General Terms and Conditions for the use of onlyfy one including the agreement on shared data protection responsibility

 

Preamble

The proposal to provide the onlyfy one talent acquisition platform and any accompanying services or third-party services (hereinafter “onlyfy one”) is directed exclusively at business customers.

The contract regarding the use of onlyfy one and shared responsibility when handling personal data is concluded with New Work SE, Am Strandkai 1, 20457 Hamburg. Other contact details, commercial register data and the names of New Work SE’s authorised representatives can be found in the www.xing.com legal notice.

 

The following General Terms and Conditions of Use, including the agreement on shared data protection responsibility (hereinafter “T&Cs”) shall apply within the scope of the contractual relationship between business customers (hereinafter “Customer”) and New Work SE (individually also “Party” and both together as “Parties”).

 

A. General provisions

 

1. Area of application, scope of services, changes

  1. New Work SE offers the onlyfy one talent acquisition platform under the domains *.onlyfy.io and *.onlyfy.jobs, on which the Customer can place job ads and receive and manage applications. The subject matter of the contract is the use of this software and any accompanying services. onlyfy one helps the Customer to recruit staff. The Customer can use onlyfy one for example to publish and manage job ads, receive and manage applications from candidates, and communicate with applicants via messages, while utilising other services provided by New Work SE and/or third parties for an additional fee.
  2. The precise scope of the user options and services of onlyfy one is based on contractual agreements, these T&Cs, and the product specifications applicable on conclusion of the contract. The aforementioned shall also apply to other services provided by New Work SE and/or third parties to be used on payment of an additional fee.
  3. Restricted to the duration of the contractual relationship with New Work SE, New Work SE shall grant the Customer those non-exclusive, non-sublicensed, and non-transferable rights that are required to allow the Customer to access onlyfy one in accordance with the scope agreed upon within its contractual relationship, and to use its functions as intended.
  4. The Customer’s account can only be used and accessed by those employees of the Customer specifically authorised to do so (hereinafter “Users”). New Work SE offers Users the possibility of bringing Customers and applicants together and only provides technical options which allow a general approach to be made. New Work SE is therefore not responsible for establishing contact between Users and applicants. New Work SE does not involve itself in the content of any communication between the Customer and third parties. If contracts are concluded through the Customer’s account, New Work SE does not get involved in this and does not become a Party to this contract. The Customer bears sole responsibility for the processing and execution of contracts concluded with third parties, and sole liability for any breach of obligations.
  5. New Work SE shall bear no responsibility for the content, data, and/or information provided by members of XING or other services, or for the content of linked external websites. In particular, New Work SE shall not guarantee that this content is true and accurate, that it meets a specific purpose, or that it can serve such a purpose.
  6. New Work SE reserves the right to change the functionality of onlyfy one, its accompanying services and/or its general design, and to offer alternative services insofar as the Customer can be reasonably expected to accept these.
  7. There shall be no entitlement to an offer of other functionality beyond the services described in the product specifications on conclusion of the contract. Functionality or services provided or made available by New Work SE or integrated third-party services beyond the booked scope of services, may be changed or removed again without prior notice from New Work SE.
  8. General Terms and Conditions or supplementary agreements in derogation from or in addition to these T&Cs, and the proposals or framework agreements concluded with the Customer, do not form part of the contract unless there is explicit written consent for this from New Work SE. Unconditional performance of services or silence concerning any of the Customer’s derogating Terms and Conditions shall not be deemed tacit acceptance thereof by New Work SE, even if it has prior knowledge of these.
  9. New Work SE shall reserve the right to amend these T&Cs during the term of the contract between the Customer and New Work SE with effect for the future. New Work SE shall notify the Customer of the amendment to the T&Cs and shall highlight the new provisions as well as the effective date. If an amendment to the T&Cs is affected within four (4) weeks of the notification of the change, the Customer shall have the right to terminate the contract with retroactive effect from the time that the amendment was made by sending a written declaration to New Work SE. This change mechanism shall not apply to amendments to the Parties’ main contractual obligations. The validity of the T&Cs in their current form remains unaffected by the exercising of this right to object.
  10. If specific services are rendered by third parties and the service performance to the Customer is only brokered by New Work SE, the Customer shall conclude a separate contract with the third party. In these cases, New Work SE is not a Party to the contract and is not responsible for this service performance. The Customer’s liability or warranty rights are excluded in this respect, and must be asserted against the third party.
  11. If the Customer posts job ads via additional channels, careers sections, or third-party social media, New Work SE shall reserve the right to change the functionality or scope of services and/or its general design, and/or to offer alternative services and job posting channels. The Terms and Conditions of Use of these channels and services shall apply; these must be consulted on the relevant posting sites and adhered to by the Customer. The Customer notes that New Work SE has no influence on the type of display, reach and/or design of job ads on the additional third-party channels and services.

