Terms & Conditions

V1.1 - Last edited 28th June 2020

PERSONAL DATA PROCESSING AGREEMENT

This personal data processing agreement (the Data Processing Agreement) is part of an Agreement between Jobbatical and the Client (each also a Party and collectively the Parties) under which Jobbatical provides to the Client certain services relating to relocation of candidates (the Talents) from one country to the place of employment in another country (the Services).

In connection with the provision of the Services under the Agreement, Jobbatical processes certain personal data for the Client. To ensure the secure, correct and lawful processing of personal data, the Parties have agreed to supplement the Agreement and enter into this Data Processing Agreement as part of the Agreement. 

In case of a conflict between any other document forming part of the Agreement and this Data Processing Agreement regarding the processing of personal data, the Data Processing Agreement shall prevail and apply. 

1. GENERAL PROVISIONS

  1. The terms used in the Data Processing Agreement are used in the meaning given to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the GDPR) or in the meaning given to them in the Agreement.  
  2. In the context of Article 28 of the GDPR, the Client is the data controller of the personal data transferred or made available to Jobbatical in the course of the provision of the Services and Jobbatical is the data processor.

2. GENERAL OBLIGATIONS OF JOBBATICAL 

  1. Jobbatical shall process personal data only in accordance with the applicable law, the terms of the Agreement, including the terms of this Data Processing Agreement. 
  2. Jobbatical shall process personal data only for the purposes described in Annex A.
  3. Jobbatical shall process personal data in accordance with all the instructions given or documented by the Client according to need. 
  4. If required by applicable law, Jobbatical shall designate a competent data protection officer in accordance with the applicable law and shall provide to the Client the name and contact details of the data protection officer.
  5. Jobbatical shall keep records of all the data processing operations carried out on behalf of the Client. The register of data processing operations shall comply with all the requirements set forth in the applicable law and include at least the following information:

5.1. the name and contact details of the data processor and data controller on whose behalf the data processor is acting;

5.2. the name and contact details of the representative of the data processor and data controller;

5.3. if applicable, the name and contact details of the data protection officer of the data processor and/or data controller;

5.4. categories of processing carried out on behalf of the data controller;

5.5. a general description of the technical and organisational security measures applied for the protection of personal data.

  6. Upon the respective request by the Client, Jobbatical shall make available to the Client the register described in section 2.5 regarding the personal data processed on behalf of the Client immediately and free of charge but not later than within 14 (fourteen) business days as of the respective request by the Client.

  7. Jobbatical shall, taking into account the nature of the Processing, provide reasonable cooperation to assist Controller by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Data Processing Agreement. In the event that any such request is made directly to Jobbatical, Jobbatical shall not respond to such communication directly without Client's prior authorization, unless legally compelled to do so. If Jobbatical is required to respond to such a request, Jobbatical shall promptly notify the Client and provide it with a copy of the request unless legally prohibited from doing so.

  8. Jobbatical shall assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to Jobbatical.

3. GENERAL OBLIGATIONS OF THE CLIENT

  1. The Client warrants that upon transferring any personal data to Jobbatical (including any personal data concerning the Talent or any family member of the Talent), the Client has acquired all and any necessary authorisations, consents and permits required by applicable law and the GDPR to submit such personal data to Jobbatical.
  2. The Client warrants that upon transferring any personal data to Jobbatical (including any personal data concerning the Talent or any family member of the Talent), Jobbatical is entitled to further process such personal data for the purposes of performing the Agreement, including that Jobbatical can contact the Talent, and, when applicable, Talent’s family member(s).
  3. The Client warrants that upon transferring any personal data to Jobbatical (including any personal data concerning the Talent or any family member of the Talent), all personal data submitted by the Client to Jobbatical is accurate, true, relevant and necessary with reference to the performance of the Agreement.

4. CONFIDENTIALITY

  1. Jobbatical shall ensure the confidentiality of the personal data processed on behalf of the Client. 
  2. Jobbatical shall ensure that no unauthorised third parties can access the personal data processed on behalf of the Client, for example, employees present in Jobbatical’s premises who do not need access in relation to the performance of their duties, or other service providers, for example, IT service providers etc., who in this specific case do not need access to the personal data in relation to the performance of their duties.
  3. Jobbatical shall ensure that all the representatives, employees of Jobbatical and other persons who through Jobbatical come into contact with the personal data processed on behalf of the Client are subject to the confidentiality obligation assumed under a contract or the law and Jobbatical shall ensure that its representatives, employees and other persons acting for its benefit maintain the full confidentiality of the personal data.
  4. Jobbatical shall ensure that all the representatives, employees of Jobbatical and other persons who through Jobbatical come into contact with the personal data processed on behalf of the Client have received appropriate training and instructions for the processing of personal data in accordance with the Agreement, the Data Processing Agreement and the applicable law.

