Data processing agreement

Here you can see the data processing agreement that forms the basis for the processing of personal data when you are a customer of Elvium.
(The Data Processing Agreement will be sent for electronic signature once the Master Agreement has been signed and approved.)

Addendum to the main agreement

Data processing agreement

Data controller

Company x
CVR x
Address line
Postal code and city
Denmark

Data processor

Elvium ApS
CVR 34709459
Flæsketorvet 68
1711 Copenhagen V
Denmark

1. Table of contents

2. Background to the data processing agreement

  1. This agreement sets out the rights and obligations that apply when the processor processes personal data on behalf of the controller.

  2. The agreement is designed for the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.

  3. The Data Processor's processing of personal data takes place in order to fulfill the parties' "main agreement".

  4. The Data Processing Agreement and the "main agreement" are interdependent and cannot be terminated separately. However, the Data Processing Agreement may - without terminating the "main agreement" - be replaced by another valid data processing agreement, see section 14 of the Data Processing Agreement.

  5. This Data Processing Agreement takes precedence over any similar provisions in other agreements between the parties, including the "Master Agreement".

  6. There are three appendices to this agreement. The annexes function as an integral part of the Data Processing Agreement.

  7. Appendix A of the Data Processing Agreement contains details of the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

  8. Appendix B of the Data Processing Agreement contains the data controller's conditions for the data processor to use any sub-processors, as well as a list of any sub-processors approved by the data controller.

  9. Appendix C of the Data Processing Agreement contains detailed instructions on what processing the data processor must carry out on behalf of the data controller (the subject of the processing), the minimum security measures to be observed, and how the data processor and any sub-processors are supervised.

  10. The Data Processing Agreement and associated appendices are stored in writing, including electronically by both parties.

  11. This data processing agreement does not release the data processor from obligations directly imposed on the data processor by the General Data Protection Regulation or any other legislation.

  12. This data processing agreement is based on the data processing agreement prepared by the Danish Data Protection Agency, but contains several deviations from the Danish Data Protection Agency's template.

3. Obligations and rights of the controller

  1. The data controller is generally responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Data Protection Act.

  2. The controller therefore has both the rights and the obligations to make decisions about the purposes and means of processing.

  3. Among other things, the controller is responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.

4. The data processor acts on instructions

  1. The processor shall process personal data only on documented instructions from the controller, unless required by Union or Member State law to which the processor is subject, in which case the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such information for reasons of important public interest, cf. Article 28(3)(a).

  2. The data processor shall immediately inform the data controller if, in the opinion of the data processor, an instruction is contrary to the GDPR or data protection provisions of other EU or Member State law.

5. Confidentiality

  1. The data processor shall ensure that only authorized persons have access to the personal data processed on behalf of the controller. Access to the data must therefore be shut down immediately if the authorization is revoked or expires.

  2. Only persons who need access to the personal data in order to fulfill the data processor's obligations to the data controller may be authorized.

  3. The processor shall ensure that the persons authorized to process personal data on behalf of the controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

  4. At the request of the controller, the data processor must be able to demonstrate that the relevant employees are subject to the above obligation of confidentiality.

6. Security of processing

  1. The Data Processor shall implement all measures required under Article 32 of the General Data Protection Regulation, which states, inter alia, that appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risks, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

  2. The above obligation means that the data processor must carry out a risk assessment and then implement measures to counteract identified risks. This may include, depending on what is relevant, the following measures, among others:

    a. Pseudonymization and encryption of personal data

    b. Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident

    c. Ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services

    d. A procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing


  3. In connection with the above, the Data Processor shall - in all cases - as a minimum implement the security level and measures specified in more detail in Appendix C of this Agreement.

  4. In addition, the processor shall assist the controller in its compliance with the controller's obligation under Article 32 of the Regulation by, inter alia, providing the controller with the necessary information regarding the technical and organizational security measures already implemented by the processor pursuant to Article 32 of the Regulation and any other information necessary for the controller to comply with its obligation under Article 32 of the Regulation.

