Data Processing Policy

Introduction

When TechWolf BVBA (hereinafter ‘TechWolf’) performs Services for the customer (hereinafter the ‘Customer’), it shall (i) have access to Personal Data (as defined hereinafter); (ii) will have to Process Personal Data for which the Customer is responsible as a Controller in accordance with the Privacy Legislation (as defined hereinafter).

This data processing policy (hereinafter ‘Data Processing Policy’) applies to the Processing of Personal Data by TechWolf for the Customer and determines (i) how TechWolf will manage, secure and process the Personal Data, and (ii) Parties’ obligation to comply with the Privacy Legislation.

Relying on the Services of TechWolf entails the approval of the Customer with this Data Processing Policy and consequently of how TechWolf processes the personal data of the Customer.

Definitions

In this Data Processing Policy, the following concepts have the meaning described in this article (when written with a capital letter):

Assignment:

All activities, such as but not limited to the Services, performed by TechWolf for the Customer, and any other form of cooperation whereby TechWolf Processes Personal Data for the Customer, regardless of the legal nature of the agreement under which this Processing takes place;

Controller:

The entity, which determines the purposes and means of the Processing of Personal Data, being in this case the Customer;

Data Subject:

The natural person to whom the Personal Data relates and of whom the Customer wishes to have Personal Data processed by TechWolf;

Data Breach:

Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are Processed by TechWolf on behalf of the Customer;

Privacy Legislation:

(i) the Belgian Privacy Law of 30 July 2018 concerning the protection of individuals with regards to the processing of personal data, (ii) the General Data Protection Regulation 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and/or (iii) the (future) Belgian legislation regarding the implementation of the General Data Protection Regulation;

Process / Processing:

Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;

Processor:

The entity which Processes Personal Data on behalf of the Controller, being in this case TechWolf;

Services:

All services, provided by TechWolf to the Customer within the framework of the Assignment, implying the Processing of Personal Data by TechWolf;

Sub-processor:

Any processor engaged by TechWolf.

The Data Processing Policy includes the following annexes:

Annex I:

Overview of (i) the Personal Data, which Parties expect to be subject of the Processing, (ii) the new Personal Data created during the Processing, (iii) the categories of Data Subjects, which Parties expect to be subject of the Processing, (iv) the use (i.e. the way(s) of Processing) of the Personal Data, the purpose and means of such Processing and (v) the term(s) during which the (different types of) Personal Data shall be stored;

Annex II:

Overview and description of the security measures taken by TechWolf under this Data Processing Policy.

1. ROLES OF THE PARTIES

Parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer shall be considered ‘Controller’ and TechWolf ‘Processor’ in accordance with the Privacy Legislation.

2. USE OF THE SERVICES

2.1 - The Customer acknowledges explicitly that:

  • TechWolf purely acts as a facilitator of the Services. Hence, the Customer shall be solely responsible on how and to what extent it makes use of the Services;
  • The Customer is solely liable for (and indemnifies TechWolf for) all acts and ommissions of the people mandated by the Customer to make use of the Services. The Customer shall inform said people of the applicable Privacy Legislation, this Data Processing Policy and/or all other relevant legislation and impose compliant use;
  • TechWolf bears no responsibility with regard to adjustments and/or changes made to the Personal Data on the explicit request of the Customer;
  • The Customer is solely liable and responsible for the material and/or data provided by the Customer, as the Customer is solely liable for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned material and/or data;
  • The Customer is solely liable and responsible for the data and/or Personal data created by the Services of TechWolf, as the Customer is the Controller of the created data and/or Personal Data and consequently solely liable for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned data and/or Personal Data;
  • The Customer shall be solely responsible to comply with all laws and regulations (such as but not limited with regard to the retention period) imposed on it by making use of the Services.

2.2 - In case of misuse by the Customer of the Services and/or the Personal Data that was created by the Services, the Customer agrees that TechWolf can never be held liable in this respect nor for any damage that would occur from such misuse.

2.3 - The Customer therefore undertakes to safeguard TechWolf when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.

3. OBJECT

3.1 - The Customer acknowledges that as a consequence of making use of the Services of TechWolf, the latter shall Process Personal Data as collected by the Customer.

