Visage Data Processing Addendum

Updated: September 20, 2021

This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (collectively, the “DPA“), sets forth the parties’ obligations with respect to the processing of Personal Data contained in Customer Profiles and Visage Profiles in connection with the Service, and is incorporated into and forms part of the terms and conditions of the Master Service Agreement or any other agreement under which Visage provides services to Customer (“Agreement“) entered into by and between Visage, Inc. (“Visage“) and the party identified as the customer in the Agreement or the Order Form(s) (“Customer“).

By signing the Order Form(s), Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Permitted Affiliates.  For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates.  

This DPA shall replace any comparable or additional rights or terms relating to the processing of Personal Data contained in any existing data processing addendum to the Agreement.

RECITALS

WHEREAS, in connection with the Service each party may process certain Personal Data, of which Customer or its Affiliates may be a controller or a business (as applicable) and Visage may be a controller or a business (as applicable) or, in certain circumstances, a processor or a service provider (as applicable); and

WHEREAS, the parties want to (i) ensure that both parties comply with Data Protection Laws when processing such Personal Data; and (ii) ensure adequate safeguards are in place to protect such Personal Data when it is processed pursuant to the Agreement.

NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

1.                          Definitions. Any capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement.

1.1                      Affiliate” means any entity under the control of a party where “control” means ownership of or right to control greater than 50% of the voting securities of such entity.

1.2                      Data Protection Laws” means as applicable to a party’s processing of Personal Data under the Agreement: (i) European Data Protection Laws and; and (iii) California Consumer Privacy Act of 2018, Cal. Civ. Code section 1798.100 et seq. (“CCPA“) and its implementing regulations; in each case, as may be amended, superseded or replaced from time to time.

1.3                      Europe” means, for the purposes of this DPA, the European Economic Area (“EEA“) and their Member States, Switzerland and the United Kingdom.

1.4                      European Data Protection Laws” means all data protection and privacy laws and regulations enacted in Europe, including: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws“); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“); (iv) Directive 2002/58/EC (the “e-Privacy Directive”); and (v) all applicable national data protection and privacy laws made under or pursuant to (i), (ii), (iii) or (iv); in each case, as may be amended, superseded or replaced from time to time.

1.5                      Permitted Affiliate” means any Affiliate of Customer which: (i) is subject to Data Protection Laws; (ii) is permitted to use the services provided by Visage pursuant to the Agreement; and (iii) has not signed its own Order Form or Agreement with Visage and is not a “Customer” as defined under the Agreement.

1.6                      Personal Data” means any information which is protected as “personal data”, “personally identifiable information”, or “personal information” under applicable Data Protection Laws.

1.7                      Security Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Visage Profiles processed by Customer or Customer Profiles processed by Visage (or any of their respective processors or service providers) under or in connection with the Agreement.

1.8             “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, a copy of which is available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.

1.9                      Sub-processor” means any third party processor engaged by Visage to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.  Sub-processors may include third parties or Visage Affiliates but shall exclude any Visage employee, independent contractor or consultant.

1.10                   The terms “controller“, “data subject“, “processor” and “processing” shall have the meaning given to them in European Data Protection Laws and “process“, “processes” and “processed” shall be interpreted accordingly; and the terms “business“, “consumer“, “sale” (including the terms “sell“, “selling“, “sold” and other variations thereof) and “service provider” shall have the meaning given to them in the CCPA.

2.                         Scope and Applicability of this DPA

2.1                      Scope: This DPA applies where and only to the extent that either party processes Personal Data that is subject to Data Protection Laws in connection with the Service provided by Visage to Customer pursuant to the Agreement:

a)                   Part A (Platform Service) applies to the processing of Customer Profiles in connection with the Platform Service;

b)                  Part B (Crowd Service) applies to the processing of Visage Profiles in connection with the Crowd Service;

c)                   Part C (General Obligations) and the Standard Contractual Clauses apply to the processing of Personal Data (whether in Customer Profiles or Visage Profiles) in connection with the Service. For the avoidance of doubt, Part C shall apply in addition to and not in substitution for the terms in Part A and Part B (as applicable).

2.2                      Role of the Parties: The parties acknowledge and agree that:

a)                   Customer is a controller or business (as applicable) of Customer Profiles and Visage shall process Customer Profiles only as a processor or a service provider (as applicable) on behalf of Customer; and

b)                  each party is a controller or a business (as applicable) of Visage Profiles and shall process Visage Profiles in accordance with and as permitted by this Agreement (including this DPA) and Data Protection Laws.

