DATA PROCESSING AGREEMENT (DPA) - Issue date September 2025
1. Definitions
1.1 Any capitalised term not defined in this DPA shall have the meaning given to it in the Agreement:
1.1.1 "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.1.2 "Agreement" means the Agreement between the Client and Oleeo for the provision of the Services to which this DPA is annexed, and incorporates all of the documents referred to in the Agreement;
1.1.3 “Applicable Laws” has the meaning given in the Agreement;
1.1.4 “Client Personal Data" means any Personal Data Processed by Oleeo or a Subprocessor of Oleeo, on behalf of the Client, pursuant to or in connection with the Agreement (as may be more particularly described in Appendix A) and includes “personally identifiable information”, as that term is defined in US State Privacy Laws;
1.1.5 “DPA” means this Data Processing Agreement together with its Appendices;
1.1.6 “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom, any amendments, replacements or renewals thereof, applicable to the processing of Personal Data, including where applicable the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020, the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the FADP, US State Privacy Laws and any applicable national implementing laws, regulations and secondary legislation relating to the processing of the Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426);
1.1.7 "EEA" means the European Economic Area;
1.1.8 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (General Data Protection Regulation);
1.1.9 “FADP” means the Swiss Federal Act on Data Protection of the 1st of September 2023, and as amended from time to time;
1.1.10 "Restricted Transfer" means (where the context so permits):
(a) where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and
(b) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
(c) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.
1.1.11 "Services" means all services, products, software applications and any other activities supplied to or carried out by or on behalf of Oleeo for the Client pursuant to the Agreement;
1.1.12 "SCCs" means:
(a) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, (“EU SCCs”); and
(b) where the UK GDPR applies the international data transfer addendum to the EU SCCs adopted pursuant to Article 46(2)(c) of the UK GDPR and published at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended or replaced, (“UK SCCs”); and
(c) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority (“Swiss SCCs”),
as they may be amended, superseded or replaced from time to time.
1.1.13 "Subprocessor" means any person (including any third party and any Oleeo Affiliate) appointed directly or indirectly by Oleeo to Process Client Personal Data on behalf of the Client in connection with the Agreement pursuant to this DPA;
1.1.14 “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018;
1.1.15 “US State Privacy Laws” means the following US state data protection or privacy laws and regulations applicable to the party’s Processing of Personal Data: the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Montana Consumer Data Privacy Act (MCDPA), the Iowa Consumer Data Protection Act (Iowa CDPA), the Delaware Personal Data Privacy Act (DPDPA), the Nebraska Data Privacy Act (NDPA), the New Hampshire Expectation of Privacy Act (NHPA) and the New Jersey Act Concerning Online Services, Consumers, and Personal Data (NJDPA), in each case as may be amended or superseded from time to time.
1.2 The terms "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", “Processor”, "pseudonymisation" and "Supervisory Authority" shall have the same meaning as in applicable Data Protection Law, and their cognate terms shall be construed accordingly.
1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Arrangement between the Parties
2.1 Oleeo has agreed to provide the Services to the Client in accordance with the terms of the Agreement. In providing the Services, Oleeo shall process Client Data on behalf of the Client. Client Data will include Client Personal Data. Oleeo will process and protect Client Personal Data in accordance with the terms of this DPA.
2.2 In providing the Services to the Client pursuant to the terms of the Agreement, Oleeo shall process Client Personal Data only to the extent necessary to provide the Services in accordance with the terms of the Agreement, this DPA and the Client’s instructions documented in the Agreement and this DPA, as updated from time to time.
2.3 Each Party shall Process Personal Data which is professional contact data, in relation to the other party's representatives (in its capacity as a Controller) to administer the Agreement. Each Party shall Process the other Party's contact data for the purposes set out in this paragraph in accordance with that Party's relevant privacy policy. Each Party may be required to share the other Party's contact data with its Affiliates and other relevant parties, within or outside the country of origin, to administer the Agreement but in doing so, each Party will ensure that the sharing and use of the contact data complies with applicable Data Protection Laws.
2.4 The Client represents and warrants that all Affiliates of the Client who use the Services shall comply with the obligations of the Client set out in this DPA.
2.5 The Client acknowledges and agrees that some instructions from the Client including Oleeo assisting with audits, inspections, data privacy impact assessments or providing any assistance under this DPA, may result in additional fees. In such case Oleeo shall notify the Client of its fees for providing such assistance in advance and shall be entitled to charge the Client for its reasonable costs and expenses in providing such assistance, unless agreed otherwise in writing.
