Data Processing Agreement

Here you can see the data processing agreement that forms the basis for processing personal data when you are a customer of Elvium.
(The data processor agreement is sent for electronic signature when the main agreement has been signed and approved.)

Supplement to main agreement

Between 

The data controller:

CVR

Address

ZIP code and city

Denmark

The data processor

Elvium ApS

CVR 34709459

Flæsketorvet 68

1711 Copenhagen V

Denmark

Background of the data processing agreement

  1. This agreement sets out the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.
  2. The agreement is designed for the purposes of the parties’ compliance with Article 28 (1). 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation), which sets specific requirements for the content of a data processing
  3. The data processor’s processing of personal data takes place with the purpose to fulfill the parties’ “main agreement”.
  4. The data processing agreement and the “main agreement” are interdependent and cannot be terminated separately. However, the data processing agreement can – without terminating the “main agreement” – be replaced by another valid data processing
  5. This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including in the “main agreement”.
  6. There are three annexes to this agreement. The appendices function as an integral part of the data processor agreement.
  7. Appendix A of the data processing agreement contains further information about the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects, and the duration of the processing.
  8. Appendix B to the data processing agreement contains the data controller’s conditions for the data processor to make use of any sub-data processors, as well as a list of any sub-data processors that the data controller has approved.
  9. Appendix C of the data processing agreement contains further instructions on what processing the data processor must carry out on behalf of the data controller (subject of the processing), which security measures must be observed as a minimum, and how the data processor and any sub-data processors are supervised.
  10. The data processing agreement and associated appendices are kept in writing, including electronically by both parties.
  11. This data processing agreement does not release the data processor from obligations which, directly under the Data Protection Regulation or any other legislation, are directly imposed on the data processor.

Obligations and rights of the data controller

  1. The data controller is responsible to the outside world (including the data subject) as a starting point for the processing of personal data within the framework of the Data Protection Regulation and the Data Protection Act.
  2. The data controller therefore has both the rights and the obligations to make decisions about the purposes and with which aids may be processed.
  3. The data controller is, among other things, responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to carry out.

The data processor acts according to instructions

  1. The data processor may only process personal data in accordance with documented instructions from the data controller, unless required by EU law or the national law of the Member States to which the data processor is subject; in that case, the data processor shall inform the data controller of this legal requirement before processing, unless the court in question prohibits such notification for reasons of important societal interests, cf. art. 28, subsection 3, letter a.
  2. The data controller shall immediately inform the data controller if, in the data controller’s opinion, an instruction is in breach of the Data Protection Regulation or data protection provisions of other Union law or the national law of the Member States.

Confidentiality

  1. The data processor ensures that only those persons who are currently authorized have access to the personal data that is processed on behalf of the data controller. Access to the information must therefore be shut down immediately if the authorization is revoked or expires.
  2. Only persons for whom it is necessary to have access to the personal data in order to be able to fulfill the data processor’s obligations to the data controller may be authorized.
  3. The data processor ensures that the persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

 

The data processor must, at the request of the data controller, be able to demonstrate that the relevant employees are subject to the above-mentioned duty of confidentiality.

Treatment safety

  1. The Data Processor shall take all necessary measures in accordance with Article 32 of the Data Protection Regulation. It is clear that, taking the current level into account, implementation costs and the nature, scope, coherence and purpose of the treatment in question, as well as the risks of varying probability and seriousness to the rights and freedoms of natural persons, appropriate technical and organizational measures must be taken to ensure a level of security suitable for these risks.
  2. The above obligation implies that the data processor must make a risk assessment, and then implement measures to address identified risks. These may include, if relevant, the following measures:
     a. Pseudonymization and encryption of personal information
     b. Ability to ensure lasting confidentiality, integrity, availability and robustness of treatment systems and services
     c. Ability to timely restore the availability of and access to personal data in the event of a physical or technical incident
     d. A procedure for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure treatment safety
  3. In connection with the above – in all cases – the data processor shall, as a minimum, implement the level of security and the measures specified in more detail in Annex C to this Agreement.
  4. The parties’ possible regulation/agreement on remuneration or similar in connection with the data controller’s or data processor’s subsequent request for the establishment of additional security measures will appear from the parties’ “main agreement” or from Annex D to this agreement.

