JobMatch Center – Data Processing Agreement

Agreement between Data Controller and Data Processor


Here follows a summary introduction of what this agreement entails. The summary does not replace the agreement.

The Data Processing Agreement is between you as the customer and us, in relation to the handling of personal data in accordance with GDPR in our online test system, JobMatch Center.

The agreement regulates the rights and obligations both parties have to fulfill the requirements of the current Data Protection Regulation EU 2016/679 (GDPR).

The agreement specifies which personal data is recorded and processed in our online test system, JobMatch Center.

As the customer, you are responsible for ensuring that data registered in JobMatch Center is administered in accordance with applicable guidelines. This includes, among other things, ensuring that information is only stored as long as it is relevant and that your test takers have the right to have information removed.

We, as the provider, are responsible for the technical security, such as secure login, encryption, backup, and storing personal data in accordance with GDPR regulations.

As your provider, we will also ensure that you have good features for pseudonymization, anonymization, and deletion of information in JobMatch Center.

In the event of a security incident, it is our obligation to notify you as the customer within 24 hours of the incident.

This agreement is governed by and interpreted in accordance with Swedish law.

1.0 Parties

1.1 Data Controller (DC):

The Data Controller is the legal entity that has entered into a customer relationship with JobMatch Sweden AB for the use of the online service JobMatch Center, JMC (

1.2 Users

The individuals designated by DC to input and administer Personal Data in the online service JobMatch Center (JMC) and who have previously accepted the Terms of Use for JMC.

1.3 Test Takers

Test takers are defined as the individuals who input personal information about themselves in JMC. This can include, but is not limited to, name, gender, age, email address, social security number, address, CV data, and test responses.

1.4 Data Processor (DP):

JobMatch Sweden AB, org. no. 556781-8330, Box 14001, 400 20 Gothenburg. JobMatch Sweden is the Data Processor by providing an online test system for our customers where personal data can be registered.

The parties agree that this agreement is valid when DC enters into a customer relationship with JobMatch Sweden AB. The agreement is sent via email when a customer relationship is established. The agreement is also available in the customer’s JMC.

Users accept the Terms of Use when they log in to JMC for the first time:

2.0 Background

The purpose of this agreement is to regulate the rights and obligations of the parties in relation to the registration and processing of Personal Data and other information, in order to ensure that Personal Data is processed in accordance with the provisions of the current Data Protection Regulation EU 2016/679 (GDPR).

a) By establishing a customer relationship, the customer (DC) and JobMatch Sweden AB (DP) have entered into an agreement under which JobMatch Sweden AB provides an online administration system for psychometric testing tools, JMC, through

b) It is the responsibility of DC’s users and DC to ensure that the information entered into JMC is managed correctly in relation to GDPR guidelines. Terms of Use are accepted online the first time a User logs in to JMC.

c) When Test Takers log in to answer a test, they also receive information about the processing of personal data. Test Takers must confirm that they have read the information before registration begins.

d) JobMatch Sweden guarantees compliance with the technical and organizational guidelines required to comply with GDPR regulations on behalf of DC.

3.0 Definitions

The terms “Data Controller,” “Data Processor,” “Personal Data,” and “Processing” shall have the same meaning as in the General Data Protection Regulation Article 4 EU 2016/679 (“GDPR”).

In this agreement, the term “Applicable Data Protection Legislation” means the legislation in force at any given time in the area, i.e., Article 4 EU 2016/679 (GDPR), and any subsequent legislation that replaces or complements it.

a) “Data Controller”: The individual or entity that alone or jointly inputs Personal Data into JMC.

b) “Data Processor”: Refers to the entity that processes Personal Data on behalf of the Data Controller. In this case, JobMatch Sweden AB through the administration tool JMC.

c) “Processing of Personal Data”: Refers to the processing of Test Takers’ contact information, test responses for calculation of test results, matching against profiles, and generation of reports in both written and graphical form.

d) “Personal Data”: Refers to any information that can directly or indirectly be attributed to a natural person. In JobMatch Center, email, mobile number, name, age, and gender can be registered, and for screening purposes, name, social security number, contact information, messages, and CV information. All information is entered by DC or Test Takers.

