Data processing agreement

Here you can see the current data processing agreement V6.39, which forms the basis for the processing of personal data when you are a customer of Elvium. The agreement is accepted together with the main agreement, which was signed when the customer relationship started.

Addendum to the main agreement

Data processing agreement

Data controller

Company
CVR
Address line
Postal code and city
Denmark

Data processor

Elvium ApS
CVR 34709459
Flæsketorvet 68
1711 Copenhagen V
Denmark

1. Table of contents

2. Background to the data processing agreement

  1. This agreement sets out the rights and obligations that apply when the processor processes personal data on behalf of the controller.

  2. The agreement is designed for the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.

  3. The Data Processor's processing of personal data takes place in order to fulfill the parties' "main agreement".

  4. The Data Processing Agreement and the "main agreement" are interdependent and cannot be terminated separately. However, the Data Processing Agreement may - without terminating the "main agreement" - be replaced by another valid data processing agreement, see section 14 of the Data Processing Agreement.

  5. This Data Processing Agreement takes precedence over any similar provisions in other agreements between the parties, including the "main agreement".

  6. There are three appendices to this agreement. The appendices form an integral part of the Data Processing Agreement.

  7. Appendix A of the Data Processing Agreement contains details of the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

  8. Appendix B of the Data Processing Agreement contains the data controller's conditions for the data processor to use any sub-processors, as well as a list of any sub-processors approved by the data controller.

  9. Appendix C of the Data Processing Agreement contains detailed instructions on what processing the data processor must carry out on behalf of the data controller (the subject of the processing), the minimum security measures to be observed, and how the data processor and any sub-processors are supervised.

  10. The Data Processing Agreement and associated appendices are kept in writing, including electronically, by both parties.

  11. This data processing agreement does not release the data processor from obligations directly imposed on the data processor by the General Data Protection Regulation or any other legislation.

  12. This data processing agreement is based on the data processing agreement prepared by the Danish Data Protection Agency, but contains several deviations from the Danish Data Protection Agency's template.

3. Obligations and rights of the controller

  1. The data controller is generally responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Data Protection Act.

  2. The controller therefore has both the rights and the obligations to make decisions about the purposes and means of processing.

  3. Among other things, the controller is responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.

4. The data processor acts on instructions

  1. The processor shall process personal data only on documented instructions from the controller, unless required by Union or Member State law to which the processor is subject, in which case the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such information for reasons of important public interest, cf. Article 28(3)(a).

  2. The data processor shall immediately inform the data controller if, in the opinion of the data processor, an instruction is contrary to the GDPR or data protection provisions of other EU or Member State law.

5. Confidentiality

  1. The data processor shall ensure that only authorized persons have access to the personal data processed on behalf of the controller. Access to the data must therefore be withdrawn immediately if the authorization is revoked or expires.

  2. Only persons who need access to the personal data in order to fulfill the data processor's obligations to the data controller may be authorized.

  3. The processor shall ensure that the persons authorized to process personal data on behalf of the controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

  4. At the request of the controller, the data processor must be able to demonstrate that the relevant employees are subject to the above obligation of confidentiality.

6. Security of processing

  1. The Data Processor shall implement all measures required under Article 32 of the General Data Protection Regulation, which states, inter alia, that appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

  2. The above obligation means that the data processor must carry out a risk assessment and then implement measures to counteract identified risks. This may include, depending on what is relevant, the following measures, among others:

    a. Pseudonymization and encryption of personal data

    b. Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident

    c. Ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services

    d. A procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing

  3. In connection with the above, the Data Processor shall - in all cases - as a minimum implement the security level and measures specified in more detail in Appendix C of this Agreement.

  4. In addition, the processor shall assist the controller in its compliance with the controller's obligation under Article 32 of the Regulation by, inter alia, providing the controller with the necessary information regarding the technical and organizational security measures already implemented by the processor pursuant to Article 32 of the Regulation and any other information necessary for the controller to comply with its obligation under Article 32 of the Regulation.

  5. Any regulation/agreement between the parties on remuneration or similar in connection with the data controller's or data processor's subsequent requirement to establish additional security measures will appear from the parties' "main agreement".

7. Use of sub-processors

  1. The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR to use another data processor (sub-processor).


  2. The data processor may thus not use another data processor (sub-processor) to fulfill the data processing agreement without prior specific or general written approval from the data controller.


  3. In the case of general written authorization, the processor shall notify the controller of any planned changes regarding the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.


