This Data Processing Agreement (the “DPA”) is incorporated into the agreement(s) entered into by you (“Partner”) and the LinkedIn company identified on the agreement(s) (“LinkedIn”), that govern data sharing between Partner and LinkedIn (but excluding customer agreements between Partner and LinkedIn that govern Partner’s purchase of LinkedIn products and services) (“Partner Agreement”). 

This DPA governs the processing of: (1) personal data that Partner uploads or otherwise provides to LinkedIn in connection with the Partner Agreement; and (2) personal data that LinkedIn (or its members) uploads or otherwise provides to Partner in connection with the Partner Agreement. 

Collectively, the DPA (including the SCCs, as defined below) and the Partner Agreement are referred to in this DPA as the “Agreement”. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs; (b) this DPA; and (c) the Partner Agreement. Except as specifically amended in this DPA, the Partner Agreement remains unchanged and in full force and effect. 

RECITALS

WHEREAS, in connection with the Partner Agreement, LinkedIn and Partner may each be Data Processors of Joint Customer Personal Information (as defined below) and, in certain cases, transfer that Joint Customer Personal Information to the other party for processing at the direction of that Joint Customer;

WHEREAS, in connection with the Partner Agreement, LinkedIn and Partner may each be Data Controllers of Personal Information (e.g., personal data of LinkedIn members) and, in certain cases, transfer that Personal Information to the other party for that other party to act as a Data Controller of that Personal Information;

WHEREAS, in connection with the Partner Agreement, LinkedIn and Partner may each be Data Controllers of Personal Information and, in certain cases, transfer that Personal Information to the other party so that the other party can provide certain services to the transferring party as a Data Processor (e.g., complete an API call); and

WHEREAS, LinkedIn and Partner wish to memorialize their obligations to one another with respect to the foregoing.

THEREFORE, by continuing to process or transfer Personal Information as set forth above, LinkedIn and Partner agree to be bound by this DPA. If Partner does not agree to comply with the terms of this DPA, it must immediately cease processing Personal Information or uploading or otherwise transferring Personal Information to LinkedIn in connection with the Partner Agreement.

1. DEFINITIONS

“CCPA” means the California Consumer Privacy Act of 2018 together with any subordinate legislation or regulations.

“Data Protection Requirements” means the General Data Protection Regulation, and any applicable laws, regulations and other legal requirements in the European Union or domestic laws relating to: (i) privacy, data security, consumer protection, marketing, promotion, text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any personal data. Requirements may include, but are not limited to, the Lei Geral de Proteção de Dados (Brazil’s General Data Protection Law) and the CCPA.

“Designated Countries” means countries in the European Union, the European Economic Area, and Switzerland.

“EU Personal Information” means Personal Information the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation.

“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation.

“Joint Customer” means a customer of both Partner and LinkedIn.

“Joint Customer Personal Information” means any Personal Information for which a Joint Customer acts as a data controller.

“LinkedIn Personal Information” means any Personal Information for which LinkedIn acts as a data controller.

“Partner Personal Information” means any Personal Information for which Partner acts as a data controller.

“Personal Information” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that Partner provides to LinkedIn from services such as applicant tracking systems (ATSs) or customer-relationship management (CRM) services at the direction of a Joint Customer; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual. Personal Information includes any information defined as “Personal Information” or “Personal Data” under the Partner Agreement.

“Personal Information Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information processed under the Agreement.

“Process” and its cognates mean any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“SCCs” means the European Commission Standard Contractual Clauses entered into between the parties under the Agreement.

“Subprocessor” means any entity which provides processing services to a Data Processor, as defined in Section 5.1, in furtherance of such Data Processor’s processing on behalf of a Data Controller.

“Supervisory Authority” means (i) an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation; or (ii) the public authority governing data protection, which has supervisory authority and jurisdiction over a Data Controller or Data Processor.

2. COMPLIANCE WITH LAWS

The parties shall each comply with their respective obligations under all applicable Data Protection Requirements. Neither Party shall knowingly perform its obligations under this Agreement in such a way as to cause the other Party to breach any of its obligations under Data Protection Requirements. 

