Data Processing Schedule - EU (EN)

Exhibit B

Data Processing Schedule

This Schedule addresses the obligations detailed in the GDPR (defined below) and applies to organisations which are either established in Europe; offer goods and services to individuals in Europe; or who monitor the behaviour of individuals in Europe, using SHL’s Services provided to Company under an Order. If an Order has terms inconsistent with this Schedule, this Schedule takes precedence.

Data Protection Legislation means the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and any other applicable law or regulation relating to the processing of personal data and to privacy, and as such legislation shall be amended, revised or replaced from time to time.

A. Data Processing in accordance with Article 28 (Processor) of the GDPR

1. Article 28 (1) – Appropriate technical and organisational measures

This is addressed in Section 3.3 of the Terms as follows:

As the Data Processor, SHL shall: (i) process Personal Data in accordance with Company’s reasonable instructions or otherwise as permitted under the Agreement, and (ii) implement appropriate administrative, technical, and physical security controls to protect Personal Data from unauthorized access, use, or disclosure, unauthorized modification, or unlawful destruction or accidental loss. SHL Group shall cooperate with any Company request for Personal Data provided by or through Company to SHL Group, as applicable, provided that such request does not violate the terms of the Agreement.

2. Article 28 (2) – Sub-processor authorisation

(a) SHL Group may disclose Personal Data to Third Parties only if a SHL Group company: (i) is party to a merger, acquisition or divestiture; (ii) contracts with a Third Party to provide certain services on behalf of a SHL Group company; or (iii) is required to disclose Personal Data to comply with any legal obligation. Under (i) and (ii) above, SHL or its applicable Affiliate shall contractually require such Third Party to provide the same level of protection for Personal Data required under these Terms and any applicable data protection laws.  

(b) SHL may use its Affiliates or Qualified Subcontractors to perform Services. Affiliates shall not be considered subcontractors. SHL will at all times remain responsible for its Affiliates and Qualified Subcontractors hereunder.

The above provisions are addressed in Section 3.4 and 10.5 of the Terms respectively.

3. Article 28 (3) (a) – Instructions from the controller

SHL shall process the Personal Data only in accordance with the Agreement and Company’s reasonable written instructions, unless required otherwise by applicable laws, in which case SHL shall promptly inform Company of the legal requirement before processing the Personal Data, unless that law prohibits such information on important grounds of public interest.

4. Article 28 (3) (b) – Confidentiality

SHL shall ensure that any personnel authorised to process Personal Data shall be subject to a duty of confidentiality in respect of such Personal Data.

5. Article 28 (3) (c) – Measures required pursuant to Article 32

(a) SHL has and shall maintain an effective information security program that: (i) includes administrative, technical, and physical safeguards; and (ii) has appropriate technical and organisational measures (“Security Program”). The Security Program is adequate to ensure the security and confidentiality of Personal Data and protects against: (1) anticipated threats or hazards to the security or integrity of Personal Data, (2) unauthorised access to or use of Personal Data, (3) unlawful processing or processing otherwise than in accordance with the Agreement, and (4) accidental loss, destruction, damage, alteration or disclosure of Personal Data.

(b) The Security Program shall be appropriate to protect against the harm that may result from unauthorised or unlawful processing, use or disclosure, or accidental loss, destruction or damage to or of Personal Data and the nature of the Personal Data, and shall include (as a minimum): (i) implementing the measures prescribed by Data Protection Legislation, and/or the Agreement; (ii) taking reasonable steps to ensure the reliability of personnel having access to the Personal Data; and (iii) implementing and maintaining reasonable disposal measures and training of personnel accessing Personal Data.

6. Article 28 (3) (d) – Engaging a Sub-processor

SHL shall, except as set out in the Agreement, not subcontract any processing of Company’s Personal Data without the Company’s prior written consent.

7. Article 28 (3) (e) – Appropriate technical and organizational measures regarding data subject’s rights

SHL shall assist Company, to the extent reasonably possible, to fulfil Company’s obligation to respond to requests relating to the exercise of a Candidate’s individual rights, as set out in Chapter III of the GDPR.

8. Article 28 (3) (f) – Compliance with Articles 32 to 36

SHL shall provide such information and assistance, within such timescales, as reasonably requested by Company, to allow Company to comply with its obligations under the applicable Data Protection Legislation. Such assistance may include assisting Company to comply with its obligations to: (i) ensure Personal Data is processed and stored securely; (ii) inform Candidates about serious Personal Data breaches; (iii) carry out and audit data protection impact assessments; and (iv) consult with the applicable supervisory authority if required, following a data protection impact assessment.

9. Article 28 (3) (g) – Data deletion

SHL shall, upon Company’s written instruction, promptly and securely: (i) return the Personal Data to Company; or (ii) delete the Personal Data (unless its continued storage by SHL is required by applicable law).

10. Article 28 (3) (h) – Audit

(a) SHL will make available all information necessary for Company to demonstrate compliance with the obligations in Article 28 (Processor) of the GDPR. Company agrees that SHL’s then-current ISO 27001 certification will be used to satisfy any audit or inspection requests by or on behalf of Company, and SHL shall make such reports available to Company on request.

(b) SHL shall inform Company immediately if, in SHL’s opinion, any Company issued instruction breaches any provision of the Data Protection Legislation.

B. Liability

1. Liability for breaches of the GDPR

Subject to the Agreement, SHL’s total aggregate liability arising out of its breach of its obligations as a Data Processor under the GDPR will be limited to the amount directly attributed to SHL’s actions or failure to comply with the GDPR in performing the Services. The following shall be considered direct damages recoverable under the Agreement to the extent they result directly from SHL’s breach of the GDPR: (i) any costs and expenses incurred by Company to investigate and repair damage to Personal Data; (ii) any costs incurred by Company in connection with legally-mandated notices; (iii) fines, penalties and interest assessed against Company due to the breach; and (iv) reasonable attorneys’ fees.

C. Processing Summary

1. The Parties agree the following sets out the information required by the GDPR

Subject matter of processing: SHL talent assessment services

Duration of processing: Personal Data will be deleted or returned at the request of and as instructed by Company

Nature and Purpose of processing: The data subject will take the assessment using SHL’s online assessment systems. Assessment responses will be evaluated to produce an assessment report with results, which SHL will provide to Company. SHL may perform surveys or other processing operations at Company’s request. Company will have access to candidate data, including assessment results, and the platform interface

Type of personal data: Name, Email Address, Gender, Language, Company ID, employee demographic information, responses to assessments or surveys, audio recordings, visual images and any other data requested by Company

Categories of data subjects: Company candidates and/or employees