  5. Any regulation/agreement between the parties on remuneration or similar in connection with the data controller's or data processor's subsequent requirement to establish additional security measures will appear from the parties' "main agreement".

7. Use of sub-processors

  1. The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR to use another data processor (sub-processor).

  2. The data processor may thus not use another data processor (sub-processor) to fulfill the data processing agreement without prior specific or general written approval from the data controller.

  3. In the case of general written authorization, the processor shall notify the controller of any planned changes regarding the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

  4. The data controller's detailed conditions for the data processor's use of any sub-processors appear in Appendix B of this agreement.

  5. The Controller's approval of specific sub-processors, if any, is set out in Annex B of this Agreement.

  6. When the data processor has the data controller's approval to use a sub-processor, the data processor shall ensure that it imposes the same data protection obligations on the sub-processor as those set out in this data processing agreement, through a contract or other legal document under EU or Member State law, in particular by providing the necessary guarantees that the sub-processor will implement the appropriate technical and organizational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.

    The data processor is thus responsible for - through the conclusion of a sub-processor agreement - imposing on any sub-processor at least the obligations that the data processor itself is subject to under the data protection rules and this data processing agreement with associated annexes.


  7. The sub-processor agreement and any subsequent amendments thereto shall - at the request of the data controller - be sent in copy to the data controller, which thereby has the opportunity to ensure that a valid agreement has been concluded between the data processor and the sub-processor. Any commercial terms, such as prices, which do not affect the data protection law content of the sub-processor agreement shall not be sent to the data controller.

  8. The processor shall, where possible, include the controller as a third party beneficiary in its agreement with relevant sub-processors in the event of bankruptcy of the processor, so that the controller can subrogate to the rights of the processor and enforce them against the sub-processor, for example, so that the controller can instruct the sub-processor to perform erasure or return of data.

  9. If the sub-processor does not fulfill its data protection obligations, the processor remains fully liable to the controller for the fulfillment of the sub-processor's obligations.

8. Transfer of data to third countries or international organizations

  1. The processor shall only process personal data on the documented instructions of the controller, including as regards the transfer (assignment, disclosure and internal use) of personal data to third countries or international organizations, unless required by Union or Member State law to which the processor is subject, in which case the processor shall inform the controller of this legal requirement prior to processing, unless that law prohibits such notification for reasons of important public interest, see Article 28(3)(a).

  2. Without the data controller's instructions or approval, the data processor may therefore - within the framework of the data processing agreement - not:

    a. disclose the personal data to a data controller in a third country or in an international organization
    b. entrust the processing of personal data to a sub-processor in a third country
    c. have the data processed in another department of the data processor located in a third country.

  3. The Controller's instructions or approval, if any, for the transfer of personal data to a third country will be set out in Annex C of this Agreement.

  4. These Clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR and these Clauses shall not constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.

9. Assistance to the controller

  1. The data processor shall, taking into account the nature of the processing, assist the controller as far as possible, using appropriate technical and organizational measures, in fulfilling the controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter 3 of the GDPR. This means that the data processor shall assist the controller as far as possible in ensuring compliance with:

    a. the obligation to provide information when collecting personal data from the data subject
    b. the obligation to provide information if personal data has not been collected from the data subject
    c. the data subject's right of access
    d. the right to rectification
    e. the right to erasure ("right to be forgotten")
    f. the right to restriction of processing
    g. the right to be informed in connection with rectification or erasure of personal data or restriction of processing
    h. the right to data portability
    i. the right to object
    j. the right to object to the result of automated individual decisions, including profiling

  2. The data processor shall assist the data controller, in addition to the data processor's obligations under Clause 6.3, in ensuring compliance with the data controller's obligations pursuant to Articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28(3)(f). This means that the data processor, taking into account the nature of the processing, shall assist the data controller in connection with the data controller ensuring compliance with:

    a. the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing in accordance with Article 32 of the GDPR


    b. the obligation to notify a personal data breach to the supervisory authority (the Danish Data Protection Agency) without undue delay and, where feasible, no later than 72 hours after the controller has become aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

    c. the obligation to notify - without undue delay - the data subject(s) of a personal data breach where such a breach is likely to result in a high risk to the rights and freedoms of natural persons

    d. the obligation to carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons

    e. the obligation to consult the supervisory authority (Data Protection Authority) prior to processing where a data protection impact assessment shows that the processing is likely to result in a high risk in the absence of measures taken by the controller to mitigate the risk

  3. Any regulation/agreement between the parties on remuneration or similar in connection with the data processor's assistance to the data controller will appear from the parties' "main agreement".

