Personal Data Processing Agreement Europe

Luca Fankhauser 17, Mar 2022 12 min

Personal Data Processing Agreement Europe

General conditions of the Agreement on personal data processing performed by

Lionstep AG
Dufourstrasse 101
CH-8008 Zurich

the Processor [hereinafter also referred to as “Supplier”]

on behalf of the natural or legal person having closed with the Processor a contract regulated by Lionstep’s General Terms and Conditions

the Controller [hereinafter referred to as “Client”,
jointly as “Parties”]


Through proprietary application, the Supplier provides headhunting and recruiting services, along with a set of tools enabling a more efficient management of recruiting processes. The Parties have closed a contract (hereinafter referred to as “Contract”) regarding the provision of such services to the Client. Such contract, which is attached to this Agreement, constitutes the basis for the processing of personal data according to the provisions of this Agreement.

1. Subject matter and duration of the Agreement

1.1. The subject matter of this Agreement results from the Contract closed by the Parties. In particular, pursuant to such Contract the Client mandates the Supplier to process and save personal data provided by the Client for all purposes specified in the Contract.

1.2. The duration of this Agreement and of the activities performed hereunder corresponds to the duration of the Contract.

2. Specification of the intended processing of data

2.1 The subject matter of the intended data processing is defined in detail as follows:

a.) Extent and Nature of processing

The intended data processing shall take place mainly in Switzerland at Processor’s seat. The adequate level of protection in Switzerland has been decided by the European Commission’s Decision 2000/518/EC. Other data processing may take place in Member States of the European Union and the European Free Trade Association. No transfer of data to other states than those mentioned shall take place without the Client’s prior consent and shall only occur according to the specific Conditions of Article 44 and ff. of the GDPR.

Data provided by the Client shall be processed in order to allow Clients to manage recruitment processes efficiently, compare candidates, communicate with them, perform video interviews of candidates. Such personal data shall not be transferred and sold to or shared with third parties without the data subject’s and the Client’s prior consent.

b.) Type of data processed

The types of data to be processed under this Agreement include: key personal data, contact data, information about current and past employments or activities performed, personal skills and competences, educational background, language skills. In case video interviews are performed according to the Contract, the full image, voice sound and behavioural characteristics of depicted data subjects are processed

c.) Categories of data subjects

Personal data processed under this Agreement shall refer to candidates for specific job positions and people generally looking for an employment, whereby the Client shall act as potential employer or independent recruiter. Furthermore, data of persons actively managing the recruitment process or other activities performed with recourse to the Supplier’s services, e.g. the independent recruiter’s own personal data, may be processed.

3. Technical and Organisational Measures

3.1. The Supplier shall adopt all measures required pursuant to Article 28 Paragraph 3 Sentence 2 Point c and Art. 32 of the GDPR to ensure security of processing and present, upon request, such documented measures to the Client for inspection.

3.2. The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.

3.3. The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced.

4. Rectification, restriction and erasure of data

4.1. The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a data subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.

4.2 If expressly agreed with the Client, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.

5. Data Protection Officer, Representative in the Union and other duties of the Supplier

5.1. In compliance with the provisions of this Agreement and with applicable statutory law, the Supplier has appointed a Data Protection Officer who can be contacted at

5.2. Furthermore, as the Supplier is established outside of the EU and EEA, the following Representative according to Art. 27 GDPR is designated: Lionstep Deutschland GmbH, Bleichstraße 2-6, 60313 Frankfurt am Main (Germany).

5.3 The Supplier shall entrust only such employees or collaborators with the data processing outlined in this Agreement, who are subject to a confidentiality and non-disclosure obligation and have been informed about the data protection provisions relevant to their work. The Supplier and all persons acting under its authority shall only process personal data according to the provisions of this Agreement or if required to do so by law.

5.4. The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.

5.5. The Client shall be informed of any inspections and measures conducted by the data protection supervisory authority, insofar as they relate to the subject matter of this Agreement. This also applies in case the Supplier should be subjected to investigation or should be party to an investigation by a competent authority in connection with infringements to any civil, criminal or administrative provision regarding the processing of personal data described in this Agreement.

5.6. The Supplier will periodically monitor and assess internal processes as well as the technical and organisational measures referred to at sec. 3 of this Agreement to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and consistent with the progress of technology.