4.0 The Mission

JobMatch Sweden AB (DP) works on behalf of the customer (DC). The mission is to provide an online administration system for administering and testing Test Takers. This includes job candidates, employees, and other individuals where psychometric testing is relevant.

The mission includes processing test responses and generating various types of reports (test results), as well as registering Personal Data, such as email, mobile number, name/pseudonym, gender, age, and, in the case of screening tests, possibly social security number, contact information, and CV information.

JobMatch Sweden is also tasked with ensuring that the system and the processing of information comply with applicable GDPR regulations.

JobMatch Sweden AB may use Test Takers’ responses in anonymized form for statistical compilation and various research purposes. No data can be linked to an individual here.

5.0 Processing of Personal Data

5.1 JobMatch Sweden AB (DP) is only entitled to process the Personal Data provided by DC and the Personal Data provided by DC’s Test Takers based on the mission described in this agreement. This Personal Data is stored and processed in JMC.

In JMC, there are features where the User, or an appointed Responsible JMC Administrator, can define rules for anonymizing and deleting test results and Personal Data. JMC administrators can also choose a time setting for automatic anonymization, up to 24 months.

If the JMC administrator does not define rules for anonymization/deletion, JMC will automatically issue a reminder every month once test results have been in the system for 24 months, encouraging anonymization or deletion.

It is DC’s responsibility to delete all test results that are no longer relevant to keep.

Data registered in JobMatch Center includes:

The information provided by DC and/or DC’s Test Takers in JMC at any time.

For JobMatch Talent and JobMatch LogiQ, this includes:

The test taker’s first and last name, or alternatively, a pseudonym provided by the DC, gender, age, test date, as well as test responses and results are included. The test taker’s email address is pseudonymized (for example, j**@jo**.com) in relation to the User while the test taker submits their responses to JMC but remains in encrypted form in the system. Test responses are recorded online, but the DC/User does not have access to them.

For JobMatch Screen:

The registered information may include (optional) the test taker’s full name, email address, personal identification number, contact information, CV information, messages, gender, age, test date, as well as test responses and results. Test responses are recorded online, but the DC/User does not have access to them.

5.2 JobMatch Sweden AB does not have the right to transfer or provide access to Personal Data to third parties without the customer’s (DC) express prior consent.

5.3 The operation of the system is carried out by Subcontractor Amazon Web Services, which we have verified complies with GDPR.

5.4 Data storage is carried out by subcontractor Amazon Web Services, which we have verified complies with GDPR.

5.5 In the event that JobMatch Sweden AB (DP) changes or obtains a new Subcontractor, it is JobMatch Sweden AB’s responsibility to verify that the new Subcontractor complies with GDPR regulations.

5.6 JobMatch Sweden AB (DP) ensures that all Personal Data is stored within the EU/EEA in accordance with GDPR regulations.

6.0 Security

6.1 JobMatch Sweden (DP) has implemented technical and organizational measures to protect the Personal Data processed to a level appropriate considering the sensitivity of the Personal Data and in accordance with GDPR guidelines. These include:

  • SSL security certificate on our web services.
  • Encrypted end-to-end communication.
  • Encrypted database – meaning all information is encrypted.
  • Encrypted login with password requirements.
  • Option for two-factor authentication (recommended).
  • Immediate automatic pseudonymization of contact information regarding JobMatch Talent and
    JobMatch LogiQ.
  • Automatic reminder to anonymize/delete test results and data older than 24 months.

6.2 Backup

All information is stored on servers at Amazon Web Services, which guarantees that the servers are located in the EU/EEA. Automatic backup of all information is performed daily. The backups are stored on separate servers under Amazon Web Services. All backup is done through encrypted lines, and all information is encrypted.