3. PROCESSOR-TO-PROCESSOR SCENARIOS

Each party, to the extent that it, along with the other party, acts as a Data Processor with respect to Personal Information, will (i) comply with the instructions and restrictions set forth in its agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the Data Protection Requirements. Partner and LinkedIn both acknowledge and agree that each is acting as a Data Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.

4. CONTROLLER-TO-CONTROLLER SCENARIOS

Each party, to the extent that it, along with the other party, acts as a Data Controller with respect to Personal Information, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the Data Protection Requirements. The parties acknowledge and agree that each is acting independently as a Data Controller with respect to Personal Information and that the parties are not joint controllers as defined under applicable Data Protection Requirements.

5. CONTROLLER-TO-PROCESSOR SCENARIOS

5.1   Relationship of the parties. The rights, responsibilities, and obligations of the parties with regard to Sections 6-9 and 10.3 of this DPA shall be as follows:

5.1.1   For data processing operations where LinkedIn processes Personal Information on Partner’s behalf and at Partner’s direction, the term “Data Processor” refers to LinkedIn, the term “Data Controller” refers to Partner, and the term “Personal Information” refers to Partner Personal Information.

5.1.2   For data processing operations where Partner processes Personal Information on LinkedIn’s behalf and at LinkedIn’s direction, the term “Data Processor” refers to Partner, the term “Data Controller” refers to LinkedIn, and the term “Personal Information” refers to LinkedIn Personal Information.

5.2   Scope of Processing. In the context of the scenarios described in Section 5.1 above, each party agrees to process Personal Information only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Information processed and the categories of data subjects subject to this Agreement are described in Schedule A to this DPA.

6. DATA CONTROLLER OBLIGATIONS

The parties in their capacity as Data Controller agree to:

6.1   provide instructions to Data Processor and determine the purposes and general means of Data Processor’s processing of Personal Information in accordance with the Agreement; and

6.2   comply with its protection, security and other obligations with respect to Personal Information prescribed by Data Protection Requirements for Data Controllers by: (a) ensuring it has provided data subjects with all necessary information in respect of its processing of Personal Information; (b) ensuring it obtains valid consent from data subjects where required; (c) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Information are processed on behalf of Data Controller; (d) processing only Personal Information and other data that has been lawfully and validly collected and ensuring that such Personal Information and other data will be relevant and proportionate to the respective uses; and (e) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Information on its behalf.

7. DATA PROCESSOR OBLIGATIONS

7.1   Processing Requirements. The parties in their capacity as Data Processor agree to:

a.   process Personal Information (i) only for the purpose of providing, supporting and improving the Data Processor’s services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Data Controller. Data Processor will not use or process the Personal Information for any other purpose. Data Processor will promptly inform Data Controller in writing if it cannot comply with the requirements under Sections 5-9 and 10.3 of this DPA, in which case Data Controller may terminate the Agreement or take any other reasonable action, including suspending data processing operations;

b.   inform Data Controller promptly if, in Data Processor’s opinion, an instruction from Data Controller violates applicable Data Protection Requirements;

c.   if Data Processor is collecting Personal Information from individuals on behalf of Data Controller, follow Data Controller’s instructions regarding such Personal Information collection (including with regard to the provision of notice and exercise of choice);

d.   take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on Data Processor’s behalf comply with the terms of the Agreement;

e.   ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Personal Information, including after the end of their respective employment, contract, or assignment;

f.   if it intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors provided by Data Processor to Data Controller (such list for LinkedIn is available online at https://www.linkedin.com/legal/l/customer-subprocessors), obtain the prior written consent of Data Controller to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to Data Controller for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on Data Processor’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;

g.   upon request, provide Data Controller with Data Processor’s privacy and security policies.

7.2   Notice to Data Controller. Data Processor will inform Data Controller if Data Processor becomes aware of:

a.   any non-compliance by Data Processor or its employees with Sections 5, 7-9, and 10.3 of this DPA or the Data Protection Requirements relating to the protection of Personal Information processed under this DPA;

b.   any legally binding request for disclosure of Personal Information by a law enforcement authority, unless Data Processor is otherwise forbidden by law to inform Data Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;

c.   any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Information; or

d.   any complaint or request (in particular, requests for access to, rectification or blocking of Personal Information) received directly from data subjects of Data Controller. Data Processor will not respond substantively to any such request without Data Controller’s prior written authorization, except to acknowledge receipt of the request.

