Tengai Data Processing Addendum (DPA)

Addendum in accordance with Article 28(3) of the General Data Protection Regulation (EU) 2016/679[1]

This Data Processing Addendum (“DPA”) supplements the Tengai Terms of Service, as updated from time to time between Customer and Tengai, or other agreement between Customer and Tengai governing Customer’s use of the Service Offerings (the “Agreement”) when the GDPR applies to your use of the Tengai Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and the applicable Tengai Service contracting entity under the Agreement. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 2 of this DPA.

The General Data Protection Regulation (EU) 2016/679 stipulates that there must be a written agreement on the processing of personal data by the Processor on behalf of the Controller.

1. DATA PROCESSING

1.1 Scope and Roles. This DPA applies when Customer Data is processed by Tengai. In this context, Tengai will act as a “processor” to the Customer who may act as a “Controller” or “Processor” with respect to Customer Data (as each term is defined in the GDPR)

2. DEFINITIONS

In addition to the terms defined in the running text of this Data Processing Agreement, the following terms, whether in singular or plural, with the definite or indefinite article, shall have the meaning defined below whenever they are capitalized.

“PROCESSING” – Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“DATA PROTECTION LEGISLATION” – Refers to all privacy and personal data legislation, along with any other legislation (including regulations and directives) applicable to the processing carried out in accordance with this Agreement, including national legislation and EU legislation.
“CONTROLLER” – A natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“INSTRUCTION” – The written instructions that more specifically define the object, duration, type, and purpose of Personal Data, as well as the categories of Data Subjects and special requirements that apply to the Processing.
“LOG” – A Log is the result of Logging
“LOGGING” – Logging is a continuous collection of information about the Processing of Personal Data that is performed according to this Agreement and which can be associated with an individual natural person.
“PROCESSOR” – A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
“PERSONAL DATA” – Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“PERSONAL DATA BREACH” – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed
“DATA SUBJECT” – Natural person whose Personal Data is Processed.
“THIRD COUNTRY” – A state that is not a member of the European Union (EU) or the European Economic Area (EEA).
“SUBPROCESSOR” – A natural or legal person, public authority, agency, or other body which, in the capacity of a subcontractor to the Processor, Processes Personal Data on behalf of the Controller.

3. BACKGROUND AND AIM

3.1 Through this Agreement, the Instructions (Annex 1), and a list of possible Subprocessors (Annex 2) (hereafter jointly referred to as “the Agreement”), the Controller regulates the Processor’s Processing of Personal Data on behalf of the Controller. The aim of the Agreement is to safeguard the freedoms and rights of the Data Subject during Processing, in accordance with what is stipulated in Article 28(3) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

When this Agreement is one of several contractual documents comprising another agreement, the other agreement is referred to as the “Main Agreement” in this Agreement.

3.3 In the event that anything stipulated in items 1, 16, 17, 18.2, 19–22 of this Agreement is regulated otherwise in the Main Agreement, the Main Agreement shall take priority.
3.4 Any reference in this Agreement to national or Union legislation refers to the provisions applicable at any given time.

4. PROCESSING OF PERSONAL DATA AND SPECIFICATION

The Controller hereby appoints the Processor to carry out Processing on behalf of the Controller, pursuant to the provisions of this Agreement.

4.2 The Controller shall give written Instructions to the Processor as to how the Processor shall carry out the Processing.
4.3. The Processor may only perform the Processing in accordance with this Agreement and the Instructions applicable at any given time.

5. OBLIGATIONS OF THE CONTROLLER

5.1 The Controller undertakes to ensure that there is a legal basis for the processing at all times and to issue correct instructions so that the Processor and any Subprocessors can carry out their duties in accordance with this Agreement and the Main Agreement, where applicable.
5.2 The Controller undertakes to inform the Processor without undue delay of any changes in the Processing that may affect the Processor’s obligations pursuant to the Data Protection Legislation.
5.3 The Controller is responsible for informing Data Subjects of the Processing and safeguarding of the rights of Data Subjects in accordance with the Data Protection Legislation, as well as to take every other measure required of the Controller pursuant to the Data Protection Legislation.

