General Terms and Conditions


  1. General:

1.1 The General Terms and Conditions (hereinafter referred to as the “GTC”) apply to all contracts and the entire business relationship between StepStone Österreich GmbH (hereinafter referred to as “StepStone.at”) and its respective contractual partner. The mutual rights and obligations between StepStone.at and the contractual partner are governed according to the contents of the order and these GTC unless expressly agreed otherwise.

1.2 The contractual partner agrees that only the GTC of StepStone.at shall govern the entire business relationship. Any general terms and conditions of the contractual partner that are contrary to, or different from, the GTC of StepStone.at shall apply only insofar as their validity is confirmed in writing by StepStone, so that they can only become part of the contract when a separate agreement has been made by StepStone.at.

 

  2. Advertising contract:

2.1 Definition:

An advertising contract covers the insertion of one or more online advertisements of a job provider or other contracting entity in the online websites of StepStone.at for dissemination in the Internet medium.

2.2 Conclusion of contract:

The advertising contract is concluded when

  a) StepStone.at has confirmed the order in writing. The written form requirement is fulfilled by sending a fax or an e-mail, or
  b) StepStone.at has disseminated the advertisement on the Internet.

 

The contractual partner is bound by the order it has issued. After receipt of this order by StepStone.at (whether in writing, by fax or by e-mail), the contractual partner cannot revoke (cancel) its order.

2.3 Right of refusal:

StepStone.at reserves the right to refuse to publish advertisements because of their content, origin or technical form. This is especially true if the contents of the advertisement infringe legal or regulatory prohibitions, offend against good morals and/or breach the GTC of StepStone.at, or such publication would be unreasonable for other reasons. The contractual partner will be informed of this immediately. In the event of legitimate rejection, the contractual partner shall have no claims against StepStone.at. In particular, the contractual partner undertakes to place advertisements in accordance with the Equality Act. The latter also includes the implementation of the applicable collective agreement or the minimum wage governed by law or other standards of collective rights’ law for the advertised job and to indicate their willingness to pay the same when such law exists.

 

2.4 Rights to the advertisement/copyright:

2.4.1 StepStone.at is not responsible for the content of the advertisement or the texts and image material provided. In particular, StepStone.at is not obliged to check the advertisement with respect to the possible infringement of the rights of others. The contractual partner undertakes to hold StepStone.at to be wholly free and blameless in the case of any third-party claims whatsoever against StepStone.at as a result of the carrying out of the order. If StepStone.at is claimed against, then only StepStone.at shall decide how it shall react without the contractual partner responsible for the content being able to raise any objection with respect to inadequate legal defence.

2.4.2 If protected trademarks are to be used in the context of the publication of the advertisement, approval for their use shall be provided on conclusion of the contract. The contractual partner shall demonstrate that he is entitled to provide the said approval.

2.4.3 StepStone.at acquires all exclusive copyright and/or other intellectual property rights for advertisements created and published by StepStone.at. With the payment of the fee by the contracting entity, including the creation of the HTML layout by StepStone.at, and unless otherwise agreed in writing, no copyright and/or other intellectual property rights shall be assigned to the contractual partner or an agency acting on its behalf. Insofar as the job advertisement published by StepStone.at, including the HTML source code, is created by the contractual partner itself or an agency acting on its behalf, the contractual partner shall assign exclusive usage rights to StepStone.at with respect to the use of the advertisement for all types of use that arise in connection with the publication of the advertisement. The contractual partner undertakes that he is entitled to assign these rights. In particular, StepStone.at is also entitled to resist unlawful interference with the copyright by third parties in the context of publication on its own behalf and to pursue any resulting claims for damages.

2.4.4 All information (texts, images, etc.) published by StepStone.at is StepStone.at copyright. Excluded from this provision is information that is exclusively published by StepStone.at while the production – including the HTML source code – is provided by the contractual partner itself or by a third party acting on behalf of the latter and that remains unchanged for publication. The contractual partner undertakes that it is entitled to assign the copyright and undertakes to hold StepStone.at to be wholly free and blameless against any third-party claims. In particular, StepStone.at is also entitled to resist unlawful interference with the copyright by third parties in the context of publication on its own behalf and to pursue any resulting claims for damages.

