
Legal

Collection of legal documents from IPA Nordic

Data Processing Agreement

Pursuant to Article 28(3) of Regulation 2016/679 (General Data Protection Regulation) concerning the Processor’s processing of personal data

between

the user of IPA PeopleSuite

and

IPA Nordic ApS
CVR 40700048
Borgvold 3
8260 Viby J
hereinafter “the Processor”

each individually a “Party” and together the “Parties”

Have agreed on the following standard contractual clauses (the “Clauses”) in order to comply with the General Data Protection Regulation and to ensure protection of privacy and the fundamental rights and freedoms of natural persons

2. Preamble

These Clauses set out the Processor’s rights and obligations when carrying out processing of personal data on behalf of the Controller.

These Clauses have been drafted with the aim of the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

In connection with the Processor’s provision of services to the Controller, the Processor processes personal data on behalf of the Controller in accordance with these Clauses.

These Clauses shall prevail over any similar provisions in other agreements between the Parties.

Four appendices are attached to these Clauses, and the appendices form an integral part of the Clauses.

Appendix A contains detailed information about the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

Appendix B contains the Controller’s conditions for the Processor’s use of sub-processors and a list of sub-processors approved by the Controller.

Appendix C contains the Controller’s instructions regarding the Processor’s processing of personal data, a description of the security measures which the Processor as a minimum shall implement, and how supervision of the Processor and any sub-processors is carried out.

Appendix D contains provisions relating to other activities which are not covered by the Clauses.

The Clauses with appendices shall be kept in writing, including electronically, by both Parties.

These Clauses do not release the Processor from obligations imposed on the Processor under the General Data Protection Regulation or any other legislation.

3. The Controller’s rights and obligations

The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU law or EEA Member States’ national law, and these Clauses.

The Controller has the right and obligation to make decisions about the purposes and means by which personal data may be processed.

The Controller is responsible for, inter alia, ensuring that there is a legal basis for the processing of personal data which the Processor is instructed to carry out.

4. The Processor acts on instructions

The Processor may process personal data only on documented instruction from the Controller, unless required to do so under EU law or EEA Member States’ national law to which the Processor is subject. Such instruction shall be specified in Appendices A and C. Subsequent instruction may also be given by the Controller while processing of personal data is taking place, but the instruction shall always be documented and kept in writing, including electronically, together with these Clauses.

The Processor shall immediately inform the Controller if, in its opinion, an instruction is contrary to the General Data Protection Regulation or data protection provisions in other EU law or EEA Member States’ national law.

5. Confidentiality

The Processor may grant access to personal data processed on behalf of the Controller only to persons subject to the Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons granted access shall be continuously reviewed. Based on this review, access to personal data may be revoked if access is no longer necessary, and the personal data shall thereafter no longer be accessible to those persons.

Upon request from the Controller, the Processor shall be able to demonstrate that the persons concerned who are subject to the Processor’s authority are bound by the above confidentiality obligation.

6. Security of processing

Article 32 of the General Data Protection Regulation provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The Controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks.

Depending on their relevance, this may include:

- Pseudonymisation and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

Pursuant to Article 32 of the Regulation, the Processor shall also – independently of the Controller – assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks. For the purpose of this assessment, the Controller shall provide the necessary information to the Processor to enable it to identify and assess such risks.

Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations pursuant to Article 32 of the Regulation by, inter alia, making available to the Controller the necessary information concerning the technical and organisational security measures already implemented by the Processor pursuant to Article 32 and any other information necessary for the Controller’s compliance with its obligations under Article 32.

If addressing the identified risks – in the Controller’s assessment – requires implementation of additional measures beyond those already implemented by the Processor, the Controller shall specify the additional measures to be implemented in Appendix C.

7. Use of sub-processors

The Processor shall meet the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation in order to make use of another processor (a sub-processor).

The Processor may therefore not make use of a sub-processor for the fulfilment of this Agreement without prior general written authorisation from the Controller.