  4. The data controller's detailed conditions for the data processor's use of any sub-processors appear in Appendix B of this agreement.

  5. The Controller's approval of specific sub-processors, if any, is set out in Appendix B of this Agreement.

  6. Where the processor has the controller's approval to use a sub-processor, the processor shall ensure that it imposes on the sub-processor the same data protection obligations as those set out in this processor agreement by means of a contract or other legal act in accordance with Union or Member State law, in particular providing appropriate guarantees that the sub-processor will implement the appropriate technical and organizational measures in such a way that the processing will meet the requirements of the GDPR.

    The data processor is thus responsible for - through the conclusion of a sub-processor agreement - imposing on any sub-processor at least the obligations that the data processor itself is subject to under the data protection rules and this data processing agreement with associated appendices.

  7. The sub-processor agreement and any subsequent amendments thereto shall - at the request of the data controller - be sent in copy to the data controller, which thereby has the opportunity to ensure that a valid agreement has been concluded between the data processor and the sub-processor. Any commercial terms, such as prices, which do not affect the data protection law content of the sub-processor agreement shall not be sent to the data controller.

  8. The processor shall, where possible, include the controller as a third party beneficiary in its agreement with relevant sub-processors in the event of bankruptcy of the processor, so that the controller can subrogate to the rights of the processor and enforce them against the sub-processor, for example, so that the controller can instruct the sub-processor to perform erasure or return of data.

  9. If the sub-processor does not fulfill its data protection obligations, the processor remains fully liable to the controller for the fulfillment of the sub-processor's obligations.

8. Transfer of data to third countries or international organizations

  1. The processor shall only process personal data on the documented instructions of the controller, including as regards the transfer (assignment, disclosure and internal use) of personal data to third countries or international organizations, unless required by Union or Member State law to which the processor is subject, in which case the processor shall inform the controller of this legal requirement prior to processing, unless that law prohibits such notification for reasons of important public interest, see Article 28(3)(a).

  2. Without the data controller's instructions or approval, the data processor may therefore - within the framework of the data processing agreement - not:

    a. disclose the personal data to a data controller in a third country or in an international organization
    b. entrust the processing of personal data to a sub-processor in a third country
    c. have the data processed in another department of the data processor located in a third country.

  3. The Controller's instructions or approval, if any, for the transfer of personal data to a third country will be set out in Appendix C of this Agreement.

  4. These Clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR and these Clauses shall not constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.

9. Assistance to the controller

  1. The data processor shall, taking into account the nature of the processing, assist the controller as far as possible, using appropriate technical and organizational measures, in fulfilling the controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the GDPR. This means that the data processor shall assist the controller as far as possible in ensuring compliance with:

    a. the obligation to provide information when collecting personal data from the data subject
    b. the obligation to provide information if personal data has not been collected from the data subject
    c. the data subject's right of access
    d. the right to rectification
    e. the right to erasure ("right to be forgotten")
    f. the right to restriction of processing
    g. the right to be informed in connection with rectification or erasure of personal data or restriction of processing
    h. the right to data portability
    i. the right to object
    j. the right not to be subject to a decision based solely on automated processing, including profiling

  2. The data processor shall assist the data controller, in addition to the data processor's obligations under Clause 6.3, in ensuring compliance with the data controller's obligations pursuant to Articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28(3)(f). This means that the data processor, taking into account the nature of the processing, shall assist the data controller in connection with the data controller ensuring compliance with:

    a. the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing in accordance with Article 32 of the GDPR

    b. the obligation to notify a personal data breach to the supervisory authority (the Danish Data Protection Agency) without undue delay and, where feasible, no later than 72 hours after the controller has become aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

    c. the obligation to notify - without undue delay - the data subject(s) of a personal data breach where such a breach is likely to result in a high risk to the rights and freedoms of natural persons

    d. the obligation to carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons

    e. the obligation to consult the supervisory authority (Data Protection Authority) prior to processing where a data protection impact assessment shows that the processing is likely to result in a high risk in the absence of measures taken by the controller to mitigate the risk

  3. Any regulation/agreement between the parties on remuneration or similar in connection with the data processor's assistance to the data controller will appear from the parties' "main agreement".

  4. The parties shall specify in Appendix C the necessary technical and organizational measures with which the data processor shall assist the data controller, and to what extent. This applies to the obligations arising from Clauses 9.1 and 9.2.

