DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) is entered into, BETWEEN:
- Vinter AI Recruitment Ltd. (“Vinter AI” or “Company”), a private company with limited liability incorporated under the laws of England and Wales, with its principal place of business registered at 74a High Street, Wanstead, London, Greater London, United Kingdom, E11 2RJ, registered in England and Wales with company number 15387315, and,
- The Vinter AI customer party thereto (herein, referred to as “Customer”) pursuant to which Vinter AI provides and Customer purchases a subscription to access and use Vinter AI’s services (“Services”) as further described in the Subscription Agreement (“Subscription Agreement”).
Under this Addendum, Vinter AI and the Customer are individually referred to as a “Party”, and collectively as the “Parties”.
WHEREAS:
- The Customer and Vinter AI entered into a Subscription Agreement that may require Vinter AI to process Personal Data on behalf of the Customer. The terms and conditions outlined in this Data Processing Addendum (“Addendum”) shall be mutually binding upon the Parties by mutual execution of the Subscription Agreement which includes reference to this Addendum (“Effective Date”).
- This Addendum sets out the additional terms, requirements and conditions on which Vinter AI will process Personal Data when providing Services under the Subscription Agreement. This Addendum contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
AGREED TERMS
1. Definitions and interpretation
Unless stated otherwise in this Addendum, capitalised terms in the Addendum have the meaning as defined in the Subscription Agreement.
Authorised Persons: the persons or categories of persons that the Customer authorises to give Vinter AI Personal Data processing instructions and from whom Vinter AI agrees to accept such instructions.
Business Purposes: the Services to be provided by Vinter AI to the Customer as described in the Subscription Agreement.
UK ICO: the United Kingdom Information Commissioner’s Office.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing and Recipient: have the meanings given to them in the applicable Data Protection Legislation.
Controller Personal Data: the Personal Data processed by Processor on Controller’s behalf pursuant to this Addendum.
Data Protection Legislation: all applicable data protection and privacy legislation concerning privacy, security, protection, and the handling of Personal Data. This includes, without limitation, the UK GDPR, the Data Protection Act 2018 (DPA 2018), the EU GDPR, or any legislation of a member state of the European Union applicable to the Customer or Vinter AI concerning the protection of Personal Data. Additionally, it encompasses all other legislation and regulatory requirements in force from time to time, which apply to a party regarding the use of Personal Data.
Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Personal Data: means any information relating to an identified or identifiable living individual that is processed by Processor on behalf of the Customer in connection with the provision of the Services under the Subscription Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
Standard Contractual Clauses: (i) international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office for the transfer of Personal Data from the UK to Third Countries; (ii) the agreement pursuant to the European Commission's Implementing Decision 2021/914 published on 4 June 2021 on standard contractual clauses for the transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and any replacement, amendment, or restatement of the foregoing issued by the European Commission (the “EU Standard Contractual Clauses”, “SCC”); (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.
Security Incident: the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access of Personal Data. However, it excludes unsuccessful attempts or activities that do not compromise Personal Data security, such as pings, port scans, denial of service attacks, or unsuccessful login attempts. Additionally, incidental disclosure or access to Personal Data, where no reasonable suspicion of theft, fraud, or malicious intent exists, is not considered a Security Incident unless required by applicable Data Protection Legislation.
Sub-Processor: a processor other than Processor, engaged by Processor. Sub-Processors explicitly do not include any third parties that receive Personal Data or that are deployed by Processor at the explicit request of Controller.
Third Country: a country that, where required by applicable Data Protection Legislation, has not received an adequacy decision from an applicable authority relating to cross-border data transfers, including regulators such as the European Commission and the UK ICO.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
2. Personal Data types and processing purposes
3. Controller Obligations
3.1 The provisions of this Addendum apply to all Processing of Controller Personal Data on behalf of Controller by Processor.
3.2 Controller hereby instructs Processor to process Controller Personal Data on behalf of Controller for the purposes of performing the Subscription Agreement. The instructions of Controller are described in more detail in this Addendum and, in certain cases, additionally in the Subscription Agreement. Controller can provide supplementary instructions or changed instructions.
3.3 Controller must comply with all applicable Data Protection Legislation regarding the disclosure or access to Personal Data, as well as any processing instructions issued to Processor.
