This personal data processing agreement (the Data Processing Agreement) is part of an Agreement between MoveMyTalent and the Client (each also a Party and collectively the Parties) under which MoveMyTalent provides to the Client certain services relating to relocation of candidates (the Talents) from one country to the place of employment in another country (the Services).
In connection with the provision of the Services under the Agreement, MoveMyTalent processes certain personal data for the Client. To ensure the secure, correct and lawful processing of personal data, the Parties have agreed to supplement the Agreement and enter into this Data Processing Agreement as part of the Agreement.
In case of a conflict between any other document forming part of the Agreement and this Data Processing Agreement regarding the processing of personal data, the Data Processing Agreement shall prevail and apply.
1. GENERAL PROVISIONS
- The terms used in the Data Processing Agreement are used in the meaning given to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the GDPR) or in the meaning given to them in the Agreement.
- In the context of Article 28 of the GDPR, the Client is the data controller of the personal data transferred or made available to MoveMyTalent in the course of the provision of the Services and MoveMyTalent is the data processor.
2. GENERAL OBLIGATIONS OF MOVEMYTALENT
- MoveMyTalent shall process personal data only in accordance with the applicable law, the terms of the Agreement, including the terms of this Data Processing Agreement.
- MoveMyTalent shall process personal data only for the purposes described in Annex A.
- MoveMyTalent shall process personal data in accordance with all the instructions given or documented by the Client according to need.
- If required by applicable law, MoveMyTalent shall designate a competent data protection officer in accordance with the applicable law and shall provide to the Client the name and contact details of the data protection officer.
- MoveMyTalent shall keep records of all the data processing operations carried out on behalf of the Client. The register of data processing operations shall comply with all the requirements set forth in the applicable law and include at least the following information:
  - the name and contact details of the data processor and data controller on whose behalf the data processor is acting;
  - the name and contact details of the representative of the data processor and data controller;
  - if applicable, the name and contact details of the data protection officer of the data processor and/or data controller;
  - categories of processing carried out on behalf of the data controller;
  - a general description of the technical and organisational security measures applied for the protection of personal data.
- Upon the respective request by the Client, MoveMyTalent shall make available to the Client the register described in section 2.5 regarding the personal data processed on behalf of the Client immediately and free of charge but not later than within 14 (fourteen) business days as of the respective request by the Client.
3. GENERAL OBLIGATIONS OF THE CLIENT
- The Client warrants that upon transferring any personal data to MoveMyTalent (including any personal data concerning the Talent or any family member of the Talent), the Client has acquired any and all necessary authorisations, consents and permits required by applicable law and the GDPR to submit such personal data to MoveMyTalent.
- The Client warrants that upon transferring any personal data to MoveMyTalent (including any personal data concerning the Talent or any family member of the Talent), MoveMyTalent is entitled to further process such personal data for the purposes of performing the Agreement, including that MoveMyTalent can contact the Talent, and, when applicable, Talent’s family member(s).
- The Client warrants that upon transferring any personal data to MoveMyTalent (including any personal data concerning the Talent or any family member of the Talent), all personal data submitted by the Client to MoveMyTalent is accurate, true, relevant and necessary with reference to the performance of the Agreement.
4. CONFIDENTIALITY
- MoveMyTalent shall ensure the confidentiality of the personal data processed on behalf of the Client.
- MoveMyTalent shall ensure that no unauthorised third parties can access the personal data processed on behalf of the Client, for example, employees present in MoveMyTalent’s premises, who do not need access in relation to the performance of their duties or other service providers, for example, IT service providers etc., who in this specific case do not need access to the personal data in relation to the performance of their duties.
- MoveMyTalent shall ensure that all the representatives, employees of MoveMyTalent and other persons who through MoveMyTalent come into contact with the personal data processed on behalf of the Client are subject to the confidentiality obligation assumed under a contract or the law and MoveMyTalent shall ensure that its representatives, employees and other persons acting for its benefit maintain the full confidentiality of the personal data.
