General Terms and Conditions

A. General Part

1. General terms

1.1.

The General Terms and Conditions of Business (hereinafter referred to as “GTC”) apply to all contracts/the entire business relationship between The Stepstone Group Österreich GmbH (hereinafter referred to as “stepstone.at”) and its respective Customer. Unless otherwise expressly agreed, the mutual rights and obligations between stepstone.at and its Customer are determined by the contents of the respective order and these GTC. Where a service consists of the publication and distribution of job offers and job applications, the service shall be qualified as a job placement service in the sense of § 2 paragraph 3 of the Labour Market Promotion Act (AMFG) and may only be directed at job seekers who are in possession of a valid work permit.

1.2.

The Customer agrees that the entire business relationship is governed exclusively by the stepstone.at GTC. Any standard business terms of the Customer that contradict or deviate from the stepstone.at GTC shall only be applicable if this has been expressly confirmed in writing by Stepstone, such that they can only become part of the contract if stepstone.at has given its separate consent.

 

2. Advertising contract:

2.1.

Definition: An advertising contract is a contract for the placement of one or more online adverts from a recruiter or other client in the stepstone.at online Se data for the purpose of distribution via the Internet.

2.2.

Conclusion of contract: An advertising contract is concluded if:

2.2.1.

stepstone.at confirms the order in writing. The written form requirement is satisfied by sending a fax or an e-mail, or

2.2.2.

stepstone.at distributes the job advert via the Internet. The Customer is bound by any order it places. Upon receipt of the respective order by StepStone (whether in writing, by fax or by e-mail), the Customer may not revoke (cancel) its order.

2.3.

Right of refusal: stepstone.at reserves the right not to publish advertising orders due to their content, origin or technical form. This applies in particular if the content of the job advert violates legal or official prohibitions or specifications as well as morality and/or these General Terms and Conditions of Business or if publication would be unreasonable for stepstone.at on other grounds. The Customer will be informed immediately if this is the case. In the event of a rejection on legitimate grounds, the Customer shall not be entitled to any claims against stepstone.at. Without limitation, the right of refusal also applies if the following requirements are not satisfied:

2.3.1.

The job title and job description have to be correct and must not be misleading or ambiguous.

2.3.2.

Key words, categorisation, title and advertising text of the advert have to be related to the job advertised in the advert.

2.3.3.

The content has to relate to a vacant position or job. Advertising for club memberships is not allowed. Advertising for participation in illegal pyramid schemes is also not allowed.

2.3.4.

Without limitation, the Customer undertakes to create its adverts in compliance with the Federal Equal Treatment Act. This also includes indicating the minimum wage applicable to the job advertised under the collective agreement or the minimum wage applicable by law or other provisions of collective law, and drawing attention to any willingness to overpay, if applicable.

2.3.5.

References to the text and / or links within the advert to further vacancies and other job sites not published on StepStone are not permitted.

2.3.6.

A maximum number of possible entries may apply to job categories, industries and regions; these maximum numbers must be adhered to. We are happy to provide further information on maximum numbers upon request.

2.3.7.

Admissible links are only allowed as so-called “no follow” links; this means they are to be set so that they cannot be used by search engines to calculate the popularity of the link.

2.3.8.

All of the content of an advert has to be immediately visible for the user. Unless they are explicitly offered by StepStone as part of special advertising products, own tracking codes of the Customer and interactive elements which can be controlled for example by clicks or mouseover are not allowed. This does not include links to other sites and e-mail addresses that otherwise comply with the requirements of this subsection. In each and every case links have to be arranged so that it is clear when they link to external sites.

2.3.9.

All content of the advert is to be transferred to StepStone and may not be integrated via frames or other forms of retrieval from other servers.

2.3.10.

Any influence on the search result lists outside of the options provided by StepStone (categorisation, title and visible text of the advert) is not allowed.

2.3.11.

The adverts are created in HTML. Only those file formats permitted by StepStone can be included in the advert text. On request, we will be happy to inform you which file formats are permitted.

2.3.12.

A job advert must contain the company name and description, a job description, the requirements profile, the place of work and an opportunity to apply.

2.3.13.

The job description may not refer to different jobs. It must contain the title of the position and a description of the duties and responsibilities. The job description must describe the vacancy correctly and must not be misleading (see PDF Advertising Guidelines). In such cases, StepStone reserves the right to make additional charges for any violations in lieu of the consequences set out in Section 6.6 of the General Terms and Conditions of Business.

2.4.

Rights to the advert/ Copyrights:

2.4.1.

stepstone.at is not responsible for the content of the texts and images provided for the placement of the advertisement. Without limitation, StepStone is not obliged to check the advert for any infringements of third party rights. The Customer is obliged to indemnify and hold stepstone.at fully harmless from any third-party claims that result in any form from the execution of an order to place an advert by stepstone.at. If a claim is asserted against stepstone.at, it alone is entitled to decide how to respond; the Customer responsible for the relevant content is precluded from asserting a claim of inadequate legal defence.

2.4.2.

If protected trademark rights are used in the context of the publication of the advertisement, permission for their use is granted upon contract conclusion. The Customer warrants that it has the right to grant such permission.

2.4.3.

stepstone.at acquires the exclusive copyrights and/or other ancillary copyrights to all job advertisements it creates and publishes. Absent agreement to the contrary, payment of the fee by the client, among other things for the creation of the HTML layout by stepstone.at, does not comprise an assignment of copyrights and/or other ancillary copyrights to the contracting party or an agency working for it. If job adverts published by stepstone.at were created by the Customer itself or by an agency acting on its behalf – including the HTML source text – the Customer grants stepstone.at an exclusive license to use the job advert for all forms of use that relate to publication of the job advert. The Customer warrants that it has the right to transfer such rights. Without limitation, stepstone.at is also authorised to defend against claims of unlawful copyright infringement asserted by third parties in its own name and to assert any resulting claims for damages.

2.4.4.

All information published by stepstone.at (texts, images, etc.) are subject to copyrights held by stepstone.at. The exclusive exception to this comprises information published by stepstone.at, the creation of which – including the HTML source code – was accepted for publication without change from the Customer itself or a third party commissioned by the Customer. The Customer warrants that it is authorised to transfer copyrights and that it will indemnify and hold stepstone.at harmless against any third-party claims should this not be the case. Without limitation, stepstone.at is also authorised to defend against claims of unlawful copyright infringement asserted by third parties associated with publication in its own name and to assert any resulting claims for damages.

2.4.5.

The Customer authorises stepstone.at to use its company name and logo as a customer reference in stepstone.at marketing materials provided that Customer does not object to such use.

2.5.