 

2. Use of onlyfy one

  1. To use onlyfy one, the Customer must register on *.onlyfy one, and open a company account (hereinafter “Account”). An Account may only be opened by an authorised representative or member of staff with authorisation to represent the Customer. To prevent any problems during use, true and accurate data must be provided, and updated without undue delay if changes occur.
  2. The User’s authorisation is created by entering information into a form in onlyfy one. The Customer shall nominate one or several Users as Account administrators (hereinafter “Administrator” or “Administrators”) who are granted full access to all settings options and administration areas. As onlyfy one is an application of the extensive services provided by XING, the General Terms and Conditions of XING (https://www.xing.com/terms/xing) shall apply for Administrators and authorised Users.
  3. This shall not constitute membership of the XING social networking site.
  4. The Customer shall have the right to revoke a User’s authorisation or to nominate another person to replace the User. The replacement’s authorisation is created by entering information into a form in onlyfy one.
  5. New Work SE shall bear no responsibility for the content, data, and/or information provided by the Customer and applicants, or for the content of linked external websites. In particular, New Work SE shall not guarantee that this content is true and accurate, that it meets a specific purpose, or that it can serve such a purpose.
  6. The Customer shall be responsible for the data and content that it provides. New Work SE does not guarantee that information and job ads are checked for accuracy, viruses, or processability in relation to viruses.
  7. The Customer may not install, upload, or provide access to its own- or third-party data, files or content, such as texts, images, graphics, and links, which
    • a. infringe the applicable legal provisions;
    • b. contain depictions of violence, pornographic, discriminatory, offensive, defamatory, or other content or images which are illegal, breach public morality, or harm the image of New Work SE;
    • c. exclusively or partly depict or include external company logos, trademarks, or other references and other protected marks, unless the Customer is authorised to do so, i.e. if the Customer holds rights to the corresponding logos, publicity photos, and other content or has permission from the holder to use them;
    • d. infringe third-party IP rights or copyright;
    • e. infringe other rights of New Work SE or third parties.
  8. Images or photos of people, such as staff, may only then be published on onlyfy one if these people give consent.
  9. As a rule, New Work SE shall notify the Customer of data, files or content, such as text, images, graphics, and links, whose depiction or publication in the Customer’s Account breaches the provisions of these T&Cs, legal provisions, public morality, or third-party rights, once New Work SE becomes aware of such content. In this event, the Customer shall be obliged to remove the relevant data, files, or content from the Customer’s Account.
  10. New Work SE is essentially authorised to remove data, files or content, such as text, images, graphics, and links, without prior notice, if and to the extent that there are specific indications that the depiction or publication thereof in the Customer’s Account breaches the provisions of these T&Cs, legal provisions, public morality, or third-party rights.
  11. The following actions are prohibited for the Customer:
    • a. The unauthorised use of mechanisms, software or scripts in connection with the use of onlyfy one. However, the Customer may use interfaces or software authorised by New Work SE;
    • b. blocking, overwriting, modifying, copying – unless deemed necessary for the proper use of onlyfy one;
    • c. any action that is likely to impair the functionality of the onlyfy one infrastructure, in particular to overload it.
  12. If the Customer has published data, files or content via its Account on onlyfy one, which contain specific indications that they represent a breach of the provisions of these T&Cs, legal provisions, public morality, or third-party rights, or breach these T&Cs in any other way, New Work SE can temporarily suspend this Customer’s Account. As a rule, New Work SE shall make the Customer aware of this suspension of the Account by sending a warning. The Customer shall not be entitled to a prior warning. If the Customer is at risk of default or if the Customer commits a particularly serious breach, the Customer’s Account shall, as a rule, be deactivated without undue delay and without prior warning.
  13. If onlyfy one is not used during the contract term, the Customer shall not be entitled to a refund, price reduction, or extension of access beyond the relevant contract period.
  14. The Customer may order other products (for example, additional onlyfy one user options or product upgrades) within the contract term. The contract terms for any additional products are based pro rata on the basic contract. This requires a separate contract between the Parties. The aforementioned shall also apply to other services provided by New Work SE and/or third parties to be used on payment of an additional fee.