PART A: Platform Service

3.                         Processor Terms

3.1                      Processor Obligations: The terms contained in this Section 3 (Processor Terms) apply to the extent Visage processes any Customer Profiles on behalf of Customer in connection with the provision of the Platform Service, as further described in Annex A of this DPA.

3.2                      Customer Obligations. Customer shall be responsible for:

a)                   Complying with all applicable Data Protection Laws, in respect of its use of the Service, its processing of Customer Profiles, and any processing instructions it issues to Visage;

b)                  Ensuring it has the right to transfer, or provide access to, Customer Profiles to Visage for processing pursuant to the Agreement including this DPA; and

c)                   Providing all notice and obtaining all consents necessary under applicable Data Protection Laws for Visage to lawfully process Customer Profiles for the purposes contemplated by the Agreement, including this DPA.

3.3                      Processing Instructions: As a processor or a service provider (as applicable), Visage shall not process, collect, retain, use, or disclose Customer Profiles for any purpose, including a commercial purpose, other than for the specific purposes described in the Agreement (including this DPA) and only in accordance with Customer’s documented lawful instructions.  In no event shall Visage (a) sell any Customer Profiles unless Visage has obtained Customer’s express prior written approval in each instance; (b) retain, use, or disclose Customer Profiles outside of the parties’ direct business relationship. The parties agree that the Agreement sets out the Customer’s complete and final instructions to Visage in relation to the processing of Customer Profiles and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.

3.4                      Sub-processing: Customer agrees that Visage may engage Sub-processors to process Customer Profiles on Customer’s behalf for the purposes of providing the Service. The list of Sub-processors currently engaged by Visage available here: https://visage.jobs/sub-processors-list/ (“Sub-processor List”). Visage shall provide Customer with a mechanism to subscribe to notifications of new Sub-processors, to which Customer may subscribe and if Customer subscribes, Visage shall notify Customer if it makes any changes to its Sub-processor List at least 10 days prior to any such change.  Visage will remain responsible for any acts or omissions of its Sub-processors that cause Visage to breach any of its obligations under this DPA.

3.5                      Deletion on Termination:  Upon termination or expiry of the Agreement, Visage shall as soon as reasonably practicable, delete all Customer Profiles (including copies) in its possession or control, save that this requirement shall not apply to the extent Visage is required by applicable law to retain some or all of the Customer Profiles, or to Customer Profiles it has archived on back-up systems, which Customer Profiles Visage shall securely isolate and protect from any further processing and delete in accordance with its deletion practices, except to the extent required by applicable Law.

3.6                      Security Audits: Visage shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that are necessary to confirm Visage’s compliance with this DPA provided that Customer shall not exercise this right more than once per calendar year.

3.7                      Onsite Audit: Where required by Data Protection Laws or where a competent data protection authority requires this under Data Protection Laws, Visage shall in addition allow Customer or another auditor approved by the parties, on giving at least thirty (30) days’ prior written notice to Visage, to (at Customer’s expense) audit compliance with this DPA and to inspect Visage’s facilities, equipment, documents and electronic data relating to the processing of the Customer Profiles by Visage, provided that: (i) Customer shall not exercise this right more than once every twelve (12) months; (ii) such additional audit enquiries shall not unreasonably impact in an adverse manner Visage’s regular operations and do not prove to be incompatible with applicable legislation or with the instructions of a competent authority. Before the commencement of any such additional audit inquiries, Customer and Visage shall mutually agree upon the scope, timing and duration of the audit. If Customer and Visage cannot agree upon the scope, timing and duration or the audit, then Visage can, at its sole discretion, suspend or the affected Service (without prejudice to any fees incurred by Customer prior to suspension or termination). Where applicable, the parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing Visage to comply with the audit measures described in Sections 3.6 and 3.7 of this DPA.

3.8                      Security Breach Response:  Upon becoming aware of a Security Breach affecting Customer Profiles, Visage shall notify Customer without undue delay and shall provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer.