7.3   Assistance to Data Controller. Data Processor will provide reasonable assistance to Data Controller regarding:

a.   any requests from Data Controller data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking, or deletion of Personal Information that Data Processor processes for Data Controller. In the event that a data subject sends such a request directly to Data Processor, Data Processor will promptly send such request to Data Controller;

b.   the investigation of Personal Information Breaches and the notification to the Supervisory Authority and Data Controller data subjects regarding such Personal Information Breaches; and

c.   where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.

7.4   Required Processing. If Data Processor is required by Data Protection Requirements to process any Personal Information for a reason other than in connection with the Agreement, Data Processor will inform Data Controller of this requirement in advance of any processing, unless Data Processor is legally prohibited from informing Data Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable European Union member state laws).

7.5   Security. Data Processor will:

a.   maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption of Personal Information while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of Personal Information;

b.   be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Data Processor personnel with respect to Personal Information and liable for any failure by such Data Processor personnel to meet the terms of this Agreement;

c.   take appropriate steps to confirm that all Data Processor personnel are protecting the security, privacy and confidentiality of Personal Information consistent with the requirements of this DPA; and

d.   notify Data Controller of any Personal Information Breach by Data Processor, its Subprocessors, or any other third parties acting on Data Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Information Breach.

8. AUDIT, CERTIFICATION

8.1   Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which Data Processor processes Personal Information in order to ascertain or monitor compliance with Data Protection Requirements, Data Processor will cooperate with such audit. Data Controller will reimburse Data Processor for its reasonable expenses incurred to cooperate with the audit. 

8.2   Data Processor Certification. Data Processor must, upon Data Controller’s request (not to exceed one request per calendar year) by email (where LinkedIn is Data Processor, such emails shall be sent to DPO@linkedin.com; where Partner is Data Processor, Partner shall establish and provide to LinkedIn upon request a single point of contact for email correspondence regarding data protection), certify compliance with Sections 5, 7-9, and 10.3 of this DPA in writing. Data Processor will, upon Data Controller’s request, provide to Data Controller each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 16 (“SSAE 16”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Agreement.

9. DATA RETURN AND DELETION

The parties agree that on the termination of the data processing services or upon Data Controller’s reasonable request, Data Processor shall, and shall take reasonable measures to cause any Subprocessors to, at the choice of Data Controller, return all the Personal Information and copies of such data to Data Controller or securely destroy them, and demonstrate to the satisfaction of Data Controller that it has taken such measures, unless Data Protection Requirements prevent Data Processor from returning or destroying all or part of the Personal Information disclosed. In such case, Data Processor agrees to preserve the confidentiality of the Personal Information retained by it and that it will only actively process such Personal Information after such date in order to comply with applicable laws.

10. DATA TRANSFERS. 

With respect to a transfer of data between the parties that results in a transfer of EU Personal Information to a jurisdiction other than a jurisdiction in the European Union, the European Economic Area, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees as follows:

10.1     Processor-to-Processor. Where both parties act as Data Processor with respect to Personal Information, the parties agree that Module 3 of the SCCs, which applies to Processor-to-Processor relationships, will apply and that the following terms apply: (i) the Data Protection Commission of Ireland shall be the Competent Supervisory Authority pursuant to Clause 13 of the SCCs; (ii) these terms shall be governed by the law of one of the European Union member states, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland pursuant to Clause 17 of the SCCs; (iii) any dispute arising from the SCCs shall be resolved by the courts of Ireland pursuant to Clause 18 of the SCCs; (iv) Schedule A to this DPA shall apply as Annex I of the Processor-to-Processor SCCs; (v) Schedule B to this DPA shall apply as Annex II of the Processor-to-Processor SCCs; and (vi) Schedule C to this DPA shall apply as Annex III of the Processor-to-Processor SCCs.

10.2     Controller-to-Controller. Where both parties act as Data Controller with respect to Personal Information, the parties agree that Module 1 of the SCCs, which applies to Controller-to-Controller relationships, will apply and that the following terms apply: (i) the Data Protection Commission of Ireland shall be the Competent Supervisory Authority pursuant to Clause 13 of the SCCs; (ii) these terms shall be governed by the law of one of the European Union member states, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland pursuant to Clause 17 of the SCCs; (iii) any dispute arising from the SCCs shall be resolved by the courts of Ireland pursuant to Clause 18 of the SCCs; (iv) Schedule A to this DPA shall apply as Annex I of the Controller-to-Controller SCCs; and (v) Schedule B to this DPA shall apply as Annex II of the Controller-to-Controller SCCs.