 

3. Visibility and storage of content in the Account

  1. Some content and information (correspondence, conversations, projects, notes, comments, etc.) is shared among all current and future Users in the Customer’s Account either automatically or at the request of a User. Other information is not shared among Users.
  2. Information which a User itself has not shared or which has not been automatically shared or cannot be shared, is not shown in the Customer’s Account to other Users of the Customer’s Account. Conversations which have not begun, been replied to, or shared in the Customer’s Account, are not automatically stored in the Customer’s Account in a manner visible to the Administrator or all Users of this Account, and instead are only shown in the relevant (e-mail) inboxes of those Users who are participants in the respective conversation.
  3. Unless explicitly shared by the User, much of the information and content created by a User in the Account can be read, edited and shared with other current and future Customer Users in the Customer’s Account by the Administrators of the Customer’s Account appointed by the Customer, provided that the Account is active.
  4. If a User loses its right to access the Customer’s Account (e.g. at the request of the Customer because the User has left the Customer’s company, or in the case of a breach of these T&Cs) or the User itself terminates access, the information the User has shared with other Users remains visible to current and future Users in the Customer’s Account. The content can also still be read by administrators of the relevant Account (cf. point 2). If a replacement for a User is nominated by the Customer or an Administrator of the Customer’s Account, all the User’s content shall remain visible to the User whose access has been terminated.

 

4. Availability

  1. onlyfy one is normally available 24 hours a day, 7 days a week. New Work SE guarantees an annual average availability of 99%. Planned maintenance in accordance with Section 4 (2) is excepted from this.
  2. New Work SE is authorised to carry out maintenance work during weekdays between 20:00 and 06:00 CET/CEST, and on public holidays and weekends from 00:00 to 24:00 (hereinafter: “Maintenance Window”) for a total of ten (10) hours in a calendar month. The Customer shall be notified of work in the Maintenance Window with reasonable notice. New Work SE shall be entitled to move or extend the Maintenance Window in exceptional cases in order to rectify or prevent major faults. onlyfy one may provide limited or no access during maintenance work. If maintenance needs to be performed outside the Maintenance Window, this will not impair the overall availability of 99% based on the calendar year.

 

5. Use of the Account, data protection

  1. New Work SE collects and processes data in compliance with the applicable data protection regulations, in particular the GDPR.
  2. The Customer shall be obliged in particular to comply with the applicable data protection regulations, in particular the GDPR.
  3. The Customer must respect third-party rights, especially when sharing content and information. For example, obviously private communication must not be shared with others without the consent of the sender.
  4. The Customer is also prohibited from
    • a. unreasonably harassing applicants (in particular with spam),
    • b. following or promoting anti-competitive practices, including progressive customer advertising (such as chain letters, snowball or pyramid schemes), and
    • c. implementing, advertising or promoting hierarchical marketing programmes (such as multi-level marketing or multi-level network marketing), even if these do not specifically infringe any laws.
  5. If the Customer itself (manually) adds an applicant’s personal data to onlyfy one, the Customer shall be obliged to ensure that its data protection policy reflects this data processing.
  6. New Work SE processes personal data within the scope of these T&Cs, in shared responsibility with the Customer based on the agreement on shared data protection responsibility set out in Section B. pursuant to Article 2 (6) GDPR.
  7. If the Customer breaches these T&Cs, or infringes legal provisions or third-party rights in the course of its activities in its Account, New Work SE may temporarily or permanently deactivate the Customer’s Account by way of a penalty.
  8. This can also be done following complaints by applicants, if there are specific indications that use of the relevant Account breaches legal provisions or public morality, or infringes third-party rights.
  9. As onlyfy one is an application of the extensive services provided by XING, information on processing the data of administrators and authorised Users of onlyfy one can be found in the XING Privacy Policy (https://privacy.xing.com/en/privacy-policy).

