Visage Data Processing Addendum
Updated: 22/12/2022
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (collectively, the “DPA”), sets forth the parties’ obligations with respect to the processing of Personal Data in connection with the Service, and is incorporated into and forms part of the terms and conditions of the Master Service Agreement or any other agreement under which Visage, Inc. (“Visage”) provides services to the party identified as the customer in the Agreement or the Order Form(s) (“Customer”).
Due to the nature of the Service, Visage may process Personal Data as a Processor and/or Controller in the performance of the Service. Therefore, Visage’s responsibilities under this DPA will depend on whether Visage is acting as a Processor or Controller under Data Protection Laws.
Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates. Any capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement.
1 Definitions
1.1 “Affiliate” means any entity under the control of a party where “control” means ownership of or right to control greater than 50% of the voting securities of such entity.
1.2 “Controller” means an entity that, alone or jointly with others, determines the purposes and means of processing Personal Data, and includes a “Business” as defined under the CCPA.
1.3 “Data Protection Laws” means, as applicable to a party’s processing of Personal Data under the Agreement: (i) European Data Protection Laws; and (ii) US State Privacy Laws.
1.4 “Data Subject” means an identified or identifiable natural person, and includes a “Consumer” as defined under the CCPA.
1.5 “Europe” means, for the purposes of this DPA, the European Economic Area (“EEA”) and its Member States, Switzerland and the United Kingdom.
1.6 “European Data Protection Laws” means all data protection and privacy laws and regulations enacted in Europe, including: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); and (iv) all applicable national data protection and privacy laws made under or pursuant to (i), (ii), or (iii); in each case, as may be amended, superseded or replaced from time to time.
1.7 “Permitted Affiliate” means any Affiliate of Customer which: (i) is subject to Data Protection Laws; (ii) is permitted to use the services provided by Visage pursuant to the Agreement; and (iii) has not signed its own Order Form or Agreement with Visage and is not a “Customer” as defined under the Agreement.
1.8 “Personal Data” means any information which is protected as “personal data”, “personally identifiable information”, or “personal information” under Data Protection Laws.
1.9 “Processor” means an entity that processes Personal Data on behalf of the Controller, and includes a “Service Provider” as defined under the CCPA.
1.10 “Security Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.11 “Sub-processor” means any third party Processor engaged by Visage to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Visage Affiliates but shall exclude any Visage employee, independent contractor or consultant.
1.12 “US State Privacy Laws” means (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq., and any implementing regulations relating to the same (together, the “CCPA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Data Privacy Act; (v) the Utah Consumer Privacy Act; and (vi) any other US state privacy laws that are modelled on or equivalent to (i)-(v); in each case when effective and as amended, replaced or superseded from time to time.
1.13 The terms “process” (including “processing”, “processes”, “processed” and other variations thereof) and “sale” (including “sell”, “selling”, “sold” and other variations thereof) shall have the meanings given to them under applicable Data Protection Laws.
2 Scope and Applicability of this DPA
2.1 Scope. This DPA applies where and only to the extent that either party processes Personal Data that is subject to Data Protection Laws in connection with the Service provided by Visage to Customer pursuant to the Agreement.
2.2 Role of the Parties. The parties acknowledge and agree that:
- a) Customer is a Controller of Customer Profiles and Visage shall process Customer Profiles only as a Processor on behalf of Customer; and
- b) each party is a Controller of Visage Profiles and shall process Visage Profiles in accordance with the Agreement (including this DPA) and applicable Data Protection Laws.
3 Customer Obligations
3.1 Customer Obligations. Customer shall ensure that it: (i) complies with applicable Data Protection Laws in respect of its use of the Service and any processing instructions it issues to Visage; (ii) has an appropriate legal basis to process Personal Data and makes available to Data Subjects a privacy statement that fulfils the requirements of applicable Data Protection Laws; and (iii) has the right to transfer or make available Customer Profiles to Visage and for providing all notice and obtaining all consents necessary under applicable Data Protection Laws for Visage to lawfully process Customer Profiles for the purposes contemplated by the Agreement (including this DPA).
3 Processing of Customer Profiles
3.1 Scope of this Section. The terms contained in this Section 3 (Customer Profiles) apply to the extent that Visage processes any Customer Profiles on behalf of Customer in connection with the provision of the Service, as further described in Annex A of this DPA.
3.2 Processing Instructions. Visage shall only process Customer Profiles for the purposes described in the Agreement (including this DPA) and only in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement sets out the Customer’s complete and final instructions to Visage in relation to the processing of Customer Profiles and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Visage shall notify Customer in writing, unless prohibited from doing so under applicable laws, if it becomes aware or believes that any data processing instruction from Customer violates Data Protection Laws.