  4. The parties shall specify in Annex C the necessary technical and organizational measures with which the data processor shall assist the data controller, and to what extent. This applies to the obligations arising from Clauses 9.1 and 9.2.

10. Personal data breach notification

  1. The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred at the data processor or any sub-processor.
    The data processor's notification to the data controller shall, if possible, take place immediately after becoming aware of the breach so that the data controller has the opportunity to comply with any obligation to report the breach to the supervisory authority within 72 hours.

  2. In accordance with Clause 9.2(b) of this agreement, the data processor shall - taking into account the nature of the processing and the information available to it - assist the data controller in the notification of the breach to the supervisory authority.
    This may mean that the data processor must, inter alia, assist in providing the following information, which under Article 33(3) of the Data Protection Regulation must be included in the controller's notification to the supervisory authority:

    a. The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected

    b. Likely consequences of the personal data breach

    c. Measures taken or proposed to be taken to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects

11. Erasure and return of data

  1. Upon termination of the processing services, the processor is obliged, at the choice of the controller, to delete or return all personal data to the controller and to delete existing copies, unless EU or national law provides for the storage of the personal data.

12. Supervision and auditing

  1. The data processor shall make available to the data controller all information necessary to demonstrate the data processor's compliance with Article 28 of the General Data Protection Regulation and this agreement and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

  2. The detailed procedure for the data controller's supervision of the data processor is set out in Appendix C of this agreement.

  3. The data controller's supervision of any sub-processors is generally carried out through the data processor. The detailed procedure for this is set out in Appendix C of this agreement.

  4. The data processor shall be obliged to grant authorities that have access to the data controller's and data processor's facilities under the legislation in force at any time, or representatives acting on behalf of the authority, access to the data processor's physical facilities against proper identification.

13. Agreements between the parties on other matters

  1. Any (special) regulation of the consequences of the parties' breach of the data processing agreement will be stated in the parties' "main agreement".

  2. Any regulation of other matters between the parties will be set out in the parties' "main agreement".

  3. The provisions of this data processing agreement will not directly or indirectly contravene the provisions of the General Data Protection Regulation or impair the fundamental rights and freedoms of the data subject under it.

14. Entry into force and termination

  1. This Agreement shall enter into force upon signature by both parties.

  2. The agreement may be renegotiated by either party if changes in legislation or inappropriateness in the agreement give rise to this.

  3. Any regulation/agreement between the parties regarding remuneration, conditions or similar in connection with changes to this agreement will appear from the parties' "main agreement".

  4. The data processing agreement may be terminated in accordance with the terms of termination, including notice of termination, stated in the "main agreement".

  5. The agreement is valid as long as the processing continues. Regardless of the termination of the "main agreement" and/or the data processing agreement, the data processing agreement will remain in force until the end of the processing and the deletion of the data by the data processor and any sub-processors.

  6. Signatures

On behalf of the data controller

On behalf of the data processor

Jesper Andersen
CEO
Date xx/xx xxxx

15. Contact persons/contact points at the controller and processor

  1. The parties can contact each other via the contact persons/contact points below:

  2. The parties are obliged to keep each other informed of changes regarding the contact person/contact point.

On behalf of the data controller

On behalf of the data processor

Jesper Andersen
CEO
(+45) 7199 2860
ja@elvium.com

Appendix A Information about the processing

The purpose of the data processor's processing of personal data on behalf of the data controller is:

The Controller uses the Processor's recruitment system to collect and process information about candidates for employment with the Controller and/or with the Controller's customers if the Controller provides recruitment services.

When the controller uses the data processor's recruitment system, it is solely the controller who decides for what purpose and with what means the personal data recorded in connection with the use of the recruitment system may be processed.

