Data Protection


Data Processing Addendum

This Data Processing Addendum (“Addendum”) is incorporated into the agreement(s) between the customer (“Customer” or “Controller”) and the Workable entity contracting with the Customer (“Workable” or “Processor”) for the Customer’s use of the Services (“Agreement”).

This Addendum forms part of and is subject to all provisions of the terms available at workable.com/terms (“Terms”), or other agreements between the Controller and Processor governing the Controller’s use of the Services.

The Controller enters this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if authorized by Workable, acting as a Controller. For clarity, Customer’s Affiliates are permitted to use the Services pursuant to the Agreement but have not signed their separate agreement. All access to and use of the Services by the Affiliates must comply with the terms and conditions of this Addendum and any violation of the terms of this Addendum by an Affiliate shall be deemed a violation by the Controller.

If a Customer has signed a Data Processing Agreement with a Workable entity or has negotiated specific data protection terms in their Workable Quote, this separate agreement shall prevail over this Addendum.

Data processing descriptions

Under Data Protection Law, the Processor shall only Process Personal Data in accordance with the Controller’s documented Instructions, as regulated in the Addendum. This document forms part of the Controller’s Instructions, directing the Processor on the scope, nature, and purpose when Processing Personal Data on behalf of the Controller.

The Instructions may be amended in writing by the Controller from time to time, as communicated in writing to the Processor by an authorized representative of the Controller or through the Controller’s use of the Service.

  1. Scope of processing

    The Processor shall Process Personal Data hereunder exclusively within the scope of the provision of the Service.

  2. Purpose of processing

    The Processor shall Process Personal Data only for the purpose of enabling the Controller to manage its recruitment processes through the Controller’s use of the Service.

  3. Categories of data subjects

    Employees, including current and former employees, trainees and interns, pre-hires, applicants and sourced candidates.

    External recruitment consultants

  4. Types of personal data

    The Controller may choose to store additional information on candidates.

  5. Special categories of personal data

    The Processor does not anticipate processing any data falling into the special categories of data as set out in the GDPR; however, it is not possible for the Processor to control the information that candidates or authorized users of the Controller choose to share with each other using the Service.

  6. Processing activities

  7. Duration of processing

    Personal Data shall not be Processed for a period longer than is necessary for serving its purpose. In respect of all Processing activities other than storage of the Personal Data, the Processing shall cease on expiry or termination of the Services. In relation to storage of the Personal Data, the Processing shall cease in accordance with clause 7 above.

  8. Sub-processor

    The Processor has engaged sub-processor(s) for carrying out specific Processing activities on behalf of the Controller. A full list of those sub-processor(s) can be found at the webpage presented below:

    https://www.workable.com/subprocessors

  9. Processing location

    Processing takes place in the following country/countries: United Kingdom, United States, Greece

The following includes the information required by Annex I and Annex III of the EU SCCs and Tables 1 and 4 of the UK Addendum.

  1. List of parties

    Data exporter(s):

    Name: Customer’s entity as identified in the online order form or the Workable Quote, as applicable

    Address: Customer’s address as identified in the online order form or the Workable Quote, as applicable

    Contact person’s name, position and contact details: As identified in the online order form or the Workable Quote, as applicable

    Signature and date: The date of execution of the online order form or the Workable Quote.

    Role (controller/processor): Controller

    Data importer(s):

    Name: The Workable entity identified in the online terms or the Workable Quote, as applicable.

    Address: The address identified in the online terms or the Workable Quote, as applicable

    Contact person’s name, position and contact details: support@workable.com attn of DPO

    Activities relevant to the data transferred under these Clauses: ATS and HRIS service provider

    Signature and date: The date of execution of the online order form or the Workable Quote.

    Role (controller/processor): Processor

  2. Description of transfer

    Categories of data subjects whose personal data is transferred

    The personal data transferred concern the following categories of data subjects (please specify):

    Categories of personal data transferred

    The personal data transferred concern the following categories of data (please specify):

    The Exporter may choose to store additional information on candidates.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    The Importer does not anticipate processing any data falling into the special categories of data as set out in the GDPR; however, it is not possible for the Importer to control the information that candidates or authorized users of the Exporter choose to share with each other using the Service.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    The transfer takes place on a continuous basis for the duration of the Agreement.

    Nature of the processing

    The Importer will process and access personal data on a routine basis as necessary to provide the Services as described in the Workable Terms. The below processing activities take place:

    Purpose(s) of the data transfer and further processing

    The Importer will process Personal Data as necessary to provide the Services under the Agreement.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    The Importer will process Personal Data for the purpose of providing the Services for the duration of the Services as identified in the Quote or until the Exporter elects to delete such Personal Data via the Workable Platform. In relation to storage of the Personal Data, the Processing shall cease in accordance with the Addendum.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    The transfer to sub-processors is on a continuous basis for the duration of the Services.

  3. Competent supervisory authority

    Identify the competent supervisory authority/ies in accordance with Clause 13

    Hellenic Data Protection Authority

  4. List of authorised subprocessors

    The Exporter has authorized the use of the sub-processors identified at: https://www.workable.com/subprocessors

Description of the Technical and Organisational Security Measures implemented by the Data Processor/Importer

The following security measures include the information required by Annex II of the EU SCCs and Table 3 of the UK Addendum:

https://www.workable.com/static/downloads/technical-and-organisational-security-measures.pdf