vis-à-vis its data subjects that arise from statutory regulations in connection with the processing of personal data within stipulated time limits.

The web application allows the candidates concerned to submit an erasure request or to select erasure of their data. The candidate can only delete the data on its own if the application has not been completed; after that, the candidate can submit a deletion request. If the Customer requires the support of Prescreen to satisfy these requests, it will inform Prescreen immediately (within no more than seven days after becoming aware of the exercise of the rights of the data subjects).

If a data subject contacts Prescreen directly for the purpose of rectification or erasure of the data subject’s data, Prescreen shall immediately forward this request to the Customer. Any further support for the Customer in processing the requests of data subjects beyond this forwarding will be provided by Prescreen within the scope of its capabilities after receiving a written request from the Customer and subject to coverage of the resulting costs by the Customer.

The Customer can independently delete the data of a data subject or provide information. Support for the fulfilment of these activities in the tool with regard to a data subject request is free of charge.

7. Other obligations of Prescreen

Prescreen has appointed a competent and qualified data protection officer, whose name and contact details shall be provided to the Customer on request. The Customer shall be notified of any subsequent change to the data protection officer, where publication of this information on Prescreen’s website shall suffice.

Prescreen undertakes to support the Customer in complying with the obligations specified in Articles 32 to 36 GDPR (security of processing; notification of a personal data breach to the supervisory authority and to the data subjects; data protection impact assessment and consultation with the data protection authority), in consideration of the type of processing and the available information.

Prescreen shall inform the Customer of measures taken by the data protection supervisory authority arising in connection with the execution of the main agreement concluded between the contracting parties. The possible measures of the supervisory authority are established in Articles 58, 83 et seq. of the GDPR.
Prescreen shall inform the Customer immediately after becoming aware of a personal data breach.

If the Church Data Protection Act (KDG) and the Church Law on Data Protection by Evangelical Churches in Germany (DSG-EKD) apply to the Customer, Prescreen.io shall also be subject to these laws. This shall include being subject to the duties and authority of the church data protection supervisor.

8. Customer’s power to issue instructions

Prescreen processes personal data only on the basis of documented instructions from the Customer, unless it is obliged to do so according to the law of the Member State or the European Union. The Customer shall immediately confirm any oral instructions (at least in text form). The initial instructions of the Customer are set down in this agreement.

Changes to the subject of the processing and procedural changes must be coordinated between the parties and documented (text form shall suffice). If the instructions of the Customer are not covered by the contractually agreed scope of services, these shall be handled as a request for a change of services. In the event of proposed changes, Prescreen shall inform the Customer of the consequences arising for the agreed services, in particular with regard to the ability to provide the service and the compensation. If Prescreen finds implementation of the instruction to be an undue burden, Prescreen is entitled to reject the respective instruction.

Any such rejection takes place without prejudice to the main agreement, which continues to remain valid, as well as this Processing Agreement.
Prescreen may only provide information to third parties or data subjects after prior approval by the Customer (text form shall suffice) unless this is contravened by a statutory regulation.

The Customer shall name the persons who are authorised to give instructions. These persons authorised to give instructions correspond to the company users registered in Prescreen.io by the Customer with administrator rights. In the event that a person authorised to give instructions is changed by the Customer, the Customer shall implement this change accordingly in Prescreen.io.

Prescreen shall use the data for no purposes other than those agreed upon and is in particular not entitled to share the data with third parties, insofar as this is not regulated by this contract or an instruction of the Customer exists. Copies and duplicates shall not be created without the knowledge of the Customer. Backup copies are exempt from this insofar as they are required for ensuring proper data processing; data required to comply with statutory retention obligations are also exempt.

Prescreen undertakes to inform the Customer immediately if Prescreen is of the opinion that an instruction violates the data protection regulations. Prescreen is entitled to refrain from implementing the corresponding instruction until it is confirmed or altered by the controller of the Customer.

Prescreen assures the Customer that all persons acting under its authority shall only process the data processed on behalf of the Customer in fulfilment of this agreement, in fulfillment of an instruction of the Customer or in fulfillment of a statutory obligation.

