Transfer Agreement

Last update: September 20, 2023

Annex 1 – Personal data transfer agreement between two independent Data Controllers

This Agreement is concluded between MAKI and the Client and shall be considered as part of the Terms of Sale (hereafter “ToS”).

The following has been stated

The Parties declare and acknowledge that the negotiations preceding the conclusion of this Agreement were conducted in good faith and that they obtained, during the precontractual negotiation, all the information necessary and useful to enable them to enter this Agreement in full knowledge of the facts, and that they communicated to each other all information likely to determine their consent and of which they could legitimately be unaware.

It has been agreed and determined as follows

1 - Definition

For the need of this Agreement, the terms hereafter shall have the following meaning:

- “Personal Data” refers to any information relating to a specific individual that can be identified, directly or indirectly, such as the surnames, forenames, email and postal addresses of a specific individual, his image on a photograph or video, an IP address, location data, a license plate, etc. To determine whether a person can be identified, it is necessary to consider all the means of identification available or accessible to the Data Controller or any other person.
- “Data Subject” refers to an individual whose Personal Data are processed.
- “Data Controller” refers to any legal entity defining the purposes and means of the Personal Data Processing.
- “Data Processor” refers to any legal entity processing Personal Data on behalf of or following the instructions of a Data Controller.
- “Processing” refers to any operation or set of operations relating to Personal Data performed by a Data Processor or a Data Controller, regardless of the process used, and in particular the collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as the limitation, deletion or destruction.
- “Personal Data Breach” means a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2 - Object

In the contractual relationship between Maki and the Client, each company acts as an independent Data Controller. Thus, the purpose of this Agreement is to define the conditions under which Maki and the Customer undertake to carry out Personal Data transfer operations between them, in compliance with the legislation in force, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018 (hereinafter, "the European Data Protection Regulation"), as well as the Law n°78-17 of 6 January 1978 relating to data processing, files and freedoms (hereinafter, "Data Protection Act"), as amended.

3 - Description of the Processing subject to transfers between Independent Data Controllers

Candidates will be invited to take online tests and assessments on the Platform. Their registration on the Platform can be done in several ways.

In the first case, the Customer will provide Maki with the Candidate's email. In this case, the Client transfers the relevant Personal Data (i.e. first name, last name, email address) to Maki. In this case, Client warrants to Maki that it will make such transfer after having informed the Data Subject prior to the transfer, and in accordance with a lawful legal basis. In this regard, Client indemnifies Maki against any legal or administrative action related to a failure to comply with the applicable law and raised by a Data Subject.

In the second case, the Client invites the Candidate to take an Assessment through an email containing a link to register on the Platform. In this case, Maki directly collects the Candidate’s Personal Data as an independent Data Controller.

In the last case, the Candidate registers directly on the Platform to take a test. In that event, Maki is deemed to be the unique Data Controller.

Another case relates to the configuration where the Customer would like to propose to its employees to carry out evaluations or tests on Maki. In this case, the Customer guarantees to Maki that the use of the Platform by its employees can only be carried out subject to the prior acceptance by the employees of the Terms of Use and the Privacy Policy of Maki, as for any other User of the Platform.

After the Candidate completes the assessment, the relevant Personal Data, knowingly and without being limited to it, the Candidate’s answers to the assessments, personality tests and questionnaires, the Candidate’s rating and ranking, the Recruiter’s manual rating, the time spent to answer the test, the status of the Candidate (invited, finished, in process), the uploading of the Candidate’s resume, choices and, if applicable, videos, will be collected by Maki, as Data Controller, on the basis of Article 6.1.b of the European Data Protection Regulation (see Maki’s Privacy Policy).

For the performance of the Services subject to this Agreement, Maki may transfer and make available to the Client information relating to Candidates who applied to a Client’s job offer. Thus, Maki remains the Data Controller for this scope of Personal Data, and will previously inform the Data Subjects that their data will be transferred to the Client, as a second independent Data Controller for this strict scope of data.

Each Data Controller may use a Data Processor to carry out specific Processing activities. Insofar as this subcontracting takes place for distinct and specific Processing, it may be carried out without requesting prior respective authorization.

