Textkernel

Standard Contractual Clauses

Home / Terms and Agreements / Standard Contractual Clauses

Name of the data exporting organization: the entity identified as Company in the Agreement.
(the data exporter)

And

Name of the data importing organization: the entity identified as Textkernel in the Agreement.
(the data importer)

each a ‘Party’; together ‘the Parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

The Clauses are effective from the date they are incorporated into the Agreement, including the Data Processing Addendum (“Agreement“) that references the Clauses. Entry into the Agreement shall constitute execution of the Clauses (including Appendices 1-4) by the Parties. The Clauses shall be subject to the terms and conditions of the Agreement and shall expire on the termination or expiry of the Agreement.

  1. For the transfer of Company EU Personal Data to Textkernel in the course of providing the Services under the Agreement to a country outside of the EEA or Switzerland, under GDPR, then the Parties shall each comply with their respective obligations as set out in module two of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by European Commission decision of 4 June 2021 and published under document number C/2021/3972 (the “EU C2P Standard Contractual Clauses“) and incorporated herein by reference. Should the EU C2P Standard Contractual Clauses be superseded, the Parties shall amend this DPA to incorporate such updated clauses; or
  2. For the transfer of Company UK Personal Data to Textkernel in the course of providing the Services under the Agreement to a country outside the UK, under UK GDPR, then the Parties shall each comply with their respective obligations as set out in module two of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by European Commission decision of 4 June 2021 and published under document number C/2021/3972, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (the “UK C2P Standard Contractual Clauses“) and incorporated herein by reference. Should the UK C2P Standard Contractual Clauses be superseded, the Parties shall amend this DPA to incorporate such updated clauses.
  3. For the transfer of Company’s customer’s Personal Data to Textkernel in the course of providing the Services under the Agreement to a country outside the EEA or Switzerland, under GDPR, then the Parties shall each comply with their respective obligations as set out in module three of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by European Commission decision of 4 June 2021 and published under document number C/2021/3972 (the “EU P2P Standard Contractual Clauses“) and incorporated herein by reference. Should the EU P2P Standard Contractual Clauses be superseded, the Parties shall amend this DPA to incorporate such updated clauses.
  4. For the transfer of Company’s customer’s UK Personal Data to Textkernel in the course of providing the Services under the Agreement to a country outside the UK, under UK GDPR, then the Parties shall each comply with their respective obligations as set out in module three of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by European Commission decision of 4 June 2021 and published under document number C/2021/3972, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (the “UK P2P Standard Contractual Clauses“) and incorporated herein by reference. Should the UK C2P Standard Contractual Clauses be superseded, the Parties shall amend this DPA to incorporate such updated clauses.
  5. The Parties agree that, for the purposes of the EU P2P Standard Contractual Clauses and EU C2P Standard Contractual Clauses and as referred to and amended in the UK P2P Standard Contractual Clauses and UK C2P Standard Contractual Clauses each as entered into where relevant:
    1. the optional clause set out at Clause 7 (‘Docking clause’) shall not apply;
    2. General Written Authorisation. Option 1 under clause 9 shall apply.
    3. Clause 9(a) (‘Use of sub-processors’), Option 1 shall apply with a time period of ten (10) business days inserted;
    4. the optional clause set out at Clause 11(a) (‘Redress’) shall not apply;
    5. for Clause 13(a) (‘Supervision’) and the Appendix, Annex I(C), the supervisory authority shall be whichever is the competent authority for the relevant data subject or the Textkernel Counterparty under EU GDPR/UK GDPR;
    6. for Clauses 17 (‘Governing law’) and 18(b) (‘Choice of forum and jurisdiction’) the laws and courts of Netherlands shall apply. The Parties further agree to the jurisdiction of the courts of Amsterdam District Court following proceedings in English under the Chamber for International Commercial Matters (“Netherlands Commercial Court” or “NCC”), to the exclusion of the jurisdiction of any other courts. An action for interim measures, including protective measures, available under Dutch law may be brought in the NCC’s Court in Summary Proceedings (“CSP”) (voorzieningenrechter) in proceedings in English. Any appeals against NCC or CSP judgments will be submitted to the Amsterdam Court of Appeal’s Chamber for International Commercial Matters (Netherlands Commercial Court of Appeal or NCCA). Each Party agrees that the Netherlands Commercial Court is the most appropriate and convenient court to settle disputes and accordingly no Party will argue to the contrary.
    7. Data Exports from Switzerland. In case of any transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws”), see Annex 4.
    8. Conflict. The Clauses are subject to the Agreement and the rights and obligations provided by the Clauses will be exercised in accordance with the Agreement, unless stated otherwise. In the event of any conflict or inconsistency between the Agreement and the Clauses, the Clauses shall prevail.

