Data processing agreement ("AVV" or "Agreement") between Company and JOIN
JOIN has set itself the mission of connecting job seekers and companies worldwide.
JOIN has set itself the mission of connecting job seekers and companies worldwide. Companies can use the JOIN platform at https://join.com (hereinafter referred to as "platform") to advertise vacancies and manage applications received in one central location. Our services are designed to make the recruiting process easier for companies and employees alike, especially for the allocation of suitable candidates and simplifying the job application procedure. The platform also gives candidates the opportunity to search for interesting job offers and find out what vacancies are available.
The Company can manage specific application procedures on the platform using a web-based management tool ("applicant management tool"). In this context, personal data generated by the Company for the respective application process is processed by JOIN acting as the processor for the Company as the controller as defined by the current data protection laws. As for JOIN's other services, such as the allocation of suitable candidates or offers for candidates, personal data is processed by JOIN as the controller as defined by the current data protection laws.
This AVV serves to protect the parties against the improper use of the personal data processed in the applicant management tool, to ensure data protection by JOIN due to personal data that the Company has made known to them, and to comply with the legal requirements in the event that the business relationship between the company and JOIN should be deemed as data processing.
This AVV shall form part of every service agreement between the parties, unless otherwise expressly agreed in a contract to be concluded after the conclusion of this AVV. This document, including all appendices, also specifies the data protection obligations of the parties from the underlying service agreement as follows:
1. Scope and definitions
1.1 The following provisions only apply to JOIN services that qualify as data processing within the framework of the service agreement, in particular the applicant management tool.
1.2 Where the term "data processing" or "processing" of data is used in this agreement, this generally refers to the use of personal data. Data processing or the processing of data means any operation or series of operations performed upon personal data, with or without the aid of automated processes. The term is also defined as such in Art. 4 No. 2 of the General Data Protection Regulation ("GDPR") and Art. 3 (a) of the Swiss Data Protection Act ("DSG") (GDPR and DSG together" applicable data protection laws").
1.3 Reference is made to the other definitions in Art. 4 GDPR and Art. 3 DSG.
2. Subject and duration of the agreement
2.1 Under this AVV, JOIN shall process personal data exclusively on behalf of and in accordance with the Company's instructions. This includes in particular those processing services that JOIN provides for the Company via the applicant management tool solely for application management in accordance with the service agreement. In this service agreement and in Section 4, the parties have specified the details in accordance with Article 28 (3) GDPR, in particular the subject and duration of the data processing, as well as the handling, nature and purpose of the intended data processing, the type of data and those affected.
2.2 The data processing by JOIN on behalf of the Company is carried out in accordance with Art. 28 GDPR and Art. 10 (a) DSG. The company always remains the entity responsible for data processing.
3. Ranking of the contractual agreements
The provisions of this AVV are an integral part of the service agreement between the parties and take precedence over the other contractual agreements of the parties, in particular other contracts that contain provisions that deviate from those of this AVV to the detriment of the Company. Clause 1.1. remains unaffected. The provisions of this AVV do not apply to the processing of personal data that JOIN, as the controller, provides to the company as part of the service agreement.
4. Purpose, scope and nature of data processing
The parties hereby agree that the purpose of the data processing is the fulfilment of the contractual purposes according to the service agreement, in particular the implementation and management of specific application processes, which can be accessed by the Company via the applicant management tool on the JOIN platform. The scope and nature of data collection, processing and/or use of personal data are determined by the provisions of the service agreement as well as the services actually used by the Company.
5. Persons affected
The persons affected by the handling of personal data within the framework of the service agreement include
6. Types of personal data
The following types of data are particularly affected by order processing:
If this data is processed as part of other JOIN services, such as the allocation of suitable candidates or services for candidates, this does not take place within the scope of this AVV. In such cases, JOIN shall process this data as the controller as defined by the current data protection laws.