10. Personal data breach notification

  1. The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred at the data processor or any sub-processor.
    The data processor's notification to the data controller shall, if possible, take place immediately after becoming aware of the breach so that the data controller has the opportunity to comply with any obligation to report the breach to the supervisory authority within 72 hours.

  2. In accordance with Clause 9.2(b) of this agreement, the data processor shall - taking into account the nature of the processing and the information available to it - assist the data controller in the notification of the breach to the supervisory authority.
    This may mean that the data processor must, inter alia, assist in providing the following information, which under Article 33(3) of the General Data Protection Regulation must be included in the controller's notification to the supervisory authority:

    a. The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected

    b. Likely consequences of the personal data breach

    c. Measures taken or proposed to be taken to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects

11. Erasure and return of data

  1. Upon termination of the processing services, the processor is obliged, at the choice of the controller, to delete or return all personal data to the controller and to delete existing copies, unless EU or national law provides for the storage of the personal data.

12. Supervision and auditing

  1. The data processor shall make available to the data controller all information necessary to demonstrate the data processor's compliance with Article 28 of the General Data Protection Regulation and this agreement and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

  2. The detailed procedure for the data controller's supervision of the data processor is set out in Appendix C of this agreement.

  3. The data controller's supervision of any sub-processors is generally carried out through the data processor. The detailed procedure for this is set out in Appendix C of this agreement.

  4. The data processor shall be obliged to grant authorities that have access to the data controller's and data processor's facilities under the legislation in force at any time, or representatives acting on behalf of the authority, access to the data processor's physical facilities against proper identification.

13. Agreements between the parties on other matters

  1. Any (special) regulation of the consequences of the parties' breach of the data processing agreement will be stated in the parties' "main agreement".

  2. Any regulation of other matters between the parties will be set out in the parties' "main agreement".

  3. The provisions of this data processing agreement will not directly or indirectly contravene the General Data Protection Regulation or impair the fundamental rights and freedoms of the data subject under the General Data Protection Regulation.

14. Entry into force and termination

  1. This Data Processing Agreement forms part of the overall agreement and contractual basis and enters into force upon signature of the "main agreement". The current data processing agreement with appendices is available at any time at elvium.com

  2. The agreement may be renegotiated by either party if changes in legislation or inappropriateness in the agreement give rise to this.

  3. Any regulation/agreement between the parties regarding remuneration, conditions or similar in connection with changes to this agreement will appear from the parties' "main agreement".

  4. The data processing agreement may be terminated in accordance with the terms of termination, including notice of termination, stated in the "main agreement".

  5. The agreement is valid as long as the processing continues. Regardless of the termination of the "main agreement" and/or the data processing agreement, the data processing agreement will remain in force until the end of the processing and the deletion of the data by the data processor and any sub-processors.

The data controller

Account owner registered with Elvium in connection with the conclusion of the main agreement.

The data processor

Jesper Andersen
CEO
(+45) 7199 2860
info@elvium.com

15. Contact persons/contact points at the controller and processor

  1. The parties can contact each other via the contact persons/contact points below:

  2. The parties are obliged to keep each other informed of changes regarding the contact person/contact point.

The data controller

Account owner registered with Elvium in connection with the conclusion of the main agreement.

The data processor

Jesper Andersen
CEO
(+45) 7199 2860
info@elvium.com

Appendix A Information about the processing

The purpose of the data processor's processing of personal data on behalf of the data controller
The data controller uses the data processor's HR and recruitment system to collect and process information about candidates for employment with the data controller and/or with the data controller's customers if the data controller provides HR and recruitment services.

When the controller uses the data processor's HR and recruitment system, it is solely the controller who decides for what purpose and with what means the personal data recorded in connection with the use of the HR and recruitment system may be processed.

The Data Processor's processing of personal data on behalf of the Data Controller primarily concerns (the nature of the processing)
The Data Processor makes its HR and recruitment system available to the Data Controller and thereby stores personal data about candidates.
The processing of applications thus includes automatic e-mail responses to candidates (acknowledgement, rejection and invitation), objective sorting of all incoming applicants according to the specific requirements of the position and the questions set by the controller, booking of job interviews, video recruitment (if purchased), a candidate database, and import of other potential candidates.
The personal data to which the data controller has access is information about applicants (candidates) that the candidates themselves have entered or attached in the HR and recruitment system and have made available to the data controller.

The processing includes the following types of personal data about the data subjects:
Personal data processed includes information included in recruitment, including typically but not limited to: Name, photo, video, email address, phone number, address, social security number, age, gender, current workplace, skills, education, etc.

