Data Processing Agreement (EN)

Last updated: August 9, 2025

1. Scope and purpose of Data Processing Agreement

This Data Processing Agreement (the "DPA") delineates the respective rights and responsibilities of Vouch and the legal entity that has signed up to the Services, as further described in correspondence with Vouch and each Job Posting (“Customer” or “Data Controller”), when the Data Processor processes personal data on behalf of the Data Controller, as part of the services offered under the Master Customer Agreement (“MCA”).

For processing not covered by the MCA, each party is considered a separate controller under the Applicable Privacy Law, unless otherwise agreed in writing between the Parties.

The DPA comprises of this document and its accompanying by the MCA. In cases of conflict between the MCA and this DPA, the latter shall prevail for matters specifically pertaining to processing of personal data.

2. Definitions

"Applicable Privacy Law" refers to the relevant versions of the EU's General Data Protection Regulation (2016/679) ("GDPR"), the Norwegian Act on the Processing of Personal Data of June 15, 2018 (the Personal Data Act), and any additional legislation concerning the processing and protection of personal data.

"Data Controller" refers to the Customer, when the processing of personal data pertains to the provision of the Services, as described in the MCA.

"Data Processor" refers to Vouch, when Vouch processes personal data on behalf of the Customer in connection with the provision of the Services, as described in the MCA.

"Data Transfer" refers to a processing operation that satisfies the following cumulative requirements, as defined by the EDPB:

  1. A controller or a processor (“Exporter”) is subject to the GDPR for the given processing.

  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“Importer”).

  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

"Services" as defined in the MCA.

"Sub-processor" refers to an entity or individual engaged by the Data Processor as a subcontractor to process personal data under the MCA.

Terms not explicitly defined herein shall be interpreted in accordance with Article 4 of the GDPR or the MCA.

3. Scope of processing

3.1. Processing operations and controllership

Vouch will process personal data on behalf of the Customer in connection with providing the Services, as set forth in the MCA. The Customer acknowledges that the Customer is the Data Controller and that Vouch is the Data Processor for the following processing operations:

i) Collection of personal data concerning a Candidate for a specific Job Posting,

ii) Preliminary screening of Candidates for a specific Job Posting,

iii) Query a Candidate’s interest in a specific Job Posting,

iv) Forward personal data concerning a Candidate to the Customer,

v) Access and review of candidate process and the result of the hiring process,

vi) Deletion and erasure of personal data concerning Candidates that request deletion after a candidate process, and

vii) Use of personal data concerning a Voucher in connection with payment of Referral Rewards.

For any other processing activity not covered by the Services or the DPA, each party shall be considered an individual data controller.

The Customer’s responsibility as Data Controller ceases when a specific candidate process or Job Posting is concluded or ceases to be valid, provided that the Customer transfers the personal data to Vouch, deletes or anonymizes the personal data concerned.

3.2. Categories of personal data

The nature, purpose and categories of personal data subject to this DPA will be:

i) Name,

ii) Contact details,

iii) CV data,

iv) Screening data and evaluations, and

v) Job application history

4. Rights and Responsibilities of the Data Controller

The Data Controller bears the responsibility for processing personal data in compliance with the Applicable Privacy Law. Specifically, the Data Controller must ensure that

i) Processing of personal data has a legal basis,

ii) Data subjects have been adequately informed about how their personal data will be processed,

iii) Where appropriate, risk assessments are performed, and

iv) the Data Processor is provided with unambiguous instructions and sufficient information to fulfil its obligations under this DPA and the Applicable Privacy Law.

5. Instructions from the Data Controller to the Data Processor

The Data Processor shall adhere to the Applicable Privacy Law and the Data Controller's documented instructions. The Data Controller's instructions are detailed in the MCA and this DPA, along with written correspondence between the parties. Should the Data Processor perceive a conflict between these instructions and the Applicable Privacy Law, the Data Processor shall immediately notify the Data Controller.

Changes to these instructions must be documented in writing between the Parties. Vouch may request reimbursement for documented costs incurred due to the implementation of such changes, or a proportional adjustment of the remuneration under the MCA if the amended instructions result in additional costs.