6. OBLIGATIONS OF THE PROCESSOR

6.1 The Processor undertakes to only perform the Processing in accordance with this Agreement and the Instructions and to comply with the Data Protection Legislation. The Processor also undertakes to stay informed of currently applicable laws and regulations in this area.
6.2 The Processor shall take measures to protect the Personal Data against all kinds of Processing that are not in compliance with this Agreement, the Instructions, and the Data Protection Legislation.
6.3 The Processor undertakes to ensure that all-natural persons who work under its supervision comply with this Agreement and the Instructions and that these natural persons are informed about relevant legislation.
6.4 At the request of the Controller, the Processor shall assist the former in ensuring compliance with the obligations pursuant to Articles 32–36 of GDPR and shall respond to requests regarding the exercise of Data Subjects’ rights pursuant to Chapter III of GDPR, taking into consideration the type of Processing and the information available to the Processor.
6.5 In the event that the Processor finds the Instructions to be unclear, in violation of the Data Protection Legislation, or non-existent, and the Processor is of the opinion that new or supplementary Instructions are necessary in order to fulfill its undertakings, the Processor shall inform the Controller of this without delay, temporarily suspend the Processing and await new instructions.
6.6 In the event the Controller provided the Processor with new or amended Instructions, the Processor shall inform the Controller, without undue delay after receiving them, whether the implementation of the new Instructions will entail any changed costs for the Processor.

7. SECURITY MEASURES

7.1 The Processor is obligated to take all technical and organizational security measures required by the Data Protection Legislation in order to prevent Personal Data Breaches, by ensuring that the Processing complies with the requirements of GDPR and that the rights of the Data Subjects are protected.
7.2 The Processor shall continuously ensure that the technical and organizational security relating to the Processing maintains an appropriate level of confidentiality, integrity, availability, and resilience.
7.3 Any future or modified requirements for protective measures coming from the Controller once the Parties have entered this Agreement shall be considered new Instructions in accordance with this Agreement.
7.4 The Processor shall use an authorization control system to allow access to the Personal Data only for such natural persons who work under the supervision of the Processor and who need such access in order to perform their duties.
7.5 The Processor undertakes to continuously Log access to the Personal Data pursuant to this Agreement, to the extent required according to the Instruction. Logs may not be purged until at least five (5) years after the time of Logging unless otherwise specified in the Instruction. Logs shall be subject to the necessary protective measures pursuant to the Data Protection Legislation.
7.6 The Processor shall systematically test, examine and evaluate the effectiveness of the technical and organizational measures that are intended to ensure the security of the Processing.

8. SECRECY/DUTY OF CONFIDENTIALITY

8.1 The Processor and all natural persons who work under its supervision shall observe both secrecy and the duty of confidentiality during Processing. Personal Data may not be used or disseminated for other purposes, neither directly nor indirectly, unless otherwise agreed.
8.2 The Processor is required to ensure that all natural persons working under its supervision who participate in the Processing are bound by a confidentiality agreement regarding the Processing. However, this is not required if those persons are already subject to a statutory duty of confidentiality with criminal liability. The Processor also undertakes to ensure that there is a confidentiality agreement with its Subprocessor, as well as between the Subprocessor and all natural persons working under its supervision who participate in the Processing
8.3 The Processor shall immediately inform the Controller of any contacts with the supervisory authority regarding the Processing. The Processor shall not be entitled to represent the Controller or act on behalf of the Controller vis-à-vis supervisory authorities in matters relating to the Processing.
8.4 If the Data Subject, supervisory authority, or a third party requests information from the Processor regarding the Processing, the Processor shall inform the Controller thereof. Information regarding the Processing may not be divulged to the Data Subject, supervisory authority, or third party without the written consent of the Controller unless the obligation to disclose the information is prescribed by law. The Processor shall assist in the communication of such information as is the subject of consent or legal requirement.

