Cinode Terms and Conditions
1. THE SERVICES
Cinode is a set of services for sales, delivery, talent management, recruitment, and partner and subcontractor management. Cinode offers You a set of services to manage skills, experience, and availability, accessible via a Cinode Account. Your personal data associated with your account is collected in your Cinode Account along with the data stored in your Profile. By logging in, you can always access the data in your Profile. Personal data can be managed in 'My Settings'. If You with your Cinode Account represents an Organization that has signed up for a Company Account (Companies that have signed up for a subscription for Cinode's services) you need legal and formal rights to represent your Company Account when using Cinode's services. By using a Company Account with Cinode, you approve Cinode's Terms of Service.
2. USER CONTENT
You, the account owner, are responsible for all content, both text and graphics that you create or transfer to the Cinode services. By using the Cinode Services you agree to only use the Cinode Services in a lawful and correct manner that is also in accordance with our terms and policies. You agree not to use the Cinode Services in any way that aims to interfere with or interrupt the Cinode services. You are responsible for following local laws and regulations regarding the use of the Cinode services and content management and creation. Cinode reserves the right to refuse to approve, post, show, or transfer content that violates Cinode's terms and policies. You agree that Cinode can use the data in the Cinode services to create statistics and analysis of the use of the Cinode services. Access to the Cinode Services requires the correct submission of personal data and contact details, including a password as part of the registration process. You are responsible for your account details and for making sure that they are not shared with unauthorized people. If you suspect that this has happened you must notify Cinode. Cinode is under no circumstances liable to compensate you for any loss or damage caused by the fact that you did not protect your account details.
3. YOUR CINODE ACCOUNT
By using the Cinode services, you agree that an account will be created for you and that Cinode stores and has access to the data that is stored in the Cinode Services. You understand and agree that other account owners within your organization may be able to read and edit data associated with your Cinode Account. Administrators of the Company Account, under which your Cinode Account is created, may have the right to control what data and features you can access in the Cinode services.
4. INTELLECTUAL PROPERTY RIGHTS
You acknowledge that the Cinode services are protected by applicable Swedish intellectual property rights laws and that you are not entitled to change, rent, lend, or in any other way create an adaptation of the Cinode services. By having a Cinode Account, Cinode grants you a personal and non-transferable right to use the Cinode services for the purpose expressed in Cinode's marketing communication. As an account owner, you are responsible for protecting the intellectual property rights associated with the data you create. All intellectual property rights, such as texts, images, and symbols, belong to Cinode and may not be used without Cinode's written consent.
4. PRIVACY AND DATA PROTECTION
Cinode is not responsible for accidental deletion of any data you have access to via the Cinode services.
The Cinode services may contain links to other websites or resources on the Internet as well as attachments. You agree that Cinode cannot check and control all these resources and you agree that Cinode cannot be held responsible for this content or the damage or loss that can be caused by these external resources.
7. ADDRESSES & PLACES
1.THE PERSONAL DATA CINODE COLLECTS AND USES
Your personal data is used to identify you and to collect and present your skills, experience, merits and availability. As a user of Cinode’s services, you agree that a personal account is created (a Cinode Account). A Profile is included in your Cinode Account where your skills and experience are gathered. Your personal contact details and the personal data you and other authorized users in your organization are collected and managed in your Cinode Account. You also understand and agree that authorized Users connected to the same Organization (“Company Account”) can manage your personal data in your Cinode Account. You also understand and agree that other authorized Users can manage your personal data via other features used via the Cinode Services that are activated in the Company Account, to which your Cinode Account is or has been connected.
2.THE PERSONAL DATA WE PROCESS
When a Cinode Account is created, you are asked to register the personal data and information about you that is necessary for you and other account owners of the same Company Account to be able to use features offered in the Cinode services. Registered information can be managed in “My Settings” or in “Profile”. In addition to the above, personal data can be used for these purposes:
- To present your skills for specific consultant profiles
- To manage you as an Employee
- To manage you as a Subcontractor, Candidate, or as a Partner Consultant
3.THE PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
The purpose of processing the personal data Cinode collects is to offer you services associated with your Cinode Account, and to fulfill the agreement that is made when organizations order any service from Cinode via their Company Account. Cinode’s service offering is presented at www.cinode.com.
4.HOW WE USE YOUR PERSONAL DATA
Your details are used to manage and present you as an Employee, Subcontractor or Candidate for Recruitment, including your skills and your availability. Your data is also used in an aggregated format to analyze and present the company your Cinode Account is created under. Furthermore, your information is available for matching towards various search features. We also use information that is created, uploaded, or generated in the Cinode services to develop and improve Cinode’s offering. Occasionally, we also inform customers about new features and services, or that our terms and conditions have changed or that new terms and conditions have been created.