Appendix

Annex 1

A. List of Parties

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter, Company, as specified in the Agreement.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

The data importer the Textkernel entity as specified in the Agreement.

B. Description of Transfer

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data Controller may submit Personal Data, the extent of which is determined and controlled by the Data Controller in its sole discretion, and which may include, but is not limited to the Personal Data relating to the following categories of Data Subjects:

Data Controller’s customers, prospective customers, business partners, vendors, candidates or prospective candidates (who are natural persons); employees, representatives, consultants, contractors or agents of Data Controller (who are natural persons); employees, representatives, consultants, contractors or agents of Data Controller’s customers, prospective customers, business partners and vendors (who are natural persons); and Data Controller’s users authorized by Data Controller to use the Service (who are natural persons). The Data Subjects may include current, past or prospective Data Subjects identified herein.

Categories of data

The personal data transferred concern the following categories of data (please specify):

Data Controller may submit Personal Data, the extent of which is determined and controlled by the Data Controller in its sole discretion, and which may include, but is not limited to the following categories of data:

Personal information – Included in this category are classes of data which identify the Data Subject and their personal characteristics. Examples are names, addresses, job title, employer, contact details, age, sex, date of birth, physical descriptions, identifiers issued by public bodies, e.g. SSN and NI numbers.

Education and professional training information – Included in this category are matters which relate to the education and professional training of the Data Subject. Examples are academic records, qualifications, skills, training records, and professional expertise.

Employment information – Included in this category are matters relating to the employment of the Data Subject. Examples are business role, line manager, employment and career history, recruitment and termination details, attendance record, health and safety records, performance appraisals, training records, agency employer, security records or other information necessary to determine a Data Subject’s fitness for employment.

Financial details – Included in this category are matters relating to the financial affairs of the Data Subject. Examples are income, salary, billing rate, payments, benefits, or other information necessary to process payroll for a Data Subject.

Goods or services provided – Included in this category are classes of data relating to goods and services which have been provided. Examples are details of the goods or services supplied, licenses issued, agreements and contracts.

IT information – Included in this category is any information relating to a Data Subject’s use of technology or software including IP addresses, any information about the computing or mobile device a Data Subject is using, location data gathered from such devices, connection data, usernames and passwords, and social media handles.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Data Controller may submit special categories of Personal Data, the extent of which is determined and controlled by the Data Controller in its sole discretion, and which may include, but is not limited to the following categories of data:

Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal records and background checks.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis subject to Data Exporter’s use of the Service.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The purpose of processing of Personal Data by Data Importer is the performance of the Services pursuant to the Agreement or in accordance with Data Exporter’s and/or Data Controller’s instructions. Personal Data shall be processed during the Term of the Agreement.

Purpose(s) of the data transfer and further processing

The purpose of processing of Personal Data by Data Importer is the performance of the Services pursuant to the Agreement or in accordance with Data Exporter’s instructions.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

Subject to the terms of the MSA, Personal Data will be processed and retained by Data Importer for the duration of the MSA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Subject to the terms of the MSA, Personal Data will be transferred to sub-processors for the duration of the MSA. Subject matter and nature of the processing as set forth above and as set forth at https://www.bullhorn.com/legal/sub-processors/.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

Where Customer is established in an EU Member State or falls within the territorial scope of the application of Regulation (EU) 2016/679, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens, Bezuidenhoutseweg 30, 2594 AV DEN HAAG. Netherlands shall act as competent supervisory authority.

Annex 2

Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

Description of the technical and organisational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, as applicable to the service provided by data importer.

