Data Processing Agreement
Personal data processing agreement between Headminer BV, with registered offices at Witherenweg 19 Bus D, 2320 Hoogstraten, Belgium, company number BE 0731.989.021; hereinafter referred to as the “Processor”; and the Client of Headminer, being a User or Company with a registered and verified account on app.headminer.com; hereinafter referred to as the “Controller”; hereafter collectively referred to as the “Parties”.
I. Subject matter
(1) The Processor shall process personal data for the Controller by order within the meaning of Article 4(2) and Article 28 GDPR. This Agreement governs the rights and obligations associated with this data processing by order.
(2) The subject matter of the order and the actual data processing that the Processor performs for the Controller shall be determined by the agreement between the Controller and the Processor which is referred to here and in the Annexes (hereinafter ‘the Main Agreement’).
II. Specification of the order content
a. Method and purpose of the intended personal data processing
(1) The method and purpose of the processing of personal data by the Processor are described in detail in the “Overview of the Main Agreement and the processing operations” annex, which refers to the Main Agreement.
(2) The Processor shall not process the data for any other purpose, especially not for its own purposes, and shall not be entitled to pass such data on to unauthorized third parties.
b. Nature/categories of personal data
The nature of the personal data used is defined in the “Overview of the Main Agreement and the processing operations” annex.
c. Categories of data subjects
The categories of data subjects affected by the processing are defined in detail in the “Overview of the Main Agreement and the processing operations” annex.
III. Location of the processing
The contractually agreed data processing may be undertaken exclusively in a Member State of the European Union, in another state that is a contracting party to the Agreement on the European Economic Area or in Switzerland. Any change to the location of the processing must be reported by the Processor to the Controller in advance. Any and every transfer of the data processing to a third country – incl. within the Group – shall require the prior approval of the Controller and may only occur if the special conditions under Article 44 et seq. of the GDPR have been fulfilled. This shall include any remote access to such data from a third country. The existence of an appropriate level of protection in the respective third country must be demonstrated by the Processor on the basis of:
• an adequacy decision by the Commission (Article 45(3) GDPR);
• binding corporate rules on data protection (Article 46(2)(b) in conjunction with Article 47 GDPR);
• standard data protection clauses (Article 46(2)(c) and (d) GDPR);
• an approved code of conduct (Article 46(2)(e) in conjunction with Article 40 GDPR);
• an approved certification mechanism (Article 46(2)(f) in conjunction with Article 42 GDPR); or
• the following measures (Article 46(2)(a) and 46(3)(a) and (b) GDPR):
IV. Technical and organizational measures
(1) The Processor shall design its internal organization in such a way as to comply, within its area of responsibility, with the special data protection requirements. It shall implement suitable technical and organizational measures for the protection of the Controller’s personal data that ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs and the method, scope, context and purposes of the processing as well as the varying likelihood and severity of the risk to the data subjects. The Processor must implement suitable technical and organizational measures that ensure that confidentiality, integrity, availability and resilience of systems and services in connection with the processing are maintained on a permanent basis. The Processor must implement the technical and organizational measures specified in Annex 1 in the form of a level of protection appropriate to the aforementioned risk.
(2) Before commencing the processing, the Processor must document its implementation of the required technical and organizational measures that were set out in advance of the placing of the order, especially in regard to the specific execution of the order, and must forward the documentation to the Controller. Upon acceptance by the Controller, the documented measures shall form the basis of the order. If the review or an audit by the Controller determines that an adjustment is required, this must be implemented by mutual agreement.
(3) All the measures that are to be carried out are measures to ensure data security and a level of protection appropriate to the risk to the data subjects. The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative measures that offer at least the same protection. Material changes must be documented and reported without delay to the Controller. The Controller has the right to evaluate every change and to communicate any need for adaptation. This is to be implemented by mutual agreement.
V. Rectification, retention and erasure of personal data
(1) The Processor must not decide independently to rectify, erase or limit its processing of the data processed by order, but shall only do so on documented instruction by the Controller.
