Data Processing Agreement
Last updated June 29th 2022
This Huma Data Processing Agreement ("DPA") accompanies the parties' agreement, including the Huma Subscription Terms of Service (the "Agreement") entered into between you ("Customer") and Huma.
The DPA regulates the processing of personal data by the Processor on behalf of the Controller, as stated in this DPA.
All terms defined elsewhere in the Agreement apply to the DPA as well, but particularly pertinent terms are repeated here for clarity. Terms defined in the GDPR and used in this DPA shall have the same meaning as in the GDPR.
“Data Controller” refers to Customer
“Data Processor” refers to Huma
"GDPR" is the EU General Data Protection Regulation (EU regulation no. 2016/679)
“Personal data” shall have the same meaning as defined in the GDPR Article 4 (1):
"any information relating to an identified or identifiable natural person(‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
"Sensitive Personal Information" means any personal data deemed to be in a "special category" as defined in the GDPR Article 9 (1):
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”
and as defined in Article 10
“Processing of personal data relating to criminal convictions and offenses or related security measures”
"Services" means Huma’s proprietary software-as-a-service solution(s), as described on https://www.hu.ma/plans-pricing.
“user” customer, or a person given access to the services by customer, who makes use of the services, whether through the web client, mobile applications, or otherwise.
2. Purpose and Scope of processing
2.1 Purpose of processing
The purpose of the Services and the Data Processor's processing of personal data is to enable the Data Controller to manage a variety of HR-related activities. The Data Controller has the right to use the Services, as established by the Agreement, and the Data Processor provides the Services to facilitate the Data Controller's processing of relevant data.
2.2 Types of information processed
The Services contains functionality, depending on the subscription, for storing and processing personal data including, but not limited to:
- first and last names;
- email address;
- phone number;
- birth date;
- civil status;
- job title;
- employment type;
- employment percentage;
- date of hire;
- first day of work;
- date of termination;
- last day of work;
- employment ID;
- bank account number;
- passport number;
- social security number;
- names and date of birth of children;
- names, relations and phone numbers of emergency contacts;
- uploaded documents regarding personal data;
- dates and types for work absences;
- certifications held and other competence;
- meeting attendance and notes;
- sensitive personal data (to the extent submitted by the Data Controller)
The types of personal data in actuality processed under this DPA depend on the Data Controller’s choices in what functionality to make use of, and how.
2.3 Types of processing
- Storing and making the stored data available to the customer and users the customer has given access.
- Aggregating some types of data to provide the customer with statistics.
- Calculating time frames based on time information. E.g. length of absence, advance warning of a qualification expiring, employee seniority.
- Schedule automated notifications
- Exchange data with third parties on instruction by customer. E.g. integrations.
2.4 Duration of processing
The data we process under this DPA is kept no longer than necessary to provide the services to the customer. The data is deleted once the customer instructs us to delete it, or the Agreement is terminated, as described in section 9. Termination. The customer is normally expected to give such instructions through using the services’ provided tools.
2.5 Subjects of processing
Primarily the employees of the customer, as well as other persons whom the customer processes information about in their role as an employer. E.g. hired consultants, emergency contacts for employees, etc.
2.6 Responsibility for processing
In connection with the use of the Services, personal data is expected to be registered in the Services. The Data Controller is responsible for the registration of personal data in the system, and any withdrawal and use of stored information. The Data Processor is responsible for ensuring that the data is stored in a proper manner and later deleted or anonymized in accordance with this DPA.
3.1 Data Processor
The Data Processor is obliged to comply with requirements for Data Processors as described in GDPR, and implemented in locally applicable law and regulations.
Any personal data processed by the Data Processor on behalf of the Data Controller shall be processed in accordance with the specified purposes and limitations of this DPA. The Data Controller shall process no such data beyond what is required for the purposes defined in this DPA without written agreement with the Data Controller.