5.SCOPE AND TIME PERIOD
Personal data based on details in your Cinode Account remains until the Organization under which your account belongs deletes the data according to that Organization’s retention policy.
6.RECIPIENTS OF REGISTERED PERSONAL DATA
Depending on the use of Cinode in the Organization to which your Cinode Account is connected, the following categories of recipients can access your personal data: Other Account owners in your Organization can access presented information, for example via the Organization feature. Information in your Profile is also available in search and matching functionalities. You are also included in aggregation, such as skills inventories and age and gender distribution. Your availability is used and calculated in features for utilization planning and resource management. The skills you have entered into your Profile are used when other users in your Organization match assignment requirements. As a recruitment candidate, users can access your personal account details, such as your name, address, and your Profile. In addition, it is possible to register personal details for the purpose of recruitment. When an Organization enables the Talent Partner module, your personal data can be made available to other Organizations using Cinode in order to offer resources to other Organizations with a Company Account activated in Cinode.
7.COOKIES AND OTHER TECHNOLOGY
Cinode’s Services use “cookies”. This enables us to make it easier to use Cinode Services, and it helps us understand how Cinode users use features and services. We process information from cookies and other technology as impersonal data. We also collect data that is stored in our log files. This data can include IP addresses, web browser, language, where the user is from and what time it was when the user accessed our services. Filter choices for your current web browser session are stored in Session Storage in your web browser. We also occasionally send information via e-mail that may include links to our websites. Clicking such a link can provide us with information about your interests or your opinion about our services.
Cinode can share personal data with companies performing services such as customer service and support, and measuring of usage and customer satisfaction. These companies are obligated to protect your data.
Authorized Users within the same Company Account may read and edit the data you have registered, for example your personal details, your skills, your experience, and your availability.
Cinode reserves the right to disclose information to authorities and the Controller of Personal Data when Cinode considers it necessary.
11. HOW CINODE PROTECTS YOUR PERSONAL DATA
Cinode has a variety of security measures in place – administrative, technological, and physical – to protect your personal data from spreading to reaching unauthorized people. Cinode’s Services use SSL (Secure Sockets Layer) encryption on all web pages where personal data are collected. When you use Cinode’s online services, you have to use an SSL compatible web browser, for example Safari, Chrome, Firefox, or Internet Explorer. This protects your personal data when they are sent via the Internet.
12. INTEGRITY AND STORAGE OF YOUR PERSONAL DATA
Cinode strives to make it easy for you and your Organization to keep your personal data updated, complete, and accurate. As a user you approve that Cinode, on behalf of the Organization your Cinode Account belongs, stores your personal data in accordance with the retention policy of the Organization.
13. ACCESS TO PERSONAL DATA
You can verify that your account is correct, complete, and updated by logging into your account via https://app.cinode.com. For other personal data, we make reasonable efforts to enable you to verify those too. Cinode reserves the right to deny processing requests when the effort is deemed unreasonable in relation to the request, when users have managed their data in a negligible manner, when the request can put other users’ integrity at risk, or when requests risk breaking applicable laws or regulations.
14. DELETION AND CORRECTIONS
As a Cinode Account owner, you always have the right to request deletion or correction of erroneous data associated with your account. Cinode will make sure that your account and your associated profiles will be deleted and corrected within 30 days of notice from the authorized contact person in your Organization. You also have the right to request correction of data that is erroneous and that you can’t verify yourself via the Cinode services.
Terms of Service
1.1 “Terms and Conditions” refers to these terms and conditions for providing the Services.
1.2 “Confidential Information” refers to what is outlined in paragraph 16 below.
1.3 “Company Account” is an account registered at Cinode by a company.
1.4 “The Customer” refers to a legal entity with an activated Company Account at Cinode.
1.5 “Cinode Account” refers to an individually registered User account, including User Details, a Profile and other associated features, such as a Resume.
1.6 “Profile” refers to details associated with a Cinode Account, stored in the Profile.
1.7 ”Customer Data” refers to data entered by the Customer into the Services that are stored in the Supplier’s software systems.
1.8 “The Supplier” refers to Cinode AB, org.nr 556825-8668.
1.9 “The Services” refers to the cloud services that are made available for the Customer by the Supplier using a public electronic network.
1.10 “The Web Service” refers to app.cinode.com
1.11 “Service Levels” refers to service levels agreed between both parties in regard to the Supplier providing Services to the Customer.
1.12 “Start Date” refers to the day when delivery of Services shall be initiated in accordance to what has been agreed upon. On the Start Date, the Supplier shall send login details or other activation instructions for Services to the Customer.
1.13 “The Data Controller” is defined according to GDPR article 4.
1.14 “The Data Processor” is defined according to GDPR article 4.
