Data Processing Agreement

This Data Processing Agreement (DPA) applies to the Services and sets out the terms, requirements and conditions on which The SR Group and its sub-processors will process Personal Data when providing the Services to You. This DPA contains the mandatory clauses required by UK GDPR and EU GDPR. If You request the Services You are deemed to have accepted the terms of this DPA.

Dated: 8 May 2024

Data Processing Agreement

(controller-to-processor)

agreed terms

1. Definitions and interpretation

“We”, “Us” and “Our” mean the member of The SR Group that provides Services to You. “You” and “Your” mean the individual, company or other legal entity that We provide or introduce a Temporary to.
Commissioner: the Information Commissioner.
Controller, Data Subject, Personal Data, Process or Processing, Processor: have the meanings given to them in the Data Protection Legislation.
Data Protection Legislation:

a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data;

b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which You or We are subject, which relates to the protection of Personal Data;

c) To the extent the Swiss DPA applies, the law of Switzerland; or

d) To the extent that the law of another country applies to the Personal Data Processed in connection with the Services, the law of that country.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Services: the Psychometric Assessment Services as set out in the Terms.

Swiss DPA: the Swiss Federal Data Protection Act and its ordinance.
Terms: the Terms of Business that govern Our provision of the Services to You.

Term: the term of this DPA as set out in Clause 10.

UK GDPR: the Data Protection Act 2018 (and any regulations made thereunder).

1.1 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.2 A reference to writing or written includes faxes and email.
1.3 In the case of conflict or ambiguity between any of the provisions of the Terms and this DPA, the provisions of this DPA will prevail. The Terms prevail in all other cases and in particular, the provisions of the Liability clauses shall apply to any loss, liability, damage, cost, claim or expense that arises under this DPA.

2. Personal data types and processing purposes
2.1 We each agree and acknowledge that for the purpose of the Data Protection Legislation:
a) You are the Controller and We are the Processor.
b) You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions You give to Us.
c) You are solely responsible for the accuracy, quality and completeness of the Personal Data.
d) ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which We process the Personal Data to provide the Services.

3. Our obligations
3.1 We will only process the Personal Data to the extent, and in such a manner, as is necessary to provide the Services in accordance with Your written instructions. We will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will promptly notify You if, in our opinion, Your instructions do not comply with the Data Protection Legislation.

3.2 We will comply promptly with Your written instructions requiring Us to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 We will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Us to process or disclose the Personal Data to a third party, We will first inform You of such legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless domestic law prohibits the giving of such notice.

4. Our employees
4.1 We will ensure that all of our employees:
a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
b) have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
c) are aware both of Our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

5. Security
5.1 We and Our sub-processors will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. Our security measures are set out in ANNEX A. The security measures put in place by Our sub-processors are available via the links in ANNEX B. We believe that these are appropriate given the nature of the Personal Data being processed, but You must review these measures to ensure that they are acceptable to You. You must notify Us before the Services commence if You have any concerns about the security measures of any of Our sub-processors. We will document Our measures in writing and periodically review them to ensure they remain current and complete.

6. Personal Data Breach
6.1 We will notify You without undue delay if We become aware of:
a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
b) any accidental, unauthorised or unlawful processing of the Personal Data; or
c) any Personal Data Breach.

6.2 Where We become aware of (a), (b) and/or (c) above, We will, promptly, also provide You with the following information:
a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
b) the likely consequences; and
c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 At Your request, We will reasonably co-operate with You to enable You to notify the Data Breach to the Relevant Authorities and/or Data Subjects.
6.4 We will not inform any third party of an occurrence as set out in clause 6 without first obtaining Your written consent, except when required to do so by domestic law.
6.5 It is Your sole decision:
a) whether to provide notice of an occurrence as set out in clause 6 to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and
b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7. Cross-border transfers of personal data
7.1 We may only process, or permit the processing of, the Personal Data outside the EEA where We or Our sub-processors participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that We (and, where appropriate, You) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR, and under the Swiss DPA. We identify in ANNEX B the transfer mechanism that enables the parties to comply with these cross-border data transfer requirements.