3. Processing of Client Personal Data
3.1 Oleeo shall:
3.1.1 comply with its obligations under all applicable Data Protection Laws in the Processing of Client Personal Data;
3.1.2 not Process Client Personal Data other than on the Client’s documented instructions unless required to do so by Applicable Law in which case Oleeo shall, to the extent permitted by law, inform the Client of that legal requirement before the relevant Processing of that Client Personal Data.
3.2 The Client instructs Oleeo (and authorises Oleeo to instruct each Subprocessor (where applicable)) to Process Client Personal Data and transfer Client Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement.
3.3 If Oleeo becomes aware that it cannot process Personal Data in accordance with the Client’s instructions, including due to a legal requirement or because such instructions infringe applicable Data Protection Laws, Oleeo will, to the extent permitted by Applicable Law, promptly notify the Client and, where necessary, cease all processing (save for storing and maintaining the security of such Personal Data) until the Client issues new instructions with which Oleeo can comply. Oleeo will not be liable for any failure to perform the Services under the Agreement until the Client issues revised and lawful instructions relating to the processing.
3.4 Appendix A to this Schedule 1 sets out certain information regarding Oleeo’s Processing of the Client Personal Data as required by Article 28(3) of the EU GDPR. The Client may make reasonable amendments to Appendix A by written notice to Oleeo from time to time as the Client reasonably considers necessary to meet those requirements. Nothing in Appendix A (including as amended pursuant to this paragraph 3.4) confers any right or imposes any obligation on any Party to this Schedule.
3.5 Oleeo and the Client shall take steps to ensure that any natural person acting under the authority of Oleeo or the Client who has access to Client Personal Data does not process Client Personal Data except on the instructions of the Client, unless required to do so by any Data Protection Law.
3.6 Client shall be solely responsible for:
3.6.1 The accuracy, quality and legality and the means by which the Client acquired the Personal Data;
3.6.2 Complying with its obligations under all applicable Data Protection Laws for the collection and use of Personal Data, including obtaining any necessary consents, particularly for Client’s marketing purposes;
3.6.3 Ensuring that the Client has the right to transfer or provide access to the Client Personal Data in accordance with the terms of the Agreement and this DPA; and
3.6.4 Ensuring that the Client’s instructions to Oleeo regarding the processing of Personal Data comply with all Applicable Laws and Data Protection Laws.
3.6.5 The Client agrees to inform Oleeo without undue delay if it is not able to comply with the above or any applicable Data Protection Laws.
4. Confidentiality
4.1 Oleeo shall ensure that all employees, agents, officers and contractors involved in the handling of Client Personal Data:
4.1.1 Are aware of the confidential nature of the Client Personal Data and are contractually bound to keep the Client Personal Data confidential;
4.1.2 Have received appropriate training on their responsibilities as a data processor; and
4.1.3 Are bound by the terms of this DPA.
5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Oleeo shall, in relation to the Client Personal Data, implement appropriate technical and organisational measures to protect Client Personal Data and to ensure a level of security appropriate to the risk, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, which may include:
5.1.1 the pseudonymisation and encryption of the Client Personal Data;
5.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.1.3 the ability to restore the availability and access to the Client Personal Data in a timely manner in the event of a physical or technical incident;
5.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.2 In assessing the appropriate level of security under paragraph 5.1, Oleeo shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach, and include, as appropriate, the measures referred to in Article 32(1) of the UK GDPR, including the measures set out in Appendix B of this DPA (“Security Measures”). The Client is responsible for independently determining whether the data security provided by Oleeo adequately meets the Client’s obligations under the Data Protection Laws.
5.3 The technical and organisational measures detailed in Appendix B of this DPA shall at all times be adhered to as a minimum security standard. The Client accepts and agrees that the technical and organisational measures are subject to development and review and that Oleeo may use alternative suitable measures to those detailed in the attachments to this DPA, provided such measures are at least equivalent to the technical and organisational measures set out in Appendix B and appropriate pursuant to Oleeo’s obligations in clauses 5.1 and 5.2 above.
5.4 Oleeo confirms that it and/or its Affiliate(s) have appointed a data protection officer where such appointment is required by Data Protection Laws. The appointed data protection officer may be contacted by email at: dpo@oleeo.com.