3.3 No Sale or Sharing. Visage shall not (i) retain, use, or disclose Customer Profiles for any purpose, including a commercial purpose, other than for the specific purposes described in the Agreement (including this DPA); (ii) sell Customer Profiles or share Customer Profiles for the purposes of targeted or cross-context behavioral advertising (as defined under applicable US State Privacy Laws); (iii) combine Customer Profiles with information received from another source; or (iv) retain, use, or disclose Customer Profiles outside of the parties’ direct business relationship; in each case except as necessary to provide the Service or as permitted by applicable law. Visage will notify Customer if it can no longer meet its obligations under applicable Data Protection Laws.
3.4 Sub-processing. Customer agrees that Visage may engage Sub-processors to process Customer Profiles on Customer’s behalf for the purposes of providing the Service. The list of Sub-processors currently engaged by Visage is available here: https://visage.jobs/sub-processors-list/ (“Sub-processor List”). Visage shall provide Customer with a mechanism to subscribe to notifications of new Sub-processors, to which Customer may subscribe, and if Customer subscribes, Visage shall notify Customer if it makes any changes to its Sub-processor List at least 10 days prior to any such change.
3.5 Sub-processor Obligations. Visage will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Profiles than this DPA and to the extent applicable to the nature of the services provided by such Sub-processor. Visage will remain responsible for any acts or omissions of its Sub-processors that cause Visage to breach any of its obligations under this DPA. For the purposes of Clause 9 of the Standard Contractual Clauses, Customer acknowledges that Visage may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality obligations but Visage shall use reasonable efforts to provide Customer with all information it reasonably can in connection with Sub-processor agreements upon request.
3.6 Objection to Sub-processors. Customer may object in writing to Visage’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Visage promptly in writing within 5 calendar days of receipt of any notice provided by Visage in accordance with Section 3.4. In the event Customer objects to a Sub-processor, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Visage will, at its sole discretion, either (i) not appoint the Sub-processor; or (ii) permit Customer to suspend or terminate the affected Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
3.7 Auditing. Visage shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that are necessary to confirm Visage’s compliance with this DPA provided that Customer shall not exercise this right more than once per calendar year. Where required by Data Protection Laws or upon instruction from a data protection authority, Visage shall allow Customer or another auditor mutually approved by the parties to audit Visage’s compliance with this DPA and inspect Visage’s facilities, equipment, documents and electronic data relating to the processing of the Customer Profiles by Visage, provided that: (i) Customer shall provide at least thirty (30) days’ prior written notice to Visage; (ii) such additional audit enquiries shall not unreasonably impact Visage’s regular operations; and (iii) such additional audit enquiries shall be conducted at Customer’s expense. Customer and Visage shall mutually agree upon the scope, timing and duration of any audit. Where applicable, the parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing Visage to comply with the audit measures described in this Section 3.7.
3.8 Confidentiality. Visage shall ensure that any person authorized by Visage to process Customer Profiles shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.9 Security Measures. Visage shall implement appropriate technical and organizational security measures to protect Customer Profiles from Security Breaches and preserve the security and confidentiality of Customer Profiles in accordance with the Visage security standards described at https://visage.jobs/security-measures/ (“Security Measures”). Visage may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.
3.10 Security Breach Notification. Upon becoming aware of a Security Breach affecting Customer Profiles, Visage shall notify Customer without undue delay and provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer.
3.11 Data Subject Requests. Visage shall promptly notify Customer if it receives any request or correspondence directly from a Data Subject in connection with the processing of Customer Profiles and shall not respond directly to any such request or correspondence except where good faith efforts to contact and involve Customer have failed and/or where a failure to respond may result in liability for Visage under applicable Data Protection Laws.
3.12 Data Protection Impact Assessments. Where required under applicable Data Protection Laws, and to the extent Customer does not already have access to the relevant information, Visage shall provide Customer with reasonably requested information regarding Visage’s processing of Customer Profiles to enable Customer to carry out a data protection impact assessment (or similar assessment) and to engage in prior consultations with data protection regulators.
3.13 Deletion on Termination. Upon termination or expiry of the Agreement, Visage shall delete all Customer Profiles (including copies) in its possession or control as soon as reasonably practicable, except to the extent Visage is required by applicable law to retain some or all Customer Profiles, and Customer Profiles archived in back-up systems, which Customer Profiles Visage shall securely isolate and protect from any further processing and delete in accordance with applicable law and its deletion practices.
