SCC

HIRECHAIN - STANDARD CONTRACTUAL CLAUSES

These Hirechain standard contractual clauses apply where there is a transfer of Candidate Data from Hirechain to the Client outside the UK and EEA to a country that does not have an adequacy decision from the EU Commission or UK Secretary of State, as applicable.

  1. The following definitions apply in these standard contractual clauses:

Candidate Data” as defined in the Client Terms;

Client” as defined in the Client Terms;

Client Terms” means the Hirechain Client Terms of Business entered into by Hirechain and the Client;

EU SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021;

Hirechain” means Hirechain Ltd, a company incorporated in England and Wales with company number 14408241 and having its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ;

SCCs” means the EU SCCs and the UK Addendum.

UK Addendum” means the Approved Addendum, being the template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.

  1. The relevant provisions contained in the SCCs are incorporated by reference and are an integral part of these standard contractual clauses. For the purposes of these standard contractual clauses, Hirechain is the “data exporter” and the Client is the “data importer”.
  2. EU SCCs. The parties shall comply with the EU SCCs sections I, II, III and IV (as applicable) as set out in Module One (Controller to Controller), amended as follows:
  1. The option under clause 7 (Docking Clause) shall apply.
  2. For the purposes of clause 11 (Redress), the optional wording in clause 11(a) does not apply.
  3. Clause 13 shall apply as follows: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C of Part 1 of Annex 1, shall act as competent supervisory authority. 
  4. The governing law for the purposes of clause 17 shall be the laws of Ireland and the courts under clause 18 shall be the courts of Ireland.
  5. The Appendix shall be completed as set out in Appendix 1.
  1. UK Addendum. The parties shall comply with the Mandatory Clauses of the UK Addendum, as it is revised under Section ‎18 of those Mandatory Clauses, as follows:
  1. The information required for Tables 1 to 3 of Part One of the UK Addendum is set out in Appendix 2. 
  2. For the purposes of Table 4 of Part One of the UK Addendum, either party may end the UK Addendum.

APPENDIX 1

ANNEX I 

A. LIST OF THE PARTIES

Data exporter: Hirechain as defined in the Client Terms.

Data importer: the Client as defined in the Client Terms.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The categories of the data subjects will be candidates applying for client vanancies or being put forward for work on a speculative basis.  

Categories of personal data transferred

The types of personal data will include first names, surnames, gender, disability related information, employment history, education history, qualifications, salary and salary expectations, right to work information.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Some limited sensitive data may be transferred such as disability related information to make reasonable adjustments and right to work information.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The data related to each candidate will be transferred during the recruitment process. 

Nature of the processing

The nature of the processing will include receiving, storing, accessing, sharing, using, viewing, updating and deleting the personal data.

Purpose(s) of the data transfer and further processing

The purpose of the data transfer is for the candidates to be submitted for vacancies or speculatively for work with the data importer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

The duration of the processing is for the length of the recruitment process plus an additional period of time necessary for the data importer to be satisfied that no claims will arise out of the recruitment process. 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

DATA PROTECTION COMMISSION (IRELAND)

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data 

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing 

Measures for user identification and authorisation 

Measures for the protection of data during transmission 

Measures for the protection of data during storage 

Measures for ensuring physical security of locations at which personal data are processed 

Measures for ensuring events logging 

Measures for ensuring system configuration, including default configuration 

Measures for internal IT and IT security governance and management 

Measures for certification/assurance of processes and products 

Measures for ensuring data minimisation 

Measures for ensuring data quality 

Measures for ensuring limited data retention 

Measures for ensuring accountability 

Measures for allowing data portability and ensuring erasure

APPENDIX 2

TABLE 1: PARTIES

EXPORTER: Hirechain as defined in the Client Terms

IMPORTER: The Client as defined in the Client Terms

TABLE 2: SELECTED SCCS MODULES AND SELECTED CLAUSES

The version of the Approved EU SCCs to which this Addendum is appended to, including the Appendix Information.

TABLE 3: APPENDIX INFORMATION

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As set out in the Approved EU SCCs.

Annex 1B: Description of Transfer: As set out in the Approved EU SCCs.

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in the Approved EU SCCs.