relating to the provision of recruitment services
BACKGROUND
- Solas IT Recruitment is a provider of services in the field of recruitment, including recruitment consultancy, introduction services and advertising services.
- Solas IT Recruitment and the Customer are parties to an agreement /or are in consideration for the provision of recruitment services, which the Recruiter has agreed to provide certain recruitment services to the Customer upon the terms and subject to the conditions of the Recruitment Agreement/The Recruiter provides or will provide certain recruitment services to the Customer.
- In order to provide the Customer with the services, the Parties wish to exchange certain data relating to Candidates.
- Each of the parties agrees to disclose and receive data in accordance with the provisions of this protocol.
INTERPRETATION
Defined Terms:
‘Candidate’ means an applicant for a temporary, contract or permanent position of employment introduced to the Customer by the Recruiter;
‘Shared Data’ means the data, including Personal Data and Sensitive or Special Category Personal Data to be shared between the Parties.
‘Data Discloser’ means the party, which discloses Shared Data to the other party, namely Solas IT Recruitment.
‘Data Recipient’ means the party which receives Shared Data from the Data Disclose, in this case it refers to you as our customer.
“Data Subject Access Request” or “DSAR” has the same meaning as the “Right of access” in Article 15 of the GDPR.
“Data Protection Commission” or “DPC” means the data protection authority in the territory of Ireland;
PURPOSE
Sharing of Personal Data: This protocol sets out the framework for the sharing of data, including Personal Data and Sensitive Personal Data or Special Category of Personal Data, between the Parties as Data Controllers. It defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.
Aim: The Parties consider this data sharing initiative necessary as part of the provision by the Recruiter of the Services. The aim of the data sharing initiative is to facilitate the provision to the Customer of information on Candidates by the Recruiter in order to enable the Customer to recruit employees/contractors as part of the Services.
COMPLIANCE WITH NATIONAL DATA PROTECTION LAWS
General Compliance: Each Party shall always ensure compliance with Applicable Data Protection Laws .
Registration with DPC: If applicable the customer shall ensure that it has a valid registration with the DPC which covers the intended data sharing pursuant to this protocol.
SHARED DATA
Types of Data: The following types of Personal Data will be shared between the parties:
- Candidate contact information;
- Candidate educational and legal qualifications;
- Candidate employment history;
- Candidate Salary / daily rate expectation;
- Candidate references;
FAIR AND LAWFUL PROCESSING
Fair and Lawful Processing: each party shall ensure that it processes the Shared Data fairly and lawfully.
Grounds for Processing: Each party shall ensure that it processes Shared Data on the basis of one or more of the following legal grounds:
- Data Subject has freely given his or her explicit, unambiguous consent;
- processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Privacy Statement: Each Party shall, in respect of Shared Data, ensure that their privacy statements are clear and provide sufficient information to the Data Subjects for them to understand what of their personal data the Data Discloser is sharing with the Data Recipient, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of the Data Recipient or a description of the type of organisation that will receive the personal data.
Information Obligation: Each Party undertakes to inform the Data Subjects, in accordance with Applicable Data Protection Laws, of the purposes for which it will process their personal data and provide all of the information that it must provide, in accordance with applicable laws, to ensure that the Data Subjects understand how their personal data will be processed by the Data Recipient.
DATA SUBJECTS’ RIGHTS
The parties acknowledge that:
- Information and Access Rights: Data Subjects have the right to obtain certain information about the processing of their Personal Data through a DSAR.
- Rectification Right: Data Subjects have the right to request the rectification of inaccurate personal data and the right to have incomplete data completed.
- Erasure Right: Data Subjects also have the right to obtain, under certain circumstances, the erasure of Personal Data concerning them without undue delay.
- Right to Object: Data Subjects have the right, under certain circumstances, to object to the processing of their Personal Data. Where the Data Subject’s objection to the processing is justified, the Data Controller shall no longer process the Personal Data in question.
- Restriction of Processing Right: Data Subjects have the right to obtain from the Controller the restriction of processing. Where such a restriction has been obtained, the Data Subject shall also have the right to be informed by the Controller before the restriction is lifted.
- Data Portability: A Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller.
