Data processing agreement

VELORA, in its capacity as Data Processor (hereinafter, the “PROCESSOR”), shall process the personal data received from the CLIENT, in its capacity as Data Controller (hereinafter, the “CONTROLLER”), in connection with the performance of the Contract and in accordance with its instructions for the provision of the Services; and pursuant to the following Data Processing Agreement, the parties DECLARE:

I. That the PROCESSOR is a company specialised in human resources processes, designing solutions based on artificial intelligence and neuroscience.

II. That, as a result of the services currently provided or to be provided by the PROCESSOR to the CONTROLLER, the PROCESSOR has or shall have access to personal data belonging to the CONTROLLER.

III. That the provision of services by the PROCESSOR to the CONTROLLER takes place pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter the “GDPR”), and Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (hereinafter the “LOPDGDD”).

IV. That, following the entry into force of the GDPR and the LOPDGDD, the Parties wish to enter into this Agreement in accordance with the following:

CLAUSES

1. PURPOSE

The purpose of this Agreement is to authorise the PROCESSOR to process, on behalf of the CONTROLLER, the personal data necessary to provide the recruitment service and any ancillary services relating to the human resources consultancy services offered.

The PROCESSOR shall process the personal data owned by the CONTROLLER solely for the provision of the aforementioned service and undertakes not to apply or use them for any other purpose.

The personal data provided by the CONTROLLER to the PROCESSOR mainly concern the following categories of data:

  • Identification data (name and surname, ID/Passport, place of residence, postal code, telephone number, email, image/voice and other candidate identifiers).
  • Personal characteristics (marital status, family data, date of birth, place of birth, age, gender, nationality, mother tongue).
  • Academic and professional data (education/qualifications, student record, professional experience, membership of professional bodies or associations).
  • Employment details (profession, job title, employment history, etc.).
  • Results obtained during the selection process.

The personal data correspond to the following categories of data subjects:

  • End clients of the Data Controller.

2. OBLIGATIONS OF THE PROCESSOR

The PROCESSOR and all its staff undertake to:

I. Use the personal data subject to processing, or collected for inclusion, solely for the purpose of this assignment. Under no circumstances may the data be used for its own purposes.

II. Process the data in accordance with the documented instructions of the CONTROLLER.

III. If the PROCESSOR considers that any instruction infringes the GDPR, the LOPDGDD or any other applicable data protection provision of the European Union or Member States, it shall immediately inform the CONTROLLER.

IV. Not disclose the data to third parties, unless it has the prior express written authorisation of the CONTROLLER, in the cases legally established and admissible.

V. The PROCESSOR may disclose the data to other processors of the same controller, in accordance with the instructions of the CONTROLLER. In such case, the CONTROLLER shall identify in advance and in writing the entity to which the data must be disclosed, the data to be disclosed, and the security measures to be applied to the disclosure.

VI. The PROCESSOR shall only transfer personal data to a third country or an international organisation under the documented instructions of the CONTROLLER. If the PROCESSOR is required to transfer such personal data under Union or Member State law applicable to it, it shall inform the CONTROLLER of this legal requirement in advance, unless prohibited by law for reasons of important public interest.

VII. Upon termination of the service, the PROCESSOR undertakes to return to the CONTROLLER the medium or media containing the personal data, or to destroy them at the request of the latter, without retaining any copy thereof.

VIII. Subcontracting

  • The PROCESSOR may entrust certain technical and IT services necessary for the provision of the services, including ancillary services necessary for their proper functioning, to sub-processors.
  • In accordance with the GDPR and the LOPDGDD, any subcontracting carried out by the PROCESSOR must be notified to the CONTROLLER, specifying the processing operations to be subcontracted and clearly identifying the subcontracted company and its contact details. Subcontracting may proceed if the CONTROLLER does not object within the established time frame.
  • The subcontractor, who shall also qualify as a processor, shall likewise be bound by the obligations set out in this Agreement and the instructions issued by the CONTROLLER. The PROCESSOR must enter into a new contract with the subcontractor under the same conditions and requirements regarding the proper processing of personal data and the safeguarding of the rights of data subjects. In the event of non-compliance by the subcontractor, the PROCESSOR shall remain fully liable to the CONTROLLER.

IX. The PROCESSOR may share personal data of the CONTROLLER with service providers, including artificial intelligence providers, or with third parties upon the CONTROLLER’s instruction. In such cases, as the PROCESSOR acts on the CONTROLLER’s instructions, no prior notice shall be required, and it shall be the CONTROLLER’s responsibility to ensure that such providers comply with data protection safeguards and applicable regulations.