3.9                      Security: Visage shall implement appropriate technical and organizational security measures as required by Data Protection Laws to protect the Customer Profiles from Security Breaches and to preserve the security and confidentiality of Customer Profiles in accordance in accordance with the Visage security standards described in Annex B (“Security Measures“). Visage may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service. Visage shall ensure that any person who is authorized by Visage to process Customer Profiles shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

3.10                   Additional European Terms: The additional terms in this Section 3.10 only apply where and to the extent Customer is established in Europe or Customer Profiles are otherwise subject to European Data Protection Laws.

a)                   Processing Instructions: Visage shall notify Customer in writing, unless prohibited from doing so under European Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates applicable European Data Protection Laws.

b)                  Sub-processor Obligations.  Visage will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Profiles as this DPA and to the extent applicable to the nature of the services provided by such Sub-processor. For the purposes of Clause 9 of the Standard Contractual Clauses, Customer acknowledges that Visage may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality obligations but Visage shall use reasonable efforts to provide Customer with all information it reasonably can in connection with Sub-processor agreements upon request.

c)                   Objection to Sub-processors. Customer may object in writing to Visage’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Visage promptly in writing within 5 calendar days of receipt of any notice provided by Visage in accordance with Section 3.4. In the event Customer objects to a Sub-processor, the parties shall discuss Customer concerns in good faith with a view to achieving a commercially reasonable resolution.  If no such resolution can be reached, Visage will, at its sole discretion, either (i) not appoint Sub-processor; or (ii) permit Customer to suspend or terminate the affected Service (without prejudice to any fees incurred by Customer prior to suspension or termination).

d)                  Data Protection Impact Assessment. To the extent Visage is required under applicable European Data Protection Laws and/or Customer does not already have access to the relevant information, Visage shall provide reasonably requested information regarding Visage’s processing of Customer Profiles under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by European Data Protection Laws.

PART B: Crowd Service

4.                         Controller Terms

4.1                      Processor Obligations: The terms contained in this Section 4 (Controller Terms) will apply to the extent Visage shares Visage Profiles with Customer in connection with the provision of the Crowd Service, as further described in Annex A of this DPA.

4.2                      Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller or a business (as applicable under Data Protection Laws) and neither party shall be responsible for the other party’s compliance with Data Protection Laws.  In particular, each party shall be individually responsible for ensuring that its processing of Visage Profiles is lawful, fair and transparent, and shall make available to data subjects a privacy statement that fulfils the requirements of Data Protection Laws. Visage shall be responsible for complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws in order to disclose Visage Profiles to Customer to process such Customer Profiles for the Permitted Purpose.

4.3                      Purpose Limitation. Customer shall process Visage Profiles only for the purposes described in Annex A and for purposes that are consistent with the consents (if applicable) given by the data subjects (the “Permitted Purpose“).

4.4                      Restrictions. Except as may be expressly stated in the applicable Order Form, permitted in writing by Visage or where required or necessary under applicable law, Customer will not sell, disclose, or share Visage Profiles (or any part or derivative thereof) with any third party (except for any third parties, including service providers or processors, required to provide the services to Customer.)

4.5                      Alternative Purpose: If Customer wishes to process Visage Profiles for a new or different purpose other than the Permitted Purpose (“Alternative Purpose”), it may do so provided it does all such acts and things as are necessary to ensure that its proposed processing of Visage Profiles for the Alternative Purpose fulfils the requirements of Data Protection Laws (including by obtaining any consents from data subjects, where necessary). Provided such requirements are met, the Alternative Purpose shall be deemed a Permitted Purpose.

PART C: General Obligations

5.                         Correspondences and Cooperation.

5.1                      Correspondence: The parties shall, on request, provide each other with all reasonable and timely assistance and co-operation (at their own expense) to enable the other party to comply with its obligations under Data Protection Laws, including in order to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under Data Protection Laws (including its rights of access, correction, objection, erasure, data portability, and right to opt-out from the sale of their personal information as applicable) in relation to Personal Data processed hereunder; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data  hereunder (collectively “Correspondence“).

5.2                      Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in connection with the processing of Personal Data where the Correspondence relates to the processing conducted by the other party; provided however, that where Visage is acting as a processor or a service provider (as applicable) under this DPA, it shall not respond directly to any Correspondence except where good faith efforts to contact and involve Customer have failed, for requests made by consumers invoking their rights under the CCPA, where Visage shall inform the requestor that the request cannot be acted upon because the request has been sent to a service provider and/or where failure to respond may result in liability for Visage under Data Protection Laws.