5.5 The Client shall implement appropriate technical and organisational measures to protect Personal Data, taking into account, the state of the art; the costs of implementation; the nature, scope, context and purposes of processing; and the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Client shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
6. Subprocessing
6.1 The Client agrees that Oleeo may engage Subprocessors to assist in providing the Services. Oleeo has, at the date of this Agreement, appointed the subcontractors and its Affiliates listed here as its Subprocessors. Some Subprocessors will apply by default and others apply only if the Client opts-in to the Services that they provide.
6.2 The Client authorises Oleeo to appoint (and permit each Subprocessor appointed in accordance with this paragraph 6 to appoint) Subprocessors in accordance with this paragraph 6 and any restrictions in the Agreement.
6.3 If Oleeo adds or replaces any Subprocessors used in the provision of the Services, it shall give the Client 30 days prior notice by email of the proposed appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor, unless a Subprocessor needs to be added or replaced as a matter of urgency e.g. for security reasons in which case a shorter and reasonable notice period may be given. If, within thirty days of receipt of that notice, the Client notifies Oleeo in writing of any objections, acting reasonably, to the proposed appointment:
6.3.1 Oleeo shall work with the Client in good faith to consider alternatives to any obligations;
6.3.2 Oleeo shall not appoint (or disclose any Client Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by the Client and the Client has been provided with a reasonable written explanation of the steps taken; and
6.3.3 Where an alternative solution cannot be found, notwithstanding anything in the Agreement to the contrary, the Parties, acting reasonably, shall seek to agree a Subprocessor which is acceptable to both of them and if none can be agreed, Oleeo shall appoint a new Subprocessor or permit the Client to suspend or terminate the affected Services in accordance with the termination provisions of this Agreement without liability to either Party, save for any fees incurred by the Client prior to suspension or termination.
6.3.4 If the Client does not raise any objection to a proposed Subprocessor within the 30 day period set out in clause 6.3.3 the new Subprocessor will be deemed to have been agreed to on expiry of such 30 day notice period.
6.4 With respect to each Subprocessor, Oleeo shall:
6.4.1 before the Subprocessor first Processes Client Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Client Personal Data required by the Agreement;
6.4.2 ensure that the arrangement between Oleeo, and the Subprocessor, is governed by a written contract including terms which impose substantively the same obligations on the Subprocessor as this DPA imposes on Oleeo;
6.4.3 if that arrangement involves a Restricted Transfer, Oleeo will ensure that such Subprocessors: (i) are located in a third country or territory recognised by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable SCCs with Oleeo; or (iii) have other legally recognised appropriate safeguards in place, necessary to ensure the transfer is in compliance with the applicable Data Protection Laws;
6.5 Oleeo shall ensure, to the extent applicable to the nature of the services provided by the Subprocessors, that each Subprocessor performs the obligations under paragraphs 3.2, 4, 5, 7.1, 8.2, 10 and 11.1, as they apply to Processing of Client Personal Data carried out by that Subprocessor, as if it were Party to this Schedule in place of Oleeo.
6.6 Oleeo shall remain responsible for each Subprocessor’s compliance with the obligations set out in this clause 6 above and for acts and omissions of such Subprocessor that cause any breach of this DPA.
7. Restricted Transfers
7.1 The Parties agree that, when a transfer of Client Personal Data occurs between the Client and Oleeo or from Oleeo to a Subprocessor which is a Restricted Transfer, it shall be subject to the applicable SCCs.
7.2 The Parties agree that the EU SCCs shall apply to Restricted Transfers from the EEA. The EU SCCs shall be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
7.2.1 Module Two (Controller to Processor) shall apply where the Client is a Controller of Client Personal Data and Oleeo is processing Client Personal Data;
7.2.2 Module Three (Processor to Processor) shall apply where Oleeo is a Processor of Client Personal Data and Oleeo uses a Subprocessor to process the Client Personal Data;
7.2.3 Module Four (Processor to Controller) shall apply where Oleeo is processing Client Personal Data and the Client is not subject to the EU GDPR or UK GDPR;
7.2.4 In Clause 7 of the EU SCCs, the optional docking clause shall not apply;
7.2.5 In Clause 9 of the EU SCCs, Option 2 applies, and the time period for giving notice of Subprocessor changes shall be 30 days;