- MoveMyTalent shall ensure that all the representatives, employees of MoveMyTalent and other persons who through MoveMyTalent come into contact with the personal data processed on behalf of the Client have received appropriate training and instructions for the processing of personal data in accordance with the Agreement, Data Processing Agreement and the applicable law.
5. SECURITY MEASURES
- MoveMyTalent shall ensure the security of personal data processing for the purposes of protecting personal data from accidental or unauthorised processing, disclosure or destruction.
- Taking into account the state of the art and costs of implementation, and the nature, scope, context and purposes of the personal data processing as well as the risk to the rights and freedoms of natural persons, of varying likelihood and severity, that may result from personal data processing, MoveMyTalent shall apply appropriate technical and organisational measures upon personal data processing to ensure the security of personal data.
- Upon the application of appropriate technical and organisational measures, MoveMyTalent shall ensure the capacity of the applied processing measures to ensure the ongoing confidentiality, integrity, availability and resilience of personal data.
- MoveMyTalent shall inter alia ensure that upon personal data processing, MoveMyTalent shall use up-to-date information technology solutions, the security of which is regularly tested, ensure that access to MoveMyTalent’s IT systems and premises is regulated and controlled, ensure the use of up-to-date antivirus and spyware programmes.
- MoveMyTalent shall log all data processing operations carried out on behalf of Client so that there are log entries on viewing, amending, transferring and deleting personal data.
6. AUDIT
- The Client has the right to authorise an auditor to audit the activity of MoveMyTalent regarding the performance of the Data Processing Agreement in accordance with the GDPR.
- The Client shall notify MoveMyTalent of the audit reasonably in advance. The Client or an auditor appointed by the Client shall carry out the audit during regular working hours and so that the audit interferes with the regular business activity of MoveMyTalent as little as possible.
7. PERSONAL DATA BREACH
- In case of a personal data breach or suspected personal data breach, MoveMyTalent shall notify the Client of this as immediately as possible. In case of a personal data breach or suspected breach or an incident that is likely to escalate into a personal data breach, MoveMyTalent shall send to the Client a notification about the personal data breach, which shall include at least the following information:
  - a description of the nature of the personal data breach;
  - the categories and approximate number of data subjects concerned;
  - the categories and approximate number of personal data records concerned;
  - the name and contact details of the data protection officer or other contact person of MoveMyTalent if applicable;
  - the likely consequences of the personal data breach, incl. the likely consequences to data subject;
  - measures taken or proposed to be taken by MoveMyTalent to address the personal data breach or measures to mitigate its possible adverse effects.
- MoveMyTalent shall send the notification specified in section 7.1 to the Client immediately and if possible not later than within 24-48 hours as of the occurrence of the personal data breach.
- In case and insofar as MoveMyTalent is not able to submit the information described in section 7.1 to the Client within the term set forth in section 7.2, MoveMyTalent may submit the information to the Client in phases but without undue further delay.
- MoveMyTalent shall cooperate fully with the Client for the purposes of preventing personal data breaches. If a personal data breach occurs, MoveMyTalent shall cooperate fully with the Client to address the personal data breach as efficiently and quickly as possible and/or mitigate its possible adverse effects.
- MoveMyTalent shall document all personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken.
8. RETURN, DELETION AND DESTRUCTION OF PERSONAL DATA
- Upon each request of the Client and/or after the termination of the Agreement, MoveMyTalent shall delete all personal data processed on behalf of the Client unless MoveMyTalent has a legal basis to retain certain data (for example if the Talent has granted his/her consent to process his/her personal data or if MoveMyTalent has entered into a legal relationship with the Talent, in which case MoveMyTalent shall be considered as data controller in respect of the Talent).