9. Location of the data processing

Prescreen processes data on behalf of the controller in Member States of the European Union (EU) or the European Economic Area (EEA). Prescreen is also permitted to process data outside the EU or the EEA if processing complies with Articles 44-48 GDPR or in the event of a derogation as stipulated in Article 49 GDPR, and provided the other requirements incumbent upon subcontractors as governed by this agreement are complied with. Point 10 describes the subcontracting processors agreed on at the time of commissioning.

10. Subcontracting processors

The Customer agrees to the engagement of the subcontracting processors listed below subject to a contractual agreement with the subcontracting processors pursuant to Article 28 (2-4) of the GDPR.

1. New Work Austria Xing Kununu Prescreen GmbH, Schottenring 2 – 6, 1010 Vienna, Austria.
2. Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg.

Prescreen is entitled to make use of other subcontracting processors or to replace existing subcontracting processors as long as the following conditions are met:
● Prescreen informs the Customer of this outsourcing to subcontracting processors in writing or in text form with reasonable advance notice of at least 14 days,
● The Customer does not object to the planned outsourcing in writing or in text form within 7 days of receiving this notification,
● A contractual agreement is concluded pursuant to Article 28 (2-4) of the GDPR.

An objection may not be made without good reason (e.g. engagement of competitors of the Customer or prior data protection breaches at the subcontracting processor). If an objection is made despite Prescreen complying with the above conditions, this entitles Prescreen to extraordinary termination of the contractual relationship without notice. The objection can be withdrawn by the Customer in text form at any time.

Ancillary services engaged by Prescreen from third parties for assistance in executing the agreement shall not be considered subcontracting relationships as covered by this provision. These include, for example, telecommunication services, maintenance and user services, cleaning services, auditors or the disposal of data carriers. However, Prescreen is obliged, in order to ensure the protection and security of the Customer’s data, to conclude appropriate and legally compliant contractual agreements with respect to such ancillary services and to carry out sufficient oversight.

11. Customer’s rights of audit

The Customer has the right to audit processing, in agreement with Prescreen, as described in point 6 of Appendix 3 in accordance with Article 32 GDPR or to have such inspections exercised by auditors to be named in the specific instance, as long as these parties are not in competition with the processor and the processor has no other legitimate reasons to object to this.

The Customer has the right to carry out spot checks of the compliance with this agreement by Prescreen at Prescreen’s operating location with provision of at least 14 days advance notice. The Customer shall ensure that the audits do not exceed the necessary scope in order to avoid disproportionate disruption of Prescreen’s operations. The parties expect that such audits will be required no more than once per year.

Additional audits must be justified by the Customer, stating the grounds for requesting additional audits. Each party shall bear its own costs associated with these audits. If Prescreen’s participation in these audits extends significantly beyond the necessary scope (e.g. excessively frequent audits without cause), the resulting costs can be invoiced at rates typical for the industry. Prescreen is obliged to provide the Customer, upon request, the information required to comply with the Customer’s obligation to audit processing and to supply corresponding evidence.

With regard to audits by the Customer prior to the start of the data processing and during the course of the agreement, Prescreen shall ensure that the Customer can verify compliance with the established technical and organisational measures. To this end, Prescreen shall establish proof to the Customer, upon request, of the implementation of the technical and organisational measures described in Appendix 3.

The processor can also provide evidence of the implementation of the technical and organisational measures by presenting a current certificate or report (e.g. from a certified public accountant, internal auditing, data protection officer, IT security department, data protection auditors, quality auditors), a current certification (e.g. as per ISO/IEC 27001, VdS 10000, BSI-Grundschutz), a data protection seal or data protection mark as per Article 42 of the GDPR, or a data protection or IT security concept that corresponds to the requirements of the GDPR.

12. Notification of infringements

If Prescreen becomes aware of a personal data breach or an infringement of a contractually defined obligation, it will notify the Customer immediately.
Furthermore, Prescreen shall assist the Customer in complying with the Customer’s obligation to notify the supervisory authority and the data subjects of the personal data breach within the stipulated period. Prescreen shall provide to the Customer all necessary information for this purpose.

For notifications relating to data protection and for data protection incidents, the Customer must name a special data protection contact directly using the tool in Prescreen.io.

13. Erasure of data by Prescreen upon termination of the contractual relationship

After the provision of processing services has been terminated, Prescreen shall lock down the personal data and store it for a duration of three months. Within this period, the Customer has the option of downloading from Prescreen.io all personal data processed on the Customer’s behalf.