10.3     Controller-to-Processor. Where one party acts as a Data Controller and the other party acts as such party’s Data Processor with respect to Personal Information, the parties agree that Module 2 of the SCCs, which applies to Controller-to-Processor relationships, will apply and that the following terms apply: (i) the Data Protection Commission of Ireland shall be the Competent Supervisory Authority pursuant to Clause 13 of the SCCs; (ii) these terms shall be governed by the law of one of the European Union member states, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland pursuant to Clause 17 of the SCCs; (iii) any dispute arising from the SCCs shall be resolved by the courts of Ireland pursuant to Clause 18 of the SCCs; (iv) Schedule A to this DPA shall apply as Annex I of the Controller-to-Processor SCCs; (v) Schedule B to this DPA shall apply as Annex II of the Controller-to-Processor SCCs; and (vi) Schedule C to this DPA shall apply as Annex III of the Controller-to-Processor SCCs.

11. TERM

This DPA shall remain in effect as long as either party carries out Personal Information processing operations on the Personal Information uploaded or otherwise provided by the other party pursuant to and in accordance with the Partner Agreement. 

12. GOVERNING LAW, JURISDICTION, AND VENUE

Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by the laws of Ireland, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Dublin, Ireland.

SCHEDULE A

ANNEX I

A.   LIST OF PARTIES

A.1 Processor-to-Processor

Notes:

  • If LinkedIn is sending EU Personal Information to the counterparty, LinkedIn is the Data Exporter and the counterparty is the Data Importer.
  • If LinkedIn is receiving EU Personal Information from the counterparty, LinkedIn is the Data Importer and the counterparty is the Data Exporter.
  • If EU Personal Information is transferred both from LinkedIn to the counterparty and from the counterparty to LinkedIn for processing on behalf of a mutual customer of LinkedIn and the counterparty, then a LinkedIn signatory to the Partner Agreement is both a Data Importer and Data Exporter and the counterparty is both a Data Importer and Data Exporter.

When LinkedIn is the Data Exporter:

Name: LinkedIn Ireland Unlimited Company
Address: Wilton Plaza, Wilton Place, Dublin 2, IRELAND
Contact person's name, position, and contact details: Conor Bowe, Data Protection Officer, DPO@linkedin.com
Activities relevant to the data transferred under these Clauses: A provider of professional networking and online talent, sales, marketing, employee engagement and learning services to members, guests and customers who are data subjects from the Designated Countries (as defined in the LinkedIn Data Processing Agreement for Business Development Agreements)
Role: Processor

When the Counterparty is the Data Importer:

Name: Signatory to the Partner Agreement (as defined in the LinkedIn Data Processing Agreement for Business Development Agreements)
Address: As set forth in the Partner Agreement, or associated with the applicable developer account
Contact person's name, position, and contact details: As set forth in the Partner Agreement, or associated with the applicable developer account
Activities relevant to the data transferred under these Clauses: As set forth in the Partner Agreement
Role: Processor

When the Counterparty is the Data Exporter:

Name: Signatory to the Partner Agreement
Address: As set forth in the Partner Agreement, or associated with the applicable developer account
Contact person's name, position, and contact details: As set forth in the Partner Agreement, or associated with the applicable developer account
Activities relevant to the data transferred under these Clauses: As set forth in the Partner Agreement
Role: Processor

When LinkedIn is the Data Importer:

Name: LinkedIn Corporation
Address: 1000 West Maude Avenue, Sunnyvale, California, 94085 USA
Contact person's name, position, and contact details: Kalinda Raina, Chief Privacy Officer, Tel.: +1 650-687-3600, email: LegalTeam@linkedin.com
Activities relevant to the data transferred under these Clauses: As set forth in the Partner Agreement
Role: Processor

A.2. Controller-to-Controller

Data exporter(s):

