This Data Processing Agreement forms an integral part of the Agreement between Magnet.me NL B.V. and the Client who uses Magnet.me Services. The Agreement, as well as this Data Processing Agreement, are governed by the Magnet.me Client ToS.
The capitalized terms used in this Data Processing Agreement are the same as those used in the Client ToS, in addition to those that are separately defined in this Data Processing Agreement.
Whereas:
It is agreed as follows:
1.1 Magnet.me takes appropriate technical and organizational measures with respect to the Personal Data to ensure compliance with the GDPR and the protection of the rights of the Data Subjects.
1.2 The purpose of the processing by Magnet.me is to allow Magnet.me to provide the Services and to allow the Client and its Users to use the Services.
2.1 It is the Client’s responsibility to comply with the applicable personal data legislation with respect to the Personal Data. This includes amongst others informing the Data Subjects about the processing of their Personal Data, asking their consent where required and timely responding to requests from Data Subjects with respect to their Personal Data.
2.2 The Client indemnifies and holds Magnet.me harmless from the reasonable costs and damages with respect to third-party claims that are the result of the Client’s breach of the applicable personal data protection legislation.
3.1 Magnet.me will only process the Personal Data on the Client’s written instructions, which consist of the processing activities set out in Annex 1 and as applicable the reasonable instructions otherwise given by the Client in writing (which may include by email).
3.2 The Client gives Magnet.me the instruction/permission to collect Disposition Data from the Personal Data that are extracted through the Client’s Applicant Tracking System for internal purposes.
3.3 When Magnet.me is required to process Personal Data pursuant to a legal obligation to which Magnet.me is subject, Magnet.me will have to process Personal Data outside the Client’s instructions. In that case, Magnet.me shall notify the Client of such legal requirement, unless it prohibits Magnet.me from such notification on important grounds of public interest.
3.4 Magnet.me shall notify the Client if, in its opinion, an instruction given by Client infringes the GDPR, in which case Magnet.me will not have to comply with the instruction.
4.1 Taking into account the nature of the processing, Magnet.me shall provide the assistance reasonably requested by the Client to assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligations to respond to the Data Subjects’ requests for exercising their rights, in so far as Magnet.me can factually do so in light of the Services. Magnet.me shall in this respect forward requests it may receive from Data Subjects with respect to their Personal Data to the Client, who will further handle such request.
4.2 Taking into account the nature of the processing and the information available to Magnet.me, it shall assist the Client in complying with the Client’s obligations relating to security, notifying Personal Data Breaches (see also article 7), investigations by competent data protection authorities (“Data Protection Authorities”), data protection impact assessments and prior consultations if these are legally required.
5.1 Magnet.me implements appropriate technical and organizational measures pursuant to the GDPR to ensure a level of security appropriate to the risk involved with the processing. In assessing the appropriate level of security, Magnet.me shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks involved for the Data Subjects.
5.2 At the Client’s request, Magnet.me will submit an overview of the security measures in place at the time of the request.
5.3 The Client is responsible for the security of its Accounts.
6.1 Magnet.me shall keep the Personal Data confidential and ensure that persons who have access to the Personal Data under Magnet.me’s responsibility are also bound to confidentiality.
7.1 Magnet.me shall notify the Client without undue delay after becoming aware of a breach of security on the part of Magnet.me or its sub-processors leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data (a “Personal Data Breach”).
7.2 Magnet.me will provide the co-operation and submit the information within its control that are reasonably requested by the Client, with respect to notifying the Personal Data Breach to the Data Protection Authorities, and, as applicable, to the Data Subjects.
8.1 The Client gives Magnet.me its general consent to use sub-processors (e.g. hosting provider, support services) for the processing of the Personal Data, under Magnet.me’s responsibility.
8.2 Magnet.me shall submit to the Client upon its request, to be made with reasonable intervals, a list of its then current sub-processors.
8.3 If Magnet.me wishes to hire a different or new sub-processor, it shall notify the Client thereof timely in advance. The Client may object to the change or addition within fourteen (14) working days after the notification, thereby stating and supporting its reasons for the objection. If the processing of the Personal Data is not adversely affected by such change or addition, the Client will not object so that Magnet.me can continue offering the Services. In case the Client does timely submit its supported objection and Magnet.me cannot amend the Services to accommodate the Client’s objection within fourteen (14) working days of such objection, Magnet.me or the Client may terminate the Agreement.