3.4 Controller must guarantee that it does not disclose nor allow any Data Subject to disclose any sensitive data categories to Processor. Controller must guarantee that it does not disclose (nor allow any Data Subject to disclose) any sensitive data categories to Processor for processing unless expressly requested in writing by Processor.
3.5 Controller must obtain all necessary notices and consents from Data Subjects to fulfil Controller's compliance obligations under relevant Data Protection Legislation. This includes, but is not limited to, ensuring that template consent and notice statements provided by Processor for Controller's review are approved to satisfy such obligations.
4. Processor Obligations
4.2 Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Addendum or the Data Protection Legislation. Processor must promptly notify the Customer if, in its opinion, Controller’s instructions do not comply with the Data Protection Legislation.
4.5 Vinter AI will maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or this Addendum specifically authorises the disclosure, or as required by domestic law, court or regulator (including the UK ICO). If a domestic law, court, or regulator requires Vinter AI to process or disclose the Personal Data to a third party, Vinter AI must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
4.6 Processor agrees to provide Controller reasonable assistance, at no additional cost, in fulfilling Controller’s compliance obligations under the Data Protection Legislation. This assistance will consider the nature of Processor’s processing and the information available to Processor, including Data Subject rights, data protection impact assessments and reporting to and consulting with the UK ICO or other relevant regulator under the Data Protection Legislation. Processor will inform Controller if Processor determines that it is no longer able to meet its obligations under Data Protection Legislation or where, in Processor’s reasonable opinion, any of Controller’s instructions infringes any Data Protection Legislation.
4.7 Processor commits not to merge the Customer Personal Data with data obtained from other sources or collected from other individuals or interactions. However, Processor may merge Personal Data as necessary to fulfill the Business Purposes required for providing the Services.
4.8 Processor is authorized to pseudonymize Personal Data. Any data that still carries the risk of being re-identified will be treated as Personal Data. Once Personal Data has been pseudonymized and is not reasonably expected to be re-identified, it will be considered de-identified. Processor undertakes not to re-identify any pseudonymized or aggregated data used for internal purposes.
4.9 Processor will ensure that all of its employees:
(d) Processor’s duties and their personal duties and obligations under the Data Protection Legislation and this Addendum.
5. Security
(a) the pseudonymisation and encryption of Personal Data;
6. Data Breach Reporting and Security Incident Management
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(b) the likely consequences; and
(a) assisting with any investigation;
6.5 Processor agrees that Controller has the sole right to determine:
7. Cross-border transfers of Personal Data
7.2 In order to comply with the transfer of Personal Data to Third Countries, subject to the use of Standard Contractual Clauses (SCCs) or other measures, the Parties agree to promptly implement such measures and document the corresponding implementation requirements.
8. Engaging Sub-Processors
8.1 Processor is authorised to engage Sub-Processors for carrying out specific Processing activities on behalf of Controller under this Addendum and Controller hereby gives it revocable general authorisation to engage such Sub-Processors, provided that Processor duly notifies Controller of all Sub-Processors it intends to add or replace, whereby Controller has the opportunity to object to such changes. If Processor cannot reasonably be asked to not make such changes, Processor may terminate the Subscription Agreement without incurring any liability in connection therewith.
9. Complaints, Data Subject requests and third-party rights
10.1 This Addendum will remain in full force and effect so long as:
(a) the Subscription Agreement remains in effect; or
11. Data return and deletion
11.2 This requirement will not apply if any law, regulation, or government or regulatory body mandates Processor to retain any documents, materials or Personal Data that Processor would otherwise be required to return or delete, or to Personal Data archived on backup systems, provided the same remains protected under confidentiality obligations and subject to Data Protection Legislation.
12. Audit
12.2 The audit should also be reasonable in scope and duration, and to the extent practicable, Controller will rely on Processor’s security reports and information instead of conducting an independent audit of such controls.
12.3 Processor will give Controller and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
13. Miscellaneous
13.1 This Addendum is subject to the terms of the Subscription Agreement and is incorporated into the Subscription Agreement. This Addendum shall be effective as of the Effective Date and shall remain in effect for the same period as the Subscription Agreement remains in effect. If and insofar as the Subscription Agreement is legally terminated, this Addendum shall without any liability whatsoever be terminated by operation of law without any notice of termination to the other Party being required.
13.2 In the event of differences between the provisions of this Addendum and the Subscription Agreement, the provisions of this Addendum shall take precedence, unless explicitly agreed otherwise in the Subscription Agreement.
13.3 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.