OCCUPOP DATA PROCESSING TERMS
IMPORTANT LEGAL NOTICE
This page (together with our Privacy and Cookies Policy and the Agreement) sets out the terms and conditions (the “Data Processing Terms”) on which we, the business trading as Occupop Limited (“we”, “our”, “us” or “Occupop”) process the Applicant Data(as defined below) provided by you (“Client”,“you” or “your”) to us as part of providing our service (the “Services”), or provided to us by an individual candidate(“Applicant”) by submitting an application form through any Occupop System (as defined below).
In relation to Applicant Data we are acting as the data processor in relation to processing of such Applicant Data and collect and process the Applicant Data on your behalf. The provisions of these Data Processing Terms apply to the processing we carry out in relation to the Applicant Data on your behalf.
Please read these Data Processing Terms carefully before ordering our Services as your purchase of any Services offered on our Website is subject to these Data Processing Terms. The Client agrees that clicking the acceptance box to these Data Processing Terms constitutes acceptance of these Data Processing Terms. By ordering Services via the Website(whether now or in the future), you agree to be bound by these Data Processing Terms.These Data Processing Terms constitute the mandatory data processing contract between you as data controller and us as data processor. If you do not accept these Data Processing Terms, you should not proceed to order Services from us.
We recommend that you print a copy of these Data Processing Terms for future reference. These Data Processing Terms are only in the English language.
The following definitions apply in these Data Processing Terms:
Agreement: means the terms and conditions of Occupop Ltd appearing on our Website.
Appropriate Technical and Organisational Measures: has the meaning given to such term in Data Protection Legislation (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).
Applicant: means an individual candidate applying for a job with the Client through the Occupop System.
Applicant Data: means any Personal Data relating to the Applicant.
Authorised Person: a person notified to us by you that can provide instruction in relation to processing of the Client Data.
Business Day: a day other than a Saturday, Sunday or public holiday in Ireland when banks are open for business.
Business Purpose: the purpose of providing our services to you as set out in the Agreement.
Client Data: means the Applicant Data supplied by the Client or the Applicant to us from time to time.
Client Data Breach:means any “personal data breach” as defined in the GDPR in respect of the Client Data caused by Occupop.
Client System: any information technology system or systems owned or operated by the Client from which Occupop Data is received by the Client in accordance with this Agreement.
Occupop System: any information technology system or systems owned or operated by Occupop to which Client Data is delivered or on which the Services are performed in accordance with the Agreement.
Contract Period: has the same meaning as set out in the Agreement.
Data: any data or information, in whatever form, including but not limited to images, still and moving, and sound recordings.
Data Controller: has the meaning given to such term in Data Protection Legislation.
Data Processor: has the meaning given to such term in Data Protection Legislation.
Data Protection Legislation: means the Data Protection Acts 1998 - 2018 and the General Data Protection Regulation (EU 2016/79), any other applicable law or regulation relating to the Processing of Personal Data and to privacy (including the E-Privacy Directive), as such legislation shall be amended, revised or replaced from time to time, including by operation of the GDPR (and laws implementing or supplementing the GDPR).
Data Protection Officer:a data protection officer appointed pursuant to Data Protection Legislation.
Data Subject: an individual who is the subject of Personal Data.
Delete: to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.
GDPR: General Data Protection Regulation (EU) 2016/679.
Normal Business Hours:9 am to 5.30 pm GMT on a Business Day.
DPC: DPC Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32AP23, Ireland.
Personal Data: has the meaning set out in Data Protection Legislation and relates only to personal data, or any part of such personal data, in respect of which the Client is the Data Controller, and in respect of which Occupop is the Data Processor under these Data Processing Terms.
Processed Data: any Client Data that has been Processed.
Processing: has the meaning given to such term in Data Protection Legislation, and Process and Processed shall be interpreted accordingly.
Restricted Transfer:any transfer of Client Data from Occupop to a Sub-processor or any other person or entity, or any onward transfer of Client Data from such Sub-processor,person or entity, in each case where such transfer would be prohibited by Data Protection Legislation (or by the terms of data transfer agreements put in place to address the data transfer restrictions in Data Protection Legislation).For the avoidance of doubt, this includes transfers of Client Data to countries outside the EEA which are not subject to an adequacy decision by the European Commission.
