DPA
This Data Processing Addendum (“DPA”) forms part of the PURMSec Terms of Service (including any Customer Contract and any related documentation), as updated or amended from time to time (“Terms”), between You and Us. All capitalised terms not defined in this DPA have the meaning set out in the Terms.
This DPA only applies if and to the extent We process Customer Personal Data on Your behalf.
Customer enters into this DPA on behalf of itself and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Customer Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” or “You” shall include Customer and Customer Affiliates. Except as otherwise agreed in the Terms, this DPA will become legally binding upon receipt by Us of the validly completed and signed DPA. For the avoidance of doubt, signature of the DPA shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses.
Data Processing Terms
1. Definitions
In this DPA, the following terms have the following meanings:
data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law;
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity;
Controller means the entity which determines the purpose and means of the processing of personal data;
Customer Affiliate means any Affiliate of the Customer which (a) is subject to the EU GDPR or the UK GDPR; and (b) is permitted to use the Services as a User of the Customer but is not a Customer as defined in this DPA;
Customer Personal Data means any personal data Processed by Us on behalf of You pursuant to or in connection with the Terms including any personal data of Your customers, employees, contractors or other individuals, in circumstances where the EU GDPR or the UK GDPR applies;
EU GDPR means the EU General Data Protection Regulation (Regulation 2016/679) and any EU Member State laws made under that Regulation or that replace or amend it from time to time;
EU C-to-P Transfer Clauses means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor);
EU P-to-P Transfer Clauses means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor);
Processor means the entity which processes personal data on behalf of the Controller;
Relevant Country means any country other than (a) a country within the EEA, EU or UK; and (b) a country in respect of which an adequacy finding under Article 25(6) of the European Data Protection Directive, Article 45 of the EU GDPR or Schedule 21 of the UK Data Protection Act 2018 has been given;
Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, as may be amended, superseded or replaced;
Subprocessor means any third party engaged by Us to process Customer Personal Data on Your behalf in connection with the Terms;
PURMSec or Us, We, Our has the same meaning as ‘PURMSec’, ‘Us’, ‘We’ or ‘Our’ in the Terms;
UK GDPR means the EU GDPR and the Data Protection Act 2018, both as amended by the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), and any UK laws made under those laws or that replace or amend any of them from time to time;
You or Customer has the same meaning as ‘You’ or ‘Customer’ in the Terms.
2. Role of the parties
The parties agree and acknowledge that with regard to the processing of the Customer Personal Data, You are a Controller or a Processor, We are a Processor and We may engage Subprocessors pursuant to the requirements set out in this DPA.
Each party must comply with the obligations that apply to it under Applicable Data Protection Law with respect to performing its obligations under this DPA.
3. Prohibited data
Unless explicitly requested by Us to do so or expressly permitted in this DPA, You will not disclose (and will not permit any data subject to disclose) any special categories of personal data to Us for processing.
4. Our Processing of personal data
4.1 We shall comply with all Applicable Data Protection Law in the processing of Customer Personal Data.
4.2 We shall process Customer Personal Data in accordance with the EU GDPR and the UK GDPR requirements directly applicable to Our provision of the Service.
4.3 We shall process Customer Personal Data on behalf of and only in accordance with Your documented instructions including such instructions as may be provided by You pursuant to the Service for the following purposes: (i) processing in accordance with and as described in the Terms and applicable Customer Contract; (ii) processing to comply with other documented reasonable instructions provided by You where consistent with the Terms; and (iii) processing initiated by Users in their use of the Service (the Permitted Purpose).
4.4 We shall only otherwise process Customer Personal Data if such processing is required by Applicable Data Protection Law, in which case We will, to the extent permitted by those laws, inform You of that legal requirement before the relevant processing of that Customer Personal Data.
4.5 We shall inform You immediately (i) if in Our opinion an instruction from You constitutes a breach of the EU GDPR or UK GDPR and/or (ii) if We are unable to follow Your instructions for the processing of Customer Personal Data.
5. Your processing of personal data.
5.1 You shall, in Your use of the Service, process Customer Personal Data in accordance with the requirements of Applicable Data Protection Law, including any applicable requirement to provide notice to data subjects of the use of Us as Processor (including, where You are a Processor, by ensuring that the ultimate Controller does so).
5.2 You shall ensure that Your instructions for the processing of Customer Personal Data comply with Applicable Data Protection Law.
5.3 You shall have sole responsibility for the accuracy, quality and legality of Customer Personal Data and the means by which You acquired the Customer Personal Data.
6. Confidentiality of processing
We will treat Customer Personal Data as confidential and ensure that any person We authorise to process the Customer Personal Data will protect the Customer Personal Data in accordance with Our confidentiality obligations under the Terms.
