Zinc data processing addendum
- This Data Processing Addendum is between:
- Zinc Work Limited, a company incorporated and registered in England and Wales (company number 10961635) with a registered address at Eastcastle House, 27-28 Eastcastle Street, London, United Kingdom, W1W 8DH on behalf of itself and any affiliates (“Zinc”); and
- The counterparty (“You”, “Your”, “Yours”, “Yourselves” or “Company”) on behalf of itself and any affiliates, whose registered country, address and signature are set out in the Order Form.
- (each a “Party” and together the “Parties”)
- Zinc may update this DPA from time to time. If this DPA is updated You will be notified in writing by email using the latest contact information You have provided to Zinc. Such updates will take effect 30 days after the date of delivery of notification and Your continued usage of the Zinc Service will be deemed to constitute acceptance of the updated DPA.
1. Definitions
- “Agreement” means this DPA, the Zinc Terms and Conditions and the relevant Order Form signed by You which together govern the agreement between the parties subject to which the Zinc Service is provided.
- “Candidate” means any Data Subject whose Personal Data You enter into the Zinc Service.
- “Candidate Data” means Personal Data in regards to Candidate(s) inputted by You into the Zinc Service.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed by Zinc.
- “Data Protection Laws” means applicable laws or regulations relating to the privacy of Data Subjects within the scope of this DPA, including but not limited to the UK GDPR and GDPR.
- “Data Subject” means an identified or identifiable natural person.
- “Data Subject Request” has the meaning given to it in Clause 8.1.
- “Objection” has the meaning given to it in clause 6.5.
- “Processing” means the gathering, processing or use of Personal Data by Zinc in accordance with the instructions provided by You.
- “Personal Data” means any information which is related to an identified or identifiable natural person.
- “Redacted Candidate” has the meaning given to it in Clause 3.2.
- “Relevant Candidate” has the meaning given to it in Clause 3.1.
- “Subprocessor” means any Processor engaged by Zinc in connection with the Agreement (where Processor has the meaning as set out in the GDPR).
- “Zinc Service” means the website www.zincwork.com owned and operated by Zinc, the Zinc API, the Zinc Service web based application with which You interact, and any other related services which Zinc may, from time to time, offer (“Service” as context requires).
2. Background
- 2.1 This DPA reflects the Parties’ agreement with respect to the Processing of Personal Data. This DPA is supplemental to the Zinc Service Terms and Conditions and the relevant Order Form and it forms a material part of the Agreement between You and Zinc.
- 2.2 In the event of a conflict between any of the Terms and Conditions, the Order Form and the DPA, the following order of precedence shall apply in descending order: DPA, Order Form, Terms and Conditions.
3. Scope of this DPA
- 3.1 This DPA applies only to the Personal Data of Candidates who:
- (a). undergo a Check through the Zinc Service directly as a result of You inputting their information into the Zinc Service; and
- (b). enter into work with Yourselves (whether such work is paid, voluntary, or otherwise); and
- (c). remain in work with Yourselves (a “Relevant Candidate”).
- 3.2 If You enter a Candidate’s information into the Zinc Service but, for any reason, they:
- (a). do not enter into work with Yourselves; or
- (b). enter into work with Yourselves but are subsequently terminated, made redundant, resign, or otherwise cease to work with You (whether such work is paid, voluntary, or otherwise), then that Candidate will not fall under the scope of this DPA (a “Redacted Candidate”).
- 3.3 In some cases Zinc may provide the Zinc Service to You in respect of a Data Subject whose Personal Data has, independently of You, been previously inputted into the Zinc Service. So long as that Data Subject meets the requirements set out in Clause 3.1, Your inputting of their Personal Data into the Zinc Service will render them a Relevant Candidate for the purposes of this DPA.
- 3.4 If a Data Subject is rendered a Relevant Candidate who subsequently meets the criteria set out in Clause 3.2, this will immediately render them a Redacted Candidate for the purposes of this DPA.
4. Zinc's processor obligations
- 4.1 Zinc will only Process Personal Data in line with Your lawful instructions unless it is required to Process said Personal Data by any applicable law.