Use of sub-processors

  1. The data processor must meet the conditions set out in Article 28 (1) of the Data Protection Regulation, 2 and 4, to make use of another data processor (sub-data processor).
  2. Thus, the data processor may not make use of another data processor (sub-data processor) to fulfill the data processor agreement without prior specific or general written approval from the data controller.
  3. In the case of general written approval, the data controller shall notify the data controller of any planned changes regarding the addition or replacement of other data processors and thereby give the data controller the opportunity to object to such changes.
  4. The data controller’s detailed conditions for the data processor’s use of any sub-data processors are set out in Appendix B to this agreement.
  5. The data controller’s possible approval of specific sub-processors is set out in Annex B to this Agreement.
  6. Where the data processor has the data controller’s authorization to use a sub-data processor, the data processor shall impose on the sub-data processor the same data protection obligations as those set out in this data processor agreement, through a contract or other legal document under EU or national law, in particular providing the necessary guarantees that the sub-processor will implement the appropriate technical and organizational measures in such a way that the processing complies with the requirements of the Data Protection Regulation. The data processor is thus responsible for – through the conclusion of a sub-data processing agreement – imposing on any sub-data processor at least the obligations to which the data processor itself is subject according to the data protection rules and this data processing agreement with associated annexes.
  7. The sub-processing agreement and any subsequent amendments thereto are sent – at the request of the data controller – in copy to the data controller, who thereby has the opportunity to ensure that a valid agreement has been entered into between the data processor and the sub-processor. Any commercial terms, such as prices, that do not affect the data protection content of the sub-data processor agreement, should not be sent to the data controller.
  8. The data processor shall, if possible, include in its agreement with relevant sub-processors the data controller as a beneficiary third party in the event of the data processor’s bankruptcy, so that the data controller can intervene in the data processor’s rights and enforce them against the sub-processor, e.g. so that the data controller can instruct the sub-processor to delete or return information.
  9. If the sub-data processor does not fulfill its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-data processor’s obligations.

Transfer of information to third countries or international organizations

  1. The data processor may only process personal data in accordance with documented instructions from the data controller, including transfer (transfer, disclosure and internal use) of personal data to third countries or international organizations, unless it is required by EU law or national law which the data processor is subject to; in that case, the data processor shall inform the data controller of this legal requirement before processing, unless the court in question prohibits such notification for reasons of important societal interests, cf. art. 28, subsection 3, letter a.
  2. Without the data controller’s instructions or approval, the data processor may – within the framework of the data processing agreement – therefore not:
     a. pass on the personal data to a data controller in a third country or in an international organization,
     b. leave the processing of personal data to a sub-processor in a third country,
     c. have the information processed in another of the data processor’s departments located in a third country.
  3. Any instructions or approval of the data controller to transfer personal data to a third country will be set out in Annex C to this Agreement.