 

6. Workshops & webinars

  1. To hold workshops, the Customer must provide the trainer with internet access, a projector (“LCD projector”), and a flipchart in the function rooms. To hold seminars, the Customer must ensure that each attendee has a PC or laptop with internet access, headset or speaker, and microphone in order to participate.
  2. In accordance with the agreed workshop content and following consultation between Customer and trainer, each attendee requires a PC or laptop with internet access, as well as access to onlyfy one.
  3. Webinar attendees are given a link to the onlyfy one webinar registration form before commencing the webinar. After successfully registering, each attendee receives a confirmation e-mail with the information required to attend the webinar. Interested parties must first register to attend the webinar. The Customer and attendees must ensure that their system specifications allow them to use the webinar program, and that their PC or laptop meets the system requirements.
  4. The maximum number of attendees and duration of a workshop or webinar can be found in the proposal. Deviations from these numbers shall only be permitted with the written or text-based (e-mail shall suffice) approval of New Work SE.
  5. Workshop or webinar dates are agreed jointly by the Customer and New Work SE following conclusion of the contract. The earliest date on which a workshop or webinar can be held is from a period of two (2) weeks following receipt of the signed order confirmation.
  6. If workshops are held in the Customer’s function rooms, the Customer must pay a flat rate for travel costs in addition to the service fee. This is set out accordingly in the proposal.
  7. If the order is cancelled by the Customer up to 10 days before the start of the workshop or webinar, 50% of the service fee specified in the proposal shall be due. The service fee shall be due in full if the Customer cancels after this date. Customers must submit cancellation to New Work SE in writing.
  8. Neither of the Parties to the contract shall be liable to the other for non-compliance with contractual obligations if non-compliance is due to circumstances beyond their control. This shall apply in particular in cases of force majeure, accident, or illness.
  9. If a deadline for rendering the service cannot be met by New Work SE due to force majeure, trainer illness or accident, or other circumstances for which New Work SE is not at fault, New Work SE shall be entitled to subsequently perform the service on a new date to be agreed with the Customer.
  10. The seminar material and presentations are copyrighted. Any reproduction, transfer to third parties or other commercial use by attendees or the Customer shall only be permitted with the written consent of New Work SE.
  11. New Work SE employees shall not offer legal advice to Customers in their workshops and webinars. Any statement on legal matters shall be non-binding, and it is the Customer’s responsibility to check such statements in the individual case.

 

7. Liability

  1. New Work SE bears limited liability for damage that is based on intentional or grossly negligent actions as well as for damage that arises from ordinarily negligent breaches of material contractual obligations. Material contractual obligations are obligations whose fulfilment is a prerequisite for the proper performance of the Contract, and on the fulfilment of which the Customer may regularly rely.
  2. In the event of an ordinarily negligent breach of non-material contractual obligations, New Work SE shall not be liable in as far as it is not a case of Section 6 (1).
  3. However, New Work SE’s liability in the event of personal damages and in accordance with the Product Liability Act as well as legal warranty-related liability remain unaffected in every case.
  4. The above liability restrictions also apply in the event of breaches of obligations by the legal representatives or vicarious agents of New Work SE.
  5. The Customer releases New Work SE from all claims, including claims to reimbursement of expenses and reimbursement of damages that other users of onlyfy one or other third parties, including public authorities, assert against New Work SE due to a breach of their rights by the content published by the Customer on onlyfy one. The Customer shall bear all reasonable costs including reasonable legal defence costs incurred by New Work SE due to a breach of third-party rights by the Customer. All of New Work SE’s further rights as well as claims for compensation for damages remain unaffected.