The Processor has the Controller’s general authorisation to use sub-processors. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of sub-processors with at least 1 month’s notice and thereby give the Controller the opportunity to object to such changes before the use of the sub-processor(s) concerned. Longer notice periods for specific processing activities may be specified in Appendix B. The list of sub-processors already approved by the Controller appears in Appendix B.

Where the Processor makes use of a sub-processor in connection with the performance of specific processing activities on behalf of the Controller, the Processor shall, by way of a contract or other legal act under EU law or EEA Member States’ national law, impose on the sub-processor the same data protection obligations as set out in these Clauses, thereby in particular providing sufficient guarantees that the sub-processor will implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of these Clauses and the General Data Protection Regulation.

The Processor is therefore responsible for requiring that the sub-processor as a minimum complies with the Processor’s obligations under these Clauses and the General Data Protection Regulation.

Sub-processor agreement(s) and any subsequent amendments thereto shall – at the Controller’s request – be provided in copy to the Controller, thereby enabling the Controller to ensure that equivalent data protection obligations as set out in these Clauses have been imposed on the sub-processor. Provisions concerning commercial terms which do not affect the data protection legal content of the sub-processor agreement shall not be provided to the Controller.

If the sub-processor does not fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.

This does not affect the rights of the data subjects under the General Data Protection Regulation, including in particular Articles 79 and 82, vis-à-vis the Controller and the Processor, including the sub-processor.

8. Transfer to third countries or international organisations

Any transfer of personal data to third countries or international organisations shall be carried out by the Processor only on the basis of documented instruction from the Controller and shall always take place in compliance with Chapter V of the General Data Protection Regulation.

If transfer of personal data to third countries or international organisations, which the Processor has not been instructed to carry out by the Controller, is required under EU law or EEA Member States’ national law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before processing, unless such law prohibits such information on important grounds of public interest.

Without documented instruction from the Controller, the Processor may therefore not within the framework of these Clauses:

- transfer personal data to a controller or processor in a third country or an international organisation
- entrust processing of personal data to a sub-processor in a third country
- process the personal data in a third country

The Controller’s instructions regarding the transfer of personal data to a third country, including the transfer basis under Chapter V of the General Data Protection Regulation on which the transfer is based, shall be specified in Appendix C.6.

These Clauses shall not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and these Clauses do not constitute a transfer basis under Chapter V of the General Data Protection Regulation.

9. Assistance to the Controller

Taking into account the nature of the processing, the Processor shall, as far as possible, assist the Controller by appropriate technical and organisational measures in the fulfilment of the Controller’s obligation to respond to requests for exercising the data subjects’ rights as set out in Chapter III of the General Data Protection Regulation.

This entails that the Processor shall, as far as possible, assist the Controller in ensuring compliance with:

- the obligation to provide information when collecting personal data from the data subject
- the obligation to provide information where personal data has not been obtained from the data subject
- the right of access
- the right to rectification
- the right to erasure (“the right to be forgotten”)
- the right to restriction of processing
- the obligation to notify regarding rectification or erasure of personal data or restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing, including profiling

In addition to the Processor’s obligation to assist the Controller pursuant to Clause 6.3, the Processor shall furthermore, taking into account the nature of the processing and the information available to the Processor, assist the Controller with:

- the Controller’s obligation, without undue delay and, where feasible, not later than 72 hours after having become aware of it, to notify a personal data breach to the competent supervisory authority (Denmark: Datatilsynet), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
- the Controller’s obligation to communicate a personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons
- the Controller’s obligation to carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)
- the Controller’s obligation to consult the competent supervisory authority (Denmark: Datatilsynet) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk

10. Notification of personal data breach

The Processor shall notify the Controller without undue delay after becoming aware that a personal data breach has occurred.

The Processor’s notification to the Controller shall take place without undue delay and, where feasible, not later than 24 hours after having become aware of the breach, so that the Controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.