The Data Processor shall facilitate the Data Controller’s compliance with GDPR by
- Providing necessary information and documentation to demonstrate fulfillment of the obligations in art. 28 (3)
- Assisting the Data Controller in fulfilling their obligations regarding the rights of Data Subjects, as set out in Chapter III
- In the main, Data Processor shall provide Data Controller access to tools in the Services which allow it to (i) access, (ii) edit, or (iii) erase any personal data being processed by Data Processor under this DPA.
- Where such tools prove not reasonably sufficient for allowing Data Controller to fulfill their obligations to Data Subjects, Data Processor shall provide such other assistance as necessary, without undue delay or cost to Data Controller.
- Assisting the Data Controller in fulfilling their obligations according to art. 32-36
- Reporting any data breach to the Data Controller without undue delay, in accordance with applicable legislation. The reporting shall include the information required for the Data Controller to abide by its obligations according to GDPR article 33.3.
The extent of the assistance shall be as required by the Data Controller’s need, the information available to the Data Processor, and the nature of the processing in actuality performed under this DPA.
The Data Processor and its sub-processors are subject to confidentiality regarding all personal data they have access to under the Agreement. This also applies after the termination of the Agreement.
The Data Processor shall not share or otherwise make available any personal data obtained under the Agreement to any external party, unless it follows from the Agreement, is required by applicable law, or has been expressly agreed to in writing by the Data Controller. As described in clause 4 (Sub-processors) and clause 5 (transfer to countries outside the EU/EEA), personal data processed by the Data Processor on behalf of the Data Controller may be transferred to the parties defined therein, including transfer to the countries in which the sub-processor executes its processing.
3.2 Data Controller
The Data Controller is obliged to comply with the requirements for Data Controllers as described in the GDPR, and implemented in locally applicable law and regulations.
The Data Controller confirms that:
- There is sufficient legal basis for processing personal data;
- The Data Controller is entitled to and responsible for the legality of the transfer of personal data to the Data Processor;
- The Data Controller is responsible for the accuracy, integrity, content, reliability and legality of the personal data being processed;
- The Data Controller has informed the Data Subjects in accordance with the current legal requirements;
- This DPA contains all instructions from the Data Controller at the time of signing the Agreement.
The Data Controller shall ensure that personal data is processed in accordance with the GDPR, respond to inquiries from the Data Subjects and ensure that adequate technical and organizational measures are implemented to secure the Personal Data being processed, cf. GDPR Article 32.
The Data Controller is obliged to report data breach to the relevant supervisory authorities and, if applicable, to the Data Subject without undue delay in accordance with applicable legislation.
The Data Controller is responsible for ensuring that custom data fields in their own right, or by their content do not violate any applicable laws and regulations, including regarding personal data. The same applies to the use of combinations of data fields in, for example, reports, etc.
Where the system contains texts, data or other information, etc., which is owned/disposed by the Data Controller, the Data Controller warrants having full ownership or disposal rights for such texts, data, information, etc. and that neither storage nor the actual use of this material implies an infringement of third party rights or violates any law, regulation or other legal rules.
The Data Controller is subject to confidentiality regarding Data Processor's documentation and data that he/she has access to in accordance with this DPA. This provision also applies after the termination of the DPA.
Access to the system is administered by the administrator at the Data Controller. The Data Controller is obliged to ensure that credentials for such access are stored and handled in such a way that they are available only to persons authorized by the Data Controller and entitled to use the Services under the Agreement. The Data Controller is responsible for the use of personal data in the system by the users it has granted access.
The Data Controller handles and processes inquiries from the Data Subjects regarding access, rectification and deletion, etc.
The Data Processor uses subcontractors to fulfill parts of its various obligations, including physical operation of the system. The Data Processor is responsible for the performance of the subcontractor's tasks in the same way as if the Data Processor itself was responsible for the Execution. The Data Processor is obliged to have separate data processing agreements with all its subcontractors to ensure fulfillment of the terms of this DPA and GDPR art. 28.
On confirming acceptance of this DPA, Data Controller accepts Data Processor’s use of the sub-data processors (“Sub-processors”) listed in our list of data processors.