6. Confidentiality and Duty of Secrecy

The Data Processor must ensure that only authorized personnel have access to the personal data. Authorization should cease immediately if it expires or is revoked.

Access to personal data must be granted solely to those who require it to fulfil their duties under the MCA, this DPA, and any other necessary processing obligations under applicable law.

Individuals authorized by Vouch to process personal data shall be legally bound by a duty to preserve confidentiality, either contractually or through applicable law. These obligations shall persist beyond the termination of this DPA and/or employment relationship.

Upon request from the Data Controller, the Data Processor must provide documentation verifying that relevant personnel are bound by confidentiality obligations.

Following the termination of this DPA, the Data Processor must immediately cease all access to personal data processed under this DPA. However, the parties acknowledge that Vouch shall continue to process personal data as a controller for personal data collected in connection with this DPA and MCA, but which will be processed outside the scope and purposes set forth in this DPA and the MCA.

7. Assistance to the Data Controller

Upon request, the Data Processor shall assist the Data Controller in fulfilling the rights of data subjects under Chapter III of the GDPR. This obligation only applies to the extent that it is possible, appropriate, and necessary, considering the nature and scope of data processing under the MCA.

The Data Processor must promptly forward all inquiries from data subjects regarding their rights under this DPA and Applicable Privacy Law to the Data Controller. Responses to such inquiries can only be provided by the Data Processor upon written approval from the Data Controller.

The Data Processor is also required to assist the Data Controller in ensuring compliance with Articles 32-36 of the GDPR. This includes aiding in data impact assessments and prior consultations with the Norwegian Data Protection Authority.

Should the Data Processor provide assistance beyond what is required to fulfil its obligations under this DPA and Applicable Privacy Law, the Data Processor may claim reimbursement for all documented costs related to such assistance. These costs will be reimbursed according to the pricing provisions of the MCA.

8. Security of Processing

The Data Processor is obligated to implement appropriate technical and organizational measures to secure a level of safety commensurate with the risk. These measures should be aligned with the current state of technology, the cost of implementation, and the type, scope, and purpose of processing, in addition to the risk and severity it poses to the rights and freedoms of natural persons. At a minimum, the Data Processor must adhere to the following principles and measures:

i) Maintain appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data. This includes, but is not limited to, firewalls, intrusion detection systems, and encryption technologies.

ii) Take reasonable steps to confirm that all Vouch personnel are protecting the security, privacy and confidentiality of personal data.

The Data Processor must conduct risk assessments to ensure a consistent level of security. Regular testing, assessment, and evaluation of these security measures are mandatory, particularly to ensure enduring confidentiality, integrity, availability, and robustness in data processing systems and services. Additionally, there must be a quick restoration of data availability in case of an incident.

The Data Processor is required to document these risk assessments and security measures, and make them available to the Data Controller upon request. This also includes allowing for audits as agreed between the Parties, as per section 12 of this DPA.

9. Notification of Personal Data Security Breach

In the event of a personal data security breach, the Data Processor must without undue delay notify the Data Controller. This notification should provide all necessary information and assistance for the Data Controller to report the breach to supervisory authorities in compliance with the Applicable Privacy Law.

Such notifications must include:

i) A description of the nature of the data breach, including the categories and approximate number of data subjects and data records affected.

ii) Contact details for further information.

iii) An assessment of the likely consequences of the breach.

iv) Proposed measures to address and mitigate the breach.

If required, information can be submitted in phases, provided it is without undue delay.

The Data Processor must implement all reasonable measures to rectify and prevent similar data breaches in the future.

The Data Controller bears the responsibility for notifying both the Data Protection Authority and the affected data subjects. The Data Processor is prohibited from informing third parties about the breach, unless mandated by applicable law or expressly instructed in writing by the Data Controller.

10. Use of Sub-processor

The Data Processor is hereby granted general authorization from the Data Controller to use Sub-Processors, as further described on Vouch’s Privacy Policy.