5.3                      Visage cooperation: Visage shall provide the assistance and co-operation described in Section 5.2 to the extent that Customer is unable to independently access the relevant Personal Data within the Service. To the extent legally permitted, Customer shall be responsible for any costs related to Visage’s provision of such services.

6.                         International Transfers.

6.1                      Processing Locations.  Customer acknowledges and agrees that Visage may transfer and process Customer Profiles to and in the United States and other locations in which Visage, its Affiliates or its Sub-processors maintain data processing operations.  Visage shall at all times ensure such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

6.2                        Transfers of Customer Profiles. Where Customer transfers (directly or via onward transfer) Customer Profiles protected by European Data Protection Laws to Visage located in a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree that the Standard Contractual Clauses shall be incorporated by reference and apply and form part of the Agreement as follows: (i) Visage shall be deemed the “data importer” and Customer shall be deemed the “data exporter”; (ii) the Module Two terms shall apply; (iii) in Clause 7, the optional docking clause shall apply; (iv) in Clause 9, Option 2 shall apply and the list of Subprocessors and time period for notice of changes shall be as agreed under Section 3.4 of the DPA; (v) in Clause 11, the optional language shall be deleted; (vi) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by [Irish] law; (vii) in Clause 18(b), disputes shall be resolved before the courts of the [Ireland]; (viii) Annex I and Annex II shall be deemed completed with the information set out in Annex A and Annex B of this DPA respectively; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.    

6.3              Transfers of Visage Profiles. Where Visage transfers (directly or via onward transfer) Visage Profiles protected by European Data Protection Laws to Customer located in a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree that the Standard Contractual Clauses shall be incorporated by reference and apply and form part of the Agreement as follows: (i) Customer shall be deemed the “data importer” and Visage shall be deemed the “data exporter”; (ii) the Module One terms shall apply; (iii) in Clause 7, the optional docking clause shall apply; (iv) in Clause 11, the optional language shall be deleted; (v) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by [Irish] law; (vi) in Clause 18(b), disputes shall be resolved before the courts of the [Ireland]; (vii) Annex I and Annex II shall be deemed completed with the information set out in Annex A and Annex B of this DPA respectively; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.

6.4                        UK and Swiss Transfers. In relation to Personal Data that is subject to the UK Data Protection Laws or Swiss DPA, the Standard Contractual Clauses shall apply in accordance with Sections 6.2 and 6.3 above and the following additional modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to UK Data Protection Laws or the Swiss DPA and the equivalent articles or sections therein (as applicable); (ii) references to “EU”, “Union” and “Member State” shall be replaced with references to the “UK” or “Switzerland” (as applicable); (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable); and (iv) in Clause 17 and Clause 18(b), the Standard Contractual Clauses shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales or Switzerland (as applicable).

6.4             Alternate Data Transfer Mechanisms. To extent that and for so long as the Standard Contractual Clauses as implemented in accordance with Section 6.3 of the DPA cannot be relied on to lawfully process Personal Data in compliance with UK Data Protection Laws, the applicable standard data protection clauses issued, adopted or permitted under UK Data Protection Lawsshall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Annex A and Annex B of this DPA. Additionally, in the event that (i) European Data Protection Laws  and/or a relevant regulator or court of competent requires the parties to adopt additional measures (“Additional Measures“) or an alternative data export solution (“Alternative Transfer Mechanism“) to enable the lawful transfer of Personal Data outside of Europe, both parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which the Personal Data is transferred).

7.                         Miscellaneous

7.1                      Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.  If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.

7.2                      Customer acknowledges that Visage may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, a European data protection authority, or any other US or European judicial or regulatory body upon their request.

7.3                      Notwithstanding anything to the contrary in the Agreement, Visage may periodically make modifications to this DPA as may be required to comply with Data Protection Laws.

7.4                      This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

 

 

Annex A – Description of Processing

Annex A(A): Platform Service

List of parties

Data Exporter

Data Importer

Name:

The Customer name as set out in the Agreement or applicable orders for the Service.

Visage, Inc.

Address:

The Customer address as set out in the Agreement or applicable orders for the Service.

Visage Inc., 200 Wylie KuyKendall Ln, Kyle, TX 78640, United States

 

Contact Person’s Name, position and contact details:

The Customer’s contact information as set out in the Agreement or applicable orders for the Service.

privacy@visage.jobs  

Activities relevant to the transfer:

Provision of the Service by Visage to Customer pursuant to the Agreement.

