BACKGROUND AND PURPOSE
Cubiks is a specialist supplier of HR assessment tools and services to customers to assist them to find and develop the best people for their business. As part of its services, Cubiks may Process Personal Data of individuals undergoing assessment by the Controller, such as e-mail address, bio-data and results of assessments. The purpose of this Agreement is to ensure that such Processing of Personal Data is carried out securely and in accordance with Applicable Laws.
This Agreement is supplemental to a Services Agreement between the Controller and the Processor with effect from 25 May 2018 and, from that date, it replaces any existing data processing agreement.
1.1 The Controller is the customer of a member of the Cubiks Group;
1.2 The Processor is the member of the Cubiks Group with whom the Controller contracts.
2 OBLIGATIONS OF PROCESSOR
2.1 To comply with Applicable Laws.
2.2 To Process Personal Data only on the written instructions of the Controller and in accordance with the Information for Data Subjects including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Applicable Laws to which the Processor is subject. In such a case the Processor shall inform the Controller of that legal requirement before Processing, unless Applicable Laws prohibit such information on grounds of public interest.
2.3 To Process the Personal Data in accordance with the Information for Data Subjects.
2.4 To ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.5 To ensure that it has in place appropriate technical and organisational measures, in such a manner that Processing by the Processor will meet the requirements of Applicable Laws. Where European Data Protection Laws apply, the Processor will comply with Article 32 of GDPR. Cubiks is ISO 27001 certified for Information Security Management (certificate number IS 639040).
2.6 The Processor may disclose the Personal Data to other members of the Cubiks Group and the trusted third parties as listed in the Sub-Processors List (“Sub-Processors”). The Processor will inform the Nominated Contact of the Controller of any intended changes concerning the addition or replacement of other Sub-Processors involved in the Processing of Personal Data thereby giving the Controller the opportunity to object to such changes. All such Sub-Processors will be subject to the same obligations as the Processor. However, the Processor remains fully responsible to the Controller for their compliance with the terms and conditions herein.
2.7 To assist the Controller in ensuring compliance with its obligations under the Applicable Laws with respect to Data Subject rights, security, breach notifications, impact assessments, Deletion or return of data and consultations with supervisory authorities or regulators. The Processor will provide each Controller with up to 4 hours of support per year free of charge. Additional free hours may be provided (subject to prior agreement) for Controllers with high volumes of Data Subjects. Otherwise, the Processor reserves the right to make a charge for reasonable costs incurred. In discussing any additional support hours which may be required, the parties will take account of whether the Controller has access to the Processor’s online tools and should therefore manage their data, including erasure from the live server.
2.8 Where European Data Protection Laws apply, not to transfer any Personal Data outside of the European Economic Area except to a third country which the European Commission considers has an adequate level of protection or as part of the services and the Controller or the Processor has provided appropriate safeguards in relation to the transfer and the Data Subject has enforceable rights and effective legal remedies.
2.9 To notify the nominated contact of the Controller without undue delay and in accordance with Applicable Laws on becoming aware of a Personal Data breach or potential breach by the Processor or any Sub-Processor.
2.10 At the written direction of the Controller, to Delete Personal Data and (at the cost of the Controller) to return Personal Data and copies thereof to the Controller on termination of the agreement unless required by Applicable Laws to store the Personal Data. Unless directed otherwise, pseudonymised Personal Data may be retained by Cubiks subject to compliance with Article 89 of GDPR.
2.11 To maintain complete and accurate records and information to demonstrate its compliance with the Obligations of the Processor in this paragraph 2 and allow for audits by the Controller or the Controller's designated auditor.
2.12 Where the nominated contact of the Controller requests assistance in connection with Data Subject rights (including without limitation right of access, rectification, erasure, restriction of Processing and to object to Processing), the Processor shall co-operate to assist the Controller to comply with its obligations under Applicable Laws. All such requests for assistance should be directed to DataProcessingEnquiries@cubiks.com.
3 OBLIGATIONS OF CONTROLLER
3.1 To comply with Applicable Laws.
3.2 To ensure that it has in place appropriate technical and organisational measures, in such a manner that Processing will meet the requirements of Applicable Laws whilst the Personal Data is subject to Processing by the Controller or on behalf of the Controller by any third party. Where European Data Protection Laws apply, the Controller will comply with Article 32 of GDPR.