- 4.2 If Zinc becomes aware that it cannot Process Personal Data in line with Your instructions due to a conflict with any applicable law, Zinc shall notify You of said conflict to the extent permitted.
- 4.3 In the event that Zinc issues notification to You in accordance with Clause 4.2 it may cease all Processing of Personal Data (other than merely storing and maintaining the security of the affected Personal Data) until such time as You provide Zinc with new lawful instructions with which it is able to comply.
- 4.4 In the event that Zinc issues notification to You in accordance with Clause 4.2 it may cease the provision of the Zinc Service until such time as You provide Zinc with new lawful instructions with which it is able to comply. In the case of such an event Zinc shall in no way be liable to You under the Agreement for its inability to provide the Zinc Service to You.
- 4.5 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zinc shall implement appropriate technical and organisational measures to protect Personal Data against Data Breaches. This includes but is not limited to the measures set out in Annex III.
- 4.6 In the event that Zinc becomes aware of a Data Breach Zinc shall:
- (a). Notify You of the Data Breach without undue delay.
- (b). Provide You with reasonable assistance to notify the relevant authorities about said Data Breach as required.
- (c). Provide You with reasonable assistance to notify any affected Data Subjects of said Data Breach as required.
- (d). Investigate said Data Breach independently and provide reasonable assistance with any investigation You or a relevant authority may choose to carry out.
- (e). Take steps as required to remedy any non-compliance with this DPA.
- 4.7 Zinc will ensure that access to Candidate Data is restricted only to employees who strictly need such access in order to carry out the core function of their role and shall ensure that said employees are informed of the confidential nature of Candidate Data.
5. Your controller obligations
- 5.1 You agree that You will be responsible for complying with all applicable Data Protection Laws that apply to You under the Agreement and with respect to the lawful instructions You provide Zinc with.
- 5.2 You agree that You will be responsible for:
- (a). the accuracy and legitimacy of the Candidate Data You provide; and
- (b). the legality of the Candidate Data You provide and in particular the means by which You acquired said Candidate Data; and
- (c). complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of Personal Data, in particular, obtaining consent from Candidates to provide their data to Zinc; and
- (d). informing us without undue delay if for any reason You are unable to comply with Your obligations under this Clause 5.2.
6. Subprocessors
- 6.1 You grant Zinc the general authority to appoint Subprocessors from the list of service providers in Annex II.
- 6.2 Zinc shall enter into a written agreement with each Subprocessor which contains terms that are substantially the same as those set out in this DPA.
- 6.3 The use of Subprocessors shall not relieve Zinc of its obligations under this DPA. Zinc shall remain liable to You under this DPA for the acts and omissions of any Subprocessors used in connection with this Agreement as if they were Zinc’s own acts and omissions.
- 6.4 You agree that Zinc may from time to time modify the list of approved Subprocessors. If Zinc chooses to do so, You shall be provided with at least 30 days written notice of its intention.
- 6.5 You may object to the appointment of any new Subprocessor within 10 working days of their appointment (an “Objection”). If You choose to make an Objection, You must provide full written details documenting Your reasons for doing so.
- 6.6 In the event of an Objection, Zinc shall make reasonable efforts to prevent the Subprocessor from processing Candidate Data.
7. International transfers
- 7.1 Zinc and any of its Subprocessors shall not transfer Personal Data outside the UK or the EEA without Your prior written consent.
- 7.2 Where such consent is granted, Zinc shall only Process or permit the Processing of Personal Data outside the UK or EEA under the following conditions:
- (a). Zinc is Processing Personal Data in a territory which is subject to adequate laws or regulations which provide protection for the privacy rights of individuals which are at least equivalent to the protection provided under the Data Protection Laws.
- (b). The transfer is lawful under GDPR through any mechanism, including but not limited to, the use of relevant Standard Contractual Clauses (as amended and approved by the ICO for use in respect of transfers subject to UK GDPR); or
- (c). The transfer is otherwise based on a mechanism authorised by the ICO.
8. Complaints, Subject Access Requests and Third Party Rights
- 8.1 Zinc shall notify You within 10 days if it receives a request from a Data Subject to exercise any of their applicable rights under Data Protection Laws (a “Data Subject Request”) and Zinc shall reasonably assist You in complying with any such Data Subject Request.