Name: LinkedIn Ireland Unlimited Company
Address: Wilton Plaza, Wilton Place, Dublin 2, IRELAND
Contact person's name, position, and contact details: Conor Bowe, Data Protection Officer, DPO@linkedin.com
Activities relevant to the data transferred under these Clauses: A provider of professional networking and online talent, sales, marketing, employee engagement and learning services to members, guests and customers who are data subjects from the Designated Countries
Role: Controller

Data Importer:

Name: Signatory to the Partner Agreement
Address: As set forth in the Partner Agreement, or associated with the applicable developer account
Contact person's name, position, and contact details: As set forth in the Partner Agreement, or associated with the applicable developer account
Activities relevant to the data transferred under these Clauses: As set forth in the Partner Agreement
Role: Controller

A.3. Controller-to-Processor

Notes:

  • If LinkedIn, as Data Controller, is sending EU Personal Information to the counterparty, LinkedIn is the Data Exporter and the counterparty is the Data Importer.
  • If LinkedIn, as Data Processor, is receiving EU Personal Information from the counterparty, LinkedIn is the Data Importer and the counterparty is the Data Exporter. 

When LinkedIn is the Data Exporter:

Name: LinkedIn Ireland Unlimited Company
Address: Wilton Plaza, Wilton Place, Dublin 2, IRELAND
Contact person's name, position, and contact details: Conor Bowe, Data Protection Officer, DPO@linkedin.com
Activities relevant to the data transferred under these Clauses: A provider of professional networking and online talent, sales, marketing, employee engagement and learning services to members, guests and customers who are data subjects from the Designated Countries
Role: Controller

When the Counterparty is the Data Importer:

Name: Signatory to the Partner Agreement
Address: As set forth in the Partner Agreement, or associated with the applicable developer account
Contact person's name, position, and contact details: As set forth in the Partner Agreement, or associated with the applicable developer account
Activities relevant to the data transferred under these Clauses: As set forth in the Partner Agreement
Role: Processor

When the Counterparty is the Data Exporter:

Name: Signatory to the Partner Agreement
Address: As set forth in the Partner Agreement, or associated with the applicable developer account
Contact person's name, position, and contact details: As set forth in the Partner Agreement, or associated with the applicable developer account
Activities relevant to the data transferred under these Clauses: As set forth in the Partner Agreement
Role: Controller

When LinkedIn is the Data Importer:

Name: LinkedIn Corporation
Address: 1000 West Maude Avenue, Sunnyvale, California, 94085 USA
Contact person's name, position, and contact details: Kalinda Raina, Chief Privacy Officer, Tel.: +1 650-687-3600, email: LegalTeam@linkedin.com
Activities relevant to the data transferred under these Clauses: A provider of professional networking and online talent, sales, marketing, employee engagement and learning services to members, guests and customers who are data subjects from the Designated Countries
Role: Processor

B.   DESCRIPTION OF TRANSFER

Categories of Data Subjects

The personal data transferred concern the following categories of data subjects, depending on the agreement between the data importer and data exporter:

- LinkedIn members;
- Potential and actual candidates and employees of the data exporter;
- Sales and marketing leads of the data exporter; and
- Third parties that have, or may have, a commercial relationship with the data exporter (e.g. advertisers, customers, corporate subscribers, contractors, and individual product users).

Categories of Personal Information Transferred

The personal data transferred concern the following categories of data 

The data transferred is the personal data provided by the data exporter to the data importer in connection with the Partner Agreement.  Such personal data may include first name, last name, email address, contact information, system and network data (e.g., IP address, cookies / beacons / browser ID, device ID / advertising ID), education, work history, and other information provided in LinkedIn member profiles, resumes, CRM data concerning sales leads and customer lists, any notes provided by the data exporter regarding the foregoing, and other activities of LinkedIn members taken on the LinkedIn platform.

Sensitive Data Transferred

The personal data transferred may concern the following categories of data

None.


Restrictions or Safeguards for Sensitive Data

The applied restrictions or safeguards taken with respect to any sensitive data transferred

None applicable.

Subject Matter of Processing

The relationship of the parties as contemplated by the Partner Agreement.

Nature and Purpose of Processing 

The transfer is intended to enable the relationship of the parties contemplated by the Partner Agreement.

Frequency of Processing

Continuous basis.