In the case that subcontractors are added or replaced, the Data Controller shall be notified of the upcoming change at least 30 calendar days before the new subcontractor starts processing personal data and may within the 30 calendar days oppose the change. If the Data Controller opposes the change, the Data Processor will consider the objection. If the Data Controller cannot reasonably satisfy the objection, the Data Controller may terminate the Agreement with immediate effect. Notification of termination must be given by the end of the notification period. If the Data Controller does not terminate the Agreement, the new subcontractor is deemed to be accepted.
In the case that a subcontractor is removed from the Sub-processors list, Data Processor must ensure the former subcontractor has deleted all personal data the subcontractor processed on behalf of Data Processor from its systems.
5. Transfer to countries outside the EU/EEA
The Data Processor may only transfer personal data to a country outside the EU/EEA on documented instructions by the Controller. The Controller agrees to transfers to approved Sub-processors as specified in the list of data processors. The Data Processor shall ensure that all transfers have a valid basis in accordance with Chapter V of the GDPR.
On the request of the Data Controller, the Data Processor is required to provide the Data Controller with information on the legal basis for the transfer, including, if relevant, a copy of the signed Standard Contractual Clauses.
Notwithstanding the paragraph above, Personal Data may in exceptional cases be transferred if necessary, to fulfill obligations under EU law or the national law of an EU or EEA country.
The Data Processor shall ensure appropriate information security in all processing of personal data, in accordance with GDPR art. 32. This includes taking reasonable planned, systematic, organizational and technical measures to maintain an appropriate level of confidentiality, integrity and availability. Such measures include, as appropriate:
- The pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Data Processor shall have the capacity to provide documentation of such security measures, and shall make it available at the Data Controller's request.
The Data Processor shall implement processes to detect and follow up on threats to data security ("Deviation"), and shall without undue delay notify the Data Controller of any such Deviation that affects or identifies a risk to Data Controller’s data. If a Deviation is caused by the Data Controller, the Data Processor may invoice the Data Controller for reasonable and substantiated costs incurred by the follow-up.
The Data Controller is responsible for reporting data breached to the relevant authorities in accordance with applicable law. The Data Processor shall.as set out in clause 3.1.IV above provide necessary information for the Data Controller to comply with such requirements.
The Data Processor provides regular data backups.
The Data Processor strongly recommends any personal data transmitted from the Data Controller to the Data Processor outside the Services happen only in encrypted form.
7. Security audits
The Data Controller acknowledges that the Data Controller's right to conduct audits, under GDPR art. 28 (3), is fulfilled through the fact that the Data Processor ensures that an independent third party appointed by the Data Processor performs a systemic audit of the system on a regular basis. A security audit report shall cover all information necessary to demonstrate compliance with the obligations laid down in GDPR art. 28.
The conclusions of the audit shall be made available to the Data Controller on request.
Claims from a party as a result of the other party's failure to comply with the DPA shall be subject to the same liability regulations and limitations of liability as provided by the Agreement.
This DPA shall apply from the date of Data Controller’s acceptance of the Agreement until the Agreement expires or until the Data Processor's obligation to perform services under the Agreement terminates for any reason, except for the provisions of the Agreement and the DPA that continue to run after termination. In the event of a material breach of the DPA, the Data Controller may impose on the Data Processor to stop further processing of personal data with immediate effect. The Data Processor can upon reasonable prior notice allowing the Data Controller to remedy the breach, if capable of remedy, stop all processing on behalf of the Data Controller.
After the expiry of the Agreement, the Data Processor is obligated to delete all personal data covered by this DPA, unless it can be sufficiently anonymized as to no longer constitute personal data. Subsequent to this, the Data Processor shall provide the Data Controller with a written statement guaranteeing that the Data Processor has not retained any copy of Data Controller’s personal data in any medium, to assist Data Processor’s compliance with GDPR art. 5 (2).
The Data Controller is expected to use the Services to export personal data as necessary prior to termination. If this is not reasonably achievable, the Data Processor shall, upon request from the Data Controller, provide an export of such data, given that the request is made prior to the Data Processor fulfilling its obligations of deletion as described in section 9 of this DPA.