The processing includes the following categories of data subjects:
The personal data to which the controller has access is information about applicants (candidates) that the candidates themselves have entered or attached in the HR and recruitment system and have made available to the controller. In case of importing personal data about candidates in the HR and recruitment system who have not entered data themselves, it is the responsibility of the data controller to comply with the duty of disclosure in relation to these candidates. The controller is fully responsible for the processing of the personal data transferred to and processed in the controller's own organization and systems and for any disclosure of personal data to third parties.

The Data Processor's processing of personal data on behalf of the Data Controller may commence after the entry into force of this agreement. The duration of the processing is as follows:
The processing is not limited in time and lasts until the agreement expires or is terminated by one of the parties. Upon expiry of the main agreement, the data processor deletes all personal data related to the data controller's use of the HR and recruitment system.

Appendix B Conditions for the data processor's use of sub-processors and list of approved sub-processors

B.1 Conditions for the data processor's use of any sub-processors

The data processor has the data controller's general approval to use sub-processors. However, the Data Processor shall notify the Data Controller of any planned changes regarding the addition or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification must be received by the data controller at least one month before the use or change is to take effect. If the controller objects to the changes, the controller shall notify the data processor within 30 days of receipt of the notification.
The controller may only object if the controller has reasonable, specific reasons for doing so. If the controller's objection is reasonable and specifically justified, either:

  1. the data processor will continue to provide the services without the involvement of the sub-processor for the remainder of the applicable contract period, or

  2. the controller has the option to terminate the agreement before the end of the applicable contract period with a notice period of 30 days and receive a refund of any prepaid fees for the service.

For operational reasons, the data processor may have the right to shorten this deadline if a sub-processor of critical function for the provision of the service, due to factors beyond the data processor's reasonable control, must be replaced with a new sub-processor that is generally located within the EU/EEA or at least with a third-country sub-processor that meets the same standard as the sub-processor being replaced. In such cases, the data processor will inform the data controller without undue delay. The data controller will continue to have the right to object in accordance with the above.

If the controller does not object within the set time limit, the notified changes shall be deemed approved.

B.2 Approved sub-processors

The controller has approved the use of the following sub-processors at the entry into force of the data processing agreement:

Name: Amazon Web Services (being phased out)

Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy, L-1855 Luxembourg
Registered in the Luxembourg Trade and Companies Register with registration number B186284

Amazon Web Services, Danish branch of Amazon Web Services EMEA SARL, Luxembourg
c/o Spaces, Ny Carlsberg Vej 80
1799 Copenhagen V, Denmark
VAT: DK39009323

All data in EU-EEA

Description of processing:
https://aws.amazon.com (EU/EEA)
Storage of files (e.g. CV and application)

Links:
ISO 27001 certification
General conditions

Transfer basis: EU-EEA GDPR (EU-U.S. DPF)

Name: Scaleway

Scaleway SAS
BP 438
75366 Paris CEDEX 08
France
VAT number: FR 35 433 115 904
Contact email: sales-admin@scaleway.com
Phone number: +33 1 84 13 13 00 00

All data in EU-EEA

Description of processing:
https://www.scaleway.com (EU-EEA)
Storing files
Running the Elvium application
Backing up data

Links:
ISO 27001 certification
General conditions

Transfer basis: EU-EEA GDPR

Name: Twilio Ireland Limited

Twilio Ireland Limited
70 Sir John Rogerson's Quay
Dublin 2, D02 R296
Ireland
VAT Registration Number: IE3335493BH

Description of processing:
https://sendgrid.com (US, migrating to EU-EEA)
Email gateway that ensures a high delivery rate of emails to users of the system. General personal data is transferred to a third country (USA): the candidate's email address and the subject line are stored in an accessible log for 30 days after the data processor has sent the email to the candidate.

Transfer basis: SCC

Name: Ziggeo

915 Broadway, 19th Floor
New York, NY 10011
United States
Department of State (DOS) ID Number: 4308127

Data center: Dublin, Ireland
All data in EU-EEA; the contract is with a US-based company only

Description of processing:
https://ziggeo.com (EU-EEA)
Processing video files, converting video, storing video, playing video.

