Data Processing Agreement (DPA)

by Certif-ID International GmbH for the product TalentSure

Effective Date: January 2025

DATA PROCESSING AGREEMENT (DPA)

Between:

[NAME OF DATA CONTROLLER]

A Sourcing Partner, Employer, or other entity acting as Data Controller under the definitions of the General Data Protection Regulation (GDPR), with principal place of business at [insert address] or other lawful location.

Hereinafter referred to as "Controller" or "Data Controller".

And:

TALENTSURE ("The Platform") ("The Aggregator") ("DATA PROCESSOR")

A global aggregator platform primarily processing personal data of candidates on behalf of Sourcing Partners, Employers, or other authorized parties.

Business Address:
Certif-ID International GmbH
Scheffelstr. 58a
50935 Cologne
Germany

1. INTRODUCTION & PURPOSE

1.1 Context

This Data Processing Agreement ("DPA") sets out the terms under which TalentSure (the "Data Processor") processes personal data on behalf of the Controller (this may be an Employer, Sourcing Partner, or any organization acting as Data Controller under GDPR).

1.2 GDPR Obligations

The main purpose of this DPA is to fulfill the requirements of Article 28 GDPR and establish how the Data Processor follows the Controller's instructions while maintaining strict security and compliance measures.

1.3 Platform as Aggregator

TalentSure provides a global aggregator platform specialized in cross-border recruitment tasks. This environment typically consolidates or processes data from multiple sources – from Sourcing Partners, Employers, or other aggregator roles – with final control always residing with the designated Controller instructing TalentSure.

1.4 Exclusion of Internal Workflows

While TalentSure uses its own internal or proprietary workflows to coordinate tasks, these are not disclosed in this DPA. This document focuses exclusively on GDPR-compliant data processing and associated legal obligations.

1.5 Hierarchy of Agreements

This DPA is part of or attached to a master agreement. In case of conflicts regarding data protection provisions, this DPA takes precedence over general terms and conditions.

2. DEFINITIONS & INTERPRETATIONS

Within this DPA, the following definitions apply:

  • "GDPR": General Data Protection Regulation (EU) 2016/679
  • "Personal Data": Any information relating to an identified or identifiable natural person.
  • "Processing": Any operation performed on personal data, with or without automated means.
  • "Data Controller": The entity that determines the purposes and means of processing.
  • "Data Processor": The entity that processes personal data on behalf of the Controller – here TalentSure.
  • "Data Subject": The natural person whose data is being processed.
  • "Sub-Processor": Any third party engaged by the Processor to process personal data for the purposes set out in this DPA.

3. SUBJECT MATTER & DURATION OF PROCESSING

3.1 Subject Matter

This DPA covers any processing of personal data that the Controller instructs TalentSure to perform. Typically this concerns candidate data in cross-border contexts: resumes, identity documents, language certificates, professional recognition, interview scheduling, or contract acceptance.

3.2 Duration

Processing begins on the date the Controller provides TalentSure with relevant data or instructions, and continues until the DPA or underlying contract is terminated or the Controller issues final instructions for deletion or return of data.

4. NATURE & PURPOSE OF PROCESSING

4.1 Nature

TalentSure stores, collects, organizes, combines, analyzes, and retrieves candidate data according to Controller instructions. This may include sharing with Sub-Processors such as translation services or recognition authorities.

4.2 Purpose

The purpose is to support lawful, cross-border recruitment processes, including qualification verification and connecting candidates with employers.

5. TYPES OF PERSONAL DATA & CATEGORIES OF DATA SUBJECTS

5.1 Types of Personal Data

  • Basic Data: Name, date of birth, contact details, nationality, address
  • Professional Qualifications: Resume/CV, diplomas, references, certificates
  • Language Assessments: Test results, course evidence
  • Recognition Documents: IDs, professional licenses, translations
  • Contract Information: Salary, position, start date (if instructed)
  • Visa/Immigration Data: Passport copies, visa status
  • Communication Data: Email, chat logs

5.2 Categories of Data Subjects

  • Primarily: Candidates
  • Occasionally: References or emergency contacts

6. GDPR ROLES & RESPONSIBILITIES

6.1 Controller

Determines which data is processed for what purpose and ensures a lawful basis (Art. 6 GDPR).

6.2 Data Processor (TalentSure)

Processes data only on instruction from the Controller.

6.3 Other Aggregators

May be involved but remain independent or Sub-Processors.

7. DATA PROTECTION PRINCIPLES

  • Integrity & Confidentiality
  • Lawfulness, Fairness & Transparency
  • Purpose Limitation
  • Storage Limitation
  • Data Accuracy
  • Accountability

8. CONTROLLER RIGHTS & OBLIGATIONS

  • Information obligations to data subjects
  • No exploitation of data subjects
  • Proof of consent, if required
  • Consistency in multi-aggregator scenarios
  • Liability for non-compliance

9. PROCESSOR RIGHTS & OBLIGATIONS

  • Processing only on documented instruction
  • Confidentiality agreements with personnel
  • Implementation of technical & organizational measures (TOMs)
  • Assistance with data subject requests
  • Reporting of unlawful instructions

10. TECHNICAL & ORGANIZATIONAL MEASURES

TalentSure implements robust security measures:

  • Encryption: TLS 1.2 or higher in transit
  • Access Controls: Role-based authorization, password protection
  • Monitoring: Firewalls, intrusion detection systems
  • Backups: Regular backups in separate zones
  • Confidentiality: All employees sign confidentiality agreements

11. INTERNATIONAL TRANSFERS

We prefer data centers/Sub-Processors in the EEA. If a transfer is unavoidable, we rely on Standard Contractual Clauses or recognized adequacy mechanisms. All Sub-Processors/data centers outside the EEA are contractually committed to GDPR-compliant guarantees.

12. CONTACT

For questions regarding the Data Processing Agreement:
Email: admin@certif-id.com

Business Address:
Certif-ID International GmbH
Scheffelstr. 58a
50935 Cologne
Germany