Codility Data Processing Agreement
This Codility Data Processing Agreement (DPA) entered into by the Customer and Codility Limited, and Codility Polska sp. z o.o. (Codility) (the parties) governs the processing of personal information in connection with the Service. This DPA is incorporated into the relevant Codility Terms of Service in order to demonstrate the parties’ compliance with the EU General Data Protection Regulation (EU) 2016/679. Collectively, the DPA, the Codility Terms of Service, and any other applicable ordering document, are referred to in this DPA as the Agreement.
- “Personal Information,” shall mean any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity. Personal Information includes Sensitive Personal Information;
- “Process” or “Processing” shall mean any operation or set of operations which is performed upon personal information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination or otherwise making available, alignment or combination, restriction, transfer, and erasure or destruction;
- “Special Categories of Personal Information” shall mean racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited;
- “Personal Data Breach” shall mean any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal Information transmitted, stored or otherwise processed;
- “Applicable Laws” means all relevant laws, rules, Directives, and Regulations in all relevant jurisdictions, including the United States and European Union, including all applicable privacy, data protection, data security, and data breach notification laws, rules, Directives, and Regulations;
- “EU General Data Protection Regulation” or “GDPR” shall mean the Regulation (EU) 2016/679 adopted by the European Parliament and the Council of the European Union on 27 April 2016, and effective 25 May 2018.
Other words and expressions used in this DPA but not defined herein shall have the meaning giving to such words and expressions in the GDPR.
2. Details of Processing
Categories of Data Subjects and Types of Personal Information. Customer and/or Customer’s individual employees, potential employees/candidates, contractors, or agents may submit Personal Information to Codility through the Services, which may include Personal Information relating to the individual employees, potential employees/candidates, contractors, or agents. The Personal Information transferred from Customer to Codility concern the following types of data: contact information; personal identifiers, such as name and email address, educational information, and professional experience; and other identifiers such as IP address.
Subject Matter and Nature of Processing. The Personal Information transferred by Customer will be processed by Codility to provide the Services to Customer and Customer’s individual employees, potential employees/candidates, contractors, or agents in accordance with the Agreement and Customer may make Personal Information available to Codility in connection with this purpose. The Personal Information may be subject to the following processing activities: providing the Codility service, communicating with Customers and candidates, creating and sending candidate evaluation reports, providing technical support, and storing information for the duration of the Customer relationship.
Purpose and Duration. Codility will process Personal Information to provide the Services during the term of the Agreement (except as otherwise permitted by this DPA or required by law).
3. Customer Obligations
The Customer agrees:
- that it determines the purposes for which Personal Information are being or will be processed, and the manner in which they are or will be processed;
- that the processing, including the transfer itself, of the Personal Information to Codility has been and will continue to be carried out in accordance with the relevant provisions of the Applicable Laws, including the GDPR for controllers, including that Customer will:
- establish and maintain a procedure for the exercise of the rights of the individuals whose Personal Information are processed on behalf of Customer;
- ensuring compliance with the provisions of this Agreement by its personnel or by any third-party accessing or using Customer Personal Information on its behalf;
- process only information that has been lawfully and validly collected and ensuring that such information will be relevant and proportionate to the respective uses; and
- ensure compliance with the provisions of the Agreement by its personnel or by any third-party accessing or using Personal Information on its behalf.
4. Codility Obligations
- to process the Personal Information only on behalf of Customer and in compliance with Customer’s instructions, unless Codility is required to process the Personal Information by law. If in Codility’s opinion an instruction from Customer infringes Applicable Laws, Codility will inform Customer;
- that it will take all reasonable steps to ensure that: (i) persons employed by Codility; and (ii) other persons engaged at Codility’s place of business who may process Personal Information are aware of and comply with this DPA;
- that it will comply with confidentiality obligations with respect to Personal Information and take all appropriate steps to ensure Codility’s employees, authorized agents, and any sub-processors comply with and acknowledge and respect the confidentiality of Personal Information, including after the end of their employment, contract or at the end of their assignment;
- that it will take all measures required pursuant to Article 32 of the GDPR;
- that it will inform Customer of:
- any legally binding request for disclosure of Personal Information by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities, or unless otherwise prohibited;
- any personal data breach within the meaning of Applicable Laws relating to Personal Information from the Customer which may require a notification to be made to a supervisory authority or data subject under Applicable Laws;
- any investigation by a supervisory authority relating to Personal Information, unless otherwise prohibited; and
- any requests for access to, or the rectification, erasure, restriction, blocking, or deleting of Personal Information received directly from a data subject without responding to that request.
- that it will provide reasonable cooperation and assistance to Customer with respect to Customer’s obligations regarding:
- requests from data subjects in respect to access to or the rectification, erasure restriction, blocking, or deletion of Personal Information;
- the investigation of any personal data breach within the meaning of Applicable Laws relating to Personal Information from Customer and Customer’s individual employees, potential employees/candidates, contractors, or agents in the European Union, and the notification to the supervisory authority and data subject in respect of such a personal data breach;
- the preparation of legally required data protection impact assessments with respect to Personal Information and, where applicable, consulting with a supervisory authority with respect to such assessments, taking into account the nature of processing and the information available to Codility;
- that if required by law to process Personal Information, to take reasonable steps to inform Customer of this requirement in advance of any processing, unless Codility is prohibited from informing Customer; and
- upon reasonable request, make available to Customer information necessary to demonstrate compliance with the obligations in this Section.
Codility agrees, at the request of Customer, to submit to audits to ascertain and/or monitor Codility’s compliance with this DPA. Customer will bear the fees of any auditor and any expenses incurred by Codility in complying with this Section and Section 4(f). Any audits shall be carried out no more than once in any 12 month period with reasonable notice and during regular business hours and in a manner which is not disruptive to Codility’s business, and under a duty of confidentiality, by Customer and/or by a third party appointed by Customer and accepted by Codility. The scope of such an audit will be agreed in advance and shall not involve physical access to the servers on which Customer Personal Information is hosted. Customer hereby agrees that an audit may only be conducted if necessary to prove facts which Codility cannot verify by providing Client with independent evidence of its compliance with a third party certification program. The results of any audit will be considered Codility confidential information.
Codility may engage third parties to act on its behalf for the purpose of satisfying its obligations to provide the Service and may delegate all or part of the processing activities to such sub-processors. Codility shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for in this DPA and the Agreement. For the purposes of this Section, Customer hereby consents to Codility engaging sub-processors reasonably required to assist Codility for the purposes of providing the Service. Codility shall inform Customer of any intended changes concerning the addition or replacement of sub-processors.
7. Data Transfers
For transfers of EU Personal Information to Codility for processing by Codility in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing adequate data protection, Codility agrees it will use Standard Contractual Clauses or another lawful transfer mechanism.
8. Post-termination Obligations
On the termination of the Service, Codility and any sub-processors shall, at the choice of Customer (subject to the limitations described in the Agreement or as required by law), securely destroy or return all Personal Information from Customer and Customer’s employees, contractors, or agents, with the exception of any Customer Personal Information which may exist in backups or logs maintained by Codility and which Codility will destroy in accordance with its normal data retention policies and practices . In the event that Codility must retain the Personal Information based on Union or Member State Law, and to the extent that Personal Information is contained within backups or system logs, Codility agrees to preserve the confidentiality of the Personal Information retained by it.