Appendix 3 – Joint Controller Agreement
This Appendix 3 (Joint Controller Agreement) ("Joint Controller Agreement") constitute an appendix to and forms an integral part of the Master Service Agreement including its appendices ("Agreement") entered into between Talentium and the Customer, which applies when Talentium provides Services to the Customer and the Parties act as joint controllers.
1. Background
1.1. The Parties have entered into the Agreement which includes the provision of Talentium's Service(s) to the Customer. Under the Service(s), the Parties will process certain personal data for purposes and means jointly decided by the Parties, as further described in Clause 3.
1.2. The purpose of this Joint Controller Agreement is to document the Parties' arrangement on the allocation of the Parties' respective responsibilities in a contract for compliance with the obligations under the GDPR when acting as joint controllers.
2. Definitions
2.1. The terms in this Joint Controller Agreement shall have the same definition attributed to them as in Appendix 1 (Terms and Conditions) to the Agreement if not expressly defined herein.
2.2. In addition, the terms in this Joint Controller Agreement shall be interpreted in accordance with the GDPR (as defined in Appendix 1), unless otherwise specified.
3. Joint Controllers
3.1. This Joint Controller Agreement sets out the respective obligations of the Parties relating to the joint processing of personal data under the Service(s).
3.2. The joint processing of personal data under the Service(s) concerns the following subject matters, purposes, categories of personal data and data subjects.
| The recruitment search engine | Registration and job application | Matching services | Improving a candidate's application | |
|---|---|---|---|---|
| Subject matter | The subject matter is the Services – the Platform and in particular the recruitment search engine. | The subject matter is the Services – the Platform and in particular the initial registration/application process. | The subject matter is the Services – the Platform and in particular the matching services including the AI Assistant for candidates. | The subject matter is the Services – the Platform and in particular the AI Assistant for potential candidates. |
| Purpose | To create and/or update the data subject's professional candidate profile to enable a mutually beneficial match between the potential candidate and Talentium's business Customer as a potential employer. | To collect and register the data subject's professional information to enable and facilitate future management of professional applications and profiles for recruitment purposes. | To match the data subject's job applications and career profiles with business Customer's job ads to enable a mutually beneficial match between the potential candidate and Talentium's business Customer as a potential employer. | To improve the quality of job applications by matching a potential candidate's application with the business Customer's advertised job. |
| Categories of personal data | The processing includes the following categories of personal data (if any): name, contact details, employer, job title and language skills and current city of residence, job history, education. | The processing includes the following categories of personal data (if any): name, contact details, employer, job title, language skills and current city of residence, job history, education. | The processing includes the following categories of personal data (if any): name, contact details, employer, job title, language skills and current city of residence, job history, education. | The processing includes the following categories of personal data (if any): name, contact details, employer, job title, language skills and current city of residence, job history, education. |
| Categories of data subjects | Potential job candidates included in a recruitment search conducted by the Customer. | Potential job candidates who apply for a job and creates an account at the candidate platform. | Potential job candidates who have an account on the candidate platform and, in some cases, when the registered potential candidate uses the AI Assistant. | Potential job candidates who have an account on the candidate platform and who use the AI Assistant when applying for a job. |
4. Overall Distribution of Responsibilities
Each Party shall fulfil its own regulatory obligations under the GDPR, unless otherwise specified in this Joint Controller Agreement.
5. General Data Protection Principles and Legal Basis for the Processing
5.1. The Parties are separately responsible for complying with the principles of processing personal data as set out in Article 5 of the GDPR.
5.2. The Parties may not process personal data under this Joint Controller Agreement for any other purpose than the purpose jointly defined by the Parties, unless required to do so by Union or EU Member State law to which the Party is subject.
5.3. Notwithstanding the foregoing, Talentium may further process the personal data for the subsequent purposes set out in Talentium's Privacy Notices relating to the processing of personal data for the provision of the Services and other related legitimate processing purposes. The Customer may further process personal data for its own purposes to save or share a candidate profile within the organisation, to download candidate lists and to contact potential candidates.
5.4. The personal data processed under this Joint Controller Agreement is only processed for the purpose specified in Clause 3.2 when:
a) the Customer reviews the result from a search in a web session and the personal data is thereafter deleted by Talentium in relation to this specified purpose,
b) a potential candidate applies to a Customer through their branded page in the Platform and creates an account on the candidate platform based on certain information in the application,
c) when information in the candidate's application and/or their career profile is matched with job ads posted on Customer's branded pages on the Platform and thereafter presented to the potential candidate as job recommendation/-s,
d) when a potential candidate uses the AI Assistant to improve their job application when applying for a job through the business Customer's branded page.
The aforementioned in this Clause 5.4 does not mean that the personal data may not be further processed for other purposes as set out in Clause 5.3.
5.5. The legal basis for the processing by Talentium is legitimate interest. The Customer is responsible for ensuring that it has a legal basis for the processing of personal data and that the legal basis is documented.
6. Rights of Data Subjects
According to the GPDR, the data subjects have a number of rights in relation to the Parties, including:
- information obligation when collecting personal data from the data subject (Article 13);
- information obligation when personal data have not been collected by the data subject (Article 14);
- right of access by the data subject (Article 15);
- right to rectification (Article 16);
- right to erasure ("right to be forgotten") (Article 17);
- right to restriction of processing (Article 18);
- notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19);
- right to data portability (Article 20); and
- right to object (Article 21).