 

8. Contractual term & renewal, termination and price adjustment

  1. Fees for the use of onlyfy one are due for payment immediately upon invoicing in each case for the entire period or renewal periods, unless an alternative agreement has been put in place between the parties in writing. Payment can be made using the payment methods offered.
  2. Fees for the use of New Work SE’s functions or services granted or available via the booked scope of services, or integrated service offerings from third parties, are immediately due for payment in advance upon invoicing in each case for the entire period or renewal periods, unless an alternative agreement has been put in place between the parties in writing. Payment can be made using the payment methods offered.
  3. The contract concerning the chargeable use of onlyfy one or supplementary services by New Work SE or third parties is concluded for the term agreed in the proposal or framework agreement. The contractual relationship between New Work SE and the Customer extends in each case by one (1) year upon expiry of the term. The following regulations apply with respect to termination of the chargeable contract:
    • a. Contractual relationships can be terminated by either party by declaration in written or text form (e-mail shall be sufficient) with a termination notice period of three (3) months to the end of the respective contractual term.
    • b. The right to extraordinary termination and termination without notice for cause remains unaffected. New Work SE is entitled to termination for cause in particular if: the use of the services by the Customer breaches the law and/or third-party rights; or the Customer breaches other material contractual provisions.
  4. The contract concerning the chargeable use of onlyfy one Go (in particular “onlyfy one Go”) is concluded for an unlimited term. The following regulations apply with respect to termination of the non-chargeable contract:
    • a. Contractual relationships can be terminated by either party by declaration in written or text form (e-mail shall be sufficient) with a termination notice period of two (2) weeks, at any time.
    • b. The right to extraordinary termination and termination without notice for cause remains unaffected. New Work SE is entitled to termination for cause in particular if: the use of the services by the Customer breaches the law and/or third-party rights; or the Customer breaches other material contractual provisions.
  5. In the case of termination, New Work SE shall be entitled to deactivate the Customer’s account, the Customer’s Users’ profile, and the Customer’s onlyfy one access after expiry of the agreed term of the contractual relationship. Associated with this, New Work SE will also delete existing applications in the Customer’s company account and deactivate the Customer’s active job ads. In the case of termination for cause, New Work SE shall be entitled to effect deactivation immediately. For 90 days after the expiry of the contractual term, New Work SE has the option of safeguarding the master data for the Customer’s applicants in electronic and machine-readable form from onlyfy one for the Customer.
  6. In the event of a contract renewal, the price is calculated in accordance with the list price applicable at the time of the renewal; there shall be no claim to renewal of any granted quantity-related or other discount on the basis of the renewed product items. If a basic contract in which the additional New Work SE product items have been booked by the Customer in accordance with Section 2 (12) is extended within the contract term, the overall allocation shall automatically extend by the contractual term booked in the basic contract.
  7. New Work SE reserves the right to adjust the list price and resulting fee with effect from the next renewal period in each case. New Work SE shall notify the Customer about any change of this type by means of the invoice sent to the Customer concerning the renewal period. If a price increase is affected within four (4) weeks of the date on the invoice, the Customer shall have the right to dissolve the contract with retroactive effect from the time it was renewed, by sending a written declaration to New Work SE. The discontinuation of the granted discounts at the time of contract renewal is not a price increase and does not grant the Customer any special right to termination.

 

9. Closing provisions

  1. If the Customer, as the recipient of New Work SE’s services, has its registered office outside Germany, the Customer must provide notification of its VAT ID number without delay after contract conclusion. Due to reversal of the tax liability, the Customer is the party liable for VAT (reverse charge procedure) and must invoice for the service using the reverse charge procedure for the purposes of VAT.
  2. The law of the Federal Republic of Germany applies to the exclusion of private international law and the UN Convention on Contracts for the International Sale of Goods.
  3. The place of jurisdiction for all legal disputes arising from the contractual relationship between New Work SE and the Customer is Hamburg. In addition, New Work SE also has the right to utilise the court with subject matter jurisdiction at the Customer’s registered office to decide disputes.
  4. If a provision in these T&Cs is or becomes ineffective or unenforceable, this shall not affect the efficacy of their remaining conditions. In place of the ineffective regulation, the parties commit to agreeing a new, effective regulation that comes as close as possible to the spirit and purpose of the ineffective regulation. The same applies for gaps in these T&Cs.