 

2.5 Start of publication:

The advertisement shall be published at the agreed time. If no publication date has been agreed, the publication will be immediately after the conclusion of the advertising contract. The contractual partner is responsible for the complete supply of clean, suitable advertising material. Delays that occur as a result of the content of the advertisement provided by the contracting entity for publication, whether for content or technical reasons, are generally not the responsibility of StepStone.at.

 

2.6 Location of publication/linking/framing:

2.6.1 On the basis of the advertising contract, StepStone.at shall be commissioned to arrange for the publication of the job advertisement of the contractual partner on its Internet websites, as well as on the platforms of cooperation partners of StepStone.at in the context of cooperation partnerships.

2.6.2 StepStone.at is entitled, but is not obligated, to publish the job advertisement in each of its freely definable print media or to have it published by a third party.

2.6.3 The contractual partner acknowledges that in the context of current state of the art, it cannot be completely ruled out that job advertisements published by StepStone.at may be copied and published by other ISPs through links and/or using frames and falsely presented as their own offering. The contractual partner shall assign StepStone.at as of now any necessary consents to allow StepStone.at, insofar as is technically and legally possible, to prevent copying, linking and/or framing of job advertisements in the above-mentioned sense. If there should be unauthorised linking and/or framing, the contractual partner may not initiate any claims against StepStone.at.

2.6.4 Irrespective of the advertising contract with StepStone.at, it is acknowledged that the contractual partner may commission third parties for the insertion of an identical online advertisement.

2.7 Changes to advertising copy:

2.7.1 At the request of the contractual partner, StepStone.at is obliged to make changes to the job advertisement of the contractual partner to be disseminated during the publication period, provided that this is reasonable technically and content-wise for StepStone.at. In any case, changes that affect the identity of the advertisement are excluded where such a change would no longer advertise the original job but advertise a new job.

2.7.2 Changes that can be made with little effort by StepStone.at shall be carried out free of charge. Any further changes shall only be carried out for a work-related fee. In this case, StepStone.at shall only carry out the desired changes after having informed the contractual partner of the above fee and a written confirmation has been received from the contract partner.

2.7.3 StepStone.at is not obliged to keep the published job advertisement after the end of the advertisement insertion contract. If need be, StepStone.at shall keep the materials for the advertisement provided by the contractual partner but only at the express written request of the contractual partner (for a maximum of 3 months) and then return them.

 

2.9  Upon contractual partner’s request StepStone will publish a button in relation to the job advertisements that is labeled with “Apply Now” or similar. Depending on the contractual partner’s selection, this button can either link to a page designated by the contractual partner or to a standardized application form operated by StepStone on its platforms, with which the applicants can provide the data requested through the form and have them transmitted by StepStone to the contractual partner. The contractual partner can receive the application at his choice in the StepStone Recruiter Space. StepStone will then submit the application to the specific account of the contractual partner in the applicant management functionality in the StepStone Recruiter Space.

2.10   If an application was submitted to the contractual partner in accordance with para. 2.9 into the specific account of the contractual partner in the applicant management functionality in the StepStone Recruiter Space, the contractual partner can view this application there and also take notes on the respective candidate and, depending on the functionality, set a status of the application and communicate with the applicant.

2.11   In connection with the application, the client can also access the applicant’s candidate profile via the applicant management functionality. However, this accessibility to the MyStepStone profile exists only as long as it is active, i.e. if the applicant changes his settings or deletes his profile, access to the profile is no longer possible. The application data submitted by the applicant remain unaffected.

2.12   Within the scope of the services under para. 2.10, StepStone processes personal data on behalf of the contractual partner as a processor in the sense of Art. 28 GDPR; the Additional Terms and Conditions Data Processor apply in this context. The services under para. 2.11 are not carried out as data processor; StepStone provides the content stored by the applicant at the StepStone platform and remains controller under data protection law. As far as the contractual partner uses this data, he may become a separate and independent controller.

