Appendix 1 to the General Terms and Conditions for Business Customers

PREAMBLE
JobCloud processes the personal data of the business customer (hereinafter also referred to as “Customer”) in accordance with JobCloud’s General Terms and Conditions for Business Customers (hereinafter referred to as “GTC”).

This Annex to the GTC specifies the obligations of the contracting parties with regard to data protection. It applies to all of JobCloud’s processing activities on behalf of the Customer.

The purpose of this Agreement for contract data processing of personal data is to ensure that the contract data processing complies with the applicable data protection laws (in particular the Swiss Federal Act on Data Protection).

The following Annexes form an integral part of this Agreement for contract data processing:

Annex 1: Description of Data Processing
Annex 2: Sub-processors
Annex 3: Technical and organisational measures

1. SUBJECT AND TERM OF AGREEMENT

The following services provided under JobCloud’s GTC include the processing of personal data by JobCloud as data processor:

– Programmatic job advertising: If the Customer enters into an agreement for programmatic job advertising, personal data are processed for the performance-based billing, control of distribution and optimization of the effectiveness of job advertisements based on performance data, e.g. the IP addresses and the device type of the persons clicking on the job advertisements or appealing to a job offer. See Annex 1 A.

– Applicant Tracking System (ATS): If the Customer uses an ATS applicant management tool provided by JobCloud or Customer’s ATS integrated into JobCloud’s platforms, JobCloud processes applicants’ personal data. See Annex 1 B.

The data processing activities listed above are specified in Annex 1. Which activities will be used in a specific case will be determined by the services utilized by the Customer pursuant to the GTC.

This Agreement is made for an indefinite period and shall remain in force for as long as the Customer uses JobCloud’s services.

2. RIGHTS AND OBLIGATIONS OF JOBCLOUD

JobCloud shall process personal data exclusively in accordance with the agreements made pursuant to the GTC and written or electronically documented instructions from the Customer. Verbal instructions must be confirmed immediately in writing or electronically. The Customer shall be responsible for complying with the statutory provisions on data protection, in particular the lawfulness of data processing by JobCloud. JobCloud shall inform the Customer immediately if JobCloud is of the opinion that an instruction violates applicable law.

JobCloud shall rectify or erase data that is the subject of this Agreement immediately upon the Customer’s instruction unless JobCloud is obligated under applicable laws to further process the data.

Within its area of responsibility, JobCloud shall design its internal organisation in such a way that JobCloud meets the special requirements of data protection. JobCloud shall have in place the technical and organisational measures specified in Annex 3 to this Agreement to ensure appropriate protection of the Customer’s data. JobCloud shall be entitled to change the security measures, but it must ensure that they do not fall below the agreed level of protection. JobCloud warrants that it will comply with its obligations under the applicable data protection laws and will implement a procedure to regularly review the effectiveness of its technical and organisational measures.

JobCloud shall assist the Customer to the extent possible in fulfilling the queries and claims of data subjects under the applicable data protection laws as well as in complying with legal obligations in connection with reports of breaches of personal data protection and data protection impact assessments, as well as other obligations to the extent that JobCloud is required to do so under applicable data protection laws.

JobCloud warrants that the persons involved in processing the Customer’s personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality.

JobCloud shall notify the Customer immediately if JobCloud becomes aware of any breach of the Customer’s personal data. JobCloud shall take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects and shall consult with the Customer immediately in this regard. In the event of a claim against the Customer by a data subject with regard to any claims under the applicable data protection laws, JobCloud undertakes to support the Customer in defending the claim to the extent possible.

3. OBLIGATION OF THE CUSTOMER

The Customer shall fully inform JobCloud immediately if it detects errors or irregularities with regard to data protection provisions in the results of the processing.

4. DATA SUBJECT REQUESTS

If a data subject contacts JobCloud with a request for rectification, erasure or access, JobCloud shall refer such data subject to the Customer, provided that JobCloud is able to match the data subject to the Customer. JobCloud shall immediately forward the data subject’s request to the Customer. JobCloud shall not be liable if the data subject’s request is not responded to, not responded to correctly or not responded to in a timely manner by the Customer.

