Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Hailey HR and the Customer.
Hailey HR will on behalf of the Customer Process Personal Data during the provision of the Services under the Agreement in its capacity as Customer’s data processor. For the purpose of ensuring compliance with the Data Protection Rules, the Parties have entered into this DPA which forms an integral part of the Agreement.
"Data Protection Rules” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”) as well as supplementary local adaptions.
"Data Subject” means the identified or identifiable natural person whom the Personal Data relates to.
"Personal Data” means any information, which directly or indirectly relates to a Data Subject and which Hailey HR Processes on behalf of the Customer under this DPA.
”Processing” means any operation or set of operations which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means.
”Sub-Processor” means any third party that Processes Personal Data on behalf of Hailey HR (including, but not limited to, Hailey HR’s partners and subcontractors)
”Supervisory Authority” means the independent public supervisory authority/supervisory authorities, authorised to conduct supervision of the Processing of Personal Data or considered to be a “supervisory authority concerned” in accordance with the Data Protection Rules.
2.1 Unless otherwise stated, any other term or concept used in capitalised letters in this DPA (except in some cases as part of a heading) shall have the meaning and conception that is established in the Data Protection Rules and otherwise in the Agreement, unless the circumstances obviously require another interpretation.
3. RESPONSIBILITY AND INSTRUCTION
3.1 The Personal Data that Hailey HR on behalf of the Customer will Process is in particular contact details, terms of employment and employment contracts, as further specified in Sub-Appendix 1 (Data Processing Instructions).
3.2 The Customer is the data controller of all Personal Data Processed by Hailey HR on behalf of the Customer under this DPA. Hailey HR shall comply with the Data Protection Rules applicable to Hailey HR’s Processing.
3.3 Hailey HR, and anyone working under Hailey HR’s supervision, shall only be Processing Personal Data in accordance with the Customer’s documented instructions and not for any other purposes than the purposes the Customer has engaged Hailey HR for under the Agreement. The instructions that apply on the date of signature of this DPA are specified in Sub-appendix 1. In addition, the Agreement constitutes the Customer’s instructions. The Customer shall immediately inform Hailey HR of changes that affect Hailey HR’s obligations according to this DPA. Processing may also be performed where required by EU law or applicable member state law, which Hailey HR or any Sub- Processor is subject to. In the event of such requirement pursuant to EU or applicable member state law, Hailey HR shall inform the Customer of such obligation that is binding on Hailey HR or any Sub-Processor. Such information shall be provided to the Customer prior to the processing of Personal Data for this purpose, unless that law prohibits such information on important grounds of public interest.
4. SECURITY MEASURES
4.1 Hailey HR shall implement technical and organisational measures, as required by the Data Protection Rules, in order to ensure a level of security that is appropriate to the risk and to protect Personal Data being Processed from accidental or unlawful destruction, loss or alteration, or unauthorised disclosure of, or access to, the Personal Data being Processed. Hailey HR shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Hailey HR.
4.2 Hailey HR shall notify the Customer without undue delay and no later than twenty-four (24) hours after becoming aware of a personal data breach pursuant to Article 33 of the GDPR.
5. DISCLOSURE OF PERSONAL DATA AND INFORMATION ETC.
5.1 Hailey HR shall forward any request to the Customer from the Data Subject, the Supervisory Authority or any other third party, who is requesting receipt of information regarding Personal Data that Hailey HR Processes on behalf of the Customer. Hailey HR, or anyone working under Hailey HR’s supervision, shall not disclose Personal Data, or information about the Processing of Personal Data, without the Customer’s express instruction or as laid down in this DPA, unless required by the Data Protection Rules.
5.2 By technical and organisational measures, which are appropriate taking into account the nature of the Processing, Hailey HR shall assist the Customer, insofar as this is possible based on the information available to Hailey HR, for the fulfilment of the Customer’s obligation to respond to requests from the Data Subject, when the Data Subject exercises its rights in accordance with the Data Protection Rules. Such assistance shall be prompt and in consideration of the limited time period that the Customer has to respond to such requests.