2 ACCEPTANCE OF TERMS
2.1 The Supplier provides the Customer with services through their website, http://app.cinode.com, according to these Terms and Conditions. If you enter into agreement in accordance with these Terms and Conditions as a Company or another form of legal entity, you certify that you have the legal and formal right to enter into agreement in the name of this legal entity.
2.2 If you are not entitled according to paragraph 2.1 or if you don’t agree to the Terms and Conditions, you are not entitled to use the Services.
2.3 The Supplier reserves the right to periodically update these Terms and Conditions.
3 DESCRIPTION OF SERVICES
3.1 The Services consist of (a) access to the Web Service, (b) Cinode’s software modules, which are provided via the Web Service, (c) configuration, settings, and support services, and (d) all software, data, text, images, audio, and video that is made available by using the Web Service. All new or changed features made available via the Services are included in these Terms and Conditions.
4.1 The Services include the number of accounts or other usage specified in the agreement.
4.2 The Services are delivered and produced by the Supplier, via the Supplier’s system. Work on Customer location is included in the Services if a separate Agreement has been entered into between both parties.
5 THE RESPONSIBILITIES OF THE SUPPLIER
5.1 The Supplier undertakes to deliver the Services in accordance with the terms in the agreement, during the term of the agreement.
5.2 The Supplier processes Customer data as a Data Processor in accordance with GDPR article 28 and may only process personal data in accordance with the Data Processing Agreement.
5.3 The Supplier shall at its own expense update and upgrade the included software in the Services to the extent that the Supplier considers necessary for the performance of the Services.
5.4 The Supplier is entitled to hire subcontractors to fulfill the Supplier’s commitments. The Supplier is responsible for the services performed by subcontractors as if they were delivered by the Supplier. For processing of personal data, the Supplier shall obtain a separate permission or a written general permission from the Controller of Personal Data. The customer acknowledges the list of pre-approved subcontractors according to Data Processing Agreement.
6 THE RESPONSIBILITIES OF THE CUSTOMER
6.1 The Customer undertakes to: (i) have access to the software and equipment that has been designated by the Supplier in writing; (ii) have access when needed to the working communication services that has been designated by the Supplier in writing; (iii) take any actions that are the responsibility of the Customer; (iv) ensure that the data that is submitted to the Supplier’s system is in an agreed upon format and is not infected by viruses or anything else that could harm or influence the Supplier’s systems or Services negatively; (v) immediately submit information or documentation relating to the Services if requested by the Supplier; (vi) follow instructions given by the Supplier relating the use of the Services; and (vii) assist the Supplier to a reasonable extent and take reasonable actions to enable the Supplier to deliver Services according to the agreement.
6.2 Login information and other instructions provided to the Customer from the Supplier in accordance to paragraph 6.6 below shall be managed by the Customer with secrecy in accordance to paragraph 15 below. The Supplier is responsible for only providing login information and other instructions to authorized Users. The Customer undertakes to immediately notify the Supplier if the employment for an employee who has authorization to administer company information has ended, or if someone else has or is feared to have been granted unauthorized access to login information or other instructions. The Customer is responsible for their Users’ usage of the Services.
6.3 The Customer agrees that the Services may only be used for legal purposes and the Customer undertakes to keep the Supplier indemnified from all third party claims directed against the Supplier as a result of the Customer’s use of the Services that are in violation of this provision, including but not limited to claims for infringement of third party intellectual property rights.
6.4 The Customer is responsible for Personal Data processed in the Services where the Customer is the Controller of Personal Data following current regulations for protection of Personal Data.
6.5 The Customer is responsible for the content created and managed by the Users that are associated with the Customer.
6.6 The Supplier shall provide the Customer with the Services from the start date by providing the Customer with login information and other instructions. The start date occurs when the Supplier or the Customer has created a Company Account in the Services with the associated login information and other instructions for accessing the Services.
7 CHANGES AND ADDITIONS
7.1 The Supplier may perform continuous changes and additions to the Services. The Supplier shall notify the Customer in regard to significant changes or additions affecting the use of the Services to a large extent.
8 PRICES AND TERMS OF PAYMENT
8.1 The Customer shall pay a fee according to the official price list or quotation.
8.2 Terms of payment are 30 days from the invoice date.
8.3 Fees are stated excluding VAT, taxes, and other charges.
8.4 The Supplier is entitled to revise the default price list and shall in such cases notify the Customer about those changes.
8.5 If the Customer hasn’t paid for the Services in time, the Supplier is entitled to cancel the delivery of the Services until it has been paid in full.
8.6 If, during the term of the agreement, there are law changes, governmental decisions, decisions in regard to changing or imposing taxes or public fees, or if the application of laws and regulations are changed and influence the delivery costs of the Services, the Supplier is entitled to adjust the fee for the Services to cover increased operating costs.
8.7 If the Supplier is charged with additional work or costs due to circumstances for which the Customer is responsible, the Supplier is entitled to charge such costs as per the Supplier’s applicable price list.
