WHEREAS, pursuant to the Agreement, Comeet provides Customer access to use Comeet’s collaborative recruiting and applicant tracking platform (the “Platform”);
WHEREAS, Privacy and data protection laws warrant special contractual arrangements;
THEREFORE, the parties have agreed as follows:
- The parties acknowledge and agree to –
- The Comeet Terms of Service available here http://support.comeet.co/terms-of-service/
- Abide by the Data Processing Addendum set forth below.
Data Processing Addendum
WHEREAS, the Platform involves processing certain personal data of employees and employment candidates of Customer, and the parties wish to regulate Comeet’s processing of such personal data, through this Data Processing Addendum (the “Addendum”).
THEREFORE, the parties have agreed as follows:
1. Customer commissions, authorizes and requests that Comeet provide Customer the Platform, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), referred to as “Data Protection Law”).
2. With respect to those activities of Comeet as a ‘Data Processor’ (as this term is defined and used in Data Protection Law), Comeet will Process the Personal Data only on Customer’s behalf and for as long as Customer instructs Comeet to do so. Comeet shall not Process the Personal Data for any purpose other than the purpose set forth in the next section.
3. The subject matter and purposes of the Processing activities are the provision of a collaborative recruiting and applicant tracking platform, including maintenance, support, enhancement and deployment of the same. The Personal Data Processed may include, without limitation:Name, contact information, biographical and C.V. information, photos, interview scheduling, email communications with candidates/applicants, and any other type of candidate and recruiting process-related information and assessments submitted or uploaded by Customer.Names, titles and contact information of Customer’s employees.
4. The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are: Customer’s job applicants and candidates; Users of the Platform (e.g., employees of Customer and such other individuals who use the Platform for and on behalf of Customer).
5. With respect to those activities of Comeet as a Data Processor, Comeet will Process the Personal Data only as set forth in this Addendum. Customer and Comeet are each responsible for complying with the Data Protection Law applicable to them in their roles as Data Controller (as this term is defined and used in Data Protection Law) and Data Processor, respectively.
6. If the Data Protection Law does not apply to the Customer, then Customer must abide by whatever other data privacy and data security laws and regulations applicable to it, and at a minimum –
- Obtain and maintain valid, any and all authorizations, permissions and informed consents, including those of individuals about whom the Platform may process personal data or personally identifiable information, as may be necessary under applicable laws and regulations, in order to allow Comeet to lawfully collect, handle, retain, process and use the processed data within the scope of the Platform.
- Substantiate the legal basis and legitimize pursuant to applicable law, any and all personal data or personally identifiable information transferred to Comeet, whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer.
7. With respect to those activities of Comeet as a Data Processor, Comeet will Process the Personal Data only on documented instructions from Customer that are provided through the Platform’s various control and configuration options, unless Comeet is otherwise required to do so by law to which it is subject (and in such a case, Comeet shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Comeet shall immediately inform Customer if, in Comeet’s opinion, an instruction is in violation of Data Protection Law. Customer may use the Platform’s various control and configuration options to assist it in connection with its obligations under the GDPR. In light of the GDPR’s requirement under Articles 13 and 14 to have a privacy notice pursuant to the ‘transparency’ and ‘accountability’ principles of the GDPR, Comeet will maintain for the benefit of Data Subjects two dedicated Privacy Notices: one drafted and managed by Comeet which covers the Platform in general matters, and another which the Customer, at its discretion and responsibility, may draft reflecting Customer-specific chosen privacy practices related to the Data Subjects.
8. Customer may only use the Platform to process personal data pursuant to a recognized and applicable lawful basis under Data Protection Law, such as (by way of example only) consent or legitimate basis. Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Comeet and shall provide Comeet only instructions that are lawful under Data Protection Law.
9. Comeet, through the Platform’s various control and configuration options available to Customer, will follow Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Comeet will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Comeet.
10. Additional instructions of the Customer outside the scope of the Platform’s control and configuration options require prior and separate agreement between Customer and Comeet, including agreement on additional fees (if any) payable to Comeet for executing such instructions. If Comeet declines to follow Customer’s reasonable instructions outside the scope of the Platform’s control and configuration options, then Customer may terminate this Addendum and the Agreement, without liability for such premature termination.
11. Comeet will make available to Customer all information in its disposal necessary to demonstrate compliance with the obligations under Data Protection Law and Israeli data privacy law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Company upon request.
12. Customer acknowledges and agrees that Comeet uses the sub-processors listed in http://support.comeet.co/comeet-sub-processors/ to Process Personal Data.
13. Customer authorizes Comeet to engage another sub-processor for carrying out specific processing activities of the Platform, provided that Comeet informs Customer at least 21 days in advance of any new or substitute sub-processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, Comeet may not engage that new or substitute sub-processor for the purpose of Processing Personal Data in the provision of the Platform and may terminate the Agreement with the Customer for convenience, without liability to Customer for such premature termination.
14. Comeet and its sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors (e.g., Privacy Shield) recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses).
