Data Protection

Data Processing Addendum

This Data Processing Addendum (“Addendum”) is incorporated into the agreement(s) between the customer (“Customer” or “Controller”) and the Workable entity contracting with the Customer (“Workable” or “Processor”) for the Customer’s use of the Services (“Agreement”).

This Addendum forms part of and is subject to all provisions of the terms available at workable.com/terms (“Terms”), or other agreements between the Controller and Processor governing the Controller’s use of the Services.

The Controller enters this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if authorized by Workable, acting as a Controller. For clarity, Customer’s Affiliates are permitted to use the Services pursuant to the Agreement but have not signed their separate agreement. All access to and use of the Services by the Affiliates must comply with the terms and conditions of this Addendum and any violation of the terms of this Addendum by an Affiliate shall be deemed a violation by the Controller.

If a Customer has signed a Data Processing Agreement with a Workable entity or has negotiated specific data protection terms in their Workable Quote, this separate agreement shall prevail over this Addendum.

1. Definitions

   1. "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
   2. “Agreement" means the Workable quote or acceptance of the online Terms of Use, whichever is applicable.
   3. “Customer” means the entity identified in the online order form or the Workable Quote, as applicable.
   4. "Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.
   5. “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (ii) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the UK Data Protection Act 2018; (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (v) the revised Federal Act on Data Protection (Switzerland) (the “FDAP”); in each case, as updated, amended or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor,” “controller,” and “supervisory authority” shall have the meanings set forth in the GDPR.
   6. “Data Subject” means a natural person who can be identified, directly or indirectly, by the Personal Data.
   7. “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
   8. “Instructions” means the Controller’s lawful and reasonable instructions for the Processing of Personal Data as indicated herein, by the Controller’s use of the Service or in writing by the Controller to the Processor;
   9. “Personal Data” means any information relating to an identified or identifiable natural person, including an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
   10. “Processing” or “to Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   11. “SCCs” means i) the EU SCCs, where the GDPR applies, ii) the UK Addendum, where the UK GDPR applies.
   12. “Services” shall have the meaning set out in the Terms.
   13. “Sub-processor” means any third party engaged by the Processor, or its Sub-processor, to Process Personal Data on behalf of the Controller.
   14. “UK Addendum” means the International Transfer Addendum or Addendum to the EU SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022.
   15. “Workable” means the Workable entity as identified in the online order form or the Workable Quote, as applicable.

2. Data processing

   1. The Processor agrees to comply with Data Protection Law, and with any other applicable law to the extent it is not in conflict with Data Protection Law.
   2. The Processor shall only Process the Personal Data in accordance with the Controller’s Instructions.
   3. Notwithstanding any other provision of this Addendum, if the law in the United Kingdom, EU or any EU member state requires the Processor to conduct Processing of the Personal Data other than in accordance with the Controller’s Instructions, such Processing shall not constitute a breach of this Addendum. The Processor shall inform the Controller of such legal requirements before carrying out such Processing unless such notification is prohibited by applicable law on important grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an Instruction infringes Data Protection Law.
   4. The Processor shall enable the Controller to access, rectify, erase, restrict and transmit the Personal Data Processed by the Processor. The Processor shall comply with any requests by the Controller related to the above without undue delay and in any event within 30 calendar days.
   5. The Processor shall notify the Controller without undue delay as to any contacts with a supervisory authority, concerning or of significance for, the Processing of Personal Data carried out on behalf of the Controller. The Processor may not represent the Controller, nor act on the Controller’s behalf, against any supervisory authority or other third party.
   6. The Processor shall assist the Controller in its contacts with any supervisory authority, including, upon the Controller’s instruction, by providing any information requested by the supervisory authority. For the avoidance of doubt, the Processor may not disclose Personal Data or any information on the Processing of Personal Data without the consent of the Controller.
   7. If a Data Subject requests information from the Processor concerning the Processing of Personal Data, the Data Subject shall be instructed to address the request to the Controller and the Processor shall assist the Controller in responding to such request as obliged by Data Protection Law. The Processor shall use appropriate technical and organisational measures to assist the Controller by, taking into account the nature of the Processing.
   8. In the event that a Data Subject has requested from the Customer to permanently delete all their data, and the Customer has not done so within a reasonable time, and has not notified Workable of any requirement of the Customer for Workable to retain the personal data, Workable reserves the right to remove such personal data and shall not be liable in any way for any loss or damage suffered by Customer arising from such Candidate exercising their rights.
   9. The Processor shall impose adequate contractual obligations regarding confidentiality and security upon its personnel which have been authorised to Process Personal Data.
   10. The Processor shall provide reasonable assistance to enable the Controller to comply with the Controller’s obligations under Data Protection Law, e.g., assist with security measures, data protection impact assessments (including prior consultation), and in situations involving Personal Data breach.
   11. The Processor shall maintain a record of all Processing activities carried out on behalf of the Controller. Upon the Controller’s request, the Processor shall promptly make the record available to the Controller in a generally readable electronic format.
   12. All services, assistance and co-operation provided by the Processor to the Controller, upon Controller’s request, pursuant to this Addendum shall be chargeable at Workable’s then prevailing time and materials rates for professional services or such other charges as may, at the relevant time, be agreed by the parties in writing, unless such request is made by Controller in order to investigate and mitigate the consequences of Processor’s breach of this Addendum or an incident as referred to in Clause 3.2 that has arisen as a result of any breach by the Processor.