9 SERVICE AND MAINTENANCE
9.1 The Customer is aware that the Services occasionally can be made unavailable due to planned and/or unplanned maintenance.
9.2 The Supplier shall notify the Customer in reasonable time before planned maintenance of Services in accordance with current service hours according to 11.1.
9.3 The Supplier shall take reasonable actions to minimize the time for maintenance of the Services.
10 SUPPORT & TROUBLESHOOTING
10.1 The Supplier shall provide users with support. The FAQ shall be maintained continuously and be available for users. If answers are not found in the FAQ, the Supplier shall provide users with Customer support via email@example.com. Cinode shall provide the Customer with advice and assistance in regards to the functionality of the Service.
10.2 After an error report, the Supplier shall rectify errors that hinder functionality of the services during regular working hours, unless otherwise agreed upon between the Parties. Troubleshooting includes, if applicable, directions for circumventing the error.
10.3 The Supplier shall initiate troubleshooting according the service level specified below. The hours in the table below should be calculated within regular working hours.
Classification of ErrorDescriptionInitiating TroubleshootingError Class 1Errors that hinder functionality in the Service, making it impossible for the Customer to use the Service.Within 1 hourError Class 2Errors that significantly hinder functionality in the Service for the majority of the Customer’s use of the Service.Within 3 hoursError Class 3Errors that hinder functionality in the Service for some of the Customer’s users, or errors that cannot be classified as Error Class 1, 2, or 4.Within 8 hoursError Class 4Errors that hinder functionality in the Service to a lesser extent for the Customer/aesthetic errors.Managed after decision by the Supplier within the scope of planned version management.
10.4 If the Customer reports an error and it is found that the problem is not attributable to errors in the Service, Cinode is entitled to charge a fee for time spent on the report as per the Supplier’s regular prices. See Other Services.
10.5 In order to fulfill its obligations under this Agreement, Cinode is entitled to make changes to the Service to the extent Cinode deem necessary.
11 SERVICE LEVELS
11.1 Services shall be available 99 % of the time Monday – Friday 08:00 – 18:00 outside of holidays. The period is measured by calendar month.
11.2 If the parties have no separate agreement regarding Service Level fees, the Customer is entitled to a reasonable reduction in fees in regard to the Services during the period to which the reduced Service Level applies.
11.3 Any compensation claims due to service levels not being met may not exceed thirty (30) % of the monthly fee for the Services unless otherwise agreed upon.
11.4 The Supplier’s obligations under paragraph 5 only apply when the Customer has fulfilled all the obligations stated in paragraph 6 above.
11.5 Furthermore, the Supplier is not responsible for non-fulfillment of agreed upon claims if the failure is caused by: (i) the Customer or a circumstance that the Customer is responsible for; (ii) downtime in communication services; (iii) planned downtime of Services due to maintenance of Services and/or of the Supplier’s systems; or (iv) circumstances that the Supplier could not reasonably avoid, including but not limited to, force majeure according to paragraph 16 below, and viruses or other harmful attacks.
11.6 The Supplier’s responsibilities according to paragraph 5 apply when: (i) the Supplier is made aware of the defect in the Services by the Customer within thirty (30) days from the discovery of the defect, or from when the Customer should have discovered the defect; and (ii) the Customer provides the Supplier with information that is necessary to analyze the defect.
11.7 This paragraph (11) represents the sole responsibility of the Supplier in terms of defects and delays of Services.
12 INTELLECTUAL PROPERTY RIGHTS
12.1 The Supplier and/or the Supplier’s licensor owns all rights, including intellectual property rights, of Services and related software, including but not limited to, patents, copyright, trademark protection, and trademarks. Nothing in the design of the Service or in the correspondence between the Customer and the Supplier shall be construed as the above-mentioned rights, or part of the rights, being transferred to the Customer.
12.2 The Supplier undertakes to indemnify the Customer in respect to third party claims based on the Customer’s use of the Services, or part of the Services, in Sweden and in other countries agreed upon in writing, being in violation of those third parties’ intellectual property rights. The Supplier’s responsibility according to paragraph 5 does however require that the Customer has used the Services in accordance with all terms and conditions.
12.3 The Supplier’s responsibilities according to this paragraph (12) only apply on condition that: (i) the Customer promptly notifies the Supplier regarding claims directed towards the Customer; (ii) the Supplier is given the exclusive right to decide how the process is conducted; and (iii) the Customer complies with the Supplier’s instructions and provides the Supplier with reasonable assistance requested by the Supplier.
12.4 In the event that infringement of third party intellectual property rights has occurred, the Supplier shall, at its own discretion: (i) assure the Customer continued right to use the Services; (ii) change the Services to remove any infringement; (iii) replace the Services, or parts of the Services, with other equivalent services that cannot be considered to be an infringement; or (iv) terminate the Services and after deduction, to the Customer’s reasonable benefit, reimburse the Customer’s paid fee for the Services without interest.
