Data Protection
This Data Processing Addendum (“Addendum”) is incorporated into the agreement(s) between the customer (“Customer” or “Controller”) and the Workable entity contracting with the Customer (“Workable” or “Processor”) for the Customer’s use of the Services (“Agreement”).
This Addendum forms part of and is subject to all provisions of the terms available at workable.com/terms (“Terms”), or other agreements between the Controller and Processor governing the Controller’s use of the Services.
The Controller enters this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if authorized by Workable, acting as a Controller. For clarity, Customer’s Affiliates are permitted to use the Services pursuant to the Agreement but have not signed their separate agreement. All access to and use of the Services by the Affiliates must comply with the terms and conditions of this Addendum and any violation of the terms of this Addendum by an Affiliate shall be deemed a violation by the Controller.
If a Customer has signed a Data Processing Agreement with a Workable entity or has negotiated specific data protection terms in their Workable Quote, this separate agreement shall prevail over this Addendum.
The liability of each party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Workable Customer Terms and Conditions.
Workable may update the terms of this Addendum from time to time, provided such updates do not degrade or diminish overall Customer’s rights. Any changes Workable may make to this Addendum in the future will be notified and made available to the Customers that have subscribed to be notified for updates in the Agreement.
Under Data Protection Law, the Processor shall only Process Personal Data in accordance with the Controller’s documented Instructions, as regulated in the Addendum. This document forms part of the Controller’s Instructions, directing the Processor on the scope, nature, and purpose when Processing Personal Data on behalf of the Controller.
The Instructions may be amended in writing by the Controller from time to time, as communicated in writing to the Processor by authorized representative of the Controller or through the Controller’s use of the Service.
The Processor shall Process Personal Data hereunder exclusively within the scope of the provision of the Service.
The Processor shall Process Personal Data only for the purpose of enabling the Controller to manage its recruitment processes through the Controller’s use of the Service.
Employees, including current and former employees, trainees and interns, pre-hires, applicants and sourced candidates.
External recruitment consultants
The Controller may choose to store additional information on candidates.
Processor does not anticipate processing any data falling into the special categories of data as set out in the GDPR, however, it is not possible for Processor to control the information that candidates or authorized users of the Controller choose to share with each other using the Service.
Personal Data shall not be Processed for a period longer than is necessary for serving its purpose. In respect of all Processing activities other than storage of the Personal Data, the Processing shall cease on expiry or termination of the Services. In relation to storage of the Personal Data, the Processing shall cease in accordance with clause 7 above.
The Processor has engaged sub-processor(s) for carrying out specific Processing activities on behalf of the Controller. A full list of those sub-processor(s) can be found at the webpage presented below:
https://www.workable.com/subprocessorsProcessing takes place in the following country/countries: United Kingdom, United States, Greece
The following includes the information required by Annex I and Annex III of the EU SCCs and Table 1 and 4 of the UK Addendum.
Data exporter(s):
Name: Customer’s entity as identified in the online order form or the Workable Quote, as applicable
Address: Customer’s address as identified in the online order form or the Workable Quote, as applicable
Contact person’s name, position and contact details: As identified in the online order form or the Workable Quote, as applicable
Signature and date: The date of execution of the online order form or the Workable Quote.
Role (controller/processor): Controller
Data importer(s):
Name: The Workable entity identified in the online terms or the Workable Quote, as applicable.
Address: The address identified in the online terms or the Workable Quote, as applicable
Contact person’s name, position and contact details: support@workable.com attn of DPO
Activities relevant to the data transferred under these Clauses: ATS and HRIS service provider
Signature and date: The date of execution of the online order form or the Workable Quote.
Role (controller/processor): Processor
Categories of data subjects whose personal data is transferred
The personal data transferred concern the following categories of data subjects (please specify):
Categories of personal data transferred
The personal data transferred concern the following categories of data (please specify):
The Exporter may choose to store additional information on candidates.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The Importer does not anticipate processing any data falling into the special categories of data as set out in the GDPR, however, it is not possible for the importer to control the information that candidates or authorized users of the Exporter choose to share with each other using the Service.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The frequency of the transfer is a continuous basis for the duration of the Agreement.
Nature of the processing
The Importer will process and access personal data on a routinely basis as necessary to provide the Services as described in the Workable Terms. The below processing activities take place:
Purpose(s) of the data transfer and further processing
The Importer will process Personal Data as necessary to provide the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Importer will process Personal Data for the purpose of providing the Services for the duration of the Services as identified in the Quote or until the Exporter elects to delete such Personal Data via the Workable Platform. In relation to storage of the Personal Data, the Processing shall cease in accordance with the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The transfer to sub-processors is on continuous basis for the duration of the Services.
Identify the competent supervisory authority/ies in accordance with Clause 13
Hellenic Data Protection Authority
The Exporter has authorized the use of the sub-processors identified at: https://www.workable.com/subprocessors
The following security measures include the information required by Annex II of the EU SCCs and Table 3 of the UK Addendum:
https://www.workable.com/static/downloads/technical-and-organisational-security-measures.pdf