9. INSPECTION, SUPERVISION, AND AUDITING

9.1 At the request of the Controller, the Processor shall without undue delay provide information, as part of its undertakings in accordance with Article 28(1) of GDPR, regarding the technical and organizational security measures used to ensure that the Processing complies with the requirements of this Agreement and Article 28(3)(h) of GDPR.
9.2 The Processor must at least once (1) per year review the security of the Processing through self-monitoring in order to ensure that the Processing complies with the Agreement. The result of this self-monitoring shall be made available to the Controller upon request
9.3 The Controller has the right to inspect or to appoint a third party (who must not be a competitor of the Processor) to inspect the Processor’s compliance with the requirements of this Agreement, the Instruction, and the Data Protection Legislation. In connection with such inspection, the Processor shall assist the Controller or the person carrying out the inspection on behalf of the Controller, with documentation, access to premises, IT systems, and other assets required to verify the Processor’s compliance with this Agreement, the Instructions, and the Data Protection Legislation. The Controller shall ensure that the person carrying out the inspection is subject to secrecy or duty of confidentiality pursuant to law or contract.
9.4 The Processor, as an alternative to the provisions of items 9.2–9.3, may offer other approaches to an inspection of the Processing, such as inspection by an independent third party. In that case, the Controller shall be entitled, but not obligated, to apply this alternative approach to the inspection. In the event of this kind of inspection, the Processor shall give the Controller or the third party the assistance needed to perform the inspection.
9.5 The Processor shall enable the supervisory authority, or other government agency with legal authority, to conduct supervision at the authority’s request and pursuant to the applicable legislation at any given time, even if such supervision would otherwise violate the provisions of the Agreement.
9.6 The Processor shall ensure that the Controller has rights in relation to the Subprocessor which correspond to all the rights that the Controller has in relation to the Processor pursuant to item 9 of the Agreement.

10. HANDLING OF CORRECTIONS, DELETIONS, ETC.

10.1 In the event that the Controller has requested a correction or deletion as a result of incorrect Processing by the Processor, the Processor shall take appropriate measures, without undue delay, no later than thirty (30) days from the date on which the Processor received the required information from the Controller. When the Controller has requested deletion, the Processor may only perform Processing of the Personal Data in question as a part of the correction or deletion process.
10.2 If technical and organizational measures (e.g. upgrades or troubleshooting) are taken by the Processor with regard to the Processing, and these can be expected to affect the Processing, the Processor shall inform the Controller in writing in accordance with the provisions on notifications set out in Section 19 of the Agreement. This information shall be communicated well in advance of the measures being taken.

11. PERSONAL DATA BREACHES

The Processor shall have the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident as defined in Article 32(1)(c) of GDPR.
11.2 In considering the nature of the Processing and the information available to the Processor, the Processor undertakes to assist the Controller in fulfilling its obligations in the event of a Personal Data Breach involving the Processing. At the request of the Controller, the Processor shall also assist in investigating suspicions of possible unauthorized Processing of and/or access to Personal Data.
11.3 In the case of a Personal Data Breach that the Processor has been made aware of, the Processor shall, without undue delay, notify the Controller in writing of the incident. In considering the nature of the Processing and the information available to the Processor, the Processor shall provide the Controller with a written description of the Personal Data Breach.

The description shall include:
1. The nature of the Personal Data Breach, and, if possible, the categories and the number of Data Subjects affected, as well as the categories and number of personal data items affected,
2. the probable consequences of the Personal Data Breach, and
3. measures that have been taken or proposed, as well as measures to mitigate the potential negative effects of the Personal Data Breach.

11.4 If it is not possible for the Processor to provide the entire description as set out in item 11.3 of the Agreement at the same time, the description may be provided in stages without undue additional delay.

12. SUBPROCESSOR

12.1 The Processor is entitled to hire the Subprocessor(s) listed in (the Subprocessor) Appendix 2.
12.2 The Processor undertakes to enter a written agreement with the Subprocessor to regulate the Processing that the Subprocessor carries out on behalf of the Controller and to only hire Subprocessors who provide adequate guarantees to carry out appropriate technical and organizational measures to ensure that the Processing fulfills the requirements of GDPR. When it comes to data protection, such an agreement shall entail the same obligations for the Subprocessor as are set out for the Processor in this Agreement.
12.3 The Processor is fully responsible in relation to the Controller for any Processing carried out by a Subprocessor.
12.4 The Processor is entitled to hire new subprocessors and to replace existing subprocessors.
12.5 When the Processor intends to hire a new subprocessor or replace an existing one, the Processor shall verify the Subprocessor’s capacity and ability to meet their obligations in accordance with the Data Protection Legislation. The Processor shall notify the Controller in writing of

1. the Subprocessor’s name, corporate identity number, and head office (address and country),
2. which type of data and categories of Data Subjects are being processed, and
3. where the Personal Data will be processed.
4. whether the engagement of the Subprocessor would constitute a transfer of Personal Data to a third country or international organization and under what transfer mechanism.

