"12" August 2022

General description:

To comply with the General Data Processing Regulation (GDPR), this agreement defines how the parties organise, share and process personal data.  

This Joint controllership Agreement (“JCA”) together with the Master Subscription Agreement, General Terms and Conditions (“GTCs”), DPA (globus.ai/dpa), accepted by the Customer, constitute legally binding commitment between Globus AI AS («Controller 2» or “Globus”) and it’s customer (“Controller 1, Customer”), effective from the date the MSA is signed.

Globus processes personal data to provide its virtual staffing assistance services as a Processor under globus.ai/dpa. In this arrangement the parties determine how and why personal data is being processed in other cases described below. These terms  apply unless otherwise stated by the law.

1. Training of ML algorithms

In order to effectively match candidates Globus requires AI algorithms to recommend suitable candidates for assignments (ML component of the Product).  

The main goals and main activities are:

For the Customer/Controller 1 – to place candidates for suitable positions.

For Globus/Controller 2 – to train its artificial intelligence and machine learning algorithms to power the development of the machine learning models. Such improvements may benefit each separate customer whose data were used in any specific instance.

The category of data subjects / the group of people to whom the data relates - Candidates.

Legal basis – legitimate interest.

The processing starts on the Go-live date and ends when the MSA is terminated or a candidate effects their data protection rights, such as the right to erasure, the right to restrict processing, and the right not to be subject to a decision based solely on automated processing.

2. Analysis of customers’ use of the Product

The main goals and main activities are:

For the Customer/Controller 1 – to optimize work of its recruiters – users of Globus SaaS.

For Globus/Controller 2 – to analyse how customers/users interact with the Product, so Globus can improve, develop and personalise it’s products and services.  

The category of data subjects / the group of people to whom the data relates - Users.

Legal basis – legitimate interest or consent of the users.

The processing starts on the Go-live date and ends when the MSA is terminated or a user effects their data protection rights, such as the right to erasure, the right to restrict processing, and the right not to be subject to a decision based solely on automated processing, or withdraws their consent.

***

Controller 1 acknowledges that as per the compatibility test it evaluated that the processor’s new purposes described above are “compatible” with the initial processing purpose of placing candidates at jobs and hereby the Controller 1 grants explicit permission to process the personal data for the described above purposes. 

‍

Obligations

• The parties are aware of the General Data Protection Regulation and will endeavor to meet all requirements of the GDPR.  

• Each party will make sure that data subjects receive the required information (as described in article 13 and 14 of the GDPR) when personal data is collected by that party. They will make sure that data subjects have the name of the controller, the data protection officer, the purposes of data processing, the legal basis for processing and who receives the data. This can for instance be done in a privacy statement/notice.  

Globus describes the processings in the notice within the candidate portal (a static webpage with the list of available assignments) also published on globus.ai/privacy.

• Each party agrees to takes reasonable, appropriate technical and organizational measures to protect the personal data, so that the risk of data breaches in minimized.  

• Each party will inform all other parties immediately in the case of a serious information security incident. This way, each party can determine if the serious information security incident is a data breach that must be reported. Parties will keep each other informed whether they have reported the data breach as the controlling party, and if and how they have informed data subjects.  

• Each party will make sure that that data subjects can make a request to exercise their GDPR rights, including the right of access to data, rectification, erasure, restriction of processing and data portability if applicable.  

• Whenever a party receives a GDPR request from a data subject, it will inform other party of the request. All parties will then work together so that the request is fully and completely handled. The first party receiving the request will communicate with the data subject.  

• If one party is audited by their supervisory authority (e.g. the Datatilsynet, ICO) for a joint activity, the other parties will support the audited party, for instance by providing information that is requested by the supervisory authority.  

Amendments

The latest version of this JCA is available at globus.ai/jca.  

Globus may amend this JCA and inform the Customer thereof. Such amendments shall apply beginning ten (10) days from the date of posting it on globus.ai/jca and informing the Customer.