3.3 Where the Controller instructs the Processor to co-operate with third party application programme interface (“API”) suppliers, integrators or similar parties (“Third Parties”), such Third Parties are not Sub-Processors of the Processor and the Processor does not control their Processing or guarantee their compliance with Applicable Laws. The Controller will enter into any agreement with such Third Parties for the Processing of Personal Data as may be required by Applicable Laws.
3.4 Where the Controller has access to the Processor’s online assessment tools, the Controller will Delete Personal Data when it is no longer required. Where the Controller does not have such access, the Controller will direct the Processor to Delete or return the Personal Data to the Controller.
3.5 Subject to putting in place appropriate safeguards to ensure respect for data minimisation and security, the Processor may process the Personal Data for Research Purposes. If the Processor does not collect bio-data of Data Subjects, the Controller agrees to make it available to the Processor for Research Purposes subject to compliance by the Processor with all the obligations in this Agreement with respect to such bio-data.
3.6 The Controller acknowledges and agrees that (i) the Processing of any Personal Data provided by the Controller to the Processor has been and will continue to be carried out by or on behalf of the Controller in accordance with Applicable Laws; (ii) the Processing of any Personal Data provided by the Processor to the Controller will, subject to (iii), be carried out in accordance with the Information for Data Subjects; and (iii) the Information for Data Subjects is a standard notification included with Cubiks online assessments by Cubiks on behalf of the customer as Data Controller. The Data Controller should review it carefully to ensure that it meets its overall requirements. If the Controller instructs the Processor to disable or modify the Information for Data Subjects and/or if the Controller Processes Personal Data of a type or in a manner not described in the Information for Data Subjects (for example live or video assessments), it is the responsibility of the Controller to give any further or alternative notification required, obtain consent and take such further steps required to ensure that such Personal Data is Processed lawfully and for the storage and production of evidence of lawful Processing.
3.7 To provide the Processor with accurate details as to the identity and contact details of the Controller and (if appropriate) Controller’s representative and (if appropriate) the contact details of the Controller’s Data Protection Officer and to notify the Processor as to any updates to such details. If the Controller fails to provide information as to the identity and contact details of the Controller, the Processor may inform Data Subjects that the Controller is the person, organisation or company that entered into the agreement for the supply of services.
3.8 To notify the Processor as to any Data Subject request where the Controller requests the support of the Processor within 7 days of receipt of such request and to give appropriate instructions to the Processor in a timely manner.
4 AUTOMATED PROFILING AND AUTOMATED DECISION MAKING
Cubiks online assessments use automated profiling. Automated decision making occurs when a decision is made based on the automated profile without any human involvement. Automated decision making which produces legal effects on a Data Subject or significantly affects him or her may only be done lawfully on certain grounds and it is essential to offer the Data Subject a right to human intervention, if requested. If the Controller proposes to use automated profiles supplied by the Processor for automated decision making (which is not referred to in the Information for Data Subjects), it is recommended that the respective compliance personnel of both the Controller and the Processor are consulted to ensure compliance with the necessary conditions for lawful processing including the supplementary notification requirements.
The Appendices to this Agreement shall form an integral part of this Agreement.
All contacts between the Parties concerning this Agreement shall be between the persons nominated in Appendix 2, and such other persons as the Nominated Contacts may from time to time authorise in writing. Any changes to the Nominated Contacts of one party shall be notified to Nominated Contact(s) of the other.
7 OWNERSHIP OF THE DATA
All Personal Data stored and Processed under the terms of this Agreement by the Processor on behalf of the Controller is and shall remain exclusively the property of Controller.
The consideration for this Agreement shall be as set out in the Services Agreement and the mutual obligations of the parties set out in this Agreement.
9.1 Nothing in this Agreement shall limit or exclude liability which may not be limited or excluded by Applicable Laws.
9.2 Subject to the preceding paragraph, the maximum aggregate liability of the Processor and any Sub-Processor in connection with this Agreement and any Services Agreement shall be limited to one hundred and ten percent (110%) of the sums actually paid by the Controller to the Processor in accordance with the Services Agreement to which this is supplementary during the calendar year when liability arises (or during the term of the Services Agreement if shorter).
9.3 Neither the Processor nor any Sub-Processor shall be liable (i) in case of Force Majeure, (ii) for indirect or unforeseeable damages (including loss of profits, anticipated savings or business opportunity).
10 MEDIATION AND JURISDICTION
10.1 The Parties agree that if there is a dispute between a Data Subject and the Controller and that dispute is not amicably resolved, they will cooperate to offer the Data Subject the opportunity to refer the dispute to mediation by an independent person or, where applicable, by the Supervisor.
