2.1 “Agreement”, “DPA” means this Data Protection Agreement.
2.2 “Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State, and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR and, to the extent applicable, the data protection or privacy laws of any other country.
2.3 “Data Transfer” means a transfer of Personal Data of the Parties to Recann and our wholly owned, subsidiary, and otherwise affiliated entities or a Subprocessor as specified herein;
2.4 “GDPR” means EU General Data Protection Regulation 2016/679;
2.5 “Recann”, “we”, “us”, and “our” means Recann Ltd and all our existing entities under applicable laws with their principal place of business located as mentioned herein.
2.6 “Parties”, “you”, and “your” means Recann, and you the users of the Services collectively or individually as the context suggests.
2.7 “Personal Data” means any information about an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, location data, online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
2.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by, where applicable, us or our Sub-Processors in connection with the provision of the Services. “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
2.9 “Services” means the recruitment services provided by Recann, our online website located at https://www.recann.co.uk/ and https://www.recannintl.com, mobile website, APIs, social media, software, and mobile applications related, linked, or otherwise connected thereto collectively.
2.10 “Special categories” of personal data (sensitive personal data) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Special category data can include racial and ethnic origin, health records, criminal record checks etc.
2.11 “Subprocessor” means any person or entity appointed by or on behalf of Recann to process Personal Data on behalf of Recann in connection with the Agreement.
2.12 The terms “Commission”, “Controller”, “Consumer”, “Processor”, “Data Subject”, “Member State”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
BESIDES THE DEFINITIONS MENTIONED IN THIS SECTION, THIS DOCUMENT CONTAINS DEFINITIONS THROUGHOUT THE AGREEMENT.
The term of this Agreement commences as soon as you utilise any of our Services and/or enter into any contract with us and subsists unless terminated by you or us in accordance with the terms and conditions of the applicable contract between us and you. Termination of this Agreement does not waive any obligations such as “confidentiality” and other terms of similar nature which ought to survive the termination of this Agreement. By clicking on “Accept” or other analogous terms when prompted, you agree to be bound by the terms of this DPA.
4 STATEMENT ON DATA PROTECTION
Recann is the Data Controller and is committed to protecting the rights of Parties in line with the Data Protection Laws. We are committed to keeping the Personal Data of the Data Subjects and any other personal data collected, used, or stored by us as secure and private as possible. Where applicable, the Sub-Processors shall also be bound by the same or stricter obligations applicable to Recann for personal data processing activities.
5 SCOPE AND APPLICATION
This Agreement governs how the Personal Data of the Data Subjects is shared. The rights and obligations of Recann and the Data Subjects are specified herein.
6.1 In accordance with the requirements outlined in the Data Protection Laws, Personal Data will be:
6.1.1 Processed lawfully, fairly and in a transparent manner.
6.1.2 Collected for specified, explicit and legitimate purposes and processed in a manner that is compatible with those purposes;
6.1.3 Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
6.1.4 Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay.
6.1.5 Kept no longer than is necessary for the purposes for which the personal data are processed;
6.1.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
7 INFORMATION ABOUT OUR RELATED ENTITIES AND HOW YOUR INFORMATION IS SHARED
Our offices are located worldwide and share the same internal CRM systems. Therefore, your information may be transmitted to any or all of these entities. All the entities mentioned below act as the Controller and determine the purposes for which and the means by which personal data is processed. The following are the entities connected to Recann and our Services (“Recann Affiliates”):
| Entity | Address |
|---|---|
| Recann Ltd | Clarence House, 2 Clarence Street, Manchester, M2 4DW |
| DCG IT Limited | 3rd Floor Eastgate, Castle Street, Castlefield, Manchester, M3 4LZ |
| DCG IT GmbH | Beedstraße 54, 40468 Düsseldorf |
| Recann BV | Kabelweg 57, 1014BA, Amsterdam |
| DCG IT Inc | 535 Fifth Avenue, New York, NY 10017 |
| Recann AB | Box 45087, 104 30 Stockholm |
8.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and risk of varying likelihood and severity for the rights and freedoms of natural persons, Controller shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
8.2 In assessing the appropriate level of security, Controller shall take into account, in particular, the risks that are presented by a Personal Data Breach.