7.2 In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with clause 7.1 above with the following modifications:

a) References to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;

b) References to “EU Law”, “Union Law or Member State Law” will be interpreted as references to “Swiss Law”; and

c) References to the “Competent Supervisory Authority” and “Competent Courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.

8. Sub-processors
8.1 The provisions of section 9(a) Option 2 apply to the use of sub-processors.
8.2 Where You consent to the use of a sub-processor:
a) We will enter into a written contract with the sub-processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures;
b) We will maintain control over all of the Personal Data We entrust to the sub-processors; and
c) We will be fully liable to You for the acts and omissions of the sub-processors.
8.3 The sub-processors and the security measures, both as approved by You at the commencement of the Service, are set out in ANNEX B.

9. Complaints, data subject requests and third-party rights
9.1 We will, at Your cost, promptly provide such information to You as You may reasonably require, to enable You to comply with:
a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
b) information or assessment notices served on You by the Commissioner or other relevant regulator under the Data Protection Legislation.
9.2 We will notify You immediately in writing if We receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
9.3 We will notify You if We receive a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4 We will give You, at Your cost, our full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5 We will not disclose the Personal Data to any Data Subject or to a third party other than in accordance with Your written instructions, or as required by domestic law.

10. Term and termination
10.1 This DPA will remain in full force and effect so long as:
a) the Terms remain in effect; or
b) We retain any of the Personal Data related to the Services in Our possession or control (Term).
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms in order to protect the Personal Data will remain in full force and effect.

11. Data return and destruction
11.1 At Your request, We will give You, or a third party nominated in writing by You, a copy of or access to all or part of the Personal Data in our possession or control in the format and on the media reasonably specified by You.
11.2 On termination of the Terms for any reason or expiry of its term, We will securely delete or destroy or, if directed in writing by You, return and not retain, all or any of the Personal Data related to this DPA in our possession or control.

12. Audit
12.1 In the event that there has been a Personal Data Breach as set out in clause 6.1, We will permit You and Your third-party representatives to audit Our compliance with our DPA obligations, on at least 10 working days’ notice, during the Term. We will give You and Your third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
a) copies of any information held at Our premises or on systems storing the Personal Data;
b) access to and meetings with any of Our personnel or sub-processors reasonably necessary to provide all explanations and perform the audit effectively;

c)

13. Notice
13.1 Any notice given to a party under or in connection with this DPA must be in writing and delivered to:
For Us: Data Protection Officer, 5 Fleet Place, London EC4M 7RD.
For You: the person who commissions the Services, at Your registered address.

ANNEX A – Personal Data processing purposes and details

Subject matter of processing:

• Provision of psychometric assessment services to Client in connection with their recruitment process

Duration of Processing:

• For the period required for performance of the assessment, creation of the report on the assessment and discussion of the report with the potential employee and Client.

Nature of Processing:

• Receiving, storing, analysing and providing feedback on data

Personal Data Categories:

• Name, email address, responses to behavioural and/or situational questions contained in the assessment

Data Subject Categories:

• Potential employees of Client

Sensitive Data Transferred:

• None

Frequency of Data Transfer:

• One-off. Transfer of data from candidate to Supplier or Supplier sub-processor.

ANNEX B – Approved Sub-processors

Name: SHL Group Limited and its affiliates
Address: The Pavillion, 1 Atwell Place, Thames Ditton, Surrey, KT7 0NE
Non-EEA location(s) where data processed: USA, India, South Africa
Applicable transfer mechanism: SCCs (for further information see https://www.shl.com/legal/terms-and-conditions/english/shl-data-processing-schedule/)

Name: Psychological Consultancy Limited
Address: 8 Mount Ephraim, Tunbridge Wells, TN4 8AS
Non-EEA location(s) where data processed: USA
Applicable transfer mechanism: SCCs (for further information see http://www.psychological-consultancy.com/contact-us/privacy-policy/)

Name: Hogan Assessment Systems Inc.
Address: 11 S Greenwood, Tulsa, OK 74120, United States of America
Non-EEA location(s) where data processed: USA
Applicable transfer mechanism: SCCs (for further information see https://www.hoganassessments.com/privacy-policy/gdpr-compliance/)

