Data Processing Agreement
- DEFINITIONS:
In this Agreement:
Checkback/you/your means Checkback International Limited a company incorporated in Ireland with company UID 307324 and registered office address at 6-9 Trinity Street, Dublin 2.
1.1 Client/we/us/our means the party for whom Checkback carries out the Services, as more particularly set out in Schedule 1;
1.2 Client Data means any data or information in any form or medium provided by or on behalf of us to you, or which you are required to process as part of the Services, and including without limitation, any Personal Data;
1.3 Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures have the meanings as defined in the Data Protection Legislation;
1.4 Data Protection Legislation means the Ireland Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
1.5 Ireland Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in Ireland including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI2003/2426) as amended; and
1.6 Services means the applicant and employee background checking services provided by Checkback to the Client.
- DATA PROTECTION
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace,a party’s obligations or rights under the Data Protection Legislation. In this Agreement, Applicable Laws means (for so long as and to the extent that they apply to Checkback) the law of the European Union, the law of any member state of the European Union and/or Domestic Law Ireland; and Domestic Law Ireland means the Ireland Data Protection Legislation and any other law that applies in Ireland.
2.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and Checkback is the Processor on behalf of the Client in respect of the Client Data for the purposes of providing the Services. The Client determines the purposes for which, and the manner in which, Personal Data is, or is to be, processed by Checkback on the Client’s behalf.
2.3 Schedule 1 sets out the scope, nature and purpose of processing by Checkback, the duration of the processing and the types of Personal Data and categories of Data Subject.
2.4 Without prejudice to the generality of clause 2.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Checkback and/or lawful collection of the Personal Data by Checkback on behalf of the Client for the duration and purposes of this agreement.
2.5 Without prejudice to the generality of clause 2.1, Checkback shall, in relation to any Personal Data processed in connection with the performance by Checkback of its obligations under this agreement:
2.5.1 process that Personal Data only on the documented written instructions of
the Client which are set out in Schedule 1 and in each written instruction given to Checkback by the Client, unless Checkback is required by Applicable Laws to otherwise process that Personal Data. Where Checkback is relying on Applicable Laws as the basis for processing Personal Data, Checkback shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Checkback from so notifying the Client;
2.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate,pseudonymising and encrypting Personal Data, ensuring confidentiality,integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
2.5.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
2.5.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
(a) the Client or Checkback has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) Checkback complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) Checkback complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
2.5.5 assist the Client, at the Client’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.5.6 Checkback will promptly and without undue delay notify the Client if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable. Checkback will restore such Personal Data at its own expense for any of the following Data breach incidents;
(a) any accidental, unauthorised or unlawful processing of the Personal Data; or
(b) any Personal Data Breach
2.5.7 Where Checkback becomes aware of (a) or (b) above, it shall, without undue delay, also provide the Client with the following information;
(a) description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
(b) the likely consequences; and
(c) description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
2.5.8 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Checkback will reasonably co-operate with Client in Client’s handling of the matter, including:
- assisting with any investigation;
(b) providing Client with physical access to any facilities and operations affected;
(c) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Client; and
(d) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
2.5.9 at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Personal Data; and permit Client to audit Checkback’s premises, systems, records and procedures once per year upon reasonable advance written notice to verify your compliance with this Agreement and the Data Protection Legislation
2.5.10 maintain complete and accurate records and information to demonstrate its compliance with this Agreement and immediately inform the Client if, in the opinion of Checkback, an instruction infringes the Data Protection Legislation.
2.6 Checkback may engage other processors for the processing of Customer personal data in accordance with this GDPR Addendum. Checkback shall maintain a list of such processors at https://checkback.co.uk/privacy-policy/ which Checkback may update from time to time. At least 14 days before authorising any new such processor to process personal data, Checkback shall update the list on its website. Customer may object to the change without penalty, by initiating the Agreement’s dispute resolution process, or in the absence of a dispute resolution procedure, Checkback shall use reasonable endeavours to change, modify or remove the affected products or services, in order to avoid processing of Customer personal data by such new processor to which Customer reasonably objects.
- GENERAL TERMS
3.1 This letter agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the law of Ireland.
3.2 The parties irrevocably agree that the courts of Ireland have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) that arises out of, or in connection with, this letter agreement or its subject matter or formation.
