Use of Personal Data
Last Updated: November 2023
1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
As described in Section 2.3 of the DPA.
2. Security of processing
The level of security shall take into account:
The processing involves candidate resumes/CVs, which almost always contain some Data Subject personal data, and job advertisements posted by organizations, which do not contain Data Subject personal data. The data processor shall hereafter be entitled to, and under obligation to, make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller:
As described in Section 3.1 of the DPA.
3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:
Because the data processor does not store or retain any personal data processed, the data processor cannot feasibly assist the data controller in responding to Data Subjects regarding any matter. The data processor is willing to provide any assistance that might be helpful, but given that the data controller, not the data processor, has sole possession of and access to all Data Subject personal data, it is unlikely that the data processor will be able to assist at all.
4. Storage period/erasure procedures
Because there is never any known personal data retained or stored by the data processor, the data processor cannot delete what it never retained or stored.
5. Processing location
Processing of the personal data under the Clauses will be performed in the data center node to which the data controller sends the personal data to be processed.
6. Instruction on the transfer of personal data to third countries
If the data controller does not in the Clauses or subsequently provide documented instructions pertaining to the transfer of personal data to a third country, the data processor shall not be entitled within the framework of the Clauses to perform such transfer.
7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
The data processor shall, upon the data controller’s request, and at the data controller’s expense, obtain a report from an independent third party concerning the data processor's compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
Based on the results of such an audit/inspection, the data controller may request further measures to be taken to ensure compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.