  3. Job seeker database:

3.1 Definition:

Against separate payment, StepStone.at offers contractual parties the possibility of access to the password-protected database for job seekers (“Resume Database”) in which all current candidate profiles are collected. This enables the contractual partner to contact the candidates individually via StepStone.at. Depending on the candidate’s choice, it is possible to access the profile either in such a way that only partial data is made accessible (“partially active profile”) or that all data of a profile is accessible in the database (“active profile”). The customer purchasing access to the Resume Database may access active profiles and the personal data directly and send a message and may, for partially active profiles, make a contact request which will then be transmitted by StepStone via email.

3.2. Furthermore, as an additional cost-free service, the contractual partner can save comments about candidates whose profiles he can view anonymously or publicly. These comments are saved and processed by StepStone on behalf of the contractual partner in the sense of Art. 28 GDPR; the Additional Terms and Conditions Data Processor apply here. For the sake of clarity, it is specified that the other services provided by the Resume Database are not processed as data processor on behalf of the contractual partner. StepStone merely provides the content stored by the candidate at StepStone’s platforms and remains responsible for data protection as controller. As far as the contractual partner uses this data, he may become a separate and independent controller.

3.3. The contractual partner undertakes not to disclose personal data of candidates, unless this is necessary to fill a specific job vacancy, to treat them confidentially and to comply with all data protection regulations. The data of candidates may only be processed in connection with filling a specific job vacancy and the candidates may only be contacted for this purpose. StepStone believes that storage is required not longer than for a maximum period of 12 months, also taking into account any potential claims for alleged discrimination, so the contractual partner undertakes to retain any data stored by StepStone and obtained by StepStone no longer than 12 months and to delete any such data at the latest after 12 months after accessing such data. StepStone reserves the right to block the access of the contractual partner in case of infringement.

The contractual partner knows that special rules apply to the transfer of data outside of the European Union or the EEA. The contractual partner will therefore only transfer personal data to third countries under the conditions of Arts. 44-49 GDPR.

 

3.4 Conclusion of contract:

The contract for authorisation to access the job seeker database is concluded when StepStone.at confirms the order in writing. The written form requirement is fulfilled by sending a fax or an e-mail.

The contractual partner is bound by the order it has issued. After receipt of this order by StepStone.at (whether in writing, by fax or by e-mail), the contractual partner cannot revoke (cancel) its order.

3.5 The contractual partner undertakes to protect its password access from third parties, in particular to keep the password secret and not to pass it on to third parties. The contractual partner shall hold StepStone.at free and blameless for all damages resulting in connection with the use of the job seeker database due to actions of the contractual partner.

 

3.4 Right of refusal:

The sending of contact messages to job seekers in the context of access to the job seeker database is inadmissible insofar as dubious contents are sent, there is a breach of good morals, or the procedure is unacceptable to StepStone.at for other reasons. In the context of the access, the contractual partner is required to comply with the relevant data protection laws. In the event of non-compliance or the occurrence of the above-mentioned incidents/breaches, StepStone.at is entitled to end the provision of services and to deny access to the contractual partner without prior notice. The contractual partner will be informed immediately in this case and shall not be entitled to file any claims against StepStone.at with respect to this denial of the provision of services.

 

  4. Prices:

 

4.1 Unless otherwise agreed in writing, the prices of StepStone.at are in accordance with the current price lists, which are available online at the StepStone.at Internet domain at “www.StepStone.at”. The price list that is available on the Internet at the time of access of the application of the contractual partner of StepStone.at.

 

4.2 All of the prices given by StepStone.at are net of all taxes.

 

  5. Payment terms:

 

5.1 StepStone.at shall create the invoice immediately after the order is placed and send it to the contractual partner. As invoicing address, in addition to the company’s registered address, the address given on conclusion of the contract by the contractual partner itself shall be deemed to be agreed. The invoice is payable immediately upon receipt and payments to StepStone.at shall be made exclusively to the account designated by StepStone.at on the invoice. The timeliness of payment for transfers is determined by the crediting of the account of StepStone.at as given in the invoice.