Start of publication: The job advert will be published at the agreed time. If no publication date has been agreed, publication will take place within one working day after conclusion of the advertising contract. The user is responsible for the complete delivery of error-free, appropriate advertising media. As a rule, stepstone.at is not responsible for delays occurring due to the content of the advertising text provided by the Customer for publication, whether in light of content or on technical grounds.

2.6.

Location of publication / linking / framing:

2.6.1.

On the basis of the advertising contract, stepstone.at is instructed to arrange for publication of job adverts from the Customer on its own websites as well as on platforms operated by stepstone.at cooperation partners within the scope of the respective cooperation.

2.6.2.

stepstone.at is entitled, but not obliged, to publish the job adverts in any print medium freely determinable by StepStone or to have them published by third parties.

2.6.3.

The Customer is aware that, based on the current state of technology, the circumstance that job adverts published by stepstone.at may be copied, linked and/or presented as their own adverts by other Internet providers with the aid of frames cannot be entirely prevented. The Customer hereby grants stepstone.at any and all necessary consents in order to enable stepstone.at to prevent any copying, linking and/or framing as referred to above within the realms of what is technically and legally possible. However, in the event of any unauthorised linking and/or framing, the Customer is not entitled to assert any claims against stepstone.at.

2.6.4.

The parties expressly note that, regardless of the advertising contract with stepstone.at, the Customer is entitled to commission third parties to place identical online adverts.

2.7.

Changes to the advert text:

2.7.1.

stepstone.at is obligated, at the request of the Customer, to make changes to the job advert published by it during the publication period, provided that this is technically and substantively reasonable. In any case, changes that affect the identity of the advert, so that in the case of the change, instead of the original, a new job would be advertised, are not permitted.

2.7.2.

Changes that can be made with little effort by stepstone.at will be made free of charge. Changes that are greater in scope will only be made on payment of a fee that is related to the costs involved. In this case, stepstone.at will inform the Customer in advance and make the desired changes to the job advert only upon corresponding written confirmation from the Customer.

2.7.3.

stepstone.at is not obliged to retain an advert that has been placed following the end of the advertising contract. Any templates provided by the Customer for the job advert may only be retained by stepstone.at upon the express written request of the Customer (maximum 3 months) and then returned.

2.7.4.

Job adverts may be saved in the personal accounts of users who have created a personal account with StepStone for a maximum period of six months and may also be in the account by such users for the agreed contract period.

2.8.

Additional limitations and requirements may apply to adverts that are published on pages that are not operated by StepStone Österreich GmbH. Invitations for speculative applications are not allowed on stepstone.de. Please note that there may also be certain statutory requirements and prohibitions for job adverts in other countries (e.g. in France, all adverts must be published exclusively in French). Such requirements must be complied with. We would be pleased to provide specific information on further requirements and restrictions for the sites not operated by StepStone Österreich upon request.

2.9.

StepStone will integrate a button in the job adverts that is labelled “Apply Now” or similar. Via this link, applicants can use the implemented application form to enter their contact details and upload their CV and other application documents. Depending on the customer’s selection, this button can either a) link to a website indicated by the customer or b) link to a standardised application form operated by StepStone on its platforms. The data requested in the form will be transmitted by the applicant to the customer’s account (“Recruiter Space”) by StepStone and can be received by the customer herein.

2.9.1.

If the customer uses its own application tracking system (“ATS”), applications are transferred directly to its ATS and the customer is the sole controller with respect to candidates’ personal data.

2.9.2.

If the customer does not use an ATS and an unregistered candidate applies for one of its job adverts, Part applies, since StepStone processes personal data on the customer’s behalf within the meaning of Article 28 GDPR. If the customer does not use an ATS and a registered candidate applies for one of its job adverts, applies, since StepStone and the customer process the candidate’s personal data and there is joint controllership.

2.9.3.

StepStone reserves the right to set up a technical connection to the customer’s ATS so that applicant data can be transferred directly into the customer’s ATS via the “Apply now” link, thus eliminating the need for applicants to re-enter their data. The type of technical connection StepStone chooses to implement depends on the customer’s system. StepStone will notify the customer in writing and in advance of the planned implementation of the technical connection.

2.10.

If an application has been transmitted to the Customer’s account within the StepStone Recruiter Space in accordance with Section 2.9.2, the Customer can view the application there and also enter notes on the respective candidate and, if necessary, depending on the functionality, record the status of the application and communicate with the applicant. Within the scope of this service, StepStone processes personal data on behalf of the customer within the meaning of Art. 28 GDPR; the additional terms and conditions for commissioned processing in section B of these GTC shall apply.

2.11.

In connection with the application, the Customer may also access any candidate profile the applicant might have via applicant administration. However, the candidate profile can only be accessed as long as it is active, that is, if the applicant changes their settings or deletes their profile, it is no longer possible to access the profile. Applicant data sent by the applicant is not affected as a result. The services described herein are not carried out as data processing; StepStone merely provides the content stored by the applicant on the StepStone platform and remains the responsible party under data protection law. Insofar as the Customer uses this data, the Customer may become an additional responsible party.

2.12.

In order to improve compatibility of an advert across all devices, StepStone reserves the right to change the layout of the advert accordingly. We reserve the right to convert advertising content that is not transmitted in http format to https format. We temporarily store http contents sent to us and delete them upon conversion. StepStone strives to ensure user-friendly readability on all devices by optimizing the display of the advert.

 

3. Applicant database:

3.1.

stepstone.at offers Customers password-protected access to the database for job seekers (hereinafter referred to as the “applicant database”), in which all current candidate profiles are collected for a separate fee. This enables Customers to contact the candidates individually via stepstone.at.

Depending on the candidate’s choice, candidate profiles can be accessed either in a form in which only certain data is disclosed (“partially active profile”), or in such a way that all data from their profile can be viewed directly in the database (“open profile”). Customers who book access to the applicant database may directly view personal data associated with open profiles in the database and enter a message, and a contact request in the case of anonymous profiles, which StepStone then forwards to the candidate by e-mail.

3.2.

Furthermore, the Customer may save comments in its account as a free additional service related to candidates whose profiles it can view anonymously or publicly. These comments are stored and processed by StepStone on behalf of the Customer within the meaning of Art. 28 GDPR subject to the relevant data processing agreement in Part B of these . For the sake of clarity, other services provided within the scope of the applicant database are not provided as a contract processor. In such cases, stepstone.at merely provides content saved by the applicant at stepstone.at and remains the controller for data protection purposes. The Customer may be an additional controller to the extent it uses such data. If a candidate deletes or deactivates their candidate profile, the candidate profile may no longer be accessed and comments saved in accordance with Part A Section 3.2 may likewise no longer be accessed.

3.3.