7.2.6 In Clause 11 of the EU SCCs, the optional language shall not apply;
7.2.7 In Clause 17 of the EU SCCs, Option 1 applies and the EU SCCs shall be governed by Irish law;
7.2.8 In Clause 18(b) of the EU SCCs, disputes shall be resolved by the courts of Ireland;
7.2.9 Annex I of the EU SCCs shall be deemed completed with the information set out in Appendix A of this DPA;
7.2.10 Annex II of the EU SCCs shall be deemed completed with the information set out in Appendix B of this DPA.
7.3 The Parties agree that the EU SCCs as amended in clause 7.2 above, shall be adjusted as set out below where the FADP applies to any Restricted Transfer:
7.3.1 The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) shall be the sole Supervisory Authority for Restricted Transfers exclusively subject to the FADP;
7.3.2 Restricted Transfers subject to both the FADP and the EU GDPR, shall be dealt with by the EU Supervisory Authority named in Appendix A of this DPA;
7.3.3 The term ‘member state’ must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
7.3.4 Where Restricted Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP;
7.3.5 Where Restricted Transfers are subject to both the FADP and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Restricted Transfers are subject to the FADP;
7.4 The Parties agree that the UK SCCs shall apply to Restricted Transfers from the UK and the UK SCCs shall be deemed entered into (and incorporated into this DPA by reference), completed as follows:
7.4.1 Table 1 of the UK SCCs shall be deemed completed with the information set out in Appendix A of this DPA;
7.4.2 Table 2 of the UK SCCs shall be deemed completed with the information set out in clauses 7.2.1 – 7.2.8 of this DPA;
7.4.3 Table 3 of the UK SCCs shall be deemed completed with the information set out in Appendices A and B of this DPA; and
7.4.4 Either Party may end the UK SCCs as set out in clause 19 of the UK SCCs.
7.5 In case of any changes to the EU SCCs or UK SCCs, the Parties shall negotiate in good faith necessary amendments to the DPA and the Agreement to ensure compliance with applicable Data Protection Laws.
7.6 In the event that any provision of this DPA contradicts directly or indirectly any SCCs, the provisions of the applicable SCCs shall prevail over the terms of this DPA.
7.7 Should countries other than those in the EEA, UK or Switzerland adopt cross-border data transfer clauses similar to the SCCs, the Client and Oleeo agree to execute such clauses when necessary.
8. Data Subject Access Rights
8.1 Taking into account the nature of the Processing and the information available to Oleeo, Oleeo shall assist the Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws in respect of the processing of Client Personal Data.
8.2 Oleeo shall:
8.2.1 promptly notify the Client and advise the Data Subject to refer their request to the Client if Oleeo receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data (and in such case the Client shall be solely responsible for responding to such Data Subject request);
8.2.2 where Oleeo or any Subprocessor receives a request from any government of any country (or any body with delegated authority for any of them) or any other third party for access to any Client Personal Data ("Disclosure Request"), Oleeo shall, where able, notify the Client immediately and provide all available information (at that point or as it becomes available);
8.2.3 if Oleeo or its Subprocessor is prevented by law from notifying the Client, Oleeo shall seek to obtain a waiver of such prohibition. In any event, Oleeo or its Subprocessor shall review the Disclosure Request and exhaust all remedies to challenge it if Oleeo concludes there are grounds to do so, document its assessment, challenge it where permitted, make this information available to the Client and, where mandated to disclose the Client Personal Data, only provide the minimum amount of information possible based on a reasonable interpretation of the Disclosure Request; and
8.2.4 Oleeo shall provide reasonable assistance to the Client to respond to any Data Subject Requests or requests from data protection authorities relating to the processing of Personal Data under this Agreement subject to the Client reimbursing Oleeo for the commercially reasonable costs of providing such assistance.
9. Personal Data Breach
9.1 Oleeo shall notify the Client without undue delay (and no later than twenty-four (24) hours) after Oleeo or any Subprocessor becomes aware of a Personal Data Breach affecting Client Personal Data, providing the Client with relevant information to allow the Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
9.2 In the event of a Personal Data Breach, Oleeo shall implement any measures reasonably necessary to restore the security of the compromised Client Personal Data and mitigate any material adverse effects of such Personal Data Breach.
9.3 In the event of a Personal Data Breach, Oleeo shall co-operate with the Client and take such reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach, including any notification needed to the Supervisory Authority and affected Data Subjects, if the Client is required to do so under Data Protection Laws.
10. Data Protection Impact Assessment and Prior Consultation
Oleeo shall provide reasonable assistance to the Client, at the Client’s cost, to the extent that the required information is reasonably available to Oleeo and is not otherwise accessible to the Client, with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Client reasonably considers to be required of itself by Data Protection Law, in each case solely in relation to Processing of Client Personal Data.