 

5.2 Unless otherwise agreed, all payments shall be paid immediately in full, free of any charges and deductions, after receipt of the invoice by the contractual partner.

 

5.3 VAT is payable on the total price of the invoice in full, even if other payment terms have been agreed with respect to the purchase price. The contractual partner shall take into account the value added tax laws.

 

5.4 In the event that the payment due date is exceeded, StepStone.at shall be entitled to charge interest for late payment and compound interest at a rate of 12% p.a. There shall be a charge of EUR 30,– plus VAT per reminder. In the event of non-payment, the contractual partner shall be required, in addition to paying the interest, to pay all the other procedural and non-procedural costs of collecting payment, as well as the costs of a lawyer retained by StepStone.at. Moreover, any further damage, especially the damage caused by a failure to pay resulting in correspondingly higher interest on the credit accounts of StepStone.at, shall be reimbursed regardless of where fault may lie in the delay of payment. Any claims against the contractual partner shall not entitle the withholding of the agreed payments by the latter.

 

5.5 Any rebates given to the contractual partner shall be cancelled in the event of delayed payment.

 

5.6 Offset due to any counterclaims or the withholding of payments by the contractual partner – for whatever reason – shall be inadmissible unless explicitly agreed to.

 

5.7 In the event of default or insolvency of the contractual partner, StepStone.at is authorised to temporarily suspend the contractual obligation to carry out orders until full payment of the invoiced amount due. In these cases, StepStone.at shall also be entitled to require an advance payment for subsequent orders as a condition for the provision of services. Furthermore, in such cases, StepStone.at shall be entitled to announce cancellation of the contract without granting a period of grace.

 

  6. Guarantee, damages, claims against errors:

6.1 StepStone.at shall provide the contractual partner with the possibility of accessing its own services as well as those of national and international partners in the partner network “The Network”. StepStone.at assumes no responsibility for the accuracy of the job seeker data specified by its services. StepStone.at makes every effort to provide the services offered around the clock. The contractor acknowledges and agrees that StepStone.at cannot ensure 100% service availability due to external influences beyond its control.

6.2 The guarantee period is 6 months. The advertisement shall be checked by the contractual partner no later than within 3 days following its publication stating the type and extent of the error. Determinable errors shall be detailed in writing to StepStone.at without precluding any claims. If notice of the error is not made or not made in time, the advertisement is deemed to be approved. The assertion of guarantee or damage claims, as well as the right to challenge errors are excluded in these cases.

6.3 StepStone.at reserves the right to satisfy a guarantee claim as it decides by means of amendment/replacement or price reduction. A price reduction shall only be required if any amendment attempt is not deemed to be reasonable by the contractual partner.

6.4 The liability of StepStone.at is limited to damages that occur in the job advertisement itself, whereby StepStone.at is not liable for damage caused by the partners referred to in paragraph 6.1. The liability of StepStone.at for consequential damages, lost profits or other indirect damage is excluded insofar as legally permissible. In addition, liability for damages on account of slight or gross negligence of StepStone.at is excluded. Any damage claims shall be legally made within 6 months following the occurrence of the damage in the case of such preclusion.

6.5 The job advertisement insertion by StepStone.at is based solely on the information provided by the contractual partner and is not checked for accuracy by StepStone.at. StepStone.at cannot, therefore, be held responsible for incorrect information. With respect to the content, in particular its correctness and the legal permissibility of the text and image documents submitted for the advertisements, this is therefore exclusively the responsibility of the contractual partner.

6.6 As the contractual partner uses a log-in name and password, it is responsible for them and is liable for any damage caused by misuse or loss of the same.

6.7 Maintenance work, updating or similar work by StepStone.at shall be carried out as far as possible to avoid downtime. As far as possible, notification of this work shall be given in the network. In the case of interruptions – for whatever reason – no claims shall be made against the operator. Interrupted transfers, which are due to power failures, over which StepStone.at has no influence, and interrupted transfers due to force majeure, shall not justify any claims against StepStone.at.