In accordance with Clause 9.2(a), the Processor shall assist the Controller in making the notification to the competent supervisory authority. This means that the Processor shall assist in providing the following information, which pursuant to Article 33(3) shall be included in the Controller’s notification of the breach to the competent supervisory authority:

- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- the likely consequences of the personal data breach
- the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

The Parties shall specify in Appendix C the information to be provided by the Processor in connection with its assistance to the Controller in the Controller’s obligation to notify personal data breaches to the competent supervisory authority.

11. Deletion and return of data

Upon termination of the provision of services relating to processing of personal data, the Processor shall be obliged to delete all personal data processed on behalf of the Controller and confirm to the Controller that the data has been deleted, unless EU law or EEA Member States’ national law requires storage of the personal data.

12. Audit, including inspection

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Clauses and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The procedures for the Controller’s audits, including inspections, of the Processor and sub-processors are specified in Appendix C.

The Processor shall be obliged to grant supervisory authorities, which pursuant to applicable legislation have access to the Controller’s or Processor’s facilities, or representatives acting on behalf of the supervisory authority, access to the Processor’s physical facilities upon presentation of proper identification.

13. Entry into force and termination

The Clauses shall enter into force on the date of both Parties’ signature.

Both Parties may require the Clauses to be renegotiated if changes in the law or impracticalities in the Clauses give rise thereto.

The Clauses shall apply as long as the Processor provides services relating to the processing of personal data. During this period, the Clauses cannot be terminated unless other provisions governing the provision of services relating to processing of personal data are agreed between the Parties.

If the provision of services relating to processing of personal data ceases and the personal data has been deleted or returned to the Controller in accordance with Clause 11.1 and Appendix C.4, the Clauses may be terminated by either Party by written notice.

Appendix A – Information about the processing

A.1. The purpose of the Processor’s processing of personal data on behalf of the Controller

The purpose of the processing of personal data is the operation of the Processor’s Service, which is made available to the Controller by agreement. In the Service, based on information entered by the Controller and users’ responses to questions, personality analyses, team leader analyses, and role style analyses and variations thereof may be prepared.

A.2. The Processor’s processing of personal data on behalf of the Controller primarily concerns (the nature of the processing)

- Preparation of personality analyses and storage of these.
- Use of non-personally identifiable and anonymised information for statistics and improvement of the Service.

A.3. The processing includes the following types of personal data concerning the data subjects

- Name, (potential) title, date of birth, contact details (including email address)
- Responses to questions for the purpose of personality analysis
- Personality analysis

A.4. The processing includes the following categories of data subjects

- The Controller’s administrators
- Users, who may be employees of the Controller or candidates for a position with the Controller or candidates for a position with a customer of the Controller

A.5. The Processor’s processing of personal data on behalf of the Controller may commence after the entry into force of these Clauses. The processing has the following duration

The processing of personal data shall take place as long as the Controller uses the Processor’s Service.

Appendix B – Sub-processors

B.1. Approved sub-processors

Upon the entry into force of the Clauses, the Controller has approved the use of the following sub-processors:

skyPIM A/S
21396648
Boulevarden 19E
7100 Vejle
Hosting and technical operation of the Service. Country of processing: Denmark, Germany.

Upon the entry into force of the Clauses, the Controller has approved the use of the above-mentioned sub-processors for the described processing activity. The Processor may not – without the Controller’s written approval – use a sub-processor for another processing activity than that described and agreed or use another sub-processor for this processing activity.

Appendix C – Instructions regarding processing of personal data

C.1. Subject matter of the processing/instruction

The Processor’s processing of personal data on behalf of the Controller consists of the Processor performing the following:

Based on the Controller’s use of the Service made available pursuant to the agreement concluded between the Controller and the Processor, the Processor shall collect information about the Controller or the Controller’s users when such information is entered into the Service and, on that basis, prepare personality analyses for use by the Controller, and such analyses shall also be stored by the Controller.

C.2. Security of processing

The level of security shall reflect:

That the processing does not concern sensitive personal data, but information which may be perceived by the data subjects as having a certain sensitivity.