11. Deletion or return of Client Personal Data
11.1 Subject to paragraphs 11.2 and 11.3, Oleeo shall, and shall procure that any Subprocessor shall, following the cessation of any Services involving the Processing of Client Personal Data (the "Cessation Date"), promptly delete and procure the deletion of all copies of Client Personal Data.
11.2 Subject to paragraph 11.3, the Client may in its absolute discretion by written notice to Oleeo, require Oleeo to (a) return a complete copy of all Client Personal Data to the Client by secure file transfer at the Client’s cost; and (b) delete and procure the deletion of all other copies of the Client Personal Data Processed by Oleeo.
11.3 Oleeo may retain Client Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by that law and always provided that Oleeo shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Agreement and for the duration of the Agreement.
11.4 If the Client requests, Oleeo shall provide written certification to the Client that Oleeo has fully complied with this paragraph 11.
12. Audit rights
12.1 Subject to paragraphs 12.2 and 12.3, Oleeo shall make available to the Client all information reasonably necessary to demonstrate compliance with Oleeo’s Processing obligations, and shall allow for and contribute to audits, including inspections by the Client or an independent auditor mandated by the Client (at the Client’s cost) in relation to the Processing of the Client Personal Data by Oleeo.
12.2 Information and audit rights of the Client only arise under paragraph 12.1 to the extent that this Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, clause 8.3 Module Four of the SCCs).
12.3 The Client shall give Oleeo reasonable notice of any audit or inspection to be conducted under paragraph 12.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Oleeo's premises, equipment, personnel and business while the Client or auditor’s personnel are on those premises in the course of such an audit or inspection. Oleeo need not give access to its premises for the purposes of such an audit or inspection:
12.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;
12.3.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Client has given notice to Oleeo before attendance begins outside of those hours; or
12.3.3 for the purposes of more than one audit or inspection, in respect of Oleeo, in any calendar year, except for any additional audits or inspections which:
(a) the Client reasonably considers necessary because of genuine concerns as to Oleeo's compliance with this DPA; or
(b) the Client is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory; and
(c) where the Client has identified its concerns or the relevant requirement or request in its written notice to Oleeo of the audit or inspection.
13. Liability
13.1 The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA or a Party’s obligations under applicable Data Protection Law.
13.2 The Parties agree that the Client shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Client itself.
13.3 The Parties agree that Oleeo shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Subprocessors to the same extent Oleeo would be liable if performing the services of each Subprocessor directly under the terms of the DPA, subject to any limitations on liability set out in the terms of the Agreement.
13.4 Subject to the financial caps on liability set out in the Agreement, each Party shall be liable to the other for any damages it causes to the other Party by breach of its obligations under this DPA or applicable Data Protection Law provided that it is evidenced not to have complied with its respective obligations under applicable Data Protection Laws or under this DPA.
13.5 Neither Party shall be entitled to recover more than once in respect of the same loss.
14. Term and Termination
14.1 Oleeo shall only process Client Personal Data for the term of this DPA. The term of this DPA shall commence on the effective date of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.
15. Deletion and Return of Personal Data
15.1 Oleeo shall, at the choice of the Client, upon receipt of a written request received within 30 days of the end of the provision of the Services, delete or return Client Personal Data to the Client.
16. Order of precedence
16.1 Nothing in this DPA reduces Oleeo’s obligations under the Agreement in relation to the protection of Personal Data or permits the Processing of Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the SCCs, the SCCs shall prevail.
16.2 Subject to paragraph 17.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and (except where explicitly agreed otherwise in writing and signed on behalf of the Parties) any agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
17. General
17.1 The Client shall notify Oleeo within a reasonable time, of any changes to any Applicable Law which may affect the contractual duties of Oleeo under this DPA. Oleeo shall respond within a reasonable timeframe in respect of any changes that need to be made to the terms of this DPA or to the technical and organisational measures to maintain compliance. If Oleeo is unable to accommodate necessary changes, the Client may terminate the part or parts of the Services which give rise to the non-compliance. To the extent that other parts of the Services provided are not affected by such changes, the provision of those Services shall remain unaffected.
17.2 The Parties and, where applicable, their representatives, shall cooperate, on request, with a Supervisory Authority in the performance of their respective obligations under this DPA and Data Protection Law.
17.3 This DPA sets out the entire understanding of the Parties with regards to the subject matter herein.
17.4 Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.