Security Features: any security feature,including any encryption, pseudonymisation, key, PIN, password, token or smart card.
Specific Instructions: instructions meeting the criteria set out in Clause 1.4.
Standard Contractual Clauses: the contractual Clauses dealing with the transfer of Client Data outside the EEA, which have been approved by (i) the European Commission under Data Protection Legislation, or (ii) by the DPC or an equivalent competent authority under Data Protection Legislation.
Start Date: has the same meaning as set out in the Agreement.
Sub-processor: has the meaning given to such term in Clause 12.1.
Term: has the same meaning as set out in the Agreement.
II. DATA PROCESSING
1.1 Occupop is the Data Processor and the Client is the Data Controller under these Data Processing Terms.
1.2 We will Process the Client Data for the Business Purpose only and in compliance with your instructions from time to time, which may be:
1.2.1 Specific Instructions; or
1.2.2 the general instructions set out in the Agreement,
1.3 unless required to do otherwise by law, in which case,where legally permitted, we will inform you of such legal requirement before Processing.
1.4 We will not act on any specific instructions given by you from time to time during the term of the Agreement (the “Term”) unless they are:
1.4.1 in writing (including by electronic means); and
1.4.2 given by an Authorised Person.
1.5 The types of Personal Data to be Processed pursuant to this Agreement shall include the Client’s name, email and address and the Applicants’ CV’s and the categories of Data Subject to whom such Personal Data relates shall include the Client and the Applicant.
1.6 You may reserve the right to make reasonable alterations to the technical arrangements relating to the format, presentation and distribution of the Client Data and we agree to use reasonable endeavours to adjust our systems accordingly.
2.1 Occupop will create a portal for the Client after the Start Date for the management of Client Data and to allow for the engagement with Applicants by the Client. The Client agrees that the Applicant may submit the Applicant Data to the Occupop System for Processing in accordance with this Agreement.
3. Our OBLIGATIONS
3.1 Occupop will:
3.1.1 only make copies of the Client Data to the extent reasonably necessary for the Business Purpose (which, for clarity, includes back-up, security, disaster recovery and testing of the Client Data); and
3.1.2 not extract, reverse-engineer, re-utilise, use,exploit, redistribute, re-disseminate, copy or store the Client Data other than for the Business Purpose.
3.2 We will notify you in writing without delay of any situation or envisaged development that will in any way change the ability of Occupop to Process the Client Data as set out in these Data Processing Terms.
3.3 We will, at your cost and taking into account the nature of our Processing of Client Data, promptly comply with any written request from you requiring us to amend, transfer or Delete any of the Client Data. Excluding the general deletion on expiration of retention periods.
3.4 At your request and cost, we will provide you with a copy of all Client Data held by us in the format and on the media reasonably specified by you.
3.5 At your request and cost, taking into account the nature of our Processing of the Client Data and the information available, we will provide you with such information and such assistance as you may reasonably require, and within the timescales reasonably specified by you, to allow you to comply with your obligations under Data Protection Legislation,including but not limited to assisting you to:
3.5.1 comply with your own security obligations with respect to the Client Data;
3.5.2 discharge your obligations to respond to requests for exercising Data Subjects’ rights with respect to the Client Data;
3.5.3 comply with your obligations to inform Data Subjects about serious Client Data Breaches;
3.5.4 carry out data protection impact assessments and audit data protection impact assessment compliance with respect to the Client Data; and
3.5.5 engage in the consultation with the DPC following a data protection impact assessment, where a data protection impact assessment indicates that the Processing of the Client Data would result in a high risk to Data Subjects.
3.6 Any proposal by Occupop to in any way use or make available the Client Data other than as provided for pursuant to these Data Processing Terms shall be subject to your prior written approval.
3.7 We acknowledge that we are under no duty to investigate the completeness, accuracy or sufficiency of (i) any instructions received from you, or (ii) any Client Data.