3. Security

   1. The Processor shall implement appropriate technical and organisational security measures to protect the Personal Data in accordance with Data Protection Law. The Processor shall particularly observe the guidelines issued or approved by supervisory authorities.
   2. The Processor, to the extent permitted and required by applicable law, shall notify the Controller, in writing, without undue delay after the Processor has become aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
   3. The Processor must be able to verify its compliance with this Addendum and Data Protection Law and shall maintain adequate documentation verifying the fulfilment of its obligations hereunder. Further, the Controller, or a third party approved by the Controller, may conduct audits to ensure that the Processor is complying with this Addendum and Data Protection Law. Any such audits will be carried out following the provision of reasonable written notice and not more than once in any twelve (12) month period, unless the Controller is required to in order to fulfil its obligations of Data Protection Law or to comply with a decision imposed against the Controller by a supervisory authority or a competent court of justice. The Processor shall, following the Controller’s request and without undue delay, provide necessary assistance and allow inspection of any relevant documentation and, to the extent such documentation is not deemed sufficient, its Processing facilities. Each Party shall bear its own costs related to the audit.

4. Sub-processing

   1. The Controller acknowledges and agrees that the Processor may engage its Affiliates and the Authorised Sub-processors to access and process Personal Data in connection with the Services. The Controller hereby gives the Processor a general written authorisation to engage Sub-processors to Process the Personal Data of the Controller (“Authorised Sub-processors”). A list of Workable’s current Sub-Processors (the “List”) shall be made available to the Controller at the following link https://www.workable.com/subprocessors, via email or through any other means made available to the Controller. The List may be updated by the Processor from time to time. The Processor provides a mechanism to subscribe to notifications concerning updates to the Sub-Processors at the bottom of the Terms of Use Page (https://www.workable.com/terms) and the Controller agrees to subscribe to such notifications where available.
   2. Where Processor intends to add a new Sub-processor it shall make details of such new Sub-processor available on the Website at least 30 days (“Notice Period”) before transferring any personal data to a new Sub-processor. The Controller shall notify the Processor during the Notice Period if it objects to the new Sub-processor. If the Controller does not object to the Sub-processor during the Notice Period, the Controller shall be deemed to have accepted the Sub-processor. If the Controller has raised a reasonable objection to the new Sub-processor and the parties have failed to agree on a solution within the Notice Period, the Controller shall have the right to terminate this Addendum and the Service with a reasonable notice period, without prejudice to any other remedies available under law or contract. During the Notice Period, the Processor shall not transfer any Personal Data to the Sub-processor.
   3. The Processor shall enter into appropriate written agreements with all of its Sub-processors on terms substantially similar to this Addendum, including without limitation the Controller’s right to conduct audits at the Sub-processor in accordance with clause 3.3 above or ensure that the Sub-processor will conduct audits using external auditors at least once per year. The Processor shall remain fully liable to the Controller for the performance or non-performance of the Sub-processor’s obligations.
   4. Upon the Controller’s request, the Processor is obliged to provide information regarding any Sub-processor, including name, address and the Processing carried out by the Sub-processor.

