Employer Data Processing Agreement (DPA)

Last updated on 

1. Introduction

This Employer Data Processing Agreement ("Agreement") is an integral part of Holedo's commitment to privacy and data protection. It is governed by Holedo's Privacy Policy and Terms and Conditions, and outlines the terms under which personal data is processed when users switch to Career Mode or apply for jobs.

By switching to Career Mode or applying for jobs on Holedo, users ("Data Subjects") consent to the processing of their data by the specific employer, business, recruiter, or headhunter ("Controller") to whom they have applied. This Agreement governs the processing of personal data by that Controller, facilitated by the Holedo platform.

This Agreement is also subject to updates, which will be communicated to Controllers and Data Subjects as required. In the event of a conflict between this Agreement and other agreements between the parties, the terms of this Agreement shall prevail.

2. Definitions

  • Data Subject: The individual whose personal data is processed (i.e., the user of the Platform).
  • Controller: The specific employer, business, recruiter, or headhunter who determines the purposes and means of the processing of personal data.
  • Processor: Holedo, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, organisation, storage, adaptation, or alteration.

3. Scope of Processing

This Agreement applies to the processing of Personal Data that occurs when:

  • A user switches to Career Mode on the Platform.
  • A user applies for a job through the Platform.
  • The Controller uses the Platform’s Relationship Management Tools to manage interactions with Data Subjects.

4. Roles and Responsibilities

4.1 Data Controller (Employer/Recruiter)
The Controller is responsible for ensuring that the processing of Personal Data complies with GDPR and other applicable data protection laws. This includes:

  • Ensuring lawful consent has been obtained from the Data Subject for processing.
  • Determining the purposes and means of the processing of Personal Data.
  • Ensuring the security of the Personal Data processed through the Platform.

4.2 Data Processor (Holedo)
The Processor shall:

  • Process Personal Data only on behalf of the Controller and in accordance with the Controller's instructions.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • Assist the Controller in ensuring compliance with obligations concerning Data Subjects' rights (e.g., access, rectification, erasure).
  • Notify the Controller without undue delay after becoming aware of a personal data breach.
  • Delete or return all Personal Data to the Controller after the end of the provision of services, unless required by law to store the data.

5. Sub-processors

The Processor may engage third-party sub-processors to process Personal Data on behalf of the Controller. The Processor shall:

  • Ensure that any sub-processor is bound by the same data protection obligations as the Processor.
  • Remain fully liable to the Controller for the performance of the sub-processor’s obligations.

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:

  • Right of access by the Data Subject.
  • Right to rectification.
  • Right to erasure ("Right to be forgotten").
  • Right to restriction of processing.
  • Right to data portability.

7. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

8. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay after becoming aware of the breach.
  • Provide the Controller with sufficient information to allow them to meet any obligations to report or inform Data Subjects of the breach.

9. Termination and Deletion of Data

Upon termination of the service or upon request by the Controller, the Processor shall delete or return all Personal Data to the Controller, unless EU or Member State law requires storage of the personal data.

10. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of Ireland.

Note: This Employer Data Processing Agreement forms part of the broader terms outlined in Holedo’s User Data Management Policy and is referenced within the Privacy Policy and Terms and Conditions.