The Customer undertakes not to disclose personal data of candidates, unless this is necessary to fill a specific vacancy, to treat such data confidentially and to comply with all data protection regulations. Candidate data may only be processed in connection with the filling of a specific vacancy and candidates may only be contacted for this purpose. StepStone assumes that retention is necessary for a maximum of 12 months, also taking into account the defence of potential discrimination claims, so that the Customer undertakes to delete any data related to data subjects it stores that it received from StepStone no later than 12 months after access to the data. StepStone reserves the right to block the Customer’s access in the event of non-compliance.

The Customer is aware that special rules apply to the transfer of data from outside of the European Union or the EEA. Accordingly, the Customer shall only transfer personal data to third countries in accordance with the provisions of Articles 44-49 GDPR.

3.4.

The contract for authorization to access the applicant database is concluded once StepStone has confirmed the order in writing. The written form requirement is also satisfied by sending a fax or an e-mail.
The Customer is bound by any order it places. Upon receipt of the respective order by StepStone (whether in writing, by fax or by e-mail), the Customer may not revoke (cancel) its order.

3.5.

The Customer acknowledges that it must protect its password-protected access from third parties, in particular that it must keep the password secret and not disclose it to third parties. The Customer shall indemnify and hold stepstone.at harmless from and against any and all damages incurred by stepstone.at as a result of actions taken by the Customer within the scope of the Customer’s use of the applicant database.

3.6.

Right of refusal:

Sending contact requests to job seekers within the context of access to the applicant database is prohibited in cases where dubious content is sent, content is morally objectionable, or stepstone.at cannot reasonably be expected to tolerate the content concerned on other grounds. The Customer is obliged to comply with the relevant data protection regulations in connection with its access. In the event of non-compliance and/or the occurrence of the cases/violations referred to above, stepstone.at is entitled to cease performance and block access without prior warning to the Customer. In such cases, the Customer will be informed without undue delay and it shall not be entitled to assert any claims against stepstone.at in the event stepstone.at ceased performance on legitimate grounds.

 

4. Company Hub

Customers can create a company hub. A company profile for the customer may be published in the Company Hub. StepStone provides input fields that the company can fill out itself. The Company Hub is visible to users for as long as the company has a listing online. If a company whose listing is online does not create a Company Hub, StepStone reserves the right to fill in the input fields with publicly accessible company information itself, unless the company expressly objects.

Links to pages and contents of competitors, or the use of content from competitors of StepStone, are not permitted unless the customer is a competitor of StepStone itself and links to its own content.

 

5. StepStone Emotions

5.1.

StepStone Emotions brings the customer’s company to life for its business partners, employees, and potential applicants. StepStone Emotions consists of photo and video products of the customer’s company. The everyday life of the company, the working environment and/or the workplaces of the customer as well as its employees and vacant positions in its company can be presented.

5.2.

StepStone produces the particular product variant selected by the customer independently or through third parties commissioned by StepStone and provides the customer with the finished product variant in accordance with the product-specific right of use. The recordings for the creation of StepStone Emotions take place at the time agreed with the customer (“Recording Date”) at the location agreed with the customer (“Recording Place”).

5.3.

The editing of the photo and video recordings takes place after the Recording Date. Editing does not go further than post-processing the photos based on the image parameters and minor corrections, such as removing minor image spots or shadows. In the case of video creation, editing includes technical work, in particular editing of individual sequences of video and audio. The customer acknowledges StepStone’s creative and editorial freedom in the creation of photos and videos. There is no claim to post-processing of the photos and videos unless this has been specifically agreed or is listed within the scope of these GTC.

5.4.

StepStone Emotions – Lite includes a video tour, a JobPitch, and the creation and supply of photographs.

5.4.1.

During the video tour, the customer’s premises are filmed. The focus is on the customer’s workplaces and environment. Tour videos are provided via an embedded link.

5.4.2.

With the JobPitch video, the presentation of a vacant position in the customer’s company is filmed. The focus is on the company and job description. JobPitch videos are provided via an embedded link.

5.4.3.

StepStone will produce 20 photos at the customer’s premises that portray the workspace. Photo products are provided in JPEG format.

5.5.

The StepStone Emotions – Pure product includes an Insight film and an Image film. 

5.5.1.

The Insight film portrays the customer’s company. The Insight film is created on the basis of a script individually designed for the customer. Insight films are provided via an embedded link.

5.5.2.

The image film will portray the client’s company in an expressive and authentic way. The image film is created on the basis of a script individually designed for the customer, with the cooperation of the customer. The focus is on the company, its aims, employees and the way the company works. The image film is provided in MP4 format.

5.5.3.

In the case of StepStone Emotions – Pure Video Products, the customer is given the opportunity to submit change requests to StepStone within a period of thirty (30) days from the time the final video is provided to the customer by StepStone. After providing the corrected video (“1st correction run”), StepStone implements further change requests of the customer made within a period of fourteen (14) days following the 1st correction run (“2nd correction run”).

5.6.

5.6.1.

StepStone is the originator of the photo and video products and the holder of all associated exploitation and usage rights. StepStone reserves the right to subsequently edit the photo and video products, in particular to cut videos into individual/smaller parts and to reassemble them and/or truncate them as well as to alter image sections of photos.

5.6.2.

As the rights holder, StepStone is entitled to grant sublicenses. However, StepStone undertakes not to license the photo and video products to third parties for use. No third parties are companies affiliated with StepStone, in the sense of §§ 15 ff. AktG.

5.6.3.

StepStone uses the photo and video products for internal and external purposes. External purposes include showing the products to other customers as an example of results, as well as at career fairs. Video sequences of several customers can be combined.

5.6.4.

StepStone publishes photo and video products on StepStone websites, in particular on the Company Hub and in the customer’s job adverts.

5.6.5.

StepStone grants the customer the right to use the photo and video products in the provided form according to the product-specific right of use agreed upon in the individual contract. The right of use is unlimited in time and applies to the final file or version.

5.6.6.

Excluded from the right of use is the alteration and/or retrospective editing of the photos and videos. In particular, the customer is not permitted to cut videos into smaller parts and reassemble and/or shorten them.

5.6.7.

The customer is not entitled to grant sublicenses to third parties. Third parties shall not be companies affiliated with the customer within the meaning of §§ 15 ff. AktG.

5.7.

5.7.1.

The customer undertakes to ensure that all persons shown on the recordings have an effective legal basis for the use of their recordings. The legal basis must include in particular the use in accordance with Part A Clause 6.6.3. of these Terms and Conditions. In addition, the customer must ensure that no rights of third parties are infringed at the place of recording or on objects at the place of recording or that corresponding permits have been granted.

5.7.2.

The customer is not entitled to grant sublicenses to third parties. Third parties shall not be companies affiliated with the customer within the meaning of §§ 15 ff. AktG.