8.3 Encryption methods such as SSL are utilized to protect Personal Data. We utilise Avast Business CloudCare Suite (“Avast”) to protect your personal information in our possession acquired through your consent. Avast contains tools enabling Recann to protect your Personal Data as per industry standards. The following Avast tools (non-exhaustive) are utilised by Recann:
8.4 File Shield – monitors all files and blocks any dangerous or malicious files.
8.5 Behaviour Shield – identifies apps acting suspiciously in real time.
8.6 Mail Shield – monitors mail in and out and blocks infected mail.
8.7 Web Shield – stops malware and spyware from websites.
8.8 Real Site – stops browsing to forged websites.
8.9 Anti-spam – blocks spam from mailboxes.
8.10 Firewall – monitors in-bound and out-bound activities.
8.11 VPN – gives a secure connection when using public hotspots.
8.12 Data Shredder – overwrites files with encrypted data to permanently delete them.
To manage the Services, we constantly monitor via the cloud and alert administrators of detected threats, disabled components, missed scans, and updates, among others. We place high importance on data security and have established physical, electronic, and managerial measures to protect the data collected through our Services. Our steps to secure your data include:
8.13 Identifying and taking offline compromised hardware.
8.14 Investigations of compromised hardware will be carried out to identify the cause.
8.15 We will determine the scale of the breach and detail what has been compromised, and how and by whom.
8.16 We will then carry out relevant work to secure hardware.
8.17 A full Report will be given to our GDPR officer.
8.18 You can expect a full report of your data that has been compromised within 3 working days.
Notwithstanding the security measures that We take, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting to Us data via the internet.
9 DATA PROTECTION IMPACT ASSESSMENT
Recann will conduct data protection impact assessments (“DPIA”) and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Recann reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law. The DPIA must be conducted before the start of the relevant data processing activity. The Controller shall document the results of the DPIA, including any identified risks and the measures taken to mitigate those risks.
10 DELETION OR RETURN OF PERSONAL DATA
10.1 Subject to this section, Recann and Parties shall promptly and in any event within a reasonable time of cessation of any Services, or upon the request of a Data Subject involving the Processing of Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Personal Data.
10.2 Notwithstanding the foregoing, for the purposes of keeping records, Recann retains Personal Data for a period of at least 5 (five) years.
Recann implements appropriate technical and organizational measures to demonstrate that data is processed in line with the principles set out in Data Protection Laws. Recann provides comprehensive, clear, and transparent privacy notices to its employees, workers, consultants, contractors, and clients. Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences. Data protection impact assessments are used, where appropriate.
12 DATA PROTECTION OFFICER (DPO)
12.1 Recann has an appointed DPO who will:
12.1.1 Inform and advise Recann and its staff about their obligations to comply with the Data Protection Laws and other data protection laws.
12.1.2 Monitor Recann’s compliance with the Data Protection Laws, including managing internal data protection activities, advising on data protection impact assessments, conducting internal audits, and providing the required training to staff members.
12.1.3 Recann has a Data Protection Officer who can be contacted using the information provided below. The individual appointed as DPO will have professional experience and knowledge of data protection law. The DPO will report to the highest level of management at Recann. The DPO will operate independently and will not be dismissed or penalized for performing their task.
13 ACCESS TO PERSONAL DATA
Recann strives to maintain the highest security standards with respect to the Personal Data of data subjects. As such, the Personal Data is shared strictly for the purposes for which it was collected. The Personal Data is not shared with any individual or entity not bound by strict confidentiality obligations in writing. Within Recann, the Personal Data of Data Subjects is shared with our employees for providing Services and within the bounds of which the Personal Data is intended to be utilized. More specifically, the support staff of Recann may also be provided Personal Data for the purpose of providing assistance to Data Subjects where requested or required.
14 DATA SHARING AND USAGE STATEMENT
Your personal information will be kept on our CRM database and may be accessible by employees in various offices worldwide, all of which follow GDPR guidelines. Our personnel are bound by strict non-disclosure obligations. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. This includes staff engaged in, among other things, our recruitment services, and the provision of support services. Your data may also be shared with third parties during a business sale or transfer, or if required by law, to protect Recann, its customers or other parties' rights and assets. We may be obligated to reveal your personal information for legal compliance, defence of our business, enforcement of agreements, or protection of Recann's rights, property, customers, or parties. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our Services; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
15 INDIVIDUAL’S RIGHTS
15.1 Individuals may have the following rights pertaining to their personal data as per applicable Data Protection Laws:
15.1.1 To be informed – that means an individual has the right to be informed about the collection and use of their personal data.
