Data processing agreement
VELORA, in its capacity as Data Processor (hereinafter, the “PROCESSOR”), shall process the personal data received from the CLIENT, as the Data Controller (hereinafter, the “CONTROLLER”), in relation to the execution of the Contract and in accordance with its instructions for the provision of the Services, and pursuant to the following Data Processing Agreement, the parties STATE:
I. That the PROCESSOR is a company specialised in human resources processes that designs solutions based on artificial intelligence and neuroscience.
II. That, as a consequence of the services currently being provided or that will be provided by the PROCESSOR to the CONTROLLER, the PROVIDER has or will have access to the CONTROLLER’s personal data.
III. The provision of services by the PROCESSOR to the CONTROLLER takes place under the terms of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter “GDPR”), and Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (hereinafter “LOPDGDD”).
IV. That, as a result of the entry into force of the GDPR and the LOPDGDD, the Parties wish to enter into this contract in accordance with the following:
CLAUSES
1. PURPOSE
The purpose of this contract is to authorise the PROCESSOR to process, on behalf of the CONTROLLER, the personal data necessary to provide the recruitment service and any other ancillary services related to the human resources consulting services offered.
The PROCESSOR shall process the personal data owned by the CONTROLLER for the provision of the aforementioned service and undertakes not to apply or use such data for any purpose other than that indicated.
The personal data provided by the CONTROLLER to the PROCESSOR mainly refer to the following categories:
- Identification data (full name, ID/Passport/NIE, city, postal code, phone number, email, image/voice, and other identifying data of the candidate).
- Personal characteristics data (marital status, family data, date of birth, place of birth, age, sex, nationality, native language).
- Academic and professional data (education/qualifications, academic record, professional experience, membership in professional associations).
- Employment details (profession, job position, employee history, etc.).
- Results obtained during the selection process.
The personal data correspond to the following category of data subjects:
- End clients of the Data Controller.
2. OBLIGATIONS OF THE PROCESSOR
The PROCESSOR and all its personnel undertake to:
I. Use the personal data subject to processing, or those collected for inclusion, only for the purpose of this assignment. Under no circumstances may the data be used for personal purposes.
II. Process the data in accordance with the documented instructions of the CONTROLLER.
III. If the PROCESSOR considers that any instruction infringes the GDPR, LOPDGDD, or any other applicable data protection regulation of the EU or Member States, it shall inform the CONTROLLER immediately.
IV. Not disclose the data to third parties except with prior express written authorisation from the CONTROLLER, or in legally established and admissible cases.
V. The PROCESSOR may disclose data to other processors of the same controller, according to the CONTROLLER’s instructions. In this case, the CONTROLLER shall identify in advance and in writing the entity to which data should be sent, the data to be communicated, and the security measures to apply.
VI. The PROCESSOR shall only transfer personal data to a third country or international organisation under the documented instructions of the CONTROLLER. If the PROCESSOR must transfer such data under Union or Member State law, it shall inform the CONTROLLER beforehand, unless prohibited for reasons of public interest.
VII. The PROCESSOR undertakes to return to the CONTROLLER the medium or media containing the personal data, or to destroy them, upon request and once the service has been completed, without retaining any copy.
VIII. Subcontracting
- The PROCESSOR may appoint sub-processors for technical and IT services necessary for the services, including auxiliary services required for its proper functioning.
- Any subcontracting must be communicated to the CONTROLLER, identifying the processing to be subcontracted, the subcontractor, and its contact details. Subcontracting may proceed if the CONTROLLER does not object within the established period.
- The subcontractor shall be subject to the same obligations as the PROCESSOR. The PROCESSOR shall remain fully liable to the CONTROLLER for the subcontractor’s compliance.
IX. The PROCESSOR may share personal data of the CONTROLLER with service providers, including AI services, following the CONTROLLER’s instructions. In such cases, the PROCESSOR shall not notify the CONTROLLER in advance, and the CONTROLLER shall be responsible for ensuring the provider’s compliance with data protection regulations.
X. Maintain the duty of confidentiality regarding all personal data accessed, even after termination of the service relationship.
XI. Ensure that authorised personnel commit in writing to confidentiality and compliance with security measures.
XII. Keep documentation available to demonstrate compliance with the above obligation.
XIII. Ensure adequate training in data protection for authorised personnel.
XIV. Assist the CONTROLLER with appropriate technical and organisational measures to respond to data subject rights requests.
XV. When data subjects exercise their rights directly before the PROCESSOR, it must notify the CONTROLLER by email.
XVI. Notification must be immediate and no later than the next business day.
XVII. The CONTROLLER is responsible for the duty to inform data subjects at the time of collection.
XVIII. Notification of personal data breaches.
The PROCESSOR shall notify the CONTROLLER without undue delay, and in any case within 36 hours, of any personal data breach.
Notification is not required when the breach is unlikely to pose a risk to the rights and freedoms of individuals.
The notification must include:
a) Description of the nature of the breach, categories and approximate number of data subjects and records affected.
b) Contact details of the DPO or contact person.
c) Description of possible consequences.
d) Description of measures taken or proposed to address the breach.
If information cannot be provided simultaneously, it shall be provided without undue delay as it becomes available.
XIX. Support the CONTROLLER in conducting Data Protection Impact Assessments.
XX. Support the CONTROLLER in prior consultations with supervisory authorities.
XXI. Make available all necessary information to demonstrate compliance and enable audits or inspections.
XXII. Security Measures.
The PROCESSOR undertakes to apply appropriate security measures in accordance with Articles 24 and 32 GDPR.
XXIII. Data disposition.
The PROCESSOR undertakes to destroy the data once the service is completed. However, blocked copies may be kept while liabilities may arise.
3. OBLIGATIONS OF THE DATA CONTROLLER
The CONTROLLER undertakes to:
I. Be responsible for the personal data processed.
II. Carry out Data Protection Impact Assessments when required.
III. Conduct prior consultations when appropriate.
IV. Ensure compliance with GDPR and LOPDGDD by the PROCESSOR.
V. Notify changes in the structure of the data that may affect security measures.
VI. Provide access to the PROCESSOR only to adequate, relevant, and non-excessive data.
VII. Ensure that appropriate technical and organisational measures have been adopted under Article 24 GDPR.
VIII. Inform data subjects of personal data breaches without undue delay when the breach may pose a high risk to their rights and freedoms.
The notice must:
a) Explain the nature of the breach.
b) Provide contact details of the DPO or relevant contact person.
c) Describe possible consequences.
d) Describe measures taken or proposed to address the breach.
IX. Ensure that third-party providers to whom the PROCESSOR communicates data under the CONTROLLER’s instructions comply with data protection guarantees.
4. DURATION
This contract remains valid for the entire duration, including any extensions, of the main service agreement to which it relates.
5. INDEPENDENCE OF THE PARTIES
The Parties acknowledge their mutual independence. Nothing in this agreement shall be construed as creating an employment relationship between them.
6. APPLICABLE LAW AND DISPUTE RESOLUTION
The Parties, expressly waiving any jurisdiction that may correspond to them, agree to submit any dispute arising from the interpretation or performance of this contract to the Courts and Tribunals of the city of Madrid.


