Data Protection Appendix

Please read carefully before accessing the application.

Variation of agreement

1. We refer to the Arctic Shores SaaS agreement between you and us for our provision to you of certain services (“Agreement”), the terms of which can be found at https://www.arcticshores.com/terms-saas/.

2. The Parties agree that the Agreement shall be subject to the below Terms as an Appendix to it:

DATA PROTECTION APPENDIX

1. Interpretation

In this Appendix:

1.1. the following terms shall have the following meanings, unless the context requires otherwise:

Agreement: the SaaS agreement in respect of which this Appendix forms part;

Appendix: this appendix;

Controller: has the meaning set out in DPA18;

Customer Data: the data inputted by you, your authorised users, or us on your behalf, for the purpose of using the Services or facilitating your use of the Services, and which may include Personal Data;

Data Sharing Summary: the summary at Paragraph 2.12 setting out the scope, nature and purpose of Processing by us, the duration of the Processing, the types of Personal Data that we are to Process, and the categories of Data Subject;

Data Subject: has the meaning set out in DPA18;

Data Protection Laws: in relation to any personal data which is processed in the performance of the Agreement, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) to the extent incorporated into English law, and The Data Protection Act 2018 (“DPA18”), in each case together with any national implementing laws, regulations, secondary legislation and any other applicable or equivalent data protection or privacy laws, as amended or updated from time to time, in the UK, and any successor legislation to such laws;

Party: us or you, and Parties shall mean both of us and you;

Personal Data: has the meaning set out in DPA18, and relates only to personal data, or any part of such personal data, of which you are the Controller and in relation to which we are the Processor and providing services under the Agreement;

Personal Data Breach: has the meaning set out in DPA18;

Processing: has the meaning set out in DPA18, and Process shall be interpreted accordingly;

Processor: has the meaning set out in DPA18;

Special Categories of Personal Data: those categories of data listed in Article 9(1) GDPR;

Supervisory Authority: has the meaning set out in DPA18;

we, us or our: Arctic Shores Limited, a company registered in England and Wales with registered number 08589048 and registered office at Lowry House, 17 Marble Street, Manchester, United Kingdom, M2 3AW; and

you or your: the company or organisation which has entered into the Agreement with us for the provision of certain services.

1.2. references to “Paragraphs” are to paragraphs of this Appendix;

1.3. any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression, shall be construed as illustrative, shall not limit the sense of the words preceding or following those terms, and shall be deemed to be followed by the words “without limitation” unless the context requires otherwise; and

1.4. a reference to a statute or statutory provision is a reference to such statute or statutory provision as amended or re-enacted. A reference to a statute or statutory provision includes any subordinate legislation made under that statute or statutory provision, as amended or re-enacted.

2. Customer Data

2.1. You shall own all right, title and interest in and to all of the Customer Data and are exclusively responsible for the legality, reliability, integrity, accuracy and quality of the Customer Data.

2.2. The Parties acknowledge that, for the purposes of Data Protection Laws, you are the Controller and we are the Processor of any Personal Data. The scope, nature and purpose of Processing is as set out in the Data Sharing Summary.

2.3. Each Party confirms that it holds, and during the term of the Agreement will maintain, all registrations and notifications required in terms of the Data Protection Laws which are appropriate to the performance of its obligations under the Agreement.

2.4. Each Party confirms that, in the performance of the Agreement, it will comply with the Data Protection Laws.

2.5. We will:

2.5.1. Process Personal Data only on documented instructions from you, unless required to do so by Data Protection Laws or any other applicable law to which we are subject; in such a case, we shall inform you of that legal requirement before Processing, unless that law prohibits us from so informing you;

2.5.2. ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

2.5.3. ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of our systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by us);

2.5.4. notify you as soon as reasonably practicable before appointing any subcontractor in respect of Processing of Personal Data, and ensure that any such subcontractor complies with the provisions of this Clause 2 as if it was a Party; if you (acting reasonably) disagree with the appointment of the subcontractor for reasons relating to the Processing of Personal Data, you shall have the right to terminate the Agreement on 60 days’ written notice; for the avoidance of doubt, any appointment of subcontractors in the same corporate group or banner as an existing subcontractor (for example, a subsidiary in a different country) shall not require further approval from you; a list of pre-approved subprocessors for such purposes is set out in the Data Sharing Summary;

2.5.5. taking into account the nature of the Processing, assist you by putting in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the Data Subject’s rights laid down in Data Protection Laws, to the extent that such requests relate to the Agreement and our obligations under it;

2.5.6. assist you, at your cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

2.5.7. at your option, delete (to the extent practicable) or return all the Personal Data to you after termination of the Agreement or otherwise on your request, and delete existing copies (to the extent practicable) unless applicable law requires our ongoing storage of the Personal Data;

2.5.8. make available to you all information necessary to demonstrate our compliance with this Clause 2.5, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you; and

2.5.9. inform you immediately if, in our opinion, an instruction from you infringes (or, if acted upon, might cause an infringement of) Data Protection Laws.

2.6. Each Party will notify the other Party without undue delay if it becomes aware of a Personal Data Breach relating to either Party’s obligations under the Agreement.

2.7. You shall undertake appropriate data protection impact assessments to ensure that Processing of Personal Data complies with Data Protection Laws. We will provide you with reasonable assistance, where necessary and upon your request, in carrying out any data protection impact assessment and undertaking any necessary prior consultation of the Supervisory Authority.