Links:
Terms

Transfer basis: EU-EEA GDPR (EU-U.S. DPF)

Name: Zendesk

Zendesk, Inc.
181 Fremont St, 17th Floor
San Francisco, CA 94105
United States
Department of State (DOS) ID Number: 4810559

Data center: Dublin, Ireland

Description of processing:
https://www.zendesk.com (EU-EEA + US)
Handling of customer and candidate support. General personal data is transferred to a third country (USA): a small part of the content, and thus also personal data, from the data processor's support ticket system.

Transfer basis: EU-U.S. DPF

Name: Cloudconvert

Lunaweb GmbH
Nördliche Münchner Straße 47
82031 Grünwald
Germany
Mail: info@cloudconvert.com
VAT ID: DE316913979

Description of processing:
https://cloudconvert.com (EU-EEA)
Converting attachments to PDF

Links:
Privacy statement

Transfer basis: EU-EEA GDPR

At the entry into force of the data processing agreement, the data controller has specifically approved the use of the above-mentioned sub-processors for the specific processing described for each of them. The data processor cannot - without the data controller's specific and written approval - use the individual sub-processor for "other" processing than agreed.

Appendix C Instructions for the processing of personal data

C.1 Subject of processing / instruction

The data processor's processing of personal data on behalf of the data controller takes place by the data processor making an HR and recruitment system available to the data controller, where the data controller can perform tasks of the following nature (the list is not exhaustive):

  • Create job ads

  • Publish job ads

  • Receive consent to process data in connection with recruitment

  • Receive applications (documents, video, images, etc.)

  • Sort and rank applications

  • Send emails to candidates

  • Communicate with candidates

  • Import candidates and notify them (notification obligation)

  • Invite candidates

  • Hire and onboard candidates

  • Delete candidates within the deadline

C.2 Security of processing

The security level must reflect:
The Data Processor secures the personal data through technical and organizational security measures that meet the requirements of the General Data Protection Regulation on security and protection of the data subject's (candidate's) rights.
All data handled in the Data Processor's software is stored and processed, protected against unauthorized access, at an ISO 27001 certified hosting center, cf. Appendix B, section B.2 above. All pages are served over TLS-encrypted connections (https). The level of data processing security is documented by certificates and authorized statements that can be provided to the controller on request:

- Elvium GDPR L-6 Contingency Plan
- Elvium GDPR L-4 Data Protection Handbook
- Elvium GDPR L-3 Data Protection Policy
- Elvium Annual Compliance Package

The controller shall be responsible for ensuring that the controller's users process data in the system correctly and confidentially. The data controller and its users are obliged to keep usernames and passwords secret, and the data processor is not responsible for misuse of access to the system resulting from their disclosure. If the data controller or a user loses their username/password, or if there is a risk that these have come to the knowledge of unauthorized persons, they can be changed by contacting the data processor.

C.3 Retention period/deletion routine

The personal data is stored by the data processor until the data controller requests that the data be deleted or returned.
Upon subscription termination, the data processor deletes all personal data related to the data controller's use of the HR and recruitment system.

C.4 Location of processing

Without the prior written consent of the data controller, the personal data covered by the agreement may not be processed in locations other than the EU/EEA and, to a limited extent, the United States under a valid transfer basis, currently the European Commission's adequacy decision for the so-called EU-U.S. Data Privacy Framework. See Appendix B, section B.2 above.

C.5 Instruction or approval for the transfer of personal data to third countries

If the controller has not specified in this section or by a subsequent written notice an instruction or approval regarding the transfer of personal data to a third country, the data processor may not make such a transfer within the framework of the data processing agreement.
The table in Appendix B.2 above shows which sub-processors process personal data outside the EU-EEA area and where.
The data processor may not transfer or approve the transfer of personal data processed on behalf of the controller to countries outside the EU-EEA without prior consent from the controller. If personal data is transferred from a country within the EU-EEA to a country outside the EU-EEA, the parties must ensure that personal data is adequately protected in accordance with Chapter V of the GDPR. To achieve this, the transfer of personal data must, unless otherwise agreed, take place under EU-approved conditions, such as the European Commission's adequacy decision for the so-called EU-U.S. Data Privacy Framework. The controller hereby authorizes the transfer of personal data to the approved sub-processors and the associated processing locations as specified in section B.2.

C.6 Procedures for the controller's supervision of the processing carried out by the processor and sub-processors

The entire application is hosted at Scaleway, which is ISO 27001 certified.

The data controller or a representative of the data controller shall also have the right to carry out supervision, including physical supervision, at the data processor's premises when, in the data controller's assessment, a need arises. Any expenses incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its supervision.