(2) If a data subject contacts the Processor directly, the Processor shall forward such a request immediately to the Controller. The Processor shall support the Controller up to the degree necessary for carrying out its duty to respond to requests from a data subject.
(3) To the extent covered by the described scope of services, execution of the right to erasure, right to storage limitation, right to be forgotten, right to rectification, right to data portability and right of access shall be ensured by the Processor directly in accordance with the documented instruction from the Controller.
VI. Quality assurance and other duties of the Processor
(1) If the Processor has appointed a data protection officer who carries out his/her role pursuant to Articles 38 and 39 GDPR, the following rules shall apply: The contact details for the data protection officer are to be provided to the Controller for the purposes of direct contact. Any change of data protection officer must be reported to the Controller immediately.
(2) If the Processor is based outside the European Union and has appointed a representative in the European Union pursuant to Article 27(1) GDPR, it shall provide the contact details for the representative. Any change of representative must be reported to the Controller immediately.
(3) The Processor shall maintain confidentiality pursuant to Articles 28(3)(b), 29 and 32(4) GDPR. It shall only entrust employees to carry out the work who are bound by confidentiality obligations and who have been made aware of the data protection provisions relevant to them in advance. The Processor and all persons employed by the Processor who have access to personal data must only process such data in accordance with instructions from the Controller, and in accordance with the powers granted under this Agreement, unless the processing is required of them by law.
(4) The Controller and the Processor shall cooperate, on request, with the supervisory authority with regard to data protection.
(5) The Processor shall inform the Controller immediately of any audit activities/investigations or measures undertaken by a government body to the extent that they relate to this order and shall offer support, to the best of its abilities, insofar as the Controller is involved in official proceedings.
(6) The Processor shall regularly monitor the internal processes and also the technical and organizational measures to ensure that processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection legislation and that the rights of the data subject are protected.
VII. Subcontracting
(1) Subcontracting within the meaning of this provision is understood to mean services that relate directly to the performance of the principal service. This excludes ancillary services used by the Processor, e.g. telecommunication services, postal and transport services, maintenance and user services. The Processor is under obligation, however, to conclude appropriate, legally binding contractual agreements and to implement monitoring measures to ensure the protection and security of the Controller’s data, including in the case of outsourced ancillary services.
(2) The Processor may only commission the Subcontractor (other order processor) after obtaining prior written approval from the Controller. The Processor shall ensure that it chooses or has chosen the Subcontractors with special consideration of the suitability of their implemented technical and organizational measures pursuant to Article 32 GDPR. The relevant inspection documents are to be made available to the Controller on request. The Processor shall conclude a contractual agreement with the other order processors in accordance with Article 28(2) to (4) GDPR, which materially corresponds to the present provisions. In particular, the Controller must be entitled to carry out suitable audits and inspections, also on site, at the Subcontractor if necessary. These can also be executed by third parties commissioned by the Controller.
(3) The forwarding of data or the provision of data access to the Subcontractor may only be allowed if all requirements are fulfilled, especially explicit written consent from the Controller, and if the Subcontractor fulfils the obligations according to Article 29 and Article 32(4) GDPR regarding its employees.
(4) If the Subcontractor does not fulfil its data protection obligations, the Processor shall be liable vis-à-vis the Controller for fulfilment of the Subcontractor’s obligations.
(5) If the Subcontractor performs the agreed service outside the EU, EEA or Switzerland, the Processor shall ensure admissibility under data protection legislation by taking the required measures pursuant to clause III. above. The same applies if service providers within the meaning of clause VII.(1) sentence 2 above must be commissioned.
(6) Further outsourcing by the Subcontractor
• is prohibited;
• requires the explicit consent of the Principal Controller (at least in text form);
• requires the explicit consent of the Principal Processor (at least in text form);
and all obligations under this Agreement must also be imposed on any further Subcontractor. The Processor shall remain liable vis-à-vis the Controller for any further outsourcing.
(7) In the event that the Processor currently engages Subcontractors for processing personal data and the Controller agrees to this, the scope of the subcontracting and the identity of the Subcontractors shall be included in an Annex.