ANNEX C – Technical and Organisational measures

General Security
• Maintain standardised records for the security of data held within each technology employed within the business
• Provide all employees with data security training to ensure that they understand the requirements and can take appropriate actions to protect electronic data
• Track all exceptions to this policy in an exceptions log
• Manage all breaches to this policy through our Problem Management Policy
• Ensure our security footprint and all attack vectors are monitored and reviewed regularly
• Ensure this policy is available via the intranet

We Will Not –
• Allow administrative access to servers and services for IT staff with their normal user account

Electronic Data Security
• Employ DLP technologies to track, audit and report on the transfer of data across all business supplied data transfer mechanisms
• Log all DLP incidents centrally for review and will review these regularly. Any incidents will be reviewed by the IT Team in the first instance and where a concern of inappropriate use is suspected these events will be escalated to the appropriate Partner
• Ensure all data storage platforms and mechanisms are secured and available only to appropriate users and groups by granting users access to data based on individual roles and responsibilities in the business. Access to electronic data is granted via permissions given by the IT team at point of entry to the business. This is reviewed periodically or on a change in role or responsibilities
• Ensure all data is backed up following industry standards and can be restored for both business continuity and data integrity purposes. Backups are managed using standard snapshot technology with snapshots of all services being taken at set intervals with set retention periods.
• Ensure that any redundant hardware containing data is destroyed by a 3rd party company using standard degaussing platforms and then destroyed by shredding under IEEE guidelines

We Will Not –
• Assume that a DLP event constitutes evidence that an employee has intentionally or accidentally lost data; it provides sufficient basis for an investigation to ensure data has been appropriately protected
• Allow access to mobile working solutions until the successful completion of a probationary period
• Allow access to mobile working solutions until the completion of the mobile working AUP forms
• Allow files and folders to be downloaded to personal devices

Network Security
• Ensure segmentation of our network in order to provide the relevant services to our disparate user groups
• Only use cabled network connections where essential for the service using it
• Use industry standard network technologies to manage, monitor and maintain our network security
• Update firmware and patches
• Limit the bandwidth available on each connection based on the AP being connected to

We Will Not –
• Allow non-corporate devices to connect to the corporate network segment

Server Security
• Ensure all devices lock when no activity is registered for 10 minutes
• Ensure all server devices are protected using industry recommended security software
• Ensure all laptop devices are protected using encryption software
• Ensure all laptop devices are patched regularly

We Will Not –
• Allow administrative access to servers and services for IT staff with their normal user account

User Endpoint Security

• Ensure all corporate devices lock when no activity is registered for 15 minutes
• Ensure all corporate laptops lock when the lid is closed
• Ensure all corporate laptop devices are protected using industry recommended security software
• Ensure all corporate laptop devices are protected using encryption software
• Ensure all corporate laptop devices are patched regularly
• Employ MDM solutions to ensure the centralised management of corporate devices

We Will Not –
• Allow users access to install software on their corporate device without consideration for licensing and impact on the device and the network

User Security
• Provide access to services via groups and permissions that allow only enough access to do the work required
• Employ SSO where possible to limit the number of passwords required, and ensure centralised control to services
• Provide each user with a unique user account for all services
• Disable user access to all data within 1 working day of a user leaving the business

For IT Users only –
• Provide multiple accounts for the work a user will need to complete

We Will Not –
• Share passwords with any other user
• Allow access to your accounts without a suitable reason and without the authorisation of the IT Director
• Allow access to local devices with general accounts

Electronic Mail Security
• Employ suitable technologies to track, audit and report on email usage and transfer of data across all corporate mail systems
• Employ suitable technologies to ensure users are protected from mail-borne attacks that could compromise our platforms or users. These include but are not limited to –
  • Impersonation attacks
  • Spam
  • Malware/keyloggers
• Ensure only compliant personal devices can connect to mail services

We Will Not –
• Allow access to users’ mailboxes or data without sufficient evidence in accordance with our personal mailbox and data access policy
• Allow executables or other dangerous files to be delivered to users
• Allow the transfer of files or information that would expose significant amounts of personal information outside of the business