4 - Independent Data Controllers’ obligation

For the performance of the service subject of this contract, the Data Controller shall make available to the second Data Controller the information of which a detailed description of the Processing is set out in Appendix 1.

Each Data Controller declares that it keeps a written record of all categories of Processing activities carried out.

In this context, the first Controller acknowledges and guarantees:

1. that the Processing is carried out in accordance with the provisions of the European Data Protection Regulation and the Data Protection Act, in particular, that the Data Subject has been informed of the purpose of the Processing, of his or her rights, of the recipients of the Personal Data and of the policy on the protection of privacy and Personal Data;
2. that in the event that the Data Controller processes "sensitive" data as defined in Article 9 of the European Data Protection Regulation (i.e. the Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person), the Data Controller has collected them regularly and, where applicable, requires the Data Processor to carry out their Processing in full compliance with the provisions of the said Article 9;
3. that s.he will answer in a timely manner to the information request of the French Data Protection Authority (CNIL), if necessary;
4. that s.he will answer in a timely manner to the requests of any Data Subject asking for information about his or her Personal data and that he will give appropriate and timely instructions to the Data Processor;
5. that s.he will inform the second Data Processor of any Personal Data Breach in a timely manner, and at most 72 (seventy-two) hours after becoming aware of it. This notification shall be accompanied by any useful documentation to enable the second Data Controller, if necessary, to notify the competent supervisory authority of the Breach.
6. that s.he will take any necessary action to identify the causes of the Personal Data Breach and use all the means s.he deems necessary to remedy the origin of such Breach where such remedy is within its control. 

The Data Controller also undertakes to:
1. provide the Data Processor with the Data referred to in Appendix 1 of this Contract;
2. document in writing any instructions regarding the Processing of Personal Data by the Data Processor;
3. ensure, beforehand and throughout the Processing, that the obligations provided for in the European Data Protection Regulation regarding the Data Processor;
4. supervise the Processing, including conducting audits and inspections of the Data Processor.

In that context, the second Data Controller undertakes to:
- process the Personal Data for the sole purposes subject to this Personal Data Transfer Agreement and following the Appendix 1;
- if the second Data Controller is located in a third country, he must inform the first Controller of this legal obligation before the Processing;
- ensure the confidentiality of personal data processed under this Agreement;
- ensure that persons authorized to process Personal Data under this Agreement:
  - undertake to respect the confidentiality or are subject to any relevant legal obligation of confidentiality;
  - receive the necessary and appropriate training on the protection of personal data;
- take into account the principles of data protection by design and data protection by default for its tools, products, applications or services;
- implement and maintain accurate documentation outlining the protection and confidentiality measures surrounding the Personal Data and their access;
- inform its employees of their responsibility to protect Personal Data, including the confidentiality of such data;
- cooperate with the CNIL in the event of a request for information from the CNIL and that it will comply with any recommendation of the CNIL relating to the Processing.

5 - Data sub-processing

The recruitment process of a Candidate will be monitored by the Client's teams on Maki’s Platform. On that occasion, Maki will process certain Personal Data of the Client’s employees or personnel for the sole purpose of the tracking and managing of the applications. For this specific processing, Maki will act as a Data Processor for the following purposes and data scope:
- For the creation of a Client’s employee account (email, password);
- For the Administrator Account (names of the company's users; status (registered, guest); last period of activity);
- For billing purposes (credit card number, IBAN);
- To interconnect with the ATS/SIRH;
- For the management of assessments by the Client's teams (employee name, recruiter name, status (active, archived, draft), number of candidates processed, last date of activity);
- For the configuration of an Assessment (name of the Hiring Manager, name of the Recruiter, video, author of the assessment);
- For inviting Candidates (name, first name, email).

Maki may then use another Data Processor (hereinafter, "the Sub-Processor") to conduct those specific Processing activities. The Controller acknowledges that it agrees to the use of Sub-Processors by the Data Processor. In the event that the Controller disagrees with the choice of one of the Sub-Processors and in the absence of an alternative found by the Parties within 30 (thirty) days, the Controller may terminate the Contract, without being able to claim any compensation or damages as a result. The Sub-Processor is required to comply with the obligations of this Agreement on behalf of and according to the instructions of the Data Processor. It is the responsibility of the initial Sub-Processor to ensure that the Sub-Processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the European Data Protection Regulation. If the Sub-Processor fails to fulfil its data protection obligations, the original Sub-Processor shall remain fully responsible with regard to the Controller for the Sub-Processor's performance of its obligations.