3.2 - TechWolf shall Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.

3.3 - Nonetheless, TechWolf shall only Process the Personal Data upon request of the Customer and in accordance with its instructions, as described in Annex I, unless any legal obligation states otherwise.

3.4 - The Customer owns and retains full control concerning (i) the Processing of Personal Data, (ii) the types of Personal Data Processed, (iii), the purpose of Processing, and (iv) the fact whether such Processing is proportionate (non-limitative).

Moreover, the Customer shall be solely responsible to comply with all (legal) obligations in its capacity as Controller (such as but not limited to the retention period) and shall have the sole responsibility for the accuracy, quality, and legality of the Personal Data, disclosed to TechWolf in the performance of the Assignment, and the means by which it acquired such Personal Data. The responsibility and control concerning the Personal Data, subject to this Data Processing Policy, shall thus never be vested with TechWolf.

4. SECURITY OF PROCESSING

Taking into account the state of the art, TechWolf implements appropriate technical and organizational measures for the protection of (i) Personal Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in Annex II.

5. SUB-PROCESSORS

5.1 - The Customer acknowledges and agrees that TechWolf may engage third-party Sub-processors in connection with the Assignment. In such case, TechWolf shall ensure that the Sub-processors are at least bound by the same obligations by which TechWolf is bound under this Data Processing Policy.

5.2 - TechWolf relies on the following Sub-Processors:

  • Google (for OCR and image recognition capabilities)

It is the Customer’s responsibility to frequently check the list of Sub-Processors and inform TechWolf of any objections. If the Customer wishes to exercise its right to object, it shall notify TechWolf in writing and in a reasoned manner by the latest within thirty (30) days after the list was updated.

5.3 - In the event the Customer objects to a new Sub-processor and such objection is not found unreasonable, TechWolf will use reasonable efforts to (i) make available to the Customer a change in the Services or (ii) recommend a commercially reasonable change to the Customer’s use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.

If TechWolf is, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the Assignment / the Services, under the following conditions:

  • The Services cannot be used by the Customer without appealing to the objected new Sub-processor; and/or
  • Such termination solely concerns the Services which cannot be provided by TechWolf without appealing to the objected new Sub-processor;

And this by providing written notice thereof to TechWolf within a reasonable time.

5.4 - TechWolf shall be liable for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Data Processing Policy.

6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

6.1 - Any transfer of personal data to a third country or international organization (which is not based on a request or instruction of the Customer) shall be subject to an adequacy decision by the Commission or the following safeguards:

Closing a data transfer agreement with such recipient, which shall contain the standard contractual clauses, as referred to in the 'European Commission decision of 5 February 2010 (Decision 2010/87/EC)', or;

Binding corporate rules, or;

Certification mechanisms (such as but not limited to the EU-US Privacy Shield).

6.2 - A copy of the used safeguards can at all times be requested via privacy@techwolf.ai

7. CONFIDENTIALITY

7.1 - TechWolf shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior written agreement of the Customer, unless when:

Explicit written deviation;

Such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case TechWolf shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.

7.2 - TechWolf ensures that its personnel, engaged in the performance of the Assignment, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. TechWolf ensures that such confidentiality obligations survive the termination of the employment contract.

7.3 - TechWolf ensures that its access to Personal Data is limited to such personnel performing the Assignment in accordance with the Data Processing Policy.

8. NOTIFICATION

8.1 - TechWolf shall use its best efforts to inform the Customer within a reasonable term when it:

  • Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
  • Has the intention to disclose Personal Data to a competent public authority;
  • Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Data.

8.2 - In case of a Data Breach, TechWolf:

  • Notifies the Customer without undue delay after becoming aware of a Data Breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
  • Undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach.

9. RIGHTS OF DATA SUBJECTS

9.1 - If a Data Subject requests to exercise his/her rights and the Customer itself – in its use of the Services – does not have the ability to correct, amend, block or delete the Personal Data (as required by Privacy Legislation), TechWolf shall – to the extent it is legally permitted to do so – comply with any commercially reasonable request by the Customer to facilitate such actions.