- 8.2 Zinc shall notify You immediately if it receives any complaint that relates to the Processing of Personal Data or to either Party’s compliance with Data Protection Laws under this DPA and Zinc shall give You its full co-operation and assistance in responding to such a complaint.
- 8.3 Unless otherwise prohibited by law or a legally binding order, Zinc shall notify You immediately of any notice or communication arising in connection with this DPA from a governmental body, regulatory body, data protection authority or law enforcement agency and Zinc shall give You its full co-operation and assistance in responding to such a notice or communication.
9. Audits
- 9.1 Zinc shall permit You and an appropriate third party representative to audit its compliance with this DPA once per calendar year so long as You provide at least thirty (30) days written notice. Zinc shall provide its full co-operation in enabling such an audit.
- 9.2 A reduced written notice period of at least seven (7) days shall apply if You reasonably believe that a Personal Data Breach has occurred or shall imminently occur, or if Zinc is in breach of any of its obligations under this DPA.
10. Term and Termination
- 10.1 This DPA will remain in full force and effect so long as the Agreement remains in effect.
- 10.2 Any provision of this DPA that, expressly or by implication, should come into, or continue in force, on or after termination of the Agreement in order to protect Personal Data, shall remain in full force and effect.
- 10.3 A Party’s failure to comply with the terms of this DPA shall be a material breach of the Agreement. In such an event, the non-breaching Party may terminate the Agreement with immediate effect on written notice to the breaching Party without further liability or obligation to the non-breaching Party.
- 10.4 If a change in any Data Protection Law prevents either Party from fulfilling all or part of its obligations under the Agreement, the Parties may agree to suspend the Processing of the Personal Data until such Processing complies with the relevant Data Protection Law. If the Parties are unable to bring the Processing into compliance with Data Protection Law within 30 days, either Party may terminate the Agreement with immediate effect on written notice to the other Party without further liability or obligation to the other Party.
- 10.5 Upon termination or expiry of the Agreement Zinc shall, except as otherwise required under the Data Protection Laws, delete or return to You (as You may elect) all outstanding Candidate Data.
11. Notices
- 11.1 Any notice given to Zinc under or in connection with the Agreement must be in writing and delivered to: hamraj@zincwork.com.
- 11.2 Any notice given to You under or in connection with the Agreement must be in writing and delivered to the email address specified in the relevant Order Form.
Annex I: Purpose and Details of Personal Data Processing
Subject matter of processing: The provision of employee reference and background checking services to You as further set out in the Terms and Conditions.
Duration of processing: For the term of the Agreement and thereafter for any periods permitted under the Agreement.
Nature and Purpose of Processing: Zinc will Process the types of Personal Data set out below in order to arrange background and reference checks for Your Candidates.
Personal Data Categories: Identity data (which may include the following Special Categories of Personal Data: biometric data for the purpose of uniquely identifying a natural person), contact data, background check status data, qualification data, employment history data, sanctions data (which may include criminal offence data), financial data and usage data.
Data Subject Types:
- Your employees, contractors or workers.
- Candidates seeking to work with You (whether that work is paid, voluntary or otherwise).
- Referees providing employment references for applicable Candidates.
- Other third parties upon Your or applicable Candidate’s requests.
Annex II: Approved Subprocessors
Zinc Integrations — only applicable if used by you
Annex III: Security measures
The technical and organizational measures. See an overview of security measures on Zinc’s page.
1. Clean coding and least privilege access granting for Zinc IT developers.
2. Monitoring traffic – Internal network traffic is systematically checked for any suspicious behaviour.
3. Vulnerability Management – Zinc conducts web scans and scans for potential threats.
4. Incident Management – Zinc has a well-defined incident management process for security events, including reporting, prioritisation based on urgency, escalation and mitigation.
5. Business Continuity – Zinc reviews all business-critical functions.
6. Quality assurance – Zinc tests all new features before implementing them to the application.
ISO 27001
Tier 1 with the Independent Commissioners Office
Cyber Essentials
UK Digital Identity Certification Scheme