The Data Processor shall notify the Controller of any Personal Data Breach as soon as possible and, at the latest, 48 (forty-eight) hours after becoming aware of it. This notification shall be accompanied by any useful documentation to enable the Controller, if necessary, to notify the competent supervisory authority of the Breach. The Data Processor shall take all necessary steps to identify the causes of such Personal Data Breach and take all measures that it deems necessary and reasonable to remedy the origin of such Breach when such remedy is within the control of the Data Processor.

6 - Contract's term

This Agreement shall be effective as of the signing hereof and for the duration of the contractual relationship under the ToS. Certain provisions shall survive the expiration of the Agreement, including those relating to retention periods and the obligations of each of the Parties. The signature of this Agreement is made directly via the Maki Platform by a person duly authorized to represent the Data Controller.

7 - Right to information of Data Subjects

It is the responsibility of each Data Controller to provide information to the persons concerned by the Processing activities at the time of collection of the data, and to allow their transfer to the second Data Controller in compliance with all legal requirements. Each Controller shall indemnify the other Party against any action in this respect.

8 - Exercising the rights of the persons concerned

Each Data Controller shall address any requests to exercise the rights of Data Subjects (right to access, rectification, erasure and object, restrict the Processing, data portability, right not to be subject to an automated individual decision, including profiling) concerning him or her.

9 - Security measures

Each Data Controller undertakes to implement technical and organizational measures to guarantee a level of security appropriate to the risks exposed.

Each Data Controller must at all times have technical and organizational measures in place to prevent unauthorized access to Personal Data and the use of Personal Data for purposes other than those agreed upon for their transfer. Each Data Controller must protect and maintain the security of Personal Data as confidential information.

The security measures which must be implemented by each Data Controller to ensure the security of Personal Data collected and processed include, but are not limited to, the following measures:
- All the staff must be trained and regularly informed of developments in data security and Personal Data protection;
- In order to protect the confidentiality of the Personal Data, the Data Processor must include a clause in the employment contracts signed by the staff members who have access to the Personal Data, obliging these staff members to acknowledge their duty to protect the confidentiality of all Personal Data to which they have access under the Contract;
- Only authorized personnel may have access to Personal Data, provided such access is necessary. Measures to prevent access to Personal Data by unauthorized persons must be implemented;
- A method for accessing Personal Data must be developed, and an appropriate level of authorization must be required;
- Passwords and usernames must be requested before accessing any electronic environment in which Personal Data is stored, and access records must be implemented and kept up to date. The Data Processor must implement a password policy appropriate for accessing Personal Data;
- All devices and software on which Personal Data is stored must be regularly updated and protected against malware and unauthorized access, thanks to protective software (such as antivirus software);
- The Personal Data must not be stored in environments (such as the Internet) accessible to third parties and which are not authorized by the Data Processor;
- Accurate measures (e.g. firewalls etc.) must be implemented to ensure the security of the interface between the environments accessible to third parties and the company's storage areas, as well as measures to fight virtual attacks threatening the security of the data (IDS/IPS etc.);
- Personal Data is deleted thanks to appropriate methods. The deletion of Personal Data stored in an electronic environment must make it impossible to recover the data. Personal Data that is physically stored (documents etc.) is destroyed by using appropriate methods or equipment (shredder etc.).

10 - Contract termination

The Parties acknowledge that termination of the Agreement at any time and for any reason whatsoever does not relieve them of their obligations under the European Data Protection Regulation and the French Data Protection Act concerning Processing in accordance with the Agreement.

11 - Applicable law and language of the Agreement

The Parties expressly agree that this Agreement is governed by French law and that the official language of the contract is French.

In the event of a dispute this English version as well as any other translation shall not be deemed authentic. Pursuant to the provision herein, only the French version is considered as authentic.

12 - Dispute resolution

For any dispute arising from the performance of this Agreement, the most diligent Party shall refer the matter to the competent Courts.