5.7.3.

The customer guarantees to hold the right of use and/or the right of exploitation as well as other intellectual property rights to the materials provided.

5.7.4.

The Customer warrants that the photographs shall not include any information concerning the Customer’s products and their manufacture or any other confidential information which the Customer’s employees are obliged to keep secret (“commercial secrets”). The customer waives any claims arising from the publication of such information.

5.7.5.

The customer agrees to indemnify and hold StepStone harmless from and against any third-party claims that may arise from a breach of the aforementioned contractual obligations and warranties of the customer.

 

6. Prices

6.1.

Unless otherwise agreed in writing, the stepstone.at prices are based on the then-applicable price lists available online at “www.stepstone.at”. The price list published online by stepstone.at the time the Customer’s enquiry is received is decisive.

6.2.

All prices quoted by stepstone.at are net prices excluding all taxes.

 

7. Terms of payment:

7.1.

stepstone.at issues invoices immediately after commissioning and sends them to the Customer. In addition to the company address, the billing address shall also be the address provided by the Customer when the contract was concluded. Invoices are payable immediately upon receipt. Payments with the effect of discharging obligations to stepstone.at may only be made to the account indicated in the stepstone.at invoice. The credit memo to the account indicated to stepstone.at is decisive for purposes of determining timeliness of payment.

7.2.

To the extent not otherwise agreed, all payments must be made immediately after receipt of the invoice free of any charges or deductions.

7.3.

VAT is to be paid in full based on the price after invoicing, if other terms of payment have also been agreed for payment of the purchase price. The Customer is required to abide by laws governing VAT.

7.4.

In the event of a failure to comply with the payment target, stepstone.at is entitled to charge default interest and compound interest in the amount of 12% p.a. Each dunning notice shall be subject to a fee of € 30.00 plus VAT. In the event of default, the Customer shall be obliged to reimburse not only default interest but also all other court-related and non-court related costs of collection, including the costs of any lawyer engaged by stepstone.at. In addition, any additional damages, including without limitation damages resulting from higher interest rates imposed on stepstone.at credit accounts as a result of the default in payment, must be compensated regardless of fault for the default in payment. Claims asserted against the Customer do not entitle the Customer to withhold agreed payments.

7.5.

In the event of default in payment, any discounts granted to the Customer shall lapse.

7.6.

The Customer may not set-off any counterclaims or exercise any rights of retention – regardless of grounds – absent express agreement.

7.7.

In the event of default of payment or insolvency of the Customer, stepstone.at is entitled to temporarily suspend performance of its contractual obligations until complete payment of all opening invoice amounts. In such cases stepstone.at is also entitled to make advance payment a condition for the provision of services in the case of follow-up contracts. Furthermore, stepstone.at is entitled to revoke the contract in such cases without need to set a grace period.

 

9. Content Notification System and Moderation

9.1.
As part of its legal obligations, Stepstone has introduced an electronic notification and complaint procedure to review suspected illegal content published by third parties on the platform operated by Stepstone. In this respect, users of our platform are free to report third-party content if they are convinced that the notified content is a violation of legal regulations (illegal content) and/or the published content violates our general terms and conditions and/or terms of use.

9.2.
If, after reviewing a notification, it is determined that the reported content does not comply with the applicable legal requirements and/or violates the provisions of these General Terms and Conditions, Stepstone reserves the right to block, remove or otherwise restrict access to the notified content (“moderation measure”). The same applies to content that Stepstone categorises as illegal and/or in conflict with the General Terms and Conditions on the basis of a voluntary investigation and review. However, Stepstone is not obliged to review the content provided in general.

9.3.
Stepstone reserves the right to suspend the processing of a notification if, after careful examination of all circumstances, it is obvious that the reporting person has engaged in abusive behaviour. Such misuse exists in particular if the reporting person repeatedly uses the reporting function for a large number of cases and the review by Stepstone shows that there is no justified reason for the report. Stepstone will inform the reporting person, as far as technically possible, about the suspension of processing.

 

10. Complaints procedure after moderation decision

10.1.
If the person or organisation concerned does not agree with a decision made on the basis of a report via the notification function set up, they generally have the option of submitting a complaint via the internal complaints management procedure set up by Stepstone. The same applies to moderation measures taken on the basis of a voluntary review of the content provided.

10.2.
Access to the complaints procedure is available to persons and organisations (“complainants”) who have reported allegedly unlawful content, but no moderation measures have been taken by Stepstone. There is also access in cases in which the complainant is affected by a specific moderation measure, such as the temporary removal of published content.

10.3.
The person affected has the right to file an internal complaint for a period of six months from the date of Stepstone’s decision on the reported content.

10.4.
Stepstone reserves the right to suspend the processing of a complaint if, after careful consideration of all circumstances, it is obvious that the complaint is being abusively filed by the complainant. In particular, such abuse occurs where the complainant repeatedly raises the complaint for a large number of cases and Stepstone’s review shows that there is no legitimate reason for the complaint. Stepstone will, to the extent technically feasible, inform the complainant of the suspension of processing.

 

11. Warranty, compensation for damages, rescission on grounds of mistake:

11.1.

StepStone.at provides the Customer the opportunity to access its own services as well as those of its national and international partners within the framework of the partner network “The Network”. StepStone.at does not guarantee the accuracy of data provided by job seekers within the scope of its services. stepstone.at makes every effort to provide the services offered around the clock. The Customer acknowledges and agrees that StepStone.at cannot guarantee 100% uninterrupted availability of the services due to external factors beyond its control.

11.2.

The warranty period is six months. Publication must be examined by the Customer without undue delay, at the latest within three days of publication, subject to notice of the type and scope of any defects. Observable defects must be reported in writing to stepstone.at subject to the exclusion of any other claims upon a failure to do so. If a complaint is not made or is not made in time, the advert is deemed to have been approved. The assertion of warranty or damage claims, as well as the right to claim rescission on grounds of a mistake, are excluded in such cases.

11.3.

stepstone.at reserves the right to satisfy the warranty claim by means of cure/replacement or a price reduction at its option. Price reduction or conversion can only be demanded if no further attempt at cure is reasonable for the Customer.

11.4.

Liability on the part of stepstone.at is limited to damages related to the job advert itself, whereby stepstone.at is not liable for damages caused by the partners mentioned in Section 7.1. Liability on the part of stepstone.at for consequential damages, lost profits and other indirect damages is excluded. For all other purposes, liability on the part of stepstone.at for damage due to simple or gross negligence is excluded. Any claims for damages must be asserted in court within six months of the occurrence of the damage; they are otherwise time-barred.

11.5.