After the end of this period, Prescreen shall immediately erase the data unless a statutory obligation to store the personal data exists.

Documentation for the purpose of providing evidence of proper data processing as ordered can be retained by Prescreen beyond the expiration of the contract in accordance with the respective retention periods.

14. Processing for Prescreen’s own purposes

14.1 Analysis of usage behaviour

Prescreen is entitled to anonymise the personal data from this processing relationship and to carry out all processing steps required for anonymisation.

Prescreen may analyse such anonymised data for its own purposes, such as carrying out business or industry comparisons, statistical analyses, benchmarking, product improvements, new product development and for other similar purposes, including anonymised sharing with Prescreen users and third parties. With regard to point 14.1 Prescreen is the responsible party.

14.2 Notifications to company users and storage

We process personal data of company users for marketing purposes (such as event information in the form of newsletters and product information) if the company user has granted us separate consent or if Prescreen can refer to another statutory authorisation.

We store the data for a maximum duration of three years, starting with the day of the last contact with the company user, since it can be assumed for this period that the company user could be interested in further use of one of Prescreen’s services or may wish to continue use of the Prescreen.io access. This processing described in point 14.2. in the first paragraph is carried out by Prescreen in the role of the controller.
As long as a business relationship remains intact, the personal data of the company users will continue to be stored if this is necessary for the fulfillment of contractual obligations.

Storage periods longer than those specified can also arise if the data is required for the establishment, exercise or defence of legal claims before an authority, or if statutory retention obligations exist. The data will be stored for as long as necessary for the fulfillment of these purposes.

15. Obligation of secrecy

The parties agree to handle confidentially all knowledge of operating and business secrets as well as data security measures of each party of which they become aware in the course of the processing relationship. Operating and business secrets are understood to be all facts, circumstances and procedures relating to the company of one of the parties that are not public, are only accessible to a limited group of persons and for which the respective party has a legitimate interest in limiting disclosure. Measures for data security are understood as all technical and organisational measures within the meaning of Article 32 GDPR that have been taken by a party. This obligation of secrecy remains in effect after termination of this agreement.

Prescreen assures that it will only entrust persons with the processing of the Customer’s data who have undertaken to protect the confidentiality of the data or who are subject to an appropriate statutory obligation of confidentiality. In particular, this confidentiality obligation remains in effect without limitation in time even after the end of their related work and after their departure from Prescreen. The confidentiality obligation must also be observed with respect to data that refers to specific or identifiable legal persons or groups of persons.

16. Limitation of liability

Prescreen is liable to the Customer for damages resulting from data processing only if Prescreen fails to comply with its special obligations as laid out in this agreement.

Prescreen is not liable to the Customer for damages caused by Prescreen as a result of slight negligence.

If the Customer has the rights of recourse against Prescreen on the basis of a breach of obligations by Prescreen, the Customer must assert these claims within one year of becoming aware of the damages that have occurred. After this period, the Customer’s rights of recourse against Prescreen expire.

If Prescreen is of the opinion that a provision of this agreement or an instruction of the Customer violates the data protection provisions of the European Union or Germany, Prescreen is obliged to inform the Customer of this immediately.

17. Other provisions

This agreement must be concluded in writing. Any supplementary agreements or amendments to this agreement must also be in writing to be effective. A departure from the requirement of written form is inadmissible – even if this is set in writing.

This agreement is subject to German law, under exclusion of conflict of law rules and the UN Convention on Contracts for the International Sale of Goods. Place of jurisdiction is Hamburg, Germany. In addition, Prescreen shall also have the right to decide disputes by taking recourse to the competent court at the Customer’s place of business.

Should any provision of this agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions. The parties undertake to agree on a new, effective provision in place of the invalid provision which comes closest to the meaning and purpose of the invalid provision. The same applies to any gaps in this agreement.

This Processing Agreement is an integral component of the main agreement, which derives from the original offer. Termination of the main agreement also results in termination of this agreement in accordance with the termination periods established in the main agreement. The Customer can terminate the main agreement and this agreement at any time without notice (“extraordinary termination”) if Prescreen has committed a serious infringement of data protection regulations or the provisions of this agreement, if Prescreen cannot or will not carry out a legal instruction of the Customer, or if Prescreen refuses to grant the Customer its rights of control in violation of this agreement.