X. Maintain the duty of confidentiality with regard to the personal data accessed in the course of providing services to the CONTROLLER, even after the termination of the relationship between them.

XI. Ensure that persons authorised to process personal data expressly and in writing commit to confidentiality and compliance with the relevant security measures, of which they must be duly informed.

XII. Keep available to the CONTROLLER the documentation evidencing compliance with the previous obligation.

XIII. Ensure that authorised personnel receive the necessary training in the protection of personal data.

XIV. Assist the CONTROLLER, taking into account the nature of the processing, through appropriate technical and organisational measures, where possible, so that it may comply with its obligation to respond to requests for the exercise of data subjects’ rights.

XV. When data subjects exercise their rights of access, rectification, erasure, objection, restriction of processing, data portability and the right not to be subject to automated decision-making, directly with the PROCESSOR, the PROCESSOR shall notify the CONTROLLER by email to dpo@velorahr.com. Such communication shall be made immediately and no later than the following business day after receipt of the request, including, where applicable, any other information relevant to resolve the request.

XVI. Duty to inform. It shall be the responsibility of the CONTROLLER to provide the information notice at the time of data collection.

XVII. Notification of data security breaches. The PROCESSOR shall notify the CONTROLLER without undue delay, and in any event within a maximum of 36 hours, by means of a simple communication, of any data security breach it becomes aware of, together with all relevant information and documentation regarding the incident.

Notification shall not be required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. At a minimum, the notification shall include:
a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
b) The name and contact details of the data protection officer or other point of contact from whom more information may be obtained.
c) Description of the likely consequences of the personal data breach.
d) Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide the information simultaneously, it shall be provided in phases without undue delay.

XVIII. Support the CONTROLLER in conducting data protection impact assessments, where appropriate.

XIX. Support the CONTROLLER in carrying out prior consultations with the supervisory authority, where appropriate.

XX. Make available to the CONTROLLER all information necessary to demonstrate compliance with its obligations and to allow audits or inspections carried out by the CONTROLLER or another auditor authorised by it.

XXI. Security measures. The PROCESSOR undertakes to apply the necessary security measures to personal data to prevent their alteration, loss, unauthorised processing or access, taking into account the state of the art, the nature of the stored data and the risks to which they are exposed, whether from human action or from the physical or natural environment. In this regard, pursuant to Articles 24 and 32 of the GDPR, the PROCESSOR is required to have in place appropriate technical and organisational security measures.

XXII. Final disposition of data. The PROCESSOR undertakes to destroy the data once the service has been provided. Nevertheless, the PROCESSOR may retain a copy with the data duly blocked, for as long as liabilities may arise from the execution of the service.

3. OBLIGATIONS OF THE CONTROLLER

The CONTROLLER undertakes to:

I. Be liable for the personal data subject to processing.
II. Carry out, where appropriate, a data protection impact assessment of the processing operations to be carried out by the PROCESSOR.
III. Conduct prior consultations where applicable.
IV. Ensure, prior to and throughout the processing, that the PROCESSOR complies with the GDPR and the LOPDGDD.
V. Communicate any changes to the basic data structure that may affect the application of security measures.
VI. Provide the PROCESSOR only with data that are adequate, relevant and not excessive in relation to the purpose of the contracted service.
VII. Guarantee to the data subjects, depending on the nature, scope, context and purposes of the processing, and pursuant to Article 24 of the GDPR, that appropriate technical and organisational measures have been adopted to maintain the security of the personal data provided.
VIII. Notify data subjects of personal data breaches, as soon as possible, where such breaches are likely to result in a high risk to the rights and freedoms of natural persons. Such communication shall be in clear and plain language and at least:
a) Explain the nature of the data breach.
b) Indicate the name and contact details of the data protection officer or other point of contact.
c) Describe the possible consequences of the personal data breach.
d) Describe the measures taken or proposed by the controller to remedy the breach, including, where appropriate, measures to mitigate its possible adverse effects.
IX. Ensure that service providers or third parties to whom the PROCESSOR discloses personal data on the CONTROLLER’s instructions comply with data protection safeguards and other applicable legislation, and shall be liable to the PROCESSOR in this respect.

4. TERM

The term of this Agreement shall cover the entire duration, including any extensions, of the service agreement from which this Agreement arises.

5. INDEPENDENCE OF THE PARTIES

The Parties acknowledge each other as independent entities, acting with full autonomy in the performance of their own activities, and no employment relationship shall be deemed to exist between them at any time.

6. GOVERNING LAW AND JURISDICTION

The Parties, expressly waiving any other jurisdiction to which they may be entitled, agree to submit to the Courts and Tribunals of the city of Madrid in respect of any dispute that may arise regarding the interpretation and performance of this Agreement.