The job adverts by stepstone.at are based exclusively on the self-disclosure provided by the Customer and are not checked by stepstone.at as to the accuracy of their content. stepstone.at can therefore not be held liable for incorrect information. The Customer is therefore solely responsible for the accuracy and lawfulness of text and images it has provided for publication of the adverts.

11.6.

Since the Customers use a log-in name and a password, they bear responsibility for them themselves and are liable for damages resulting from misuse or loss.

11.7.

Maintenance, updates or similar work will be done by stepstone.at, if possible, so that downtime does not occur. This work will be announced in the network to the extent possible. No claims may be asserted against the operator in the event of an interruption regardless of grounds. Interruptions in transmission resulting from network outages over which stepstone.at has no control as well as interruptions in transmissions based on a force majeure event, may not be asserted as the basis for claims against stepstone.at.

 

12. Place of jurisdiction and applicable law

12.1.

The exclusive jurisdiction of the competent courts in Vienna is agreed for any and all disputes arising under or in connection with a contractual relationship in which stepstone.at is involved as a Customer.

12.2.

The parties agree that this agreement is exclusively governed by Austrian law with express exclusion of the United Nations Convention on Contracts for the International Sale of Goods. The contract, order, complaint and business language shall be German.

 

13. Miscellaneous:

13.1.

Should any of these General Terms and Conditions of Business be wholly or partially invalid, the remaining provisions shall remain unaffected thereby. Any such invalid provision shall be deemed to have been replaced by a valid provision that comes as close as is legally possible to achieving the intended commercial purpose of such invalid provision.

13.2.

There are no verbal agreements in place. Any and all modifications, subsequent additions, and ancillary agreements shall be invalid unless made in writing. This applies likewise to any waiver of this written form requirement.

13.3.

The Customer must immediately provide notice of changes of address in writing. Documents are deemed to have been received by the Customer if they were sent to its last known address.

13.4.

The Customer gives its express consent, which may be revoked at any time, to be informed at any time when StepStone uses contact details it has provided to StepStone for marketing purposes.

13.5.

StepStone reserves the right to amend specific provisions of this agreement. stepstone.at will publish any such changes on its website and will thus give the Customer the opportunity to terminate the contract at the end of the month on one month’s notice, whereby written form is deemed to have been agreed. If the Customer does not exercise this option to terminate the contract, this shall be deemed to be consent to the respective changes.

13.6.

The contract conditions are intended for entrepreneurs as Customers. If, however, the Customer is a consumer, these terms and conditions shall only apply to them to the extent they do not conflict with mandatory provisions of consumer protection law.

13.7.

Where individual performance elements relate to a performance comparison, average values are relevant. The ratio is determined by taking the average of a significant number of products without the relevant performance element in relation to those with the relevant performance element.

 

B. Supplemental terms for contract data processing

1. Processing of personal data by Stepstone on the Customer’s behalf – Data Processing Agreement (DPA)

1.1.

Within the scope of clauses 1.1.1. and 1.1.2. of this DPA, Stepstone processes personal data on behalf of the Customer within the meaning of Art. 28 of the General Data Protection Regulation (“GDPR”):

1.1.1.

Stepstone processes personal data on behalf of the Customer to the extent that the comment function of the Stepstone Direct Search Database is used by the customer. With the help of the Direct Search Database, it is possible for the Customer to view profiles of Candidates and, in particular, to save comments on the respective profiles. Stepstone only processes personal data on behalf of the Customer in the event that the comment function is used (storage of the respective comments on a Candidate’s profile). In addition, it is stated that the further services within the scope of the DirectSearch Database are not carried out as data processing under this DPA; in this case, Stepstone merely provides the content stored by Candidates at Stepstone and remains the person responsible under data protection law. Insofar as the Customer uses this data, it shall become a further data controller, if applicable.

1.1.2.

In the Stepstone Customer Center, the customer can create a customer account that can also be accessed by several of the customer’s users. In the Stepstone Customer Center, the customer can create job advertisements and publish them on the Stepstone platform. When candidates apply for these positions via the Stepstone platform, these applications are sent to the Stepstone Customer Center to be managed by the client. As part of this application management, the customer can create notes about the applicants in the customer account, make the applications accessible to members of the customer’s organization, send messages, arrange job interviews, as well as reject and accept candidates.

1.2.

Stepstone processes personal data only under a contract and in accordance with the Customer’s documented instructions, unless a derogation within the meaning of Art. 28 (3) (a) GDPR applies.

1.3.

Contract data processing is performed exclusively in Member States of the European Union or in another Contracting State to the Agreement on the European Economic Area, unless instructions to the contrary have been issued and transmission is permitted in accordance with the provisions of Art. 44 to 49 GDPR.

1.4.

The duration of the commissioned processing corresponds to the duration of the use of the respective services. With regard to comments added by the Customer to profiles of candidates within the scope of the comment function pursuant to Section 1.1.1. of this DPA, the duration of the commissioned processing corresponds to the duration of the application process, with the data being deleted by the system 12 months after receipt of an application.

With regard to the personal data of the candidates within the framework of the Stepstone Customer Center in accordance with Section 1.1.2 of this DPA, these will be deleted 3 months after the end of the application process, but no later than 6 months after receipt of the respective application, if there are no indications for the termination of the application process.

1.5.

In this context, the data subjects are individuals who apply for Customers’ jobs and whose applications are processed within the Stepstone Customer Center or those whose User Profiles Customers can add their own comments to.

1.6.

In the case of the comment function pursuant to section 1.1.1. of this DPA, such additional personal data about candidates that the Customer has obtained about candidates and added to the profiles will be processed.

Within the Customer Center, the personal data of the candidates is processed, which they provide to the customer with their application. This includes, in particular, name, contact details and their CV, as well as other notes on the candidates, which the customers make for the respective candidates within the Stepstone Customer Center, as well as the application status.

1.7.

The processing of personal data in the cases referred to in sections 1.1.1 and 1.1.2 is carried out for the purpose of organising the application process and to facilitate the application management for the customer.

 

2. Obligations of the Customer as client

2.1.

Pursuant to Art. 4 No. (7) GDPR, the Customer is the controller under data protection law for personal data collected and processed by Stepstone in accordance with the terms of the contract.

2.2.

The Customer shall comprehensively inform Stepstone without undue delay if it discovers errors or irregularities with regard to data protection regulations when reviewing the results of the processing.

2.3.

The Customer shall keep a record of processing activities pursuant to Art. 30 (1) GDPR.

 

3. Duties of Stepstone as contractor

3.1.

Stepstone shall inform the Customer without undue delay if Stepstone is of the opinion that an instruction from the Customer breaches applicable laws. Stepstone may suspend implementation of the instruction until it has been confirmed as being permitted or modified by the Customer.