9.2 - TechWolf shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. TechWolf shall, however, not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to the Customer to which the Customer hereby agrees.

TechWolf shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use of the Services.

To the extent legally permitted, the Customer shall be responsible for any costs arising from TechWolf’ provision of such assistance.

10. RETURN AND DELETION OF PERSONAL DATA

10.1 - Upon termination of the Assignment, the Customer shall be notified by TechWolf of its possibility to export the Personal Data through the available export tools and during a certain term (as mentioned in such notification).

10.2 - Once the aforementioned term regarding export has passed, TechWolf shall anonymize the Personal Data. TechWolf will use the anonymized data for analytical purposes and to further train the TechWolf application and/or models.

11. CONTROL

11.1 - TechWolf undertakes to provide the Customer with all information, required by the Customer to allow verification whether TechWolf complies with the provisions of this Data Processing Policy.

11.2 - In this respect TechWolf shall allow the Customer (or a third party on which the Customer appeals) to undertake inspections – such as but not limited to an audit – and to provide the necessary assistance thereto to the Customer or that third party.

12. TERM

12.1 - The Data Processing Policy lasts as long as the Assignment has not come to an end.

Annexes

  • Annex I – Overview of Personal Data
  • Annex II – Description of security measures

Annex I – Overview of Personal Data

I. Overview of the Personal Data, which Parties expect to Process:

  • Name
  • First name
  • CV / Biography
  • Motivation (letter)
  • Home address
  • E-mail address
  • Telephone number (land line / mobile)
  • Preferred means of communication
  • Nationality
  • Place and date of birth
  • Gender
  • Social security number
  • All Personal Data voluntarily provided by the Data Subject to the Controller
  • Trainings
  • Internal assessments
  • Internal resume
  • Employee project / work history
  • All other Personal Data relevant to the competences of the Data Subject

II. Overview of the new Personal Data created, based on the structuring and analyzing of the Personal Data of Annex I:

  • Competence fingerprint of the Data Subject, including but not limited to:
    • Set of hardskills
    • Set of softskills
    • Certificates
    • Languages
    • Seniority level
  • Compatibility of the competence fingeprint of the Data Subject with the vacancies of the Controller
  • Compatibility of the competence fingerprint of the Data Subject with the transformation of the workforce of the Controller
  • Analyzing the total amount of competence fingerprints within the Controller

III. The categories of Data Subjects whose Personal Data shall be Processed:

  • Job-seeker using the website/platform of the Customer
  • Visitor of the website/platform of the Customer
  • Employee of the Customer

IV. The use (= way(s) of Processing) of the Personal Data and the purposes and means of Processing:

Use of Personal Data:

  • Collection
  • Structuring and analyzing
  • Storage
  • Retrieval
  • Consultation
  • Use
  • Alignment, combination and creation
  • Erasure and destruction
  • Update

Means of Processing:

  • Software (Skill Engine API and other tools) of TechWolf
  • Software of a third party (Google Vision API)

Purpose of Processing:

  • Transform documents provided/written by job-seekers or employees to accurate competence fingerprints
  • Transform documents provided by the Controller to accurate competence fingerprints
  • Recommend opportunities to job-seekers and employees
  • Compare profiles of job-seekers and employees
  • Predict the impact of courses and traineeships on the skillset of a job-seeker or employee
  • Leverage data to gain actionable labor market and workforce insights
  • Give recommendations related to the transformation of the workforce of the Controller
  • Analyse the complete set of the competence fingeprints within the Controller
  • Database management

V. The term(s) during which the (different types of) Personal Data shall be stored:

TechWolf shall only retain the Personal Data as long as the Assignment between the Customer and TechWolf and/or the agreement has not been terminated, unless when the Customer deviates from this or requests ‘hard deletion’ or anonymization of the Personal Data.

In any case TechWolf shall, once the Assignment and/or agreement has been terminated and the period to export the Personal Data has expired, anonymize the Personal Data.

Without prejudice to the foregoing TechWolf shall, when longer storage of such Personal Data (or part thereof) is obligated under the Privacy Legislation, scramble the Personal Data.

Annex II – Description of security measures

Available on request.

Last updated in July 2019