VIII. Monitoring rights of the Controller
(1) The Controller shall have the right, with the Processor’s consent, to carry out audits or to have audits carried out by auditors appointed in individual cases. The Controller shall have the right to obtain information and to assure itself of the Processor’s compliance with this Agreement in the latter’s activities by means of spot checks. The Controller must generally give timely notice of such spot checks.
(2) Evidence of technical and organizational measures that not only affect the specific order can be provided by
• compliance with approved codes of conduct pursuant to Article 40 GDPR; or
• certification according to an approved certification procedure in accordance with Article 42 GDPR; or
• current attestations, reports or report extracts provided by independent bodies (e.g. chartered accountants, auditors, data protection officers, IT security departments, data protection auditors and quality auditors); or
• a suitable certification by IT security or data protection auditors (e.g. in accordance with ISO 27001, BSI IT Baseline Protection).
IX. Cooperation obligations of the Processor
(1) The Processor shall support the Controller in complying with the duties specified in Articles 32 to 36 of the GDPR regarding the security of personal data, notification requirements in the event of data breaches, data protection impact assessments (DPIAs) and corresponding prior consultations. In particular, this includes:
• assurance of an appropriate level of protection by means of technical and organizational measures, which take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a possible violation of personal data protection and enable an immediate identification of relevant violations;
• immediate reporting of actual or suspected data breaches, violations affecting this Agreement as well as irregularities in the processing of personal data to the Controller;
• the obligation to support the Controller with regard to its duty to provide information to the supervisory authority with regard to data protection or to the data subjects and, in this respect, to make all relevant information available to the Controller immediately;
• support for the Controller in its data protection impact assessment (DPIA);
• support for the Controller with regard to prior consultations with the supervisory authority.
(2) For further support services that are not included in the service description or which cannot be attributed to misconduct on the part of the Processor, the Processor can claim remuneration.
X. Authority of the Controller to issue instructions
(1) The Processor shall process the personal data exclusively within the framework of the agreements made and according to the documented instructions of the Controller. The Controller reserves a comprehensive right to issue instructions regarding the nature, scope and methods of data processing.
(2) The Controller’s right of instruction has to be exercised in written form. Oral instructions are to be confirmed by the Controller immediately in written form.
(3) The Processor must inform the Controller immediately if it believes that an instruction violates data protection regulations. The Processor shall be entitled to suspend the execution of the relevant instruction until it is either confirmed or changed by the Controller.
(4) Persons with the right of instruction on behalf of the Controller shall be included in an Annex.
(5) Persons with the right to receive instructions on behalf of the Processor shall be included in an Annex.
(6) In case of a change to the contact persons, or if a contact person shall be prevented from issuing or receiving instructions for a long time, the contracting party must be informed of the successors or representatives immediately and, in principle, in written form or via email.
XI. Erasure and return of personal data
(1) No copies or duplicates of the data may be created without the knowledge of the Controller. This does not apply to backup copies to the extent that they are required to ensure proper processing of the data, nor does it apply to data required for compliance with statutory retention obligations.
(2) After conclusion of the contractually agreed work, or earlier upon request from the Controller and, at the latest, on termination of the Main Agreement, the Processor must hand over to the Controller all data, documents, outputs produced from processing and utilization, and data sets related to the contractual relationship that have come into its possession or into the possession of Subcontractors or, after prior consent, destroy these or arrange for them to be destroyed by the Subcontractor in accordance with data protection legislation. The same applies to test and discarded materials. The deletion log must be submitted on request.
(3) Documentation that is used to demonstrate data processing in accordance with the order must be stored by the Processor after expiry of the contract in compliance with the respective retention periods. In order to relieve itself of this obligation, the Processor may hand such documentation over to the Controller on termination of the contract.
XII. Confidentiality and further obligations of secrecy
The Processor shall undertake to observe the rules of secrecy and confidentiality that are relevant to this order.
XIII. Duration and termination
The duration of this Agreement (term) corresponds to the term of the Main Agreement, and the corresponding provisions relating to termination apply.