7. Rights and obligations of the Company
7.1 The Company alone is responsible for assessing the admissibility of the data processing carried out by JOIN on behalf of the Company and for safeguarding the rights of those affected pursuant to Article 4 No. 7 GDPR and Article 3 (i) DSG. The Company is particularly, but not exclusively, responsible for (1) fulfilling the data protection information obligations with regard to the candidates, (2) obtaining the necessary consent from the candidates for the processing of the data by the Company or JOIN, if this is absolutely required according to the current data protection laws, and (3) to comply with the deletion deadlines applicable to the respective application process.
7.2 As the data controller, the company is entitled at any time to issue instructions on the nature, scope and procedure of the data processing carried out on behalf of the customer. Verbal instructions must be confirmed by the company in writing (including email).
7.3 If the Company deems it necessary, persons authorised to issue instructions may be named. The information must be provided in writing by the Company. In the event that there is a change in the persons authorised to issue instructions at the Company, the Company shall inform JOIN of this in good time, naming the new person or persons in each case.
7.4 The Company shall inform JOIN if errors or irregularities are detected in connection with the processing of personal data by JOIN.
7.5 The Company is entitled check the compliance of the technical and organisational data security measures taken by JOIN in accordance with Section 9 before the start of data processing and then at regular intervals, but no more than once a year, after timely prior notification of at least 30 days during normal business hours and taking into account the interests of JOIN. The Company can also have this check carried out by a third party, provided they have previously concluded a confidentially agreement. The Company is obliged to pay the usual remuneration to the persons entrusted implementing these measures.
7.6 The Company is obliged to inform JOIN about data protection incidents or other breaches of the current data protection laws affecting JOIN's processing activities.
7.7 The Company shall inform JOIN promptly if it becomes aware of specific measures taken by the supervisory authorities affecting the Company, in particular investigative measures by the authorities, provided that this affects data processing for the Company and the Company is not obliged to maintain confidentiality.
8. JOIN's obligations
8.1 Data processing
JOIN is obliged to process personal data under this AVV solely in accordance with this agreement and/or the underlying service agreement and the instructions of the Company.
8.2 Rights of data subject
JOIN will support the Company as far as possible in fulfilling the rights of data subjects, in particular with regard to correction, restriction of processing and deletion, notification and provision of information.
JOIN shall, on the company's instructions, rectify, delete or restrict the processing of the personal data processed on behalf of the Company. This obligation does not apply to personal data that JOIN processes as controller as part of the services it offers via the platform.
If a data subject contacts JOIN directly to request correction, deletion or restriction of processing of his or her personal data, JOIN shall forward this request to the Company immediately upon receipt. The Company shall remain responsible for the execution of the requests.
8.3 Internal control obligations
JOIN shall implement the appropriate control measures, e.g. internal audits, data protection concept, etc., to ensure that the personal data processed under this AVV is processed in accordance with this agreement and the corresponding instructions.
8.4 Duty to inform
JOIN, as the controller, shall inform the Company if, according to its own assessment, an instruction violates legal regulations. JOIN shall then be entitled to suspend the execution of the corresponding instruction until it is amended by the company. This does not hereby justify JOIN's obligation to check or notify.
JOIN shall notify the Company of any breach of data protection regulations, of the regulations made in the service agreement and the agreement and/or the instructions issued, which occurs in the course of the processing of data by it, persons employed by it or other third parties entrusted with the processing, if this triggers the current data protection reporting obligations.
If access to the personal data that the company has transmitted to JOIN for data processing is endangered by measures taken by third parties (e.g. measures taken by an insolvency administrator, confiscation by tax authorities, etc.), JOIN is obliged to notify the company of this.
JOIN shall only pass on information to a party requesting information after prior agreement with the Company, unless JOIN is obliged to provide information by government measures or court decisions.
8.5 Creation of a processing log
Upon request, JOIN shall support the Company in compiling a list of processing activities within the scope of the AVV and the data processing that is taking place and provide the necessary information in a suitable manner.
JOIN shall also maintain its own log of all categories of processing activities carried out on behalf of the Company in accordance with the provisions of the current data protection laws.
8.6 Reporting obligations
JOIN shall support the company upon request in fulfilling the obligations pursuant to Art. 33-36 DSGVO.