3.8 You shall:
3.8.1 ensure that you are entitled to transfer the relevant Client Data to us so that Occupop may lawfully use, process and transfer (if applicable) the Client Data in accordance with these Data Processing Terms;
3.8.2 notify Occupop in writing without delay of any situation or envisaged development that shall in any way influence, change or limit the ability of Occupop to process the Client Data as set out in these Data Processing Terms;
3.8.3 ensure that the Client Data that you instruct us to Process pursuant to these Data Processing Terms is:
(a) obtained lawfully, fairly and in a transparent manner in relation to the Data Subject (including in respect of how consent is obtained);
(b) collected and processed for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) accurate, and where necessary kept up to date;
(e) erased or rectified without delay where it is inaccurate, having regard to the purposes for which they are processed;
(f) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Client Data are processed (subject to circumstances where Client Data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and subject to the implementation of Appropriate Technical and Organisational Measures);
(g) processed in a manner that ensures appropriate security of the Client Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
3.8.4 provide such information and such assistance to us as we may reasonably require, and within the timescales reasonably specified by us,to allow us to comply with our obligations under Data Protection Legislation;and
3.8.5 not alter the technical arrangements relating to the format, presentation and distribution of the Client Data to us without our prior written approval.
3.9 You agree not to pass any Client Data to us for processing which has been kept by you for a period that is longer than necessary.
4. OCCUPOP EMPLOYEES
4.1 We will take reasonable steps to ensure the reliability of all our employees who have access to the Client Data, and to ensure that such employees have committed themselves to a binding duty of confidentiality in respect of such Client Data.
5.1 We will keep at our normal place of business records(including in electronic form) relating to all categories of Processing activities carried out on behalf of the Client, containing:
5.1.1 the general description of the security measures taken in respect of the Client Data, including details of any Security Features and the Appropriate Technical and Organisational Measures;
5.1.2 the name and contact details Occupop; any sub-contractor;and where applicable our representatives; and where applicable any Data Protection Officer appointed by us;
5.1.3 the categories of Processing by Occupop on your behalf;and
5.1.4 details of any non-EEA Client Data transfers, and the safeguards in place in respect of such transfers.
6.1 Subject to Clause 6.2, 6.3 and 6.5, and to the extent required by Data Protection Legislation, you will have the right to examine and review the use by us of the Client Data provided to us by you only for the purpose of ascertaining that such Client Data has been used and Processed in accordance with the terms of these Data Processing Terms.
6.2 An audit under this Clause 6 shall be carried out no more than once in any twelve (12) month period and shall be conducted during Normal Business Hours during the course of one Business Day and shall only relate to the Client Data. We will grant to you (or representatives of the Client) on reasonable advance notice a right of access to our premises during Normal Business Hours for the purpose of such examination and review, and we will give such necessary assistance to the conduct of such examinations/audits. You will bear the reasonable expenses incurred by us in respect of any such audit and any such audit shall not interfere with the normal and efficient operation of our business. We may require, as a condition of granting such access, that the Client (and representatives of the Client) enter into reasonable confidentiality undertakings with us.
6.3 The scope of any examination and review by you of the use by Occupop of the Client Data shall be agreed in writing prior to the commencement of any such examination and review.
6.4 In the event that the audit process determines that we are non-compliant with the provisions of these Data Processing Terms, you may,by notice in writing, deny further access to the Client Data and the provisions of Clause 12 (Early Termination) of the Agreement and Clause 13 of this Addendum may be, by notice in writing, invoked.
6.5 To the extent permitted under Data Protection Legislation, we may demonstrate our and, if applicable it’s Sub-processors’,compliance with its obligations under these Data Processing Terms through our compliance with a certification scheme or code of conduct approved under Data Protection Legislation.
7. DATA SUBJECT REQUESTS
7.1 Taking into account the nature of our Processing of the Client Data and at your cost, we will assist you by employing Appropriate Technical and Organisational Measures, insofar as this is possible, in respect of the fulfillment of our obligations to respond to requests from a Data Subject exercising his/her rights under Data Protection Legislation.