7. International transfers
You acknowledge that in connection with the Service, Customer Personal Data may be transferred from the EEA, EU and the United Kingdom to a Relevant Country. To the extent that such transfers are subject to Applicable Data Protection Law, the transfer mechanisms listed below shall apply to them and can be directly enforced by the parties:
(i) the EU C-to-P Transfer Clauses. Where Customer and/or its Customer Affiliate is a Controller and a data exporter of Customer Personal Data and We are a Processor and data importer in respect of that Customer Personal Data, then the Parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in section 1 of Schedule 1; and/or
(ii) the EU P-to-P Transfer Clauses. Where Customer and/or its Customer Affiliate is a Processor acting on behalf of a Controller and a data exporter of Customer Personal Data and We are a Processor and data importer in respect of that Personal Data, the Parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in sections 1 and 2 of Schedule 1.
The parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in Applicable Data Protection Laws.
8. Security
We will implement technical and organisational measures, as set out in Annex II, which may be amended and updated from time to time, to protect the Customer Personal Data from any (i) accidental or unlawful destruction of, and (ii) loss, alteration, unauthorised disclosure of, or unauthorised access to, the Customer Personal Data (a Security Incident).
9. Subprocessors
You consent to Us engaging third-party Subprocessors, including Our Affiliates, to process the Customer Personal Data for the Permitted Purpose provided that:
(i) We maintain an up-to-date list of Our Subprocessors, which is available on Our website www.talentpay.com/purmsec/trust which We will update with details of any change in Subprocessors prior to the change;
(ii) We impose data protection terms on any Subprocessor We appoint that require it to protect the Customer Personal Data to the standard required by Applicable Data Protection Law;
(iii) We remain liable for any breach of this DPA that is caused by an act, error or omission of Our Subprocessor; and
(iv) We will notify You if We add or replace any Subprocessors if You opt in to receive such notification by subscribing to updates through Our email address privacy@talentpay.com with the subject header “Request Notifications on Subprocessor Updates”. You may object to Our appointment or replacement of a Subprocessor within 30 days of receipt of such notification, provided such objection is based on reasonable grounds relating to data protection. In such an event, We will use reasonable efforts to make available to Customer a change in the Services or a commercially reasonable change to Customer’s use of the Services, to avoid processing of personal data by the new Subprocessor or, if We determine at Our sole discretion that this is not reasonably possible, You may suspend or terminate the Terms without penalty by written notice to Us (without prejudice to any fees incurred by You up to and including the date of suspension or termination).
10. Cooperation and data subjects’ rights
We will provide reasonable and timely assistance to You (at Your expense) to enable You to respond to:
(i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and
(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Personal Data. If any such request, correspondence, enquiry or complaint is made directly to Us, We will promptly inform You, providing full details.
11. Data Protection Impact Assessment
If We believe or become aware that Our processing of the Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, We will inform You and provide reasonable cooperation to You in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
12. Security incidents
If We become aware of a confirmed Security Incident, We will inform You without undue delay and in line with the timelines required by Applicable Data Protection Laws and will provide reasonable information and cooperation to You so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timescales required by) Applicable Data Protection Law. We will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep You informed of all material developments in connection with the Security Incident.
13. Deletion or return of Customer Personal Data
We will delete or return the Customer Personal Data in a manner and form decided by Us, acting reasonably and as may be set out in Annex I. This requirement will not apply to the extent that We are required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data We have archived on back-up systems, which Customer Personal Data We shall securely isolate and protect from any further processing.
14. Audit
We will maintain an audit program to audit the security of the Service in accordance with applicable standards and shall perform an audit at least annually, by Us or an independent third-party security professional at Our selection and expense. Upon Your request, and subject to the confidentiality obligations set out in the Terms, We will make available to You (provided that You or Your independent, third-party auditor is not a competitor of Us) a copy of the most recent audit report to document compliance with the foregoing requirement.
15. Customer Affiliates
15.1 The parties acknowledge and agree that, by entering into the Terms, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Customer Affiliates, thereby establishing a separate DPA between Us and each such Customer Affiliate subject to the provisions of the Terms and this section 15. Each Customer Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Terms. For the avoidance of doubt, a Customer Affiliate is not and does not become a party to the Terms, and is a party only to this DPA. All access to and use of the Service by Customer Affiliates must comply with the terms and conditions of the Terms and any violation of the terms and conditions of the Terms by a Customer Affiliate shall be deemed a violation by Customer.
15.2 Where a Customer Affiliate becomes a party to this DPA with Us, it shall to the extent required under Applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following: Except where Applicable Data Protection Laws require the Customer Affiliate to exercise a right or seek any remedy under this DPA against Us directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Terms shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate, and (ii) the Customer that is the contracting party to the Terms shall exercise any such rights under this DPA.