6. Subcontracting

6.1. Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service.

6.2. The Client acknowledges and accepts that the Supplier will outsource part of the processing of personal data relevant to this Agreement in compliance with the provisions of Art. 28 GDPR to the subcontractors mentioned in the list attached to this Agreement (“Subcontractors’ list”).

6.3. The Supplier may commission further subcontractors (additional contract processors) or change the current subcontractors if the following conditions are met:

  • The Supplier informs the Client about such outsourcing in text form with appropriate advance notice; and
  • The Client has not objected to the planned outsourcing in writing or in text form within the deadline set by the Supplier in the afore-mentioned communication and in any case before handing over the interested data to the Supplier; and
  • The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.

6.4. If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures.

6.5. Further outsourcing by the subcontractor requires the express consent of the Supplier. All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

7. Supervision through Client

7.1. According to Art. 28 Paragraph 3 Point h the Supplier shall make available to the Client information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, upon the Client’s request.

7.2. In these regards, the Supplier shall immediately inform the Client if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

7.3 Evidence of such general measures, which concern not only this specific Agreement, may be provided by any suitable and recognised method, including

  • compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
  • certification according to an approved certification procedure in accordance with Article 42 GDPR;
  • current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor)
  • a suitable certification by IT security or data protection auditing

7.4 The Client shall bear all costs connected with the performance of the activities described at sec. 7.1. In addition, the Supplier reserves the right to charge a service fee.

8. Support to the Client in case of infringements

8.1. According to Art. 28 Paragraph 8 Point f the Supplier shall support the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR.

8.2. The Supplier may charge a service fee for such support services as long as they’re not required due to its own failures.

9. Client’s instructions

9.1. In case the performance of any activity under this Agreement and/or the Contract should require instructions from the Client, the Client shall deliver them in writing and immediately confirm oral instructions.

9.2. The Supplier shall inform the Client immediately if he considers that an instruction violates Data Protection Regulations. The Supplier shall suspend the execution of the relevant instructions until the Client confirms or changes them.

10. Deletion and return of personal data

10.1. Unless otherwise specified in this Agreement or in the Contract, no copies of personal data provided by the Client shall be created, with the exception of back-up and/or technical copies and such copies required to meet regulatory requirements to retain data.

10.2. After termination of the Contract and subsequent termination of this Agreement as of sec. 1.2, or earlier upon request by the Client, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilisation results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner.

10.3. Documentation which is used to demonstrate that data processing has taken place in accordance with the Agreement, the Contract or applicable law shall be stored after termination of the Contract by the Supplier in accordance with the respective retention periods. The Supplier may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.

Appendix – Technical and Organisational Measures

1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)

  • Electronic Access Control

No unauthorised use of the Data Processing and Data Storage Systems, e.g.: secure passwords, automatic blocking/locking mechanisms, encryption of data carriers/storage media

  • Internal Access Control (permissions for user rights of access to and amendment of data)

No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events

  • Isolation Control

The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing;

  • Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.

2. Integrity (Article 32 Paragraph 1 Point b GDPR)

  • All data is store on Servers within the EU. Internal VPN Network is in place.
  • Data Entry Control

Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management

3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)

  • Availability Control

Prevention of accidental or wilful destruction or loss, e.g.: Daily backups on Google Cloud), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning

  • Rapid Recovery (Article 32 Paragraph 1 Point c GDPR) (Article 32 Paragraph 1 Point c GDPR);

4. Procedures for periodical testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

  • Data Protection Management;
    Procedure for reacting to Data Subject Request
  • Incident Response Management;
  • No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Agreement Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.

Sub-Processors’s list:

  • Google Cloud: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America
  • Salesforce: SFDC Ireland Limited, 3rd and 4th Floor, 1 Central Park Block G, Central Park, Leopardstown, 18 Dublin, Ireland
  • Salesloft: Salesloft Inc, 1180 West Peachtree St NW, STE 600, Atlanta, GA 30309, United States of America
  • Autopilot: AutopilotHQ Inc, 40 2nd Street 5th Floor San Francisco, CA 94105, United States of America
  • Twilio: Twilio Inc, 375 Beale St, San Francisco, CA 94105, United States of America