Hikari: Data Protection Agreement

1. Definitions and Interpretation

1.1. Any capitalised terms used in this DPA but not defined shall have the meaning given to them in the Terms. Unless the context requires otherwise, the following definitions and rules of interpretation apply in this DPA:

• 1.1.1. "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach” and "Processing" shall have the meaning as defined in the Data Protection Legislation;
• 1.1.2. "Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time which applies to a party including the EU GDPR, the UK GDPR and the UK Data Protection Act 2018, in each case as amended, updated or replaced from time to time;
• 1.1.3. "EEA" means the European Economic Area.
• 1.1.4. "EU GDPR" means the General Data Protection Regulation ((EU) 2016/679).
• 1.1.5. "Sub-processor" means any Processor appointed by or on behalf of Black Star to Process Personal Data; and
• 1.1.5. "UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2. A reference to writing or written includes email.

1.3. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Terms in relation to the Processing of Personal Data, the provisions of this DPA will prevail.

2. Mutual obligations

2.1. Each party will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.

2.2. The parties acknowledge and agree that for the purposes of the Data Protection Legislation, in respect of the Processing of any Personal Data by Black Star under the Terms, the Customer is the Controller and Black Star is the Processor of such Personal Data on behalf of the Customer.

2.3. Subject to the Terms and the remainder of this DPA, Personal Data will be Processed by Black Star on behalf of the Customer:

• 2.3.1. for the purpose of providing or maintaining the Service to the Customer;
• 2.3.2. for the term of the Customer’s subscription; and
• 2.3.3. &in respect of Data Subjects who are recruitment candidates which the Customer wishes to evaluate via the Service using Personal Data made available on those candidates’ LinkedIn profiles (e.g. name, qualifications, professional experience, hard skills and soft skills).

3. Black Star's Processing obligations

3.1. To the extent that Black Star Processes any Personal Data on behalf of the Customer in connection with Black Star's performance of the Services, Black Star shall:

• 3.1.1. only Process such Personal Data for the purpose of providing the Service to the Customer as set out in the Terms and in accordance with the written instructions of the Customer unless Black Star is required by applicable law to otherwise Process that Personal Data, in which case Black Star shall inform the Customer of that legal requirement before such Processing, unless the applicable law prohibits Black Star from so notifying the Customer;
• 3.1.2. ensure that all personnel who have access to and/or Process Personal Data are obliged to keep the Personal Data confidential;
• 3.1.3. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
• 3.1.4. not transfer any Personal Data outside of the UK or EEA unless the prior written consent of the Customer has been obtained;
• 3.1.5. reasonably assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• 3.1.6. notify the Customer without undue delay on becoming aware of a Personal Data Breach, providing the Customer with sufficient information which allows the Customer to meet its obligations to report a Personal Data breach under the Data Protection Legislation;
• 3.1.7. at the written direction of the Customer at any time and on termination of the Customer’s subscription, delete or return Personal Data and copies thereof to the Customer unless required by applicable law to store the Personal Data;
• 3.1.8. maintain complete and accurate records and information to demonstrate its compliance with this clause; and
• 3.1.9. make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by Customer solely to the extent required by the Data Protection Legislation and taking place no more than once every twelve months.

4. Sub-processors

4.1. The Customer grants a general authorisation to Black Star's use of Sub-processors to perform Processing activities with Personal Data on behalf of the Customer, subject to complying with the following conditions:

• 4.1.1. Black Star enters into a written contract with each Sub-processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts;
• 4.1.2. Black Star maintains control over all of the Personal Data it entrusts to the Sub-processor; and
• 4.1.3. Black Star shall remain liable to the Customer for the acts and omissions of each Sub-processor in relation to the Processing of Personal Data.

4.2. Black Star shall provide a list of its then current Sub-processors to the Customer upon request.

5. Obligations of the Customer

5.1. The Customer shall ensure that it has all the necessary licences, permissions, consents, authority and notices in place to enable lawful transfer of Personal Data to Black Star for the duration and purposes of the Customer’s subscription.

5.2. The Customer shall reasonably cooperate with Black Star to assist Black Star in performing any of its obligations under the Data Protection Legislation in relation to the Personal Data it Processes on behalf of the Customer.