Data Processing Agreement
- Scope
1.1. For the purpose of clauses 1.1.1 and 1.1.2, Ifajobhub.co.uk shall process personal data on behalf of the Customer within the meaning of Article 59 of the Data Protection Act 2018 (“UK GDPR” or “Data Protection Legislation”). The Customer shall be the data controller and Ifajobhub.co.uk shall function as the data processor in the following circumstances:
1.1.1. Direct Search Database. Ifajobhub.co.uk processes personal data on behalf of the Customer to the extent that the Customer uses the comment function within the Ifajobhub.co.uk Direct Search Database (“Direct Search”). When using the Direct Search function, it is possible for the Customer to view profiles of Jobseekers and, in particular, to save comments on the respective profiles. Ifajobhub.co.uk only processes personal data on behalf of the Customer in the event that the comment function is used (storage of the respective comments on a Candidate’s profile).
1.1.2. Applicant Application Manager. Ifajobhub.co.uk processes personal data on behalf of the Customer to the extent that the Customer uses the comment function within Applicant Manager. When using the Applicant Manager, it is possible for the Customer to add comments on the Candidates’ application. Ifajobhub.co.uk only processes personal data on behalf of the Customer in the event that the comment function is used.
1.2. Ifajobhub.co.uk shall process the personal data exclusively in Member States of the European Union or in another contracting State to the Agreement on the European Economic Area, unless instructions to the contrary have been issued and transmission is permitted in accordance with the provisions of Article 73 of the UK GDPR.
1.3. The processing of personal data will terminate once the use of the respective services has ended. For the comments added by the Customer to profiles of Candidates within the scope of the comment function pursuant to clause 1.1.1 of this Agreement, the duration of the processing corresponds to the duration of the application process, with the data being deleted by the system twelve (12) months after receipt of application.
1.4. Within this frame of reference, the data subjects are individuals who apply for specific job roles through Customers’ job adverts or those who have profiles which allow Customers to add their own comments.
- Ifajobhub.co.uk’s obligations
2.1. Ifajobhub.co.uk will only process the personal data derived from the (i) comments function and (ii) application status (“Personal Data”) to the extent, and in such a manner, as is necessary for the purpose of the Contract and in accordance with the Customer’s written instructions from the agreed authorised persons. Ifajobhub.co.uk will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the UK GDPR. Ifajobhub.co.uk will promptly notify the Customer if, in its opinion, the Customer’s instructions do not comply with the UK GDPR.
2.2. Ifajobhub.co.uk must comply promptly with any Customer written instructions requiring Ifajobhub.co.uk to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
2.3. Ifajobhub.co.uk shall inform the Customer without undue delay if Ifajobhub.co.uk is of the opinion that an instruction from the Customer breaches the Data Protection Legislation. Ifajobhub.co.uk may suspend implementation of the instruction until it has been confirmed that the breach has been rectified by the Customer.
2.4. Ifajobhub.co.uk shall comply with the provisions of this Agreement and relevant applicable Data Protection Legislation, in particular the General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018.
Security
2.5. Ifajobhub.co.uk shall take appropriate organisational and technical measures in accordance with the UK GDPR, including the General Data Protection Regulation (“GDPR”) and in particular Art. 32 thereof, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, nature, scope and purpose of processing as well as the likelihood of occurrence and severity of the risk. These protective measures are recorded in the overview of technical and organisational measures, which can be referred to in Annex 1. The technical and organisational measures are subject to technical progress and further development. In this respect, Ifajobhub.co.uk is required to check the effectiveness of the measures and adapt them accordingly as technology progresses. Alternative protective measures are permitted as long as they do not fall below the protective level of the defined measures.
Data Subject requests
2.6. Ifajobhub.co.uk may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Customer, but only on documented instructions from the Customer. Insofar as a data subject contacts Ifajobhub.co.uk directly concerning a rectification, erasure, or restriction of processing, Ifajobhub.co.uk will immediately forward the data subject’s request to the Customer.
2.7. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be safeguarded by Ifajobhub.co.uk in accordance with documented instructions from the Customer without undue delay.
Cross-Border Transfer of Personal Data
2.8. Ifajobhub.co.uk (and any subcontractors) must not transfer or otherwise process the personal data outside of the United Kingdom or the EEA without obtaining the Customer’s prior written consent.
Subcontractors
2.9. Ifajobhub.co.uk may appoint subcontractors (additional contract processors) only after prior explicit written or documented consent from the Customer.
2.10. Once consent is received, Ifajobhub.co.uk may authorise any third party or subcontractor to process the personal data. Ifajobhub.co.uk shall make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the personal data, even in the case of outsourced ancillary services.
Term and Termination
2.11. The Agreement will remain in full force and effect so long as the Contract remains in effect.
2.12. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Contract in order to protect the personal data will remain in full force and effect.
2.13. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Contract obligations, the parties may agree to suspend the processing of the personal data until that processing complies with the new requirements. If the parties are unable to bring the personal data processing into compliance with the Data Protection Legislation within thirty (30) days, either party may terminate the Contract on not less than thirty (30) working days’ written notice to the other party.
Data Return and Destruction
2.14. At the Customer’s request, Ifajobhub.co.uk will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
2.15. On termination of the Contract for any reason or expiry of its term, Ifajobhub.co.uk will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the personal data related to this Agreement in its possession or control.
2.16. If any law, regulation, or government or regulatory body requires Ifajobhub.co.uk to retain any documents, materials, or personal data that Ifajobhub.co.uk would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials, or personal data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
2.17. Ifajobhub.co.uk will certify in writing to the Customer that it has deleted or destroyed the personal data within thirty (30) days after it completes the deletion or destruction.