12.6 The Controller is entitled within thirty (30) days of the notice pursuant to item 12.5 to object to the Processor’s hiring of a new subprocessor and, due to such an objection, to cancel this Agreement to be terminated in accordance with the provisions of item 17.4 of this Agreement.
12.7 When the Processor stops using the Subprocessor, the Processor shall notify the Controller in writing that they will no longer be using the Subprocessor.
12.8 At the Controller’s request, the Processor shall send a copy of the agreement regulating the Subprocessor’s Processing of Personal Data in accordance with item 12.2.

13. LOCALISATION AND TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY

13.1 The Processor shall ensure that Personal Data is processed within EU/EEA by a natural or legal person, who is established in the EU/EEA, and not transferred to a third country or international organization unless the Controller consents in writing to such transfer and the transfer are in compliance with Chapter V of the GDPR and the Instructions.
13.2 The Controller consents to transfer of Personal Data (i) under Controller’s Instruction; (ii) in compliance with the conditions stipulated in item 12 and here in item 13; and (iii) to Subprocessor(s) as listed and agreed on in Annex 2.
13.3 The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the Controller (the data exporter) may provide a general consent to onward sub-processing by the Processor.
13.4 Accordingly, the Controller mandates the Processor to sign Model Clauses 2010/87/EU with their non-EEA-based sub-processors in the name and on behalf of the Controller. The latter remains the data exporter and the subprocessor is the data importer under those terms. The Controller also agrees, in advance, to the content of Appendices 1 and 2 of Model Clauses 2010/87/EU.
13.5 At the request of the Controller, the Processor shall provide a copy of the agreement or other legal act concerning the processing of Personal Data on behalf of the Controller, entered into between the Processor and the Subprocessor.

14. LIABILITY FOR DAMAGES IN CONNECTION WITH THE PROCESSING

14.1 In the event that compensation for damages in relation to Processing is payable to the Data Subject, through a legally binding judgment or settlement, due to a violation of the Agreement, Instructions, and/or applicable provision of the Data Protection Legislation, Article 82 of GDPR is applicable.
14.2 Fines in accordance with Article 83 of GDPR or Chapter 6, Section 2 of the Data Protection Act (2018:218) shall be paid by the party to this Agreement that has been levied such a fee.
14.3 If either party becomes aware of circumstances that could be detrimental to the other party, the first party shall immediately inform the other party of this and work actively with the other party to prevent and minimize the damage or loss.
14.4 Notwithstanding any of the provisions of the Main Agreement, items 14.1 and 14.2 of this Agreement take precedence over other rules regarding the allocation between the parties of claims regarding the Processing.

15 CHOICE OF LAW AND DISPUTE RESOLUTION

15.1 Swedish law shall apply to this agreement. Any interpretation or dispute arising from the Agreement which the parties cannot resolve on their own shall be settled by a Swedish general court.

16. CONCLUSION, TERM, AND TERMINATION OF THE AGREEMENT

16.1 The Agreement shall enter into force from the time the Agreement has been signed by both parties and until further notice. Either party has the right to terminate the Agreement with thirty (30) days’ notice.

17. AMENDMENTS, TERMINATION WITH IMMEDIATE EFFECT, ETC.

17.1 Each party to the Agreement shall be entitled to invoke a renegotiation of the Agreement if there is a major change of the ownership of the other party or if applicable legislation or the interpretation thereof changes in a way that significantly affects the Processing. The invoking of a renegotiation pursuant to the first sentence does not mean that any part of the Agreement will cease to be in effect but only means that a renegotiation of the Agreement will commence.
17.2 Additions and amendments to the Agreement must be made in writing and signed by both parties.
17.3 If either party becomes aware that the other party is acting in violation of the Agreement and/or Instructions, the first party shall inform the other party without delay of the actions in question. The party is then entitled to suspend the performance of its obligations pursuant to the Agreement until such time as the other party has declared that the actions have ceased, and the explanation has been accepted by the party that made the complaint.
17.4 If the Controller objects to the Processor using a new subprocessor, pursuant to item 12.6 of this Agreement, the Controller is entitled to terminate the Agreement with immediate effect.