The Data Processor's processing of personal data on behalf of the Data Controller primarily concerns (the nature of the processing):
The Data Processor makes its recruitment system available to the Data Controller and thereby stores personal data about candidates.

The processing of applications thus includes automatic email responses to candidates (acknowledgement, rejection and invitation), objective sorting of all incoming applicants according to the specific requirements of the position and the questions set by the controller, booking of job interviews, video recruitment (if purchased) and candidate database and import of other possible candidates.

The personal data to which the controller has access is information about applicants (candidates) that the candidates themselves have entered or attached in the recruitment system and have made available to the controller.


The processing includes the following types of personal data of the data subjects:

Personal data processed includes information included in recruitment, including typically but not limited to: Name, e-mail address, telephone number, address, social security number, age, gender, current workplace, skills, education, etc.


The processing includes the following categories of data subjects:

The personal data to which the data controller has access is information about applicants (candidates) that the candidates themselves have entered or attached in the recruitment system and have made available to the data controller. In case of importing personal data of candidates in the recruitment system who have not entered data themselves, it is the data controller's responsibility to comply with the duty of disclosure in relation to these candidates. The controller is fully responsible for the processing of the personal data transferred to and processed in the controller's own organization and systems and for any disclosure of personal data to third parties.


The Data Processor's processing of personal data on behalf of the Data Controller may commence after the entry into force of this agreement. The duration of the processing is as follows:
The processing is not limited in time and lasts until the agreement expires or is terminated by one of the parties. Upon expiry of the Main Agreement, the data processor deletes all personal data related to the data controller's use of the recruitment system.

Appendix B Conditions for the data processor's use of sub-processors and list of approved sub-processors

B.1 Conditions for the data processor's use of any sub-processors

The data processor has the data controller's general approval to use sub-processors. However, the Data Processor shall notify the Data Controller of any planned changes regarding the addition or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification must be received by the data controller at least one month before the use or change is to take effect. If the controller objects to the changes, the controller shall notify the data processor within 30 days of receipt of the notification.
The controller may only object if the controller has reasonable, specific reasons for doing so. If the controller's objection is reasonable and specifically justified, then either:

  1. the data processor will continue the provision of the services without the involvement of the sub-processor for the remainder of the applicable contract period, or

  2. the controller has the option to terminate the agreement before the end of the applicable contract period with a notice period of 30 days and to get a refund of any prepaid fees for the service.

For operational reasons, the data processor may have the right to shorten this deadline if a sub-processor of critical function for the provision of the service, due to factors beyond the data processor's reasonable control, must be replaced with a new sub-processor that is generally located within the EU/EEA or at least with a third-country sub-processor that meets the same standard as the sub-processor being replaced. In such cases, the data processor will inform the data controller without undue delay. The data controller will continue to have the right to object in accordance with the above.

If the controller does not object within the set time limit, the notified changes shall be deemed approved.

B.2 Approved sub-processors

The controller has approved the use of the following sub-processors at the entry into force of the data processing agreement:

Name: Amazon Web Services EMEA SARL
Website / location: https://aws.amazon.com (EU/EEA)
Description of processing: Storing files (hosting), running the Elvium application, backing up data
Links: ISO 27001 certification; General conditions

Name: Twilio SendGrid
Website / location: https://sendgrid.com (US)
Description of processing: Email gateway that ensures high deliverability of emails to users of the system. General personal data is transferred to a third country (USA): the candidate's email address is stored in an accessible log for 30 days after the data processor has sent the email to the candidate.
Links: Standard Contractual Clauses (SCC)

Name: Ziggeo B.V.
Website / location: https://ziggeo.com (EU/EEA)
Description of processing: Processing video files, converting video, storing video, playing video.
Links: Terms

Name: Zendesk Inc.
Website / location: https://www.zendesk.com (EU/EEA + US)
Description of processing: Handling of customer and candidate support. General personal data is transferred to a third country (USA): a small part of the content, and thus also personal data, from the data processor's support ticket system.
Links: Standard Contractual Clauses (SCC)

Name: Cloudconvert (Lunaweb GmbH)
Website / location: https://cloudconvert.com (EU/EEA)
Description of processing: Conversion of attached files to PDF
Links: Privacy statement

At the entry into force of the data processing agreement, the data controller has specifically approved the use of the above-mentioned sub-processors for the specific processing described next to the party. The data processor cannot - without the data controller's specific and written approval - use the individual sub-processor for "other" processing than agreed.

