Data Processing Agreement

Data Processing Agreement

This Firefish Data Processing Agreement (“DPA”), between the Customer (“the Controller”) and Firefish Software (“the Processor”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Firefish - Terms of Service (the “Agreement”).


This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement and will form a part of the Agreement. We periodically update these terms. If you have an active Firefish subscription, we will let you know when we do via an email or in-app notification. 


Last updated: November 2018




To request a copy of our Data Processing Agreement click here




1.  Definitions and Interpretation 


1.1       In this Agreement all words and phrases shall have the meanings provided in the foregoing Agreement and as follows:-


“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;


“Data Protection Law” shall mean the Data Protection Act 2018 and any other legislation amending and/or repealing the same, the General Data Protection Regulation 2016/679/EC (“GDPR”) and all relative European Union and Member State data protection legislation in force and as amended or replaced from time to time;


“National Law” shall mean the law of the Member State in which the Processor is established;


"Personal Data" shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number or to one or more factors specific to his physical, physiological, mental, economic cultural or social identity;


“Personal Data Breach” means:

1 - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; 

2 - any non-conformance with the security standards set out in


“Working Day” means any day other than Saturday, Sunday or a public holiday in the UK.


“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;


“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


"Processing" shall mean any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


"Sub-contract" and "Sub-contracting" shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and "Sub Contractor" shall mean the party to whom the obligations are subcontracted; 


“Sub-Processor” means a Processor engaged by the Supplier to carry out specific Processing activities on behalf of the Company.


“Third Party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;


"Technical and Organisational Security Measures" shall mean all reasonable measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored of otherwise processed, and against all other unlawful forms of Processing.



2.  Nature of Processing 


2.1       The Parties hereby acknowledge and agree that the following is an accurate description of the Processing of data to be carried out by the Parties:-


Subject matter and duration of Processing  - The Processor will process Personal Data on behalf of the Controller in the course of providing the Services to the Controller and for as long as the Controller is using the Services provided by the Processor.


Nature and purpose of Processing - The Processor will process Personal Data to provide hosted recruitment services (Software as a Service) to the Controller.


Types of Personal Data to be processed Name, address, email address, telephone number, occupation, employer, remuneration, employment history, CV’s. job seeking activity, marketing subscriptions, work preferences, professional certifications and ID documentation.


Categories of Data Subject to whom Personal Data relates - Candidates and prospective candidates of the Controller.


3.  Consideration 


3.1    The Processor shall comply with the security, confidentiality and other obligations imposed on it under this Agreement and ensure compliance with Data Protection Law and, in particular, process all Personal Data on behalf of the Controller only for the purposes of performing its obligations under this Agreement and in accordance with the written instructions given by the Controller from time to time, and shall not modify or amend Personal Data unless specifically authorised in writing by the Controller.


4.   Security Obligations of the Processor 


4.1     The Processor shall ensure that any system on which the Processor or any Approved Sub-contractor holds Personal Data, including backup data, is secure and ensures complete data integrity in accordance with the data security requirements and with good industry practice. 

The Processor, as a minimum requirement, shall give due consideration to the following types of security measures listed as a minimum below;


  • Encryption and pseudonymisation;
  • Penetration testing;
  • Information Security Management Systems;
  • Physical Security;
  • Access Control;
  • Security and Privacy Enhancing Technologies;
  • Awareness, training and security checks in relation to personnel;
  • Incident/Response Management/Business Continuity; and
  • Audit Controls/Due Diligence.


Further information can be seeing in our Data Security Policy.


5. Confidentiality 


5.1     The Processor shall maintain the Personal Data processed by the Processor on behalf of the Controller in confidence. In particular, the Processor shall, save with the prior written consent of the Controller, not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party.


5.2     The Processor shall not make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.


5.3     Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed on it by a regulator or court. The parties shall, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of Personal Data.


6. Processor Obligations


  • 6.1     The Processor shall:-
    • 6.1.1     only process or otherwise transfer Personal Data in or to any country outwith the European Union or international organisation with the Controller’s prior written consent;
    • 6.1.2     inform the Controller if, in its opinion, an instruction from the Controller infringes any obligation under Data Protection Laws
    • 6.1.3     maintain written records, including in electronic form, of all Processing activities carried out in performance of the Services or otherwise on behalf of the Controller containing the information set out in Article 30(2) of the GDPR.
    • 6.1.4     provide the Controller with details of the Processor’s Data Protection Officer or other designated individual with responsibility for data protection.
    • 6.1.5     unless prohibited by law, notify the Controller without undue delay if it considers, in its opinion (acting reasonably), that it is required by law to act other than in accordance with the instructions of the Controller
    • 6.1.6     ensure that only those authorised to process Personal Data on behalf of the Processor and approved Sub-Contractors that need to have access to Personal Data are granted access to such Personal Data;
    • 6.1.7     take all reasonable steps to ensure the reliability and integrity of anyone who is authorised by the Processor who shall have access to the Personal Data and shall ensure that any Processor personnel and approved Sub-Contractors who have access to such Personal Data shall comply with the provisions of Data Protection Law and this Agreement, and that appropriate statutory duties of confidentiality exist or appropriate contractually binding confidentiality undertakings have been entered into with those authorised by the Processor who have access to Personal Data and Sub-Contractors which are no less onerous than those set out in this Agreement;
    • 6.1.8     notify the Controller of any actual or suspected Personal Data Breach including any unauthorised or accidental disclosure, loss, alteration unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed made by the Processor or Approved Sub-Contractors, without undue delay on becoming aware of such;
    • 6.1.9     without undue delay provide to the Controller after any of the following events, all available information in its possession concerning:- unauthorised or accidental disclosure of, or access to Personal Data made by Processor personnel or Approved Sub-Contractors; or any actual, suspected Personal Data breach or breach of Data Protection Law and following such a notification support the Controller to implement any measures necessary to restore the security of compromised Personal Data;
    • 6.1.10     provide all reasonable assistance, including by such Technical and Organisational Measures as may be required by the Controller, to comply with its obligations concerning Personal Data including any subject access request and/or responding to any other data subject request made; reporting requirements for personal data breaches; data protection impact assessments or investigation or assessment of Processing initiated by the Information Commissioner in respect of Personal Data;
    • 6.1.11     notify the Controller if it or an approved Sub-contractor receives a data subject request or supervisory authority correspondence and forward same to the Controller. Any data subject request made to the Processor or approved Sub-contractor shall be dealt with by the Controller.