12.5 This paragraph (12) constitutes the sole responsibility the Supplier has towards the Customer in terms of infringement of third party intellectual property rights.
13 CUSTOMER’S DATA
13.1 The Customer holds all rights to the Customer’s Data and the Supplier receives no rights to the Customer’s Data.
13.2 The Supplier is entitled to use information about the use of the Service for business development purposes or for example, but not limited to, providing benchmarking information or other value adding features that can be included in the Service. However, the Supplier is bound to only show aggregated, unidentifiable information that can’t be attributed to an individual Customer or individual User. The Customer is entitled to not include their data in such value adding features, but will then not be able to use such functions.
13.3 Unless otherwise agreed, the Supplier is entitled to compensation for the work required to transfer data to the Customer in accordance with the Supplier’s current price list for corresponding services.
14 RESPONSIBILITY, LIMITATION OF LIABILITY
14.1 With the limitations stated below, the Supplier is liable for harm that the Supplier has inflicted on the Customer by negligence in the performance of the services.
14.2 In no event shall the Supplier be liable for the Customer’s loss of profits, revenue, savings or goodwill, losses due to outage, losses of data, any liability the Customer has in regards to third parties, or indirect damage or consequential damage of any kind.
14.3 The total liability of the Supplier regarding one or more events (whether or not they are related) shall in no case exceed the monthly fee for the services.
14.4 This paragraph (14) is not applicable in relation to the Supplier’s liability for infringement of intellectual property rights according to paragraph 12.
14.5 The Customer shall, in order to not lose their rights, make claims for damages within three (3) months after the Customer noticed or should have noticed the cause for the claim, and no later than six (6) months after the damage occurred.
14.6 The Customer is responsible for all Users using the Services under the trademark of the Customer.
14.7 The Supplier is not responsible for information published by third parties.
15 RIGHTS CLEARANCE
15.1 The party providing material is responsible for obtaining the required rights from the correct rights holder.
16.1 Both parties undertake to not disclose to third parties, without the consent of the other party, information about the other party’s business that could be considered business or professional secrets, or by law be subject to confidentiality (“Confidential Information”). Information that one party has labeled confidential shall always be considered as Confidential Information.
16.2 Parties shall be responsible for the compliance of their respective employees and consultants with the provisions set forth herein and shall by accepting this privacy agreement or other appropriate measures ensure confidentiality compliance.
16.3 The party’s confidentiality obligation according to this paragraph (16) does not apply if such confidential information: (i) is already known by the receiving party; (ii) is or has become public knowledge without violating the confidentiality of the receiving party; (iii) has been obtained in a proper way by the receiving party from a third party that is not bound by confidentiality vis-à-vis the issuing party; or (iv) if it is incumbent on the receiving party to make information public through court orders, government decisions, or if it is in any other way required by law.
16.4 The party’s confidentiality obligation according to the agreement is valid during the term of the agreement and also for a period of three (3) years after the agreement has expired.
16.5 The Supplier shall ensure that people who are authorized to process personal data have agreed to comply with confidentiality.
17 FORCE MAJEURE
17.1 If compliance with any party’s obligation is prevented or obstructed by circumstances beyond the control of each party, such as lawsuits, labor conflicts, mobilization or great military action, government decisions, restrictions on power, goods, and energy or defects or delays in delivery from subcontractors due to circumstances set forth herein, this shall constitute an exemption which implies delays and exemption from penalties, provided that the party that cannot fulfill their obligations immediately have informed the other party about the situation. If the fulfillment of the agreement is delayed more than six (6) months, the other party is entitled to terminate the agreement.
18 TERM OF AGREEMENT
18.1 The agreement will commence when the agreement is accepted. It is valid until further notice.
19.1 The Customer is entitled to terminate the Services with a notice period of 30 days.
19.2 Both parties are entitled to immediately terminate the contract by giving written notice: (i) if the other party substantially violates their responsibilities under the agreement and do not make correction within thirty (30) days after a written request; or (ii) if the other party is put into bankruptcy, enters into liquidation, initiates business reconstruction, resigns their payments or in any other way can be considered insolvent.
19.3 The Customer is upon termination according to the above not entitled to recover any excess of advances paid or any other expenses relating to time after the termination of the agreement.
20.1 In the case of decommissioning of the Service, the Supplier shall to a reasonable extent for compensation assist the Customer in transferring the Customer’s Data to the Customer or to a third party designated by the Customer in a way that creates as little impact as possible for the Customer.
20.2 The Supplier shall upon the Customer’s request delete or return the Customer’s data after the Services have been terminated.