  • Measures of pseudonymisation and encryption of personal data
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Measures for user identification and authorisation
  • Measures for the protection of data during transmission
  • Measures for the protection of data during storage
  • Measures for ensuring physical security of locations at which personal data are processed
  • Measures for ensuring events logging
  • Measures for ensuring system configuration, including default configuration
  • Measures for internal IT and IT security governance and management, including establish and maintain network and internet security procedures, protocols, security gateways, and firewalls with respect to the Personal Data as may be appropriate
  • Measures for certification/assurance of processes and products
  • Measures for ensuring data minimisation
  • Measures for ensuring data quality
  • Measures for ensuring limited data retention
  • Measures for ensuring accountability
  • Measures for allowing data portability and ensuring erasure
  • Measures for establishing and maintaining safeguards to permit access to the Personal Data only to those of its employees and representatives who (i) have a need to access the Personal Data for the purposes of providing services, and (ii) have agreed to maintain the Personal Data in confidence and only to use it for the purpose of providing the services;
  • Measures to ensure that appropriate technical and organization measures are in place to prevent unauthorized, unlawful, or accidental access to the Personal Data as may be appropriate.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Data Importer will enter into a written agreement with each sub-processor containing technical and organisational measures that provide at least the same level of protection for Personal Data as those in the Agreement, to the extent applicable to the nature of the services provided by such sub-processor.

Annex 3

List of Sub-Processors

The Data Exporter has authorized the use of the sub-processors identified at https://www.bullhorn.com/legal/sub-processors/, as updated from time to time.

Annex 4

Third-Country Addendum to the EU C2P Standard Contractual Clauses and EU P2P Standard Contractual Clauses: Switzerland

  1. For the purposes of these Clauses, the term ‘member state’ shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
  2. Until December 31, 2022, these Clauses shall also protect the data of legal entities in the scope of the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1; “FADP”).
  3. In accordance with Clause 13, for data transfers from Switzerland, the Swiss Data Protection Authority (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter – EDÖB) shall be the supervisory authority and Swiss law shall apply.
  4. All references to the GDPR are to be understood as references to the FADP, insofar as the data transfers are subject to the FADP.

UK Addendum – UK C2P Standard Contractual Clauses and UK P2P Standard Contractual Clauses

Part 1: Tables

Table 1: Parties

Start date
The PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)
Parties’ detailsFull legal name: The entity identified as “Customer” or “Company” in the Agreement (the “Agreement”). Main address (if a company registered address): Address listed in the Agreement.Full legal name: The entity identified as “Textkernel” in the Agreement. Main address (if a company registered address): Address listed in the Agreement
Key ContactContact details as set forth in the Agreement.Job Title: Data Protection Officer
Contact details including email: dpo@bullhorn.com

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCsThe version of the Approved EU SCCs which are detailed below, including the Appendix Information:
Date: Effective Date of the Agreement.
Reference (if any): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Appendix 1(a): List of Parties: See Annex 1, listed above.

Appendix 1(b): Description of Transfer: See Annex 1, listed above.

Appendix 2: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Annex 2, listed above.

Appendix 3: List of Sub processors (Modules 2 and 3 only): See Annex 3, listed above.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19:
Data Importer

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1 and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties agree that the UK Addendum is effective from the date it is incorporated into the Agreement between the Parties, including the Data Processing Addendum that reference the Clauses. Entry into the Agreement shall constitute execution of the UK Addendum by the Parties. The UK Addendum shall be subject to the terms and conditions of the Agreement and shall expire on the termination or expiry of the Agreement.

Interpretation of this UK Addendum

  1. Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings
AddendumThis International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCsThe version(s) of the Approved EU SCCs, set forth at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914, as set out in Table 2, including the Appendix Information.
Appendix InformationAs set out in Table 3.
Appropriate SafeguardsThe standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved AddendumThe template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCsThe Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as set forth https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.
ICOThe Information Commissioner.
Restricted TransferA transfer which is covered by Chapter V of the UK GDPR.
UKThe United Kingdom of Great Britain and Northern Ireland.
UK Data Protection LawsAll laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPRAs defined in section 3 of the Data Protection Act 2018.
  1. This UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  2. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  3. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  4. If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  5. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

  1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  2. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  3. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

  1. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  2. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
  3. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
  4. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
    1. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
    2. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
    3. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Appendix 1 where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
    4. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
    5. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
    7. References to Regulation (EU) 2018/1725 are removed;
    8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    10. Clause 13(a) and Part C of Annex I are not used;
    11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    12. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
    13. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
    14. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
    15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

  1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  3. From time to time, the ICO may issue a revised Approved Addendum which:
    1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    2. reflects changes to UK Data Protection Laws;

    The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

  4. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
    1. its direct costs of performing its obligations under the Addendum; and/or
    2. its risk under the Addendum,

    and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  5. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.