 

  7. Jurisdiction and applicable law:

7.1 Any dispute arising out of, or in connection with, a contractual relationship in which StepStone.at is involved as a contractual partner, shall be agreed to be the exclusive jurisdiction of the competent court in Vienna.

7.2 The exclusive applicability of Austrian law to the exclusion of the UN Sales Convention shall be agreed. The language of the contracts, orders, complaints and business is German.

  8. Other:

8.1 Should any provision of these GTC, in whole or in part, be or become invalid, the remaining provisions shall remain unaffected in their effectiveness. Instead of such an invalid provision, a replacement provision shall be agreed that is economically closest in a lawful way.

8.2 There are no subsidiary oral agreements. All agreements, subsequent modifications, amendments, supplements, etc. are only valid when made in writing. This also applies to the dispensing of the writing requirement.

8.3 The contractual partner shall immediately make known any changes to its address in writing. Documents are considered to be received by the contractual partner when they were sent to its last known address.

8.4 The contractual partner gives its express consent, revocable at any time, that it has been informed of StepStone.at contact data for advertising purposes by StepStone.at.

8.5 StepStone.at reserves the right to modify individual provisions of this contract. StepStone.at will publish those changes on the website and will give the contractual partner the possibility of cancelling the contract by giving one month’s notice to the end of the month, whereby the written form is agreed. If the contractual partner does not make use of this cancellation, this shall be deemed to mean acceptance of the changes.

8.6 The GTC are designed for entrepreneurs as contractual partners. Should the contractual partner also be a consumer, the provisions of these shall apply only insofar as there is no objection under mandatory rules of consumer protection.

 

Additional Terms and Conditions Data Processor

1. StepStone acting as Processor

1.1 In the context of the comment functionality according to para. 3.2 and the applicant management functionality according to Sec. 2.10 of the StepStone General Terms and Conditions StepStone processes personal data as a processor in the manner described in each case for the purpose described therein on behalf of the contractual partner in accordance with Art. 28 GDPR, observing the following provisions.

1.2 StepStone processes the personal data solely within the framework of the contract and in accordance with the documented instructions of the contractual partner unless there is an exceptional case within the meaning of Article 28 (3) (a) GDPR.

1.3 The processing takes place exclusively in member states of the European Union or in another contracting state of the Agreement on the European Economic Area, as far as no other instruction was given and a transmission in accordance with the regulations of Arts. 44 to 49 GDPR is allowed. Already upon conclusion of the contract, in the context of the measures to be taken under section 4.3 StepStone is instructed to transfer personal data to the other subcontractor Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA, as described in Section 6 below. The transfer is permissible under Art. 45 GDPR as Akamai Technologies, Inc is Privacy Shield certified and thus an adequate level of protection exists according to the Implementing Decision of the Commission (EU) 2016/1250 (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016D1250&from=DE). The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000Gn4RAAS&status=Active.

1.4 The duration of the processing corresponds with the duration of the use of the Recruiter Space, whereby, at the end of the term of contract about the publication of job adverts or the Direct Search Database, the respective access is disabled, upon conclusion of a new contract, the access is reactivated, unless the contract for the use of the Recruiter Space was terminated in the meantime.

1.5. Data subjects in the context of the applicant management functionality are persons who have applied for a job vacancy with the Contractual partner through the StepStone application form. Data subjects in the context of the Direct Search Database are natural persons who have a profile with StepStone.

1.6. The type of personal data used in the context of the processing for the applicant management functionality consists of CV data, such as contact details, educational records, work experience and knowledge and interests, and any other data submitted by the candidate, and data entered by the contractual partner such as comments created by the contractual partner or an application status created by the contractual partner.

In the context of Direct Search, the types of personal data are the comments made by the contractual partner about the persons concerned in connection with the filling of vacancies.

1.7. The subject matter and purpose of the processing is, in the context of applicant management functionality, that the application data submitted by applicants can be made available and viewed in the StepStone Recruiter Space to the contractual partner after his login in the Recruiter Space. If the contractual partner creates a comment or status of the application (depending on the function) in order to manage it, it will also be saved there. If a status of the application can be created, the contractual partner instructs StepStone when entering a status to inform the applicant immediately about this status.