5. SECURITY MEASURES

  1. Jobbatical shall ensure the security of personal data processing for the purposes of protecting personal data from accidental or unauthorised processing, disclosure or destruction.
  2. Taking into account the state of the art and costs of implementation, and the nature, scope, context and purposes of the personal data processing as well as the risk to the rights and freedoms of natural persons, of varying likelihood and severity, that may result from personal data processing, Jobbatical shall apply appropriate technical and organisational measures upon personal data processing to ensure the security of personal data.
  3. Upon the application of appropriate technical and organisational measures, Jobbatical shall ensure the capacity of the applied processing measures to ensure the ongoing confidentiality, integrity, availability and resilience of personal data. 
  4. Jobbatical shall inter alia ensure that upon personal data processing, Jobbatical shall use up-to-date information technology solutions, the security of which is regularly tested, ensure that access to Jobbatical’s IT systems and premises is regulated and controlled, ensure the use of up-to-date antivirus and spyware programmes.
  5. Jobbatical shall log all data processing operations carried out on behalf of Client so that there are log entries on viewing, amending, transferring and deleting personal data. 

6. AUDIT

  1. The Client has the right to authorise an auditor to audit the activity of Jobbatical regarding the performance of the Data Processing Agreement in accordance with the GDPR.
  2. The Client shall notify Jobbatical of the audit reasonably in advance. The Client or an auditor appointed by the Client shall carry out the audit during regular working hours and so that the audit interferes with the regular business activity of Jobbatical as little as possible. 

7. PERSONAL DATA BREACH

  1. In case of a personal data breach or suspected personal data breach, Jobbatical shall as immediately as possible notify the Client of this. In case of a personal data breach or suspected breach or an incident that is likely to escalate into a personal data breach, Jobbatical shall send to the Client a notification about the personal data breach, which shall include at least the following information:
     1. a description of the nature of the personal data breach;
     2. the categories and approximate number of data subjects concerned;
     3. the categories and approximate number of personal data records concerned;
     4. the name and contact details of the data protection officer or other contact person of Jobbatical if applicable;
     5. the likely consequences of the personal data breach, incl. the likely consequences to data subject;
     6. measures taken or proposed to be taken by Jobbatical to address the personal data breach or measures to mitigate its possible adverse effects.
  2. Jobbatical shall send the notification specified in section 7.1 to the Client immediately and if possible not later than within 24-48 hours as of the occurrence of the personal data breach.
  3. In case and insofar as Jobbatical is not able to submit the information described in section 7.1 to the Client within the term set forth in section 7.2, Jobbatical may submit the information to the Client in phases but without undue further delay.
  4. Jobbatical shall cooperate fully with the Client for the purposes of preventing personal data breaches. If a personal data breach occurs, Jobbatical shall cooperate fully with the Client to address the personal data breach as efficiently and quickly as possible and/or mitigate its possible adverse effects.
  5. Jobbatical shall document all personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken.

8. RETURN, DELETION AND DESTRUCTION OF PERSONAL DATA

  1. Upon each request of the Client and/or after the termination of the Agreement, Jobbatical shall delete all personal data processed on behalf of the Client unless Jobbatical has a legal basis to retain certain data (for example if the Talent has granted his/her consent to process his/her personal data or if Jobbatical has entered into a legal relationship with the Talent, in which case Jobbatical shall be considered as data controller in respect of the Talent).