 

B. Agreement on shared responsibility under data protection law

 

1. Object of the agreement

  1. The contractual relationship (“Main Contract”) establishes shared processing of personal data within the Customer’s company accounts. onlyfy one is part of the comprehensive XING service provided by New Work SE, which pursues the purpose of using a variety of different applications (onlyfy one as well as the XING social network, kununu etc.) to contribute to improving and simplifying the professional life of users, as well as making the world of work more fulfilling for individuals and at the same time making companies even more successful. onlyfy one, as part of the comprehensive XING service, is an online platform on which and via which talented individuals and companies come together. On or respectively via onlyfy one, companies can for example publish job ads, identify interesting talented individuals (where applicable including from the XING professional network), receive and manage applications, and enter into dialogue with talented individuals and applicants. New Work SE supports this coming together of talented individuals and companies on and via onlyfy one. This takes place through, for example, talented individuals being recommended in the Customer’s company account, as well as through the generation and provision of recruitment-relevant information and analysis based on data that New Work SE processes in onlyfy one and, where applicable, in other XING applications or outside them.
    The precise scope of services is based on the Main Contract. The parties agree that, with respect to this collaboration in the company account in the sense of Article 4 (7) GDPR, they jointly determine the purposes and means of processing and that in this respect there is shared responsibility.
  2. This Contract represents the agreement between the shared controllers as defined by Article 26 GDPR, between the parties. In this Contract, regulations are implemented as to who fulfils which obligations under the GDPR in connection with shared processing of personal data.
  3. For data processing instances for which there is no shared determination of the purposes and means, each contractual party is the independent controller in the sense of Article 4 (7) GDPR. This applies in particular to any data processing outside the company account as well as to product support provided to the Customer or the Customer’s company account by New Work SE, as well as Customer support. This Contract does not apply for these instances of data processing.

 

2. Description of data processing

  1. The purpose, type and scope of processing of personal data arise from Section 1 as well as the Main Contract concluded between the parties and in that respect where applicable additionally included contractual regulations.
  2. The type of data as well as the categories of data subjects can be found in Annex 1 to this contract.

 

3. Responsibilities for processing steps/phases

  1. In Annex 2 to this Contract, the parties have described the processing steps that are subject to shared responsibility, and assigned the respective responsibilities. If no disclosure is provided and the Contract also does not assign any other responsibilities, it must be assumed that both parties are equally responsible for the processing of the respective data type(s).
  2. In Annex 2, the parties have furthermore determined responsibilities for the processing and implementation of measures that must be implemented for reasons of the exercising of data subject rights arising from Articles 15 to 21 GDPR, as well as in terms of certain additional requirements of the GDPR. If no disclosure is provided and the Contract also does not assign any other responsibilities, it must be assumed that both parties are equally responsible.
  3. Regardless of the regulations in Paragraphs 1 and 2, the parties agree that the data subjects may contact either party for the purpose of exercising data subject rights that are due to them in each case. In such a case, the respective other party is obliged to immediately forward a data subject’s request to the party responsible in accordance with Annex 2 of this Contract. The parties will mutually appoint contact addresses for this purpose and provide notification of any change immediately in text form.

 

4. Implementation of data subject rights

  1. Each party is obliged to fulfil the information obligations arising from Articles 12 to 14 GDPR and Article 26 (2.2) GDPR with respect to the data subjects in as far as the respective party is responsible for the processing step(s) as per Section 3 of this Agreement. The parties shall ensure that this information is available online and shall, on request, mutually provide the web addresses at which the respective information can be accessed.
  2. Data subjects must be provided with the required information in a precise, transparent, understandable, and easily accessible form, in clear and simple language, free of charge.

 

5. Data security

  1. New Work SE is solely responsible for implementation of the technical and organisational measures required in accordance with Article 32 GDPR with respect to the security of covered products and services for which there is shared responsibility in the sense of Article 26 GDPR. New Work SE shall implement the measures to be taken at its own discretion. The Customer will receive a description of these technical and organisational measures on request. New Work SE can adapt the technical and organisational measures at any time at its own discretion and without separate notification, in as far as the resulting changes do not fall short of the respective legal specifications for data security.
  2. The Customer bears sole responsibility in terms of correct technical implementation and configuration of the covered products for which there is shared responsibility in the sense of Article 26 GDPR.