8.7 Place of data processing
Unless otherwise agreed between the parties, the processing and use of the data by JOIN takes place exclusively in Switzerland, the European Union or in another treaty state of the Agreement on the European Economic Area. Any relocation of JOIN's data processing activities to a third country is only permitted if the special requirements of Art. 44 et seq. GDPR or Art. 6 DSG are observed.
8.8 Deletion of personal data after termination of the agreement
After the termination of the service agreement, JOIN is obliged at the request of the Company to hand over to the Company all personal data, documents and processing and usage results that are subject to this AVV and that are related to the contractual relationship as well as delete in compliance with data protection and data security guidelines and in accordance with the company's instructions that which JOIN is not contractually or legally entitled or obliged to continue processing. This obligation to delete does not apply to personal data that JOIN processes as controller as part of the services it offers via the platform.
9. Data protection checks and audit rights
9.1 JOIN hereby agrees that the Company is entitled, after prior mutual agreement, to conduct checks for compliance with data protection regulations and contractual agreements to the necessary extent, either itself or through third parties who have previously concluded a confidentially agreement, in particular by obtaining information and inspecting the stored data and systems as well as other on-site controls. In order to exercise the right to conduct checks, JOIN shall grant the Company the right to visit JOIN's premises during its normal business hours upon notification at least 30 days in advance, provided this does not disrupt the course of business and taking into account JOIN's interests, to gain confirmation of the appropriateness of the organisational and technical measures taken and contractually agreed by JOIN to comply with the requirements of the provisions in place for data processing.
9.2 JOIN shall support the company in carrying out checks to the best of its ability and shall provide swift and complete clarification where necessary.
9.3 JOIN shall accept any control measures by the data protection supervisory authority if there is a legal or obligation to do so. It shall inform the Company in accordance with Section 8.4 after notification or becoming aware of the implementation of the control measure and other enquiries or investigations by the data protection supervisory authority, insofar as the measures or inquiries may affect data processing that JOIN provides for the Company and JOIN is not legally obliged to maintain confidentiality.
9.4 Upon request, JOIN shall confirm in writing compliance with the technical and organizational measures specified in Appendix 1.
10. Subcontracting and Subcontractors
10.1 JOIN is entitled to commission subcontractors with data processing in accordance with the following provisions:
JOIN carefully selects subcontractors based on their suitability and reliability and ensures that the respective subcontractor guarantees an appropriate level of data protection.
If subcontractors are commissioned, a level of protection must always be guaranteed that is comparable to that of this agreement.
JOIN is obliged to draft the contractual agreements with the subcontractors in accordance with the current agreements in the relationship between the Company and JOIN, and to ensure that any supplementary instructions from the Company also apply to the subcontractors.
JOIN shall inform the Company in good time, i.e. no later than two weeks before the start of the planned subcontracting, of any intended change in relation to the involvement or replacement of other processors. If the Company does not object to the subcontracting within two weeks of receiving the information, it is deemed to have been approved. If the Company objects to the subcontracting, the parties shall be entitled to extraordinarily terminate the service agreement and these AVV.
10.2 JOIN shall provide the Company with a copy of the subcontracted processing agreement upon request, provided and insofar as this is not contrary to JOIN’s interests.
10.3 JJOIN shall, at the time of the conclusion of the agreement, cooperate with the subcontractors named in Appendix 2 in the fulfilment of the agreement, the commissioning of which the Company expressly agrees.
11. Data secrecy
11.1 JOIN is obliged to maintain confidentiality and data secrecy when processing data for the Company.
11.2 JOIN shall only use employees or other vicarious agents to fulfil the agreement who are sufficiently committed to data secrecy or confidentiality when handling personal data provided and who have been properly briefed on the data protection requirements.