Subject matter and purpose of the processing in the context of the Resume Database is, that the contractual partner can save comments about candidates whose profiles the contractual partner can access through the Direct Search.

1.8. References in these Additional Terms and Conditions StepStone Data Processor Agreement to the General Data Protection Regulation (GDPR) shall be interpreted as references to the corresponding provision in the national data protection legislation (DSG 2000) until 24.05.2018. Unless there is a corresponding provision in the national legislation, the said obligation shall not apply until 24.05.2018 and will only apply with effect from 25.05.2018.

2. Obligations of the contractual partner as client

2.1 In accordance with Art. 4 No. 7 GDPR, the contractual partner is controller of the data processed by StepStone in accordance with the contract.

2.2 The contractual partner informs StepStone immediately and completely if it finds errors or irregularities regarding data protection regulations when checking the outcome of the processing.

2.3 The contractual partner keeps a register for processing activities in accordance with Art. 30 para. 1 GDPR.

 

3. Obligations of StepStone as contractor

3.1 StepStone informs the contractual partner immediately if StepStone believes that an instruction violates applicable laws. StepStone may suspend the implementation of the instruction until it has been confirmed or modified by the contractual partner.

3.2 StepStone complies with the terms of this agreement and relevant data protection laws, including the GDPR.

3.3 StepStone shall take appropriate organizational and technical measures in accordance with the relevant data protection laws, including the GDPR and in particular its Art. 32, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, nature, extent and purpose of the processing and the likelihood and severity of the risk. These measures are recorded in the overview of technical and organizational measures, which is included below as Appendix 2. The technical and organizational measures are subject to technical progress and further development. To that extent, StepStone may take account of developments in the latest technological standards when reviewing the effectiveness and making corresponding modifications. Alternative security measures are permitted if they at least comply with the security level of the specified measures. Any material modifications must be documented.
Substantial modifications after conclusion of the agreement shall be communicated to the contractual partner without undue delay. If the measures are modified to such an extent that the contractual partner does not consider that StepStone can guarantee equivalent or higher protection of the data, the contractual partner has the right of termination without notice following the issue of instructions to no avail. The same applies in the event of a failure to give notice of such modifications.

3.4 StepStone shall provide the contractual partner with the information required for the records of processing activities under Art. 30 para. 1 GDPR and, to the extent required by law in accordance with Art. 30 para. 2 to 5 GDPR, shall maintain its own record for all categories of processing performed on behalf of the contractual partner.

3.5 All persons who are able to access personal data processed for the contractual partner in accordance with the agreement must be subjected to a duty of confidentiality in accordance with Art. 28 para. 3 b) GDPR and notified of the particular data protection duties arising under this agreement as well as the existing obligation to adhere to instructions and the purpose limitation.

3.6 StepStone has appointed a data protection officer. Its current contact details are easily accessible on the homepage of StepStone.

3.7 StepStone guarantees the protection of the rights of data subjects and shall support the contractual partner in responding to applications for the safeguarding of the rights of data subjects in accordance with Art. 12-23 GDPR.

StepStone informs the contractual partner immediately if a data subject directly addresses StepStone for the purpose of access to, rectification, erasure or restriction of processing of his personal data.

StepStone supports the contractual partner in carrying out data protection impact assessments pursuant to Art. 35 GDPR and the resulting consultation of the supervisory authority in accordance with Art. 36 GDPR to the extent necessary. StepStone supports the contractual partner with regard to ensuring the reporting and notification obligations in the event of data breaches as defined in Articles 33 and 34 GDPR.

3.8 StepStone shall notify the contractual partner without undue delay in text form in the event of any disruptions to the operational processes, the suspicion of data protection breaches under Art. 4 no. 12 GDPR in connection with the data processing or any other irregularities in processing the contractual partner’s data.

3.9 In the case of investigations by the data protection authority at StepStone, the contractual partner is to be informed immediately as far as these investigations concern the subject matter of the contract.

