Data Processing Agreement (DPA)
September 26, 2024 (updated)
Annex to the TERMS OF SERVICE
The legal entity accepting the TERMS OF SERVICE under https://jboard.io/terms as customer, in its capacity as controller
(hereinafter referred to as “Customer”)
and
the JBoard entity identified in the TERMS OF SERVICE as Company
in its capacity as processor
(hereinafter referred to as “Company”)
jointly referred to as the “Parties”, individually as “Party”
enter into the following Data Processing Agreement (hereinafter referred to as “DPA”)
Preamble
This DPA specifies the data protection obligations of the Parties which result from the Processing of Personal Data necessary for the provision of the product “JBoard”, a web application tool that helps the Customer to create and manage their respective job board (hereinafter referred to as the “Services”), as set forth in the TERMS OF SERVICE.
1. Definitions
Unless and to the extent expressly defined otherwise in this DPA, all terms used shall correspond to the terms of the TERMS OF SERVICE and the GDPR and shall, if and where necessary, be construed in light of the GDPR.
- Controller shall mean the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Protection Legislation shall mean any laws applicable to the collaboration of the Parties concerned with the protection of Personal Data, in particular but not limited to GDPR, the Swiss Federal Act on Data Protection (FADP) and the UK General Data Protection Regulation (UK GDPR) (hereinafter referred to as “Data Protection Legislation”).
- Data Subject Rights shall mean any and all rights granted to Data Subjects under the Data Protection Legislation.
- Data Subject shall mean the identified or identifiable natural person to whom the Personal Data relates.
- GDPR shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Instruction shall mean Customer’s documented requirement for Company to Process Personal Data in a specific form (e.g., erasure, storage, pseudonymisation, return), which shall primarily be given through the JBoard API or the JBoard Dashboard or by email to support@jboard.io.
- Personal Data Breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Personal Data shall mean any information relating to an identified or identifiable natural person.
- Processing shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- Processor shall mean a natural or legal person which processes personal data on behalf of the Controller.
- Restricted Transfer shall mean any transfer from Member States of the European Union, the EEA, Switzerland or the United Kingdom to a country which the European Commission, the FDPIC or the UK Information Commissioner's Office (as applicable) consider to not ensure an adequate level of protection.
- Services shall mean Company’s services listed in Exhibit 1, Section 1, which are provided by Company within the scope of the controller-processor-relationship.
- Standard Contractual Clauses shall mean the standard contractual clauses as set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Subprocessor shall mean any third party engaged by Company as a processor who receives Personal Data from Customer intended for Processing activities to be carried out as part of direct provision of the Services on behalf of Customer. For the avoidance of doubt, this shall not include ancillary services, as in particular telecommunications services, postal/transport services, consulting services, user services, the disposal of data carriers or measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data systems.
- UK Addendum shall mean the International Data Transfer Addendum to the Standard Contractual Clauses, issued by the Information Commissioner's Office (ICO) and effective from 21 March 2022.
2. Scope of application
- In connection with provision of the Services, Company may have access to or gain knowledge of Personal Data originating from Customer's sphere of responsibility.
- Customer authorizes Company to Process Personal Data originating from Customer’s sphere of responsibility transmitted by Customer to Company for the following purposes:
  - Execution of the TERMS OF SERVICE during the entire course of the business relationship with Customer, including billing and management of Customer contact.
  - Company shall have the right, both during and after the term hereof, to (i) utilize such information and data to enhance and improve the Services, as well as for development, diagnostic, and corrective purposes related to the Services and other Company offerings, and (ii) disclose such data exclusively in aggregate or de-identified form in the context of its business operations. No rights or licenses are granted except as expressly provided herein.
- Any Processing for the purposes of Section 2.2 will be conducted by Company at its exclusive risk and responsibility, in Company’s capacity as an independent Controller. Apart from Section 1 and Section 2.2, no further terms of this DPA shall apply to the Processing of Personal Data conducted by Company for the aforementioned purposes.
- Company shall conduct the Processing set forth in detail in Exhibit 1 to this DPA on behalf of Customer in its capacity as a Processor. To this Processing, this DPA shall apply in its entirety.
- This DPA shall come into effect with the acceptance of the TERMS OF SERVICE by the Parties and shall be effective for the duration of the Subscription Period and beyond until Company has fully returned or erased the Personal Data processed on behalf of Customer.