5.3 Hailey HR shall inform the Customer of any contacts from the Supervisory Authority that concern the Processing of Personal Data on behalf of the Customer. Hailey HR is not entitled to represent the Customer or act on the Customer’s behalf towards the Supervisory Authority.
5.4 Hailey HR shall assist the Customer in fulfilling potential duties to enable data portability regarding Personal Data, which Hailey HR Processes under this DPA.
6. SUB PROCESSORS
6.1 The Customer hereby gives Hailey HR prior, general authorisation to engage Sub- Processors in the Processing of Personal Data, provided that Hailey HR enters into a data processing agreement with each Sub-Processor, in which data protection obligations are, at a minimum, equally stringent as the ones set out in this DPA are imposed upon the Sub-Processor. Before the Effective Date, Hailey HR shall enter into such corresponding data processing agreements with each Sub-Processor. If the Sub- Processor fails to fulfil its data protection obligations, Hailey HR shall remain fully liable towards the Customer for the performance of the Sub-Processor’s data protection obligations.
6.2 Hailey HR is in particular responsible for ensuring the compliance of Articles 28.2 and 28.4 of the GDPR when engaging Sub-Processors and ensure that Sub-Processors provide sufficient guarantees to implement appropriate technical and organisational measures, in such a manner that the Processing meets the requirements of the GDPR.
6.3 Hailey HR shall inform the Customer in writing of any intended changes concerning an addition or replacement of a Sub-Processor, to which the Customer may object. If the Customer does not issue such objection within twenty (20) days from the receipt of the information, the Customer is assumed to not have made an objection. For the purpose of clarity, Hailey HR commits to promptly provide information regarding the Processing by Sub-Processors when requested by the Customer. Hailey HR has the right to cure an objection from the Customer as described above. If no corrective option is available and if the objection has not been cured by Hailey HR within thirty (30) days, the Parties shall be entitled to terminate the Agreement and/or this DPA, partially or wholly, or in relation to specific additional services, by issuing the other Party thirty (30) days’ notice.
7. AUDITS ETC
Promptly, and in any case without undue delay, upon the Customer’s request, Hailey HR shall make available all information necessary to demonstrate Hailey HR’s compliance with its obligations following from the Data Protection Rules, including as part of the audits or inspections carried out by the Customer or an independent auditor mandated by the Customer and accepted by Hailey HR. For the avoidance of doubt, each Party shall bear its own costs for any audit or inspection pursuant to this section 7 or Article 28(3)(h) GDPR.
8. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA AND DATA PORTABILITY
8.1 Hailey HR shall not transfer personal data to a third country that has not received an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, unless Hailey HR has obtained prior, specific consent for such transfer. If Hailey HR and/or Sub-Processors transfer Personal Data to a location outside of the EU/EEA, Hailey HR and/or Sub-Processor shall ensure that such transfer complies with applicable Data Protection Rules, including but not limited to ensuring that an appropriate assessment of the circumstances of the transfer as well as an assessment of the third country are made and documented prior to the transfer. Hailey HR shall ensure that a transfer is made on the basis of an appropriate safeguard, such as the Commission implementing decision (EU) 2021/914 - of 4 June 2021 - on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council or the decision or clauses that may replace them. Upon an approved transfer, Hailey HR shall obtain a clear mandate from the Customer to enter the aforementioned Standard Contractual Clauses on the Customer’s behalf. Hailey HR shall ensure that appropriate supplementary measures are implemented. Upon request by the Customer, Hailey HR shall provide all relevant information regarding the transfer and the measures undertaken pursuant to Data Protection Rules and this clause 8.1.
9.1 Hailey HR shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This undertaking does not apply to information that the Processor is required to disclose under mandatory law or other statutory rules pursuant to clause 3.3 above. This confidentiality obligation shall remain in force after termination of this DPA.
10.1 If Hailey HR, anyone working under Hailey HR’s supervision or Sub-Processors, Processes Personal Data in violation of this DPA or contrary to lawful instructions of the Customer, Hailey HR shall pay damages to the Customer for the damage (including but not limited to administrative fines) suffered due to incorrect Processing. Hailey HR shall indemnify and keep indemnified the Customer from any damages, costs and expenses, including attorney fees, in the event a data subject or third party claims compensation from the Customer for damages, or if a supervisory authority issues fines, fees or other administrative sanctions against the Customer for processing by Hailey HR in breach of this DPA or the instructions from the Customer.