10.2 Paragraph 10.1 shall apply without prejudice to the Data Subject’s rights to seek remedies in a court in accordance with Applicable Laws.
11 TERMINATION OF THE SERVICES AGREEMENT
11.1 The parties agree that the termination of the Services Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Agreement as regards the Processing of Personal Data.
11.2 Subject to a reasonable time interval to ensure that the Controller has made alternative arrangements for Processing the Controller’s Personal Data, and subject to these arrangements working satisfactorily, the Processor shall, insofar as it is practicable, Delete all copies of the Controller’s Personal Data held and Processed by the Processor.
11.3 If the Controller’s Personal Data, for reasons of practicality, cannot be so Deleted, the Processor shall take appropriate action to ensure that such Personal Data will not be further Processed, disclosed, or in any way used, other than by means of later Deletion should that become possible.
12 VARIATION OF THIS AGREEMENT
If the instructions of the Controller are inconsistent with the established functionality of the Cubiks assessment tools, the Parties undertake to negotiate in good faith an additional agreement to meet the Controller’s requirements by other means including reasonable fees based on current Cubiks fee rates. Otherwise, the parties undertake not to vary or modify the terms of this Agreement, other than:
• to correct such deficiencies as may become apparent in this Agreement in relation to (i) the application to the Processing of Applicable Laws including European Data Protection Laws or their interpretation by the Member State to which the Controller is subject or
• any variation necessitated by any relevant subsidiary legislation, or by any amendment to European Data Protection Laws; or
• any variation to the Processing requirements of the Controller; or
• any other change necessitated by law.
Applicable Laws: European Data Protection Laws or Other Applicable Laws, as the case may be.
Contract Year: each period of twelve (12) months, starting with either the commencement date or any renewal date.
Controller: a customer of a member of the Cubiks Group.
Cubiks Group: Cubiks Group Limited and subsidiary companies controlled by it. These companies are listed at https://www.cubiks.com/global-footprint
Data Subject: a living, identified or identifiable person about whom Personal Information is held. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Delete: to delete or anonymise Personal Data so that it is no longer identifiable. Deleted and Deletion shall be construed accordingly.
Directive: the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, entitled “on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data” and any modification of such directive or any replacement directive.
European Data Protection Laws: (i) European Directive 95/46/EC and (ii) from 25 May 2018, GDPR which apply to (a) the Processing of Personal Data by a Controller or the Processor within the European Union and/or (b) the Processing of Data Subjects who are within the European Union by a Controller or Processor not established in the European Union where the Processing relates to offering goods or services to Data Subjects in the European Union or monitoring the behaviour of Data Subjects within the European Union.
European Economic Area: the European Union or the European Free Trade Area but excluding Switzerland.
Force Majeure: where either party is prevented, hindered or delayed from observing or performing its obligations due to any act beyond their reasonable control.
GDPR: the General Data Protection Regulation (EU 2016/679) and any national implementing laws.
Information for Data Subjects: the policy referred to in Appendix 1.
Member State: shall mean a state which is a member of the European Economic Area.
Nominated Contact: Please see Appendix 2.
Other Applicable Laws: data protection or privacy legislation which may be applicable to the Controller and/or the Processing other than European Data Protection Laws.
Personal Data: any information relating to a Data Subject. Personal data refers both to data Processed on a computer and to certain kinds of manually Processed data, for example live assessment data during an assessment centre exercise and/or interview material.
Processing: any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction. Process and Processed shall be construed accordingly.
Research Data: Personal Data used for Research Purposes.
Research Purposes: monitoring, validation, statistical, benchmarking, product development, historical and management purposes.
Services Agreement: any agreement to which this Data Processing Agreement applies which is between the Controller and the Processor for the use of HR assessment services (including online tools) delivered in accordance with a Software as a Service (SaaS) agreement, licence or other agreement or order.
Supervisor: the Data Protection Supervisory Authority, as defined in Article 28 of the Directive, of the Member State in which the Controller is established. If the Controller is established in more than one Member State, it shall refer to the Data Protection Supervisory Authority for the Member State in which the Controller is acting for the purposes of this Agreement.
Nominated Contacts -
On behalf of the Controller: the Controller’s Data Protection Officer or representative as notified by the Controller to the Processor (in either case with an e-mail address).
On behalf of the Processor: DataProcessingEnquiries@cubiks.com.
© 2018 Cubiks Intellectual Property Limited