20.3 The Supplier shall be entitled to compensation for the work performed according to this paragraph (20) in accordance with the Supplier’s current price list for corresponding services.
21.1 Termination or other notices shall be sent by courier, registered letter, or electronic messaging to relevant parties.
21.2 The notice shall be considered received by the recipient: (i) if submitted by courier: upon delivery; (ii) if sent by registered letter: two (2) days after handing it over to the postal service; or (iii) if sent as electronic notice: when the electronic message has been delivered to the recipient’s electronic address.
22.1 Disputes concerning interpretation and/or application of the agreement shall be settled in accordance with Swedish law, except for compulsory international private law.
22.2 Disputes shall be settled by a public court where the Supplier has its registered office.
Data Processing Agreement
1. INTRODUCTION AND OBJECTIVE
1.1. This Processor Agreement and Appendices 1 and 2 jointly constitute the “Processor Agreement” or “Data Processor Agreement”. Between the Customer and the Supplier there is an agreement (the "Service Agreement") regarding the services that the Supplier shall provide to the Customer, and this Data Processor Agreement governs the processing of Personal Data in connection with the Service Agreement. The Service Agreement states that the Supplier shall process Personal Data on behalf of the Client, and what the Supplier is responsible for performing.
1.2. Unless stipulated otherwise, the provisions of the Data Processor Agreement shall take precedence over the provisions of the Service Agreement.
1.3. This Agreement is intended to comply with the Data Protection Laws’ rules that there shall be a written agreement on the Processor's Processing of Personal Data on behalf of the Controller. This Data Processor Agreement also governs the technical and organisational measures that the Supplier and its potential Subcontractors are to implement and maintain for the protection of Personal Data.
1.4. This Data Processor Agreement is valid for as long as the Service Agreement is in force between the parties, and thus ends when the Service Agreement ends unless the parties have agreed otherwise.
2.1. “Customer” means the organisation that has contracted under the Supplier's Terms of Service to use the Supplier’s Service Modules.
2.2. “Controller” means the party that determines the purposes and means of processing Personal Data, acting alone or with others.
2.3. “Processor” means the party that processes personal data on the Controller’s behalf.
2.4. “Data Protection Laws” means the applicable laws that aim at protecting the fundamental rights and freedoms of individuals, and specifically their privacy. They include the Customer's national legislation, Directive 95/46/EC and Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), as replaces Directive 95/46/EC.
2.5. “Data Subject” means an identified or identifiable natural person, as defined under the Data Protection Laws.
2.6. “Instruction” means written instructions for the processing of personal data by the Supplier. Such instructions are provided in the Data Processor Agreement, but may be updated or modified from time to time by separate written instructions from the Customer.
2.7. “Personal Data” means any piece of information that refers to an identified or identifiable natural person, as defined under the Data Protection Laws.
2.8. “Processing” means an action or combination of actions concerning personal data, as defined in the Data Protection Laws.
2.9. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that is Processed under the Service Agreement.
2.10. “Subcontractor” means any third party which the Processor engages to carry out its obligations under the Service Agreement and/or this Data Processor Agreement in accordance with Section 6, and which through this engagement Processes Personal Data for which the Customer is the Controller.
2.11. The “Supplier” is Cinode, Corporate ID number 556825-8668, Torsgatan 21, 113 21 Stockholm, Sweden.
2.12. “Transfer” means a cross-border transfer of Personal Data to territories outside the EU in accordance with Section 11.
3. PROCESSING OF PERSONAL DATA
3.1. Purpose and categories of Processing and types of data processed. The nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects covered under this Data Processor Agreement are specified in Appendix 1.
3.2. Controller. The Customer is the Controller for all information that the Customer shares with the Supplier for the Processing of Personal Data under the Service Agreement. The Customer is responsible for ensuring that the Personal Data is collected legally, and for the accuracy and quality of the Personal Data. The Customer holds all rights to the Customer’s Data and the Supplier receives no rights to the Customer’s Data
3.3. Processor. The Supplier and its Subcontractors are Processors for the Processing of Personal Data under the Service Agreement, and shall only process Personal Data on behalf of the Customer and in accordance with the Customer’s Instructions. The Supplier is responsible for ensuring that Subcontractors that it engages only Process Personal Data in accordance with the Data Processor Agreement and the Data Protection Laws.
3.4. Purpose of Processing. The Customer is the party that decides on the purpose of the Processing of Personal Data under the Service Agreement. The purpose of the Processing of Personal Data by the Supplier is limited to
a) Providing the agreed services such as the provision of software, consulting services, maintenance, support and other services in accordance with the Service Agreement;
b) Implementing, managing and monitoring any underlying infrastructure required to provide services under the Service Agreement and to fulfil the stipulated technical and organisational requirements for the protection of Personal Data;
c) Communicating with the Customer and Customer’s personnel;
d) Implement the Customer’s Instructions in accordance with Section 3.5; and
e) Handling service problems, Incidents or Security Breaches.
f) The Supplier is entitled to use information about the use of the Service for business development purposes or for example, but not limited to, providing benchmarking information or other value adding features that can be included in the Service. However, the Supplier is bound to only show aggregated, unidentifiable information that can’t be attributed to an individual Customer or individual User. The Customer is entitled to not include their data in such value adding features, but will then not be able to use such functions.