9. SUBPROCESSORS AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
- The Client grants MoveMyTalent a general authorization to subcontract the personal data processing conducted under this Data Processing Agreement to subprocessors provided that:
  - the engagement of the subprocessor is necessary for the provision of the Service;
  - MoveMyTalent has entered into a written agreement containing data protection obligations no less protective than those in this Data Processing Agreement. MoveMyTalent shall be liable for any breaches by the subprocessor in accordance with the terms of this Data Processing Agreement;
  - MoveMyTalent will evaluate the security, privacy and confidentiality practices of a subprocessor prior to selection to establish that it is capable of providing the level of protection of personal data required by this Data Processing Agreement.
- In the case of general written authorization, MoveMyTalent will inform the Client of any intended changes concerning the addition or replacement of other subprocessors, thereby giving the Client the opportunity to object to such changes. The Client is considered to have accepted the changes in subprocessors provided that the Client has not submitted its objection within 2 calendar days as of the receipt of the notice.
- If MoveMyTalent uses subprocessors, MoveMyTalent shall assume full liability for the subprocessor to process personal data in accordance with the applicable law and this Data Processing Agreement.
10. LIABILITY AND COMPENSATION FOR DAMAGE
- MoveMyTalent shall assume liability for damage, administrative fines or any other claims with regard to MoveMyTalent’s violation of the Agreement, Data Processing Agreement or requirements of the applicable law.
- MoveMyTalent shall not be liable in any case for an administrative fine imposed on the Client, damage caused to the Client or a claim submitted with regard to the Client if these are based on a violation by the Client and/or if MoveMyTalent has not committed such violation.
- The Client shall assume liability for damage, administrative fines or any other claims with regard to the Client’s violation of the Agreement, Data Processing Agreement or requirements of the applicable law.
11. VALIDITY
- The Data Processing Agreement shall be valid from acceptance of the Terms of Service (i.e. as of the moment of conclusion of the Agreement) by the Client for as long as MoveMyTalent is processing personal data on behalf of the Client or until the end of the term of the Agreement, whichever is the later.
12. FINAL PROVISIONS
- The Data Processing Agreement shall be governed by the laws of the Republic of Estonia.
- Disputes arising from the Data Processing Agreement shall be resolved by negotiations or in Estonian courts, Harju County Court being the court of first instance.
ANNEX A to the Data Processing Agreement
1. PURPOSE OF DATA PROCESSING
Provision of the relocation services to the Client in accordance with the Agreement.
2. DATA SUBJECTS
Talents and family members of the Talents, as defined by the Agreement.
3. CATEGORIES OF PERSONAL DATA
About the Talent:
Identification data: first name, family name, date of birth, personal ID code, nationality, passport data, photo
Contact data: address, place of residence, e-mail, phone
Work related data: country of destination, employer, place of work, occupation, education, criminal background
Family data: marital status, data concerning family members
About the family member of the Talent:
Identification data: first name, family name, date of birth, personal ID code, nationality, passport data, photo
Contact data: address, place of residence, e-mail, phone
Work related data: country of destination, employer, place of work, occupation, education
Family data: marital status, data concerning family members
4. PROCESSING OPERATIONS
MoveMyTalent processes the data in the MoveMyTalent system in order to support all the immigration and relocation procedures and operations in accordance with the terms of the Agreement.
In the course of the performance of the Agreement, depending on the scope of the services ordered under the Agreement in respect of each Talent and/or family member of the Talent, MoveMyTalent might need to share data with the following institutions, authorities and entities: police and other state authorities, embassies, population registry, tax authority, banks, family doctor clinics, kindergartens and schools, etc.
5. PROCESSING PERIOD
The term of the Agreement and a maximum of 3 years after the termination of the Agreement, unless pursuant to applicable law MoveMyTalent has the right or obligation to retain data for a longer period.
6. SECURITY MEASURES
Our infrastructure is hosted in Google’s Europe data centers, protected with several layers of security to prevent any unauthorized access to our data. They use secure perimeter defense systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff. In addition, they enforce a strict access and security policy at their data centers and ensure all staff is trained to be security minded.
You can read more about our security and data protection measures, our data centers’ certifications and data security processes and practices in our privacy policy.