17.5 Subject to any provision of the SCCs to the contrary, this DPA shall be governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA.
17.6 The Parties agree that this DPA is incorporated into and governed by the terms of the Agreement.
Appendix A
List of Parties, Description of Processing and Transfer of Personal Data, Competent Supervisory Authority
A. LIST OF PARTIES
The Exporter: [Not Applicable if the Customer is based only in the UK] | means the Client. |
Address: | As set out for the Client in the Agreement. |
Contact person’s name, position and contact details: | As provided by the Client in its account and used for notification and invoicing purposes. |
Activities relevant to the data transferred under the SCCs: | Use of the Services for the purposes of recruitment and recruiting-related purposes. |
Signature and date: | By entering into the Agreement, the Exporter is deemed to have signed the SCCs incorporated into this DPA including its Appendices, as of the date of the Agreement. |
Role: | Data Controller. |
Name of Representative (if applicable): | Any UK or EU representative named in the Exporter’s privacy policy. |
The Importer: | means Oleeo Limited. |
Address: | 5-7 Bridgeworks, The Crescent, Wimbledon, SW19 8DR, United Kingdom. |
Contact details: | dpo@oleeo.com |
Activities relevant to the data transferred under the SCCs: | The provision of cloud computing solutions to the Exporter under which the Importer processes Personal Data upon the instructions of the Exporter in accordance with the terms of the Agreement. |
Signature and date: | By entering into the Agreement, the Importer is deemed to have signed the SCCs, incorporated into this DPA, including its Appendices, as of the date of the Agreement. |
Role: | Data Processor. |
B. DESCRIPTION OF PROCESSING AND TRANSFERS - Client to review and where this needs editing to include an up to date table within Schedule 7 of the Agreement
Description | Details |
Categories of Data Subjects | Employees, agents, advisors, consultants, freelancers of the Controller (who are natural persons). Client Users, Affiliates and other participants authorised by the Controller to access or use the Services in accordance with the terms of the Agreement. Candidates. Other individuals to the extent identifiable in the context of emails or their attachments or in archiving content. |
Categories of Personal Data | During the recruitment process Data Subjects may be required to provide the following types of data:
Personal Details: First name, middle name and surname, e-mail addresses, home postal address, phone numbers.
Screening/Selection Information: CV / Resume, education results, work experience, significant achievements, etc. Some of this information may include enough information to personally identify a Candidate, e.g. the Data Subject’s CV/Resume.
Evaluation Data: Information provided by other people involved in the recruitment process about a Candidate’s suitability for employment and status within the recruitment process.
User feedback on the recruitment process: Optional information consisting of feedback on the recruitment process.
Special Requirements: Optional information provided by Candidates, e.g. medical needs, dietary requirements, disability, dyslexia, study abroad.
Candidate Contractual Information: Information provided by Candidates which is required for the final contract (in addition to Personal Details). Includes acceptance of offer.
Other Contractual Information: Information added by the employer in order to draw up a contract, e.g. salary, job title, hours.
On-Boarding Information: Additional information supplied by the Candidate in order to complete the hiring process; may include bank details, proof of right to work, next of kin, etc.
Equal Employment Opportunity (EEO) Information: Gender, race, religion, veteran status, disability, or other diversity information.
Other Information collected from all Data Subjects: Unique identifiers such as username, account number or password; IP address; Personal Data derived from a user’s use of the Services such as records and business intelligence information; metadata including sent, to, from, date, time, subject, which may include Personal Data; geolocation based upon IP address; file attachments that may contain Personal Data; survey, feedback and assessment messages; information offered by users of the Services as part of support enquiries; other data added by the Data Controller from time to time. |
Sensitive Data | Personal Data transferred includes but is not limited to the following special categories of Personal Data:
|
The frequency of the processing and transfer | Continuous basis for the duration of the Agreement. |
Nature of the processing | Processing operations include but are not limited to:
1. Personal Contact data is used to communicate with Candidates and employees during the recruitment process.
2. Screening/Selection data is used to decide on Candidate suitability for jobs which are applied to, or to identify jobs for which Candidates may be more suitable. Screening may be manual or automatic or a combination of both.
3. Evaluation data is used to record assessment of Candidate suitability for jobs that the Candidate is being considered for, including status within the recruitment process.
4. Candidate feedback and application source data is used to improve the recruitment process.
5. Special Requirements data is used to make accommodation in the recruitment process for any needs participants may have.
