This DPA identifies how We will process Your Data in connection with Your use of Our Site and/or Service (collectively “Service”), as well as either party’s obligations with respect to applicable Data Protection Legislation (defined below). This DPA will remain in effect throughout Your use of the Counter Site or Service, and may be updated pursuant to the Modifications provision of the Terms of Service as may be deemed necessary by Counter. In the event You
do not agree with any term of the DPA You are prohibited from accessing Our Site and using the Service.
Counter will process Your Data pursuant to the terms set forth herein and as required by European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation or regulation pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction (“Data Protection Legislation”). Any capitalized, undefined terms that are not defined herein shall have the meaning set forth in the Agreement. For purposes of the DPA “Your Data” shall mean “Personal Data” as defined by the Data Protection Legislation. Additionally, “Controller,” “Processor,” “Data Subject,” “Processing,” “Sub-processor,” and “Appropriate Technical and Organizational Measures” shall also have the meanings specified in the Data Protection Legislation.
DATA PROTECTION LEGISLATION COMPLIANCE
Processor and Controller. The parties agree that Counter and Client are both Processors and Controllers of Personal Data and accordingly agree to process Personal Data: (i) for legitimate business purposes, including for Client specifically only for considering Data Subjects’ employability within Your organisation; (ii) as specified in the Agreement (iii) as permitted by
Data Protection Legislation; and (iv) as otherwise permitted by a Candidate. Appropriate Technical and Organisational Measures. Both parties agree to use Appropriate Technical and Organisational measures to ensure the proper treatment of Personal Data and the ability to accordingly respond to Data Subject requests pertaining to use of Personal Data. Specifically, and among other rights that may be available to Data Subjects, the parties agree that Data Subjects have a right to: consent withdrawal, access to and modification of Personal Data, object to processing of their Personal Data and erasure of their Personal Data. Counter shall implement and maintain appropriate technical and organizational measures to protect Data against unauthorized or unlawful processing, including protecting against loss, destruction, modification, or disclosure. These measures will be reasonable and appropriate with respect to
the Data which Counter processes.
Both parties will comply with Data Subject requests as required by applicable Data Protection Legislation and any other applicable law. Clients agree to immediately forward each Data Subject request to Our Data Protection Officer at [email protected] and promptly notify Counter of all Data Subject disputes and work in good faith to resolve any dispute to the Candidate’s satisfaction. You are not to resolve any dispute or conflict on our behalf.
IMPACT TO THE SERVICE
You understand that a Data Subject’s request may impact their ability to serve as a Candidate. Any Candidate who exercises her or his rights under the Data Protection Legislation after You have viewed or accessed that Candidate’s profile may preclude that Candidate from participating through the Counter Service. Irrespective of the exercise of this right, such Candidates will continue to be counted as an Interview Request and Qualified Introduction.
PERSONAL DATA BREACH
If either party becomes aware of a Potential Data Breach that causes destruction, loss, modification, disclosure, or access to it will immediately notify the other party. The party that was subject to the Personal Data Breach shall notify Data Subjects and appropriate parties as required by the Data Protection Legislative. The party subject to the Personal Data Breach shall
conduct an investigation regarding the same and will use industry standard technology, methods and other related practices to mitigate the effects and to mitigate the effects of any Personal Data Breach and shall use industry standard measures to prevent any further breaches in the future.
In the event either party engages a third-party Sub-processor to assist with the performance of its duties under this DPA that party shall ensure that the Sub-processor complies with applicable laws, rules, and regulations, and maintains no less stringent requirements than those of this DPA. A current list of material third party Sub-processors with respect to Counter’s provision of the Service can be found here: www.joincounter.com/sub-processors (the “Sub-Processor List Page”). In the event of any anticipated or intended change to Counter’s third-party Sub-processors, Counter will update the Sub-processor List Page accordingly, pursuant to the terms and conditions set forth on the Sub-Processor List Page.
Both parties shall, as reasonably requested and reasonable necessary or required by applicable law, allow the other party to conduct an audit or inspection during the term of the Agreement to confirm compliance with this DPA, which may include providing reasonable access to the premises, resources and personnel used by You in connection with the provision of the
Service, specifically to verify the processing Data in accordance with that party’s obligations under the DPA and applicable Data Protection Legislation. Such audit shall consist solely of: (i) written information (such as security policies) and (ii) interviews with personnel as may be reasonably necessary to verify compliance. For clarity, no access to any part of a party’s IT system, data hosting service providers, sites, or centers, or infrastructure will be permitted.
The terms and conditions of this DPA shall prevail over any additional or conflicting terms in the Agreement with respect to the treatment of Personal Data. Unless otherwise modified herein, the remaining terms of the Agreement shall remain in full force and effect. In the event of a conflict between the terms of this DPA and another Agreement provision the terms of this DPA shall control with respect to the treatment of Personal Data.