- Termination of the Subscription or expiration of the respective subscription term shall also constitute termination of this DPA. A separate termination of this DPA shall not be possible. The right of termination for cause remains unaffected.
- In the event of any conflict between the provisions of this DPA and the provisions of the TERMS OF SERVICE, the provisions of this DPA including its Exhibits shall prevail.
3. General obligations
- Where a Party Processes Personal Data as a Controller, such Party shall comply with the obligations assigned to this Party under this DPA and/or the Data Protection Legislation.
- Where Company Processes Personal Data as a Processor, Company shall comply with the obligations that are directly assigned to Company by means of this DPA in its capacity as a Processor or that the Data Protection Legislation specifically imposes on Processors.
- Where Company Processes Personal Data as a Processor on behalf of Customer, Customer is the exclusive owner of such Personal Data and may at any time during the term of this DPA and after its termination request the rectification, erasure, restriction of Processing and return of such Personal Data.
- Customer is aware and acknowledges that certain Instructions issued by Customer may have an adverse effect on the validity of evaluations, analyses, data sets and projections carried out with, connected to or on basis of the Personal Data concerned by such Instruction and that evaluations, analyses, data sets and projections may be changed or falsified as a result of such Instruction.
- If Customer issues an Instruction to erase, block, otherwise disregard, modify, amend, correct, or otherwise Process certain Personal Data in a manner similar to any such Instruction in nature or effect, Customer shall bear the exclusive risk of any and all alteration or falsification of the evaluations, analyses, data sets and projections resulting from such Instruction.
4. Technical and organisational measures
- Company shall implement appropriate technical and organisational measures taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects to ensure a level of security appropriate to the risk.
- The level of the technical and organisational measures implemented by Company at the time of formation of the DPA is attached to this DPA as Exhibit 3 (technical and organisational measures).
- The Parties agree that changes to Exhibit 3 (technical and organisational measures) may become necessary in order to continue to meet changing technical and legal requirements.
5. Data Subject Rights
- Company processes Personal Data exclusively in accordance with Customer’s Instructions as set forth in this DPA or issued at a later date by Customer unless Company is obliged to perform further Processing activities by applicable law. In such case, Company shall inform Customer of these legal requirements prior to Processing, unless the law in question prohibits such notification for reasons of public interest.
- Customer is responsible for fulfilling the Data Subject Rights. If a Data Subject contacts Company directly to exercise its Data Subject Rights, Company shall refer the Data Subject to Customer without delay. Beyond acknowledging receipt of the request of the Data Subject, Company shall not communicate with the Data Subject and will refer solely to Customer for this purpose.
- Given the nature of the Processing, Company shall, where possible, support Customer with appropriate technical and organisational measures to comply with its obligation to respond to requests to exercise Data Subject Rights.
- If and where Customer requests support by Company or Company is required to support Customer to fulfil a Data Subject Right, Company shall provide such support as instructed by Customer and Customer shall bear the costs incurred by Company for providing such support to Customer, unless Company's support of Customer is necessary due to a breach of provisions of the Data Protection Legislation specifically addressed to Processors or this DPA by Company.
- Within 60 days after the end of provision of the Services or upon request by Customer, Company must either return all Personal Data relating to the Processing activities under this DPA or erase such Personal Data in compliance with the Data Protection Legislation, in accordance with the decisions of Customer. The same applies to test and scrap material. The erasure report must be presented upon Customer’s request.
- The obligation to return or erase Personal Data does not include Personal Data necessary to comply with legal retention periods of the applicable law. The Processing of Personal Data subject to such legal retention periods must be restricted by Company in such a way that Processing is not conducted beyond compliance with the corresponding legal retention periods and the legal obligations connected with these legal retention periods. After expiry of the relevant legal retention periods, this Personal Data must also be erased.
6. Obligations of Processor
- Company shall notify Customer without delay if it believes that any Instruction issued by Customer is illegal. This does not imply any obligation on the part of Company to conduct a legal examination of Customer’s Instructions. If Company deems an Instruction by Customer to be in violation of the Data Protection Legislation, Company has the right to suspend implementation of the respective Instruction until the Instruction has been confirmed or modified in writing by Customer.
- If Company determines or if specific facts justify the assumption that Personal Data processed by Company on behalf of Customer is subject to a Personal Data Breach, Company shall notify Customer without undue delay of the Personal Data Breach.