Duration of Processing

As set forth in the Partner Agreement.

Retention Period

The period for which the personal data will be retained, or the criteria used to determine that period

The personal data transferred between the parties may only be retained for the period of time permitted under the Partner Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

LinkedIn uses sub-processors to support its infrastructure environment, local and international providers of telecommunications and networking services, and legal entities engaged in data storage and content delivery. Personal data processed by sub-processors is processed for the purposes and duration of the relevant underlying Partner Agreement. For more information, see Annex III, where applicable.

C.   COMPETENT SUPERVISORY AUTHORITY

See Section 10 of this DPA (the LinkedIn Data Processing Agreement for Business Development Agreements).

SCHEDULE B

Annex II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

A.   Where LinkedIn is the Data Importer the following Annex II applies:

1. General Security Measures  

Data Importer will comply with industry standard security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Data Exporter's Personal Information provided by Data Exporter to Data Importer), as well as with all applicable data privacy and security laws, regulations and standards. 

2. Contact Information  

Data Importer's security team can be reached at security@linkedin.com for any security issues or questions related to the product.

3. Compliance 

Data Importer complies with the standards and practices set forth at the following web address: https://security.linkedin.com/trust-and-compliance. Data Exporter must contact LinkedIn for any additional information on the security certifications listed at the web address.

4. Information Security Program 

The objective of the Data Importer’s Information Security Program is to maintain the confidentiality, integrity, and availability of its computer and data communication systems while meeting necessary legislative, industry, and contractual requirements. Data Importer shall establish, implement, and maintain an information security program that includes technical and organizational security and physical measures, as well as policies and procedures to protect Data Exporter data processed by Data Importer against accidental loss; destruction or alteration; unauthorized disclosure or access; or unlawful destruction. 

4.1 Secure Software Development 

Data Importer shall maintain policies and procedures to ensure that system, device, application, and infrastructure development is performed in a secure manner. This includes review and testing of all Data Importer applications, products, and services for common security vulnerabilities and defects, employing a defense-in-depth strategy through the use of multiple layers of security boundaries and technologies, periodic pen testing and security assessment of these services, defining baseline configurations, and requirements for patching of third-party systems. 

4.2 Human Resources Security 

Data Importer shall maintain a policy which defines requirements around enforcing security measures as they relate to employment status changes. This includes background checks, acknowledgement and adherence to Data Importer's security policies, and onboarding and termination for employees and third parties. 

4.3 Data Classification & Protection 

Data Importer shall maintain policies and procedures for data classification and protection, along with requirements for classification of data containing Personal Information in consideration of applicable laws, regulations, and contractual obligations. Data Importer shall also maintain requirements on data encryption, rules for transmission of data, and requirements for removable media, along with requirements on how access to these data should be governed. 

4.4 Network Security 

Data Importer shall maintain policies and procedures around the network infrastructure used to process Data Exporter data, establish and enforce safe network practices, and define service level agreements with internal and external network services. 

4.5 Physical and Environmental Security 

Data Importer shall maintain policies and procedures for physical and environmental security, define requirements to protect areas that contain sensitive information, and ensure that critical information services be protected from interception, interference, or damage. 

4.6 Business Continuity and Disaster Recovery 

Data Importer shall maintain policies and procedures to ensure that Data Importer may continue to perform business critical functions in the face of an extraordinary event. This includes data center resiliency and disaster recovery procedures for business critical data and processing functions. 

5. Access Control 

Data Importer shall maintain access control measures designed to limit access to Data Importer's facilities, applications, systems, network devices, and operating systems to a limited number of personnel who have a business need for such access. Data Importer shall ensure such access is removed when no longer required and shall conduct access reviews periodically. 

6. Risk Assessments 

Data Importer has a documented risk management procedure and Secure Software Development Lifecycle process. Data Importer performs risk assessments of its products and infrastructure on a regular basis, including review of the data classification policies and targeted reviews of highly sensitive data flows. 

Data Importer performs application and infrastructure level testing for every new product that is launched, as well as periodic reassessments of its network and of feature changes. Data Importer leverages access control and peer code review to ensure that viruses are not introduced into the code and to detect such abuse. Data Importer uses a combination of manual penetration testing and automated tools. 