8.4 Magnet.me ensures that sub-processors are bound in writing to comply with, in substance, the same obligations as set out in this Data Processing Agreement, that are relevant in relation to the sub-processor’s processing activities.
9.1 The Personal Data are stored within the European Economic Area (“EEA”).
9.2 Should the Client (its Users) access the Personal Data from a country outside the EEA without an adequate level of protection, provided this can be seen as a transfer to a third country, the Client agrees to be bound to the EU Standard Contractual Clauses, modules Magnet.me to controller, with the following details: (i) the designated Data Protection Authority is the Dutch Autoriteit Persoonsgegevens, (ii) the docking clause applies, (iii) the governing law and dispute resolution are the same as those set out in this Data Processing Agreement and (iv) the description of the Personal Data processing is set out in this Data Processing Agreement.
10.1 Magnet.me shall provide the reasonably requested information and will allow the Client, or its appointed third party under a duty of confidentiality, to inspect its relevant administration, in order for the Client to audit Magnet.me’s compliance with the terms and conditions of this Data Processing Agreement.
10.2 The Client shall not make use of its audit rights under this clause more than once every two calendar years and shall notify Magnet.me at least two weeks in advance of the audit. The Client shall ensure the audit does not unduly affect Magnet.me’s business operations.
11.1 This Data Processing Agreement has the same term as the Agreement and it therefore terminates when the Agreement ends. The obligations set out in article 11.3 below shall survive termination until they have been fulfilled.
11.2 If Magnet.me is in the possession of Personal Data at the end of the Agreement, it shall, provided that all outstanding invoices as well as any collection costs and accrued interest in relation to unpaid invoices have been paid, upon the Client’s request, during a period of thirty (30) days after the Agreement has ended enable the Client to download such Personal Data from its administrator Account in a commonly used format as determined by Magnet.me and to delete it. If the Client has not downloaded the Personal Data and/or requested Magnet.me to delete the Personal Data within the aforementioned term, Magnet.me reserves the right to delete the Personal Data, save where Magnet.me is required to retain Personal Data pursuant to a legal obligation, in which case it shall retain the Personal Data until such legal obligation has ended. For the avoidance of doubt: personal data of Members that is stored in the Member’s account (in the central Magnet.me database) will not be deleted.
11.3 Article 12 as well as the provisions that can be used to interpret this Data Processing Agreement, shall also survive its termination.
12.1 The provisions of the Agreement and the Client ToS apply to this Data Processing Agreement and prevail with regard to the clauses that do not concern data protection, such as liability and amendments.
12.2 In case Magnet.me’s activities in relation to this Data Processing Agreement exceed Magnet.me’s normal activities for the Services, Magnet.me is entitled to a reasonable compensation based on Magnet.me’s then current consulting Fees.
The Client’s Users can view Member’s resume information and communicate with Members through their Accounts. Magnet.me can also realize a connection with the Client’s Applicant Tracking System to invite Members to the Client’s talent network.
The processing for which Magnet.me is a processor relates to:
The categories of Data Subjects and Personal Data are:
Magnet.me acts as Processor in relation to the following categories of processing activities:
Magnet.me processes Personal Data of Members and Users for the purpose of providing the Client and its Users with access to its Accounts and enabling the Client and its Users to use the Platform’s functionalities through the Accounts, including:
In the case the Client chooses the product Company Connect and opts for an ATS integration:
In the case the Client chooses the product (Continuous) Outsourced Messaging:
Magnet.me processes personal data in the Client’s Content (e.g. of Client employees) that is placed on the Platform.
In performing the above activities, Magnet.me processes Personal Data on behalf of the Client as a processor under this Data Processing Agreement. For the avoidance of doubt: when Magnet.me processes personal data for its own purposes, including for the Members to use their accounts and the functionalities of the Platform as well as personal data of employees for Magnet.me’s own marketing and CRM purposes or to enforce compliance with the Agreement, Client TOS or legal obligations, it acts as an independent controller.
This Annex may be updated by notification from Magnet.me to Client to reflect relevant changes. If, however, such notification is not made but the factual information has changed (e.g. additional Personal Data are processed), this information shall be deemed incorporated in this Schedule.