Provision of the Service by Visage to Customer pursuant to the Agreement.

Role:

Controller

Processor

 

Description of the processing

Description

Categories of data subjects:

The Personal Data concern Candidates who represent a potential good fit for a position that the Customer aims to fill and sourced by Customer or its third-party service providers and employees of Customer who use the Platform Service.

Categories of personal ‌‌data:

·           Contact details (including names, email address, phone number);

·           Location data (such as country, state and city of residence);

·           Academic and professional qualifications (such as degrees, titles, skills, language proficiency, training information, employment history, CV/résumé);

·           Comments  made by Customer on candidate profiles;

·           Customer review information of the candidate profiles;

·           Conversations sent by Customers to the candidates.

Sensitive data:

N/A

Frequency:

Continuous

Nature and subject matter:

Visage and/or its Subprocessors are providing services and support or fulfilling contractual obligations towards Customer as described in the Agreement. These services may include the processing of Personal Data by Visage and/or its Subprocessors and performing services on devices that may contain Personal Data.

Purpose(s):

The Personal Data is processed for the following purposes:

·           to allow Customer to manage and evaluate the adequacy of the candidates selected and decide on moving or not each candidate forward in the recruiting process;

·           to allow Customer to manage their candidate pipeline;

·           to allow Customer to contact their candidates;

·           to allow Customer to collaborate with their team during the recruitment process.

Duration and retention period:

The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of Customer Profiles by Visage in accordance with the terms of the Agreement, including this DPA.

 

Competent supervisory authority

 

For the purposes of Clause 13 of the Standard Contractual Clauses, the competent supervisory authority is either (i) where Customer is established in the EEA, the supervisory authority responsible for ensuring Customer’s compliance with the GDPR; or (ii) where Customer is not established in the EEA, the supervisory authority in the EEA member state where Customer’s EU representative has been appointed pursuant to Article 27(1) of the GDPR or where the data subjects relevant to the transfer are located. In relation to Personal Data that is subject to UK Data Protection Laws and/or the Swiss DPA, the competent supervisory authority is the UK Information Commissioners Office or the Swiss Federal Data Protection and Information Commissioner (as applicable).        

 

 

Annex A(B) Crowd Service

List of parties

Data Exporter

Data Importer

Name:

Visage, Inc.

The Customer name as set out in the Agreement or applicable orders for the Service.

Address:

Visage Inc., 200 Wylie KuyKendall Ln, Kyle, TX 78640, United States

 

The Customer address as set out in the Agreement or applicable orders for the Service.

Contact Person’s Name, position and contact details:

privacy@visage.jobs  

The Customer’s contact information as set out in the Agreement or applicable orders for the Service.

Activities relevant to the transfer:

Provision of the Service by Visage to Customer pursuant to the Agreement.

Provision of the Service by Visage to Customer pursuant to the Agreement.

Role:

Controller

Controller

 

Description of the processing

Description

Categories of ‌data ‌subjects:

The Personal Data concern Candidates who represent a potential good fit for a position that the Customer aims to fill and sourced by Visage or its third-party service providers as part of the Crowd Service.

Categories of ‌personal ‌‌data:

·           Contact details (including names, email address, phone number);

·           Location data (such as country, state and city of residence);

·           Academic and professional qualifications (such as degrees, titles, skills, language proficiency, training information, employment history, CV/résumé);

·           Comments made by Customer about the candidate profile added by Visage or its third-party service providers.

‌Sensitive data:

N/A

Frequency:

Continuous

‌Nature and subject matter:

Visage and/or its Subprocessors are providing services and support or fulfilling contractual obligations towards Customer as described in the Agreement. These services may include the processing of Personal Data by Visage and/or its Subprocessors and performing services on devices that may contain Personal Data.

Purpose(s):

The Personal Data is processed for the following purposes:

·           to allow Customer to evaluate the adequacy of the candidates selected and decide on moving or not each candidate forward in the recruiting process;

·           to allow Customer to manage their candidate pipeline;

·           to allow Customer to contact their candidates.

Duration and retention period:

The data will be processing and deleted in accordance with Customer’s data retention practices.

 

Competent supervisory authority

 

The Irish Data Protection Commissioner        

 

 

 

 

Annex B – Security Measures

Visage’s Security Measures to protect Customer Profiles against Security Breach can be found here: https://visage.jobs/security-measures/