3.5. Instructions. The Customer is responsible for giving the Supplier Instructions for the Processing of Personal Data under the Service Agreement. The Supplier shall only manage the Customer's Personal Data in accordance with the Data Processor Agreement and Instructions given by the Customer from time to time. If the Supplier deems that an instruction is contrary to the requirements of the Data Protection Laws, the Supplier shall notify the Customer thereof without delay. The Controller’s original Instructions to the Processor regarding the object and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of data subjects are listed in this Data Processor Agreement and in Appendix 1.
4. SUPPLIER’S PERSONNEL
4.1. Confidentiality. The Supplier is responsible for ensuring that Supplier’s and its Subcontractors’ personnel who Process Personal Data for which the Customer is the Controller shall maintain secrecy, have received suitable training on Personal Data and are bound by non-disclosure agreements. The obligation of confidentiality shall remain in force even after this Data Processor Agreement has otherwise cease to be in force. Otherwise, what is stated in the Service Agreement shall apply to the Supplier's obligation of confidentiality.
4.2. Restricted access. The Supplier is responsible for ensuring that only the personnel of the Supplier and the Subcontractor who need the Personal Data to fulfil the Supplier's commitment under the Service Agreement shall have access to the Personal Data.
5. PROTECTION OF PERSONAL DATA
5.1. Technical and organisational measures. The supplier shall take the technical and organisational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. The Personal Data shall be protected from any type of unauthorized Processing such as change, destruction or unauthorised access and dissemination. The Supplier accordingly undertakes to take all the measures stipulated in Article 32 of the GDPR. The Supplier shall be prepared to comply with a competent authority’s decision on measures to comply with the Data Protection Laws’ security requirements.
5.2. Rights of the Data Subject. The Supplier shall notify the Customer without delay if the Supplier receives a request from a Data Subject regarding his or her rights, such as information, correction or deletion of the Data Subject’s Personal Data. The Supplier shall not respond to such a request without the Customer's written consent, except for the purpose of notifying the Data Subject that the request has been received and forwarded to the Customer. The Supplier shall assist and help the Customer in managing Data Subjects’ inquiries and rights, unless the Supplier is prevented from doing so by law or by official decision.
5.3. The Supplier shall assist the Customer in fulfilling his or her duties as a Controller of Personal Data to respond to requests regarding the registered user’s rights
5.4. Official communications. The Supplier shall notify the Customer without delay if a government authority contacts the Supplier regarding or pertinent to the Personal Data managed under the Service Agreement. At the Customer's request, the Supplier shall, to a reasonable extent, help the Customer with such an official communication, and otherwise provide information so that the Customer is able to respond to the official communication within a reasonable period of time. The Supplier has no right to respond on the Customer’s behalf or act in the Customer's Name.
6.1. Use of Subcontractors. The Supplier may engage Subcontractors for the Processing of Personal Data under the Service Agreement subject to what is otherwise stipulated in this Section 6, and only for the purposes specified in Section 3.4.
6.2. Change in Subcontractor. The Supplier has the right to terminate a Subcontractor or engage other appropriate and reliable Subcontractors, provided that the rules in Section 6 are applied. Before engaging a new Subcontractor, the Supplier shall notify the Customer in writing of the new Subcontractor, and upon receipt of the notice the Customer has a right to object to the new Subcontractor in accordance with Section 6.4.
6.3. Contractual obligation. The Supplier is responsible for ensuring that all Processing of Personal Data performed by a Subcontractor is governed by a written agreement with the Subcontractor that corresponds to the requirements of this Data Processor Agreement at least.
6.4. Objections. If Customer has cause to object to any Subcontractor, the Customer shall notify the Supplier of this in writing. If the Customer wishes to exercise its right under Section 6.2 to object to a proposed new Subcontractor, the Customer shall notify the Supplier in writing within ten (10) days of receipt of the supplier's notice in writing.
6.5. Resolution of objections. In the event that the Customer has objected to a Subcontractor in accordance with Section 6.4 above, the parties shall discuss various activities to resolve the reason for the Customer's objection together. If the parties can not agree on any solution within a reasonable period of time, which shall not exceed thirty (30) days, the Customer may terminate the agreement by notifying the Supplier in writing. The supplier shall then refund any payments made in advance for the agreed services under the Service Agreement.
