General Terms and Conditions

General Terms and Conditions of Business

1. General terms:

1.1 The General Terms and Conditions of Business (hereinafter referred to as “GTC”) apply to all contracts/the entire business relationship between StepStone Österreich GmbH (hereinafter referred to as “StepStone.at”) and its respective contractual partner. Unless otherwise expressly agreed, the mutual rights and obligations between StepStone.at and its contractual partner are determined by the contents of the respective order and these GTC.

1.2 The contractual partner agrees that the entire business relationship is governed exclusively by the StepStone.at GTC. Any standard business terms of the contractual partner that contradict or deviate from the StepStone.at GTC shall only be applicable if this has been expressly confirmed in writing by StepStone, such that they can only become part of the contract if StepStone.at has given its separate consent.

 

2. Advertising contract:

2.1 Definition:

An advertising contract is a contract for the placement of one or more online adverts from a recruiter or other client on the StepStone.at online platform for the purpose of distribution via the Internet.

2.2 Conclusion of contract:

An advertising contract is concluded if

  a) StepStone.at confirms the order in writing. The written form requirement is satisfied by sending a fax or an e-mail, or
  b) StepStone.at distributes the job advert via the Internet.

The contractual partner is bound by any order it places. Upon receipt of the respective order by StepStone (whether in writing, by fax or by e-mail), the contractual partner may not revoke (cancel) its order.

2.3 Right of refusal:

StepStone.at reserves the right not to publish advertising orders due to their content, origin or technical form. This applies in particular if the content of the job advert violates legal or official prohibitions or specifications as well as morality and/or these General Terms and Conditions of Business or if publication would be unreasonable for StepStone.at on other grounds. The contractual partner will be informed immediately if this is the case. In the event of a rejection on legitimate grounds, the contractual partner shall not be entitled to any claims against StepStone.at. Without limitation, the right of refusal also applies if the following requirements are not satisfied:

  • The job title and job description have to be correct and must not be misleading or ambiguous.
  • Key words, categorisation, title and advertising text of the advert have to be related to the job advertised in the advert.
  • The content has to relate to a vacant position or job. Advertising for club memberships is not allowed. Advertising for participation in illegal pyramid schemes is also not allowed.
  • Without limitation, the contractual partner undertakes to create its adverts in compliance with the Federal Equal Treatment Act. This also includes indicating the minimum wage applicable to the job advertised under the collective agreement or the minimum wage applicable by law or other provisions of collective law, and drawing attention to any willingness to overpay, if applicable.
  • References in the text and/or links within the advert to further vacancies and other job sites not published on StepStone are not permitted.
  • A maximum number of possible entries may apply to job categories, industries and regions; these maximum numbers must be adhered to. We are happy to provide further information on maximum numbers upon request.
  • Admissible links are only allowed as so-called “nofollow” links (rel="nofollow"); this means they are to be set so that search engines do not use them to calculate the popularity of the linked page.
  • All of the content of an advert has to be immediately visible to the user. Unless they are explicitly offered by StepStone as part of special advertising products, the contractual partner’s own tracking codes and interactive elements which are controlled, for example, by clicks or mouseover are not allowed. This does not include links to other sites and e-mail addresses that otherwise comply with the requirements of this subsection. In each and every case links have to be arranged so that it is clear when they lead to external sites.
  • All content of the advert is to be transferred to StepStone and may not be integrated via frames or other forms of retrieval from other servers.
  • Any influence on the search result lists outside of the options provided by StepStone (categorisation, title and visible text of the advert) is not allowed.
  • The adverts are created in HTML. Only those file formats permitted by StepStone can be included in the advert text. On request, we will be happy to inform you which file formats are permitted.
  • A job advert must contain the company name and description, a job description, the requirements profile, the place of work and an opportunity to apply.
  • The job description may not refer to different jobs. It must contain the title of the position and a description of the duties and responsibilities. The job description must describe the vacancy correctly and must not be misleading (see PDF Advertising Guidelines). In such cases, StepStone reserves the right to make additional charges for any violations in lieu of the consequences set out in Section 6.6 of the General Terms and Conditions of Business.
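Taken together, the technical requirements in this section (links only as nofollow, no own tracking code or interactive elements, no frames or retrieval from other servers, all content immediately visible, HTML only) amount to an acceptance filter for submitted advert HTML. The checker below is an added illustration of how such a filter can be implemented; it is not StepStone’s code. The rule set is an assumption read from the wording of this section, the first-party host list (`FIRST_PARTY_HOSTS`) is assumed, internal links are treated as not needing nofollow, and the sample advert is constructed for the example.

```python
"""Acceptance checks for submitted advert HTML, following the content rules of
Section 2.3 (nofollow links, no own tracking code or interactive elements, no
framing or retrieval from other servers, all content immediately visible).

Added illustration only, not StepStone code. The rule set is an assumption
derived from the wording of the GTC; the first-party host list is assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts from which an advert may legitimately reference assets.
FIRST_PARTY_HOSTS = {"www.stepstone.at", "stepstone.at"}

# Tags that pull content from another server or wrap it in a frame.
EMBEDDING_TAGS = {"iframe", "frame", "frameset", "object", "embed", "applet"}
# Tags whose src/href loads an asset; only first-party sources are accepted.
ASSET_TAGS = {"img", "source", "link", "video", "audio", "track"}
# Inline-style fragments that hide content from the reader (keyword stuffing).
HIDING_PATTERNS = ("display:none", "visibility:hidden", "font-size:0", "opacity:0")


def classify_url(url):
    """Return 'contact', 'internal', 'external' or 'disallowed' for a URL."""
    p = urlparse(url.strip())
    scheme = p.scheme.lower()
    if scheme in ("mailto", "tel"):
        return "contact"
    if scheme in ("http", "https"):
        host = (p.hostname or "").lower()
        return "internal" if host in FIRST_PARTY_HOSTS else "external"
    if scheme == "" and not p.netloc:
        return "internal"  # relative path, served by the platform itself
    return "disallowed"  # javascript:, data:, protocol-relative //host, ...


class AdvertChecker(HTMLParser):
    """Collects one finding per rule violation, with the source line number."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _flag(self, text):
        line, _ = self.getpos()
        self.findings.append(f"line {line}: {text}")

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}  # bare attrs -> ""
        if tag == "script":
            self._flag("<script>: own tracking code / active content not allowed")
        if tag in EMBEDDING_TAGS:
            self._flag(f"<{tag}>: framing or retrieval from another server not allowed")
        for name in attrs:
            if name.startswith("on"):  # onclick, onmouseover, onload, ...
                self._flag(f"<{tag} {name}>: interactive element not allowed")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "hidden" in attrs or any(pat in style for pat in HIDING_PATTERNS):
            self._flag(f"<{tag}>: hidden content, advert must be immediately visible")
        if tag == "a":
            href = attrs.get("href", "")
            kind = classify_url(href)
            rel = attrs.get("rel", "").lower().split()
            if kind == "external" and "nofollow" not in rel:
                self._flag(f'external link {href!r} without rel="nofollow"')
            elif kind == "disallowed":
                self._flag(f"link {href!r}: scheme not allowed")
        if tag in ASSET_TAGS:
            src = attrs.get("src") or attrs.get("href") or ""
            if src and classify_url(src) != "internal":
                self._flag(f"<{tag}> loads {src!r} from another server")


def check_advert_html(html):
    """Return the list of findings for an advert; an empty list means accepted."""
    checker = AdvertChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


# Constructed sample advert (not a real listing) that violates several rules.
SAMPLE_ADVERT = """<h1>Security Engineer</h1>
<p>Example GmbH, Vienna. Minimum salary per collective agreement, willingness to overpay.</p>
<a href="https://careers.example/all-jobs">All our vacancies</a>
<a href="https://careers.example/team" rel="nofollow">About the team</a>
<a href="mailto:jobs@example.test">Apply by e-mail</a>
<img src="https://cdn.example/pixel.gif" width="1" height="1">
<div onmouseover="expand()">Benefits</div>
<span style="display: none">security engineer vienna jobs cyber</span>
<iframe src="https://careers.example/embed"></iframe>
<script>track('view')</script>
"""

if __name__ == "__main__":
    for finding in check_advert_html(SAMPLE_ADVERT):
        print(finding)
```

On the constructed sample the checker reports six findings: the external link without nofollow, the 1×1 image loaded from a third-party host (a tracking pixel), the mouseover handler, the hidden keyword span, the iframe and the script block; the nofollow link and the mailto link pass. The parser only sees markup, so a real gate would also apply the file-format and category rules from the list, which depend on data this page does not supply.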

 

2.4 Rights to the advert/ Copyrights:

2.4.1 StepStone.at is not responsible for the content of the texts and images provided for the placement of the advertisement. Without limitation, StepStone is not obliged to check the advert for any infringements of third party rights. The contractual partner is obliged to indemnify and hold StepStone.at fully harmless from any third-party claims that result in any form from the execution of an order to place an advert by StepStone.at. If a claim is asserted against StepStone.at, it alone is entitled to decide how to respond; the contractual partner responsible for the relevant content is precluded from asserting a claim of inadequate legal defence.

2.4.2 If protected trademark rights are used in the context of the publication of the advertisement, permission for their use is granted upon contract conclusion. The contractual partner warrants that it has the right to grant such permission.

2.4.3 StepStone.at acquires the exclusive copyrights and/or other ancillary copyrights to all job advertisements it creates and publishes. Absent agreement to the contrary, payment of the fee by the client, among other things for the creation of the HTML layout by StepStone.at, does not comprise an assignment of copyrights and/or other ancillary copyrights to the contracting party or an agency working for it. If job adverts published by StepStone.at were created by the contractual partner itself or by an agency acting on its behalf – including the HTML source text – the contractual partner grants StepStone.at an exclusive license to use the job advert for all forms of use that relate to publication of the job advert. The contractual partner warrants that it has the right to transfer such rights. Without limitation, StepStone.at is also authorised to defend against claims of unlawful copyright infringement asserted by third parties in its own name and to assert any resulting claims for damages.

2.4.4 All information published by StepStone.at (texts, images, etc.) are subject to copyrights held by StepStone.at. The exclusive exception to this comprises information published by StepStone.at, the creation of which – including the HTML source code – was accepted for publication without change from the contractual partner itself or a third party commissioned by the contractual partner. The contractual partner warrants that it is authorised to transfer copyrights and that it will indemnify and hold StepStone.at harmless against any third-party claims should this not be the case. Without limitation, StepStone.at is also authorised to defend against claims of unlawful copyright infringement asserted by third parties associated with publication in its own name and to assert any resulting claims for damages.

2.4.5 The contractual partner authorises StepStone.at to use its company name and logo as a customer reference in StepStone.at marketing materials, provided that the contractual partner does not object to such use.

2.5 Start of publication:

The job advert will be published at the agreed time. If no publication date has been agreed, publication will take place within one working day after conclusion of the advertising contract. The contractual partner is responsible for the complete delivery of error-free, suitable advertising material. As a rule, StepStone.at is not responsible for delays caused by the advertising material provided by the contractual partner for publication, whether for reasons of content or on technical grounds.

2.6 Location of publication / linking / framing:

2.6.1 On the basis of the advertising contract, StepStone.at is instructed to arrange for publication of job adverts from the contractual partner on its own websites as well as on platforms operated by StepStone.at cooperation partners within the scope of the respective cooperation.

2.6.2 StepStone.at is entitled, but not obliged, to publish the job adverts in any print medium freely determinable by StepStone or to have them published by third parties.

2.6.3 The contractual partner is aware that, based on the current state of technology, the circumstance that job adverts published by StepStone.at may be copied, linked and/or presented as their own adverts by other Internet providers with the aid of frames cannot be entirely prevented. The contractual partner hereby grants StepStone.at any and all necessary consents in order to enable StepStone.at to prevent any copying, linking and/or framing as referred to above within the realms of what is technically and legally possible. However, in the event of any unauthorised linking and/or framing, the contractual partner is not entitled to assert any claims against StepStone.at.

2.6.4 The parties expressly note that, regardless of the advertising contract with StepStone.at, the contractual partner is entitled to commission third parties to place identical online adverts.

2.7 Changes to the advert text:

2.7.1 StepStone.at is obliged, at the request of the contractual partner, to make changes to a job advert published by it during the publication period, provided that this is technically and substantively reasonable. In any case, changes that affect the identity of the advert, such that after the change a new job would be advertised instead of the original one, are not permitted.

2.7.2 Changes that can be made with little effort by StepStone.at will be made free of charge. Changes that are greater in scope will only be made on payment of a fee that is related to the costs involved. In this case, StepStone.at will inform the contractual partner in advance and make the desired changes to the job advert only upon corresponding written confirmation from the contractual partner.

2.7.3 StepStone.at is not obliged to retain an advert that has been placed following the end of the advertising contract. Any templates provided by the contractual partner for the job advert may only be retained by StepStone.at upon the express written request of the contractual partner (maximum 3 months) and then returned.

2.7.4 Job adverts may be saved in the personal accounts of users who have created a personal account with StepStone for a maximum period of six months and may remain accessible in the account to such users for the agreed contract period.

2.8 Publications on pages operated by our cooperation partners

Additional limitations and requirements may apply to adverts that are published on pages that are not operated by StepStone Österreich GmbH. Invitations for speculative applications are not allowed on stepstone.de. Please note that there may also be certain statutory requirements and prohibitions for job adverts in other countries (e.g. in France, all adverts must be published exclusively in French). Such requirements must be complied with. We would be pleased to provide specific information on further requirements and restrictions for the sites not operated by StepStone Österreich upon request.

2.9 At the contractual partner’s request, StepStone will activate a button in the job advert labelled “Apply Now” or something comparable. Depending on the contractual partner’s selection, this button can either link to a page indicated by the contractual partner or to a standardized application form operated by StepStone on its platforms, with which applicants can have the data requested in the form transmitted to the contractual partner by StepStone. The contractual partner may receive the application at the StepStone Recruiter Space if desired. StepStone will then transfer the application to the contractual partner’s specific applicant administration account within the StepStone Recruiter Space.

2.10 If an application has been transmitted to the contractual partner’s specific applicant administration account within the StepStone Recruiter Space in accordance with Section 2.9, the contractual partner can view the application there and also enter notes on the respective candidate and, if necessary, depending on the functionality, record the status of the application and communicate with the applicant.

2.11 In connection with the application, the contractual partner may also access any candidate profile the applicant might have via applicant administration. However, the candidate profile can only be accessed as long as it is active, that is, if the applicant changes their settings or deletes their profile, it is no longer possible to access the profile. Applicant data sent by the applicant is not affected as a result.

2.12 Within the scope of the services according to Section 2.10 of the General Terms and Conditions of Business, StepStone processes personal data on behalf of the contractual partner within the meaning of Art. 28 GDPR; the supplemental terms and conditions applicable to contract data processing apply to that extent. The services described in Section 2.11 do not comprise contract data processing; StepStone merely provides content the applicant has saved with StepStone and remains the controller for data protection purposes. If the contractual partner uses such data, it may become an additional controller.

2.13 In order to improve compatibility of an advert across all devices, StepStone reserves the right to change the layout of the advert accordingly. We reserve the right to convert advertising content that is transmitted to us over http rather than https to https. We temporarily store http content sent to us and delete it once converted. StepStone strives to ensure user-friendly readability on all devices by optimising the display of the advert.

 

3. Applicant database:

3.1 Definition

For a separate fee, StepStone.at offers contractual partners password-protected access to its database of job seekers (hereinafter referred to as the “applicant database”), in which all current candidate profiles are collected. This enables contractual partners to contact the candidates individually via StepStone.at.

Depending on the candidate’s choice, candidate profiles can be accessed either in a form in which only certain data is disclosed (“partially anonymous profile”), or in such a way that all data from the profile can be viewed directly in the database (“open profile”). Contractual partners who book access to the applicant database may directly view the personal data associated with open profiles in the database and enter a message, or, in the case of partially anonymous profiles, a contact request, which StepStone then forwards to the candidate by e-mail.

3.2 Furthermore, the contractual partner may save comments in its account as a free additional service relating to candidates whose profiles it can view anonymously or publicly. These comments are stored and processed by StepStone on behalf of the contractual partner within the meaning of Art. 28 GDPR, subject to the relevant additional terms and conditions. For the sake of clarity, other services provided within the scope of the applicant database are not provided as contract data processing. In such cases, StepStone.at merely provides content saved by the applicant at StepStone.at and remains the controller for data protection purposes. The contractual partner may be an additional controller to the extent it uses such data. If a candidate deletes or deactivates their candidate profile, the candidate profile may no longer be accessed and comments saved in accordance with this Section 3.2 may likewise no longer be accessed.

3.3 The contractual partner undertakes not to disclose personal data of candidates, unless this is necessary to fill a specific vacancy, to treat such data confidentially and to comply with all data protection regulations. Candidate data may only be processed in connection with the filling of a specific vacancy and candidates may only be contacted for this purpose. StepStone assumes that retention is necessary for a maximum of 12 months, also taking into account the defence of potential discrimination claims, so that the contractual partner undertakes to delete any data related to data subjects it stores that it received from StepStone no later than 12 months after access to the data. StepStone reserves the right to block the contractual partner’s access in the event of non-compliance.
The contractual partner is aware that special rules apply to the transfer of data to countries outside of the European Union or the EEA. Accordingly, the contractual partner shall only transfer personal data to third countries in accordance with the provisions of Articles 44-49 GDPR.

3.4 Contract conclusion:

The contract for authorization to access the applicant database is concluded once StepStone has confirmed the order in writing. The written form requirement is also satisfied by sending a fax or an e-mail.

The contractual partner is bound by any order it places. Upon receipt of the respective order by StepStone (whether in writing, by fax or by e-mail), the contractual partner may not revoke (cancel) its order.

3.5 The contractual partner acknowledges that it must protect its password-protected access from third parties, in particular that it must keep the password secret and not disclose it to third parties. The contractual partner shall indemnify and hold StepStone.at harmless from and against any and all damages incurred by StepStone.at as a result of actions taken by the contractual partner within the scope of the contractual partner’s use of the applicant database.

3.6 Right of refusal:

Sending contact requests to job seekers within the context of access to the applicant database is prohibited in cases where dubious content is sent, content is morally objectionable, or StepStone.at cannot reasonably be expected to tolerate the content concerned on other grounds. The contractual partner is obliged to comply with the relevant data protection regulations in connection with its access. In the event of non-compliance and/or the occurrence of the cases/violations referred to above, StepStone.at is entitled to cease performance and block access without prior warning to the contractual partner. In such cases, the contractual partner will be informed without undue delay and it shall not be entitled to assert any claims against StepStone.at in the event StepStone.at ceased performance on legitimate grounds.

3.7 Video Job Interview Function:

If Stepstone provides the Customer with the free Video Job Interview Function, the following applies: the Video Job Interview function may only be used to conduct interviews with candidates who have applied via Stepstone or a company affiliated with Stepstone for an open job listing of the Customer. Otherwise, the Customer shall be obliged to indemnify Stepstone from any third-party claims and to compensate Stepstone for any damages resulting therefrom. Stepstone will limit the cost-free usage for clients to 100 interviews per month.

 

4. Company Hub

Customers can create a company hub. A company profile for the customer may be published in the Company Hub. StepStone provides input fields that the company can fill out itself. The Company Hub is visible to users for as long as the company has a listing online. If a company whose listing is online does not create a Company Hub, StepStone reserves the right to fill in the input fields with publicly accessible company information itself, unless the company expressly objects.

Links to pages and contents of competitors, or the use of content from competitors of StepStone, are not permitted unless the customer is a competitor of StepStone itself and links to its own content.

 

5. Prices

5.1 Unless otherwise agreed in writing, the StepStone.at prices are based on the then-applicable price lists available online at “www.StepStone.at”. The price list published online by StepStone.at at the time the contractual partner’s enquiry is received is decisive.

5.2 All prices quoted by StepStone.at are net prices excluding all taxes.

 

6. Terms of payment:

6.1 StepStone.at issues invoices immediately after commissioning and sends them to the contractual partner. In addition to the company address, the billing address shall be the address provided by the contractual partner when the contract was concluded. Invoices are payable immediately upon receipt. Payments with the effect of discharging obligations to StepStone.at may only be made to the account indicated in the StepStone.at invoice. The date on which the payment is credited to the account indicated by StepStone.at is decisive for purposes of determining timeliness of payment.

6.2 To the extent not otherwise agreed, all payments must be made immediately after receipt of the invoice free of any charges or deductions.

6.3 VAT is payable in full on the invoiced price upon invoicing, even if other terms of payment have been agreed for payment of the price itself. The contractual partner is required to abide by the laws governing VAT.

6.4 In the event of a failure to comply with the payment target, StepStone.at is entitled to charge default interest and compound interest in the amount of 12% p.a. Each dunning notice shall be subject to a fee of € 30.00 plus VAT. In the event of default, the contractual partner shall be obliged to reimburse not only default interest but also all other court-related and non-court related costs of collection, including the costs of any lawyer engaged by StepStone.at. In addition, any additional damages, including without limitation damages resulting from higher interest rates imposed on StepStone.at credit accounts as a result of the default in payment, must be compensated regardless of fault for the default in payment. Claims asserted against the contractual partner do not entitle the contractual partner to withhold agreed payments.

6.5 In the event of default in payment, any discounts granted to the contractual partner shall lapse.

6.6 The contractual partner may not set-off any counterclaims or exercise any rights of retention – regardless of grounds – absent express agreement.

6.7 In the event of default of payment or insolvency of the contractual partner, StepStone.at is entitled to temporarily suspend performance of its contractual obligations until complete payment of all outstanding invoice amounts. In such cases StepStone.at is also entitled to make advance payment a condition for the provision of services in the case of follow-up contracts. Furthermore, StepStone.at is entitled to revoke the contract in such cases without need to set a grace period.

 

7. Warranty, compensation for damages, rescission on grounds of mistake:

7.1 StepStone.at provides the contractual partner the opportunity to access its own services as well as those of its national and international partners within the framework of the partner network “The Network”. StepStone.at does not guarantee the accuracy of data provided by job seekers within the scope of its services. StepStone.at makes every effort to provide the services offered around the clock. The contractual partner acknowledges and agrees that StepStone.at cannot guarantee 100% uninterrupted availability of the services due to external factors beyond its control.

7.2 The warranty period is six months. Publication must be examined by the contractual partner without undue delay, at the latest within three days of publication. Observable defects must be reported in writing to StepStone.at, stating their type and scope; otherwise any other claims are excluded. If a complaint is not made or is not made in time, the advert is deemed to have been approved. The assertion of warranty or damage claims, as well as the right to claim rescission on grounds of a mistake, are excluded in such cases.

7.3 StepStone.at reserves the right to satisfy the warranty claim by means of cure/replacement or a price reduction at its option. Price reduction or conversion can only be demanded if no further attempt at cure is reasonable for the contractual partner.

7.4 Liability on the part of StepStone.at is limited to damages related to the job advert itself; StepStone.at is not liable for damages caused by the partners mentioned in Section 7.1. Liability on the part of StepStone.at for consequential damages, lost profits and other indirect damages is excluded. For all other purposes, liability on the part of StepStone.at for damage due to simple or gross negligence is excluded. Any claims for damages must be asserted in court within six months of the occurrence of the damage; they are otherwise time-barred.

7.5 The job adverts by StepStone.at are based exclusively on the self-disclosure provided by the contractual partner and are not checked by StepStone.at as to the accuracy of their content. StepStone.at can therefore not be held liable for incorrect information. The contractual partner is therefore solely responsible for the accuracy and lawfulness of text and images it has provided for publication of the adverts.

7.6 Since the contractual partners use a log-in name and a password, they bear responsibility for them themselves and are liable for damages resulting from misuse or loss.

7.7 Maintenance, updates or similar work will be done by StepStone.at, if possible, so that downtime does not occur. This work will be announced in the network to the extent possible. No claims may be asserted against the operator in the event of an interruption regardless of grounds. Interruptions in transmission resulting from network outages over which StepStone.at has no control as well as interruptions in transmissions based on a force majeure event, may not be asserted as the basis for claims against StepStone.at.

 

8. Place of jurisdiction and applicable law

8.1 The exclusive jurisdiction of the competent courts in Vienna is agreed for any and all disputes arising under or in connection with a contractual relationship in which StepStone.at is involved as a contractual partner.

8.2 The parties agree that this agreement is exclusively governed by Austrian law with express exclusion of the United Nations Convention on Contracts for the International Sale of Goods. The contract, order, complaint and business language shall be German.

 

9. Miscellaneous:

9.1 Should any of these General Terms and Conditions of Business be wholly or partially invalid, the remaining provisions shall remain unaffected thereby. Any such invalid provision shall be deemed to have been replaced by a valid provision that comes as close as is legally possible to achieving the intended commercial purpose of such invalid provision.

9.2 There are no verbal agreements in place. Any and all modifications, subsequent additions, and ancillary agreements shall be invalid unless made in writing. This applies likewise to any waiver of this written form requirement.

9.3 The contractual partner must immediately provide notice of changes of address in writing. Documents are deemed to have been received by the contractual partner if they were sent to its last known address.

9.4 The contractual partner gives its express consent, which may be revoked at any time, to being informed at any time by StepStone for marketing purposes using the contact details it has provided to StepStone.

9.5 StepStone reserves the right to amend specific provisions of this agreement. StepStone.at will publish any such changes on its website and will thus give the contractual partner the opportunity to terminate the contract at the end of the month on one month’s notice, whereby written form is deemed to have been agreed. If the contractual partner does not exercise this option to terminate the contract, this shall be deemed to be consent to the respective changes.

9.6 The contract conditions are intended for entrepreneurs as contractual partners. If, however, the contractual partner is a consumer, these terms and conditions shall only apply to them to the extent they do not conflict with mandatory provisions of consumer protection law.

 

Supplemental terms for contract data processing

1. Contract data processing

1.1 Within the scope of the comment function according to Section 3.2, the services according to Section 2.10 and the services under Section 3.7 of the General Terms and Conditions of Business, StepStone processes personal data on behalf of the contractual partner within the meaning of Art. 28 GDPR for the relevant purpose and in the relevant manner described in the respective provision and subject to compliance with the provisions set out below.

1.2 StepStone processes personal data exclusively within the scope of the contract and in accordance with the documented instructions of the contractual partner unless an exception within the meaning of Article 28(3)(a) GDPR applies.

1.3 Contract data processing is performed exclusively in Member States of the European Union or in another Contracting State to the Agreement on the European Economic Area, unless instructions to the contrary have been issued and transmission is permitted in accordance with the provisions of Articles 44 to 49 GDPR. Upon conclusion of the contract, the instruction is given to transfer personal data to the other contract processor Akamai Technologies, Inc. 150 Broadway, Cambridge, 02142 MA, USA as part of the measures to be implemented in accordance with Section 3 as provided in Section 6, below. This transfer is permitted under Art. 45 GDPR as Akamai Technologies, Inc is Privacy Shield certified and therefore has an adequate level of data protection under Commission (EU) implementing decision 2016/1250 (http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE). The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000Gn4RAAS&status=Active.

1.4 The duration of the contract data processing corresponds to the duration of use of the customer centre and the Video Job Interview Function, whereby respective access to advert placement and use of the applicant database (DirectSearch Database) will be deactivated at the end of the contract term; access will be reactivated upon conclusion of a new contract if the contract related to the use of the customer centre has not been previously terminated.

1.5 Within the context of applicant administration, data subjects are persons who have applied for an open position with the contractual partner via the StepStone application form and, within the context of Direct Search, persons who have created a profile at StepStone or participate in a Video Job Interview.

1.6 Within the scope of applicant administration, the type of personal data is CV data, in particular contact data, information on education, professional experience and knowledge and interests, as well as any other data provided by the respective candidate along with data collected by the contractual partner with regard to the application such as comments by the contractual partner or status of the application noted by the contractual partner.
In the context of Direct Search, the type of personal data includes the comments made by the contractual partner regarding the data subjects in connection with the filling of vacancies.
In the context of the Video Job Interview function, the type of personal data is the recorded candidate videos.

1.7 Within the scope of applicant administration, the subject and purpose of processing is to make application data submitted by applicants available to the contractual partner in the StepStone Recruiter Space after the contractual partner logs in, where it may be viewed by the contractual partner. If the contractual partner enters a comment or sets a status for the application (function-dependent) in order to manage it, this will also be saved there. If it is possible to set a status for an application, the contractual partner instructs StepStone to inform the applicant of the respective status immediately upon its entry.

1.8 The subject and purpose of the processing within the framework of the applicant database is to enable the contractual partner to store comments on applicants that it may access via Direct Search. In the context of the Video Job Interview function, the object and purpose of the processing is to transmit the Video Interview created by the applicant to the client. The transmission takes place by making the videos available in the customer-specific account.

1.9 References in these additional terms regarding contract processing to the General Data Protection Regulation (GDPR) shall be interpreted as references to the corresponding provision in the Federal Data Protection Act 2000 (BDSG 2000) through 24 May 2018. If there is no corresponding provision in the Federal Data Protection Act 2000, the aforementioned obligation is not applicable through 24 May 2018 and is first effective from 25 May 2018.

 

2. Duties of the contractual partner as client

2.1 Pursuant to Art. 4(7) GDPR, the contractual partner is the controller under data protection laws with regard to personal data processed by StepStone in accordance with the terms of the contract.

2.2 The contractual partner must inform StepStone immediately and completely if it discovers errors or irregularities with regard to data protection regulations when reviewing the results of the processing.

2.3 The contractual partner shall keep a record of processing activities pursuant to Art. 30(1) GDPR.

 

3. Duties of StepStone as contractor

3.1 StepStone shall inform the contractual partner immediately if StepStone is of the opinion that an instruction violates applicable laws. StepStone may suspend implementation of the instruction until it has been confirmed or modified by the contractual partner.

3.2 StepStone shall comply with the provisions of this contract and relevant data protection rights, including the GDPR.

3.3 StepStone shall take appropriate organisational and technical measures in accordance with the relevant data protection laws, including the GDPR and in particular Article 32 thereof, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, type, scope and purpose of processing as well as the probability of occurrence and severity of the risk. These protective measures are recorded in the overview of technical and organisational measures, which can be found in Annex 2. The technical and organisational measures are subject to technical progress and further development. In this respect, StepStone is entitled to check the effectiveness of the system and to adapt it in line with the state of the art. Alternative safety measures are permitted as long as they do not fall below the safety level of the defined measures. Significant changes must be documented and reported to the contractual partner without undue delay. If the measures are changed in such a way that from the contractual partner’s point of view StepStone cannot guarantee equivalent or higher levels of data protection, the contractual partner has the right to terminate the contract extraordinarily after issuing instructions without result. The same applies if notice of such changes is not provided.

3.4 StepStone shall provide the contractual partner with the information necessary for the record of processing activities pursuant to Art. 30(1) GDPR and shall keep a separate list of all categories of processing activities carried out on behalf of the contractual partner pursuant to Art. 30(2) to (5) GDPR.

3.5 All persons who can access personal data processed on behalf of the contractual partner in accordance with the contractual partner’s order shall be bound to confidentiality in accordance with Art. 28(3)(b) GDPR and shall be informed of the special data protection obligations resulting from this order as well as binding instructions and/or purpose limitations.

3.6 StepStone is obliged to appoint a company data protection officer. The current contact details are easily accessible from StepStone’s homepage.

3.7 StepStone guarantees the protection of the rights of data subjects and supports the contractual partner to the necessary extent in responding to requests for the exercise of rights of data subjects pursuant to Art. 12 – 23 GDPR. StepStone shall inform the contractual partner immediately if a data subject contacts StepStone directly for the purpose of providing access, rectification, erasure or restricting the processing of their personal data.

StepStone shall support the contractual partner in preparing data protection impact assessments pursuant to Art. 35 GDPR and the resulting consultation with supervisory authorities pursuant to Art. 36 GDPR to the extent necessary. StepStone shall support the contractual partner with regard to compliance with reporting and notification obligations in the event of personal data breaches within the meaning of Articles 33 and 34 GDPR.

3.8 StepStone shall immediately inform the contractual partner in text form in the event of operational disruptions, suspected personal data breaches pursuant to Art. 4(12) GDPR in connection with data processing or other irregularities in the processing of the data for the contractual partner. In consultation with the contractual partner, StepStone shall take appropriate measures to secure the data and to minimise possible adverse consequences for data subjects insofar as the personal data breach was StepStone’s responsibility.

3.9 In the event that the data protection authority investigates StepStone, the contractual partner must be informed immediately to the extent the investigation relates to the subject matter of the contract.

3.10 In the event that StepStone intends to process data from the contractual partner – including transfer to a third country or an international organisation – without having been instructed to do so by the contractual partner, i.e. because StepStone is obliged to do so pursuant to Art. 28(3)(a) GDPR, StepStone will inform the contractual partner immediately of the purpose, legal basis and data concerned, unless and to the extent that such a notification is prohibited by law.

 

4. Audits including inspections

4.1 StepStone shall provide the contractual partner all necessary information to verify the obligations set out in the contract. StepStone shall permit the contractual partner to conduct audits, including inspections in accordance with Art. 28(3)(h) GDPR, before the commencement and during the term of this agreement after reasonable prior notice and during normal business hours (9:00-18:00). The contractual partner is entitled to satisfy itself directly, or through suitable third parties bound to professional secrecy, of the observance of the technical and organisational measures before commencement and during contract data processing, after timely notification at the business premises during normal business hours without disturbing the course of business. The result of these audits shall be documented and signed by both parties.

4.2 As verification of the technical and organisational measures, StepStone may also submit current certificates, reports or report extracts from independent bodies (e.g. auditors, internal auditors, data protection officers, IT security department, data protection auditors, quality auditors) or a suitable certification by IT security or data protection audit (e.g. in accordance with BSI Basic Protection).

 

5. Additional contract data processors

5.1 The sub-contractors included in the list of sub-contractors available in Annex 1 are approved as sub-contractors upon award of the contract. StepStone may award contracts to other contract data processors (sub-contractors) by informing the contractual partner in advance of the inclusion or replacement of new sub-contractors by notification in text form of the change to the subcontractor directory provided the contractual partner does not provide notice of an objection within four weeks. In the event of an objection, StepStone is entitled to disable the comment function pursuant to Section 3.2 or applicant data administration pursuant to Section 2.10 of the General Terms and Conditions of Business.

5.2 StepStone will impose the same data protection obligations on the sub-contractors as those set out in these product-related Terms and Conditions for StepStone contract data processing, so that such processing complies with the requirements of the GDPR.

5.3 Further outsourcing by the subcontractor requires the express consent of the primary contractor (at least in text form); all contractual provisions in the contract chain must also be imposed on the additional subcontractor.

5.4 Services of third parties that are used as ancillary services to assist in the execution of the contract data processing shall not be deemed to be sub-processors. These include, for example, telecommunications services, maintenance and user service, cleaning staff, inspectors or the disposal of data media. StepStone is, however, obliged to make appropriate and lawful contractual agreements as well as take control measures with such service providers for the assurance of the protection and security of the contractual partner’s data; this also applies to outsourced ancillary services.

 

6. Deletion and return

At the end of the contract for the StepStone Recruiter Space, StepStone will delete data processed for the contractual partner. Otherwise, StepStone will delete the data at the latest one year after receipt of the application in the applicant management system and otherwise upon request of the contractual partner.

 

Sub-contractor list for the additional terms and conditions for StepStone contract data processing.

StepStone’s sub-contractors listed below are deemed to have been approved upon placement of the order:

Company: StepStone GmbH
Address: Axel-Springer-Str. 65, 10969 Berlin, Germany
Services:
– Hosting and related security services
– Back-up services
– Customer service & troubleshooting support

Company: StepStone Continental Europe GmbH
Address: Völklinger Straße 1, 40219 Düsseldorf, Germany
Services:
– Back-up services
– Customer service & troubleshooting support
– Hosting and related security services

Company: StepStone N.V.
Address: Koningsstraat 47 Rue Royale, 1000 Brussel, Belgium
Services:
– Back-up services
– Customer service & troubleshooting support

Company: StepStone Services sp. z o.o.
Address: ul. Domaniewska 50, 02-672 Warsaw, Poland
Services:
– Customer service & troubleshooting support

Company: Akamai Technologies GmbH
Address: Parkring 20-22, 85748 Garching, Germany
Services:
– StepStone uses Akamai as a web application firewall as part of its technical and organizational protection measures and therefore delivers content to website visitors via Akamai in order to protect its systems.

Company: Akamai Technologies, Inc.
Address: 150 Broadway, Cambridge, MA 02142, USA
Services:
– Akamai Technologies GmbH uses Akamai Technologies, Inc. as a sub-contractor.

Company: Amazon Web Services, Inc.
Address: 410 Terry Avenue North, Seattle, WA 98109-5210, USA
Services:
– Hosting and related security services (provided exclusively within the EU)

Company: Cammio GmbH
Address: Rather Str. 25, 40476 Düsseldorf
Services:
– StepStone uses Cammio to conduct Video Job Interviews.

 

 

Overview of technical and organizational measures for the additional terms and conditions for StepStone contract data processing

  1. Confidentiality (Art. 32(1)(b) GDPR)

Technical and organisational measures

  • Entry control

No unauthorised access to the data-processing facilities, e.g.: magnetic or chip cards, keys, electric door openers, site security or porter, alarm system, CCTV;

The data centres have a multi-layered security structure. The exterior areas of the data centres are equipped with high-security fences and walls. The entrances are protected by security personnel 24 hours a day, seven days a week. The facilities are monitored by security cameras. Access to the server rooms is secured by magnetic cards. The systems are stored in locked server cabinets.

Comprehensive security measures are also in place at the respective StepStone sites. Access is only possible by means of magnetic cards and visitors must be granted special access.

  • System access control

No unauthorised system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media;

The contractual partner can only access the data processed on its behalf after logging into the customer area using its specified password. StepStone only stores the log-in details in encrypted form.

By default, the data flow between users and the system is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

StepStone uses Akamai’s services as a Web Application Firewall for its systems.

StepStone has an internal password policy for its employees that requires, among other things, that passwords must be at least eight characters long and be changed regularly, must not be identical or similar to the user name, and must contain characters from at least three of the following four classes: i) upper-case letters, ii) lower-case letters, iii) digits, iv) symbols.
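The following validator, added here as an illustration and not StepStone's own code, encodes the rules just listed so that a policy check can be applied consistently. The page does not define "similar to the user name" or how often passwords must be changed, so the similarity test and the 90-day maximum age are assumptions.

```python
"""Validator for the employee password rules described in the
'System access control' measure: minimum length 8, regular change,
not identical or similar to the user name, and characters from at
least three of the four classes (upper, lower, digit, symbol).

Added example, not StepStone's own code. The similarity test and the
maximum password age are assumptions; the page only states the rules
in prose.
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 8          # from the policy: at least eight characters
MIN_CLASSES = 3         # from the policy: three of the four classes
MAX_AGE_DAYS = 90       # assumption: the policy only says "changed regularly"

# The four character classes named in the policy.
CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda ch: ch in string.punctuation,
}


def character_classes(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, test in CLASS_TESTS.items()
            if any(test(ch) for ch in password)}


def similar_to_username(password: str, username: str) -> bool:
    """Assumed similarity test: case-insensitive equality, either value
    containing the other (for user names of at least four characters),
    or the password being the user name reversed."""
    p, u = password.lower(), username.lower()
    if p == u:
        return True
    if len(u) >= 4 and (u in p or p in u):
        return True
    return p == u[::-1]


def check_password(password: str, username: str,
                   last_changed: date = None, today: date = None) -> list:
    """Return the policy rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if similar_to_username(password, username):
        violations.append("similar to user name")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append("fewer than three character classes")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=MAX_AGE_DAYS):
            violations.append("not changed regularly")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user in [("Tr0ub4dor!", "alice"), ("alice2020", "alice")]:
        print(user, pw, check_password(pw, user) or "compliant")
```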

  • Data access control

No unauthorised reading, copying, changing or removal within the system, e.g.: authorisation concepts and needs-driven access rights, logging of access;

The access rights of the contractual partner are strictly limited to data that is actually processed on behalf of the respective contractual partner. Only specifically defined StepStone personnel can access data that is processed on behalf of the contractual partner, provided this is required for system administration and customer service purposes at the request of the respective contractual partner.

The system logs all events related to data processing on behalf of the contractual partner.

  • Separation control

Separate processing of data collated for separate purposes, e.g. multi-client capability, sandboxing;

The StepStone customer centre is multi-client capable, so that every single logged in contractual partner can only see the data that is connected to its account.

  • Pseudonymisation (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)

The processing of personal data such that it cannot be allocated to a specific data subject without using additional information, provided this additional information is stored separately and is subject to corresponding technical and organisational measures;

Not relevant, as the contractual partner requires non-pseudonymised access to the data.

 

2. Integrity (Article 32(1)(b) GDPR)

  • Transfer control

No unauthorised reading, copying, changing or removal on electronic transfer or transport, e.g.: Encryption, virtual private networks (VPN), electronic signature;

All data sent over publicly accessible networks is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

  • Data entry control

Establishing whether and by whom personal data was entered into, amended on or removed from data processing systems, e.g.: logging, document management;

The StepStone system logs the activities of each log-in and log-out as well as any processing, addition, modification and deletion of data by the respective user, as well as the relevant time (by time stamp).

 

3. Availability and resilience (Art. 32(1)(b) GDPR)

  • Availability control

Protection against accidental or wilful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), anti-virus protection, firewall, reporting channels and emergency plans;

Anti-virus programs and firewalls are used. StepStone uses Akamai’s services as a Web Application Firewall for its systems.

The hosting environment is equipped with fire detectors, water leakage detectors and raised floors. Temperature and humidity are constantly monitored to maintain predefined values. There is an uninterrupted power supply for at least 72 hours.

  • Rapid recoverability (Art. 32(1)(c) GDPR)

Rapid recoverability is ensured via

– Backup procedures;
– Uninterruptible power supply (UPS);
– Segregated storage;
– Virus protection and firewalls;
– Contingency plans and crisis planning;
– Employee training;

 

4. Process for regular testing, assessment and evaluation (Art. 32(1)(d); Art. 25(1) GDPR)

We organize regular audits with external service providers to check our data security standards and processes. Network penetration tests are carried out regularly.

Requests are inspected and verified at two levels before they reach our application servers: a network firewall and a web application firewall (WAF). This allows us to analyse and block unusual queries to the database at the data provisioning level, preventing SQL injection attempts. The system itself also logs failed log-on attempts for requests that have passed through the firewall and WAF.

Our data protection measures are continuously reviewed in a PDCA cycle.

 

Technical and organisational measures

  • Entry control

No unauthorised access to the data-processing facilities, e.g.: magnetic or chip cards, keys, electric door openers, site security or porter, alarm system, CCTV;

The data centres have a multi-layered security structure. The exterior areas of the data centres are equipped with high-security fences and walls. The entrances are protected by security personnel 24 hours a day, seven days a week. The facilities are monitored by security cameras. Access to the server rooms is secured by magnetic cards. The systems are stored in locked server cabinets.

Comprehensive security measures are also in place at the respective StepStone sites. Access is only possible by means of magnetic cards and visitors must be granted special access.

  • System access control

No unauthorised system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media;

The contractual partner can only access the data processed on its behalf after logging into the customer area using its specified password. StepStone only stores the log-in details in encrypted form.

By default, the data flow between users and the system is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

StepStone uses Akamai’s services as a Web Application Firewall for its systems.

StepStone has an internal password policy for its employees that requires, among other things, that passwords must be at least eight characters long and be changed regularly, must not be identical or similar to the user name, and must contain characters from at least three of the following four classes: i) upper-case letters, ii) lower-case letters, iii) digits, iv) symbols.

  • Data access control

No unauthorised reading, copying, changing or removal within the system, e.g.: authorisation concepts and needs-driven access rights, logging of access;

The access rights of the contractual partner are strictly limited to data that is actually processed on behalf of the respective contractual partner. Only specifically defined StepStone personnel can access data that is processed on behalf of the contractual partner, provided this is required for system administration and customer service purposes at the request of the respective contractual partner.

The system logs all events related to data processing on behalf of the contractual partner.

  • Separation control

Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing;

The StepStone customer centre is multi-client capable, so that every single logged in contractual partner can only see the data that is connected to its account.

  • Pseudonymisation (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)

The processing of personal data such that it cannot be allocated to a specific data subject without using additional information, provided this additional information is stored separately and is subject to corresponding technical and organisational measures;

Not relevant, as the contractual partner requires non-pseudonymised access to the data.

 

5. Integrity (Article 32(1)(b) GDPR)

  • Transfer control

No unauthorised reading, copying, changing or removal on electronic transfer or transport, e.g.: Encryption, virtual private networks (VPN), electronic signature;

All data sent over publicly accessible networks is end-to-end encrypted using the Transport Layer Security (TLS) protocol.

  • Data entry control

Establishing whether and by whom personal data was entered into, amended on or removed from data processing systems, e.g.: logging, document management;

The StepStone system logs the activities of each log-in and log-out as well as any processing, addition, modification and deletion of data by the respective user, as well as the relevant time (by time stamp).

 

6. Availability and resilience (Art. 32(1)(b) GDPR)

  • Availability control

Protection against accidental or wilful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), anti-virus protection, firewall, reporting channels and emergency plans;

Anti-virus programs and firewalls are used. StepStone uses Akamai’s services as a Web Application Firewall for its systems.

The hosting environment is equipped with fire detectors, water leakage detectors and raised floors. Temperature and humidity are constantly monitored to maintain predefined values. There is an uninterrupted power supply for at least 72 hours.

  • Rapid recoverability (Art. 32(1)(c) GDPR)

Rapid recoverability is ensured via

– Backup procedures;
– Mirroring of hard drives, e.g. RAID procedures;
– Uninterruptible power supply (UPS);
– Segregated storage;
– Virus protection and firewalls;
– Contingency plans and crisis planning;
– Employee training;

Process for regular testing, assessment and evaluation (Art. 32(1)(d); Art. 25(1) GDPR)

We organize regular audits at least once a year to check our data security standards and processes. Network penetration tests are carried out regularly.

Requests are inspected and verified at two levels before they reach our application servers: a network firewall and a web application firewall (WAF). This allows us to analyse and block unusual queries to the database at the data provisioning level, preventing SQL injection attempts. The system itself also logs failed log-on attempts for requests that have passed through the firewall and WAF.

Our data protection measures are continuously reviewed in a PDCA cycle.

 

Vienna, 20.04.2020