The Processor is thereafter entitled and obliged to make decisions about which technical and organisational security measures shall be implemented in order to establish the necessary level of security.

If the Controller wishes other or additional security measures to be implemented, including where this is based on audit/inspection, the Controller shall be responsible for any additional costs for the Processor which this may entail.

C.3 Assistance to the Controller

Where the Processor provides assistance to the Controller in fulfilling the Controller’s obligations, the Processor shall be entitled to charge remuneration for such work at its applicable hourly rate.

C.6 Instruction regarding transfer of personal data to third countries

If the Controller does not in these Clauses or subsequently provide a documented instruction regarding transfer of personal data to a third country, the Processor is not entitled within the framework of these Clauses to carry out such transfers.

C.7 Procedures for the Controller’s audits, including inspections, of the processing of personal data entrusted to the Processor/sub-processors

At the request of the Controller, the Processor shall, at the Controller’s expense, obtain an audit statement from an independent third party concerning the Processor’s/sub-processor’s compliance with the General Data Protection Regulation, data protection provisions in other EU law or EEA Member States’ national law and these Clauses.

The Parties agree that the following types of audit statement may be used in accordance with these Clauses: ISAE 3000 audit statement or another similar type of assurance statement.

The Controller or a representative of the Controller shall furthermore have access to carry out inspections, including physical inspections, of the premises from which the Processor/sub-processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the Controller finds it necessary.

Any expenses of the Processor and sub-processor in connection with supervision of the personal data processing at the Processor or sub-processors or physical inspection of the Processor’s or sub-processor’s premises shall be borne by the Controller.

[1] References to “Member State” in these Clauses shall be understood as references to “EEA Member States”.

Terms & Conditions

IPA TERMS & CONDITIONS

These Terms & Conditions apply to IPA Nordic ApS’ (“IPA”) services provided to the Customer.

1. Right of Use

1.1 By entering into an agreement with IPA, the Customer obtains the right, in accordance with these Terms & Conditions, to use IPA’s service in the agreed version (“the Service”). Unless otherwise specifically agreed, the Customer is entitled to use the Service internally within its company, including when the Customer carries out recruitment work for third parties, provided that the Customer may grant users outside its company, who are candidates for employment with the Customer or with a company for which the Customer carries out recruitment work, access to use the Service in connection with answering questions, cf. clause 1.2.

1.2 The Customer is entitled to use the Service as intended and may grant employees and others (“Customer’s Users”) access to the Service and related analyses as provided. Users may be ordinary users who answer questions for use in the Service or administrators with access to the cockpit and prepared analyses.

1.3 The Customer’s administrators must be employed by the Customer’s company and must at all times be certified in the use of the analyses to which the Customer has access via the Service. IPA provides certification in the analyses covered by the Service as specified on IPA’s website or otherwise communicated.

2. Implementation

2.1 IPA or one of IPA’s partners implements the Service for the Customer, meaning that the Customer can access the Service as agreed at the agreed time.

2.2 IPA or IPA’s partner is entitled, to a reasonable extent, to make changes to the agreed implementation time, provided that such changes are communicated to the Customer.

2.3 The Customer must, to the relevant extent, participate in the implementation, including providing IPA or IPA’s partner with the necessary and correct information required for implementation and granting access to IT resources as needed.

3. Operation

3.1 The Service is hosted and accessed online by the Customer. IPA will seek to ensure that the Service is available to the Customer at all times but does not guarantee any specific uptime.

3.2 The Customer is responsible for providing the equipment, applications, and network connections necessary for the use of the Service. Upon the Customer’s request, IPA will provide information on any special specifications for equipment, applications, etc.