- The notification sent to Customer must at least comprise the following information:
  - The nature of the Personal Data Breach
  - The categories and approximate number of Data Subjects concerned
  - The categories and approximate number of Personal Data records concerned
  - The name and contact details of the data protection officer or other contact point where more information can be obtained
  - The likely consequences of the Personal Data Breach
  - The measures taken or proposed to be taken to address the Personal Data Breach
- Where, and insofar as, it is not possible to provide all of the aforesaid information at the same time, the initial notification shall include the information then available and further information shall, as it becomes available, subsequently be provided to Customer.
- Company shall provide to Customer upon request the information required for the Records of Activities pursuant to Art. 30 (2) GDPR.
- Company shall ensure that persons authorised to process Customer’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation to maintain confidentiality extends beyond the end of the Processing activities conducted on behalf of Customer.
- Company shall immediately notify Customer with regard to any inspection activities and measures enacted by a competent supervisory authority to the extent that they are relevant to the Processing of Personal Data on behalf of Customer and insofar as there is no legal prohibition of a corresponding notification.
- If Customer is subject to an inspection of its Processing of Personal Data by a supervisory authority, regulatory or criminal proceedings, a liability claim by a Data Subject or a third party or any other claim in connection with the Processing conducted by Company on behalf of Customer, Company shall support Customer to the best of its abilities.
- Notwithstanding any of the foregoing and provided Company Processes Personal Data in its capacity as Processor on behalf of Customer, Company shall assist Customer in ensuring compliance with Customer’s below obligations, taking into account the nature of Processing and the information available to Company:
  - To ensure implementation of technical and organisational measures adequate to the risk of Processing
  - Notification of Personal Data Breaches to the competent supervisory authorities
  - Communication of Personal Data Breaches to the Data Subjects concerned by such Personal Data Breach
  - Data protection impact assessments including, where relevant, prior consultations with the competent supervisory authorities
- Customer shall bear the costs incurred by Company for providing any support activities to Customer under this DPA, unless Company’s support of Customer is necessary due to a breach of provisions of the Data Protection Legislation specifically addressed to Processors or this DPA by Company.
7. Obligations of Customer
- Customer has the right to issue additional Instructions to Company with regard to the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of data subjects. Instructions can be issued
  - a. via the JBoard Dashboard
  - b. via the JBoard API
  - c. via email to support@jboard.io.
- Customer shall notify Company if it detects errors or irregularities concerning the Data Protection Legislation during the inspection of order results.
- Customer stipulates the measures regarding the return and/or erasure of Personal Data after termination of this DPA, either contractually or via Instructions.
- Customer shall comply with any and all notification and communication obligations towards the supervisory authorities and/or the Data Subjects in case of a Personal Data Breach.
8. Auditing
- Company shall allow for and contribute to monitoring activities, including inspections, conducted by Customer or an auditor mandated by Customer, solely to verify Company's compliance with its obligations under this DPA and the Data Protection Legislation, subject to the following conditions:
  - a) Customer must provide at least thirty (30) days prior written notice of any intended audit or inspection.
  - b) monitoring activities including inspections shall not occur more than once per calendar year, unless:
    - specifically required by a binding decision of a competent supervisory authority or required by applicable law.
    - in the event of a Personal Data Breach attributable to Company.
- The scope, duration, and methodology of the monitoring activities shall be mutually agreed upon by both Parties in advance and shall be limited to what is necessary to assess Company's compliance with its obligations under this DPA and the Data Protection Legislation.
- Customer will ensure that any inspections are conducted during regular business hours and in a manner that does not unreasonably interfere with Company’s operations. Customer may conduct the inspections itself or commission an independent auditor. Any third-party auditor must execute a confidentiality agreement acceptable to Company, ensuring that the auditor will maintain the confidentiality of all information accessed during the audit.
- Before deciding on an inspection, Customer shall first review any relevant and current certifications and reports on Company’s compliance with its obligations under this DPA and the Data Protection Legislation provided by Company. Customer agrees that such reports may be sufficient to meet its oversight requirements under this DPA and the Data Protection Legislation.
- Company shall not be required to disclose:
  - any proprietary or confidential information not directly related to the Processing activities under this DPA.
  - information relating to other customers or third parties.
  - internal assessments, internal audit reports, or other internal compliance documents not relevant to Customer's Personal Data.
- Notwithstanding any provision of this Section, Company shall not be obligated to provide access to any information or facilities to the extent that such access would:
  - cause Company to breach any legal or regulatory obligation, including applicable Data Protection Legislation.
  - jeopardize the security or integrity of Company's premises, systems, or data.
