Start your job search todayJob Search
Data Processing Agreement
Langhill Associates Ltd/ Langhill VPP (“Langhill”) have entered into an agreement or agreements (the “Service Agreement”) pursuant to which Langhill provides Company with a license to post jobs on Langhill’s platform (the “Langhill Services”). In the event Company chooses to use Langhill’s Langhill Studios product to create and post video jobs, this Data Processing Agreement (“DPA”) will apply to Company’s use of Langhill Studios. This DPA supplements the Service Agreement and describes certain data processing and transfer obligations of the parties. In the event of any inconsistency between the DPA and the Service Agreement, the DPA shall control.
- Definitions. In this DPA, the following terms shall have the meanings set out below. Other capitalized terms used but not otherwise defined herein shall have the meanings ascribed to such terms in the Service Agreement.
- “Controller” means the party that determines the purposes and means of the Processing of Personal Data.
- “Content” means video content uploaded by Company.
- “Data Protection Laws and Regulations” means laws and regulations applicable to the Processing of Personal Data under the Agreement, including applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, including without limitation Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”) or, the superseding Regulation on Privacy and Electronic Communications (“e-Privacy Regulation”), once effective.
- “Data Subject” means an identified or identifiable natural person, as defined under Data Protection Laws and Regulations.
- “Personal Data” means any information relating to a Data Subject that is Processed by Langhill on behalf of Company pursuant to the terms of the Agreement.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- “Process,” “Processes,” “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the party which Processes Personal Data on behalf of the Controller.
- “Subprocessor” means any Processor engaged by Langhill in the provision of Langhill Services to Company, as further described in Section 2.4 of this DPA.
- Protection of Personal Data
- Relationship of Parties: For the purposes of the Agreement, Company is the Controller and appoints Langhill as a Processor to Process Personal Data on behalf of Company in connection with Company’s use of Langhill Services pursuant to the Service Agreement. The Processor and Controller shall each comply with their respective obligations applicable to it under the Data Protection Laws and Regulations and this DPA.
- Purpose Limitation: Langhill shall Process Personal Data in order to perform Langhill’s obligations, or as otherwise permitted, under the Agreement as a Processor, and in accordance with the documented instructions of Company, except where otherwise required by applicable Data Protection Laws and Regulations. The purposes of Processing, which constitute Company’s instructions, are as described in the Agreement, including Schedule A to this DPA, and any other exhibits, statements of work or addenda attached to or otherwise incorporated into the Agreement (the “Permitted Purpose”). Langhill shall immediately inform Company if, in its opinion, an instruction infringes applicable Data Protection Laws and Regulations.
- Cross-Border Transfers: If Personal Data is transferred under the Agreement from the European Economic Area or Switzerland by Company as Controller to Langhill as Processor, or otherwise by Langhill as Processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, has determined does not ensure an adequate level of protection of Personal Data, then Langhill will subscribe to an appropriate legal instrument for such transfer (such as the EU-U.S. Privacy Shield Framework) or take such other measures as may be required under applicable Data Protection Laws and Regulations. Langhill shall maintain its Privacy Shield certification for the term of the Langhill Services.
- Company acknowledges and agrees that Langhill may engage Subprocessors in connection with the provision of Langhill Services. A list of approved Subprocessors is available in Schedule B. Langhill will provide an updated list of subprocessors upon request.
- Langhill will enter into a written agreement with each Subprocessor containing data protection obligations no less protective than those in this DPA or as may otherwise be required by applicable Data Protection Laws and Regulations. Langhill shall remain liable for any failure by a Subprocessor to fulfill its obligations in relation to Processing Personal Data.
- Notices and Consents:
- General: Company shall comply with all applicable Data Protection Laws and Regulations, including: (a) providing all required notices and appropriate disclosures to all Data Subjects regarding Company’s, and Langhill’s, Processing and transfer of Personal Data; and (b) obtaining all necessary rights and valid consents from Data Subjects (including Data Subjects within Company’s Content) to permit Processing by Langhill for the purposes of fulfilling Langhill’s obligations, or as otherwise permitted, under the Agreement.
- Children; Sensitive Data: Company is responsible for compliance with all applicable Data Protection Laws and Regulations regarding its Content, including without limitation those that regulate content directed toward children (as defined under applicable Data Protection Laws and Regulations; for example, under 13 years old in the United States or under 16 years old in certain other countries). Company’s use of Langhill Services in connection with the distribution of Content and/or Processing of sensitive Personal Data of a Data Subject (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation) must be in compliance with all applicable Data Protection Laws and Regulations, including obtaining any explicit consent from Data Subjects whose Personal Data is provided to Langhill for Processing.
- Cooperation and Data Subjects’ Rights
- Langhill will provide reasonable and timely assistance, at Company’s request, to enable Company to respond to: (a) a request from a Data Subject to exercise any rights under applicable Data Protection Laws and Regulations (including rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with Processing of Personal Data. If a Data Subject contacts Langhill directly to request access to, or correction or deletion of, Personal Data in connection with services provided to Company by Langhill, Langhill will promptly notify Company of the request.