3.3 IPA may, without liability, temporarily or partially suspend the Customer’s or the Customer’s Users’ access to the Service:

a) if necessary for maintenance, repair, or updating of the Service. Such suspension will, as far as possible, be conducted outside normal business hours and will be notified to the Customer in advance, although in certain situations it may be necessary to suspend access without notice, even during normal business hours.

b) if there is reason to believe that the Customer’s or the Customer’s Users’ access is being misused by third parties. Restoration of access may require that the Customer’s Users’ usernames and/or passwords are changed.

c) if the Customer’s actions or circumstances, for which the Customer is otherwise responsible, have caused or are expected to cause damage to the Service, including to other customers or users of the Service, or if the Service is reasonably believed to be used for unlawful purposes. Access to the Service will be restored once these issues have been resolved to IPA’s satisfaction.

d) if the Customer does not comply with the certification requirement for administrators, cf. clause 1.3, and the requirement has not been met for 60 days.

e) if the Customer is in default of payment to IPA.

3.4 If IPA suspends access as per clause 3.3, IPA will notify the Customer as soon as possible, including the reason for the suspension and when and under which conditions access can be restored. Such suspension does not constitute a breach of the Agreement and does not entitle the Customer to a refund or other remedies for breach.

3.5 The Customer is responsible for ensuring backup of any data processed in the Service. IPA may, under a separate agreement, assist the Customer with creating backups and restoring data from backups. IPA is entitled to remuneration for such work based on IPA’s prevailing hourly rates and any third-party costs.

4. Use of the Service

4.1 The Customer is responsible for entering its own information into the Service and ensuring the data is correct and valid. IPA is not responsible for whether the Service and its use are suitable for the Customer’s purposes. This responsibility lies solely with the Customer.

4.2 IPA is responsible for ensuring that IPA’s service complies with Danish law. The Customer is responsible for ensuring that its use of the Service, including data processing, is lawful and complies with all legal requirements, including data protection, and for any use of the Service under the usernames and passwords assigned to the Customer and the Customer’s Users.

4.3 The Customer and the Customer’s Users must at all times protect their usernames and passwords for the Service. If the Customer becomes aware of or suspects misuse of access or that third parties have obtained usernames or passwords, the Customer must immediately notify IPA.

4.4 IPA is entitled to monitor the use of the Service and use any information from the Service in anonymized form for statistical purposes and maintenance of the Service.

5. Changes to the Service

5.1 IPA is entitled to make changes to the Service and its design. IPA will seek to notify the Customer of such changes with at least 30 days’ notice before changes take effect, although in some cases notice may be shorter, e.g., for security-related changes.

5.2 If IPA makes significant changes to the Service such that it can no longer be considered the same service (e.g., if fundamental or frequently used features are removed), the Customer may terminate the agreement with 30 days’ notice and will receive a proportionate refund of any prepaid fees for the period after termination.

6. Other Consulting Services

6.1 IPA provides consulting services beyond implementation, as separately agreed. Consulting services are provided in accordance with good practice without result liability, and the Customer is responsible for ensuring that the service is suitable for its purposes.

6.2 Such consulting services are considered delivered when IPA confirms completion or when the Customer begins using the results.

7. Prices and Payment

7.1 The Customer pays for access to the Service for a twelve-month period in advance from the implementation date, unless otherwise agreed.

7.2 Implementation services are invoiced by IPA or IPA’s partner upon delivery. Certification services may be invoiced upon the Customer’s order. Other consulting services are invoiced upon delivery or monthly in arrears.

7.3 IPA’s invoices are payable 14 days after issuance. Late payment incurs interest of 2% per month.

7.4 Any agreed reduced prices apply for 12 months from the agreement date, after which IPA’s standard price list applies.

7.5 IPA may adjust its price list once per year according to the net price index and additionally due to legislative changes or changes in third-party products required for delivery. IPA will provide at least 30 days’ notice of such changes.

8. Intellectual Property Rights

8.1 IPA owns and retains all proprietary and intellectual property rights, including copyrights, to the Service and related materials, such as manuals and guides. The Service and related materials may contain elements or components to which third parties hold intellectual property rights. In such cases, IPA has the necessary rights to make the Service and related materials available to the Customer.