7.2 We will, at your cost, notify you as soon as reasonably practicable if we receive:
7.2.1 a request from a Data Subject for access to that person's Client Data;
7.2.2 any communication from a Data Subject seeking to exercise rights conferred on the Data Subject by Data Protection Legislation in respect of the Client Data; or
7.2.3 any complaint or any claim for compensation arising from or relating to the Processing of the Client Data.
7.3 We will not disclose the Client Data to any Data Subject or to a third party other than at the request of the Client, as provided for in these Data Processing Terms, or as required by law in which case we will to the extent permitted by law inform you of that legal requirement before we disclose the Client Data to any Data Subject or third party.
7.4 We will not respond to any request from a Data Subject exception the documented instructions of you or an Authorised Person or as required bylaw, in which case we will to the extent permitted by law inform you of that legal requirement before we respond to the request.
8. DATA PROTECTION OFFICER
8.1 We will appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation and provide you with the contact details of such Data Protection Officer.
8.2 You shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation and provide us with the contact details of such Data Protection Officer.
9.1 We will, in accordance with our requirements under Data Protection Legislation, implement Appropriate Technical and Organisational Measures to safeguard the Client Data from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage, and that,having regard to the state of technological development and the cost of implementing any measures (and the nature, scope, context and purposes of Processing, as well as the risk to Data Subjects), such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage and to the nature of the Client Data to be protected.
9.2 We will ensure that the Client Data provided by you can only be accessed by persons and systems that are authorised by us and necessary to meet the Business Purpose, and that all equipment used by us for the Processing of Client Data will be maintained by us in a physically secure environment.
10. BREACH REPORTING
10.1 We will promptly inform you if any Client Data is lost or destroyed or becomes damaged, corrupted, or unusable, or if there is any accidental, unauthorised or unlawful disclosure of or access to the Client Data.In such case, we will use our reasonable endeavours to restore such Client Data at our own expense (save where the incident was caused by the Client's negligent act or omission) and will comply will all of its obligations under Data Protection Legislation in this regard.
10.2 We will inform you of any Client Data Breaches, or any complaint, notice or communication in relation to a Client Data Breach, without undue delay. Taking into account the nature of our Processing of the Client Data and the information available to us and at your cost we will provide sufficient information and assist you in ensuring compliance with your obligations, in relation to notification of Client Data Breaches (including the obligation, where relevant, to notify Client Data Breaches to the DPC within seventy two (72) hours), and communication of Client Data Breaches to Data Subjects where the breach is likely to result in a high risk to the rights of such Data Subjects. Taking into account the nature of our Processing of the Client Data and the information available to us and at your cost, we will co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Client Data Breach.
11. RESTRICTED TRANSFERS
11.1 A Restricted Transfer may not be made without your prior written consent, and if such consent has been obtained, the Restricted Transfer may only be made where there are Appropriate Technical and Organisational Measures in place with regard to the rights of Data Subjects (including but not limited to the Standard Contractual Clauses, Privacy Shield, binding corporate rules, or any other model Clauses approved by the DPC).
11.2 Subject to Clause 11.3, in the event of any Restricted Transfer by us to a contracted Sub-processor or otherwise (“Data Importer") for which your consent has been obtained, the obligations of Occupop in Clause 11.1 to ensure that there are Appropriate Technical and Organisational Measures in place will be satisfied if you and the Data Importer enter into the Standard Contractual Clauses (to the extent applicable).
11.3 Clauses 11.1 or 11.2 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which may include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Legislation.
12.1 The Client agrees and acknowledges that we may have the Client Data Processed by any of our affiliates and by any agents and contractors (a “Sub-processor”). We will inform you of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving you the opportunity to object to such changes.
12.2 We will enter into a data processing contract with the Sub-processor (and provide you with an executed copy of such contract on request) which places the same data protection obligations on the Sub-processor as has Occupop in these Data Processing Terms (in particular, providing sufficient guarantees to implement Appropriate Technical and Organisational Measures in such a manner that the Processing will meet the requirements of Data Protection Legislation).