Records
2.18. Ifajobhub.co.uk will keep detailed, accurate, and up-to-date written records regarding any processing of the personal data, including but not limited to, the access, control, and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in 3.5 (“Records”).
2.19. Ifajobhub.co.uk will ensure that the Records are sufficient to enable the Customer to verify Ifajobhub.co.uk’s compliance with its obligations under this Agreement and the Data Protection Legislation, and Ifajobhub.co.uk will provide the Customer with copies of the Records upon request.
2.20. Ifajobhub.co.uk will permit the Customer and Customer’s representatives to audit Ifajobhub.co.uk’s compliance with its Agreement obligations, on at least sixty (60) days’ notice during the Term defined in the Order Form. Ifajobhub.co.uk will give the Customer and Customer’s representatives all necessary assistance to conduct such audits at no additional cost to the Customer by permitting the Customer to inspect all Records and infrastructure, electronic data or systems, facilities, equipment, or application software used to process the personal data.
2.21. Both parties shall warrant and represent that:
2.21.1. its employees, agents, and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
2.21.2. it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards, and other similar instruments;
2.21.3. it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Contract and/or services; and
2.21.4. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to the Personal Data, and ensure a level of security appropriate to:
(a) the harm that might result from such accidental, unauthorised, or unlawful processing and loss or damage;
(b) the nature of the Personal Data protected; and
(c) comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in 3.5.
Annex 1
SECURITY MEASURES
Processor to insert description of its technical and organisational data security measures such as:
During the past decade, Ifajobhub.co.uk has enforced the security of its websites and databases with the help of technical and organizational measures.
Regarding UK GDPR, these security measures can be considered as appropriate for the protection of Ifajobhub.co.uk’s customers, candidates and employees’ personal data.
- Physical Access Controls
All Ifajobhub.co.uk buildings are equipped with an alarm system, activated when the building is not occupied (nights & weekends), with motion detectors placed all around.
Ifajobhub.co.uk uses ISO27001 certified datacenters for the hosting of some applications. These datacenters are compliant with ISO27001 regarding physical security.
- Perimeter Security
For its websites, Ifajobhub.co.uk uses Norton as its Content Delivery Network, which acts as a proxy between the clients and the servers, caches the websites’ static content, and protects them behind a Web Application Firewall (WAF). The WAF inspects each request sent to the website and blocks or monitors it if it is not compliant with the WAF policy.
Ifajobhub.co.uk uses a Next Generation Firewall that not only does packet filtering (like a traditional firewall), but also has an Intrusion Prevention System (IPS), antivirus and antibot, and is identity access based.
Akamai also offers DDoS protection for Ifajobhub.co.uk’s websites. DDoS, or Distributed Denial of Service, is a type of attack where an attacker floods a website with an enormous amount of traffic, rendering the website unusable for the rest of the users.
Ifajobhub.co.uk services are also protected with a bot detection device. A bot is a software application that runs automated tasks, faster than a human. Some of these bots may conduct malicious activities, like sending spam emails, spreading viruses or carrying out DDoS attacks.
- Network Security
Access to the network is identity based. It means that for each access to the network, Ifajobhub.co.uk can identify the human behind it.
Ifajobhub.co.uk also uses a Security Incident and Event Management (SIEM) solution. It helps Ifajobhub.co.uk to identify anything that happens on its information systems, report it in a readable format, and understand whether it is legitimate or not.
Log correlation helps Ifajobhub.co.uk to identify and group events that have a common source (for example, a hacker entering the network and some folders then being deleted…), and to raise alerts if necessary.
At Ifajobhub.co.uk, IT environments are segregated (Development, Test, Q&A, Production). New functionalities are thoroughly tested before being pushed to production, to reduce the risks of compromising the production environment’s integrity or availability.
- Host Security
Operating systems of Ifajobhub.co.uk’s employees’ laptops are automatically patched with critical updates once a week.
Each laptop is equipped with anti-virus/malware.
Laptops’ hard drives are fully encrypted. USB keys must be encrypted before use.
- Data Access Controls
Ifajobhub.co.uk uses an Identity and Access Management system (IAM), ensuring that the right individual accesses the right resource, at the right time and for the right reasons.
Private data, such as personal data (sensitive or not), is always encrypted.
Ifajobhub.co.uk relies on the need-to-know principle, meaning that restricted access is the norm. No one has access to everything, but rather access to only what he/she needs to have access to, to perform his/her job duties.
Every access to any of Ifajobhub.co.uk’s systems is logged and monitored.
- Application Security
Communications between the client and the application server are mandatorily encrypted with Secure Sockets Layer (SSL). This ensures that the server is authenticated, as well as the confidentiality and integrity of data exchanged between the server and its client.
Ifajobhub.co.uk’s applications are hardened, meaning that vulnerabilities are regularly scanned for and fixed, data are encrypted in transit and at rest, unused server ports are closed, and access to the systems is restricted through authentication and authorization processes.
Penetration tests are regularly conducted on Ifajobhub.co.uk’s application, to simulate a hacker attack on the system and find application flaws, which are fixed afterwards.
- Policies, Procedures & Awareness
Although Ifajobhub.co.uk is not ISO 27001 certified and does not currently intend to be, we have established a set of security policies, guidelines, and procedures inspired by ISO 27002 security domains and controls: information security policy, access control policy, backup policy, incident management policy and procedure, etc. These policies are approved by the management, communicated to the appropriate audiences and reviewed regularly.
Based on these policies, Ifajobhub.co.uk regularly assesses the level of compliance of each entity within the group.
Regular awareness e-learning sessions are sent to all personnel with mandatory attendance.