Journeys Data Processing Agreement

Last updated: November 11th, 2023

This Data Processing Agreement ("Agreement"), effective as of the date of acceptance, is established between the user ("Controller") and 50skills ehf., registration no. 490402-4110 ("Processor"). Herein, each party may be referred to individually as a "Party" and collectively as the "Parties". This Agreement is an integral part of the Terms of Service for Journeys by 50skills, accessible at https://www.50skills.com/terms-of-use-journeys.

BACKGROUND AND PURPOSE OF PROCESSING

The Parties have entered into a service agreement (the “Service Agreement”) under which Processor undertook to provide HR workflow automation services through Journeys by 50skills to Controller (the “Services”). In relation to the Services, Processor may process information and data which can be considered personal data as defined by data protection legislation, particularly Act No. 90/2018 and Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“Data Protection Legislation”), on behalf of Controller. This Agreement serves to regulate the Parties’ rights and obligations concerning the processing of personal data to ensure secure and compliant processing thereof.

In Journeys, the customer controls who they add as users, and the customer along with those users can create forms requesting information which can then be reused to send messages, emails, and input data into other systems. It is the Controller’s responsibility to inform its users how Journeys operates and to ensure they only collect information necessary for the platform’s usage. This can encompass data such as full name, ID, portrait images, banking information, and various other types of personally identifiable information. Journeys is designed to integrate with third-party products, which can be added by the Controller either through direct integration or by utilizing our API. Processor is not responsible for these third-party products.

1. PROCESSING OF PERSONAL DATA AND CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

A detailed description of the processing operations performed by Processor on behalf of Controller, including the purpose of processing, the categories of personal data being processed, and the categories of the data subjects is as follows:

  • Workflow Design and Execution: Creation and management of automated workflows or 'journeys', consisting of various actions where the completion of one triggers the next.
  • Data Collection and Utilization: Collection of data through forms and its utilization in subsequent actions, including potential integration with third-party systems that the customer adds.
  • Communication: Sending of emails and text messages as part of journey actions.
  • Document Management: Creation and conversion of documents within the system that the customer adds.
  • Data Synchronization and Control: Synchronization of actions and control of workflow based on predefined conditions.

The personal data categories processed include user information (full name, email, phone number), form inputs (text, dates, telephone numbers, email addresses, file uploads), communication data (email addresses, phone numbers), and document data. The data subjects primarily comprise Travellers navigating the journey, Supervisors and HR Managers overseeing the journey, and Third-Party Users involved through integrations.

2. PROCESSOR’S OBLIGATIONS

2.1. Processor shall only process Personal Data on behalf of Controller in accordance with this Agreement or Controller’s documented instructions, except where required by mandatory law. In such cases, Processor shall notify Controller of that legal requirement prior to processing unless prohibited by law.

2.2. Processor shall ensure that individuals with access to Personal Data only process it as instructed by Controller.

2.3. Processor shall promptly comply with any request from Controller to amend, transfer, delete, or return the Personal Data.

2.4. Should Processor believe that an instruction violates Data Protection Legislation, it shall promptly notify Controller.

3. CONTROLLER’S OBLIGATIONS

3.1. Controller represents and warrants that it has the legal authority to process the Personal Data and to grant the processing rights to Processor under this Agreement.

3.2. Controller shall be responsible for ensuring that the processing of Personal Data complies with Data Protection Legislation and other applicable laws.

4. CONFIDENTIALITY AND TRAINING OF EMPLOYEES

As stipulated previously, confidentiality, training, and limitation of access to essential personnel are crucial.

5. SECURITY MEASURES

In alignment with previous outlines, Processor shall implement appropriate technical and organizational measures to ensure the security of the Personal Data processed on behalf of Controller. Processor utilizes third-party products such as Heroku for hosting, Mailgun for emails, Twilio for text messages, and Intercom for customer support. It may add additional similar services to enhance its services to customers.

6. INTERNAL AUDIT

Processor shall conduct regular internal audits of the processing of Personal Data to ensure compliance with this Agreement and Data Protection Legislation.

7. SUB-PROCESSORS

7.1. Should Processor engage a sub-processor, the same data protection obligations set out in this Agreement shall be imposed on the sub-processor.

7.2. Processor remains fully liable to Controller for the performance of the sub-processor's obligations.

8. DATA SUBJECT'S REQUESTS AND THIRD-PARTY RIGHTS

Processor shall assist Controller in responding to requests for exercising data subjects' rights in accordance with Data Protection Legislation.

9. DURATION OF AGREEMENT

This Agreement shall remain valid as long as the Service Agreement is in force or until terminated by Controller.

10. ERASURE OR RETURN OF PERSONAL DATA

Processor shall erase or return Personal Data upon termination of this Agreement or upon Controller's request.

11. INDEMNITY

As outlined previously, indemnity clauses are included to protect both Parties against claims, damages, and penalties related to violations of this Agreement or Data Protection Legislation.

12. AUDITS AND ACCESS TO INFORMATION ON PROCESSING

Processor shall make available all necessary information to demonstrate compliance and shall allow for and contribute to audits conducted by Controller or Controller's designated auditor.

13. APPLICABLE LAW AND JURISDICTION

This Agreement is governed by Icelandic law with exclusive jurisdiction in the District Court of Reykjavík.

14. CONTACTS

Each Party shall nominate a contact person for notifications regarding this Agreement. For Processor: security@50skills.com.

15. OTHER

The clauses concerning other provisions, annexes, and competence validation as outlined previously shall be adhered to.