7. Sub Contracting 


  • 7.1     The Processor shall be permitted to appoint Sub-Contractors, and to disclose Personal Data to such Sub-Contractors for Processing in accordance with this Agreement provided always that:
    • 7.1.1     the Processor provides the Controller with full details of the proposed Sub-contractor (including the results of the due diligence undertaken in accordance with this Agreement) before its appointment;
    • 7.1.2     the Processor undertakes due diligence on the proposed Sub-contractor;
    • 7.1.3     the sub-contract is on terms which are substantially the same as, but no less onerous than, the terms of this Agreement;
    • 7.1.4     the Processor will without undue delay notify the Controller in the event that it becomes aware of any breach of Data Protection Law by any of the Approved Sub-Contractors in connection with this Agreement; and
    • 7.1.5     the Sub-contractor's right to Process Personal Data terminates automatically on expiry or termination of the Contract for whatever reason.
  • 7.2     The Processor shall not, and shall procure that any approved Sub-Contractor and Processor personnel shall not, disclose any Personal Data to any third party (including for the avoidance of doubt the Data Subject but excluding any approved Sub-Contractor), in any circumstances other than at the Controller’s specific written request, or where required to do so by law (provided that the Processor shall use reasonable endeavours to notify the Controller in advance of such disclosure or immediately thereafter, unless prohibited by law).
  • 7.3     The Processor shall procure that any approved Sub-Contractor takes such Technical and Organisational Security Measures as are required under its own National Law to protect Personal Data processed by the Processor on behalf of the Controller against unlawful forms of processing.
  • 7.4     The Processor shall inform the Controller in writing of any intended changes regarding any Sub-contractor.


8. Term and Termination 


8.1       This Agreement shall continue in full force and effect for so long as the Processor is Processing Personal Data on behalf of the Controller under the Terms of Services.


8.2       This Agreement shall terminate automatically on termination of provision of services by the Processor to the Controller.


8.3        On cancellation of this Agreement, the Processor shall promptly (and in any event within 5 working days of termination) cease Processing the Personal Data (whether provided by the Controller or which are derived from Personal Data provided by the Controller) and permanently and securely destroy the Personal Data so that it is no longer retrievable. The Processor shall provide such information as is necessary to enable the Controller to satisfy itself of the Processor’s compliance with this clause.




9 . Personal Data Breach


Firefish Software Ltd has an established process for reporting breaches of information security to regulatory bodies, the Data Controller and/or to customers affected by the breach.


9.1 Investigation & Communication - Immediately on identification of a breach, the issue is flagged to our Head of Current Version and internal Data Protection Officer.  The breach is investigated with urgent priority to establish what the issue is and who is affected.  If immediate action is possible – for example, a password change – this will be done straight away.


The relevant Client Success Champion will be advised of the issue, what is being done, and timeframes around this as soon as we become aware.  They will then contact the affected client/s within 24 hours to provide as much information as is possible around the data security breach.  Where feasible, this information will be provided on a telephone call involving the Client Success Champion, DPO, and the affected client/s.  This telephone call will be followed up with an email confirming the information that has been provided.


If it is not feasible to convey the information in a time-sensitive manner (e.g. due to the number of clients affected or availability of client contact) full information relating to the details of the breach, what is being done to resolve the issue and timeframes around this will be provided by email to the client system Superusers. 


If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will provide details of those individuals potentially affected and the risk, so that the client can inform them of the details of the breach. 

In cases where a breach affects all Firefish client sites, an announcement and relevant updates will be available on our Announcements page




If data has been lost, we can restore a backup of the database and files directly from our internal backups and aim to do so within a 2-hour period of notification of the event occurring.

The most recent Database Backup will be restored from internal backups to return the data to its state prior to the fault occurring (up to 30 minutes’ data loss) and any missing files will be restored from the secondary file backups (up to 7 days’ data loss). 


9.2 Notification - In instances of the occurrence of a data security breach where it is likely that there will be a risk to people’s rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 3 days of becoming aware of the essential facts of the breach.   The information we provide to the ICO will include a description of the nature of the personal data breach including, where possible:


•     the categories and approximate number of individuals concerned

•     the categories and approximate number of personal data records concerned

•     the name and contact details of our data protection officer or other contact point where more information can be obtained

•     a description of the likely consequences of the personal data breach

•     a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.


Whether a data security breach is reported to the ICO or not, it will be recorded internally.  We will document the facts relating to the breach, its effects and the remedial action taken.   

The outcome of the investigation will be reviewed at management level, and corrective steps implemented, where appropriate, to ensure as much as is possible that a recurrence is prevented.



Contact - Our data protection lead may be contacted in relation to any queries or concerns or you have regarding your Personal Data or if you wish to exercise any of your rights.  Please contact Richard Mullan at or by calling 0141 648 8520.


To request a copy of our Data Processing Agreement click here