Personal data is protected against unauthorized processing, such as alteration, destruction, or unauthorized access and disclosure. It is the responsibility of the DC and the DC’s Users to manage and administer login information and passwords so that no unauthorized person gains access to JMC and the registered information. We recommend two-factor authentication. JobMatch Sweden AB follows IMY decisions on measures to comply with GDPR security requirements. JobMatch Sweden does not disclose Personal Data or any other information about the processing of Personal Data – all is managed by DC and DC’s Users.

6.3 DC has the right to verify that JobMatch Sweden AB (DP) takes the security measures specified above. JobMatch Sweden AB (DP) shall provide reasonable assistance for such verification.

6.4 JobMatch Sweden AB (DP) and its staff shall observe confidentiality in the processing of Personal Data for which DC is responsible, meaning that information about a natural or legal person shall not be disclosed.

7.0 Confidentiality and Authorizations

JobMatch Sweden AB (DP) ensures that persons authorized to process the Personal Data are bound by confidentiality. The obligation of confidentiality shall also apply after the termination of this Data Processing Agreement. Access to the Personal Data is limited to those persons who need it to perform their duties.

8.0 Incident Reporting

JobMatch Sweden AB (DP) shall promptly, but no later than within 24 hours, notify the customer (DC) of security incidents resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the Personal Data. All such incidents shall be documented by JobMatch Sweden AB (DP), and the documentation shall be provided to the customer (DC) without undue delay. JobMatch Sweden AB (DP) shall immediately, upon becoming aware of the personal data incident, take appropriate remedial action to prevent new incidents. In cases where an incident must be reported to the Supervisory Authority, JobMatch Sweden AB (DP) shall promptly assist the Data Controller with all requested information.

9.0 Assistance to Fulfill Obligations to Data Subjects

JobMatch Sweden AB (DP) assists the Data Controller in fulfilling its obligations when data subjects exercise their rights of access, rectification, erasure, data portability, etc., in accordance with applicable Data Protection Legislation.

9.1 Pseudonymization and Anonymization

In the online system JMC, there are features that allow the customer (DC) and DC’s users/JMC administrators to delete information, pseudonymize, and anonymize test results. Each JMC administrator can set how often JMC reminds them about anonymization/deletion, up to a maximum of 24 months. See further under point 5.0 above.

10.0 Training

JobMatch Sweden AB (DP) provides appropriate training on privacy protection, confidentiality, and the information security requirements set forth in this agreement to all persons working under the supervision of JobMatch Sweden and who have access to Personal Data covered by this agreement.

11.0 Renegotiation and Amendments

Both parties have the right to request renegotiation of this agreement, including instructions and other appendices, in the event that:

a) the ownership structure of the other party changes significantly.

b) applicable legislation or its interpretation changes in a manner affecting the processing of Personal Data covered by this agreement.

11.1 Changes and Additions

Changes and additions to this agreement shall be in writing and may be sent to DC via email.

12.0 Term of Agreement

This agreement shall remain in force as long as JobMatch Sweden (DP) processes personal data on behalf of DC as described in the job description in this agreement. The agreement enters into force on May 25, 2018, or on any later date when a customer/supplier relationship arises between the parties.

13.0 Termination of Processing of Personal Data

Upon termination of JobMatch Sweden’s assignment on behalf of DC, JobMatch Sweden will, at DC’s request, anonymize all information regarding testing, leaving only unidentifiable test results. Upon request from DC to delete all information regarding the customer/supplier relationship, JobMatch Sweden will delete the information within 30 days.

14.0 Choice of Law and Jurisdiction, etc.

This agreement shall be governed by and interpreted in accordance with Swedish law without regard to its principles of conflict of laws. Disputes shall be settled in Swedish general courts, starting with the District Court in Gothenburg.