16. Governing Law
Without prejudice to clauses 17 and 18 of the Standard Contractual Clauses, and subject to sections 1.13 and 1.14 of Schedule 1, the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Terms.
SCHEDULE 1
TRANSFER MECHANISMS FOR EUROPEAN / UK DATA TRANSFERS
1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and PURMSec is the data importer, and the Parties agree to the following. If and to the extent a Customer Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Customer Personal Data, any references to ‘Customer’ in this Schedule include such Customer Affiliate. Where this section 1 does not explicitly mention the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses, it applies to both of them.
1.1 Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses is set out in Annex I and Annex II.
1.2 Docking clause. The option under clause 7 shall apply.
1.3 Instructions. This DPA and the Terms are Customer’s complete and final documented instructions at the time of entering into the Terms to PURMSec for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Terms. For the purposes of clause 8.1(a), the instructions by Customer to Process Customer Personal Data are set out in section 4.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.
1.4 Certification of Deletion. The parties agree that the certification of deletion of Personal Data described in clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by PURMSec to Customer only upon Customer’s written request.
1.5 Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organisational measures set forth in Annex II meet Customer’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of the Customer Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by PURMSec provide a level of security appropriate to the risk with respect to the Customer Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with section 12 (Security Incidents) of this DPA.
1.6 Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 14 of this DPA.
1.7 General authorisation for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), PURMSec has Customer’s general authorisation to engage Sub-processors in accordance with section 9 of this DPA. PURMSec shall make available to Customer the current list of Sub-processors in accordance with section 9 of this DPA. Where PURMSec enters into the EU P-to-P Transfer Clauses with a Sub-processor in connection with the provision of the Service, Customer hereby grants PURMSec and PURMSec’s Affiliates authority to provide a general authorisation on Controller’s behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Service, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
1.8 Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that PURMSec may engage new Sub-processors as described in section 9 of this DPA. PURMSec shall inform Customer of any changes to Sub-processors following the procedure provided for in section 9 of this DPA.
1.9 Complaints – Redress. For the purposes of clause 11, and subject to section 10 of this DPA, PURMSec shall inform data subjects on its website of a contact point authorised to handle complaints. PURMSec shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. PURMSec shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.
1.10 Liability. PURMSec’s liability under clause 12(b) shall be limited to any damage caused by its Processing where PURMSec has not complied with its obligations under the EU GDPR or the UK GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR or its UK GDPR equivalent.
1.11 Supervision. Clause 13 shall apply as follows:
1.11.1. Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
1.11.2. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
1.11.3. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, Commission nationale de l’informatique et des libertés (CNIL) – 3 Place de Fontenoy, 75007 Paris, France shall act as competent supervisory authority.
1.11.4. Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK GDPR, the Information Commissioner’s Office shall act as competent supervisory authority.
1.11.5. Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss data protection laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss data protection laws.
1.12 Notification of Government Access Requests. For the purposes of clause 15(1)(a), We shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
1.13 Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Terms. If the Terms are not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of France; or (ii) where the Terms are governed by the laws of the United Kingdom, the laws of the United Kingdom.
1.14 Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Governing Law section of the Terms. If the Terms do not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the Terms, the parties agree that the courts of either (i) France; or (ii) where the Terms designate the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
1.15 Appendix. The Appendix shall be completed as follows:
The contents of Annex I shall form Annex I to the Standard Contractual Clauses
The contents of Annex II shall form Annex II to the Standard Contractual Clauses.
1.16 Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Applicable Data Protection Laws of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK GDPR or the Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK GDPR or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
1.17 Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
2. ADDITIONAL TERMS FOR THE EU P-TO-P TRANSFER CLAUSES
For the purposes of the EU P-to-P Transfer Clauses (only), the Parties agree the following.
2.1 Instructions and notifications. For the purposes of clause 8.1(a), Customer hereby informs PURMSec that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Terms and this DPA, including its authorisations to PURMSec for the appointment of Sub-processors in accordance with this DPA, have been authorised by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from PURMSec to the relevant Controller where appropriate.
2.2 Security of Processing. For the purposes of clause 8.6(c) and (d), PURMSec shall provide notification of a personal data breach concerning Personal Data Processed by PURMSec to Customer.
2.3 Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to PURMSec by Customer. If PURMSec receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
2.4 Data Subject Rights. For the purposes of clause 10 and subject to section 10 of this DPA, PURMSec shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed), but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
© 2023 TALENTPAY
Talentpay Pte Ltd: 7 Straits View, Level 12 – Marina One East Tower, Singapore 018936