8.2 The Customer, based on the agreement, cf. clause 1, and during its term, obtains a right of use for the Service and related materials as made available by IPA for the intended purposes. The Customer acquires no rights beyond the stated right of use to processes or similar elements included in the Service.

8.3 The Customer obtains an unlimited right of use for materials produced via the Service based on the Customer’s data and use of the Service. This includes the right to modify and reproduce such materials.

8.4 The Customer retains ownership and intellectual property rights to data entered into the Service. The Customer grants IPA a non-exclusive, royalty-free right to use such data for fulfilling the Agreement.

8.5 For consulting services, including their results, delivered by IPA to the Customer, IPA retains ownership and intellectual property rights, respecting the Customer’s rights and confidentiality. The Customer is granted a right of use during the Agreement to apply the consulting services and results internally within its company.

9. Confidentiality

9.1 Each Party must maintain the confidentiality of the other Party’s internal information, including trade secrets and agreements, and may not use or disclose such information for purposes other than intended in connection with the provision of information, without prior consent. IPA also maintains confidentiality of personal data entered into the Service by the Customer as described in the data processing agreement between the Parties.

9.2 Notwithstanding clause 9.1, IPA may disclose the Customer’s information, including internal information, to IPA’s subcontractors as necessary for delivering IPA’s services, provided such subcontractors are bound by similar confidentiality obligations. The Parties are also entitled to disclose information if required by court order or a valid authority request.

9.3 Confidentiality obligations do not apply to information that is publicly available, received from third parties without confidentiality obligations, obtained independently without using the other Party’s information, or developed independently.

9.4 The confidentiality provisions in this clause remain in effect for 5 years after termination of the Agreement, regardless of the reason for termination.

10. Data Processing

10.1 IPA processes personal data in the Service, including data entered by the Customer. Personal data processing is regulated in the data processing agreement between the Customer and IPA.

11. Breach

11.1 If the Customer wishes to claim deficiencies in IPA’s services, this must be done immediately, and for consulting or implementation services, no later than 30 days after delivery. IPA is always entitled to provide re-performance.

11.2 If a Party materially breaches the Agreement and the breach is not remedied within 30 days after notification by the non-breaching Party, the non-breaching Party is entitled to terminate the Agreement in writing.

12. Liability

12.1 The Parties are liable to each other under Danish law with the following limitations.

12.2 IPA’s total liability to the Customer shall never exceed the fees paid by the Customer to IPA for the Service within the 6 months preceding the claim. IPA is never liable for indirect losses, including but not limited to lost profits, lost revenue, expected savings, or loss of goodwill.

12.3 The limitation in clause 12.2 does not apply in cases of gross negligence or intent.

13. Force Majeure

13.1 Neither Party is responsible for fulfilling obligations under the Agreement if non-fulfillment is due to force majeure, defined as circumstances beyond the Party’s reasonable control, including subcontractor force majeure, which the Party could not have foreseen at the time of entering the Agreement. If a force majeure situation lasts longer than 30 days, the unaffected Party may terminate the Agreement without notice.

14. Termination of the Agreement

14.1 The Customer may at any time terminate the Agreement with 12 months’ notice at the end of a calendar month. Termination cannot occur before 12 months; thus, the minimum total period is 24 months. IPA may terminate the Agreement with at least 12 months’ notice at the end of a calendar month.

14.2 Prepaid fees are non-refundable upon Customer termination. If IPA terminates the Agreement, a proportionate refund of prepaid fees corresponding to the period after termination will be made.

15. Transfer of Data to the Customer

15.1 Upon Customer request, IPA will assist in transferring all Customer data in the Service to the Customer or a designated third party in a commonly used format, provided the Customer requests this no later than at the termination of the Agreement.

15.2 IPA may charge for time spent assisting with data transfer according to IPA’s current hourly rates and costs. IPA may also require any outstanding payments and a reasonable advance for assistance.

16. Marketing

16.1 IPA is entitled to use the Customer’s name and trademark as a reference in general physical and/or digital marketing materials.