5. Transfer of personal data outside the EEA and the UK

   1. If the Processing carried out by the Processor includes the transfer of Personal Data to a country outside of the EEA or the United Kingdom which is not recognised by the European Commission or the United Kingdom to have an adequate level of protection in accordance with Data Protection Laws, one of the transfer mechanisms described in this clause shall be applicable.
   2. Workable participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, Workable (i) provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) will notify Customer if Workable makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
   3. If the Data Privacy Framework does not apply/or is invalidated as a transfer mechanism, the Controller and the Processor agree that such transfer is made pursuant to the EU SCCs Module Two (Controller to Processor), and, if applicable, the UK Addendum, which are deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
      1. The optional docking clause in Clause 7 does not apply;
      2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in clause 4.2 of this Addendum;
      3. In Clause 11, the optional language does not apply;
      4. All square brackets in Clause 13 are hereby removed;
      5. In Clause 17 (Option 1), the EU SCCs will be governed by Greek law;
      6. In Clause 18 (b), disputes will be resolved before the courts of Athens, Greece;
      7. Exhibit B to this Addendum contains the information required in Annex I and Annex III of the EU SCCs;
      8. Exhibit C to this Addendum contains the information required in Annex II of the EU SCCs; and
      9. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement.
   4. If Processing of Personal Data under this Addendum includes the transfer of Personal Data, which is processed in accordance with the UK GDPR, the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the UK Government in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018, such transfers are made pursuant to Module Two of the EU SCCs, as completed above, and to the UK Addendum, which will be completed as follows:
      1. In Table 1 of the UK Addendum, the Parties’ details and key contact information is located in Exhibit B section 1.
      2. In Table 2 of the UK Addendum, information about the version of the Approved EU SCCs, modules and selected clauses which this UK Addendum is appended to is located in clauses 5.1.1 to 5.1.3.
      3. In Table 3 of the UK Addendum:
      4. By entering into this Addendum the Parties are deemed to have signed the UK Addendum incorporate herein, including its Annexes.
   5. If and to the extent there is conflict or inconsistency between the EU SCCs or the UK Addendum and any other terms in this Addendum, or the Workable Terms, the provisions of the EU SCCs or the UK Addendum, as applicable, shall prevail.
   6. If the Processing of Personal Data under this Addendum includes the transfer of Personal Data to a Sub-processor located in a country outside of the EEA or the UK which is not recognised by the European Commission or the United Kingdom to have an adequate level of protection in accordance with Data Protection Law, and the Sub- processor is not self-certified under the Data Privacy Framework, the Processor shall be entitled and obligated to enter into a supplementary agreement with the Sub-processor containing the relevant SCCs, before any Personal Data is transferred to such Sub-processor.

6. Liability

   The liability of each party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Workable Customer Terms and Conditions.

7. Term

   1. The Controller may delete or request the return of all personal data on termination of the Services and the Processor shall act in accordance with the Controller’s instructions. Where the Controller has not deleted the personal data prior to the termination of the Services, Processor may delete all personal data at any time after 90 days following the date of termination unless otherwise required by applicable law. Until personal data is deleted or returned to the Controller, Processor shall continue to ensure compliance with the terms of this agreement.
   2. This requirement shall not apply to the extent that Workable is required by any applicable law to retain some or all of the personal data, in which event Workable shall isolate and protect the Personal Data from any further processing except to the extent required by such law until deletion is possible.
   3. This Addendum is applicable from the date of its execution and until all Personal Data is erased in accordance with clause 7.1 above.

8. Dispute resolution

   1. This Addendum shall be governed by and construed in accordance with the laws as specified in the Agreement. The Parties hereby submit to the jurisdiction of the courts specified in the Agreement.
   2. For any disputes arising out of the Standard Contractual Clauses, where the EU SCCs are applicable, the Greek Courts shall have the exclusive jurisdiction, while where the UK Addendum is applicable, the courts in the United Kingdom shall have exclusive jurisdiction.

9. Conflict

   1. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses, or, where applicable, the UK Addendum; (2) the terms of this Addendum; (3) the Workable Agreement.

10. Updates

    Workable may update the terms of this Addendum from time to time, provided such updates do not degrade or diminish overall Customer’s rights. Any changes Workable may make to this Addendum in the future will be notified and made available to the Customers that have subscribed to be notified for updates in the Agreement.

EXHIBIT A

Data processing descriptions

Under Data Protection Law, the Processor shall only Process Personal Data in accordance with the Controller’s documented Instructions, as regulated in the Addendum. This document forms part of the Controller’s Instructions, directing the Processor on the scope, nature, and purpose when Processing Personal Data on behalf of the Controller.

The Instructions may be amended in writing by the Controller from time to time, as communicated in writing to the Processor by authorized representative of the Controller or through the Controller’s use of the Service.

1. Scope of processing

   The Processor shall Process Personal Data hereunder exclusively within the scope of the provision of the Service.

2. Purpose of processing

   The Processor shall Process Personal Data only for the purpose of enabling the Controller to manage its recruitment processes through the Controller’s use of the Service.