- Investigations and Audits
- Regulatory Audit. Langhill shall reasonably assist and support Company in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to Langhill’s Processing of Personal Data.
- Company Audit. Upon at least 30 days’ advance written request by Company, at mutually agreed times and subject to Langhill’s reasonable audit guidelines, Langhill shall provide to Company, its authorized representatives and/or independent inspection body designated by Company: (a) reasonable access to records of Langhill’s Processing of Personal Data; and (b) reasonable assistance and cooperation of Langhill’s relevant staff for the purpose of auditing Langhill’s compliance with its obligations under this DPA. Langhill reserves the right to restrict access to its proprietary information, including but not limited to its network architecture, internal and external test procedures, test results and remediation plans. Company will use best efforts to minimize disruption to Langhill Services and Langhill’s business operations. Company further agrees that: (i) personnel (or designated third parties) performing said audits will be bound by the confidentiality obligations set forth in the Agreement; (ii) all findings will be deemed Langhill’s Confidential Information; (iii) Company will share all findings with Langhill; and (iv) Langhill will classify and remediate all findings in accordance with Langhill’s risk management program.
Company is limited to one audit in any 12-month period, except (i) if and as required by a competent data protection authority; or (ii) Company believes a further audit is necessary as a result of a Personal Data Breach relating to Langhill Services.
- Data Protection Impact Assessment. Langhill shall, upon Company’s written request, provide Company with reasonable cooperation and assistance to fulfill Company’s obligations under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Company’s use of Langhill Services.
- Notice of Non-Compliance
- If required by applicable Data Protection Laws and Regulations, in the event that Langhill is unable to comply with its obligations in this DPA, Langhill shall promptly notify Company, and if Langhill is unable to take reasonable and appropriate steps to remediate the non-compliance within a mutually-agreed upon timeframe, Company may take any one or more of the following actions: (a) suspend the transfer of Personal Data to Langhill; (b) require Langhill to cease Processing Personal Data to the extent technically possible; (c) demand the return or destruction of Personal Data; and/or (d) terminate this DPA in accordance with the Service Agreement.
- Data Security
- Langhill shall ensure that all personnel with access to Personal Data are subject to written obligations of confidentiality and that Personal Data is Processed only for the Permitted Purpose.
- Security Measures. Langhill shall establish measures to ensure the confidentiality, security, and integrity of Personal Data and to ensure that Personal Data is not disclosed or accessed contrary to the provisions of the Service Agreement, this Personal Data Protection Agreement or any applicable Privacy Requirements. Langhill shall implement and maintain appropriate administrative, technical and physical safeguards and other appropriate security measures designed to ensure that Langhill and its employees, agents, and subcontractors (i) maintain the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; (iii) protect against any Personal Data Breach.
- Breach Notification. If Langhill becomes aware of a Personal Data Breach involving Langhill Services, Langhill will: (a) promptly, and without undue delay following Langhill’s discovery thereof, notify Company of such Personal Data Breach; (b) investigate, remediate and mitigate the effects of the Personal Data Breach; (c) reasonably cooperate with Company’s investigation of the Personal Data Breach to the extent that such cooperation does not compromise Langhill’s security; (d) take any additional actions and provide any additional cooperation to Company as may reasonably be required under applicable Data Protection Laws and Regulations; and (e) upon resolution, provide Company with a written incident report describing the breach, actions taken during the response and plans for future actions to prevent a similar breach from occurring in the future.
- Deletion or Return of Personal Data
- Upon termination or expiration of the Agreement or at any time at Company’s written request, Langhill shall: return to Company or destroy all Personal Data, except as otherwise permitted by applicable Data Protection Laws and Regulations.
- This DPA will terminate automatically when the Service Agreement terminates or expires, without further action required by either party. Provisions of this DPA that by their nature and on their face should survive, will survive any such termination or expiration.
- This DPA shall be governed by and construed in accordance with the governing law set forth in the Service Agreement, except where otherwise required by applicable Data Protection Laws and Regulations.
Data Processing Description
This Schedule A forms part of the DPA and describes the Processing that Langhill shall perform on behalf of Company.
Controller (Company) uploads video Content to Langhill Services.
Processor (Langhill) is a provider of job posting services which include video job postings. Langhill Services may include analytics and other usage data relating to Company’s use of Langhill Services.
The Personal Data to be Processed concerns the following categories of Data Subjects:
- Individuals who appear in videos uploaded by Company
Categories of data
The Personal Data to be Processed include the following categories of data (some or all of which may not be considered Personal Data under applicable Data Protection Laws and Regulations):
- Images of persons included in videos uploaded by Company
- Accompany text describing persons included in such videos, including names, job titles, or other personal data
Special categories of data (if appropriate)
The Personal Data to be Processed concern the following special categories of data:
- None, as images are not special categories of data when used for Services.
“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.” – GDPR Recital 51
The Personal Data will be subject to the following basic Processing activities:
- Video Content will be hosted, distributed, and published by Langhill Services