Appendix C Instructions for the processing of personal data

C.1 Subject of processing / instruction

The data processor's processing of personal data on behalf of the data controller takes place by the data processor performing the following:

The Data Processor provides the Data Controller with a recruitment system where the Data Controller can perform tasks of the following nature, but not limited to:

  • Create job ads

  • Publish job ads

  • Receive consent to process data in connection with recruitment

  • Receive applications (documents, video, images, etc.)

  • Sort and rank applications

  • Send emails to candidates

  • Communicate with candidates

  • Import candidates and notify them (notification obligation)

  • Invite candidates

  • Hire and onboard candidates

  • Delete candidates within the deadline


C.2 Processing security

The security level must reflect:

The Data Processor secures the personal data through technical and organizational security measures that meet the requirements of the General Data Protection Regulation on security and protection of the data subject's (candidate's) rights.

All data handled in the data processor's software is stored and processed without unauthorized access at an ISO 27001 certified hosting center, cf. Appendix B above under point B.2. All pages run over SSL-encrypted connections (https). The high level of data processing security is documented by certificates and authorized statements that can be provided to the controller on request:

- AWS SOC, System and Operations Control 1 report
- AWS SOC, System and Operations Control 2 report
- AWS ISAE 3000 Type 2 report (PiTuKri)
- AWS ISAE 3000 Type 2 report (FINMA)
- AWS C5 Continued operations letter
- AWS DPA EU 2022
- AWS FINMA Circular 2013/03 - Auditing - Information Technology
- Elvium GDPR L-6 Contingency plan
- Elvium GDPR L-4 Data protection handbook
- Elvium GDPR L-3 Data protection policy
- Elvium annual compliance package

The controller shall be responsible for ensuring that the controller's users process data in the system correctly and confidentially. The data controller and its users are obliged to keep usernames and passwords secret, and any misuse of their access to the system is not the responsibility of the data processor. If the data controller or a user loses their username/password, or if there is a risk that these have come to the knowledge of unauthorized persons, they can be changed by contacting the data processor.


C.3 Retention period/deletion routine

The personal data is stored by the data processor until the data controller requests the data to be deleted or returned.

Upon subscription termination, the data processor deletes all personal data related to the data controller's use of the recruitment system.


C.4 Location of processing

Processing of the personal data covered by the agreement may not, without the prior written consent of the data controller, take place at locations other than the following:

- EU/EEA


C.5 Instruction or approval for the transfer of personal data to third countries

If the controller has not specified in this section or by a subsequent written communication an instruction or approval for the transfer of personal data to a third country, the data processor may not make such a transfer within the framework of the data processing agreement.

The table above under Appendix B.2 shows which sub-processors process personal data outside the EU/EEA area and where.
The data processor may not transfer or authorize the transfer of personal data processed on behalf of the data controller to countries outside the EU/EEA without prior consent from the data controller. If personal data is transferred from a country within the EU/EEA to a country outside the EU/EEA, the parties must ensure that the personal data is adequately protected in accordance with Chapter V of the GDPR. To achieve this, the transfer of personal data must, unless otherwise agreed, be based on the EU Commission's Standard Contractual Clauses, including supplementary measures.

The controller hereby authorizes the transfer of personal data to the approved sub-processors and the associated processing locations as specified in section B.2.

C.6 Procedures for the controller's supervision of the processing carried out by the processor and sub-processors

The entire application is hosted by Amazon Web Services, which is ISO 27001 certified.

The data controller or a representative of the data controller shall also have the right to carry out supervision, including physical supervision, at the data processor's premises when, in the data controller's assessment, a need arises. Any expenses incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its supervision.