6.6. Supplier’s responsibility. The Supplier is responsible for the Subcontractor's Processing of Personal Data under the Service Agreement, and is fully responsible for Subcontractors who do not fulfil their obligations according to the Data Processor Agreement.
6.7. List of Subcontractors. The Supplier shall maintain a list of all Subcontractors who process Personal Data in connection with the Service Agreement, and shall send a copy of the list upon the Customer’s request.
7.1. Customer’s right to perform an audit. The Supplier shall provide the Customer and Customer’s independent auditors with access to such information and Supplier’s premises as may reasonably be necessary for the Customer to be able to verify that the Supplier its fulfilling its obligations according to the Data Processor Agreement. The Customer shall, within a reasonable period of time (at least thirty (30) days), notify the Supplier before such an audit unless otherwise required by a government authority, or the Customer has reason to suspect that the Supplier or a Subcontractor is not fulfilling its obligations according to the Data Processor Agreement. Each party shall be responsible for its own costs during an audit.
7.2. Audit results. If an audit has shown that the Supplier or a Subcontractor has not fulfilled its obligations according to the Data Processor Agreement, the Supplier shall promptly manage and correct this. Such corrective action does not affect the Customer's other possible claims and rights under the Data Processor Agreement.
8. INCIDENTS AND NOTIFICATION OF SECURITY BREACHES
8.1. Incident management. The supplier shall evaluate and act upon events suspected of possibly resulting in unauthorised access or Processing of Personal Data (“Incidents”). If there is a risk that the Incident may lead to unplanned or illegal deletion, loss, alteration or release to unauthorised persons, the Supplier shall promptly notify the Customer of the Incident and provide all relevant information related to the Incident. The Supplier shall develop appropriate steps to manage the Incident and cooperate with the Customer when appropriate to protect the Personal Data, with the aim of restoring the confidentiality, privacy and availability of the Personal Data.
8.2. Security Breach. The Supplier shall promptly notify the Customer and confirm that the notification was received as soon as a Security breach is discovered that could pose or could have posed a risk to the Personal Data Processed under the Service Agreement. The Supplier shall promptly investigate the Security Breach and take measures to reduce the damage, identify the basic problem and prevent it from happening again. The Customer shall be updated with relevant information related to the Security Breach and the Supplier's work on the Breach while the work is proceeding, and the Supplier shall cooperate with the Customer when appropriate to reduce the damage and protect the privacy of the Data Subjects.
9. RETURN AND DELETION OF PERSONAL DATA
9.1. Return and deletion. Within thirty (30) days of expiration of the Service Agreement, the Supplier shall delete all Personal Data that the Supplier Processed under the Service Agreement, including Personal Data managed in backups and the like, unless otherwise agreed in writing. Before deletion, the Supplier shall return all Personal Data that the Supplier Processed under the Service Agreement upon the Customer's request.
10. LIABILITY AND DAMAGES
10.1. Damages and penalties. If the Supplier fails to fulfil its obligations under this Data Processor Agreement, what was agreed in the Service Agreement regarding liability and damages shall apply, except that: The Supplier is liable for claims and damages from a Data Subject and administrative measures and/or penalties from an authority targeting the Customer based on the failure of a Supplier or a Subcontractor fulfil its obligations according to the Data Processor Agreement.
11. TRANSFER OF PERSONAL DATA
11.1. In general. The Supplier and its Subcontractors shall only process Personal Data under the Service Agreement within the EU and those countries deemed by the Commission to have an adequate level of protection, unless otherwise agreed in writing.
11.2. Transfers. If the Customer has approved the Transfer in writing, the Supplier or its Subcontractors may Process Personal Data outside the EU and those countries deemed by the Commission have an appropriate level of protection only if:
a) The recipient has been deemed to guarantee an adequate level of protection of the Personal Data through certification under the Privacy Shield Agreement, or;
b) The transfer and rights and freedoms of the data subjects are protected through approved Binding Corporate Rules pursuant to Article 47 of the GDPR, or;
c) The transfer and rights and freedoms of the data subjects are protected through the Commission's Standard Contractual Clauses.
APPENDIX 1 TO THE DATA PROCESSOR AGREEMENT
The processing of personal data under the Data Processor Agreement applies to the following categories of data subjects:
- The Customer’s employees
- Customer’s sub-consultants
- Customer’s recruitment candidates
- The Customer’s Customers
- The Customer’s users of the Supplier's products and services
CATEGORIES OF PROCESSED DATA
PURPOSE, NATURE AND OBJECTIVE OF THE PROCESSING
The purpose of the personal data processing is to provide contracted Services offered by the Supplier at any given time to offer Competence & CV management, Sales & Resourcing, Utilization and Partner &/ Personal data is categorized by the following: Employee, Recruitment Candidate, Sub-consultant, Partner Consultant, Personal information such as name, address, age, and gender, and skills and experience according to the Profile features.