9. SUBPROCESSORS AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

  1. The Client grants Jobbatical a general authorization to subcontract the personal data processing conducted under this Data Processing Agreement to subprocessors provided that:
     1. the engagement of the subprocessor is necessary for the provision of the Service;
     2. Jobbatical has entered into a written agreement containing data protection obligations no less protective than those in this Data Processing Agreement. Jobbatical shall be liable for any breaches by the subprocessor in accordance with the terms of this Data Protection Agreement;
     3. Jobbatical will evaluate the security, privacy and confidentiality practices of a subprocessor prior to selection to establish that it is capable of providing the level of protection of personal data required by this Data Processing Agreement. When the Personal Data is transferred outside the European Economic Area, Jobbatical ensures that either the Personal Data is transferred to a country in relation to which the European Commission has decided that the country ensures an adequate level of protection or, if there is no adequacy decision about the country, territory or sector for the transfer, Jobbatical shall ensure the transfer is subject to appropriate safeguards listed in the GDPR.
  2. In the case of general written authorization, Jobbatical will inform the Client of any intended changes concerning the addition or replacement of other subprocessors, thereby giving the Client the opportunity to object to such changes. The Client is considered to have accepted the changes in subprocessors provided that the Client has not submitted its objection within 2 calendar days as of the receipt of the notice.
  3. If Jobbatical uses subprocessors, Jobbatical shall assume full liability for the subprocessor to process personal data in accordance with the applicable law and this Data Processing Agreement.

10. LIABILITY AND COMPENSATION FOR DAMAGE

  1. Jobbatical shall assume liability for damage, administrative fines or any other claims with regard to Jobbatical’s violation of the Agreement, Data Processing Agreement or requirements of the applicable law. 
  2. Jobbatical shall not be liable in any case for an administrative fine imposed on the Client, damage caused to the Client or a claim submitted with regard to the Client if these are based on a violation by the Client and/or if Jobbatical has not committed such violation. 
  3. The Client shall assume liability for damage, administrative fines or any other claims with regard to the Client’s violation of the Agreement, Data Processing Agreement or requirements of the applicable law. 

11. VALIDITY

  1. The Data Processing Agreement shall be valid from acceptance of the Terms of Service (i.e. as of the moment of conclusion of the Agreement) by the Client until Jobbatical is processing personal data on behalf of the Client or until the end of the term of the Agreement, whichever is the later.

12. FINAL PROVISIONS

  1. The Data Processing Agreement shall be governed by the laws of the Republic of Estonia. 
  2. Disputes arising from the Data Processing Agreement shall be resolved by negotiations or in Estonian courts, Harju County Court being the court of first instance. 

ANNEX A to the Data Processing Agreement

  1. PURPOSE OF DATA PROCESSING

Provision of the relocation services to the Client in accordance with the Agreement.

  2. DATA SUBJECTS

Talents and family members of the Talents, as defined by the Agreement.

  3. CATEGORIES OF PERSONAL DATA

About the Talent:

Identification data: first name, family name, date of birth, personal ID code, nationality, passport data, photo

Contact data: address, place of residence, e-mail, phone

Work related data: country of destination, employer, place of work, occupation, education, criminal background

Family data: marital status, data concerning family members 


About the family member of the Talent:

Identification data: first name, family name, date of birth, personal ID code, nationality, passport data, photo

Contact data: address, place of residence, e-mail, phone

Work related data: country of destination, employer, place of work, occupation, education

Family data: marital status, data concerning family members 

  4. PROCESSING OPERATIONS

Jobbatical processes the data in the Jobbatical system in order to support all the immigration and relocation procedures and operations in accordance with the terms of the Agreement.

In the course of the performance of the Agreement, depending on the scope of the services ordered under the Agreement in respect of each Talent and/or family member of the Talent, Jobbatical might need to share data with the following institutions, authorities and entities: police and other state authorities, embassies, population registry, tax authority, banks, family doctor clinics, kindergartens and schools, etc.

  5. PROCESSING PERIOD

The term of the Agreement and a maximum of 3 years after the termination of the Agreement, unless pursuant to applicable law Jobbatical has the right or obligation to retain data for a longer period.

  6. SECURITY MEASURES

Our infrastructure is hosted in a Google data center in Hamina, Finland, which is protected with several layers of security to prevent any unauthorized access to our data. They use secure perimeter defense systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff. In addition, they enforce a strict access and security policy at their data centers and ensure all staff is trained to be security minded.

Our applications and APIs are protected by Auth0, a third-party authentication and authorization service that manages users, roles, and scopes as main security measures following the best practices in the industry.

Our database instances are deployed in a unique Virtual Private Cloud (VPC) to ensure network isolation. Other security features include IP whitelisting or VPC Peering, always-on authentication, encryption at rest and encryption in transit, sophisticated role-based access management, and more. This is provided by the MongoDB Atlas service.