 

6. Notification obligations in the event of data protection breaches

  1. New Work SE is responsible for review and processing of all breaches of the protection of personal data as defined by Article 4 (12) GDPR (Personal data breach), including the fulfilment of any and all resulting obligations to report to the responsible supervisory authority in accordance with Article 33 GDPR or to data subjects in accordance with Article 34 GDPR, which occur with respect to the covered products and services for which there is shared responsibility in the sense of Article 26 GDPR. The Customer is accordingly responsible for data protection breaches that occur with respect to the correct technical implementation and configuration of the covered products and services for which there is shared responsibility in the sense of Article 26 GDPR.
  2. If the responsible party notifies a data protection breach to the responsible supervisory authority or to the data subject, that party shall then inform the other party immediately. If needed and at the request of the responsible party, the parties shall mutually support each other in the fulfilment of reporting obligations and shall immediately mutually provide all information in connection with the data protection breach as is needed to review the data protection breach and its consequences, as well as for the fulfilment of any reporting obligations in accordance with Articles 33 and 34 GDPR.

 

7. Shared obligations

Both parties must inform each other immediately and in full if errors or irregularities in data processing or breaches of provisions of this Contract or applicable data protection law (in particular the GDPR) are identified.

 

8. Commissioned processor

  1. Both parties may at their own discretion use commissioned processors as defined by Article 4 (8) GDPR. In this process, the parties commit to comply with the specifications of Article 28 GDPR in each case. New Work SE is responsible for the selection, commissioning and management of service providers and commissioned processors with respect to the covered products and services.
  2. Insofar as the processing of personal data takes place in a third country, the respective party shall on request demonstrate to the other party the existence of guarantees for an appropriate level of data protection in the third country.
  3. The commissioned processors utilised in each case by New Work SE with respect to processing steps for which there is a shared determination of purposes and means are listed at the following link: https://onlyfy.com/de/onlyfy-one-subcontractors

 

9. Collaboration with supervisory authorities

  1. Each party is obliged to immediately inform the respective other party if a supervisory authority for data protection contacts it in the context of this Contract, the collaboration, or data processing, and in as far as this specifically refers to the processing of personal data that are processed jointly by the parties. However, New Work SE is explicitly not obliged to inform the Customer if a supervisory authority for data protection contacts New Work SE generally with respect to the covered products and services for which shared responsibility exists in the sense of Article 26 GDPR in accordance with this Contract, and/or if the request does not directly concern this Contract.
  2. In as far as possible, the parties shall mutually consult before any requests from responsible supervisory authorities for data protection are followed and/or information in connection with this Contract, the collaboration, or data processing is shared with responsible supervisory authorities for data protection. This does not apply in cases of Paragraph 1 Sentence 2.

 

10. Liability

  1. The parties are liable to the data subjects in accordance with the legal stipulations.
  2. In their internal relationship, the parties release each other from any liability if the cause triggering liability is solely the responsibility of one party in the framework of responsibility in accordance with Section 3 of this Agreement. This also applies with respect to any fine imposed against a party due to a breach of data protection specifications, with the stipulation that the party to which the fine is assigned must initially have exhausted legal remedy against the decision concerning the fine.

 

11. Closing provisions

  1. The regulations of the Main Contract apply for the duration and termination of the Contract. In the case of contradictions between this Contract and other agreements between the parties, in particular the Main Contract, the regulations of this Contract shall take precedence.
  2. Should individual provisions in this Contract be or become ineffective or contain a gap, the remaining provisions shall remain unaffected by this. In the place of the ineffective regulation, the parties commit to agreeing a legally permissible regulation that comes as close as possible to the purpose of the ineffective regulation and that best fulfils the requirements of Article 26 GDPR.
  3. German law including the GDPR applies.