  - violate the rights or cause the disclosure of confidential information of Company's other customers or any third party.
- If any request for information or audit under this Section is, in Company's reasonable opinion, likely to result in a violation of applicable law or an unreasonable risk to Company's business, Company shall suggest alternative measures to provide the required assurance of compliance.
- Customer shall bear any and all costs of any monitoring activities and/or inspections, including the costs incurred by Company, unless the monitoring activities and/or inspections became necessary due to a breach by Company of provisions of the Data Protection Legislation specifically addressed to Processors or of this DPA, or the monitoring activities and/or inspections identify substantial violations by Company of the provisions of the Data Protection Legislation specifically addressed to Processors or of the terms of this DPA, which were subsequently upheld by a court or the competent supervisory authority of Customer.
9. Subprocessors
- Company receives the general authorization of Customer for the appointment of Subprocessors in accordance with the provisions of this DPA.
- Company makes available to Customer the current list of Subprocessors engaged to process Personal Data in Exhibit 4.
- Customer agrees that Company may engage new Subprocessors, provided that the Company notifies the Customer via email to the email address of Customer’s administrator of the Service as stored in the system or, if no such address has been provided, to the email address of the registered user. The Company will inform the Customer 30 (thirty) days prior to the intended commissioning of Subprocessors.
- Customer may object to the change or involvement of the Subprocessors for factual reasons under the Data Protection Legislation for 10 (ten) days after receipt of the notification. The objections including the factual reason for the objection shall be sent to support@jboard.io.
- In the event of a timely and justified objection by Customer, the Parties shall endeavour to resolve Customer’s concerns regarding the Subprocessor in question.
- If Customer’s objections cannot be resolved, Company shall make commercially reasonable efforts, at Company’s sole discretion, either to not deploy the Subprocessor affected by the objection or to terminate the Services affected by the objection with fourteen days’ notice in writing.
- Where Company engages a Subprocessor, Company shall impose on that Subprocessor substantially the same data protection obligations as those set forth in this DPA.
- Where a Subprocessor fails to fulfil its data protection obligations, Company shall remain fully liable to Customer for the performance of that Subprocessor’s obligations.
10. Restricted Transfer
- Any Restricted Transfer shall be made on the basis of documented Instructions from Customer or to comply with a specific provision under applicable law.
- By means of this DPA, Customer issues the Instruction to Company to transfer the Personal Data set forth in Exhibit 1 to Company’s registered business seat and to its Subprocessors (including those notified to Customer in accordance with Section 9) where Company and/or such Subprocessors are located in third countries, including an onward transfer to their respective subprocessors.
- Any Restricted Transfer shall comply with the Data Protection Legislation applicable to such transfer and shall be undertaken in accordance with the applicable transfer mechanism for Restricted Transfers outlined in Exhibit 2.
11. Liability
- In relation to the Data Subjects and/or the supervisory authority, the Parties shall be liable in accordance with the statutory provisions of the Data Protection Legislation.
- In the internal relationship between the Parties, the Parties shall be obliged to compensate each other for any damage exceeding their respective share of fault in the occurrence of the damage; this shall be subject to the proviso that the provisions regarding the limitation of liability of the Parties made in the TERMS OF SERVICE underlying this DPA shall also apply mutatis mutandis to the above compensation claims. The aforesaid shall also apply to legally enforceable fines imposed by the supervisory authorities.
12. Duties of disclosure, written form requirement, choice of law
- Company must notify Customer without delay if the safety of the Personal Data processed on behalf of Customer is threatened by a levy of execution, confiscation or insolvency or settlement proceedings or other events or measures enacted by third parties. Company will notify all responsible parties in this respect without undue delay that Customer is the exclusive owner of the Personal Data processed by Company on Customer’s behalf.
- Any modifications and amendments of this DPA shall be made in writing and such modification or amendments shall expressly state that these are modifications and/or amendment of this DPA. This also applies to the modification, amendment, or waiver of this requirement of the written form.
- If any provision in this DPA is invalid, the remaining provisions shall remain unaffected thereby. The Parties shall undertake in good faith to replace the invalid provision or any unintended missing provision in the DPA with a provision coming as close as possible to the mutually intended purpose of both Parties.
Exhibit 1: Order and Processing details
1. Subject of the Order
The order placed by Customer with Company comprises the following works and/or services: provision of the product “JBoard”, a web application tool, that helps the Customer to create and manage their respective job board.