3.10 In the event that StepStone intends to process data from the contractual partner, including transmission to a third country or to an international organization, without having been instructed by the contractual partner, i.e. because StepStone is obliged to do so in accordance with Article 28 (3) sentence 1 a GDPR, StepStone will inform the contractual partner without delay about the purpose, legal grounds and data concerned, unless prohibited by law.

 

4. Audits including inspections

4.1 StepStone shall provide the contractual partner with all information required to evidence the obligations set down in this agreement and, subject to adequate prior notice and during standard business hours (9:00 a.m. – 6.00 p.m.), shall enable the contractual partner prior to and during the term of this agreement to perform checks, including inspections, in accordance with Art. 28 para. 3 h) GDPR. Before and during the data processing, the contractual partner is entitled to satisfy itself that the technical and organisational measures are being complied with, or it may retain suitable third parties with an obligation of professional confidentiality to do so, at StepStone’s business premises during regular business hours subject to timely notification without disrupting business operations. The outcome of these checks will be documented and signed by both parties.

4.2 The technical and organisational measures may also be evidenced by presenting current certificates, reports or extracts of reports by independent bodies (e.g. external auditors, internal auditors, Data Protection Officer, IT security team, data protection auditors, quality auditors) or a suitable certification by IT security or data protection audit (e.g. based on BSI principles) for this purpose.

 

5. Other processors

5.1 With conclusion of the contract, the subcontractors listed in Appendix 1 below are approved. StepStone may assign agreements to subprocessors if it notifies the contractual partner in writing in advance of the involvement or replacement of new subprocessors and the contractual partner raises no objection within 4 (four) weeks. If the contractual partner objects, then StepStone may cease to provide the comment functionality according to para. 3.2, respectively the applicant management functionality according to Sec. 2.10 of the StepStone General Terms and Conditions.

5.2 StepStone shall impose the same data protection obligations as set out in this agreement on the subprocessors so that the processing will meet the requirements of the GDPR. If the subcontractor fails to comply with its data protection obligations, StepStone shall be liable to the contractual partner under Art. 28 para. 4 sent. 2 GDPR for that subcontractor’s compliance with its obligations.

5.3 Further outsourcing by the subcontractor requires the express consent of the main processor (at the minimum in text form). All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

5.4 Services that are procured from third parties as an ancillary service to support the performance of the agreement shall not be deemed subcontracted. These include e.g. telecommunication services, maintenance and user service, cleaners, auditors or the disposal of data media. However, in order to guarantee the protection and the security of the contractual partner’s data, StepStone is also obliged to enter into adequate and legally compliant agreements and to perform checking measures for ancillary services that are procured from third parties.

 

6. Erasure and return

Upon request from the contractual partner, StepStone will delete data processed on behalf of the contractual partner. StepStone will delete all data processed on behalf of the contractual partner when the contract for the use of the Recruiter Space terminates. In the application management functionality, StepStone will delete the data at the latest one year after receipt of the application in the applicant management functionality.

 

Appendix 1 – List of subprocessors to the Terms and Conditions StepStone Data Processor Agreement

The contractual partner consents to the use of the following subprocessors:

Company: StepStone GmbH
Address: Axel-Springer-Str. 65, 10969 Berlin, Germany
Services:
– hosting and associated security services
– back up services
– Customer service support for trouble-shooting

Company: StepStone Continental Europe GmbH
Address: Völklinger Straße 1, 40219 Düsseldorf, Germany
Services:
– hosting and associated security services
– back up services
– Customer service support for trouble-shooting

Company: StepStone N.V.
Address: Koningsstraat 47 Rue Royale, 1000 Brussel, Belgium
Services:
– hosting and associated security services
– back up services
– Customer service support for trouble-shooting

Company: StepStone Services sp. z o.o.
Address: ul. Domaniewska 50, 02-672 Warsaw, Poland
Services: Customer service support for trouble-shooting

Company: Akamai Technologies GmbH
Address: Parkring 20-22, 85748 Garching, Germany
Services: StepStone uses Akamai as part of the technical and organizational measures as Web Application Firewall and therefore delivers its web content to website users through Akamai to protect its systems.