3.2.

Stepstone shall comply with the provisions of this data processing agreement and relevant applicable data protection laws, in particular the GDPR.

3.3.

Stepstone shall take appropriate organisational and technical measures in accordance with the relevant data protection laws, including the GDPR and in particular Art. 32 thereof, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, nature, scope and purpose of processing as well as the likelihood of occurrence and severity of the risk. These protective measures are recorded in the overview of technical and organisational measures, which can be referred to in Annex 2. The technical and organisational measures are subject to technical progress and further development. In this respect, Stepstone is required to check the effectiveness of the measures and adapt them accordingly as technology progresses. Alternative protective measures are permitted as long as they do not fall below the protective level of the defined measures. Significant changes must be documented and reported to the Customer without undue delay. If the measures are changed in such a way that, from the Customer’s point of view, Stepstone cannot guarantee equivalent or higher protection of the data, the Customer has the right to extraordinary termination after unsuccessful issuance of instructions with regard to the services covered by these additional conditions for contract data processing. The same applies if notice of such changes is not provided.

3.4.

Stepstone shall provide the Customer with the information necessary for the record of processing activities pursuant to Art. 30 (1) GDPR and shall keep a separate list of all categories of processing activities carried out on behalf of the Customer pursuant to Art. 30 (2) to (5) GDPR.

3.5.

All persons who can access personal data processed on behalf of the Customer in accordance with the Customer’s contract shall be bound to confidentiality in accordance with Art. 28 (3) (b) GDPR and shall be informed of the special data protection obligations resulting from the contract as well as the existing binding instructions and/or purpose.

3.6.

Stepstone is required to appoint a company data protection officer. The current contact details are easily accessible from Stepstone’s website.

3.7.

Stepstone guarantees protection of data subject rights and supports the Customer to the necessary extent in responding to requests to exercise data subject rights pursuant to Art. 12 – 23 GDPR. Stepstone shall inform the Customer without undue delay if a data subject contacts Stepstone directly for the purpose of providing access, rectification, erasure or restricting the processing of their personal data.

Stepstone shall support the Customer in carrying out data protection impact assessments pursuant to Art. 35 GDPR and the resulting consultation of the supervisory authority pursuant to Art. 36 GDPR to the necessary extent. Stepstone shall support the Customer with regard to compliance with reporting and notification obligations in the event of data protection breaches within the meaning of Art. 33 and 34 GDPR.

3.8.

Stepstone shall inform the Customer in text form without undue delay in the event of operational disruptions, suspected personal data breaches pursuant to Art. 4 No. 12 GDPR in connection with data processing or other irregularities in the processing of the data for the Customer. In consultation with the Customer, Stepstone shall take appropriate measures to secure the data and to minimize possible adverse consequences for data subjects insofar as the personal data breach was Stepstone’s responsibility.

3.9.

In the event that the data protection authorities investigate Stepstone, the Customer must be informed without undue delay to the extent the investigation relates to the subject matter of the contract.

3.10.

In the event that Stepstone intends to process data from the Customer – including transfer to a third country or an international organisation – without having been instructed to do so by the Customer, i.e. because Stepstone is required to do so pursuant to Art. 28 (3) first sentence (a) GDPR, Stepstone will inform the Customer without undue delay of the purpose, legal basis and data concerned, unless and to the extent that such a notification is prohibited by law.

 

4. Audits including inspections

4.1.

Stepstone shall provide the Customer all necessary information to verify the obligations set out in the contract. Stepstone shall permit the Customer to conduct audits, including inspections in accordance with Art. 28 (3) (h) GDPR, before the commencement and during the term of this agreement after reasonable prior notice and during normal business hours (9:00-18:00). The Customer is entitled to satisfy itself directly, or through suitable third parties bound to professional secrecy, of the observance of the technical and organisational measures before commencement and during contract data processing, after timely notification at the business premises during normal business hours without disturbing the course of business. The result of these audits shall be documented and signed by both parties.

4.2.

As verification of the technical and organisational measures, Stepstone may also submit current certificates, reports or report extracts from independent bodies (e.g. auditors, internal auditors, data protection officers, IT security department, data protection auditors, quality auditors) or a suitable certification by IT security or data protection audit (e.g. in accordance with BSI baseline protection).

 

5. Additional processors

5.1.

By placing the order, the subcontracted processors listed in the subcontractor list available under Appendix 1 below are approved. Stepstone may place orders with additional order processors (subcontractors) by informing the customer in advance about the addition or substitution of new subcontractors by notifying the customer in text form about the change in the subcontractor list and the customer does not raise an objection within 4 weeks. In the event of an objection, Stepstone is entitled to discontinue the services outlined in clause 1.1.1. and 1.1.2. of this DPA.

5.2.

Stepstone will impose the same data protection obligations on the subcontractors as those set out in this data processing agreement, so that the processing complies with the requirements of the GDPR.

5.3.

Further outsourcing by the subcontractor requires the express consent of the primary contractor (at least in text form); all contractual provisions in the contract chain must also be imposed on the additional subcontractor.

5.4.

Services used by third parties as ancillary services to assist in the execution of the contract processing shall not be deemed to be subprocessors. These include, for example, telecommunications services, maintenance and User service, cleaning staff, inspectors or the disposal of data media. Stepstone is, however, required to make appropriate and lawful contractual agreements as well as take control measures with such service providers for the assurance of the protection and security of the Customer’s data; this also applies to outsourced ancillary services.

 

6. Erasure and return

Stepstone will delete the personal data in accordance with Section 1.4 or at the request of the Customer. 

 

Annex 1 to the Data Processing Agreement – Sub-contractor list

StepStone’s sub-contractors listed below are deemed to have been approved upon placement of the order:

 

Company: The Stepstone Group GmbH
Address: Axel-Springer-Str. 65, 10969 Berlin, Germany
Services:
– Hosting and related security services
– Back-up services
– Customer service & troubleshooting support
– Hosting and related security services

Company: The Stepstone Group EMEA GmbH
Address: Völklinger Straße 1, 40219 Düsseldorf, Germany
Services:
– Back-up services
– Customer service & troubleshooting support
– Hosting and related security services

Company: The Stepstone Group Belgium NV
Address: Wolstraat 70 Rue aux Laines, 1000 Brussel, Belgium
Services:
– Back-up services
– Customer service & troubleshooting support

Company: The Stepstone Group Polska sp. z o.o.
Address: ul. Domaniewska 50, 02-672 Warsaw, Poland
Services:
– Customer service-Troubleshooting support

 

 

Annex 2 to the Data Processing Agreement – Overview of technical and organizational measures

Technical and organisational measures

1. Confidentiality (Art. 32(1)(b) GDPR)

1.1.

