Data Protection: All defined terms have their meaning in the Data Protection Acts or the GDPR and in this section:
“Candidate” means an applicant for a temporary, contract or permanent position of employment introduced to the Client by the Company;
“Data Discloser” means the party which discloses Shared Data to the other party;
“Data Protection Acts” means the Data Protection Acts 1988 and 2003 as amended, revised, modified or replaced from time to time;
“Data Protection Commission” or “DPC” means the data protection authority for the time being in the territory of Ireland;
“Data Recipient” means the party which receives Shared Data from the Data Discloser;
“Data Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Data;
“Data Subject Access Request” or “DSAR” has the same meaning as the “Right of access by the Data Subject” in Article 15 of the GDPR;
“General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data;
“Services” means the recruitment services to be provided by the Company to the Client under these terms of business; and
“Shared Data” means the data, including Personal Data, to be shared between the Company and the Client under this section.
Sharing of Personal Data: This section sets out the framework for the sharing of data, including Personal Data and Sensitive Personal Data or Special Category of Personal Data, between the Company and the Client as Data Controllers. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
Agreed Purposes: The parties agree to only process Shared Data as described below in ‘Types of Data’ (a) to allow the Client to evaluate and recruit Candidates; and (b) to enable the Company to provide the Services.
General Compliance: Each party shall ensure compliance with the Data Protection Acts, GDPR and all other applicable laws and codes of practice and guidance issued by the DPC at all times whilst these terms of business apply between the parties.
Types of Data: The following types of Personal Data will be shared between the parties whilst these terms of business apply between the parties:
a) Candidate name and contact information;
b) Candidate educational and legal qualifications;
c) Candidate employment history;
d) Candidate references; and
e) Salary and remuneration requirements.
No Irrelevant or Excessive Data: The Shared Data must not be irrelevant or excessive with regard to the purposes described under “Agreed Purposes” above.
Fair and Lawful Processing: Whilst these terms of business apply between the parties each party shall ensure that it processes the Shared Data fairly and lawfully in accordance with “Grounds for Processing” below.
Grounds for Processing: Each party shall ensure that it processes Shared Data on the basis of one or more of the following legal grounds:
a) Data Subject has freely given his or her explicit, specific, unambiguous consent;
b) processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the Parties are subject, other than an obligation imposed by contract;
d) processing is necessary in order to protect the vital interests of the Data Subject;
e) processing is necessary for the purposes of the legitimate interests pursued by the Parties except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.
Retention Periods: The parties shall retain or process Shared Data for the longest of the following retention periods that applies:
a) the period that is necessary to carry out the Agreed Purposes; or
b) any period prescribed by applicable law or by best industry practice.
Return of Data: The Data Recipient shall ensure that any Shared Data are returned to the Data Discloser or destroyed securely (following which each party shall notify the other that the Shared Data in question has been deleted) in the following circumstances:
a) on termination of the Agreement;
b) on expiry of the Term of the Agreement; or
c) once processing of the Shared Data is no longer necessary for the purposes they were originally shared for, as set out under “Agreed Purposes”.
Transfers: The Data Recipient shall not disclose or transfer the Shared Data to a third party data controller or processor.
Security and Training: Both parties shall use appropriate safeguards to protect the Shared Data from misuse and unauthorised access or disclosure, including, without limitation:
(a) maintaining adequate physical controls and password protections;
(b) ensuring that data stored on any mobile device (for example, a laptop or smartphone) or transmitted electronically is encrypted; and
(c) taking all other measures reasonably necessary to prevent any use or disclosure of the data other than as allowed under this section.
Data Security Breaches and Reporting Procedures: The parties undertake to notify any potential or actual losses of the Shared Data to each other as soon as possible and, in any event, within two (2) calendar days of identification of any potential or actual loss, and agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Data Security Breach.
Obligation to Inform: In the event of a dispute or claim brought by a Data Subject or the Data Protection Commission concerning the processing of Shared Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
Mutual Warranties: Each party warrants and undertakes that it shall:
a) process the Shared Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations;
b) make available upon request to the Data Subjects who are third party beneficiaries a copy of these terms of business, unless these terms of business contain confidential information;
c) respond within a reasonable time and as far as reasonably possible to enquiries from the Data Protection Commission in relation to the Shared Data;
d) respond to DSARs and all other requests from Data Subjects in accordance with Applicable Data Protection Laws;
e) where applicable, maintain registration with all relevant Data Protection Commission to process all Shared Data for the Agreed Purpose; and
f) take all appropriate steps to ensure compliance with the security measures set out under “Security and Training”.
Indemnity: The Data Recipient shall indemnify and keep indemnified the Data Discloser on demand from time to time from and against all Losses which it causes the Data Discloser as a result of its breach of any of the provisions of this section or arising out of or in connection with all claims, proceedings or actions brought by the DPC, any other competent public authority or a Data Subject against the Data Discloser with respect to the processing of the Shared Data by the Data Recipient.