2. List of Parties
Data exporter(s):
Name: Customer
Address: Registered business seat of Customer
Contact person’s name, position and contact details: The registered user of Customer accepting the TERMS OF SERVICE
Activities relevant to the data transferred under these Clauses: As set forth in Exhibit 1 to the DPA (“3. Description of Transfer”).
Signature and date: Shall have the same effective date as the acceptance of the TERMS OF SERVICE
Role (controller/processor): Controller
Data importer(s):
Name: Company
Address: JBoard Inc, 651 N Broad St., Suite 201, Middletown, Delaware, 19709 USA
Contact person’s name, position and contact details: Marty Aghajanyan, CEO, support@jboard.io
Activities relevant to the data transferred under these Clauses: As set forth in Exhibit 1 to the DPA (“3. Description of Transfer”).
Signature and date: Shall have the same effective date as the acceptance of the TERMS OF SERVICE
Role (controller/processor): Controller or Processor
3. Description of Transfer
Categories of data subjects whose personal data is transferred:
- Customer’s employees and former employees
- Customer’s customers and employees of Customer’s end customers
- Job applicants of Customer and Customer’s end customers
Categories of personal data transferred:
- User Data, in particular: Username, surname, last name, email addresses, user activity, log files, IP addresses
- Contact Data, in particular: Surname, last name, email address, postal address, telephone number
- Key contract data, in particular: Licensing information, billing, invoicing and payment data;
- Communication data: Email and other types of messages between the Customer and their end users
- Application data, in particular: Job applications, resumes, work history, education history
- Further data as uploaded to the system by Customer and end user
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis.
Nature of the processing and Purpose(s) of the data transfer and further processing:
The purpose of the Processing is the provision of the Services in accordance with the TERMS OF SERVICE.
The Services involve the following types of Processing of Personal Data:
- Storing (e.g. by saving and archiving backups if applicable)
- Modifying (e.g. via changes to the data records made by the users in the course of troubleshooting)
- Use (e.g. creation of reports for the authorized users)
- Transmitting (e.g. in the course of VPN access)
- Restricting (e.g. by deactivating individual data records in the course of troubleshooting)
- Erasure (e.g. by erasing individual data records in the course of troubleshooting)
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: See § 5 to the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See § 9 to the DPA
4. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13: As set forth in Exhibit 2, Section 2.1
Exhibit 2: Restricted Transfer
2.1 Restricted Transfers from the EEA
Where Personal Data is transferred out of the EEA as part of a Restricted Transfer, the following provisions of the Standard Contractual Clauses shall apply.
The Standard Contractual Clauses are hereby entered into and incorporated by reference as between Controller and Processor. The following Modules and optional clauses apply:

| Module | Clause 7 | Clause 9a | Clause 13 | Clause 17 | Clause 18 |
| --- | --- | --- | --- | --- | --- |
| Module 1 (applies when Company acts as Controller pursuant to § 2.2 of this DPA) | Not included | - | Supervisory authority is to be determined in accordance with Clause 13 | Germany | Germany |
| Module 2 (applies when Company acts as Processor pursuant to § 2.4 and Exhibit 1 of this DPA) | Not included | General Authorization; 30 days | Supervisory authority is to be determined in accordance with Clause 13 | Germany | Germany |
2.2 Restricted Transfers from the UK
Where Personal Data is transferred out of the UK as part of a Restricted Transfer, the following provisions of the UK Addendum and International Data Transfer Addendum to the Standard Contractual Clauses shall apply.
Table 1: Parties

| Start Date | This UK Addendum shall have the same effective date as the DPA. | |
| --- | --- | --- |
| The Parties | Exporter | Importer |
| Parties’ Details | Customer | Company |
| Key Contact | As set forth in the TERMS OF SERVICE | As set forth in the TERMS OF SERVICE |
Table 2: Selected SCCs, Modules and Selected Clauses
EU SCCs: See 2.1 to this Exhibit (“Restricted Transfers from the EEA”)
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

| Annex | Set out in |
| --- | --- |
| Annex 1A: List of Parties | See 2.1 to this Exhibit (“Restricted Transfers from the EEA”) |
| Annex 2B: Description of Transfer | Exhibit 2 to the DPA |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data | Exhibit 3 to the DPA |
| Annex III: List of Sub processors (Modules 2 and 3 only) | See § 9 to the DPA |
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

| Ending this UK Addendum when the Approved UK Addendum changes | Importer | Exporter | Neither Party |
| --- | --- | --- | --- |
| | | | ☒ |
Entering into this UK Addendum:
- Each party agrees to be bound by the TERMS OF SERVICE set out in this UK Addendum, in exchange for the other party also agreeing to be bound by this UK Addendum.
- Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making ex-UK Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this UK Addendum
- Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

| Term | Meaning |
| --- | --- |
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved UK Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
- The UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in the UK Addendum amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in the UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and the UK Addendum, UK Data Protection Laws applies.
- If the meaning of the UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after the UK Addendum has been entered into.
Hierarchy:
- Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for ex-UK Transfers, the hierarchy in Section 10 below will prevail.
- Where there is any inconsistency or conflict between the Approved UK Addendum and the EU SCCs (as applicable), the Approved UK Addendum overrides the EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum.
- Where this UK Addendum incorporates EU SCCs which have been entered into to protect ex-EU Transfers subject to the GDPR, then the parties acknowledge that nothing in the UK Addendum impacts those EU SCCs.
Incorporation and Changes to the EU SCCs:
- This UK Addendum incorporates the EU SCCs which are amended to the extent necessary so that:
- a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- b) Sections 9 to 11 above override Clause 5 (Hierarchy) of the EU SCCs; and
- c) the UK Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales.
- Unless the parties have agreed alternative amendments which meet the requirements of Section 12 of this UK Addendum, the provisions of Section 15 of this UK Addendum will apply.
- No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 of this UK Addendum may be made.
- The following amendments to the EU SCCs (for the purpose of Section 12 of this UK Addendum) are made:
- a) References to the “Clauses” means this UK Addendum, incorporating the EU SCCs;
- b) In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”,
- c) Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- d) Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- e) Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- g) References to Regulation (EU) 2018/1725 are removed;
- h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
- j) Clause 13(a) and Part C of Annex I are not used;
- k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- l) In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- m) Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales;”
- n) Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales.” A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.”; and
- o) The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to the UK Addendum
- The parties may agree to change Clauses 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
- From time to time, the ICO may issue a revised Approved UK Addendum which:
- a) makes reasonable and proportionate changes to the Approved UK Addendum, including correcting errors in the Approved UK Addendum; and/or
- b) reflects changes to UK Data Protection Laws;
The revised Approved UK Addendum will specify the start date from which the changes to the Approved UK Addendum are effective and whether the parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified.
- If the ICO issues a revised Approved UK Addendum under Section 18 of this UK Addendum, if a party will as a direct result of the changes in the Approved UK Addendum have a substantial, disproportionate and demonstrable increase in:
- c) its direct costs of performing its obligations under the UK Addendum; and/or
- d) its risk under the UK Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.
- The parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.
2.3 Restricted Transfers from Switzerland
In its communication of August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) recognized the new SCCs issued by the European Commission in accordance with Regulation (EU) 2016/679 as a legal basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.
Therefore, this Schedule 2 to the Data Processing Addendum incorporates by reference the Standard Contractual Clauses in Schedule 1 and its Annexes I through III, except that:
- All references to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) must be understood and interpreted as references to the Swiss Data Protection Act in the context of data transfers abroad that are subject to the Data Protection Act;
- Any reference to a supervisory authority shall refer to the Swiss Federal Data Protection and Information Commissioner; and
- With regards to Clauses 17 and 18, these clauses shall be governed by the law of Switzerland and the Participating Entities agree to the jurisdictions of the courts of Switzerland with regard to any disputes that arise from these Clauses.
2.4 California Consumer Privacy Act (CCPA)
Where the Personal Data is subject to requirements regarding Processing under the CCPA the following provisions shall apply:
- For the purpose of the CCPA, Customer is the Business and Company is the Service Company.
- Company shall Process Personal Data on behalf of the Customer as a Service Company under the CCPA and shall not: (i) Sell or Share the Personal Data; (ii) retain, use or disclose the Personal Data for any purpose other than for a Business Purpose specified in the DPA; or (iii) combine the Personal Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
- If, and to the extent applicable, Company shall assist Customer in respect of a Consumer request to limit the use of its Sensitive Personal Information by Company.
- Company certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Personal Data from the Customer.
Exhibit 3: technical and organisational data protection measures implemented by Company
The Company’s technical and organizational measures for data security are described in detail and accessible via the following link: https://jboard.io/security
Exhibit 4: Subprocessors
For information about the subprocessors used by the Company, please refer to the following link: https://jboard.io/docs/subprocessors