3. Categories of data subjects

   Employees, including current and former employees, trainees and interns, pre-hires, applicants and sourced candidates.

   External recruitment consultants

4. Types of personal data

   • Name (name and surname)
   • Address
   • Nationality
   • Password
   • User name
   • E-mail address
   • Telephone number
   • Salary
   • Employment terms (incl salary and benefits)
   • IP-address
   • Links to social profiles
   • Resume
   • Videos

   The Controller may choose to store additional information on candidates.

5. Special categories of personal data

   Processor does not anticipate processing any data falling into the special categories of data as set out in the GDPR, however, it is not possible for Processor to control the information that candidates or authorized users of the Controller choose to share with each other using the Service.

6. Processing activities

   • Collection
   • Registration
   • Storing
   • Accessing, reading or consultation
   • Erasure or destruction

7. Duration of processing

   Personal Data shall not be Processed for a period longer than is necessary for serving its purpose. In respect of all Processing activities other than storage of the Personal Data, the Processing shall cease on expiry or termination of the Services. In relation to storage of the Personal Data, the Processing shall cease in accordance with clause 7 above.

8. Sub-processor

   The Processor has engaged sub-processor(s) for carrying out specific Processing activities on behalf of the Controller. A full list of those sub-processor(s) can be found at the webpage presented below:

   https://www.workable.com/subprocessors

9. Processing location

   Processing takes place in the following country/countries: United Kingdom, United States, Greece

EXHIBIT B

The following includes the information required by Annex I and Annex III of the EU SCCs and Table 1 and 4 of the UK Addendum.

1. List of parties

   Data exporter(s):

   Name: Customer’s entity as identified in the online order form or the Workable Quote, as applicable

   Address: Customer’s address as identified in the online order form or the Workable Quote, as applicable

   Contact person’s name, position and contact details: As identified in the online order form or the Workable Quote, as applicable

   Signature and date: The date of execution of the online order form or the Workable Quote.

   Role (controller/processor): Controller

   Data importer(s):

   Name: The Workable entity identified in the online terms or the Workable Quote, as applicable.

   Address: The address identified in the online terms or the Workable Quote, as applicable

   Contact person’s name, position and contact details: support@workable.com attn of DPO

   Activities relevant to the data transferred under these Clauses: ATS and HRIS service provider

   Signature and date: The date of execution of the online order form or the Workable Quote.

   Role (controller/processor): Processor

2. Description of transfer

   Categories of data subjects whose personal data is transferred

   The personal data transferred concern the following categories of data subjects (please specify):

   • Employees, including current and former employees, trainees and interns, pre-hires, applicants, and sourced candidates.
   • External recruitment consultants

   Categories of personal data transferred

   The personal data transferred concern the following categories of data (please specify):

   • Name (name and surname)
   • Address
   • Nationality
   • Password
   • User name
   • E-mail address
   • Telephone number
   • Salary
   • Employment terms (incl salary and benefits)
   • IP-address
   • Links to social profiles
   • Resume
   • Videos

   The Exporter may choose to store additional information on candidates.

   Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

   The Importer does not anticipate processing any data falling into the special categories of data as set out in the GDPR, however, it is not possible for the importer to control the information that candidates or authorized users of the Exporter choose to share with each other using the Service.

   The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

   The frequency of the transfer is a continuous basis for the duration of the Agreement.

   Nature of the processing

   The Importer will process and access personal data on a routinely basis as necessary to provide the Services as described in the Workable Terms. The below processing activities take place:

   • Collection
   • Registration
   • Storing
   • Accessing, reading or consultation
   • Erasure or destruction

   Purpose(s) of the data transfer and further processing

   The Importer will process Personal Data as necessary to provide the Services under the Agreement.

   The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

   The Importer will process Personal Data for the purpose of providing the Services for the duration of the Services as identified in the Quote or until the Exporter elects to delete such Personal Data via the Workable Platform. In relation to storage of the Personal Data, the Processing shall cease in accordance with the Addendum.

   For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

   The transfer to sub-processors is on continuous basis for the duration of the Services.

3. Competent supervisory authority

   Identify the competent supervisory authority/ies in accordance with Clause 13

   Hellenic Data Protection Authority

4. List of authorised subprocessors

   The Exporter has authorized the use of the sub-processors identified at: https://www.workable.com/subprocessors

EXHIBIT C

Description of the Technical and Organisational Security Measures implemented by the Data Processor/Importer

The following security measures include the information required by Annex II of the EU SCCs and Table 3 of the UK Addendum:

https://www.workable.com/static/downloads/technical-and-organisational-security-measures.pdf