Data Processing Agreement
This Data Processing Agreement (“DPA”) is by and between Built In, Inc. as identified in the Agreement (“Built In”) and Built In’s customer as identified in the Agreement, (“Premium Employer”), each a “Party” and collectively the “Parties”. This DPA is incorporated into, forms part of, and (to the extent of any conflict) takes precedence over the agreement(s) between the Parties under which Built In provides services to Premium Employer (collectively, together with any statements of work, order forms, or similar documents thereunder, the “Agreement”). Capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Built In and Premium Employer agree as follows:
1. Definitions. For purposes of this DPA:
a. “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data, and for purposes of this DPA, includes the term “Business” as defined under the CCPA and similar U.S. State Privacy Laws, to the extent that such laws apply to the Processing of Personal Data.
b. “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act and related regulations, the Utah Consumer Privacy Act, and similar state privacy laws (collectively, “U.S. State Privacy Laws”), each as updated, amended, or replaced from time to time. For the avoidance of doubt, if a Party’s activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
c. “Services” means the products or services that Built In provides to Premium Employer under the Agreement.
d. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates and includes “consumer” as defined under Data Protection Laws.
e. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth herein.
f. “Personal Data” includes “personal data,” “personal information,” and similar terms, as defined by Data Protection Laws, that Premium Employer Processes in connection with the Services.
g. “Process”, “Processing”, and their cognates mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
h. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
i. “UK SCCs” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf) and completed as set forth herein.
2. Roles of the Parties
a. This DPA applies to Personal Data provided by Built In to Premium Employer in connection with the Agreement, such as through Built In’s Easy Apply or Candidate Viewer tools, or other services specified in the Agreement and any applicable SOWs.
b. The Parties are independent Controllers of Personal Data. Each Party will comply with the requirements of Data Protection Laws applicable to it as a Controller, and each Party is solely responsible for such compliance.
3. Built In Obligations
a. Within and restricted to the scope of the Agreement, and to the extent required by applicable Data Protection Laws, Built In agrees that it will ensure that disclosures of Personal Data made by Built In to Premium Employer are made with an appropriate legal basis and compliant with Data Protection Laws.
b. Built In retains the right, upon reasonable notice, to (i) take reasonable and appropriate steps to ensure that Premium Employer uses the Personal Data consistent with Data Protection Laws, and (ii) stop and remediate any unauthorized Processing of Personal Data, including any Processing not authorized under this DPA.
4. Premium Employer Obligations
a. Premium Employer will Process Personal Data solely for the limited and specific purposes set forth in the Agreement and as specified in Exhibit A of this DPA.
b. Premium Employer will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Built In’s express written permission.
c. Premium Employer acknowledges that it is responsible for responding to requests from or on behalf of Data Subjects with respect to their Personal Data as required by Data Protection Laws (each a “Data Subject Request”). Built In will comply with requirements under applicable Data Protection Law to inform Premium Employer of Data Subject Requests, and Premium Employer shall comply with such requests to the extent required under Data Protection Laws.
d. Premium Employer will take appropriate technical and organizational measures designed to protect Personal Data against a Security Breach and will lawfully respond to and address potential and confirmed Security Breaches.
e. Premium Employer will provide the same level of protection to Personal Data as Businesses are required to provide under the CCPA, to the extent applicable.
f. Premium Employer will notify Built In if it determines that it is no longer able to meet its obligations under this DPA or Data Protection Laws.
5. Data Transfers
a. The Parties acknowledge that the Processing contemplated under this Agreement may involve the cross-border transfer of Personal Data from Built In to Premium Employer. A party may only engage in cross-border transfers or onward cross-border transfers of Personal Data if it has put in place a data transfer mechanism deemed to be valid under Data Protection Laws.
b. The Parties acknowledge and agree that any transfers of personal data pursuant to this DPA are made on the legal basis of legitimate interests.
c. To the extent legally required, by executing this DPA, Built In and Premium Employer are deemed to be signing the EU SCCs, which form part of this DPA and (except as described in Section 5(d) and 5(e) below) will be deemed completed as follows:
i. Module One of the EU SCCs applies to transfers of Personal Data from Built In (as an independent Controller) to Premium Employer (as an independent Controller).
ii. Clause 7 (the optional docking clause) is not included.
iii. Clause 11 (Redress): The optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included.
iv. Clause 17 (Governing law): The Parties choose Option 1 and select the law of Ireland.
v. Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland.
vi. Annex I is completed as set forth in Exhibit A of this DPA.
vii. Annex II is completed as set forth in Exhibit B of this DPA.
d. To the extent legally required, by executing the Agreement, the Parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables in UK SCCs are deemed completed as follows:
i. Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in Exhibit A of this DPA.
ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 5(c) of this DPA.
iii. Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively.
iv. Table 4: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
e. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth above, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
f. To the extent that transfers of Personal Data are subject to Data Protection Laws other than the GDPR or FADP that require the use of standard contractual clauses to facilitate such transfers, the Parties are deemed to have entered into such standard contractual clauses to the extent legally required.
6. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Premium Employer Processes Personal Data.
Exhibit A
ANNEX I TO THE EU SCCs
MODULE ONE: Transfer controller to controller
A. LIST OF PARTIES
Data Exporter(s)
- Name: Built In, as identified in the DPA.
- Address: 222 Merchandise Mart Plaza, Suite 2010, Chicago, IL 60654
- Contact person’s name, position, and contact details: Alexander Miller, Security Manager, [email protected]
- Activities relevant to the data transferred under these Clauses: The data exporter provides the Services to the data importer pursuant to their underlying Agreement.
- Signature and date: The Parties agree that execution of the Agreement or continuing to provide Services under the Agreement shall constitute execution of the DPA and these EU SCCs by Built In.
- Role: Controller
Data Importer(s)
- Name: Premium Employer, as identified in the Agreement.
- Address: As identified in the Agreement.
- Contact person’s name, position, and contact details: See contact information of signatory for Premium Employer in the order form.
- Activities relevant to the data transferred under these Clauses: The data importer receives the data exporter’s Services pursuant to their underlying Agreement.
- Signature and date: The Parties agree that execution of the Agreement or continuing to receive Services under the Agreement shall constitute execution of the DPA and these EU SCCs by Premium Employer.
- Role: Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The personal data transferred concerns Data Subjects that are Built In’s users, which may include actual or potential candidates for employment with Premium Employer.
Categories of personal data transferred: The personal data transferred concerns the following categories of data: Personal Data contained in the Data Subject’s Built In user profile and, to the extent applicable, the Data Subject’s employment application to Premium Employer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: Premium Employer shall process the Personal Data solely for the purpose of considering the candidacy of the data subject for employment at Premium Employer, and for related administrative purposes (e.g., job onboarding and retention of application materials to comply with applicable law).
Purpose(s) of the data transfer and further processing: The purpose of the transfer and further Processing of Personal Data is defined in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained by each Party in accordance with the Party’s data retention policies.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above.
C. COMPETENT SUPERVISORY AUTHORITY
The Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
Exhibit B
PREMIUM EMPLOYER’S DATA SECURITY MEASURES
For the term of the Agreement, Premium Employer shall maintain an Information Security Program that includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Data (“Personnel”), including at minimum the following:
1. Information Security Policies and Standards. Premium Employer will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that process Personal Data.
2. Physical Security. Premium Employer will maintain commercially reasonable security controls to safeguard the physical security of devices that access Personal Data. Premium Employer shall ensure that all subcontractors that process Personal Data maintain commercially reasonable physical security controls over any system that processes Personal Data.
3. Organizational Security. Premium Employer will maintain information security policies and procedures addressing media disposal, data classification, and incident response protocols.
4. Network Security. Premium Employer maintains commercially reasonable requirements for secure network connections.
5. Access Control. Premium Employer agrees that: (1) only authorized Premium Employer staff can grant, modify or revoke access to an information system that processes Personal Data; and (2) it shall require Personnel to create and maintain strong passwords for all systems that process Personal Data.
6. Virus and Malware Controls. Premium Employer protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on laptops that process Personal Data.
7. Personnel. Personnel are required to agree to follow established security policies and procedures and to maintain the confidentiality of Personal Data. A disciplinary process is applied if Personnel fail to adhere to relevant policies and procedures.