12.3 With respect to each Sub-processor, the we will, before the Sub-processor first Processes Client Data, ensure that the Sub-processor is capable of providing the level of protection for Client Data required by these Data Processing Terms.
12.4 We will remain fully liable to you in respect of any failure by the Sub-processor to fulfill its data protection obligations in this regard.
13. TERMINATION PROVISIONS
13.1 On any termination of the Agreement for any reason or on the expiry of the Contract Period or the Term:
13.1.1 at the choice of the Client, Occupop will Delete or return all Client Data to the Client and Delete existing copies of such Client Data,unless legally required to store the Client Data for a period of time. If you make no such election within a thirty (30) day period of termination of the Agreement or expiry of the Contract Period or Term, we shall Delete any of the Client Data in our possession, unless legally required to store the Client Data for a period of time; and
13.1.2 if you elect for destruction rather than return of the ClientData under Clause 13.1.1, you agree to, as soon as reasonably practicable, ensure that all Client Data is Deleted from the Occupop System, unless legally required to store the Client Data for a period of time.
13.2 We will provide written confirmation of compliance with Clause 13.1.1 in the form of a letter signed by an authorised representative no later than fourteen (14) days after termination of the Agreement or expiry of the Contract Period or Term.
14.1 We warrant and undertake to you that:
14.1.1 we will Process the Client Data in compliance with the Data Protection Legislation;
14.1.2 we will maintain Appropriate Technical and Organisational Measures against the unauthorised or unlawful Processing of Client Data and against the accidental loss or destruction of, or damage to, Client Data;and
14.1.3 we will discharge our obligations under these Data Processing Terms with all due skill, care and diligence.
14.2 You warrant and undertake to us that:
14.2.1 you have complied with and shall comply with your obligations under Data Protection Legislation;
14.2.2 you have the right to transfer the Client Data to us in accordance with the terms of these Data Processing Terms;
14.2.3 as far as you are aware, the Processing of the Client Data under these Data Processing Terms will not infringe the Intellectual Property Rights of any third party;
14.2.4 the Client Data contains nothing that is defamatory or indecent;
14.2.5 your instructions that are set out in these Data Processing Terms accurately reflect the instructions of the Data Controller to the extent that Occupop is a Data Processor of the Data Controller;
14.2.6 you will ensure appropriate notices are issued to Candidates confirming the processing by Occupop;
14.2.7 you shall not, by act or omission, cause Occupop to violate any Data Protection Legislation, notices provided to, or consents obtained from, Data Subjects as a result of Occupop or its Sub-processors Processing the Client Data; and
15.1 Both parties agree to indemnify each other and keep indemnified and defend at their own expense against all costs, claims, damages or expenses incurred for which either party may become liable due to any failure by one or other employees or agents to comply with any of the obligations under these Data Processing Terms and/or under Data Protection Legislation.
15.2 If any third party makes a claim against us, or notifies an intention to make a claim against us, we shall: (i) give written notice of the claim against Occupop to you as soon as reasonably practicable;(ii) not make any admission of liability in relation to the claim against us without your prior written consent; (iii) at your request and expense, where you have requested to conduct the defense of the claim against us including settlement; and (iv) at your expense, co-operate and assist to a reasonable extent with your defense of the claim against us.
16. LIMITATION OF LIABILITY
16.1 Unless required to do so by the DPC or any other competent supervisory authority or Court, we will not make any payment or any offer of payment to any Data Subject in response to any complaint or any claim for compensation arising from or relating to the Processing of the Client Data,without your prior written agreement.
16.2 You acknowledge and agree that we are reliant on you for direction as to the extent to which we are entitled to use and process the Client Data. Consequently, we will not be liable for any claim brought by a Data Subject arising from any action or omission by us, to the extent that such action or omission resulted directly from your instructions and/or the transactions contemplated by these Data Processing Terms.
17. GOVERNING LAW AND JURISDICTION
17.1 These Data Processing Terms shall be governed by and construed in accordance with the laws of Ireland. Disputes or claims arising in connection with these Data Processing Terms (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the courts of Ireland.