12. Technical and organisational measures
12.1 The technical and organisational measures outlined in Appendix 1 are obligatory.
12.2 JOIN shall observe the principles of proper data processing in accordance with Article 32 in conjunction with Article 5 (1) GDPR and Article 7 in conjunction with Article 4 DSG. It guarantees the contractually agreed and legally prescribed data security measures outlined in Appendix 1. For the duration of the contractual relationship, JOIN shall take all necessary measures to secure the data and the security of the processing, in particular taking into account the current technology standards, as well as to reduce possible disadvantageous consequences for the data subjects. In order to always be able to guarantee an appropriate level of security for data processing, JOIN shall ensure that the measures implemented are regularly reviewed and, if necessary, upgraded. JOIN is free to make such changes to the technical and organisational measures that increase the agreed level of security. JOIN shall inform the Company of changes made to these measures in good time.
13. Form clause
13.1 Any amendments or additions to this AVV or other agreements made between the parties with reference to it, or any declaration that directly amends the content, scope of the services or obligations of either party under this AVV must be in written form to be effective. This also applies to an amendment to this clause.
13.2 All declarations by the parties, in particular notifications, announcements, statements and other information to be transmitted to the other party, must be in written form to be effective. At the request of the receiving party, which must be asserted in writing promptly after receipt of the declaration, a declaration sent in writing must be confirmed in writing by the declaring party. If the confirmation is not issued, the declaration made in writing is deemed not to have been made.
14. Place of jurisdiction
14.1 The sole place of jurisdiction, also internationally, for all disputes arising directly or indirectly from this AVV shall be the court having jurisdiction for JOIN’s registered office. The agreement on the place of jurisdiction does not apply if the dispute relates to claims other than pecuniary claims or if a sole place of jurisdiction has already been established for the dispute in accordance with the statutory provisions.
14.2 JOIN is entitled to take legal action against the Company at its general place of jurisdiction.
15.1 In the event of any inconsistency between the provisions of this agreement and the provisions of the service agreement, the provisions of this agreement shall prevail.
15.2 This agreement is governed by Swiss law to the exclusion of the UN Convention on Contracts for the International Sale of Goods and conflict of laws. For customers based in the European Union, the law of the member state in which the Company has its registered office applies.
APPENDIX 1 to the AVV
Technical and organisational measures
JOIN assures that it has taken the following technical and organizational measures:
1. Measures to ensure confidentiality
1.1. Access control
Measures that physically prevent unauthorised persons from accessing IT systems and data processing systems that process personal data, as well as confidential files and data carriers.
1.2 Access control
Measures to prevent unauthorised persons from processing or using data protected by data protection law.
1.3 Access control
Measures that ensure that those authorised to use the data processing procedures can only access the personal data subject to their access authorisation, so that data cannot be read, copied, amended or removed without authorisation during processing, use and storage.
1.4 Separation requirement
Measures to ensure that data collected for different purposes is processed separately and is separated from other data and systems in such a way that this data cannot be inadvertently used for other purposes.
Measures that reduce personal data being directly attributed to a specific data subject during processing in such a way that the identification of a specific data subject is only possible with the inclusion of additional information. This additional information must be stored separately from the pseudonym using suitable technical and organisational measures.
2. Measures to ensure integrity
2.1 Transfer control
Measures to ensure that personal data cannot be read, copied, amended or removed without authorisation during electronic transmission or during their transport or storage on data carriers, as well as measures that can be used to check and determine to where personal data is to be transmitted.
2.2 Data entry control
Measures that ensure whether and by whom personal data has been accessed, amended or removed in the IT systems can be subsequently checked and determined.
3. Measures to ensure availability and reliability
3.1 Availability control
Measures to ensure that personal data is protected against accidental destruction or loss.
3.2 Rapid recoverability
Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.
4. Measures to regularly evaluate data processing security
Measures to ensure data protection-compliant and secure processing.
5. Measures to ensure reliability
Measures to ensure that all functions of the system(s) are available and that any malfunctions that occur are reported.
6. Measures to ensure reliability
Measures to ensure that personal data collected for different purposes can be processed separately.
APPENDIX 2 to the AVV
List of subcontractor processors commissioned by JOIN
Amazon Web Services Europe
Cloud service provider
Cloud service provider
Marketing and mailing platform
Stripe Payments Europe Ltd.
Payment service provider