General Data Protection Terms

This document contains the General Data Protection Terms (hereinafter “GDPT”) concerning the service provided by any company of Assessment Systems Group (hereinafter referred to as “AS”) for its Clients (please refer to the GTC or the Agreement for the details).

Processing of Personal Data, Confidentiality

All Personal Data provided by the Client to AS in connection with the operation of the Client qualifies as strictly confidential information. AS is entitled to use the Personal Data only to perform its services based on the Agreement and AS shall not share them with a third party, except for companies from its own group, sub-processors and state or public authorities as the local laws may require. 

„Process/Processing/Processed“, „Data Controller“, „Data Processor“, „Data Subject“, „Personal Data“, „Special Categories of Personal Data“ and any further definition not included under this document shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council („GDPR“). “Data Protection Laws” means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council („GDPR“) as well as any local data protection laws. 

1. Data Processing Terms

These GDPT serve as the data processing agreement under the article 28 of the GDPR between the AS (the Processor) and the Client (the Controller).

In the course of providing the Services and/or Products to the Client pursuant to this document, AS (the Processor) may process Client’s (the Controller’s) personal data on behalf of the Client as per the terms needed to fulfil the service(s) in the Agreement.

Processing of the data consists of the processing of the Personal Data and the processing of the psychometric based data (Psychometric Data) that are not considered Personal Data as such, as they cannot be considered as an information relating to an identified or identifiable natural person (‘Data Subject’)

To the extent required by applicable Data Protection Laws, AS shall obtain and maintain all necessary licenses, authorizations and permits necessary to process personal data including personal data related to the services or products used and defined in the Agreement.

AS shall maintain all the technical and organizational measures to comply with the requirements to fulfil the services defined in the Agreement.

2. Processing of Clients Personal Data

AS shall only process Client’s Personal Data for the purposes of the Agreement, i.e. for the purposes of provision of services as defined in the Agreement. AS shall not process, transfer, modify, amend or alter the Client Personal Data or disclose or permit the disclosure of the Client personal data to any third party other than in accordance with Client’s documented instructions, unless processing is required by EU or Member State law or any other applicable legislation to which AS or client is subject to. AS, to the extent permitted by such law, informs the Client of that legal requirement before processing the Personal Data and comply with the Client’s instructions to minimize, as much as possible, the scope of the disclosure.

The Processor shall process Personal Data of Controller’s employees, potential employees or candidates, clients and business partners (hereinafter “Data Subjects”) handed over by the Controller from time to time to the Processor up to the following scope as minimum needed to fulfill the services: (i) first name, surname; (ii) date of birth; (iii) address, telephone number and e-mail address; (iv) working position; (vi) responses from questionnaires; (v) other personal data transferred or made accessible by the Controller or its employees, clients and business partners to the Processor in the framework of the fulfilment of the Agreement.

For the purposes set out in section above, the Client hereby instructs AS to transfer Client Personal Data to the recipients in the Third Countries (Authorized Transfers of Controller Personal Data), always provided that AS shall comply with section Sub-Processing.

3. Reliability and Non–Disclosure

AS shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Client personal data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Client Personal Data.

AS must ensure that all individuals which have a duty to process controller personal data:

• Are informed of the confidential nature of the Client Personal Data and are aware of AS’s obligations under the Agreement in relation to the Client Personal Data;
• Have undertaken appropriate trainings/certifications in relation to the Data Protection Laws or any other training/certifications requested by Client.
• Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
• Are subject to user authentication and logon processes when accessing the Client Personal Data in accordance with this Agreement and the applicable Data Protection Laws.

4. Personal Data Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AS shall implement appropriate technical and organizational measures (Appendix B) to ensure a level of Client Personal Data security appropriate to the risk, including but not limited to:

• Pseudonymization and encryption;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
• In assessing the appropriate level of security, the AS shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data transmitted, stored or otherwise processed.

5. Sub-Processing

As of the GTC or Agreement Effective Date, the Client hereby authorises AS to engage those Sub-processors needed to fulfil the Service defined in the Agreement (standard sub-processors are listed in Appendix A). AS shall not engage any Data Sub-processors to Process Client Personal Data other than with the prior written consent of Client, which Client may refuse with absolute discretion.

With respect to each Sub-processor, AS shall:

• Provide the Client with full details of the Processing to be undertaken by each Sub-processor upon the request.
• Carry out adequate due diligence on each Sub-processor to ensure that it can provide the level of protection for Client Personal Data, including without limitation, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the GTC or the Agreement and the applicable Data Protection Laws.
• Include terms in the contract between AS and each Sub-processor for processing of personal data which are the same as those set out for the delivery of the service(s) in the Agreement. The same data protection obligations as set out in the Agreement between the Controller and the Processor shall be imposed on the Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR or any other applicable data protection legislation. Where the Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor´s obligations.
• Insofar as that contract involves the transfer of Clients’ Personal Data outside of the EEA, incorporate from the Agreement or such other mechanism as directed by the Client into the contract between AS and each Sub-processor to ensure the adequate protection of the transferred Client Personal Data.