Entry control
No unauthorised access to the data-processing facilities, e.g.: Magnet or chip cards, keys, electric door openers, site security or porter, alarm system, CCTV;
The data centres have a multi-layered security structure. The exterior areas of the data centres are equipped with high-security fences and walls. The entrances are protected by security personnel 24 hours a day, seven days a week. The facilities are monitored by security cameras. Access to the server rooms is secured by magnetic cards. The systems are stored in locked server cabinets.
Comprehensive security measures are also in place at the respective Stepstone sites. Access is only possible by means of magnetic cards and visitors must be granted special access.

1.2.

System access control
No unauthorised system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media;
The Customer can only access the data processed on its behalf after logging into the customer area using the password it has specified. Stepstone only stores the log-in details in encrypted form.
By default, the data flow between users and the system is end-to-end encrypted using the Transport Layer Security (TLS) protocol.
Stepstone has an internal password policy for its employees that requires, among other things, that passwords must be at least eight characters long and be changed regularly, must not be identical or similar to the user name, must contain at least three of the four following characters: i) upper-case letters, ii) lower-case letters, iii) digits, iv) symbols.

1.3.

Data access control
No unauthorised reading, copying, changing or removal within the system, e.g.: authorisation concepts and needs-driven access rights, logging of access;
The access rights of the Customer are strictly limited to data that is actually processed on behalf of the respective Customer. Only specifically defined Stepstone personnel can access data that is processed on behalf of the Customer, provided this is required for system administration and customer service purposes at the request of the respective Customer.
The system logs all events related to data processing on behalf of the Customer.

1.4.

Separation control
Separate processing of data collated for separate purposes, e.g. multi-client capability, sandboxing;
The Stepstone customer centre is multi-client capable, so that every single logged in Customer can only see the data that is connected to its account.

1.5.

Pseudonymisation (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)
The processing of personal data such that it cannot be allocated to a specific data subject without using additional information, provided this additional information is stored separately and is subject to corresponding technical and organisational measures;
Not relevant, as the Customer requires non-pseudonymised access to the data.

 

2. Integrity (Article 32(1)(b) GDPR)

2.1.

Transfer control
No unauthorised reading, copying, changing or removal on electronic transfer or transport, e.g.: Encryption, virtual private networks (VPN), electronic signature;
All data sent over publicly accessible networks is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

2.2.

Data entry control

Establishing whether and by whom personal data was entered into, amended on or removed from data processing systems, e.g.: logging, document management
The Stepstone system logs the activities of each log-in and log-out as well as any processing, addition, modification and deletion of data by the respective user, as well as the relevant time (by time stamp).

 

3. Availability and resilience (Art. 32(1)(b) GDPR)

Availability control
Protection against accidental or wilful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), anti-virus protection, firewall, reporting channels and emergency plans;
Anti-virus programs and firewalls are used.
The hosting environment is equipped with fire detectors, water leakage detectors and raised floors. Temperature and humidity are constantly monitored to maintain predefined values. There is an uninterrupted power supply for at least 72 hours.

3.2.

Rapid recoverability (Art. 32(1)(c) GDPR)
Rapid recoverability is ensured via

– Backup procedures;
– Uninterruptible power supply (UPS);
– Segregated storage;
– Virus protection and firewalls;
– Contingency plans and crisis planning;
– Employee training;

 

4. Process for regular testing, assessment and evaluation (Art. 32(1)(d); Art. 25(1) GDPR)

4.1.

We organize regular audits with external service providers to check our data security standards and processes. Network penetration tests are carried out regularly.

4.2.

We track and verify protocols at two levels before the request reaches our application servers. This is done on a firewall and a web application firewall level. This allows us to analyse and block any unusual queries to the database at the data provisioning level, preventing SQL injection attempts. The system itself logs incorrect log-on attempts if the request was made by firewall and WAF.

4.3.

Our data protection measures are continuously reviewed in a PDCA cycle.

 

C. Processing of personal data by Stepstone and the customer under joint controllership within the meaning of Article 26 (1), first sentence GDPR

1. Purpose of this joint controllership arrangement

1.1.

This arrangement governs the rights and obligations of the controllers (hereinafter also referred to as “Parties”) when jointly processing personal data. This arrangement relates to all activities where employees of the Parties or processors they have commissioned process personal data for the controllers. The Parties jointly determine the means and purposes of the processing activities detailed below.

1.2.

In order to select and manage suitable applicants for one or more jobs advertised by the customer, personal data is processed in the Stepstone applicant tracking system. Depending on the process stage, such processing takes place in the Stepstone Recruiter Space as referred to in Part In this respect, the Parties determine the process stages in which personal data is processed under joint controllership (Article 26 GDPR).

1.3.

For the remaining process stages, where the purposes and means of individual phases of the data processing are not jointly determined, each contracting party is a single controller within the meaning of Article 7 No. 4 GDPR. Insofar as the contracting parties are joint controllers within the meaning of Article 26 GDPR, the following arrangements apply:

 

2. Areas of activity of the Parties

2.1.

Under joint controllership, Stepstone is responsible for the processing of personal data pertaining to users registered for Stepstone in the context of the application process for jobs advertised by the customer (area of activity A). The data that is processed, the legal basis for which in accordance with Article 6 (1) lit. b GDPR is the contract with users registered for Stepstone, is all personal and personally identifiable data, which has been given and transmitted by applicants. This generally encompasses all CV-related data, such as name, address, telephone number, date of birth and details concerning education and professional experience.

2.2.

Under joint controllership, the customer is responsible for the processing of personal data pertaining to applicants after applications are received in the Recruiter Space (area of activity B). The legal basis for this processing, in accordance with Article 6 (1) lit. a GDPR is the applicant’s consent to the processing of their application. The data that is processed is all personal and personally identifiable data, which has been given and transmitted by applicants. This generally encompasses all CV-related data, such as name, address, telephone number, date of birth and details concerning education and professional experience. Furthermore, data captured by the customer regarding the application may be added to such data. This includes information that the customer enters when using the comment function or note function or by assigning an application status, and where the Video Interview Service is used, a) the recorded applicant videos, when an application video is created by the applicants in accordance with Part B, clause 9.1 lit. a of these GTC, or b) the e-mail address and name of the applicant for conducting a live interview in accordance with Part B, clause 9.1 lit. b of these GTC.

 

3. Lawfulness of data processing

Each Party warrants compliance with the statutory provisions, in particular the lawfulness of the processing it also carries out under joint controllership. The Parties will take all technical and organisational measures necessary to ensure that the rights of data subjects, in particular within the meaning of Articles 12 to 22, can be or are satisfied within the statutory periods of time.

