DATA PROCESSING AGREEMENT

 

This Data Processing Agreement ("Agreement") is entered into by and between:

• Hired1st Ltd,
• Fintech Australia,

Collectively, the Parties.

This Agreement governs the processing of personal data in accordance with applicable data protection laws and is made a part of the general agreement between the Parties for the use of Hired1st Ltd.’s services.

1. DEFINITIONS

1.1 Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

1.2 Data Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, combination, restriction, erasure, or destruction.

1.3 Data Controller: The entity that determines the purposes and means of the processing of Personal Data.

1.4 Data Processor: The entity that processes Personal Data on behalf of the Data Controller, under this Agreement.

1.5 Subprocessor: Any third party authorised by the Data Processor to process Personal Data on its behalf.

1.6 Applicable Data Protection Laws: Refers to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), Data Protection Act 2018 (UK), and other relevant data protection laws applicable to the processing of Personal Data.

1.7 Processing Purpose: The specific purpose(s) for which the Personal Data is processed under this Agreement, as agreed between the Parties.

2. SCOPE OF DATA PROCESSING

2.1 The Data Processor will process Personal Data on behalf of the Data Controller for the following purposes

• Match candidates with job opportunities based on their profiles, skills, experience, and preferences. 

• Provide personalised job recommendations and notify candidates of new opportunities. 

• Rank and score candidates based on their suitability for specific roles. 

• Create candidate profiles to better align with roles in various sectors. 

• Facilitate recruitment processes by integrating with third-party vendors, including EOR/COR providers, payment processors, and immigration specialists. 

2.2 The Data Processor shall process Personal Data only in accordance with the instructions provided by the Data Controller and in compliance with applicable data protection laws.

2.3 The Data Controller shall ensure that the Personal Data provided to the Data Processor for processing is lawful and has been collected in accordance with applicable data protection laws.

3. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

3.1 The Personal Data processed under this Agreement may include the following categories:

• Personal Details: Name, contact information (email, phone, address), location data, social media profiles, etc.
• Employment Details: Position, employment history, qualifications, etc.
• Other relevant personal information depending on the services provided by Hired1st Ltd and the information as provided by the customer and or users of the platform

3.2 The data subjects whose Personal Data is processed under this Agreement may include:

• Job candidates and employees of the Customer.
• Any other individuals whose personal data is shared in connection with the services provided by the Data Controller.
• Third Party vendors.

4. OBLIGATIONS OF THE DATA CONTROLLER

4.1 The Data Controller warrants that it has the legal right to disclose the Personal Data to the Data Processor for processing under this Agreement.

4.2 The Data Controller shall provide instructions to the Data Processor regarding the processing of Personal Data and shall ensure that those instructions comply with applicable data protection laws.

4.3 The Data Controller shall inform the Data Processor of any changes, amendments, or updates to the instructions, or the Personal Data provided.

4.4 The Data Controller shall ensure that it obtains any necessary consent from data subjects for the processing of Personal Data, if required by applicable data protection laws.

5. OBLIGATIONS OF THE DATA PROCESSOR

5.1 The Data Processor shall process Personal Data solely for the purposes described in this Agreement and in accordance with the instructions of the Data Controller.

5.2 The Data Processor shall implement appropriate technical and organizational measures to ensure the security and confidentiality of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

5.3 The Data Processor shall not engage any Subprocessor to process Personal Data without the prior consent of the Data Controller. If the Data Processor uses a Subprocessor, the Data Processor shall ensure that the Subprocessor is bound by the same data protection obligations as those set out in this Agreement.

5.4 The Data Processor shall promptly notify the Data Controller of any Data Breach or suspected Data Breach and shall cooperate with the Data Controller in investigating and remedying such a breach.

5.5 The Data Processor shall assist the Data Controller in complying with data subject rights requests (e.g., access, rectification, deletion, etc.), as required by applicable data protection laws.

5.6 Upon termination of this Agreement, the Data Processor shall return or securely delete all Personal Data, unless retention is required by law.

6. PRINCIPLES OF SHARING PERSONAL INFORMATION

This section describes the data protection principles the parties must comply with when sharing and further processing personal information.  The most important consideration is whether sharing personal information is likely to support meeting the stated purposes.

1. 1. Unless an exemption applies, each party must ensure the sharing and processing of personal information must be lawful and fair, which means being open with people about how personal information is used, and requires each party has and adheres to their own privacy notice, which must include that personal information is shared in accordance with Data Protection Law.
   2. Each party must ensure that personal information is only shared and further used or shared with other recipients for the stated purpose(s).
   3. When taking decisions about what personal information to share, each party must:
      1. consider how much needs to be released and the impact on individuals and any third parties.
      2. ensure it is accurate, relevant, up-to-date, sufficient and necessary for those who need it, and proportionate to the level of risk in sharing it, with proper reference made to the source to allow others to do their job effectively and make informed decisions, such as explaining if the personal information is derived using AI; or historical in nature.
   4. Information must be shared in a timely fashion to enhance decision-making and reduce business risks. Timeliness is key in emergency situations, and it may not be appropriate to seek consent for information sharing if it could cause delays and increase the risk of harm.
   5. Processing that occurs before the sharing of personal information is the responsibility of the originating party, who will deal with any rights requests relating to such a priori processing.  Similarly, it is the responsibility of the receiving party to deal with any rights requests in relation to any processing that occurs after the sharing of personal information, including internal re-use or onward transfers. Joint processing including the sharing of personal information is the responsibility of all parties involved.
   6. In line with each party’s own retention policy, shared personal information should not be kept any longer than is necessary. In some rare circumstances, this may be indefinitely, but if this is the case, there should be a review process scheduled at regular intervals to ensure data is not retained where it is unnecessary to do so.
   7. Each party shall designate a role to be responsible for ensuring adherence to the principles set out in this Agreement.
   8. Each party shall upon reasonable request make available to the requesting party and public authorities such documentation that demonstrates compliance with this Agreement.
   9. Information sharing decisions must be recorded by each party, whether or not the decision Is taken to share.  If the decision is to share, a log must cite reasons including what information has been shared, when and with whom, in accordance with their organisational procedures.  If the decision is not to share, parties should record the reasons for this decision and discuss them with the requester.