XIV. Final provisions
Belgian law shall apply to this Agreement. Belgian courts shall have exclusive jurisdiction to hear any disputes relating to this Agreement.
Annex 1 – Technical and organizational measures
- Confidentiality
• Physical access control: Prevent unauthorized access to data processing facilities, e.g. magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video monitoring; access to rooms with data processing systems (e.g. computer centers) must be assigned restrictively;
• Electronic access control: Ensure that those authorized to use an automated processing system only have access to personal data covered by their access authorization;
• User control: Prevent the use of automated processing systems by unauthorized persons using data transfer equipment;
• Data media control: Prevent the unauthorized reading, copying, modification or erasure of data media;
• Separability control: Ensure that personal data collected for different purposes can be processed separately;
• Pseudonymization (Article 32(1)(a) GDPR; Article 25(1) GDPR): Ensure that personal data are processed in such a way that the data can no longer be associated with a specific data subject without the assistance of additional information, making sure that this additional information is stored separately and is subject to appropriate technical and organizational measures;
• Encryption (Article 32(1)(a) GDPR): Ensure the encryption of personal data for data in motion as well as data at rest pursuant to the Controller’s requirements.
- Integrity
• Data integrity: Ensure that stored personal data cannot be corrupted by means of a malfunctioning of the system;
• Storage control: Prevent the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data;
• Transfer control: Ensure that it is possible to verify and establish where personal data has been or may be transferred or made available to by means of data transmission facilities;
• Data entry control: Ensure that it is subsequently possible to verify and establish which personal data have been entered into automated data processing systems, as well as when and by whom;
• Transport control: Ensure that the confidentiality and integrity of personal data are protected during transfers of personal data and during transport of data media.
- Availability and reliability
• Availability control: Ensure that personal data are protected against destruction or loss;
• Reliability: Ensure that all functions of the system are available and that any failures that arise are reported;
• Timely restoration (Article 32(1)(c) GDPR): Ensure that the systems installed can be restored in the event of a failure.
Annex 2: Overview of the Main Agreement and the processing operations
Headminer will process data of the registered and verified account on app.headminer.com and its users or managers, temporary work offers (also known as “gigs”), needed profiles, workers to be exchanged and their documents, messages, connections, suggestions with all related data and metadata.
Headminer does this to create a worldwide company network that allows for exchanging manpower between companies within a predefined temporary job opportunity, project or “gig”. Headminer offers various privacy options when it comes to publishing gigs, uploading documents or exchanging workers.
All registered users, being “managers” or “admins”, will take full responsibility for their company and all related workers. They will be held accountable for creating contingent work opportunities, exchanging workers or making a company profile.
Annex 3: Special Personal Data
If the Processor shall process one or more categories of Special Data, it shall additionally undertake to fulfil the following obligations.
If the Processor shall not process any Special Data, this Annex 3 shall not apply.
List of persons with access to the Special Data
The Processor shall keep a list of the categories of persons with access to the Special Data. The capacity of these (categories of) persons must also be included in this list. This list must be kept at the disposal of the Controller and of the supervisory authority.
Data Protection Impact Assessment (DPIA)
If the Processor shall process Special Data on a large scale, it shall not start the processing until a data protection impact assessment has been performed. In that case, the Processor shall undertake to provide the information set out in Annex 3 to the Controller.
Technical and organizational measures
In view of the sensitive nature of the Special Data, the Processor shall undertake to implement the safest technical and very extensive organizational measures.
Annex 4: Data Protection Impact Assessment (DPIA)
If a data protection impact assessment must be carried out, the Processor shall supply the Controller with the following information as soon as possible:
(i) A systematic description of the envisaged processing operations;
(ii) An assessment of the necessity and proportionality of the processing operations in relation to the purposes included in the Main Agreement;
(iii) An assessment of the risks to the rights and freedoms of the data subject(s);
(iv) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the General Data Protection Regulation. This shall take into account the rights and legitimate interests of the data subject(s) and other persons concerned.