In accordance with clause 4 of Product Terms & Conditions (”T&C”), the Customer and Safehire.ai Ltd (“Safehire”) agree that Safehire shall process the Customer Personal Data on the terms set out below.
1.1 The following definitions and rules of interpretation shall apply.
“Business Purposes” the Services to be provided by Safehire to the Customer as and any other purpose agreed by the parties in writing.
“Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing”: have the meanings given in the Data Protection Laws.
“EU GDPR” the General Data Protection Regulation ((EU) 2016/679).
“EEA” the European Economic Area.
“Records” has the meaning given in Clause 12 of T&Cs.
“Term” this DPA’s term as defined in Clause 10 of T&Cs.
“UK GDPR” has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This data processing agreement (“DPA”) forms part of (and is incorporated into) the T&Cs. Interpretations and defined terms set forth in the T&Cs apply to the interpretation of this DPA.
1.3 The annex forms part of this DPA and shall have effect as if set out in full in the body of this DPA and the T&Cs. Any reference to this DPA or the T&Cs includes the annex.
1.4 A reference to writing or written includes email.
2.1 The Customer and Safehire agree and acknowledge that for the purpose of the Data Protection Laws:
2.1.1 the Customer is the Controller and Safehire is the Processor.
2.1.2 Safehire acts solely as a Data Processor and does not determine the purposes or means of processing Personal Data. Safehire shall not be responsible for any processing activities performed by the Customer outside the scope of this DPA.
2.1.3 the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and ensuring it has a valid legal basis for processing the Personal Data (which may require express consent), and for the written processing authorisation and instructions it gives to Safehire.
2.1.4 The annex describes the subject matter, duration, nature and purpose of the processing, the Personal Data categories and Data Subject types that Safehire will process to provide the Services. Changes may be made to the annex by Safehire, reflecting changes to the processing or security measures implemented by Safehire to the Services. The Customer will be notified of such changes in writing by Safehire and in the event that Customer is not able to accept the changes, their recourse shall be limited to terminating the Services under the T&Cs and the Processing under this DPA.
3.1 Safehire shall provide the Customer with information relating to the Software and method of processing of Customer Personal Data by the Software used in the provision of Services, to enable the Customer to provide appropriate information to Data Subjects.
3.2 Safehire will only process the Personal Data to the extent, and in such a manner, in accordance with the Business Purposes and in accordance with the Customer’s written authorisation and instructions. Safehire will not process the Personal Data for any other purpose or in a way that does not comply with the T&Cs, this DPA or the Data Protection Laws. Safehire agrees to promptly notify the Customer if, in its opinion, the Processing does not comply with the Data Protection Laws.
3.3 Safehire must comply promptly with any Customer written instructions requiring Safehire to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.4 Safehire will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner or other supervisory authority). If a domestic or EU law, court or regulator (including the Commissioner) requires Safehire to process or disclose the Personal Data to a third-party, Safehire must first inform the Customer of such legal or regulatory requirement and where possible, give the Customer an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.
3.5 Safehire will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Laws, taking into account the nature of Safehire’s Processing and the information available to Safehire, including in relation to Data Subject rights, data protection impact assessments and reporting to, and consulting with, the Commissioner or other supervisory authority under Data Protection Laws.
3.6 Safehire must notify the Customer promptly of any changes to the Data Protection Laws that may reasonably be interpreted as adversely affecting Safehire’s performance of the Services under the T&Cs or compliance with this DPA.
3.7 Safehire will collect and Process Personal Data for the Customer in the provision of Services, as described in the annex. In so doing, Safehire may appoint sub processors (in accordance with clause 8) and may receive Personal Data from third party Controllers on behalf of the Customer (in accordance with clause 8).
4.1 Safehire will ensure that all of its employees:
4.1.1 are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
4.1.2 have undertaken training on the Data Protection Laws and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
4.1.3 are aware both of Safehire’s duties and their personal duties and obligations under the Data Protection Laws and this DPA.