6. Candidate Contractual Information and Other Contractual Information is used to compile contractual documentation (e.g. job offer and contract) and to record the contract. Candidate data may also be transferred to other systems that are under the control of the data controller, data processor and subcontractors (e.g. payroll systems, reporting tools).
7. On-Boarding Information is used to prepare for new hires starting work, including setting up payroll information, benefits, and proof of right to work, including the transfer of information to other systems and subcontractors (e.g. payroll systems, background checking agencies).
8. EEO Information is used to monitor the recruitment process to ensure recruitment practices are fair.
9. Data is used as part of aggregate data used by decision analytics, algorithms and reports to provide analysis, insights and predictions to help improve recruitment and drive efficiencies. Aggregated insights, analysis, and learnings are shared completely anonymised.
In carrying out the above, the data is processed as follows:
Nature and purposes of the processing for Parsing Services (where used)
In the event where Oleeo hosts the Parsing technology then the following applies:
Where Client wishes Oleeo to send data to third parties which provide additional services to the Client, e.g. HR, payroll integration, assessment provider services.
Where AI functionality to match candidates in a talent pool to jobs is used, CV/Applications & Jobs (input) are fed into an algorithm. Skills (output) are extracted from CV/apps & Jobs and are tagged to the CV or Job. A Job's skills tags are fed into a search window, where they are adjusted by a recruiter. These skills are fed into a second algorithm that ranks the set of skills associated with each CV, thus ranking CVs.
Where AI functionality to allow a candidate to search for jobs using their CV/Resume is used, CV/Applications & Jobs (input) are fed into an algorithm. Skills (output) are extracted from CV/apps & Jobs and are tagged to the CV or Job. A candidate’s skills tags are fed into a search window, where they are adjusted by the candidate. These skills are fed into a second algorithm that ranks the set of skills associated with each job, thus ranking jobs. |
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: | The Client may specify the period of time for which Personal Data may be retained. Unless agreed otherwise in writing, as per the above, Personal Data will be retained for the duration of the Agreement, and the provisions of the “Plan for return and destruction” set out below. |
Plan for return and destruction of the data once the processing is complete | Controller may download data from Processor’s systems and request the return of Personal Data provided outside of the Processor’s systems. Data shall be deleted in accordance with the following: (i) Subject to (ii), Client may in its absolute discretion by written notice to Oleeo require Oleeo to (a) return a complete copy of all Client Personal Data to Client by secure file transfer at Client’s cost; and (b) delete and procure the deletion of all other copies of Client Personal Data processed by Oleeo or any Subprocessor; (ii) Oleeo or any Subprocessor may retain Client Personal Data to the extent required by Applicable Law and only to the extent and for such period as required by that law and always provided that Oleeo shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Law requiring its storage and for no other purpose. Upon request, the Processor’s system can be configured to auto-anonymise or auto-delete data after a period specified by the Client in the vacancy. (Additional Costs apply). Alternatively, deletion can be achieved by the Client through a manually audited process at a period specified by the Client. Where Parsing is used by the Client and the Parsing technology is hosted by a Subprocessor, the data held by the Subprocessor will be erased within a maximum of 48 hours further to completion of processing. |
For transfers to (Sub-) processors, also specify subject matter, nature and duration of the processing: | The Subprocessor list published in Appendix C of this DPA sets out the Personal Data processed by, and the services provided by, each Subprocessor. |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs) | Where the EU GDPR applies, the Irish Data Protection Authority - Data Protection Commission, (DPC). Where the UK GDPR applies, the UK Information Commissioner's Office, (ICO). Where the FADP applies, the Swiss Federal Data Protection and Information Commissioner, (FDPIC). |
Appendix B
Security Policy
Technical and Organisational Security Measures (Including Technical and Organisational Measures to Ensure the Security of Data)
Below is a description of the technical and organisational measures implemented by Oleeo (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Where applicable this Appendix B will serve as Annex II to the SCCs.
