In the context of their commercial relationship, the controller entrusts the processor with the processing of personal data. In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “GDPR”), the Parties undertake to comply with their obligations regarding the protection of personal data.
Any handwritten or other changes to this Data Processing Agreement without the prior written approval of Dispo.work shall have no contractual value to Dispo.work. This agreement supplements the main contract. The main contract means the main subscription contract or any other subscription contract between the Customer and Dispo.work governing the Customer’s access to the Dispo.work software.
1.1 Description of treatments
The Processor is authorised to process on behalf of the controller the personal data necessary for the following purposes:
- Allow talents to update their profile.
- Enable companies to offer employment opportunities.
- Select candidates or talents in the pool.
- Manage assignments (contracts, schedules) of talents.
1.2 Nature of personal data processed
Dispo.work will process the Customer’s personal data on behalf of the Customer as a processor of the Customer’s data. The scope as well as the scope and nature of the processing of the customer’s personal data are for the sole purpose of managing the hiring process for internal and external recruitment of the customer, on behalf of the data controller or its customers.
The personal data processed may include, but is not limited to: First and last name, contact details (address, phone, email) professional information (experience, skills, CV), contract and mission data.
1.3 Duration of treatment
Personal data is processed for the duration of the contractual relationship between the parties, and will be deleted or returned to the controller at the end of this relationship, unless there is a legal retention obligation.
1.4 Obligations of the subcontractor
The Subcontractor undertakes to:
- Process the data only for the purposes specified in this agreement.
- Only process personal data upon documented instruction from the Data Controller.
- Guarantee the confidentiality of the personal data processed.
- Take all appropriate security measures to protect personal data.
- Assist the Data Controller to ensure compliance with security obligations and notification of personal data breaches.
Dispo.work will assist the Customer in a reasonable manner in the impact assessments on data protection, prior consultations with the data protection authorities that the Customer is required to perform under the Data Protection Legislation, the processing of Data Subjects’ requests and any other obligation of assistance required by applicable law
1.5 Rights of data subjects
The Processor undertakes to help the controller to respond to requests to exercise the rights of data subjects (right of access, rectification, erasure, portability, limitation and opposition).
Exclusion of personal accounts. Each individual has the option to create a personal account in the Dispo.work software. With this personal account, the individual is able to coordinate different profiles and application processes for different companies. The collection and processing of personal data for the personal account of an individual is not carried out for the customer but only for the individual by Dispo.work. Therefore, the relationship between an individual and a personal account and Dispo.work is not governed by this Agreement.
Dispo.work only hires personnel who have undertaken to comply with data privacy obligations. The company will regularly train employees to whom it grants access to the Customer’s Personal Data in compliance with security and confidentiality laws.
Dispo.work declares that it has taken the necessary technical and organisational measures in accordance with Article 32 GDPR to ensure the security and protection of personal data against unauthorised or illegal processing and losses, destruction or accidental damage, and undertakes to continue to do so for the duration of this Agreement.
Dispo.work hosts personal data in the European Union.
1.6 Notification of Data Breaches
The processor shall notify the controller of any breach of personal data within a maximum period of 48 hours after becoming aware of it.
1.7 Subsequent Subcontracting
The processor may not engage another processor without the prior written consent of the controller. The processor undertakes to impose on its own subcontractors the same data protection obligations as those stipulated in this agreement.
1.8 Audit Fees
If the customer is the subject of an audit or investigation by a data protection supervisory authority, Dispo.work shall, where required, respond to any request for information, and/or agree to audit its premises and operations, including inspections by the customer and/or the data protection supervisory authority, in each case for the purpose of proving compliance with this Agreement, provided that: (v) the client warrants that all information obtained or generated in connection with a request for information, an audit or an inspection is strictly confidential (unless disclosed to a data protection supervisory authority or required by applicable law)