6. Data Subject Rights

Taking into account the nature of the Processing, AS shall assist the Clientby implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising Data Subject rights as laid down in the EU Data Protection Laws, namely the GDPR or any other applicable data protection legislation.

The AS shall notify within maximum 3 business days the Client if it receives a request from a Data Subject, the Supervisory Authority and/or other competent authority under any applicable Data Protection Laws with respect to Client Personal Data.

The AS as the Processor shall cooperate as requested by the Client as the Controller to enable the Client to comply with any exercise of rights by a Data Subject under any Data Protection Laws with respect to Client Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws with respect to Client Personal Data or the GTC or the Agreement.

7. Personal Data Breach

AS shall notify the Client without undue delay and, in any case, within seventy-two (72) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. AS will provide the Client with sufficient information to allow the Client to meet any obligations to report a Personal Data Breach under the Data Protection Laws.

The AS shall co-operate with the Client and take such reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation and remediation of each Personal Data Breach.

In the event of a Personal Data Breach, the AS shall not inform any third party without first obtaining the Client’s prior written consent, unless notification is required by EU or Member State law to which the AS is subject, in which case the AS shall, to the extent permitted by such law, inform the Client of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Client before notifying the Personal Data Breach.

8. Erasure or return of Client Personal Data

AS shall promptly and, in any event, within 30 (thirty) calendar days of the earlier of: (i) cessation of Processing of Client Personal Data by the AS as Processor; or (ii) termination of the Agreement, at the choice of Client erase or return Personal Data to the Client (such choice to be notified to AS in written form).

AS may retain Client Personal Data for longer time period to the extent required by the EU or Member State law, and only to the extent and for such period as required by the EU or Member State law or any applicable Data Protection Legislation, and always provided that AS shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the EU or Member State law requiring its storage and for no other purpose.

9. Audit rights

AS shall make available to the Controller, upon request, all information necessary to demonstrate compliance with the GTC or the Agreement and allow for, and contribute to audits, including inspections by the Client or another auditor mandated by the Client of any premises where the Processing of Client Personal Data takes place. AS shall provide full cooperation to the Client with respect to any such audit and shall, at the request of the Client, provide the Client with evidence of compliance with its obligations previously agreed in writing. AS shall immediately inform the Client if, in its opinion, an instruction pursuant to this section (Audit Rights) infringes the GDPR or other EU or Member State Data Protection Laws.

10. International Transfers of Controller Personal Data

AS shall not process Client Personal Data nor permit any Authorized Sub-processor to process the Client Personal Data in a Third Country, other than with respect to those recipients in Third Countries (if any) agreed in the Agreement (Authorized Transfers of Controller Personal Data), unless authorized in writing by Client in advance, via the Agreement’s amendment or similar document.

When requested by Client, AS shall promptly enter into (or procure that any relevant Sub-processor of Processor enters into) an agreement with Client including General Terms and Conditions in the Agreement and/or such variation as Data Protection Laws might require, in respect of any processing of Client Personal Data in a Third Country, which terms shall take precedence over those in the GTC or the Agreement.

11. Confidentiality

All information and Personal Data provided by the Client to AS in connection with the operation of the Client qualifies as confidential information and to the extent required by applicable Data Protection Laws. AS is entitled to use the Information and Client Personal Data only to perform its services based on the Agreement and AS shall not share them with third party, except for companies from its own group, Sub-processors and state or public authorities as the local laws may require.

Parties agree to treat all information that become known to them during the term of the Agreement as confidential and not at any time for any reason to disclose or permit to be disclosed to any person (except for cases mentioned in the previous paragraph above) or otherwise make use of or permit to be made use of any information, know-how, business plans or finances or any such information relating to a subsidiary, supplier, customer or client of Principal, including the Client, where the information was received during the period of this Agreement.

The Processor shall ensure that its employees and other staff processing the Client’s Personal Data are informed on their duties related to Personal Data protection, in particular, the Processor shall ensure that his/her employees and other staff processing Personal Data are bound by the obligation of confidentiality in accordance with applicable Data Protection Laws, particularly the GDPR, and informed of possible consequences in case of breach of this obligation. This obligation applies even after the processing of personal data under the Agreement has been completed.

This GDPT is governed by the laws applicable to the GTC and/or the Agreement. Any disputes arising out or in connection with this GDPT shall be brought exclusively before the competent court as agreed upon in the GTC and/or the Agreement.

Appendix A

AUTHORIZED SUB-PROCESSORS

List of Sub-processors as at the GTC  or the Agreement or the Addendum Effective Date is given in the table.

Only applicable Sub-processor, if any, is to be referred as per service provided by AS to the Client.