7. Distribution of Responsibilities
7.1. The Parties have a shared obligation to ensure the data subjects' rights as set out in Clause 6, unless otherwise specified in Clauses 7.2–7.4.
7.2. The Parties are responsible for assisting each other to the extent that this is relevant and necessary for them to comply with the obligations towards the data subjects.
7.3. Talentium shall inform the data subjects about the joint processing of personal data. Regarding the processing of personal data subsequent to the collection, each Party has a responsibility to provide information to data subjects of its own subsequent processing as an independent data controller.
7.4. Talentium is responsible for handling data subject requests regarding the rights as set out in Clause 6.1. Upon the Customer's request, Talentium will provide the necessary information to the Customer. Talentium is responsible for providing information to the data subjects that Talentium serves as the point of contact for the exercise of the data subject rights.
7.5. Irrespective of the content of the arrangement as set out in this clause, the data subject may contact either of the Parties to exercise his or her rights in accordance with Article 26(3) of the GDPR.
8. Security Measures
8.1. The Parties are responsible for complying with Article 32 of the GDPR concerning security of processing. This means that each Party shall take appropriate technical and organisational measures to ensure a level of security proportionate to the risk, taking into account the current technical level, the implementation costs and the nature, extent, coherence and purpose of the processing concerned, as well as the risks of varying probability and seriousness of the rights and freedoms of natural persons.
8.2. Each Party shall comply with the requirement to ensure privacy by design and privacy by default under Article 25 of the GDPR.
9. Data Processors and Sub-Processors
9.1. Talentium is entitled to use data processors and sub-processors in connection with the joint processing under this Joint Controller Agreement. In such case, Talentium shall comply with the requirements under Article 28 of the GDPR.
9.2. Talentium shall inform the Customer, upon request, of whether the personal data is processed by data processors and, if relevant, sub-processors.
10. Record of Processing Activities
Each Party shall be obliged to maintain a record of processing activities in compliance with Article 30 of the GDPR.
11. Notification of Personal Data Breaches
11.1. The Parties are responsible to observe Article 33 of the GDPR concerning notification of a personal data breach, relating to the processing under this Joint Controller Agreement, to the supervisory authority. Upon becoming aware of such personal data breach, the Party affected by the personal data breach shall notify the other Party without undue delay. The Party affected by the personal data breach shall then, in consultation with the other Party, take the necessary measures to fulfil the requirements under Article 33 of the GDPR. The Parties are responsible for assisting each other to the extent that this is relevant and necessary for the Party affected by the personal data breach to comply with the obligations under Article 33 of the GDPR.
11.2. Talentium is responsible to communicate a notification of a personal data breach, relating to the processing under this Joint Controller Agreement, to the data subjects in accordance with Article 34 of the GDPR. The Customer is responsible for assisting Talentium to the extent that this is relevant and necessary for Talentium to comply with the obligations under Article 34 of the GDPR.
12. Data Protection Impact Assessments
12.1. The Parties are responsible to observe the requirements in Article 35 of the GDPR concerning data protection impact assessments. This means, that the Parties, where a type of processing, in particular using new technologies and taking in to account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data or to document that such an assessment is not necessary.
12.2. The Parties are responsible to observe the requirement in Article 36 of the GDPR concerning prior consultation with the supervisory authority, when appropriate, and shall consult with each other prior to any contact with the supervisory authority.
13. Third Country Transfers
The Parties have jointly agreed that Talentium may decide to transfer personal data to third countries. In such case, Talentium is responsible to observe the requirements of Chapter 5 in the GDPR.
14. Point of Contact
Talentium acts as the point of contact for data subjects in relation to this Joint Controller Agreement.
15. Information to Other Parties
The Parties shall inform each other about significant matters that affect the joint processing and this Joint Controller Agreement.
16. Entry Into Force and Termination
This Joint Controller Agreement is valid for the duration of the joint processing of the personal data under the Joint Controller Agreement.
17. Liability
17.1. Each Party shall indemnify and hold the other Party harmless from all claims, sanctions, damages, expenses (including reasonable attorney's fees) and direct losses arising out of or relating to any failure by that Party and its employees, agents or subcontractors to comply with the provisions of this Joint Controller Agreement.
17.2. Should a liability to pay under Clause 17.1 arise, a Party's liability is limited, per calendar year, to a total sum equal to fifteen percent (15%) of the annual fee for the Services in question.
17.3. The Parties' liability for compensation in accordance with this Clause 17 will apply even if the Joint Controller Agreement is terminated or otherwise cease to apply.
18. Governing Law and Dispute Resolution
The provisions regarding governing law and dispute resolution in the Agreement also apply to this Joint Controller Agreement.
19. Miscellaneous
This Joint Controller Agreement constitutes an integral part of the Agreement. In case of any conflict between this Joint Controller Agreement and the Agreement, the Joint Controller Agreement shall prevail between the Parties in relation to rights and obligations related to the processing of personal data under this Joint Controller Agreement and to the extent of such conflict or inconsistency.