 

4. Data minimisation

The Parties will ensure that only personal data is collected which is absolutely necessary for the lawful handling of the process and for which the purposes and means of processing are prescribed by Union law or the law of the Member States. For the rest, both contracting parties will observe the principle of data minimisation within the meaning of Art. 5 (1) lit. c GDPR.

 

5. Rights of data subjects

5.1.

The Parties undertake to make available to data subjects, free of charge, the information required under Art. 13 and Art. 14 GDPR in a concise, transparent, easy to understand and easily accessible manner and in clear and plain language. The Parties agree that Stepstone will provide such information with regard to the processing of personal data in area of activity A and the customer will provide such information with regard to the processing of personal data in area of activity B.

5.2.

Data subjects are able to assert the rights afforded to them by Art. 15 to Art. 22 GDPR against both contracting parties. Where a data subject, in exercising their rights as a data subject, contacts one of the Parties, in particular with a view to obtaining, rectifying and deleting their personal data, the Parties undertake to forward this request without undue delay to the other Party, irrespective of any obligation to satisfy the data subject’s rights.

5.3.

The Parties undertake to fulfil the obligation to provide information as referred to in Art. 15 GDPR and to make available to data subjects, upon request, the information to which they are entitled under Art. 15 GDPR. As a matter of principle, the information will be given to data subjects by the contracting party to which the request was made. Where necessary, the Parties will make available to each other the necessary information from their respective area of activity. The point of contact of the respective Party responsible in this respect is a person from the respective Party’s organisation who is tasked with data protection. Any change to the respective point of contact must be notified to the other Party without undue delay. The Parties are also deemed to have fulfilled their obligation under the fifth sentence, when the person tasked with data protection as indicated in the privacy policy or legal notice of a Party is contacted.

5.4.

Where personal data is to be deleted, the Parties will notify each other beforehand. The respective other Party may object to the deletion where a legitimate reason exists, for instance where it is subject to a statutory obligation to retain the data.

 

6. Obligations to inform each other

The Parties will inform each other without undue delay and in full, if they discover errors or irregularities with respect to data protection provisions when auditing processing activities or the results of contract data processing.

 

7. Making available of this arrangement

The Parties undertake to make available to data subjects in accordance with Art. 26 (2) GDPR the essence of this arrangement on joint controllership. Stepstone will make a current version of this arrangement publicly available at https://www.stepstone.de/e-recruiting/allgemeine-geschaftsbedinungen/.

 

8. Notification and communication

Both Parties are subject to the obligations arising from Art. 33 and 34 GDPR to notify the supervisory authority of a personal data breach and to communicate a personal data breach to the data subject for their respective area of activity. The Parties will inform each other without undue delay of any notification of a personal data breach to the supervisory authority and will forward to each other the information required for conducting the notification.

 

9. Data protection impact assessment

If a data protection impact assessment within the meaning of Art. 35 GDPR is required, the Parties will assist each other in this respect.

 

10. Documentation and storage obligations

10.1.

Documentation that demonstrates compliance within the meaning of Art. 5 (2) GDPR is to be stored by each Party in accordance with their legal powers and obligations to do so beyond the end of the contract.

10.2.

The Parties have their own responsibility for ensuring that they comply with all statutory retention obligations in place in relation to the data. To this end, they are to take appropriate data protection precautions (Art. 32 ff. GDPR). This applies in particular in the event that the collaboration comes to an end.

10.3.

When the main contract comes to an end, Stepstone will delete the data contained in the applicant tracking system, no later than one year after the application was received in the applicant tracking system. The customer may ask Stepstone at any time to delete data in its own area of activity. Stepstone will perform the deletion without undue delay, unless Stepstone is authorised or obligated to retain the data.

 

11. Data secrecy and confidentiality of data

The Parties will ensure, within their area of activity, that all employees involved in the data processing maintain the confidentiality of the data in accordance with Articles 28 (3), 29 and 32 GDPR in the period in which they are employed as well as after their employment comes to an end and that said employees, before commencing their work, will be accordingly obligated to data secrecy and instructed in the data protection provisions that are relevant to them.

 

12. Privacy by design and technical and organisational measures

12.1.

Systems are to be implemented, operated and configured with default settings taking into account the specifications of the GDPR and other rules and regulations, in particular taking into account the principles of privacy by design and by default and using suitable, state-of-the-art technical and organisational measures.

12.2.

The Parties shall take suitable organisational and technical measures in accordance with the relevant data protection laws, including the GDPR and in particular Art. 32 thereof, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, type, scope and purpose of processing as well as the probability of occurrence and severity of the risk. The technical and organisational measures are subject to technical progress and further development. In this respect, the Parties are required to check the effectiveness of the measures and adapt them accordingly as technology progresses. Alternative protective measures are permitted as long as they do not fall below the protective level of the defined measures. Significant changes must be documented and reported to the other Party without undue delay.

12.3.

The personal data to be processed in the course of providing services on the Stepstone platform or in the Recruiter Space is stored on specially protected servers.

 

13. Data Processors

13.1.

The data processors listed in Annex 1 provide services on Stepstone’s behalf. The Parties may place orders with other processors and will provide the respective other Party with an up-to-date list of processors for information purposes, insofar as the scope of this arrangement is concerned as a result. Reference to the publication of an up-to-date list on the respective Party’s own website will suffice in order to fulfil this obligation to provide information. If the other Party lodges an objection against the amendment within four weeks of notification, the changing Party is required to discontinue the service in its area of activity, without this giving rise to any right to terminate the main contract. An objection against an amendment can be lodged only where good cause exists, in particular if a data transfer to a third country is necessary for performing the data processing contract.

13.2.

When engaging data processors within the scope of this arrangement, the Parties undertake to conclude a contract in accordance with Art. 28 GDPR and to commission only those subcontractors who meet the requirements of data protection law and the specifications of this contract.

13.3.

Services provided by third parties as ancillary services to assist in the execution of the contract data processing are not deemed to be data processors. These include, for example, telecommunications services, maintenance and user service, cleaning staff, inspectors or the disposal of data media. The Parties are, however, required to make appropriate and lawful contractual agreements and take control measures to ensure the protection and security of the data, including where ancillary services are outsourced.

 

14. Records of data processing activities

The Parties will maintain a record of data processing activities in accordance with Art. 30 (1) GDPR, including and in particular noting the nature of the processing operations under joint or sole controllership.

 

15. Liability

Externally, the Parties shall be jointly and severally liable, without prejudice to the provisions of this contract, for damage to data subjects, which is caused by processing which is not compliant with the GDPR. Internally, the Parties shall be liable, without prejudice to the provisions of this contract, only for damage arising within their respective area of activity.

 

 

Vienna, 02.2024