Assistance to the data controller

  1. The data processor shall, taking into account the nature of the processing, assist the Data Controller as far as possible by appropriate technical and organizational measures, in complying with the Data Controller’s obligation to respond to requests for the exercise of data subjects’ rights as set out in Chapter 3 of the Data Protection Regulation. The data processor shall, as far as possible, assist the data controller as the data controller is ensuring compliance with:
     a. the duty to provide information when collecting personal data from the data subject
     b. the duty to provide information if personal data has not been collected from the data subject
     c. the data subject’s right of access
     d. the right to rectification
     e. the right to erasure (‘the right to be forgotten’)
     f. the right to restrict treatment
     g. duty to notify in connection with the correction or deletion of personal data or restriction of processing
     h. the right to data portability
     i. the right to object
     j. the right to object to the result of automatic individual decisions, including profiling
  2. The data processor shall assist the data controller in ensuring compliance with the data controller’s obligations under Articles 32 to 36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28 (2). 3, letter f. This implies that the data processor, taking into account the nature of the processing, shall, as far as possible, assist the data controller as the data controller is ensuring compliance with:
     a. the obligation to implement appropriate technical and organizational measures to ensure a level of safety appropriate to the risks associated with the processing;
     b. the obligation to report breaches of personal data security to the supervisory authority (Datatilsynet) without undue delay and if possible within 72 hours after the data controller has become aware of the breach, unless it is unlikely that the breach of personal data security poses a risk to the rights of natural persons or freedoms.
     c. the obligation to notify the data subject(s) without undue delay of a breach of personal data security when such breach is likely to involve a high risk to the rights and freedoms of natural persons;
     d. the obligation to carry out an impact assessment on data protection if a type of processing is likely to involve a high risk to the rights and freedoms of natural persons;
     e. the obligation to consult the supervisory authority (Datatilsynet) before processing, if an impact assessment concerning data protection shows that the processing will lead to a high risk in the absence of measures taken by the data controller to limit the risk;
  3. The parties’ possible regulation/agreement on remuneration or the like in connection with the data processor’s assistance to the data controller will appear from the parties’ “main agreement”.

Notification of breaches of personal data security

  1. The data processor shall notify the data controller without undue delay after becoming aware that there has been a breach of the data processor’s personal data or any sub-data processor. Data controllers have the opportunity to comply with their possible obligation to report the breach to the supervisory authority within 72 hours.
  2. In accordance with point 9.2 (b) of this agreement, the data processor shall – taking into account the nature of the processing and the information available to it – assist the data controller in notifying the breach to the supervisory authority. This may mean that the data processor i.a. shall assist in providing the following information which, in accordance with Article 33 (2) of the Data Protection Regulation, 3, must appear from the data controller’s notification to the supervisory authority:

  1. The nature of the breach of personal data security, including, if possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data recordings concerned
  2. Likely consequences of the breach of personal data security
  3. Measures taken or proposed to be taken to deal with the breach of personal data security, including, where appropriate, measures to limit its potential harmful effects

Deletion and return of information

  1. Upon termination of the processing services, the data processor is obliged, at the choice of the data controller, to delete or return all personal data to the data controller, as well as to delete existing copies, unless EU law or national law prescribes the storage of personal data.

Supervision and audit

  1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate the Data Controller’s compliance with Article 28 of the Data Protection Regulation and this Agreement and shall enable and contribute to audits, including inspections carried out by the Data Controller or another auditor who is authorized by the data controller.
  2. The detailed procedure for the data controller’s supervision of the data processor is set out in Appendix C to this agreement.
  3. The data controller’s supervision of any sub-data processors generally takes place through the data processor. The detailed procedure for this is set out in Appendix C to this a
  4. The data processor is obliged to give authorities who, in accordance with the legislation in force at any given time, have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of the authority, access to the data processor’s physical facilities against proper identification.

The parties’ agreements on other matters

  1. Any (special) regulation of the consequences of the parties’ breach of the data processing agreement will appear from the parties’ “main agreement”.
  2. Any regulation of other relations between the parties will appear from the parties’ “main agreement”.

Entry into force and termination

  1. This agreement shall enter into force upon signature by both p
  2. The agreement may be required to be renegotiated by both parties if changes in the law or inconveniences in the agreement give rise to this.
  3. The parties’ possible regulation/agreement on remuneration, conditions or the like in connection with amendments to this agreement will appear from the parties’ “main agreement”.
  4. Termination of the data processing agreement can take place in accordance with the termination terms, incl. notice of termination, which appears in the “main agreement”.
  5. The agreement is valid as long as the treatment lasts. Notwithstanding the termination of the “main agreement” and/or the data processing agreement, the data processing agreement will remain in force until the termination of the processing and the deletion of the information by the data processor and any sub-data processors.
  6. Signature

On behalf of the data controller

 

Name:

Position:

Date:

Signature:

 

Name: Jesper Andersen

Position: CEO

Date:

Signature:

 

On behalf of the data processor

Contact persons / contact points at the data controller and the data processor

  1. The parties can contact each other via the following contact persons / contact points:
  2. The parties are obliged to keep each other informed of changes regarding the contact person / contact point.