4 Processing of Visage Profiles
4.1 Scope of this Section. The terms contained in this Section 4 (Visage Profiles) apply to the extent that Visage shares Visage Profiles with Customer in connection with the provision of the Crowd Service, as further described in Annex A of this DPA.
4.2 Purpose Limitation. Customer shall process Visage Profiles only for the purposes described in Annex A and (if applicable) consistent with any consents given by the Data Subjects (the “Permitted Purpose”). If Customer wishes to process Visage Profiles for a new or different purpose other than the Permitted Purpose (“Alternative Purpose”), it may do so provided it does all such acts and things as are necessary to ensure that its proposed processing of Visage Profiles for the Alternative Purpose fulfils the requirements of Data Protection Laws (including by obtaining any consents from Data Subjects, where necessary). Except as may be expressly stated in the applicable Order Form, permitted in writing by Visage or where required or necessary under applicable law, Customer will not sell, disclose, or share Visage Profiles (or any part or derivative thereof) with any third party (except for Customer’s Processors or Permitted Affiliates).
4.3 Compliance with law. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller and neither party shall be responsible for the other party’s compliance with Data Protection Laws. In particular, each party shall be individually responsible for ensuring that its processing of Visage Profiles is lawful, fair and transparent. Visage shall be responsible for complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws in order to disclose Visage Profiles to Customer to process such Customer Profiles for the Permitted Purpose.
4.4 Correspondence. Each party shall promptly inform the other if it receives any request, complaint or correspondence (“Correspondence”) from a Data Subject, data protection regulator or other third party where the Correspondence relates to the processing of Visage Profiles conducted by the other party. The parties shall, on request, provide each other with all reasonable and timely assistance and co-operation (at their own expense) to enable the other party to respond to Correspondence.
5 International Transfers
5.1 Processing Locations. Customer acknowledges and agrees that Visage may transfer and process Customer Profiles to and in the United States and other locations in which Visage, its Affiliates or its Sub-processors maintain data processing operations. Visage shall at all times ensure such transfers are made in compliance with the requirements of applicable Data Protection Laws and this DPA.
5.2 Cross Border Transfers. If either party’s processing of Personal Data in connection with the Agreement involves a transfer of Personal Data that is subject to European Data Protection Laws to a country or territory outside Europe that is not deemed adequate under European Data Protection Laws, the parties agree to comply with the relevant cross border transfer mechanism set out in Annex C.
6 Miscellaneous
6.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.
6.2 Customer acknowledges that Visage may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, a European data protection authority, or any other US or European judicial or regulatory body upon their request.
6.3 Notwithstanding anything to the contrary in the Agreement, Visage may periodically make modifications to this DPA as may be required to comply with Data Protection Laws. In the event that Visage is required to update or modify this DPA to comply with new requirements under Data Protection Laws, Visage will publish the updated DPA at least 5 days in advance of the effective date of such updates or modifications.
6.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Annex A – Description of Processing
Parties’ details
| Customer | Visage |
Name: | The Customer’s name as set out in the Agreement or the applicable Order Form. | Visage, Inc. |
Address: | The Customer’s address as set out in the Agreement or the applicable Order Form. | Visage Inc., 200 Wylie KuyKendall Ln, Kyle, TX 78640, United States |
Contact person’s name, position and contact details: | The Customer’s contact information as set out in the Agreement or the applicable Order Form. | privacy@visage.jobs |
Details of Processing
Customer Profiles | |
Categories of data subjects: | The Personal Data concern Candidates who represent a potential good fit for a position that the Customer aims to fill and sourced by Customer or its third-party service providers and employees of Customer who use the Platform Service. |
Categories of personal data: | · Contact details (including names, email address, phone number); · Location data (such as country, state and city of residence); · Academic and professional qualifications (such as degrees, titles, skills, language proficiency, training information, employment history, CV/résumé); · Comments made by Customer on candidate profiles; · Customer review information of the candidate profiles; · Conversations sent by Customers to the candidates. |
Sensitive data: | N/A |
Frequency: | Continuous |
Nature and subject matter: | Visage and/or its Sub-processors are providing services and support or fulfilling contractual obligations towards Customer as described in the Agreement. These services may include the processing of Personal Data by Visage and/or its Sub-processors and performing services on devices that may contain Personal Data. |
Purpose(s): | The Personal Data is processed for the following purposes: · to allow Customer to manage and evaluate the adequacy of the candidates selected and decide on moving or not each candidate forward in the recruiting process; · to allow Customer to manage their candidate pipeline; · to allow Customer to contact their candidates; · to allow Customer to collaborate with their team during the recruitment process. |
