DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement“) is made on March 19, 2018 (“Effective Date“)
1. Customer (“Customer”);
2. PSI (“Supplier”);
- Supplier provides certain testing and test related services (“Services“) to Customer. In connection with the Services, the Parties anticipate that Supplier will process Personal Data on behalf of Customer, the data controller for such Personal Data;
- To the extent that the provision of such Services involves the processing of Personal Data, the Parties have agreed to enter into this Agreement for the purposes of ensuring compliance with the applicable Data Protection Laws (as defined below).
THEREFORE, Parties have agreed as follows:
Terms such as “(sub)process/(sub)processing”, “data subject”, “data processor, “data controller”, “personal data breach”, “data protection impact assessment”, “appropriate technical and organisational measures”, “recipient” shall have the same meaning ascribed to them in the Data Protection Laws;
“Authorized Subprocessors” means (a) those Subprocessors set out at https://www.psionline.com/privacy-policy (Authorised Subprocessors); and (b) any additional Subprocessors consented to in writing by Customer in accordance with section 5.1;
“Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Main Agreement, the EU Data Protection Directive 95/46/EC until 25 May 2018 and the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on and from 25 May 2018, in each case together with all laws implementing or supplementing the same and any other applicable data protection or privacy laws;
“EEA” means the European Economic Area;
“Parties” means all signatories to this Agreement.
“Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data, as that term is defined in Data Protection Laws, processed by Supplier or any Subprocessor on behalf of Customer;
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
“Subprocessor” means any data processor (including any third party and any affiliated company) appointed by Supplier to process personal data on behalf of Customer; and
“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
PROCESSING OF THE PERSONAL DATA
Supplier shall process the Personal Data relating to the categories of data subjects for the purposes set forth in this Agreement, which are enumerated in Annex 1 (Details of Processing of Personal Data) to this Agreement. Supplier shall not process, transfer, modify, amend or alter the Personal Data, or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with Customer’s documented instructions (whether in the Agreement or otherwise) except as otherwise required by applicable EU law to which Supplier is subject, in which case Supplier shall, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data.
For the purposes set out in section 2.1. above, Customer hereby instructs Supplier to transfer Personal Data to the recipients in the countries listed at https://www.psionline.com/privacy-policy (Authorised Transfers of Personal Data) provided that Supplier shall comply with section 3 (Subprocessing) and 11 (International Transfers of Personal Data).
Supplier shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Supplier shall implement appropriate technical and organizational measures designed to ensure a level of security of the Personal Data appropriate to the risk and in accordance with Article 32 of the GDPR. Supplier shall assess and evaluate the effectiveness of such measures, as needed, and shall update as applicable, in accordance with Article 32 of the GDPR.
As at the Effective Date, Customer hereby authorizes Supplier to engage those Subprocessors set out athttps://www.psionline.com/privacy-policy.
Authorised Subprocessors. Supplier shall update such list by providing notice to Customer at https://www.psionline.com/privacy-policy. Customer shall be deemed to have consented to such additional or changed subprocessor if Customer does not object within ten (10) calendar days of the date of such notice
With respect to each Subprocessor, Supplier shall (i) provide Customer with full details of the processing to be undertaken by each Subprocessor; and (ii) include terms in the contract between Supplier and each Subprocessor that are equivalent to those set out in this Agreement.
DATA SUBJECT RIGHTS
Supplier shall notify Customer within ten (10) calendar days if it receives a data subject access request, including requests by a data subject to exercise rights in chapter III GDPR, and shall provide full details of that request.
Supplier shall fully co‑operate as requested by Customer to enable Customer to comply with any exercise of rights by a data subject under Chapter III GDPR regarding Personal Data.
Supplier shall notify Customer immediately, and in any case within forty-eight (48) hours, upon becoming aware of a personal data breach. Such notification shall, to the extent known within the notification window: (i) describe the nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects, and the categories and approximate number of personal data records concerned; (ii) the name and contact details of a contact person at Supplier who can provide additional information; (iii) describe, to the extent known, the likely consequences of such personal data breach; and (iv) describe proposed mitigation efforts, as applicable.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Supplier shall provide reasonable assistance to Customer with any data protection impact assessments that are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of Customer or any of its affiliates that are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Supplier on behalf of Customer and taking into account the nature of the processing and information available to Supplier.
DELETION OR RETURN OF CUSTOMER PERSONAL DATA
Supplier shall promptly, and in any event within 20 (twenty) days of the earlier of: (i) cessation of processing of Personal Data by Supplier; or (ii) termination of the Main Agreement, at the choice of Customer either, unless required by applicable EU law: (i) return Personal Data to Customer and securely wipe all other copies of Personal Data processed by Supplier or any Authorised Subprocessor; or (ii) securely wipe all copies of Personal Data processed by Supplier or any Authorised Subprocessor.
Supplier shall make available to Customer on request all information necessary to demonstrate compliance with Data Protection Laws and this Agreement and allow for and contribute to audits, including inspections by Customer or another auditor mandated by Customer of any premises where the processing of Personal Data takes place. Supplier shall permit Customer or another auditor mandated by Customer to inspect, audit and copy any relevant records, processes and systems in order that Customer may satisfy itself that Supplier is in compliance with the Data Protection Laws and this Agreement.
INTERNATIONAL TRANSFERS OF CUSTOMER PERSONAL DATA
Supplier shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Subprocessor to (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection as defined in Data Protection Laws other than in respect of those recipients in such countries listed at https://www.psionline.com/privacy-policy (Authorised Transfers of Personal Data), unless authorised in writing by Customer in advance.
Supplier has certified to the EU-US Privacy Shield Program and shall process Customer Data in the United States. When requested by Customer, and to the extent required by applicable Data Protection Laws, Supplier shall promptly enter into (or procure that any relevant Subprocessor of Supplier enters into) an applicable agreement for data transfer such as the Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the European Economic Area without an adequate level of protection.
In the event of conflict between this Agreement and any other agreement between the Parties, the terms of this Agreement will prevail.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data
- Personal data related to Data Subjects for whom Supplier is conducting testing or testing related service at the request of Customer.
- The personal data shall only be held for the length of services contracted by or otherwise requested by Customer except as otherwise required by Data Protection Laws or applicable EU law.
The nature and purpose of the processing of Personal Data
- Processing of data subjects’ data for the purpose of testing or testing related service provided by Supplier at the request of Customer.
The types of Personal Data to be processed
- The types of personal information that PSI may collect in order to provide its services include, but are not limited to: (1) name; (2) address; (3) email address; (4) telephone number; (5) payment card information; (6) scoring, ranking, and assessment data; (7) psychometric test respondent data; (8) Photo ID and (9) and any other information generated from such personal information as a result of PSI providing its services.
The categories of data subject to whom the Personal Data relates
- Testing candidates, which may include Customer’s employees, prospective employees, and other individuals at the direction of the Customer
The obligations and rights of Customer additional to the obligations and rights set out in the Agreement
- Any rights provided for by Data Protection Laws