The same data protection obligations outlined in this DPA must be imposed on the Sub-processor through a written contract. The Data Processor can only engage Sub-Processors that have implemented adequate technical and organizational measures to ensure compliance with the Applicable Privacy Law. The Data Processor is obligated to assess and confirm that satisfactory measures have been implemented by the Sub-Processors and must be able to provide assessment reports to the Data Controller upon request.

Should the Data Controller object to a new Sub-Processor, both Parties must negotiate in good faith to reach a reasonable solution, including the apportionment of any costs between them. An agreement must be reached before any changes in Sub-Processor usage can be made.

If a Sub-Processor fails to meet its data protection obligations, the Data Processor remains liable to the Data Controller as if the Data Processor itself were responsible for the processing.

Upon request, the Data Processor must disclose agreements with Sub-Processors to the Data Controller. This applies only to portions relevant to data processing and is subject to statutory or regulatory limitations. Commercial terms are not required to be disclosed.

11. Transfer of Personal Data to Countries Outside the EEA

The transfer of personal data to countries outside the European Economic Area (EEA), or to international organizations, requires written approval from the Data Controller. The Data Controller hereby grants the Data Processor authorization to transfer personal data to Sub-Processors already granted general authorization under section 10, provided that the Transfer complies with Applicable Privacy Law and especially GDPR chapter 5. A decision by the European Commission confirming an adequate level of data protection, as per Article 45 of the GDPR.

12. Audit

Upon request, the Data Processor must provide the Data Controller with all necessary information to demonstrate compliance with Article 28 of the GDPR and this DPA.

The Data Processor must facilitate and contribute to inspections and audits conducted by or on behalf of the Data Controller and by relevant supervisory authorities. Audits of any Sub-Processors shall be carried out by the Data Processor unless otherwise specifically agreed.

If an audit reveals a breach of obligations under the Applicable Privacy Law or this DPA, the Data Processor is required to rectify the breach promptly. The Data Controller may demand that the Data Processor temporarily halt all or part of the data processing activities until the breach is rectified and approved by the Data Controller.

The Customer shall bear the costs for annual audits. However, if the audit uncovers significant breaches of obligations under the Applicable Privacy Law or this DPA, Vouch shall bear the Customer’s reasonable audit-related costs.

13. Erasure and Return of Information

The parties acknowledge that Vouch shall continue to process personal data as a controller for personal data collected in connection with this DPA and MCA, but which will be processed outside the scope and purposes set forth in this DPA and the MCA.

Upon the termination of this DPA, the Data Processor is obligated to return and delete all personal data processed on behalf of the Data Controller, within the scope of this DPA and MCA. The Data Controller will specify the format in which the data return should occur. If no format is specified, Vouch will use a standard, machine-readable format (e.g., CSV, JSON). The Data Processor's documented costs related to the data return shall be borne by the Data Controller, unless covered by the remuneration under the MCA.

The Data Processor must confirm in writing to the Data Controller that personal data, processed for purposes set forth in this DPA and MCA, has been deleted, rendered inaccessible or has ceased.

14. Breach and Suspension Orders

In case of a breach of this DPA or the Applicable Privacy Law, the Data Controller and relevant supervisory authorities may instruct the Data Processor to immediately cease all or part of the data processing activities, subject to this DPA and MCA.

Failure to comply with the terms of this DPA or the Applicable Privacy Law shall be considered a breach of the MCA. The obligations, deadlines, sanctions, and limitations of liability outlined in the MCA shall apply, unless otherwise explicitly agreed.

15. Duration and Expiry

This DPA becomes effective upon the date of acceptance and creation of a Customer Account. It remains in effect for as long as the Data Processor processes personal data on behalf of the Data Controller.

Termination rules specified in the MCA shall also apply to this DPA, where relevant. This DPA may not be terminated as long as the MCA remains in effect, unless replaced by a new DPA.

16. Miscellaneous

Sections 6 and 11 of the MCA apply insofar as these provisions are compatible with this DPA and Applicable Privacy Law.

This DPA shall be governed by, and construed in accordance with, the provisions relating to Governing Law and Dispute Resolution as stipulated in the MCA.