10.2 A Party shall not be liable to the other Party for loss of revenue or other indirect damages. Damages, costs and expenses set forth in Section 10.1 shall be deemed direct damages. For the purpose of clarity, the liability of Hailey HR under this DPA shall not be subject to the limitations set out in section 11 of the Agreement.
10.3 During the term of this DPA, the Customer shall indemnify and hold Hailey HR harmless from any direct or indirect damage, e.g. requirements from the Data Subject and other Controllers of the Personal Data then the Customer, when Hailey HR has suffered such damage due to unlawful instructions from the Customer, or otherwise, depending on the circumstances on the Customer’s side. Customer’s indemnification and holding harmless Hailey HR shall only apply in the event that Hailey HR has informed the Customer that its instructions infringe Data Processing Rules prior to the occurrence of the damage and if, upon such information, the Customer has not amended such instructions.Hailey HR’s obligation to pay damages, laid down in section 10.1 above, only applies, provided that i) the Customer without undue delay informs Hailey HR in writing of any claims against the Customer; and ii) the Customer allows Hailey HR to control the defence of the claim and make independent decisions regarding conciliation. Such defence and decisions made by Hailey HR shall be carried out in good faith and with due care in relation to the Customer.
11. TERM AND TERMINATION
11.1 This DPA enters into force when duly signed by both Parties and remains in force as long as Hailey HR Processes Personal Data on behalf of the Customer.
11.2 Upon termination of the Agreement or this DPA (depending on which is first terminated), Hailey HR shall in accordance with the Customer’s instructions delete the Personal Data that the Customer has transferred to Hailey HR and delete any existing copies, where appropriate, and unless storage of the Personal Data is required by EU law or applicable member state law and ensure that each Sub-Processor does the same. Hailey HR shall certify to the Customer in writing that such deletion has been carried out.
12. CHANGES AND ADDITIONS
12.1 If the Data Protection Rules are changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules that result in this DPA no longer meeting the requirements for a DPA, the Parties shall make the necessary changes to this DPA, in order to meet such new or additional requirements. Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party or otherwise no later than prescribed by the Data Protection Rules, guidelines, decisions or regulations of the Supervisory Authority.
12.2 Other changes and additions to this DPA, in order to be binding, must be made in writing and duly signed by both Parties.
13.1 This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless if otherwise stated in the Agreement.
13.2 Swedish law applies in all aspects to Hailey HR’s Processing of Personal Data under this DPA. Any dispute arising out of or in connection with this DPA shall be settled in accordance with the dispute resolution provision in the Agreement.
SUB-APPENDIX 1 – DATA PROCESSING INSTRUCTIONS
In these data processing instructions, all capitalised words shall have the same meaning as defined in the DPA, unless otherwise is expressly stated.
Please specify all purposes for which the Personal Data will be Processed by the Supplier as the Customer’s data processor:
To facilitate normal operation of the Service on Customer’s behalf. The Personal data is not processed by Hailey HR in no other way.
Categories of data
Please specify the Personal Data that will be Processed by the Supplier as data processor:
The following Personal Data may be processed depending on services used by the customer:
- Information related to the data subject’s employment at the customer i.a. name, profile image, social security number, address, phone, scheduling, information related to salary, terms of employment, CV’s, educational history and certificates, notes from feedback sessions and other, for the employment, relevant information.
- Documents associated with the employment of the Data subject at the customer
Special categories of data
Please specify the Special Personal Data that will be Processed by the Supplier as data processor:
The following Special Personal Data may be processed depending on services used by the customer:
- Sensitive information related to the data subject's employment at the customer i.a. notes from rehabcases, absence information and other, for the employment, relevant information.
- Custom fields, defined and set up by the Customer, related to the Customers handling of its employees, may include other types of Special Personal Data.