No.	Authorized sub- processor (full legal name)	Processing activity	Location of service centre(s).
1.	iPodnik s.r.o.	Data Center provider. Microsoft Partner Ipodnik is providing the support for our CRM system and is service desk (2L) for Microsoft cloud topics. (Details of processing activities may be available upon request)	Ipodnik s.r.o. Radlická 520/117 158 00 Praha 5 – Jinonice (poblíž Galerie Butovice) Czech Republic
2.	Premium Support Kft.	System Administration Support Premium Support is providing system administration of various platforms. They are performing internal InfoSec audits (Details of processing activities may be available upon request)	Premium Support Kft. H-8097 Nadap, Vörösmarty utca 11. Hungary
3.	SWEHQ s.r.o.	Software Development SWEHQ is providing service of software development and optimization. (Details of processing activities may be available upon request)	SWEHQ s.r.o. Štefánikova 248 150 00 Prague 5 Czech Republic
4.	Naucrates s.r.o.	360° Online questionnaire, testing and reports platform – Naucrates is providing software development of the 360 system (Details of processing activities may be available upon request)	Naucrates s.r.o. Hanusova 347/16, Michle (Praha 4), 140 00 Praha Czech Republic
5.	BeCorp Group s.r.o.	xRT Online Questionaires, testing and reports BeCorp Group is providing software development of the xRT system (Details of processing activities may be available upon request)	BeCorp Group s.r.o. Sokolovská 80b, Plzeň, Post Code 323 00 Czech Republic
6.	Hogan Assessments	HOGAN Online psychometric assessments and reports platform Hogan is providing personaluity assessments, based on their patented methodology. (Details of processing activities may be available upon request)	Hogan Assessments 11 S. Greenwood Tulsa, OK 74120 USA
7.	Microsoft Corporation	Cloud and Application Provider Microsoft Corp is used as a main cloud provider with SaaS (e.g. Azure, MS 365 Suite etc.) Only locations in EU are used. (Details of processing activities may be available upon request)	Microsoft Corporation One Microsoft Way Redmond, Washington,  U.S.

Appendix B

AS TECHNICAL AND ORGANISATIONAL MEASURES

1. Organizational security measures

1.1 Security Management

1. Security policy and procedures – AS’s General Personal Data Protection Policy governs the use and storage of your personal data for all the employees, permanent or temporary, and all contractors working on behalf of the AS.
2. Roles and responsibilities：
   1. Roles and responsibilities related to the processing of personal data is clearly defined and allocated in accordance with the security policy.
   1. During internal re-organizations or terminations and change of employment, revocation of rights and responsibilities with respective hand-over procedures is clearly defined.
3. Access Control Policy: Specific access control rights are allocated to each role involved in the processing of personal data, following the need-to-know principle.
4. Resource/asset management: AS has a register of the IT resources used for the processing of personal data (hardware, software, and network). A specific person is assigned the task of maintaining and updating the register (e.g., DPO or IT Director).
5. Change management: Processor makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. DPO or IT Director). Regular monitoring of this process takes place.

1.2 Incident response and business continuity

1. Incidents handling / Personal data breaches:
   1. An incident response plan with detailed procedures is defined to ensure effective and orderly response to incidents pertaining personal data.
   1. AS will report without undue delay to Client any security incident that has resulted in a loss, misuse or unauthorized acquisition of any personal data.
2. Business continuity: AS establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).

1.3 Human resources

1. Confidentiality of personnel: AS ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
2. Training: AS ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.

2. Technical security measures

2.1 Access control and authentication

1. An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts.
2. The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
3. When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to personal data only to those who require it for achieving the AS’s processing purposes.
4. Where authentication mechanisms are based on passwords, AS requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
5. The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
   1. Logging and monitoring

Log files are activated for each system/application used for the processing of personal data. They include all types of access to data (view, modification, deletion) without the personal dta itself.

• Security of data at rest
• Server/Database security
  • Database and applications servers are configured to run using a separate account, with minimum OS privileges to function correctly.
  • Database and applications servers only process the personal data that are actually needed to process in order to achieve its processing purposes.
• Workstation security:
  • Users are not able to deactivate or bypass security settings.
  • Anti-virus applications and detection signatures is configured on a regular basis.
  • Users don’t have privileges to install or deactivate unauthorized software applications.
  • The system has session time-outs when the user has not been active for a certain time period.
  • Critical security updates released by the operating system developer is installed regularly.
  • Network/Communication security:
• Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
• Traffic to and from the IT system is monitored and controlled through Firewalls and Intrusion Detection Systems.
  • Back-ups:
• Backup and data restore procedures are defined, documented and clearly linked to roles and responsibilities.
• Backups are given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
• Execution of backups is monitored to ensure completeness.
  • Mobile/Portable devices:
• Mobile and portable device management procedures are defined and documented establishing clear rules for their proper use.
• Mobile devices that are allowed to access the information system is pre-registered and pre-authorized.
  • Application lifecycle security:

During the development lifecycle, best practice, state of the art and well acknowledged secure development practices or standards is followed.

• Data deletion/disposal:
• Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CD’s, DVD’s, etc.) physical destruction will be performed.
• Shredding of paper and portable media used to store personal data is carried out on “as needed” basis.
  • Physical security:

The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures (e.g. Intrusion detection system, chip-card operated turnstile, single-person security entry system, locking system) or organizational measures (e.g., security guard) shall be set in place to protect security areas and their access points against entry by unauthorized persons.