7. SUBPROCESSING

7.1 The Data Controller authorises the Data Processor to use the following Subprocessors to assist in providing the services under this Agreement:

• Subprocessor 1: TextKernel, EU
• Subprocessor 2: AWS EU, Data Storage & Security

7.2 The Data Processor shall ensure that any Subprocessor complies with the obligations set out in this Agreement and that a written contract is in place between the Data Processor and the Subprocessor.

8. DATA SUBJECT RIGHTS

8.1 The Data Processor shall, upon request, assist the Data Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws, including but not limited to rights of access, rectification, erasure, and objection to processing.

8.2 The Data Processor shall promptly notify the Data Controller if it receives a request directly from a data subject in relation to their Personal Data.

9. SECURITY MEASURES

9.1 The Data Processor shall implement and maintain technical and organizational measures to ensure the security and confidentiality of Personal Data, including but not limited to:

• Data encryption during transmission and storage.
• Access control to limit access to Personal Data to authorized personnel only.
• Regular security audits and vulnerability assessments.

9.2 The Data Processor shall ensure that all personnel authorized to process Personal Data are informed of the confidentiality obligations and receive adequate training on data protection practices.

10. ACCOUNTABILITY

This section describes the requirements for parties to be accountable by conducting their own assurance assessments and audits on a timely basis, in particular with regards to privacy and data protection by design and by default, to ensure appropriate policies, processes and procedures are internally in place for information sharing that in particular:  a.

contain detailed advice about which datasets they can share, including special categories, to prevent irrelevant or excessive information being disclosed;

• set out the lawful basis for each type of personal information being processed, and arrangements for international transfers;
• make sure that the data they are sharing is accurate, for example by requiring a periodic sampling exercise and data quality analysis;
• record data in the same format, abiding by open standards when applicable, including how to record or convert particular data items, for example common industry formats;
• have common rules for the retention and deletion of shared data items, as appropriate to their nature and content, and procedures for dealing with cases where different parties may have different statutory or professional retention or deletion rules;
• have common technical and organisational security arrangements, including the transmission of the data as well as procedures for dealing with any breach in a timely manner;
• ensure their staff are properly trained and are aware of their responsibilities for any shared data they have access to;
• have procedures for dealing with rights requests, complaints, or queries from affected individuals; and
• nominate points of contact within each party to be responsible for ensuring adherence to this Agreement and specific data sharing obligations in particular to agree and monitor the
  1. 1. information to be accessed.
     2. specific processes as set out or referred to in contracts and other arrangements.
     3. roles and responsibilities as laid down in this Agreement.
  2. Where the parties jointly process personal data in relation to the sharing of personal information, the parties shall be bound by written arrangements regarding their respective duties and tasks in meeting their obligations as laid down in Data Protection Law, including collaboration on DPIAs.
  3. Each party shall ensure other joint controllers are bound by similar written arrangements.

11. INTERNATIONAL DATA TRANSFERS

11.1 If the Data Processor transfers Personal Data to a country outside of the European Economic Area (EEA), the United Kingdom, or other applicable jurisdictions with specific data protection laws, the Data Processor shall ensure that such transfers comply with applicable data protection laws and are subject to appropriate safeguards, such as standard contractual clauses or adequacy decisions.

12. TERM AND TERMINATION

12.1 This Agreement shall remain in effect for the duration of the services provided by the Data Processor under the main agreement between the Parties.

12.2 Either Party may terminate this Agreement with written notice if the other Party breaches any material term of this Agreement and fails to remedy the breach within 30 days.

12.3 Upon termination, the Data Processor shall return or securely delete all Personal Data in its possession, unless retention is required by law.

13. LIABILITY AND INDEMNITY

13.1 Each Party shall be liable for its own breach of this Agreement and for any damages, losses, or claims arising from such breach.

13.2 The Data Processor agrees to indemnify and hold harmless the Data Controller from any claims, damages, or losses arising from a breach of this Agreement or any applicable data protection laws by the Data Processor.

14. GOVERNING LAW AND DISPUTE RESOLUTION

14.1 This Agreement shall be governed by the laws of the Republic of Ireland and the applicable laws of the European Union, including the GDPR

14.2 Any dispute arising out of or in connection with this Agreement shall be resolved through negotiation between the Parties. If the dispute cannot be resolved amicably, the dispute shall be referred to mediation or arbitration in Ireland.