Duration and retention period: | The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of Customer Profiles by Visage in accordance with the terms of the Agreement, including this DPA. |
Visage Profiles | |
Categories of data subjects: | The Personal Data concern Candidates who represent a potential good fit for a position that the Customer aims to fill and sourced by Visage or its third-party service providers as part of the Crowd Service. |
Categories of personal data: | · Contact details (including names, email address, phone number); · Location data (such as country, state and city of residence); · Academic and professional qualifications (such as degrees, titles, skills, language proficiency, training information, employment history, CV/résumé); · Comments made by Customer about the candidate profile added by Visage or its third-party service providers. |
Sensitive data: | N/A |
Frequency: | Continuous |
Nature and subject matter: | Visage and/or its Sub-processors are providing services and support or fulfilling contractual obligations towards Customer as described in the Agreement. These services may include the processing of Personal Data by Visage and/or its Sub-processors and performing services on devices that may contain Personal Data. |
Purpose(s): | The Personal Data is processed for the following purposes: · to allow Customer to evaluate the adequacy of the candidates selected and decide on moving or not each candidate forward in the recruiting process; · to allow Customer to manage their candidate pipeline; · to allow Customer to contact their candidates. |
Duration and retention period: | The data will be processed and deleted in accordance with Customer’s data retention practices. |
Annex B – Security Measures
Visage’s Security Measures to protect Customer Profiles can be found here: https://visage.jobs/security-measures/
Annex C – Cross Border Transfer Mechanism
1 Definitions
1.1 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, a copy of which is available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
1.2 “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office; as amended, replaced or superseded from time to time.
2 Standard Contractual Clauses
2.1 Transfers of Customer Profiles. Where Customer transfers (directly or via onward transfer) Customer Profiles protected by European Data Protection Laws to Visage located in a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree that the Standard Contractual Clauses shall be incorporated by reference and apply and form part of the Agreement as follows: (a) Visage shall be deemed the “data importer” and Customer shall be deemed the “data exporter”; (b) the Module Two terms shall apply.
2.2 Transfers of Visage Profiles. Where Visage transfers (directly or via onward transfer) Visage Profiles protected by European Data Protection Laws to Customer located in a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree that the Standard Contractual Clauses shall be incorporated by reference and apply and form part of the Agreement as follows: (a) Customer shall be deemed the “data importer” and Visage shall be deemed the “data exporter”; (b) the Module One terms shall apply.
2.3 Completion of the Standard Contractual Clauses. For each Module, the following applies where applicable:
(a) in Clause 7, the optional docking clause shall apply;
(b) in Clause 9 of Module Two, Option 2 shall apply and the list of Sub-processors and notice period for changes shall be as agreed under Section 3.4 of the DPA;
(c) in Clause 11, the optional language shall be deleted;
(d) in Clause 13, the competent supervisory authority is the Irish Data Protection Commissioner;
(e) in Clause 17, Option 1 shall apply and the SCCs shall be governed by Irish law;
(f) in Clause 18, disputes shall be resolved before the courts of Ireland;
(g) Annex I and Annex II shall be deemed completed with the information set out in Annex A and Annex B of this DPA respectively;
(h) by entering into the DPA, each party is deemed to have signed the SCCs (including their Annexes) as of the effective date; and
(i) if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
3 Swiss Transfers
In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses shall apply in accordance with Section 2 above and the following modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) references to “EU”, “Union” and “Member State” shall be replaced with references to “Switzerland”; (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; and (iv) in Clause 17 and Clause 18(b), the Standard Contractual Clauses shall be governed by the laws of and disputes shall be resolved before the competent courts of Switzerland.
4 UK Transfers
In relation to Personal Data that is subject to UK Data Protection Laws, the Standard Contractual Clauses shall apply in accordance with Section 2 and as amended by the International Data Transfer Addendum issued by the Information Commissioner’s Office, which shall be incorporated by reference as follows: (i) in Table 1, the parties’ details are set out in Annex A of this DPA; (ii) in Table 2, the selected modules and clauses are indicated by Section 2 above; (iii) in Table 3, the appendix information shall be deemed completed with the information set out in this DPA; and (iv) in Table 4, ‘neither party’ is selected.
5 Alternate Cross Border Transfer Mechanism
To the extent that and for so long as the Standard Contractual Clauses as implemented in accordance with this DPA cannot be relied on to lawfully process Personal Data in compliance with Data Protection Laws, and/or a relevant regulator or court requires the parties to adopt additional measures (“Additional Measures”) or an alternative data export solution (“Alternative Transfer Mechanism”) to enable the lawful transfer of Personal Data, the parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which the Personal Data is transferred).