Company: Akamai Technologies, Inc.
Address: 150 Broadway, Cambridge, 02142 MA, USA
Services: Akamai Technologies GmbH engages Akamai Technologies, Inc. as a subcontractor.

Company: Amazon Webservices, Inc.
Address: 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA
Services: Hosting and associated security services (within the EU)

 

 

Appendix 2 – Overview of technical and organizational measures to Terms and Conditions StepStone Data Processor Agreement

1.      Confidentiality (Article 32 Paragraph 1 Point b GDPR)  
  • Physical Access Control

No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems

 

The data centers have a multi-layered security structure. The perimeter of data centers is protected by high security fencing and walls. The entrances are staffed with security guards 24×7. Surveillance cameras are used to monitor the locations. Access to the computer room is protected by a magnetic card system. The equipment is stored in locked cabinets.

The outer boundary of the data centers is secured by high-security fences and walls. The entrances are guarded around the clock, video camera systems are used for full surveillance. Access to the computer rooms is protected by a card-based access control system.

 

Extensive safety precautions also exist at the relevant StepStone locations. Card-based access control systems are used and visitors have to be granted access.

  • Electronic Access Control

No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media

The Contractual partner can only access the data processed on its behalf after logging in to the contractual partner space with the password that was defined by the user. StepStone stores the user authentication details in encrypted form only.

 

By default, the user-system data flow is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

StepStone uses Akamai’s services as a web application firewall for its systems.

 

StepStone has an internal password policy for its employees which requires, inter alia, passwords to be at least 8 characters long, not to be the same as or similar to the user name, to contain at least 3 of the following 4: i) upper case letters, e.g. A, B, C; ii) lower case letters, e.g. a, b, c; iii) numbers, e.g. 1, 2, 3; iv) symbols, e.g. @, #, +; and to be regularly changed.

 

  • Internal Access Control (permissions for user rights of access to and amendment of data)

No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events

 

The Contractual partner’s access rights are strictly limited to access only such personal data that is actually processed on its behalf. Only selected StepStone personnel can access the personal data processed on behalf of the Contractual partner on a need-to-know basis within pre-defined rights and only for the purposes of system administration and customer service on request of the contractual partner.

 

The system logs all events about the data processed on behalf of the contractual partner.

 

 

  • Isolation Control

The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing;

The StepStone Recruiter Space is multi-client capable so that each individual logged-in contractual partner can only see data associated with the contractual partner’s account.

 

  • Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.

 

Does not apply, because the contractual partner needs to see the full details of an applicant.
   
2.      Integrity (Article 32 Paragraph 1 Point b GDPR)  
  • Data Transfer Control

No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;

 

All data sent over public networks is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

 

 

  • Data Entry Control

Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management

 

The StepStone systems log the activities of any login and logout as well as the editing, adding, altering, and deleting by recording user, actions and time (through a timestamp).

3.      Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)

 

 
  • Availability Control

Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning

 

 

Antivirus, firewall and other security solutions are in place to guarantee safety. StepStone uses Akamai’s services as a web application firewall for its systems.

The hosting environment is equipped with a fire detection system and a water leak detection system in rooms below the raised floor. Temperature and humidity are constantly monitored to ensure that the pre-defined specifications are continuously met. The hosting infrastructure is equipped with a continuous supply with a life span of at least 72 hours.

 

 

  • Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)

 

Rapid recovery is ensured by

 

·        Back-up procedure;

·        Encryption;

·        Uninterrupted power supply (UPS);

·        Separate storage;

·        Virus protection, Firewall;

·        Emergency plan, disaster recovery;

·        Organisational / Employee Training;

 

4.      Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

We have regular audits of our Information Security standards and processes with external providers. Network penetration scans are performed regularly.

 

We track and review logs at two levels before any requests reach our application servers. These are at a firewall level and at a WAF (Web Application Firewall) level.

This allows all unusual presentation-layer requests to the database to be tracked, analysed and actively blocked, preventing SQL injection attempts. The application itself tracks any failed login attempts if the request has passed through the firewall and WAF.

 

Data protection measures are continuously reviewed in a PDCA cycle.

 

 

02-05-2018