Data Processing Agreement

This Firefish Data Processing Agreement (“DPA”), between the Customer (“the Controller”) and Firefish Software (“the Processor”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Firefish - Terms of Service (the “Agreement”).


This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement and will form a part of the Agreement. We periodically update these terms. If you have an active Firefish subscription, we will let you know when we do via an email or in-app notification. 


Last updated: August 2018


1.  Definitions and Interpretation 


1.1       In this Agreement all words and phrases shall have the meanings provided in the foregoing Agreement and as follows:-


“Data Protection Law” shall mean the Data Protection Act 2018 and any other legislation amending and/or repealing the same, the General Data Protection Regulation 2016/679/EC (“GDPR”) and all relative European Union and Member State data protection legislation in force and as amended or replaced from time to time;


“National Law” shall mean the law of the Member State in which the Processor is established;


"Personal Data" shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number or to one or more factors specific to his physical, physiological, mental, economic cultural or social identity;


“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;


"Processing" shall mean any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


"Sub-contract" and "Sub-contracting" shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and "Sub Contractor" shall mean the party to whom the obligations are subcontracted; and


"Technical and Organisational Security Measures" shall mean all reasonable measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored of otherwise processed, and against all other unlawful forms of Processing.



2.  Nature of Processing 


2.1       The Parties hereby acknowledge and agree that the following is an accurate description of the Processing of data to be carried out by the Parties:-


Subject matter and duration of Processing  - The Processor will process Personal Data on behalf of the Controller in the course of providing the Services to the Controller and for as long as the Controller is using the Services provided by the Processor.


Nature and purpose of Processing - The Processor will process Personal Data to provide hosted recruitment services (Software as a Service) to the Controller.


Types of Personal Data to be processed Name, address, email address, telephone number, occupation, employer, remuneration, employment history, CV’s. job seeking activity, marketing subscriptions, work preferences, professional certifications and ID documentation.


Categories of Data Subject to whom Personal Data relates - Candidates and prospective candidates of the Controller.


3.  Consideration 

3.1    The Processor shall comply with the security, confidentiality and other obligations imposed on it under this Agreement and ensure compliance with Data Protection Law and, in particular, process all Personal Data on behalf of the Controller only for the purposes of performing its obligations under this Agreement and in accordance with the written instructions given by the Controller from time to time, and shall not modify or amend Personal Data unless specifically authorised in writing by the Controller.


4.   Security Obligations of the Processor 


4.1     The Processor shall ensure that any system on which the Processor or any Approved Sub-Contractor holds Personal Data, including backup data, is secure and ensures complete data integrity in accordance with the data security requirements and with good industry practice. 

The Processor, as a minimum requirement, shall give due consideration to the following types of security measures listed below;


  • Encryption and pseudonymisation;
  • Penetration testing;
  • Information Security Management Systems;
  • Physical Security;
  • Access Control;
  • Security and Privacy Enhancing Technologies;
  • Awareness, training and security checks in relation to personnel;
  • Incident/Response Management/Business Continuity; and
  • Audit Controls/Due Diligence.


Further information can be seeing in our Data Security Policy.


5. Confidentiality 


5.1     The Processor shall maintain the Personal Data processed by the Processor on behalf of the Controller in confidence. In particular, the Processor shall, save with the prior written consent of the Controller, not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party.


5.2     The Processor shall not make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.


5.3     Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed on it by a regulator or court. The parties shall, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of Personal Data.