Name:

Position:

Telephone:

Email:

 

Name: Jesper Andersen

Position: CEO

Phone: +45 71 99 28 60

Email: info@elvium.com

Appendix A – Information on treatment

The purpose of the data processor’s processing of personal data on behalf of the data controller is:

The data controller uses the data processor’s recruitment system to collect and process information about candidates for employment with the data controller.

When the data controller uses the data processor’s recruitment system, it is solely the data controller who decides for what purpose and with what aids the personal data registered in connection with the use of the recruitment system may be processed.

 

The data processor’s processing of personal data on behalf of the data controller is primarily about (the nature of the processing):

The data processor makes its recruitment system available to the data controller and thereby stores personal information about candidates.

The processing of applications thus includes automatic e-mail responses to candidates (receipt, rejection and summons), objective sorting of all incoming applicants in relation to the specific requirements of the position and the questions posed by the data controller, booking job interviews, video recruitment (if purchased) and candidate database as well as imports of other possible candidates.

The personal information that the data controller has access to is information about applicants (candidates) that the candidates themselves have entered or attached to the recruitment system and have made available to the data controller.

In the case of the import of personal data about candidates in the recruitment system who have not entered data themselves, it is the data controller’s responsibility to comply with the duty to provide information in relation to these candidates.

The data controller has the full responsibility for the processing of the personal data that is transferred to and processed in the data controller’s own organization and own systems and for any disclosure of personal data to third parties.

 

The processing includes the following types of personal information about the data subjects:

Personal information that is processed includes information that is part of recruitment, including typically but not limited to:

Name, e-mail address, telephone number, address, civil registration number, age, gender, current workplace, competencies, education, etc.

 

The processing includes the following categories of data subjects:

The personal information that the data controller has access to is information about applicants (candidates) that the candidates themselves have entered or attached to the recruitment system and have made available to the data controller. In the case of the import of personal data about candidates in the recruitment system who have not entered data themselves, it is the data controller’s responsibility to comply with the duty to provide information in relation to these candidates. The data controller has the full responsibility for the processing of the personal data that is transferred to and processed in the data controller’s own organization and own systems and for any disclosure of personal data to third parties.

 

The data processor’s processing of personal data on behalf of the data controller may commence after the entry into force of this agreement. The treatment has the following duration:

The processing is not limited in time and lasts until the agreement is terminated or terminated by one of the parties. Upon termination of subscription, the data processor deletes all personal information related to the data controller’s use of the recruitment system.

Appendix B – Conditions for the data processor’s use of sub-processors and list of approved sub-processors

B.1 – Conditions for the data processor’s use of any sub-data processors

The data processor has the data controller’s general approval to make use of sub-data processors. However, the data controller shall notify the data controller of any planned changes regarding the addition or replacement of other data processors and thereby give the data controller the opportunity to object to such changes. Such notification must be received by the data controller at least 1 month before the application or change is to take effect. If the data controller has objections to the changes, the data controller must notify the data processor within 30 days of receipt of the notification. The data controller can only object if the data controller has reasonable, concrete reasons for this. The data processor may, for operational reasons, have been forced to shorten this deadline.

If the data controller does not object within the stipulated time limit, the notified changes are considered to have been approved.

If the data controller cannot recognize a new sub-data processor, the subscription is considered canceled – and thus the main agreement as terminated. However, regardless of the cancellation, the data controller is obliged to pay for the service and use of the software until the time at which the data controller could have terminated the subscription at the earliest.