Measure | Description |
Measures of pseudonymisation and encryption of Personal Data | For the purpose of transfer control, an encryption technology is used (e.g. remote access to the Oleeo network via two-factor VPN tunnel and full disk encryption). The suitability of an encryption technology is measured against the protective purpose. The Controller’s archived data is encrypted at rest using FIPS 140-2 compliant AES-256 encryption. Data in transit is protected by Transport Layer Security (“TLS”) 1.2 or above ciphers. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and "need-to-know" principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person. To maintain data access control, encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk. |
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | The Processor maintains redundancy throughout its IT infrastructure in order to minimise the unavailability or loss of data. Backups are maintained daily in accordance with our backup procedures. The Processor maintains a disaster recovery policy and practises executing the policy at least once per calendar year. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | The Processor conducts multiple internal audits based on various frameworks (CIS, NIST etc.). The Processor obtains an external security and compliance audit once per calendar year. |
Measures for user identification and authorisation | Oleeo offers Single Sign-On, Multi-factor Authentication and username and password. Oleeo can also offer IP address restriction. Access to sensitive data is based on need to know and least privilege, managed through configuration. Access to each Client’s environment can be limited to the configuration or production environment only, or a combination of both. Access will be based on each Client’s requirements. |
Measures for the protection of data during transmission | Data in transit is protected by Transport Layer Security (“TLS”) v1.2 or above or Secure Shell Protocol (SSH). |
Measures for the protection of data during storage | The Controller’s archived data is encrypted at rest using AES-256 encryption and data in transit is protected by Transport Layer Security (“TLS”). |
Measures for ensuring physical security of locations at which Personal Data are processed | Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorisations. Third party data centres are monitored by security personnel and have 24/7 CCTV coverage. Access for employees is only possible with an encoded photo ID, biometrics and key pad PIN entry. All other persons have access only after having registered beforehand (e.g. at the main entrance). Access to special security areas for remote maintenance is additionally protected by a separate access area. The constructional and substantive security standards comply with the security requirements for data centres. |
Measures for ensuring events logging | All requests and request processing are logged; it is therefore possible to review retroactively whether and by whom Personal Data was entered, altered or deleted. |
Measures for ensuring system configuration, including default configuration | Oleeo’s base solution includes default configuration that has been through robust Quality Control measures. Oleeo’s Quality Control processes are ISO 9001 certified. From the point of implementation onwards, Oleeo ensures client-specific system configuration through a process of quality control, managed by Oleeo and/or the Client depending on whether the Client is managing their own System Configuration. System configuration is pushed from the Configuration environment to the Production environment following testing by the Client and/or Oleeo as appropriate. |
Measures for internal IT and IT security governance and management | Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems. The Controller’s Personal Data is stored in a way that logically separates it from other customer data. Data is stored in separate databases and file system directories secured by application access control. Application access control prevents cross-querying more than one individual client system. |
Measures for certification/assurance of processes and products | The Processor is ISO 27001 certified and will continue to maintain this certification for the term of the Agreement. The technical and organisational measures defined herein are implemented on the basis of the international standard ISO 27001. The Processor shall maintain controls materially as protective as those provided in ISO 27001. The Processor utilises third party data centres that maintain current ISO 27001 certifications. The Processor will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. Upon the Controller’s written request (no more than once in any 12 month period), the Processor shall provide within a reasonable time a copy of the most recently completed certification and/or attestation reports (to the extent that to do so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties. The Processor is Cyber Essentials and Cyber Essentials Plus certified and will continue to maintain these certifications for the term of the Agreement. |
Measures for ensuring data minimisation | Oleeo provides manual and/or automated deletion facilities for the controller to manage their deletion requirements in line with their data minimisation policy. |
Measures for ensuring data quality | The Processor does not assess the quality of the data provided by the Controller or Users. The Processor provides reporting tools within its product to help the Controller understand and validate the data that is stored. |
Measures for ensuring limited data retention | Oleeo provides manual and/or automated deletion facilities for the controller to manage their deletion requirements in line with their data minimisation policy. |
Measures for ensuring accountability | The Processor internally reviews its information security policies semi-annually to ensure they are still relevant and are being followed. All employees that handle sensitive data must acknowledge the information security policies. These employees are assessed on information security policies once per year. A disciplinary policy is in place for employees that do not adhere to information security policies. |
Measures for allowing data portability and ensuring erasure | The Services have built-in tools that allow the Controller to export and permanently erase data. |
Measures to be taken by the (Sub-) processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-processor, to the Data Exporter). | The transfer of Personal Data to a third party (e.g. customers, subcontractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCCs. |
Appendix C
Subprocessors
This Appendix sets out the Subprocessors Oleeo uses to help provide the Services.
Oleeo engages the following Subprocessors and the Client agrees all of these Subprocessors may have access to Client Personal Data in line with the Services and functionality used, as listed in the Oleeo Subprocessor table.
https://community.oleeo.com/p/subprocessor-table