6. Processor Obligations

  • 6.1     The Processor shall:-
    • 6.1.1     only process or otherwise transfer Personal Data in or to any country outwith the European Union or international organisation with the Controller’s prior written consent;
    • 6.1.2     inform the Controller if, in its opinion, an instruction from the Controller infringes any obligation under Data Protection Laws
    • 6.1.3     maintain written records, including in electronic form, of all Processing activities carried out in performance of the Services or otherwise on behalf of the Controller containing the information set out in Article 30(2) of the GDPR.
    • 6.1.4     provide the Controller with details of the Processor’s Data Protection Officer or other designated individual with responsibility for data protection.
    • 6.1.5     unless prohibited by law, notify the Controller without undue delay if it considers, in its opinion (acting reasonably), that it is required by law to act other than in accordance with the instructions of the Controller
    • 6.1.6     ensure that only those authorised to process Personal Data on behalf of the Processor and approved Sub-Contractors that need to have access to Personal Data are granted access to such Personal Data;
    • 6.1.7     take all reasonable steps to ensure the reliability and integrity of anyone who is authorised by the Processor who shall have access to the Personal Data and shall ensure that any Processor personnel and approved Sub-Contractors who have access to such Personal Data shall comply with the provisions of Data Protection Law and this Agreement, and that appropriate statutory duties of confidentiality exist or appropriate contractually binding confidentiality undertakings have been entered into with those authorised by the Processor who have access to Personal Data and Sub-Contractors which are no less onerous than those set out in this Agreement;
    • 6.1.8     notify the Controller of any actual or suspected Personal Data Breach including any unauthorised or accidental disclosure, loss, alteration unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed made by the Processor or Approved Sub-Contractors, without undue delay on becoming aware of such;
    • 6.1.9     without undue delay provide to the Controller after any of the following events, all available information in its possession concerning:- unauthorised or accidental disclosure of, or access to Personal Data made by Processor personnel or Approved Sub-Contractors; or any actual, suspected Personal Data breach or breach of Data Protection Law and following such a notification support the Controller to implement any measures necessary to restore the security of compromised Personal Data;
    • 6.1.10     provide all reasonable assistance, including by such Technical and Organisational Measures as may be required by the Controller, to comply with its obligations concerning Personal Data including any subject access request and/or responding to any other data subject request made; reporting requirements for personal data breaches; data protection impact assessments or investigation or assessment of Processing initiated by the Information Commissioner in respect of Personal Data;
    • 6.1.11     notify the Controller if it or an approved Sub-contractor receives a data subject request or supervisory authority correspondence and forward same to the Controller. Any data subject request made to the Processor or approved Sub-contractor shall be dealt with by the Controller.

7. Sub Contracting 

  • 7.1     The Processor shall be permitted to appoint Sub-Contractors, and to disclose Personal Data to such Sub-Contractors for Processing in accordance with this Agreement provided always that:
    • 7.1.1     the Processor provides the Controller with full details of the proposed Sub-contractor (including the results of the due diligence undertaken in accordance with this Agreement) before its appointment;
    • 7.1.2     the Processor undertakes due diligence on the proposed Sub-contractor;
    • 7.1.3     the sub-contract is on terms which are substantially the same as, but no less onerous than, the terms of this Agreement;
    • 7.1.4     the Processor will without undue delay notify the Controller in the event that it becomes aware of any breach of Data Protection Law by any of the Approved Sub-Contractors in connection with this Agreement; and
    • 7.1.5     the Sub-contractor's right to Process Personal Data terminates automatically on expiry or termination of the Contract for whatever reason.
  • 7.2     The Processor shall not, and shall procure that any approved Sub-Contractor and Processor personnel shall not, disclose any Personal Data to any third party (including for the avoidance of doubt the Data Subject but excluding any approved Sub-Contractor), in any circumstances other than at the Controller’s specific written request, or where required to do so by law (provided that the Processor shall use reasonable endeavours to notify the Controller in advance of such disclosure or immediately thereafter, unless prohibited by law).
  • 7.3     The Processor shall procure that any approved Sub-Contractor takes such Technical and Organisational Security Measures as are required under its own National Law to protect Personal Data processed by the Processor on behalf of the Controller against unlawful forms of processing.
  • 7.4     The Processor shall inform the Controller in writing of any intended changes regarding any Sub-contractor.

8. Term and Termination 


8.1       This Agreement shall continue in full force and effect for so long as the Processor is Processing Personal Data on behalf of the Controller under the Terms of Services.


8.2       This Agreement shall terminate automatically on termination of provision of services by the Processor to the Controller.


8.3        On termination of this Agreement, the Processor shall promptly (and in any event within 5 working days of termination) cease Processing the Personal Data (whether provided by the Controller or which are derived from Personal Data provided by the Controller) and permanently and securely destroy the Personal Data so that it is no longer retrievable. The Processor shall provide such information as is necessary to enable the Controller to satisfy itself of the Processor’s compliance with this clause.