18. MEASURES IN THE EVENT OF TERMINATION OF THE AGREEMENT

18.1 Upon termination of the Agreement, the Controller shall, without undue delay, request that the Processor transfers all Personal Data to the Controller or deletes them, according to the preference of the Controller. If the Personal Data are transferred, this must take place in an open and standardized format. “All Personal Data” means all Personal Data that has been the subject of Processing, as well as other related information such as Logs, Instructions, system solutions, descriptions, and other documents that the Processor received through an exchange of information pursuant to the Agreement.
18.2 Transfers and deletions pursuant to item 18.1 of the Agreement shall be carried out no later than thirty (30) days from the time notice of termination was given in accordance with item 16.1 of this Agreement.
18.3 Processing performed by the Processor after the time specified in item 18.2 shall be considered unauthorized Processing.
18.4 The provisions regarding secrecy and confidentiality in item 8 of this Agreement shall remain in effect even if the Agreement otherwise ceases to apply.

19. NOTIFICATIONS WITHIN THE PURVIEW OF THIS AGREEMENT AND THE INSTRUCTIONS

19.1 Notifications regarding the Agreement and its administration, including termination, shall be sent to the respective party’s contact person for the Agreement.
Notifications regarding the parties’ cooperation on data protection, as it applies to the Processing, shall be sent to the respective party’s contact person for the parties’ cooperation on data protection.
19.3 Notifications within the purview of the Agreement and Instructions shall be sent in writing. A notification shall be considered to have been received by the addressee no later than one (1) working day after the notification has been sent.

20. CONTACT PERSONS

20.1 Each party shall appoint one contact person for the Agreement
20.2 Each party shall appoint one contact person for the parties’ data protection collaboration.

21. RESPONSIBILITY FOR INFORMATION REGARDING PARTIES, CONTACT PERSONS, AND CONTACT INFORMATION

21.1 Each party is responsible for ensuring that the information provided in item 1 of the Agreement is up to date. Changes to the information in item 1 shall be communicated in writing pursuant to item 19.1 of the Agreement.

 

Annex 1 – Personal Data Controller’s Instruction for the processing of Personal Data

In addition to what is already stipulated in the Personal Data Processor Agreement, the Personal Data Processor shall also follow the instructions set out below:

1. Purposes, object, and type
  •  Candidate data for the purpose of interpreting audio to text, scoring questions, storage, and back-up.
2. The processing involves the following types of Personal Data
Personal Data in the system consists of:

 

  • Candidate Name
  • Candidate Email
  • Candidate interview answers

Personal Data Processor (s) are also responsible for transferring, through technical integration, the following information to system(s):

  • ELASTX, Private cloud hosted in Sweden (See Annex 2)
3. The Processing shall include the following categories of Registered Persons:
  • Candidates (Job seekers)
4. Specify special security processing requirements that will apply to the Processing of Personal Data that is carried out by the Personal Data Processor(s)
  • The audio stream should be encrypted in transit and leave the sub processor’s server as soon as it has been processed (translated into text).
  • The data should be sent over HTTPS with a combination of Secure Sockets Layer (SSL)/Transport Layer Security (TLS). The data sent from the service should be sent over an HTTPS connection secured by a 2048-bit SSL certificate.
5. Specify technical and organizational security measures that apply to the Processing of Personal Data by Personal Data Processor(s)
  • Before the interview, the candidate will get written information about GDPR. 
6. Specify special requirements relating to Logs that apply to the Processing of Personal Data, as well as System Architects.
  •   All transactions should be traceable in an audit log, which means that every change can be tied to a specific user.
7. Localization and transferring the Personal Data to a Third Country
  • Data files should only be identified by a unique id (pseudonymized) when in transit or processed by a sub-processor in a third country.
  • The processor should make available an updated text, referred to in item 5, above, describing risks and security measures in place for personal data in transit to/from and/or processed by sub-processor in third countries.

Annex 2 – Subprocessors (Processor subcontractors)

The Controller specifically authorizes the engagement of sub-processors as listed below. The countries in which the respective companies are established and from which personnel can process Personal Data are indicated in parentheses, followed by the transfer mechanism under Chapter V of GDPR for sub-processors outside of the EU/EEA.

Company Name Type of Service Url   Data Center Location Data they handle
Elastx File Hosting https://elastx.se/en/

 

 

  Sweden For processing assignments and candidate’s data
Microsoft ASR - Automatic Speech to text https://azure.microsoft.com  

No storage

Streamed voice to text
Sinch Email-provider https://www.mailgun.com/legal/privacy-policy/   Within EU/EES Email-addresses
RASA NLU - Natural Language Understanding https://rasa.com   No storage Dialogue text and intents

Copyright Tengai AB © 2024