Mutual Assistance: The Parties agree to provide reasonable assistance as is necessary to each other to enable them to comply with data subject Rights requests and to respond to any other requests, queries or complaints from Data Subjects. The Parties further agree to use reasonable endeavours to exchange records insofar as is necessary for each party’s compliance with the protocol and its obligations under applicable law.
DATA RETENTION
Retention Periods: The Parties shall retain or process Shared Data for the longest of the following retention periods that applies:
- the period that is necessary to carry out the Agreed Purposes; or
- any period prescribed by applicable law or by best industry practice.
DATA SECURITY BREACHES AND REPORTING PROCEDURES
Notification: Parties undertake to notify any potential or actual losses of the Shared Data to each other at a senior management level as soon as possible and, in any event, within one calendar day of identification of any potential or actual loss to enable the Parties to consider what action is required in order to resolve the issue in accordance with the Applicable Data Protection Laws and guidance.
Mutual Assistance: The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Data Security Breach in an expeditious and compliant manner.
RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR THE DATA PROTECTION COMMISSION
Obligation to Inform: In the event of a dispute or claim brought by a data subject or the Data Protection Commission concerning the processing of Shared Data against either or both parties, the parties will inform each other about any such disputes or claims and will cooperate with a view to settling them amicably in a timely fashion.
Obligation to Abide: Each party shall abide by a decision of a competent court or of the Data Protection Commission which is final and against which no further appeal is possible.
Data Protection Warranties: Each party warrants and undertakes that it shall:
- process the Shared Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations;
- make available upon request to the Data Subjects who are third party beneficiaries a copy of this Agreement, unless the Clause contains confidential information;
- respond within a reasonable time and as far as reasonably possible to enquiries from the Data Protection Commission in relation to the Shared Data;
- respond to DSARs and all other requests from Data Subjects in accordance with applicable law;
- where applicable, maintain registration with the Data Protection Commission and any and all other relevant data protection authorities to process all Shared Data for the Agreed Purpose;
Security Measures Warranty: The Data Recipient warrants and undertakes that its security measures shall on a continuing basis meet or exceed the requirements of Applicable Data Protection Laws;
Discloser Warranty: The Data Discloser warrants and undertakes that it will use reasonable endeavours to ensure that the Shared Data are accurate.
Recipient Warranty: The Data Recipient warrants and undertakes that it will not disclose or transfer the Shared Data to a third-party located outside the EEA.
INDEMNITY
Indemnity: The Data Recipient shall indemnify and keep indemnified the Data Discloser on demand from time to time from and against all Losses which it causes the Data Discloser as a result of its breach of any of the provisions of this protocol or arising out of or in connection with all claims, proceedings or actions brought by the DPC, any other competent public authority or a Data Subject against the Data Discloser with respect to the processing of the Shared Data by the Data Recipient.
Solas IT Recruitment not Liable for Customer’s Negligence: In so far as Solas IT Recruitment is deemed to be the Data Controller under this protocol, Solas IT Recruitment shall only indemnify the Customer against any Losses suffered as a result of its acts or omissions as Data Controller but shall not be liable for the Customer’s negligent acts or omissions in relation to its responsibilities under this Agreement.
CONFIDENTIALITY
Keep Confidential: Each party shall keep confidential the other party’s Confidential Information and shall not, without the prior written consent of the other, use, disclose, copy or modify the other party’s Confidential Information other than as necessary for the exercise of its rights, and performance of its obligations, under this protocol.
Employees & Agents: Each party undertakes to disclose the other party’s Confidential Information only to those of its officers, employees, agents and contractors to whom, and to the extent to which, such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this protocol, and to procure that such persons are made aware of, and agree to observe the obligations of confidentiality.
Notify Misuse: Each party shall give notice to the other of any unauthorised use, disclosure, theft or other loss of that other party’s Confidential Information immediately upon or as soon as is practicable after becoming aware of it.
Mandatory Disclosure: If a party is required by law or by any order of any court or governmental or regulatory authority to disclose the Confidential Information of the other party, it shall promptly notify that other party of receipt of notice of that requirement and, at the request and cost of that other party, shall assist it in opposing any such disclosure.