3.3 Please sign and return the enclosed copy of this letter to acknowledge your agreement to these terms. for and on behalf of the Client We agree to the terms set out above. for and on behalf of Checkback International
Schedule 1
Processing, Personal Data and Data Subjects
- Details of the Client
Company Name:
Company number:
Registered office address:
Name of Authorised Signatory & Position in Company (Director or authorised manager)
Contact Telephone Number
Email Address
Name of Person to correspond with on a day to day basis
Email Address
Processing by Checkback
Nature of processing: Checkback is authorised to access, collect, sort and process Client Data provided by existing or prospective employees of the Client.
Purpose of processing: Checkback processes Client Data solely for the purpose of providing the Services.
Duration of processing: Checkback is authorised by the Client to process Client Data for up to 90 days after receipt of such Client Data, unless requested earlier by the relevant Data Subject.
Types of Personal Data
- Name
- Contact details
- Personal financial information
- Payroll data
- Immigration information
- Recruitment data
- Disciplinary information
- Criminal record.
Categories of Data Subject Existing or prospective employees of the Client.
Schedule of Services Agreement
The Service – See Schedule of services attached
- Scope of Vetting
Includes verification of data as made available by ‘Client’ applicants (Applicant) via the Checkback application vetting form. The Screening product detailed above within schedule of services section a. ‘The Service’ is for new ‘Client’ account set-up purposes only. Any further screening products required may be requested by ‘Client’ in writing (by email) in advance with your Account Manager in Checkback. These will include costs and process. In addition, all checks being considered will be detailed on online application form where applicants will retain explicit rights & control over individual checks being considered and can withdraw consent for either entire vetting process, or for specific checks within the vetting process by simply choosing this option.
Please Note:
‘Send New Alerts’, ‘Outstanding Alerts’ and ‘applicants Pending’ are by default, the sole responsibility of the client ADMIN. Only when client ADMIN notifies screening team that online applications have been submitted fully by their applicant, can the screening team take the lead and commence the vetting process.
The Screening Team can manage this entire process on your ADMINS behalf, and as an add on extra service. This service is not included in your Screening product(s). Please contact your Checkback account manager, if you would like to include this service.
- Service charges are detailed in attached schedule of services
*Clients can request new checks or screening products (SP) as and when required, by simply emailing their Checkback Team lead. Any changes in costs will be agreed by email and in advance of screening start. Data Processors Agreement Terms will apply to subsequent changes All prices are exclusive of VAT and based on a recent Irish Address/reference history. All other states will bepriced on a case by case basis. Checkback will not accept liability for any client bank charges incurred in settlement of invoices. All such client bank charges will be passed back to Client in following months invoicing. As a consequence of inspectorate & Admin charges, once online form has been submitted by client candidates, the charge applies even if screening is cancelled or cannot be completed.
Any additional charges imposed by third parties, will be cleared in advance with client and approved only when written (email) authorisation has been received from client.
- Turnaround Times (TATs)
Where all required information is made available, Checkback will complete and return all basic DBS checks within 10 working days (Targeting 48 hours for basic DBS, financial, identity, sanctions & Anti Fraud checks. Allow 21 days where gap analysis included in screening product). TATs specific to clients SP will be detailed in schedule of service and/or any subsequent correspondence by email with client, where new SP’s are requested. For Data Protection reasons and to remain in compliance to Checkbacks Data Security policy, files older than (84 days) will be deemed incomplete but unable to take further, (where Checkback researchers have exhausted every means of obtaining a reference but not received any response) closed and returned to client as incomplete.
- Online Process
‘Client’ requires Checkback to carry out checks as detailed below. To facilitate this ‘client’ will submit to Checkback relevant ‘Applicant’ information via an online application form, which shall as a minimum include the ‘Applicant’ consent. The link to this application form will be sent to ‘Applicant’ by email and from ‘Client’ online checkback account following a 3 click process.
To use the online service, Checkback will provide ‘Client’with secure login, where using Checkback’s 3 click progress, enter the ‘Applicant’ name, email address, select the required service from our drop-down menu service list and select ‘email the ‘Applicant’. ‘Applicant’ receives a request from Checkback by email and by clicking on the link, completes their application online. ‘Client’’ may track screening in real time as they move through the vetting process
When Candidates screening has finished, files will be available to download from Clients online Checkback Dashboard. Clients will receive an automated text advising them when reports are available for download. Files will expire within 90 days from date client is sent notification that their candidate report is ready for download
- Credit terms
Checkback credit terms will be set at Undisputed invoices that remain outstanding beyond agreed terms, from start of screening date, are subject to a late payment fee of