5. OPTIONS FOR FURNISHING PROOF

JobCloud shall furnish proof to the Customer using appropriate measures of JobCloud’s compliance with the obligations set forth in this Agreement.

If, in individual cases, inspections by the Customer or an auditor engaged by the Customer should be necessary, these shall be carried out during normal business hours, upon reasonable advance notice and without disruption to JobCloud’s business operations. JobCloud shall be entitled to premise such inspections on the signing of a confidentiality agreement.

6. SUB-PROCESSORS

The Customer agrees that JobCloud may engage subcontractors (sub-processors). JobCloud shall notify the Customer before engaging or replacing any subcontractor and set the Customer a period of 30 days within which to object.

The Customer may object to the change within the 30-day notification period for good cause. If the Customer fails to object within such period, it shall be deemed to have consented to the change.

If JobCloud engages subcontractors, JobCloud shall be obligated to impose its data protection obligations under this Agreement on such subcontractors.

7. MISCELLANEOUS

Amendments or addenda to this Agreement and its constituent parts must be agreed to in writing, which may also be made electronically (in text form); the provisions governing the changes to the GTC do not apply.

If individual parts of this Agreement should be deemed invalid, this shall not affect the validity of the rest of this Agreement.

Zurich, September 2023

 

ANNEX 1 – DESCRIPTION OF DATA PROCESSING

ANNEX 1 A – PROGRAMMATIC JOB ADVERTISING

1. CATEGORIES OF DATA SUBJECTS

☒ Employee/contact person of Customer
☒ Job seeker

2. CATEGORIES OF PERSONAL DATA

☒ Information about the Customer’s employee/contact person: contact details such as name, position designation, e-mail address and telephone number; dashboard password (one-way encrypted/hashed), devices and browsers used, behavioural data (number and length of visits)
☒ Job seeker: IP address (anonymized after 30 days), behavioural data (on the Customer’s website: number and length of visits, limited to the pages specified by the Customer and related to the apply form, devices and browsers used, last page visited)

3. PURPOSE OF THE PROCESSING

Performance-based publication and payment of job advertisements.

4. TYPE OF PROCESSING

☒ Receipt
☒ Storage
☒ Disclosure
☒ Deletion (as instructed)
☒ Anonymisation (as instructed)
☒ Change (as instructed)
☒ Restriction (as instructed)
☒ Use

5. DATA RETENTION / STORAGE PERIODS

We process the personal data for as long as necessary to perform the services.

 

ANNEX 1 B – APPLICANT TRACKING SYSTEM (ATS)

1. CATEGORIES OF DATA SUBJECTS

☒ Job seeker

2. CATEGORIES OF PERSONAL DATA

☒ Information about the job seeker in accordance with the job seeker’s specific disclosure; in particular, the following personal data may be affected:

· Postal address:
Number and street, additional lines of address, postcode, town, canton, country

· Personal information:
First name, surname, academic titles, gender, date of birth, place of birth, telephone numbers, fax numbers, e-mail addresses, websites, social media links

· Work and project phases:
Date joined company, date left company, name of company, postal address of company, employment, weekly working times, sector (NACE), job area, position, skills, websites and internet resources

· Education phases:
Date started school, date left school, name of school/academic institution, postal address, subject area/course/focus, type of educational programme, ISCED classification

· Academic publications:
Date of publication, title, topic, institute, conference proceedings, list of authors, postal address of conference, skills, field of work, sector (NACE), websites and internet resources

· Further Information:
Other skills, personal interests/hobbies, written references and recommendations, other websites and internet resources

· Job objectives:
Salary, availability date, position, postal address

3. PURPOSE OF THE PROCESSING

Provision of the ATS and support by management of the job applications.

4. TYPE OF PROCESSING

☒ Receipt
☒ Storage
☒ Disclosure
☒ Deletion (as instructed)
☒ Anonymisation (as instructed)
☒ Change (as instructed)
☒ Restriction (as instructed)
☒ Use

5. DATA RETENTION/STORAGE PERIODS/MISCELLANEOUS

The data shall be deleted by the Customer manually or according to the deletion settings in the ATS used by the Customer.

 

ANNEX 2 – SUB-PROCESSORS

JobCloud uses services from third parties that process data on its behalf (“sub-processors”) for processing data on behalf of the Customer. These are the following companies:

Company | Location of data processing | Services
Aiven Oy Ltd | EU | Data transfer between different technical applications, incl. job ads and job applications
Amazon Web Services, Luxembourg | EU | Hosting; data retrieval (job application data and references to CVs)
eRecruiter GmbH | EU | ATS provider (for jobcloud.ai platform)
IP-Max SA | Switzerland | Hosting for ATS (for jobup.ch platform)
SMG Swiss Marketplace Group AG | Switzerland | Hosting for ATS (for jobscout24.ch platform)
Netiva GmbH | Switzerland | Product Development (jobscout24.ch platform)
Joveo Inc. | US | Click pixels, in cases where job ad was displayed on an external job platform (for Programmatic clients)
Snowflake Computing Netherlands B.V. | EU | Data warehouse; Statistics data from job ads (for Programmatic clients)
ScyllaDB ltd Israel | EU | Database, Data storage for Jobs data (for Programmatic clients)

ANNEX 3 – TECHNICAL AND ORGANIZATIONAL MEASURES

Physical access control:
· Ensured by server hosting provider (DPA available).

System access control:
· The system automatically generates a password for the platform(s) at the time of the Customer’s registration in accordance with guidelines considered secure under the current state of the art, and the password is disclosed only to the Customer. The initial transmission of the password is done over a secure channel.
· The Customer can change the password after having logged in to the platform via a secure connection or the password may be reset by its supervisor or a system administrator. Access is ensured by at least 2-factor authentication and a password, which must meet minimum requirements for password length and complexity.
· In addition to password authentication, token-based authentication is also used for accessing the web service.
· Access to these servers is restricted to specified networks and computers. For authentication either public key authentication or a password procedure is used. Both processes are in accordance with guidelines considered secure under the current state of the art.
· The stored data is saved exclusively in encrypted form. In addition, there are processes, guidelines and key management. There is a written authorisation concept, which is used internally and subjected to regular reviews.

Data access control:
· Partially ensured by server hosting provider.
· Staff engaged to perform administrative tasks only have access rights and permissions to the data that is specific to them. Rules on substitutes are defined.
· Measures to ensure that the persons authorised to use the data for data processing processes are only able to access the data according to their data access authorisation include:
  · Authorisation mechanisms with the possibility to make precise differentiations
  · Audit-proof, binding process for granting authorisations to JobCloud staff
  · Segregation of approval of authorisation (organisational) by head of department/management/executives and assignment of authorisation (technical) by IT department

· Measures have been defined to identify unauthorised access attempts and attacks by third parties via the Internet (e.g. firewall logs). In addition, platform screenings have been implemented to identify and prevent conspicuous or potentially improper behaviour (e.g. intrusion detection).
· There are processes in place that govern the handling of potential personal data breaches and other incidents.

Transport control:
· Communication between the platform(s) and third party sources happens exclusively via https or via SSL or TLS.
· For each IT system with personal data in or with an externally connected network, transmission data is logged and controlled.

Input control:
· All successful attempts to use the web services are stored in the user administration system for accounting purposes. Invalid access attempts are stored for 72 hours to prevent misuse or damage.
· Input rights are documented and follow the internal instructions from management.

Processing control:
· The Agreement contains detailed information about the purpose limitation of the Customer’s personal data.

Availability control:
· Partially ensured by server hosting provider.
· There is a backup and recovery concept with periodical backups of all relevant data and disaster-proof storage of the encrypted data media.
· There is expert deployment of data protection software (virus scanners, firewalls, encryption programs, SPAM filters) and monitoring of all relevant servers.
· There are physical controls in place with respect to unauthorised access attempts, fire, flooding and power failure.
· The effectiveness of these precautions is periodically tested and documented (vulnerability test).
· There is a written concept for monitoring security-relevant incidents (security event monitoring).
· There are processes in place for handling potential incidents (incident response).

Principle of separability:
· Data are logically separated from other data when processed. It is ensured at all times that customers have access only to their own data.
· Measures have been taken in order to ensure the integrity of the data at all times during processing and transfer.

Tests and audits:
· JobCloud subjects the technical and organisational measures described above to regular testing and audits in order to assess their effectiveness and appropriateness (e.g. web application penetration tests).