B.2 – Approved sub-processors

Upon the entry into force of the data processor agreement, the data controller has approved the use of the following sub-data processors: (name, description of processing)

  • Sendgrid

    https://sendgrid.com (US)
    Email gateway ensuring high deliverability of emails to system users.
    Transfer of standard personal data to third country – USA:
    A candidate’s email address is stored in an accessible log for 30 days after the Data Processor has emailed the candidate.
    Standard Contractual Clauses (SCC)
 
  • Zendesk

    Processing customer and candidate support. Transfer of standard personal data to third country – USA:
    A small section of data, including personal data, from the Data Processor’s support ticket system.
    Standard Contractual Clauses (SCC)

  • Ziggio

    Processing of video files, conversion of video, storage of video, playing of video.

The Data Controller shall upon the commencement of this Data Processing Agreement specifically approve the use of the above sub-processors for the processing described for that party. The Data Processor shall not be entitled – without the Data Controller’s explicit written consent – to engage a sub-processor for “different” processing than the one that has been agreed.

Appendix C – Instructions regarding the processing of personal data

C.1 – Object / instruction of treatment

The data processor’s processing of personal data on behalf of the data controller takes place by the data processor performing the following:

The data processor makes a recruitment system available to the data controller, where there can be performed tasks of the following nature, but not limited to:

  • Create job ads
  • Publish job ads
  • Receive consent for processing data in connection with recruitment
  • Receive applications (documents, video, photos, etc.)
  • Sort and rank applications
  • Send emails to candidates
  • Communicate with candidates
  • Import candidates and notify them (notification obligation)
  • Invite candidates
  • Hire and onboard graduates
  • Delete candidates within the right time

 

C.2 – Treatment safety

The level of security must reflect:

The data processor secures the personal data via technical and organizational security measures that comply with the Data Protection Regulation’s requirements for security and protection of the data subject’s (candidate’s) rights.

All data handled in the data processor’s software is stored and processed without access by unauthorized persons at the ISO 27001 certified hosting center, cf. Appendix B above under point B.2. The high level of data processing security is documented by certificates and authorized declarations that can be delivered to the data controller on request.

All pages run on SSL encrypted web pages (https).

The data controller is responsible for ensuring that the data controller’s users process information in the system correctly and confidentially. The data controller and the users are obliged to keep their usernames and passwords secret, and their misuse of access to the system is beyond the control of the data processor. If the data controller or a user loses their username/password, or there is a risk that these have come to the knowledge of unauthorized persons, they can be changed by contacting the data processor.

 

C.3 – Storage period / deletion routine

The personal information is stored with the data processor until the data controller requests that the information is deleted or returned.

Upon termination of subscription, the data processor deletes all personal information related to the data controller’s use of the recruitment system.

 

C.4 – Locality for treatment

The processing of the personal data covered by the agreement cannot be done without the data controller’s prior written consent at locations other than the following:

  • EU / EEA

 

C.5 – Instructions or approval regarding the transfer of personal data to third countries

If the data controller has not specified in this section or by a subsequent written notice an instruction or approval regarding the transfer of personal data to a third country, the data processor may not make such a transfer within the framework of the data processor agreement.

The table above under Annex B.2 shows who processes and where personal data is processed outside the EU / EEA area.

 

The data controller has thus granted approval for the transfer of personal data to third countries.

C.6 – Procedures for the data controller’s supervision of the processing carried out by the data processor and sub-data processors

The entire application is hosted by Amazon Web Services which is ISO 27001 certified.

In addition, the data controller or a representative of the data controller has access to supervise, including physical supervision, with the data processor when, in the data controller’s assessment, a need arises. The costs of the data controller in connection with a physical inspection are borne by the data controller himself. However, the data processor is obliged to set aside the resources (mainly the time) necessary for the data controller to carry out his/her supervision.