7. Third-Party Risk Assessments 

Data Importer conducts security due diligence on third-party service providers to assess and monitor risk. This assessment includes a review of scope of confidential information and personal data transferred to or processed by the service provider and the purpose of the work. Data Importer will also conduct a risk assessment which may include the service provider’s organization and technical security measures, the sensitivity of any information processed by the service provider, storage limitations, and data deletion procedures and timelines. 

8. Supplementary Measures  

In addition to the general security measures set out above, the Data Importer has implemented the following supplementary technical and organisational measures: 

  • Partner Personal Information is transferred across public networks to the Data Importer’s data centres in the United States and is stored on secured servers behind a firewall. 
  • Data Importer encrypts all Partner Personal Information in transit across public networks depending on the Data Exporter’s ability to support encryption. Certain highly confidential data (including but not limited to passwords, authentication tokens, salary and payment information) is also encrypted at rest. LinkedIn will only use industry tested and accepted standards for cryptographic algorithms. 
  • Data Importer’s data is replicated across all its data centres in a secure environment. 
  • Data Importer employs app logic with appropriate authorization to protect tenant data. Access requests are reviewed to ensure only appropriate access is granted. Server and database access logs are retained for auditing purposes. 
  • Data Importer deploys industry standard security measures including ISO 27001 & ISO 27018 and PCI DSS to keep the data of our members and customers safe. 
  • Data Importer’s employees and contractors are trained in relation to specific technical and organisational security measures. 
  • Servers are monitored by both industry standard and proprietary network monitoring tools to prevent any potential security breaches. 
  • Corporate systems and databases are password protected. 
  • VPN and direct LinkedIn network access are limited to company issued or approved devices. 
  • Dual factor authentication is in operation for VPN access. 
  • Customer and member passwords are hashed and salted and stored in a separate, secure database. 
  • Keys to credit card database are rotated regularly. 
  • Active and automated monitoring of critical access logs and anomaly detection. 

B.    Where LinkedIn is the Data Exporter the following Annex II applies:

1.    Data Importer will comply with industry standard security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Data Exporter's Personal Information provided by Data Exporter to Data Importer), as well as with all applicable data privacy and security laws, regulations and standards. 

2.    Data Importer’s employees and contractors must be trained in relation to specific and appropriate technical and organizational security measures.

3.    Personal data is to be stored on secured servers behind a firewall.

4.    Data Importer’s servers are to be monitored by industry standard and, as appropriate, proprietary network monitoring tools to prevent any potential security breaches.

5.    Data Importer’s corporate systems and databases must be password protected.

6.    VPN and direct Data Importer network access will be limited to company-issued devices.

7.    Dual factor authentication will be mandatory for VPN access.

8.    Member passwords, if supplied to Data Importer, are to be hashed and salted and stored in a separate database.

9.    Data Importer must retain, for one year, VPN, server, wiki, and database access logs.

10.  Data Importer must segregate and limit employee access permissions.

11.  If applicable, Data Importer must rotate keys to the credit card database.

12.  Data Importer must conduct active and automated monitoring of critical access logs and anomaly detection.

13.  Data Importer has implemented appropriate safeguards proportionate to the specific risks associated with data transfers to the Data Importer’s jurisdiction.

14.  Data Importer will adapt its technical and organisational measures to comply with developments in legal and regulatory requirements.

C.   If LinkedIn is both a Data Importer and a Data Exporter and the counterparty to the Partner Agreement (as defined in the LinkedIn Data Processing Agreement for Business Development Agreements) is both a Data Importer and a Data Exporter (i.e., EU Personal Information is transferred both from LinkedIn to the counterparty and from the counterparty to LinkedIn for processing on behalf of a mutual customer of LinkedIn and the counterparty), the foregoing Sections A and B shall be included in Annex II.

SCHEDULE C

Annex III

LIST OF SUB-PROCESSORS

This Annex applies only where MODULE TWO: Transfer controller to processor or MODULE THREE: Transfer processor to processor of the SCCs is used.

General authorisation is provided to the use of sub-processors, a list of which is to be made available to the parties to this Agreement on request.

The list of sub-processors contains the following details in relation to each sub-processor:

  • Name;
  • Address;
  • Contact person’s name, position and contact details; and
  • Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised).