Data Processing Agreement

This Data Processing Agreement (“Agreement”) is made on January 1st, 2019 (“Effective Date”)




1. Customer (“Customer”);




2. Equitas App Ltd. (“Supplier”);




  1. Supplier provides certain interviewing and assessment, and interview and assessment related services (“Services”) to Customer. In connection with the Services, the Parties anticipate that Supplier will process Personal Data on behalf of Customer, the data controller for such Personal Data;

  2. To the extent that the provision of such Services involves the processing of Personal Data, the Parties have agreed to enter into this Agreement for the purposes of ensuring compliance with the applicable Data Protection Laws (as defined below).


THEREFORE, Parties have agreed as follows:




Terms such as “data subject”, “data processor”, “data controller”, “personal data breach”, “data protection impact assessment”, “appropriate technical and organisational measures”, “recipient” shall have the same meaning ascribed to them in the Data Protection Laws;


“Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Main Agreement and the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on and from 25 May 2018, in each case together with all laws implementing or supplementing the same and any other applicable data protection or privacy laws;


“EEA” means the European Economic Area;


“Parties” means all signatories to this Agreement;


“Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data, as that term is defined in Data Protection Laws, processed by Supplier on behalf of Customer;


“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;


“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.




Supplier shall process the Personal Data relating to the categories of data subjects for the purposes set forth in this Agreement, which are enumerated in Annex 1 (Details of Processing of Personal Data) to this Agreement. Supplier shall not process, transfer, modify, amend or alter the Personal Data, or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with Customer’s documented instructions (whether in the Agreement or otherwise) except as otherwise required by applicable EU law to which Supplier is subject, in which case Supplier shall, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data.




Supplier shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.




Supplier shall implement appropriate technical and organisational measures designed to ensure a level of security of the Personal Data appropriate to the risk and in accordance with Article 32 of the GDPR. Supplier shall assess and evaluate the effectiveness of such measures, as needed, and shall update as applicable, in accordance with Article 32 of the GDPR.




Supplier shall notify Customer within ten (10) calendar days if it receives a data subject access request, including requests by a data subject to exercise rights in Chapter III GDPR, and shall provide full details of that request.


Supplier shall fully co‑operate as requested by Customer to enable Customer to comply with any exercise of rights by a data subject under Chapter III GDPR regarding Personal Data.




Supplier shall notify Customer immediately, and in any case within forty-eight (48) hours, upon becoming aware of a personal data breach. Such notification shall, to the extent known within the notification window: (i) describe the nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects, and the categories and approximate number of personal data records concerned; (ii) the name and contact details of a contact person at Supplier who can provide additional information; (iii) describe, to the extent known, the likely consequences of such personal data breach; and (iv) describe proposed mitigation efforts, as applicable.




Supplier shall provide reasonable assistance to Customer with any data protection impact assessments that are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of Customer or any of its affiliates that are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Supplier on behalf of Customer and taking into account the nature of the processing and information available to Supplier.




Supplier shall promptly, and in any event within 20 (twenty) days of the earlier of: (i) cessation of processing of Personal Data by Supplier; or (ii) termination of the Main Agreement, at the choice of Customer either, unless required by applicable EU law: (i) return Personal Data to Customer and securely wipe all other copies of Personal Data processed by Supplier; or (ii) securely wipe all copies of Personal Data processed by Supplier.




Supplier shall make available to Customer on request all information necessary to demonstrate compliance with Data Protection Laws and this Agreement and allow for and contribute to audits, including inspections by Customer or another auditor mandated by Customer of any premises where the processing of Personal Data takes place. Supplier shall permit Customer or another auditor mandated by Customer to inspect, audit and copy any relevant records, processes and systems in order that Customer may satisfy itself that Supplier is in compliance with the Data Protection Laws and this Agreement.




Supplier shall not (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection as defined in Data Protection Laws other than in respect of those recipients in such countries listed at (Authorised Transfers of Personal Data), unless authorised in writing by Customer in advance.


When requested by Customer, and to the extent required by applicable Data Protection Laws, Supplier shall promptly enter into an applicable agreement for data transfer such as the Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the European Economic Area without an adequate level of protection.




In the event of conflict between this Agreement and any other agreement between the Parties, the terms of this Agreement will prevail.




This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.


Subject matter and duration of the processing of Personal Data


  • Personal data related to Data Subjects for whom Supplier is conducting interviewing and assessment or interview and assessment related service at the request of Customer.

  • The personal data shall only be held for the length of services contracted by or otherwise requested by Customer except as otherwise required by Data Protection Laws or applicable EU law.


The nature and purpose of the processing of Personal Data


  • Processing of data subjects’ data for the purpose of interviewing and assessment or interviewing and assessment related service provided by Supplier at the request of Customer.


The types of Personal Data to be processed


  • The types of personal information that Supplier may collect in order to provide its services include, but are not limited to: (1) name; (2) address; (3) email address; (4) telephone number; (5) scoring, ranking, and assessment data; (6) psychometric test respondent data; (7) Photo ID; and (8) any other information generated from such personal information as a result of Supplier providing its services.


The categories of data subject to whom the Personal Data relates


  • Assessing candidates, which may include Customer’s employees, prospective employees, and other individuals at the direction of the Customer


The obligations and rights of Customer additional to the obligations and rights set out in the



  • Any rights provided for by Data Protection Laws

If you have any questions on this policy, please get in contact:

By email:

Or by writing to:

Data Protection Officer

Equitas App,

Ormeau Baths,

18 Ormeau Avenue,

Belfast BT2 8HS