16.2 If IPA wishes to refer potential customers to contact the Customer for reference calls or meetings, this must be agreed separately.

17. Subcontractors

17.1 IPA may use subcontractors to fulfill its obligations to the Customer. IPA is responsible for subcontractors’ services as if they were its own. Subcontractors must maintain confidentiality of the Customer’s information, cf.
clause 9.1. 18. Assignment 18.1 Neither Party may assign its rights or obligations under the Agreement to third parties without the other Party’s written consent. Such consent shall not be unreasonably withheld. IPA may, however, assign rights and obligations in connection with a complete or partial sale or corporate restructuring. 19. Amendments 19.1 The Agreement may only be amended by the Parties through written agreement, unless otherwise stated in the Agreement. 20. Dispute Resolution 20.1 In case of a dispute arising from the Agreement, the Parties must seek to resolve it amicably. If not resolved within a reasonable time, either Party may submit the dispute to the ordinary Danish courts with IPA’s jurisdiction as the venue. 20.2 The Agreement is governed by Danish law, excluding Danish conflict-of-law rules.

Data Security and Ethics

Data Security and Ethics in the Use of IPA Nordic Personality Analyses – information for test takers

IPA Nordic and the individuals who use our analyses commit to complying with a number of rules and guidelines regarding the processing of personal data and the ethics of using work-related personality analyses.

As a test taker, under the law on the processing of personal data, you have, among others, the following rights:

Your analysis result must be kept confidential and may only be disclosed with your consent.
Your analysis result may not be stored beyond a defined period.
You have the right at any time to request that your analysis results be anonymized.

IPA Nordic has, in cooperation with a number of other assessment providers and interest organizations, established a set of quality requirements regarding professional personal assessment in public and private companies. These quality requirements incorporate the Danish Psychological Association’s ethical guidelines for the use of personality analyses in business and concern both the quality of the assessment tool itself as well as fairness in connection with feedback and interpretation/use of your analysis results. For example, it is stipulated that:

You must have explicit knowledge of the content of what is reported and how it is reported from the assessment process.
You must be informed of the consequences of opting out of the assessment before deciding whether to take it.
The analysis result must be regarded as a set of hypotheses forming the basis for further dialogue, and decisions or advice must never be based solely on the analysis result.
The person providing feedback on the analysis must communicate with respect for you and any other involved parties.
Oral and written reporting of analysis results and the content of the feedback conversation must only include information relevant to the purpose for which you have been assessed.
There must be consistency between the choice of analysis and the purpose of the testing, and the person administering the test must have thorough knowledge of the test, including awareness of its strengths and weaknesses.
Documentation must exist for the validity of the analysis used, and your test results must be evaluated based on comparison with test results from a relevant group.

All individuals authorized to use IPA Nordic’s personality analysis are trained and examined in the use of the tests by IPA Nordic and have obtained their authorization on the condition that the above guidelines are followed.

With regard to requirements concerning the quality of the test tool, IPA Nordic continuously conducts validation and documentation of the tests’ validity and continuously provides an updated basis for comparison of individual test results. The quality of the test tool in these areas is of mutual interest to both you and the person testing you: high quality counteracts erroneous interpretations and randomness in the assessment of your test results.

You can become acquainted with the full wording of the law on the processing of personal data and the quality requirements for personal assessment to which IPA Nordic adheres by following the links below. If you continue reading on this page, IPA Nordic will elaborate on aspects relating to confidentiality and storage of your test responses and attempt to clarify some of the questions you as a test taker may have in connection with the terms of your testing.

The Danish Data Protection Agency (here you will find “the law on the processing of personal data”)
www.personvurdering.dk (ethical guidelines and quality requirements)

How long is information about me stored?

Your name and contact information are automatically deleted from the system’s database 6 months after your login. After this, the company testing you will have no possibility of retrieving you or your test results again in the system. If the company prints reports and stores them for later use, the person responsible for testing must inform you how long these papers are stored before they are destroyed. As test results have limited validity, there will rarely be justification for storing them for more than 6 months. Note also that you have the right at any time to have your test results deleted, regardless of whether they are in paper or electronic form. If you wish to have your test results deleted, you must contact the person who tested you.