15.1.2 Rights to access and port data - that means an individual has the right to access their personal data and supplementary information.
15.1.3 To rectify - that means an individual is entitled to have personal data rectified if it is inaccurate or incomplete.
15.1.4 To erase - also known as ‘the right to be forgotten’. That means an individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
15.1.5 To restrict individual’s data – that means an individual has a right to ‘block’ or suppress processing of personal data.
15.1.6 To object to processing.
15.1.7 To withdraw consent if processing is based on consent.
16 AUDIT RIGHTS
16.1 The purpose of the audit right is to allow Supervisory Authorities to assess the data protection practices of organizations, identify any shortcomings, and take enforcement action if necessary. During an audit, the Supervisory Authorities may review records, systems, and procedures related to data processing.
Data controllers are required to cooperate with supervisory authorities during an audit, including providing access to relevant information and facilities and responding to questions and requests for information.
16.2 Information and audit rights by Supervisory Authorities only arise under Section 17.1 GDPR to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
16.3 Recann shall retain Personal Data for a period of at least 2 years for the purpose of performance of any audits.
17 PRIVACY BY DESIGN AND PRIVACY IMPACT ASSESSMENTS
Where applicable, Recann will act in accordance with the Data Protection Laws by adopting a privacy-by-design approach and implementing technical and organizational measures which demonstrate how Recann has considered and integrated data protection into processing activities. DPIAs will be used to identify the most effective method of complying with Recann’s data protection obligations and meeting individuals’ expectations of privacy.
18 RECANN AFFILIATES AND THIRD-PARTY SUBPROCESSORS
We may contract with third parties to supply some services to you on our behalf. These may include payment processing, search engine facilities, advertising, and marketing. In every circumstance, your data will be encrypted and only contractors who have been thoroughly vetted will be able to see your data. Where any of your data is required for such a purpose, We will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, obligations, and the obligations of the third party under the law. We currently contract with the following Sub-Processors:
18.1 Bullhorn CRM- https://www.bullhorn.com/privacy
18.2 CBS- https://cbsnw.uk
18.3 CDA Business Services Ltd- http://www.cdabs.co.uk
18.4 Docusign- https://origin.docusign.com/privacy
18.5 Xero- https://www.xero.com/us/legal/privacy/#:~:text=We'll%20retain%20your%20personal,sure%20it's%20deleted%20or%20anonymised.
18.6 Telleroo- https://www.telleroo.com/privacy-policy
18.7 Bankline- https://bankline.info/privacy-policy/
18.8 Broadbean- https://www.broadbean.com/privacy-policy/
18.9 Sourcebreaker- https://www.sourcebreaker.com/privacy-policy/#:~:text=If%20we%20need%20to%20use,required%20or%20permitted%20by%20law.
18.10 Lusha- https://www.lusha.com/legal/gdpr
18.11 Hunter.io- https://help.hunter.io/en/articles/1890029-gdpr-compliance
18.12 Reed- https://www.reed.co.uk/policies
18.13 CV Library- https://www.cv-library.co.uk/gdpr-statement
18.15 Monster Jobs- https://www.monster.co.uk/inside/fullpolicy/inside2.aspx
18.16 Cognism- https://www.cognism.com/b2b-data
18.17 Zoominfo- https://www.zoominfo.com/about-zoominfo/privacy-policy
18.18 Selligence- https://www.selligence.com/privacy-policy
18.20 Contactout- https://contactout.com/privacy_policy
18.21 SignalHire- https://www.signalhire.com/privacy
19 PERSONAL DATA BREACH NOTIFICATION: DATA CONTROLLER TO SUPERVISORY AUTHORITY
When the personal data breach or suspected data breach affects personal data that is being processed by the Company as a data controller, the following actions are performed by the Data Protection Officer:
19.1 Recann will establish whether the personal data breach should be reported to the Supervisory Authority.
19.2 In order to establish the risk to the rights and freedoms of the data subject affected, the Data Protection Officer will perform a Data Protection Impact Assessment on the processing activity affected by the data breach.
19.3 If the personal data breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required. However, the data breach shall be recorded in the Data Breach Register.
19.4 The Supervisory Authority shall be notified without undue delay within 72 hours if the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach. Any possible reasons for delay beyond 72 hours shall be communicated to the Supervisory Authority.