Categories of data subjects
Please specify the categories of data subjects whose Personal Data will be Processed by the Supplier as data processor:
Employees and board members at the Customer. Relevant consultancy agreements.
Please specify all Processing activities to be conducted by the Supplier as data processor:
Processing operations are limited to modules used by the Customer and usually include HR-master and onboarding at a minimum. Compensation- and feedback related processes.
Location of processing operations
Please specify all locations where the Personal Data will be Processed by the Supplier as data processor and – when applicable – by Sub-processors:
All personal data is stored at Upcloud, a Finnish limited liability company, with business ID 2431560-orgnummer, a fully GDPR-compliant partner with data centers in the EU and a parent company registered in the EU.
Other data, considered not to be personal data, may be stored in Azure Data Centers in the EU, primarily in Amsterdam with failover to Dublin.
Retention requirements When applicable
Please specify the retention time of Personal Data stored by the Supplier:
Personal data is retained until removal is requested by Customer. Backups may be kept up to 30 days.
INFORMATION SECURITY MEASURES
Technical and Organisational security measures
Security policies and procedures
We have an Information security policy that is based on the ISO-standard ISO27001. This policy provides guidelines for management, and mitigation of threats to information security at Hailey. It encompasses the entire organisation and all employees at Hailey. The main purpose of this document is to ensure proper handling of information and mitigation of security risks. All employees signs the policy.
The Information policy is revised and internally controlled twice a year to review and improve security controls and practices to ensure they are effective and up-to-date with evolving threats and risks.
Security awareness training
All employees at Hailey take a course in IT security and GDPR as part of their onboarding. All developers further take a course in security related to risks arising during development and deployment. All employees take a refresher course in IT security and GDPR yearly.
Hailey has two factor authentication turned on for all employees, requiring SMS or authenticator code validation, in addition to password protection.
Regular software updates and patches
Computors and mobile devices are updated continuously to keep software updated and latest security patches installed in order to address known vulnerabilities and protect against cyberattacks.
Regular security assessment
Vulnerability scans are made continuously, and external penetration tests are made twice a year.
Security monitoring and logging
Azure Application Insights is used for monitoring all applications, including data access. The monitoring only contains technical data and no personal data is stored.
Data backup and recovery
Backups are facilitated by our sub-processors and may be kept up to 30 days. Backups are retained offsite, i.e. geographically separate, from where databases and file storages are located. Backups are tested twice a year. As part of the Information security policy we have a disaster recovery plan defined. Disaster recovery is tested every six months.
Incident response plan
As part of the Information security policy we have an incident response plan defined.
Data classification and retention
Personal data in Hailey is classified based on its sensitivity and an appropriate retention policy is implemented to ensure it is disposed of when no longer needed.
Personal data is destroyed using crypto shredding.
Encryption of data communication
TLS 1.2 is used for data in transit and AES256 for data at rest to help protect sensitive information from unauthorized access or theft.
Firewalls, separation of environments and antivirus Protection
Firewalls environments and antivirus is provided by UpCloud. UpCloud has ISO27001 certification.
Service and repair of devices where Personal Data is stored
All Personal data is stored in Upcloud. Upcloud facilitates service and repair of devices. UpCloud has ISO27001 certification.
All services are protected by OIDC and a centralized login.
Authorisation and permissions
Roles are limited to Employees, Managers, People officers and Company administrators, each having a range of permissions to use the Service. Apart from system administrators at Hailey HR, who have access at a database level, there is no way for anyone at Hailey HR to access Personal data.
Sub-Appendix 2 – Sub-Processors
Our main sub-processor is Upcloud, a Finnish limited liability company, with business ID 2431560, a fully GDPR-compliant partner with data centers in the EU and a parent company registered in the EU. All personal data is stored at Upcloud and is encrypted.
Other data, not personal data, may be stored in Azure Data Centers in the EU, primarily in Amsterdam. Computing is done in Microsoft Azure servers before sent for storage in UpCloud.
Bitio Services is our sub-processor for electronic signatures of documents
Flowmailer is our sub-processor for e-mail services and is used when activities trigger Hailey to send emails to users.