THIS DATA PROTECTION ADDENDUM is made between:

 

 1.     The Company that has entered into an agreement and/or order forms (collectively the “Agreement”) with a CareerBuilder Counterparty for the purchase of various recruitment and related products and services as more particularly defined as the Services in the Agreement ("Company"); and 

2.     CareerBuilder, LLC a company incorporated in the USA with a head office at 200 North LaSalle Street, Chicago, Illinois 60601, USA ("CareerBuilder, LLC"), acting on its own behalf with respect to: (a) Clause 10 (Transfers of Personal Data Outside the EEA/UK/Switzerland); and (b) if it is party to the Agreement (as defined above) with the Company; or (c) acting as agent for the CareerBuilder Affiliate which is party to the Agreement (in each case CareerBuilder, LLC or the CareerBuilder Affiliate being referred to as the “CareerBuilder Counterparty”),

  (each a “Party” and collectively the “Parties”).

 

INTRODUCTION:

(A)          Company is the Data Controller in respect of any Company Personal Data, Processed by the CareerBuilder Counterparty in connection with the Services.

(B)          Company and the CareerBuilder Counterparty are entering into this Data Protection Addendum ("DPA") to facilitate compliance with the Data Protection Laws (as defined below).

 

IT IS AGREED:

1.                 DEFINITIONS AND INTERPRETATION

1.1.             In this DPA except where the context requires otherwise the following words shall have the following meanings and cognate terms shall be construed accordingly. All capitalized terms not defined herein shall have the meaning set forth in the Agreement:

 

“Affiliate” means any corporation or other business entity controlling, controlled by or under common control with CareerBuilder, LLC or Company as the context requires, from time to time.

 

“Agreement” has the meaning given to it above.

 

"Business Day" means any day which is not a Saturday, a Sunday or public holiday in Chicago, Illinois, USA.

 

“CareerBuilder Counterparty” means the CareerBuilder party to the Agreement with Company.

 

"Clauses" means clauses 1 to 11 inclusive of this DPA.

 

“Company Personal Data” means any Personal Data of any nature, in any form, collected, generated, Processed or used for or in relation to the Services in respect of which the Company is (a) the Data Controller; and (b) subject to Data Protection Laws with respect to the Processing of such Personal Data. For the avoidance of doubt, Company Personal Data excludes Aggregate Data.

 

“Contracted Business Purposes” means the Services.

 

“Data Controller” (or “Controller”), “Data Processor” (or “Processor”), “Data Subject”, “Personal Data” all have the meaning given to those terms in the Data Protection Laws (and related terms such as “Process”, “Processing” have corresponding meanings). Unless stated otherwise, where terms differ under each Data Protection Law but are conceptually similar, each term shall be given equivalent meaning. For example, a “Data Controller” is similar to a “Business” and a “Data Subject” is similar to a “Consumer” as those terms are found throughout Data Protection Laws and, therefore, the terms shall be given the same meaning.

 

“Data Protection Laws” means: (a) European Directive 2002/58/EC together with all laws and regulations implementing the same in any European Member State; (b) EU GDPR; (c) UK GDPR; (d) any similar laws in Switzerland or in the European Economic Area; (e) US state and federal data protection or privacy laws including, but not limited to, the California Consumer Privacy Act of 2018 and its amendments; and (f) any related rules or regulations.

 

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as applicable as of 25 May 2018.

 

“Request” means a request from a Data Subject to exercise his/her rights under the Data Protection Laws in respect of Personal Data.

 

“Restricted Transfer” means a transfer of Personal Data from the European Economic Area (EEA) and/or Switzerland and/or the UK to a country or recipient outside the EEA, Switzerland and the UK, either directly or via onward transfer, where that country or recipient is: (i) not recognised by the European Commission or the Swiss or UK regulator, as relevant, as providing an adequate level of protection for Personal Data; and (ii) not covered by a suitable framework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data.

 

“Services” (or “Contracted Business Purposes”) means the contracted business purposes for which services are to be provided by the CareerBuilder Counterparty pursuant to the Agreement.

 

 “Sub-processor” means each Data Processor appointed by the CareerBuilder Counterparty.

 

“UK GDPR” means the EU GDPR, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

 

1.2.             In this DPA, except where the context requires otherwise:

1.2.1.       the clause headings are included for convenience only and shall not affect the interpretation of this DPA; and

 

1.2.2.       any phrase introduced by the terms "including", "include", "in particular" or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.

1.3.           The Schedule forms part of this DPA and shall have effect as if set out in full in the body of this DPA.

1.4.           References to any Directive, Regulation, statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such Directive, statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time.

1.5.           If there is any conflict between the Clauses of this DPA and the Agreement, this DPA takes precedence. If there is any conflict between the Clauses in the body of this DPA and the terms of the EU C2P Standard Contractual Clauses or UK C2P Standard Contractual Clauses (each as defined in Clause 10 below and together the “Standard Contractual Clauses”), then the terms of the Standard Contractual Clauses shall apply.

2.               RELATIONSHIP BETWEEN THE AGREEMENT AND THIS DPA

2.1.           This DPA is incorporated into and hereby forms part of the Agreement between Company and the CareerBuilder Counterparty and reflects the Parties’ agreement in relation to facilitating compliance with Data Protection Laws. This DPA shall terminate upon expiry or termination of the Agreement.

3.               APPOINTMENT AND ROLE OF DATA PROCESSOR

3.1.           The Company appoints the CareerBuilder Counterparty as its Data Processor with respect to all Company Personal Data Processed pursuant to or in relation to the performance of the Services by the CareerBuilder Counterparty. The Parties agree that, for the purposes of the Data Protection Laws, the Company is the Data Controller and the CareerBuilder Counterparty is the Data Processor of Company Personal Data.

3.2.           The details of the scope, purpose and duration of the Processing of Company Personal Data (including the types of Company Personal Data and categories of Data Subjects) covered by this DPA are set out in Schedule 1 of this DPA.

3.3.           The CareerBuilder Counterparty shall comply with and Process Company Personal Data in accordance with Data Protection Law and its relevant obligations under this DPA.

3.4.           The CareerBuilder Counterparty shall only Process the Company Personal Data on behalf of and in accordance with the Company’s instructions. Company hereby instructs the CareerBuilder Counterparty to Process Company Personal Data: (i) in accordance with the Agreement and any new Order Forms entered into pursuant to the Agreement; and (ii) in accordance with any reasonable, legal instructions provided by the Company to the CareerBuilder Counterparty in writing where such instructions are consistent with the terms of the Agreement and this DPA.

3.5.           The CareerBuilder Counterparty shall only collect, use, retain, disclose, or otherwise Process Personal Data for the Services in accordance with the instructions in the above clause 3.4 when carrying out the Contracted Business Purposes for which the Company provides or permits the CareerBuilder Counterparty to access Company Personal Data.

3.6.           The CareerBuilder Counterparty shall not collect, use, retain, disclose, sell, or otherwise make Personal Data available for the CareerBuilder Counterparty’s own commercial purposes or in a way that does not comply with Data Protection Laws. If a law requires the CareerBuilder Counterparty to disclose Personal Data for a purpose unrelated to the Contracted Business Purposes, the CareerBuilder Counterparty must inform the Company of the legal requirement, unless the law prohibits such notice.

3.7.           The CareerBuilder Counterparty will limit Personal Data collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

3.8.           Where the Contracted Business Purposes require the collection of Personal Data from Data Subjects on the Company’s behalf, the Company will always provide a notice at collection.

3.9.           The CareerBuilder Counterparty shall ensure that its personnel processing Company Personal Data have signed agreements requiring them to keep such Personal Data confidential, and take reasonable steps to ensure the reliability of CareerBuilder Counterparty personnel processing Personal Data, and that personnel Processing Personal Data receive adequate training on compliance with the data protection provisions of this DPA and Data Protection Law applicable to the Processing.

3.10.        Where permitted by Data Protection Laws, the CareerBuilder Counterparty may aggregate, de-identify, or anonymize Personal Data, so it no longer meets the Personal Data definition under the relevant Data Protection Law, and may Process such aggregated, de-identified, or anonymized data for its own purposes. The CareerBuilder Counterparty will not attempt to or actually re-identify any previously aggregated, de-identified, or anonymized data and will contractually prohibit downstream recipients of that data from attempting to or actually re-identifying such data.

3.11.        The CareerBuilder Counterparty shall not combine the Personal Data it receives from or on behalf of the Company with Personal Data the CareerBuilder Counterparty (i) receives from or on behalf of another person; or (ii) collects from its own Data Subject interaction, unless the Personal Data is used for a purpose that does not involve cross-site, behavioural advertising and is permitted under the Data Protection Laws.

4.               CO-OPERATION, ASSISTANCE, AUDITS AND RECORDS OF PROCESSING

4.1.           The CareerBuilder Counterparty shall provide reasonable assistance, information and cooperation to the Company to ensure compliance with the Company’s obligations under Data Protection Law, subject to Clause 8 below.

4.2.           The CareerBuilder Counterparty shall permit audits conducted by the Company or another auditor mandated by the Company for the purpose of demonstrating the CareerBuilder Counterparty’s compliance with its obligations under Data Protection Law and this DPA. The Parties agree that such audits shall be carried out in accordance with the following specifications:

Upon Company’s request, and subject to the confidentiality obligations set forth in the Agreement, the CareerBuilder Counterparty or CareerBuilder, LLC, as applicable, (“CareerBuilder”) shall make available to Company (or Company’s independent, third-party auditor that is not a competitor of CareerBuilder, LLC or its Affiliates) information regarding the CareerBuilder's compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits set forth in the Technical and Organisational Measures to the extent CareerBuilder makes them generally available to its customers. Company may contact CareerBuilder in accordance with the "Notices" Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Company Personal Data. Before the commencement of any such on-site audit, Company and CareerBuilder shall mutually agree upon the scope, timing, and duration of the audit. Company shall promptly notify CareerBuilder with information regarding any non-compliance discovered during the course of an audit.

4.3.           The CareerBuilder Counterparty shall make available to the Company on request in a timely manner such information as is reasonably required by the Company to demonstrate the CareerBuilder Counterparty’s compliance with its obligations under Data Protection Laws and this DPA.

4.4.           The CareerBuilder Counterparty will notify the Company without undue delay if it becomes aware of circumstances which actually render its compliance with any Data Protection Law impossible.

5.               SECURITY MEASURES

5.1.           The CareerBuilder Counterparty shall:

5.1.1.       take appropriate technical and organisational measures against unauthorised or unlawful Processing of Company Personal Data and against accidental loss, alteration, disclosure or destruction of, or damage to, Company Personal Data as set out in Schedule 2 (Technical and Organisational Measures) to this DPA. The CareerBuilder Counterparty may change the controls and safeguards set out in Schedule 2 from time to time provided that the CareerBuilder Counterparty will not materially decrease the overall security of the Services during the term of the Agreement; and

5.1.2.       take reasonable steps to ensure the reliability of any staff or contractors who may have access to Company Personal Data; and

5.1.3.       on termination or expiry of the Agreement, at its own expense on the Company’s written request (at the Company’s sole option) securely wipe or return all Company Personal Data to the Company and shall not retain or further Process any Company Personal Data.

6.               BREACH NOTIFICATION

6.1.           The CareerBuilder Counterparty shall, to the extent permitted by applicable law, notify Company without undue delay if it becomes aware of any unauthorised or unlawful Processing of, loss of, damage to, or destruction or corruption of, the Company Personal Data (“Security Breach”), save where such Security Breach is unlikely to result in a risk to the rights and freedoms of individuals, and shall provide details of such Security Breach to the Company.

6.2.           To the extent such Security Breach is caused by the CareerBuilder Counterparty, the CareerBuilder Counterparty shall make reasonable efforts to promptly identify and remedy the cause of such Security Breach.

7.               SUB-PROCESSORS

7.1.           Company acknowledges and agrees that: (a) the CareerBuilder Counterparty may engage Sub-processors; (b) Affiliates of the CareerBuilder Counterparty are retained as Sub-processors; and (c) the CareerBuilder Counterparty and its Affiliates engage third party Sub-processors to Process Company Personal Data in connection with the provision of the Services.

7.2.           The CareerBuilder Counterparty shall appoint all Sub-processors under a binding written contract (“Processor Contract”) which imposes the same data protection obligations as are contained in this DPA. The Parties agree that the copies of the Processor Contracts that must be sent by CareerBuilder to Company may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by CareerBuilder beforehand; and, that such copies will be provided by CareerBuilder only upon reasonable request by Company.

7.3.           The CareerBuilder Counterparty shall be liable for the acts and omissions of its Sub-processors to the extent that the CareerBuilder Counterparty would be liable if performing the services of each Sub-processor directly under this DPA.

7.4.           CareerBuilder shall make available to Company a list of Sub-processors for the respective Services with the identities of those Sub-processors ("Sub-processor List"). CareerBuilder shall provide Company with a mechanism to subscribe to updates to the relevant Sub-processor List and shall provide such updates before authorizing any new Sub-processor(s) to Process Company Personal Data in connection with the provision of the Services. The Sub-processor List is set out in Schedule 3 of this DPA.

7.5.           If Company has a reasonable basis to object to CareerBuilder's use of a new Sub-processor, Company shall notify CareerBuilder promptly in writing within 10 Business Days after receipt of CareerBuilder's notice. In the event Company objects to a new Sub-processor(s) and that objection is not unreasonable, CareerBuilder will use reasonable efforts to make available to Company a change in the affected Services or recommend a commercially reasonable change to Company's configuration or use of the affected Services to avoid Processing of Company Personal Data by the objected-to new Sub-processor without unreasonably burdening Company. If CareerBuilder is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Company may terminate the applicable Order Form(s) in respect only of those Services which cannot be provided by CareerBuilder without the use of the objected-to new Sub-processor, by providing written notice to CareerBuilder. Company shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.

7.6.           Where a Restricted Transfer is involved and the Parties have entered into Standard Contractual Clauses pursuant to clause 10 below, the terms of such Standard Contractual Clauses in respect of Sub-processors shall also apply.

8.               SUBJECT ACCESS AND ACCURACY OF DATA

8.1.           To the extent that the Company or any Company Affiliate party to an Order Form is unable to comply with any Request made pursuant to Data Protection Laws in relation to the Processing of Company Personal Data under this DPA without the CareerBuilder Counterparty’s assistance, the CareerBuilder Counterparty shall cooperate with and assist the Company or the relevant Company Affiliate to comply with such subject access obligations and in particular shall:

8.1.1.         comply with any Company request or instruction requiring the CareerBuilder Counterparty to provide, amend, transfer, or delete the Personal Data, or stop, mitigate, or remedy any unauthorized Processing;

8.1.2.         notify the Company within five days if it receives a Request from a Data Subject for access to any Company Personal Data;

8.1.3.         provide Company with reasonable co-operation and assistance in complying with any Data Subject access Request received by the CareerBuilder Counterparty or Company relating to Company Personal Data, including, solely to the extent the Company is not able to access such Company Personal Data itself without the CareerBuilder Counterparty’s support, by supplying the Company with the Company Personal Data which is sought under the Request within 20 days of receiving the Request from the Company; and

8.1.4.         not disclose or release any Company Personal Data in response to a Data Subject access Request served on the CareerBuilder Counterparty by any Data Subject or third party, without first consulting with and obtaining the prior written consent of the Company.

8.2.           To the extent that the Company is unable to correct, amend, block or delete Company Personal Data in response to a Request from a Data Subject in accordance with Data Protection Laws without the CareerBuilder Counterparty’s assistance, the CareerBuilder Counterparty shall reasonably cooperate and assist with meeting the Company’s obligations. When determining whether such cooperation is reasonable, the Parties may take into account the nature of the CareerBuilder Counterparty’s Processing and the information available to the CareerBuilder Counterparty.

8.3.           In all cases save where passing on the costs to Company is prohibited by applicable law, Company shall reimburse the CareerBuilder Counterparty for all costs incurred by the CareerBuilder Counterparty and its Affiliates complying with its obligations in this Clause 8 (including internal costs and any third party costs incurred including reasonable legal fees).

9.               COMPANY’S OBLIGATIONS AND INDEMNITY

9.1.           Company shall:

9.1.1.         comply with its obligations under the Data Protection Laws including ensuring that all Company Personal Data is Processed fairly and lawfully and that all necessary disclosures and consents have been obtained from Data Subjects to permit the Processing of their Personal Data by the CareerBuilder Counterparty and its Affiliates to perform the Services and as described in the Agreement (including the right for CareerBuilder to process Company Personal Data in order to create and use Aggregate Data for its own business purposes);

9.1.2.         provide or permit access to the Company Personal Data, instructions and information necessary for the CareerBuilder Counterparty to perform the Services; and

9.1.3.         not use nor permit the use of the Services to Process any Sensitive Information.

9.2.           In addition and without prejudice to the indemnities given by Company in the main body of the Agreement, Company shall at its sole expense, defend, indemnify, and hold harmless the CareerBuilder Counterparty and its Affiliates, successors and assigns (collectively, the "CareerBuilder Indemnified Parties”) from and against any and all damages, losses, costs and expenses (including any reasonable attorney's fees and expenses), which the CareerBuilder Indemnified Parties (a) reasonably incur themselves as a result including staff time in responding or remediating the same at CareerBuilder’s then applicable hourly rates; and (b) pay to third parties in connection with any claim, suit, action, or proceeding brought against a CareerBuilder Indemnified Party, in each case to the extent arising out of any breach by Company of this DPA.

10.            TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA/UK/SWITZERLAND

EU GDPR

10.1.        To the extent that Processing of Company Personal Data by the CareerBuilder Counterparty in the course of providing the Services under the Agreement or any new Order Form involves a Restricted Transfer under the EU GDPR or to a country outside of the European Economic Area or Switzerland, then the Parties shall each comply with their respective obligations as set out in module two of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by European Commission decision of 4 June 2021 and published under document number C/2021/3972 (the “EU C2P Standard Contractual Clauses”) and incorporated herein by reference. Should the EU C2P Standard Contractual Clauses be superseded, the Parties shall amend this DPA to incorporate such updated clauses.

UK GDPR

10.2.        To the extent that Processing of Company Personal Data by the CareerBuilder Counterparty in the course of providing the Services under the Agreement or any new Order Form involves a Restricted Transfer under the UK GDPR, then the Parties shall each comply with their respective obligations as set out in module two of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by European Commission decision of 4 June 2021 and published under document number C/2021/3972, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (the “UK C2P Standard Contractual Clauses”) and incorporated herein by reference. Should the UK C2P Standard Contractual Clauses be superseded, the Parties shall amend this DPA to incorporate such updated clauses.

10.3.        The Parties agree that for the purposes of the EU C2P Standard Contractual Clauses, and as referred to and amended in the UK C2P Standard Contractual Clauses, each as entered into under Clauses 10.1 or 10.2 where relevant:

10.3.1.       the optional clause set out at Clause 7 (‘Docking clause’) shall not apply;

10.3.2.       Clause 9(a) (‘Use of sub-processors’) Option 1 shall apply with a time period of thirty (30) days inserted;

10.3.3.       the optional clause set out at Clause 11(a) (‘Redress’) shall not apply;

10.3.4.       for Clause 13(a) (‘Supervision’) and the Appendix, Annex I(C), the supervisory authority shall be whichever is the competent authority for the relevant Data Subject or the CareerBuilder Counterparty under the Data Protection Laws;

10.3.5.       for Clauses 17 (‘Governing law’) and 18(b) (‘Choice of forum and jurisdiction’) the laws and courts of Ireland shall apply but for the UK C2P Standard Contractual Clauses, it shall be the law and courts of England and Wales;

10.3.6.       for the purposes of the Appendix, Annex I(A), the details of the Parties are set out under the Agreement, with the CareerBuilder Counterparty and its Affiliates, being the "Data Importer" and the Company the “Data Exporter”;

10.3.7.       for the purposes of the Appendix, Annex I(B), the details of the description of transfer are set out in Schedule 1 (Data Processing Details) of this DPA; and

10.3.8.       for the purposes of the Appendix, Annex II, the details of the technical and organisational measures are set out in Schedule 2 (Technical and Organisational Measures) of this DPA.

11.              RESPONSIBILITY FOR COMPLIANCE

11.1.          The Company acknowledges that as Data Controller of the Company Personal Data, the Company is responsible for ensuring compliance with all applicable Data Protection Laws including to ensure that all Company Personal Data is Processed fairly and lawfully and in full compliance with applicable Data Protection Laws and that data subjects are fully informed of the Processing of Personal Data necessary for the performance of the Services and as described in the Agreement (including the right for CareerBuilder to process Company Personal Data in order to create and use Aggregate Data for its own business purposes).

11.2.          Company authorises the CareerBuilder Counterparty (as Data Processor of the Company Personal Data) to display Company’s privacy policy on the applicable Services on behalf of Company (as Data Controller of the Company Personal Data). Company acknowledges that Company is responsible for ensuring that all privacy policies made available through the Services comply fully with Data Protection Laws and accurately describe the Processing of Personal Data contemplated by the Agreement.

11.3.          Neither the CareerBuilder Counterparty nor any of its Affiliates make any representation that entering into this DPA will enable the Company to comply with its obligations under Data Protection Laws. Company understands and accepts that neither the CareerBuilder Counterparty nor any of its Affiliates provides legal advice and that they are not authorised to do so.

 


 

SCHEDULE 1

Data Processing Details

Subject Matter, Nature and Purpose of the transfer and further processing (including in relation to Sub-processors where relevant)

The CareerBuilder Counterparty’s provision of the Services to the Company.

Data relating to the prospective employees, contractors, temporary workers and consultants of the data exporter shall be used for the purposes of:

·         providing the services offered by the data importer;

·         customer relations management; and

·         customer service.

 

Data relating to the present employees, contractors, temporary workers and consultants of the data exporter shall be used for the purposes of:

·         marketing;

·         customer relations management;

·         sales operations, customer service, order processing;

·         certification; and

·         training.

Duration and Deletion Period

The term of the Agreement.

 

Personal Data/Special Category Data

Data relating to the prospective employees, contractors, temporary workers and consultants of the data exporter, consisting of:

·         personal contact details (including name, personal email address, home address, home telephone numbers, emergency contact details);

·         personal details (including date of birth, gender, nationality, marital status, place of birth, national identification number or any other identifier of general application);

·         work contact details (including work email address and work telephone numbers);

·         employment details (including job title, job duties, level/grade, working hours, pay, bonus, allowances, benefit entitlements, work permit details, license to work details);

·         work history (including CVs, previous employers, employee vetting details and reasons for leaving); and

·         education.

Data relating to the present employees, contractors, temporary workers and consultants of the data exporter, consisting of:

·         work contact details (including name and address, work location details, telephone numbers, fax numbers and email addresses);

·         compliance checks required by applicable law and regulations (including “know your client” information and anti-money laundering/counter-terrorist financing checks);

·         customer payment details (including bank account details, payment method, collector details, payment terms and payment history details); and

·         marketing details (including customer relationship database).

Data Subjects

·         Prospective employees, contractors, temporary workers and consultants (including next of kin/relatives of such individuals where relevant) of the Company.

 

·         Present employees, contractors, temporary workers and consultants of the Company.

Frequency of any transfer out of EEA/UK/Switzerland if applicable

Continuous for the term of the Agreement.

Specific Restrictions

The CareerBuilder Counterparty shall not reverse engineer or combine anonymised/pseudonymised data with other data in order to create Personal Data.

Services

(The permitted services that the company will undertake in relation to the CareerBuilder Counterparty Personal Data, and a description of the processing taking place)

The services to be provided by the CareerBuilder Counterparty pursuant to the Agreement.


 

SCHEDULE 2

Technical and Organisational Measures

 

1.     ACCESS CONTROL (PREMISES AND EQUIPMENT)

 

The term "Access" means physical access of persons to buildings and premises in which IT systems are operated and used. This may be data centres in which web servers, application servers, databases, mainframes, storage systems are operated and work rooms in which employees use workplace computers. The premises in which the grid components and grid wiring are located and placed are part of this.

 

1.1 General Requirements

1.1.1 Specification of safety areas

The requirement is met with the following measures:

(a)   The areas are structured into different safety areas.

(b)   The area to be protected has been specified.

(c)   Areas with a particularly high protection requirement have been identified.

 

1.1.2 Implementation of access protection

The requirement is met with the following measures:

(a)   All possible points of access have been secured against unauthorised access.

(b)   There is an access authentication that is binding upon all persons (key, chip card).

(c)   An access control system has been set up.

 

1.1.3 Specification of persons with access authorisation

The requirement is met with the following measures:

(a)   There are roles or group concepts.

(b)   The roles or groups are assigned to specific persons in writing/electronically.

(c)   A person responsible for the role and group concept has been designated.

 

1.1.4 Management and documentation of personal access rights

The requirement is met with the following measures:

(a)   Organisational rules on access rights to the business area.

(b)   Documentation of the awarding of ID cards.

(c)   Documentation of the awarding of keys.

(d)   Defined procedure for loss of ID card and/or key.

(e)   An IT Policy/Charter has been drafted and incorporated in the staff handbook applicable to all staff.

 

1.1.5 Accompanying visitors and external staff

The requirement is met with the following measures:

(a)   There are policies in place.

(b)   Visitor monitoring (accompanying, visitor's badge, logging).

(c)   Rules for maintenance staff (accompanying, temporary registration, verification of identity).

 

1.1.6 Logging access

The requirement is met using electronic access control systems.

 

2.     ACCESS CONTROL (USE OF SYSTEM)

In contrast to access control (premises/equipment), the objective of access control (use of system) is to prevent IT systems which save, process or use personal data from being accessed or used by unauthorised persons.

 

2.1 General Requirements

 

2.1.1 Access protection (authentication)

The requirement is met with the following measures:

(a)   Access protection of all data processing systems by user authentication.

(b)   There are password conventions.

 

2.1.2      Strong authentication at maximum protection level

The requirement is met with the following measures:

(a)   Use of mechanisms that require possession and knowledge for authentication (e.g. chip card and PIN).

(b)   Indirect log-on (e.g. Kerberos).

 

2.1.3      Simple authentication (user name/password) at high protection level

The requirement is met with the following measures:

(a)   There are specifications for the password length for data importer’s customers and end users (at least 8 characters).

(b)   There are specifications for the password complexity (capitalisation, number-character mix).

(c)   Company staff are required to change passwords every 90 days.

 

2.1.4      Secured transmission of authentication secrets (credentials) in the network

 

The requirement is met with the following measure: the authentication information is only transmitted through the network once encrypted.

 

2.1.5      Lock out for unsuccessful attempts/inactivity and process to reset locked access IDs

The requirement is met with the following measures:

(a)   Company staff access is blocked following multiple incorrect attempts. End-user and customer access is temporarily suspended following multiple incorrect attempts.

(b)   For Company staff there is a safe procedure to reset (e.g. re-assignment of a user ID).

(c)   For customers and end users: After long phases of inactivity (120 minutes), the user access is suspended.
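Added example (not CareerBuilder's code) showing how the password rules of 2.1.3 and the lock-out and inactivity rules of 2.1.5 could be enforced with the values stated there. The five-attempt threshold and the 15-minute suspension are assumptions, since the DPA says only "multiple" and "temporarily".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 8                              # 2.1.3(a)
MAX_PASSWORD_AGE = timedelta(days=90)       # 2.1.3(c), Company staff only
MAX_FAILED_ATTEMPTS = 5                     # assumption: the DPA only says "multiple"
SUSPENSION = timedelta(minutes=15)          # assumption: length of the temporary suspension
INACTIVITY_LIMIT = timedelta(minutes=120)   # 2.1.5(c), customers and end users

def password_meets_policy(password: str) -> bool:
    """2.1.3(a)-(b): at least 8 characters mixing upper case, lower case and digits."""
    return (len(password) >= MIN_LENGTH and any(c.isupper() for c in password)
            and any(c.islower() for c in password) and any(c.isdigit() for c in password))

@dataclass
class Account:
    user_id: str
    is_staff: bool
    password_set_at: datetime
    last_activity: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None  # datetime.max means blocked until reset

def record_login_attempt(acct: Account, success: bool, now: datetime) -> str:
    """Returns 'ok', 'denied', 'locked' or 'password_expired' for one attempt."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not success:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # 2.1.5(a): staff are blocked until reset, others only temporarily suspended
            acct.locked_until = datetime.max if acct.is_staff else now + SUSPENSION
            return "locked"
        return "denied"
    acct.failed_attempts, acct.locked_until, acct.last_activity = 0, None, now
    if acct.is_staff and now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "password_expired"           # 2.1.3(c): 90-day rotation for staff
    return "ok"

def reset_access(acct: Account) -> None:
    """2.1.5(b): the administrative reset that unblocks a staff account."""
    acct.failed_attempts, acct.locked_until = 0, None

def session_is_active(acct: Account, now: datetime) -> bool:
    """2.1.5(c): customer/end-user sessions are suspended after 120 minutes idle."""
    return acct.is_staff or now - acct.last_activity <= INACTIVITY_LIMIT
```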

2.1.6      Specification of authorised persons

The requirement is met with the following measures:

(a)   There is a role concept (pre-defined user profiles).

(b)   Access rights are always assigned individually (in relation to specific persons).

(c)   The circle of authorised persons has been reduced to the operationally necessary minimum.

(d)   There are no reusable access IDs (e.g. intern#1, consultant#2).

 

2.1.7      Management and documentation of personal authentication media and access rights

The requirement is met with the following measures:

(a)   A process to apply for, approve, assign and take back authentication media and access rights has been set up, described and is being applied.

(b)   A responsible person has been designated for awarding access rights.

 

2.1.8      Logging access

The requirement is met with the following measures:

(a)   All successful and unsuccessful network access attempts are logged (ID used, computer, IP-address) and stored for auditing purposes for at least 6 months.

(b)   Regular random-sample evaluations on network logs must be performed for abuse recognition.

 

2.2 Measures at the user's workplace

 

2.2.1 Automatic access lock

The requirement is met with the following measure: after more than 15 minutes' inactivity of the workstation or terminal, a password-protected screensaver is activated automatically by the operating system.

 

2.2.2 Manual access lock

The requirement is met with the following measures:

(a)   There is a policy for workstations and terminals to be protected against unauthorised use when leaving the workplace temporarily (e.g. by manual activation of the password-protected screensaver).

(b)   Company employees have been trained regarding the necessity to implement measure (a).

 

3. ACCESS CONTROL (SPECIFIC DATA)

The requirements for access control (specific data) shall ensure that only authorised persons have access to the data for which they have access rights and that these data cannot be manipulated or read by unauthorised persons.

 

3.1 General Requirements

 

3.1.1 Generation of an authorisation concept

The requirement is met with the following measures:

(a)   There are rules and procedures to set up, change and delete authorisation profiles or user roles.

(b)   The areas of responsibility are set out.

 

3.1.2 Implementation of access limitations

The requirement is met with the following measures:

(a)   Every person with access rights can access only the data that he/she specifically needs to carry out the current processing task under the engagement, as set up in the individual authorisation profile.

(b)   Where data inventories of several controllers are saved in one database or processed with one data processing system, a logical access limitation is implemented that restricts each access solely to the data processed for the respective controller (multi-tenancy).

 

3.1.3 Awarding of minimum authorisations

The requirement is met with the following measure: the scope of authorisations must be limited to the minimum required for meeting the respective task or function (in scope and in time).

 

3.1.4 Management and documentation of personal access rights

The requirement is met with the following measures:

(a)   A process to apply for, approve, assign and take back access rights, and how they are reviewed, has been implemented.

(b)   Authorisations are linked to a personal user ID and an account.

 

4. TRANSMISSION CONTROL

The requirements to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport or storage on data carriers, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (transmission control).

 

4.1 Transport through networks

 

4.1.1 Safe data transmission between the server and client

The requirement is met with the following measure: if Wi-Fi networks are set up within the Company network, the WPA protocol or better with AES/CCMP encryption mode is used. Guest Wi-Fi networks are entirely separate from the Company's network and systems.

 

4.2 Logical access to systems

 

4.2.1 Risk minimisation by network separation

The requirement is met with the following measures:

(a)   Network segmentation is performed so that data transfer takes place via the minimum number of network elements.

(b)   The relevant system is in a DMZ.

 

4.2.2 Safety gateways at the network handover points

The requirement is met with the following measures:

(a)   There are network/hardware firewalls.

(b)   There are personal/desktop firewalls.

(c)   The firewalls are always active.

(d)   The firewalls cannot be deactivated by the user.

 

4.2.3 Protecting systems

The requirement is met with the following measure: all critical security patches are implemented within 30 days of release.

 

4.3 Safe sending of data

 

4.3.1 Shipping provisions

If data is shipped the requirement is met with the following measures:

(a)   There are packaging and shipping provisions for the transport of personal data by data carriers.

(b)   For personal data, encryption of the personal data before transmission is mandatory.

(c)   The transport company must be authorised before shipping.

 

4.4 Safe deletion, disposal and destruction

 

4.4.1 Process for collection and disposal

The requirement is met with the following measure: there are rules for destruction of documents in a manner which ensures data privacy.

 

4.4.2 Deletion/destruction procedure for data privacy

The requirement is met with the following measures:

(a)   Laptops are cleared of any personal data before reuse by other users to make recovery impossible or only possible with disproportional effort.

(b)   Hardware components or documents are cleared of personal data to make recovery impossible or only possible with disproportional effort.

 

5. INPUT CONTROL

Requirements to ensure that it is possible to check and establish whether and by whom personal data have been inputted into data processing systems, modified or removed (input control).

 

5.1 General Requirements

 

5.1.1  Documentation of the input rights

The requirement is met with the following measure: there is documentation of which persons are authorised and responsible due to their tasks to make inputs into the data processing system.

 

6. JOB CONTROL

Requirements to ensure that in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the controller (job control).

 

The requirement is met with the following measure: job control is implemented in the data processing agreement as well as by the organisation control in section 9 of attachment 2.

 

7. AVAILABILITY CONTROL

Requirements to ensure that personal data are protected from accidental destruction or loss (availability control).

 

7.1 Backup concept

 

7.1.1 Backup concept

The requirement is met with the following measures:

(a)   There is a backup concept.

(b)   There are regular backups.

(c)   A person responsible for the backup and a representative are designated.

 

7.2 Disaster Recovery

 

7.2.1 Emergency plan

The requirement is met with the following measure: there is an emergency plan in which the steps to be initiated are listed and it is specified which persons are to be informed of the incident. Controller has indicated the relevant contacts in the Data Processing Agreement.

 

7.2.2 Storing the backup

The requirement is met with the following measure: data backups are stored in industry standard safety cabinets.

 

8. REVIEW OF PURPOSE

Requirements to ensure that data collected for different purposes can be processed separately.

 

8.1 General Requirements

 

8.1.1 Separate processing

The requirement is met with the following measure: there are technical and organisational rules and measures to ensure separate processing (storage, modification, deletion and transfer, etc.) and/or storage of data and/or data carriers with different contractual purposes.

 

9. ORGANISATION CONTROL

 

9.1 Training/obligation

The requirement is met with the following measures:

(a)   Principles of data privacy, including the technical and organisational measures.

(b)   Obligation to secrecy regarding operating and business secrets, including the controller's processes.

(c)   Proper and careful handling of data, files, data carriers and other documents.

(d)   Where required, special further confidentiality obligations.

(e)   The training has been documented.

(f)    The training is regularly repeated, at least every three years. Shorter intervals apply if required by applicable laws in specific territories.

 

9.2 Training/obligation of external persons

The requirement is met with the following measures:

(a)   There are rules on the access to data processing facilities for external persons, e.g. guests, suppliers, etc.

(b)   These rules provide at least that external persons are only given access to data processing systems once they have been committed to data secrecy and, if applicable, telecommunication secrecy or other confidentiality obligations and have been trained, before they may put any data processing systems into operation and use them.

 

9.3 Representative rule

The requirement is met with the following measures:

(a)   A representative has been specified for all operationally necessary functions.

(b)   The representative must only receive the required access and admission rights in the event they are acting as representative.

 

10. ADDITIONAL TECHNICAL AND ORGANISATIONAL SECURITY MEASURES FOR TRANSFERS FROM FRANCE

 

10.1 Managing maintenance activities

The requirement is met with the following measure: for remote assistance on client workstations, the remote administration tool must be configured to obtain user’s consent before any intervention on his/her workstation. User must be able to see that remote assistance is in progress.

 

10.2 Manage sub-processing

The requirement is met with the following measures:

(a)   Draft a specific clause to be included in agreements with data processors/sub-contractors (see sample clause page 22-23 Security of Personal Data Guidelines).

(b)   Provide for conditions of destruction of data on the agreement’s expiry and termination.

 

10.3 Software development

The requirement is met with the following measure: carry out data processing development in a data processing environment separate from that of production (for example, on different computers, in different data centres).

 

10.4 Encryption

The requirement is met with the following measures:

 

a.     Regarding symmetric encryption:

(i)            Use state of the art algorithms (AES, triple DES).

(ii)           Key lengths of at least 128 or 256 bits.

b.    Regarding asymmetric encryption:

(i)            Use state of the art algorithms (RSA, ECC).

(ii)           Key lengths are advised to follow the recommendations of appendix B1 of the French General Security Reference Framework http://www.ssi.gouv.fr/uploads/2014/11/RGS_v-2-0_B1.pdf (French only), i.e. 2048-bit key lengths.

 

 

SCHEDULE 3

 

Sub-processor List

 

CareerBuilder Counterparty has authorised the use of the following sub-processors: http://www.cbriskandcompliance.com/. The Company must register an account to access the Sub-processor List.

 

 

© 2022 CB Legal

December 21, 2022 version