The DPO will send notifications to the Supervisory Authority that will include the following:
19.5 A description of the nature of the breach.
19.6 Categories of personal data affected.
19.7 The approximate number of data subjects affected.
19.8 Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer.
19.9 Consequences of the personal data breach.
19.10 Measures taken to address the personal data breach.
19.11 Any information relating to the data breach.
In the event of any data breach, disruptions, or unavailability of our Services (collectively “Disruptive Events”), you may notify us by contacting us at email@example.com or the contact information of the DPO as provided below, as soon as you discover a Disruptive Event. We will strive to resolve any Disruptive Events reported by you as soon as possible depending upon the nature of the Disruptive Event.
We will notify you beforehand of any scheduled maintenance or downtimes which may occur with respect to our online platform or Services by displaying information regarding the same on our Services. We may also notify you of scheduled maintenance or downtimes on your registered email addresses and other contact details we have on file.
Notwithstanding anything herein, we shall not be responsible for notifying you of unscheduled or unanticipated Disruptive Events which may occur due to no fault of ours.
21 DATA TRANSFER
21.1 Purpose of Transfer. The Controller will transfer the Personal Data of Data Subjects to its affiliate entities located outside the European Union (“Recipient”) for the purpose of providing Services to the Data Subjects and conducting its business operations.
21.2 Transfer Mechanisms. The Controller will only transfer Personal Data to the Recipient in accordance with the provisions of the General Data Protection Regulation (GDPR) and other applicable data protection laws. The Controller will implement appropriate safeguards to ensure the security and protection of the Personal Data, including but not limited to the use of EU-approved standard contractual clauses, binding corporate rules, or approved codes of conduct.
21.3 Cooperation with Supervisory Authorities. The Controller and the Recipient will cooperate with the relevant supervisory authorities in the event of any investigation or complaint regarding the transfer of Personal Data.
22.1 Each Party must keep the information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
22.1.1 Disclosure is required for the provision of the Services.
22.1.2 Disclosure is required by law.
22.1.3 The relevant information is already available in the public domain.
23 PERSONAL DATA OF MINORS
Recann only allows individuals who are 18 or older (or at least the age of majority in your jurisdiction) to use its Services and will not accept personal information from minors. Recann values protecting the privacy of minors and does not seek to collect personal data from them. Parents and guardians of minors are encouraged to supervise their children's online activities, including email usage. If you find that we have unintentionally or otherwise collected any Personal Data of minors, please contact us at firstname.lastname@example.org or the contact information of the DPO as provided below, and we shall delete such Personal Data from our servers and other locations wherever we store Personal Data within a reasonable time.
Recann shall have the right to make modifications or replace any of our policies, or suspend, change, or discontinue the Services (including, but not limited to, the availability of any featured content or database) at any time or instance by posting a notice through the Services. We may also do so by sending you a notice via email, via the Services, or by any other means of communication. We reserve the right to impose limits on certain features and services. We may, if required to do so, restrict your access to parts or all of the Services without notice or liability. We endeavour to try and provide notice of modifications to this Agreement. However, you also agree that it is also your responsibility to make reasonable efforts to be aware of such modifications.
All notices under this Agreement shall be in writing unless otherwise specified in this Agreement. Notices to Recann shall be sent by email to email@example.com. You may be required to ensure written confirmation of receipt for the notice to be effective. Notices to you shall be sent to your last known email address (or the email address of your successor, if any) and/or to any email address that would be reasonably likely to provide notice to you, and such notice shall be effective upon transmission.
26 NO WAIVER
Recann’s failure to enforce any part of this Agreement shall not constitute a waiver of our right to later enforce that or any other part of this Agreement. Waiver of compliance in any particular instance does not mean that we will waive compliance in the future.
The headers are provided only to make this agreement easier to read and understand.
28 GOVERNING LAW
The Parties agree that the validity, operation, and performance of these Terms shall be governed by and interpreted in accordance with the laws of the United Kingdom applicable therein (notwithstanding conflict of law rules). The Parties do expressly and irrevocably concede to the jurisdiction of courts located in Manchester with respect to any matter or claim, suit, action, or proceeding arising under or related to this Agreement.
If you have any queries on any aspect of our DPA, please contact our Data Protection Officer on the details below:
Address: Recann Clarence House Ground Floor Suite A, Clarence St, Manchester M2 4DW
For general enquiries: firstname.lastname@example.org
Data Protection Officer (DPO) Email: email@example.com