2.8. It is your responsibility to ensure that Personal Data is dealt with in a way that is compliant with the “data protection principles” (as defined in DPA18).

2.9. It is your responsibility to ensure that:

2.9.1. you are able to justify the Processing of Personal Data as lawful in accordance with Data Protection Laws (including, where applicable, obtaining any and all consents of Data Subjects required in order to commence the Processing), and that you have recorded or documented this in accordance with the record keeping requirements of Data Protection Laws;

2.9.2. where Personal Data falls within the Special Categories of Personal Data, the Processing of such Special Categories of Personal Data is justified as lawful under Data Protection Laws before Processing takes place;

2.9.3. where the Processing of Special Categories of Personal Data is not justified as lawful under Data Protection Laws, no such data will be sent to us; and

2.9.4. you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to us for the duration and purposes of the Agreement.

2.10. In the event that we:

2.10.1. comply with your instructions in respect of Processing, we shall not have any liability (subject to any liability that we cannot exclude or limit at law) for any damage caused by Processing that Personal Data, or for any consequences in the event that such Processing otherwise infringes Data Protection Laws, to the extent that such damage or consequences result from our compliance with such instructions; and/or

2.10.2. refuse to comply with your instructions in respect of Processing due to concerns that compliance will cause a breach of Data Protection Laws, we shall not have any liability (subject to any liability that we cannot exclude or limit at law) for any failure to follow such instructions.

2.11. Each Party agrees to indemnify, and keep indemnified and defend at its own expense, the other Party, against all costs, claims, damages or expenses incurred by the other Party or for which the other Party may become liable, due to any failure by the first Party or its employees or agents to comply with this Clause 2.

2.12. The following table sets out the scope, nature and purpose of the Processing under the Agreement:

Scope, nature and purpose of Processing
  • Candidate data is processed by Arctic Shores in connection with providing the behaviour-based assessment services to CUSTOMER to support their recruitment processes. The processing of candidate data is a necessary and integral part of the performance of services.
Duration of Processing 
  • The earliest expiry / termination date of the Agreement. The candidate data is retained for 12 months and then it is fully anonymised. 
  • The date upon which processing is no longer necessary for the purposes of either party performing its obligations under this agreement. 
Types of Personal Data being Processed
  • Name
  • Email address
  • Candidate ID
  • IP address
  • Psychometric assessment results
  • Optionally provided: age, ethnicity & health information 
Categories of Data Subject in respect of whom Personal Data is being Processed
  • Candidates applying for roles at CUSTOMER
Subprocessors
  • Linode: Host our data 
  • Equinix: data centre (ISO 27001 compliant)
  • SendGrid: SMTP provider (Privacy Shield & DPA in place)
  • Survey Gizmo: survey provider (Privacy Shield in place)
  • AWS: zero knowledge encrypted backup (US, shortly moving to EU)

2.13. In the course of Processing Personal Data, we may derive anonymised, aggregated data based on Personal Data (where, for the avoidance of doubt, such derived data shall not include Personal Data). You acknowledge that we own all such anonymised, aggregated data and that we may use such data as we consider appropriate, at our discretion, including for:

2.13.1. statistical analysis;

2.13.2. development and enhancement of our services and products;

2.13.3. the publication of industry statistics and market trends; and

2.13.4. reporting on benchmarking to third parties;

subject to our continued compliance with Data Protection Laws in respect of such usage.

3. General

3.1. In the event of any conflict between a provision of this Appendix and a provision of the Agreement, the provision of this Appendix shall prevail.

3.2. If any provision or part-provision of this Appendix is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this Paragraph 3.2 shall not affect the validity and enforceability of the rest of this Appendix.

3.3. If any provision or part-provision of this Appendix is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.

3.4. You must not assign, transfer, charge or otherwise encumber, create any trust over, or deal in any manner with, this Appendix or any right, benefit or interest under it, nor transfer, novate or sub-contract any of your obligations under it, without our prior written consent (such consent not to be unreasonably withheld or delayed).

3.5. This Appendix and the Agreement (and any documents referred to in this Appendix or the Agreement) constitute the entire agreement and understanding of the Parties in relation to the subject matter of this Appendix and the Agreement, and:

3.5.1. supersede any previous agreement between the Parties relating to such subject matter; and

3.5.2. shall apply to the exclusion of and prevail over any express terms contained in any standard documentation of either Party.

The Parties acknowledge that they have not entered into this Appendix in reliance upon any statement, representation, assurance or warranty which is not set out in this Appendix.

3.6. Any variation or amendment to this Appendix will not be binding on the Parties unless set out in writing, expressed to amend this Appendix and signed by an authorised representative of each Party.

3.7. Nothing in this Appendix shall constitute a partnership or employment or agency relationship between the Parties.

3.8. A person who is not a Party shall not have any rights under or in connection with this Appendix.

3.9. No failure or delay by either Party to exercise any right or remedy provided under this Appendix or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

3.10. This Appendix and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England.

3.11. The Parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any disputes or claims arising out of or in connection with this Appendix, its subject matter or its formation.

3. Except as set out in paragraph 3 of this letter, the Agreement shall continue in full force and effect.

4. This letter and any dispute or claim (including, without limitation, non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the law of England.

5. The Parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any dispute or claim that arises out of, or in connection with, this letter or its subject matter or formation.