15. Where Comeet does not have Privacy Shield coverage for its Personal Data Processing activities, Comeet and the Customer hereby subscribe to the standard contractual clauses for the transfer of personal data to processors established in third countries (“Controller to Processor EU Model Clauses”), pursuant to EU Commission Decision 2010/87/EU, which are incorporated hereto by reference. For the purpose of the Controller to Processor EU Model Clauses: Customer shall be the data exporter, an organization recruiting candidates for open positions; Comeet shall be the data importer, developer and operator of a recruiting and applicant tracking platform; The parties contact information shall be as set out in the Agreement; The Data Subjects are as set out in Section 4 above; The categories of Personal Data are as set out in Section 3 above; The processing operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination or otherwise making available, alignment or combination, pseudonymization, erasure; Technical and organizational security measures implemented by the data importer are as set out in Comeet’s IT Security Policy which Customer can request a copy of from Comeet.
16. Comeet will procure that the sub-processors Process the Personal Data in a manner consistent with Comeet’s obligations under this Addendum and Data Protection Law, particularly Article 28 of the GDPR, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
17. In Processing Personal Data, Comeet will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access in accordance with Comeet’s IT Security Policy which Customer can request a copy of from Comeet. Comeet will provide Customer means to utilize pseudonymization as a security safeguard in respect of Personal Data. Comeet will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
18. Comeet shall allow for and contribute to audits, including carrying out inspections on Comeet’s business premises conducted by Customer or another auditor mandated by Customer during normal business hours and subject to a prior notice to Comeet of at least 30 days as well as appropriate confidentiality undertakings by Customer covering such inspections in order to establish Comeet’s compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Comeet processes on behalf of Customer. If such audits entail material costs or expenses to Comeet, the parties shall first come to agreement on Customer reimbursing Comeet for such costs and expenses.
19. At Customer’s request, Comeet shall provide to Customer a copy of an annual an audit report from an independent reputable third party regarding Comeet’s data processing and data protection measures. The audit report shall be obtained based on a recognized standard for such audit reports (e.g. ISAE 3000 or SSAE-SOC 2).
20. Comeet shall without undue delay notify Customer of any ‘Personal Data Breach’ (as this term is defined and used in Data Protection Law) that it becomes aware of regarding Personal Data of Data Subjects that Comeet Processes. Comeet will use commercial efforts to mitigate the breach and prevent its recurrence. Customer and Comeet will cooperate in good-faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.
21. Comeet will assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Comeet, the parties shall first come to agreement on Customer reimbursing Comeet for such costs and expenses.
22. Comeet will provide Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Customer’s behalf, so that Customer may contest or attempt to limit the scope of production or disclosure request.
23. This Section 23 applies to the extent that the Platform involves processing personal information governed by the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §1798.100 et seq.).
- In this Section 23, the following terms shall have the meaning attributed to under the CCPA (Cal. Civ. Code §1798.140): ‘consumer’, ‘personal information’, ‘processing’, ‘selling’, ‘service provider’.
- Comeet is prohibited from retaining, using or disclosing Customer’s personal information for: (i) any purpose other than properly operate the Platform and related services for Customer or as reasonably necessary to provide the Platform and related services to Customer; (ii) ‘selling’ Customer’s personal information; and (iii) retaining, using or disclosing the Customer’s personal information outside of the direct business relationship between the parties. Comeet certifies that it understands the restriction specified in this subsection and will comply with it.
- In processing personal information, Comeet will implement appropriate technical and organizational measures to protect the personal information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access in accordance with Comeet’s IT Security Policy which Customer can request a copy of from Comeet.
- The Platform’s various control and configuration options available to Customer are designed to help the Customer accommodate consumer requests seeking to exercise their rights under the CCPA.
- If Comeet receives a request from a consumer about his or her personal information, Comeet shall not comply with the request itself, and shall promptly inform the consumer that Comeet’s basis for denying the request is that Comeet is merely a service provider that follows Customer’s instructions, and promptly inform the consumer that they should submit the request directly to the Customer and provide the consumer with the Customer’s contact information.
24. For the avoidance of doubt, this Addendum does not apply to Comeet’s processing of Customer’s personal information for any of the following:
- Administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);
- Comeet’s marketing activities to the Customer;
- Where Comeet is required, or reasonably believes it is required, by law, to share or disclose information, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Comeet will provide the Customer prompt written notice of such obligation and shall reasonably cooperate with the Customer, at the Customer’s expense, as required to obtain confidential treatment for such information.
25. All notices required or contemplated under this Addendum to be sent by Comeet will be sent either by electronic mail to Customer to the email address that Comeet has on file for the Customer’s main contact person, or, at Comeet’s choice, through In-app notices.
26. Upon Customer’s request, Comeet will delete the Personal Data it has Processed on Customer’s behalf under this Addendum from its own and its sub-processor’s systems, or, at Customer’s choice, use the Platform’s tools to obtain the data before its deletion, and upon Customer’s request, will furnish written confirmation that the Personal Data has been deleted pursuant to this section.
27. The duration of Processing that Comeet performs on the Personal Data is for the period set out in the Agreement between the parties. This Addendum shall prevail in the event of inconsistencies between it and the Agreement between the parties or subsequent agreements entered into or purported to be entered into by the parties after the date of this Addendum – except where explicitly agreed otherwise in writing.
28. The parties’ liability under this Addendum shall be pursuant to the liability clauses in the various parts of the Agreement.