Who has access to my test results?

The only person who automatically has access to your personal test results in the system is the person who tests you and who has emailed you a test link. The system allows this person to grant one or more other users access to your test results, for example if the testing process takes place in cooperation between several people, or if the person is unable to provide feedback and must pass the task on to a colleague. For printouts from the system, the same rules for storage and confidentiality apply as for electronic data. Access must be limited to trusted personnel, and your test results must be stored securely under lock.

The confidentiality of your test results – i.e. which persons/companies have access to your test results, which persons are informed about them, and to what extent – must in all cases be specified to you by the person responsible for your testing. Any subsequent disclosure of information about you to persons or companies not initially specified to you may only take place with your prior consent. The person(s) and company(ies) responsible for your testing and feedback are responsible for ensuring that legislation regarding confidentiality and storage is complied with in relation to authorized access and printouts of test results. Violations will have consequences for the test user’s right to use IPA Nordic’s personality tests and may be reported to the Danish Data Protection Agency.

How is electronic access to my test results secured?

It is IPA Nordic’s responsibility to implement security measures to ensure access to data with regard to electronic storage in our data system. IPA Nordic must ensure that only authorized persons can gain access to the system and that communication between your computer and the system’s server cannot be intercepted by third parties. The system is secured at all stages with passwords, ensuring full control over who has access to what and to what extent.

As an additional security measure, all communication between the system and your computer is encrypted. The encryption takes place using so-called SSL (Secure Socket Layer), symbolized by a small padlock in the lower right corner of the browser. SSL encryption ensures that the data transmitted between your computer and IPA Nordic’s server is meaningless to anyone who might intercept this communication along the way. It also ensures that messages you receive from our server do not originate from a third party. You can therefore be certain that you are in fact logged into IPA Nordic’s website and that your data does not end up elsewhere.

SSL encryption is available in different strengths. IPA Nordic uses an encryption strength (256-bit) that is currently considered practically unbreakable. If you use a very old browser version, it may only support a weaker encryption standard (128-bit), which nevertheless also meets the requirements of the Danish Data Protection Agency for the type of data processed in this system. However, if you have an older browser version, you should consider upgrading to a newer version, as a higher level of security will also benefit you in other contexts.

I must give consent for my responses to be included in IPA Nordic’s statistics. What will IPA Nordic use this for, and what information is included in the statistics?

When you complete a test, your responses are transferred to IPA Nordic’s statistical database. All responses you provide in connection with the test – except your name, username, password, and contact information – are stored in this database. This includes gender, age, level of education, job title (optional), job level, etc. These data are used to establish averages for different population groups and are necessary for our work to ensure the quality of the tests and their further development. It is not possible to identify you personally in this database, and it is only accessible to those individuals at IPA Nordic who work with ensuring the statistical quality of the tests. Since the data exist only in anonymized form in this database, it is not possible to specify deletion of responses for an identified individual, and unlike your personal test response, we cannot withdraw your test responses from our statistics once the test has been completed.

We hope that you have found answers to any questions you may have regarding the terms of testing or the protection of your test responses and feel confident using our system. If you have further questions regarding data security, confidentiality, or ethics, you are welcome to contact IPA Nordic directly. You can contact them via the email address steen @ ipanordic.dk

Contact

+45 60 25 99 99 (9-15 CET)

hello@ipanordic.com

Skanderborgvej 213

8260 Viby J

Denmark

CVR: 40700048

IPA Nordic HQ

Skanderborgvej 213

8260, Viby J

Denmark

Benelux

Daalwijkdreef 47

1103AD, Amsterdam

The Netherlands

Sweden

Tranebergsvägen 78

SE-167 44 Bromma

Sweden

Spain

Carrer del rec 30

08003, Barcelona

Spain

Middle East

Mahmoud Al-Karmi Street 10

Amman

Jordan