 

Annex 1 to the agreement on shared responsibility under data protection law

 

Categories of data subject

Group of persons who are the subject of data processing:

  • The Customer’s talented individuals and applicants
  • The Customer’s company users
  • XING users
  • Other users of New Work SE
  • Where applicable, third parties

 

Type(s) of personal data

The following data types are regularly the object of processing:

  1. With respect to the Customer’s talented individuals and applicants, this includes, among other data
    • master data (e.g. name, contact details, date of birth, etc.)
    • qualification data (CVs, etc.)
    • Voluntary information (application photo, information on disability status or other information, additional questions depending on the relevant job advert, etc.)
    • communication data
    • where applicable, other data (social media profiles at XING or LinkedIn etc.)
    • Special categories of personal data in accordance with Article 9 (1) GDPR, e.g. information on health (e.g. disability status) or information that permits conclusions to be drawn about sexual orientation or ethnic origin or religion.
    • Usage data, tracking data, including using cookies and similar technologies
    • Data in the framework of support services (e-mail address, name, context of request, other personal data, etc.)
  2. With respect to the Customer’s company users, this includes in particular
    • Registration data (e.g. name, e-mail address, password, phone number)
    • Communication data as well as personal comments and assessments made by company users
    • Activity data that is created during use (e.g. status changes for applications, purchase requisitions for new job ads, etc.).
    • Other usage data, tracking data, including using cookies and similar technologies

 

Annex 2 to the agreement on shared responsibility under data protection law

 

Primary responsibility in the framework of shared responsibility

No. | Processing step under shared responsibility | Responsibility in the framework of shared responsibility | Comments
1 | Processing in the framework of recruitment by the Customer (classic “application data” processing), i.e. of job ad data as well as data concerning talented individuals/applicants and company users, including dialogue between talented individuals/candidates/applicants and company users in as far as it takes place in and via the company account | Customer | The processing of data concerning applicants and company users by the Customer outside the company account, as well as the upload process for such data by the Customer into the company account, take place outside shared responsibility, in the sole responsibility of the Customer. Shared responsibility applies as soon as data are included in the company account.
2 | Display and recommendation of talented individuals in the company account | New Work SE | Data processing outside the company account takes place outside shared responsibility, in the sole responsibility of New Work SE.
3 | Collection of usage data, tracking, including using cookies and similar technologies | New Work SE |
4 | Provision of “Insights”: generation and provision of recruitment-relevant information and analyses based on data from the company account | New Work SE |
5 | Adoption of data that is created/processed in the company account, including usage data/automatically collected data, including using tracking technologies/cookies, for proprietary purposes such as performing analysis for product improvement, etc. or the optimisation of recommending talented individuals. | New Work SE | The adopted data are (further) processed by New Work SE outside shared responsibility, in sole responsibility
6 | Product support for talented individuals concerning the covered products and services, including information on product changes, etc. | New Work SE |
7 | Selection and implementation of third-party provider tools that are provided to the Customer for use in the framework of the covered products and services, as well as associated processing of data by commissioned processors and/or disclosure of data | New Work SE |

 

 

Responsibility in terms of exercising data subject rights and certain additional requirements arising from the GDPR

Data subject right/requirement | New Work SE | Customer
Article 6: Requirement for a legal basis for shared processing | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Information obligations arising from Articles 13 and 14 GDPR
(plus information specified and permanently integrated by New Work SE concerning shared responsibility as well as with respect to New Work SE’s area of responsibility.)
Right of access by the data subject (Article 15 GDPR) | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Right to rectification (Article 16 GDPR) | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Right to erasure (“Right to be forgotten”) (Article 17 GDPR) | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Right to restriction of processing (Article 18 GDPR) | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Right to data portability (Article 20 GDPR) | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Right(s) to object (Article 21 GDPR) | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Article 26 (2) GDPR: Make the essence of this addendum available for controllers
(by link to this Contract, which is accessible online, is included in the information specified by New Work SE concerning the information obligations arising from Articles 13 and 14 GDPR (see above) concerning shared responsibility.)
Right to obtain human intervention, to express a person’s own point of view, and to contest a decision in the event of automated decision-making in an individual case with legal/restrictive effect (Article 22 (3) GDPR). X  
Creation of the documentation for the record of processing activities in accordance with Article 30 (1) GDPR | New Work SE with respect to its area of responsibility | The Customer with respect to its area of responsibility
Implementation of Privacy by Design (Article 25 GDPR) and/or Risk assessment for processing X  
Performance of a data protection impact assessment in accordance with Article 35 et seq. GDPR If a data protection impact assessment is required in accordance with Section 35 GDPR, the parties shall mutually support one another to a reasonable extent.