Data Privacy information.

Qualifyze Data Protection Declaration

Last modified September 1st, 2025.

Purpose

The Purpose of this Data Protection Policy is to outline the commitment of Qualifyze GmbH and Qualifyze Spain, S.L.U. (hereinafter “Qualifyze”) to protecting the privacy, security and confidentiality of personal data in compliance with the General Data Protection Regulation (GDPR) and the relevant data protection laws. This Policy establishes the principles, procedures and responsibilities for the processing of personal data within Qualifyze.

Personal data shall be understood as any information that relates to an identified or identifiable living individual. The protection of natural persons in relation to the processing of personal data is a fundamental right that Qualifyze aims to not only respect but also protect. Qualifyze undertakes to implement the necessary technical and organisational measures to protect personal data against any threat that could potentially affect the confidentiality, integrity, availability, and resilience, regardless of the means and the format in which the data is used.

Scope of Application

This Data Protection Policy applies to all employees, contractors and third parties who process personal data on behalf of Qualifyze. It covers all data collected, processed, or stored by Qualifyze, regardless of the format or medium in which it is stored.

General Principles on Data Protection

Lawfulness and Fairness

The processing of personal data shall be lawful, fair and transparent. Qualifyze shall collect the personal data for one or more specific and legitimate purposes in accordance with the applicable data protection law. When mandatory under such regulation, the express consent of the data subjects must be obtained. Data privacy policies shall be drafted in clear and plain language and accessible to the data subjects.

In particular, Qualifyze shall not collect or process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, unless the collection and processing of such data is necessary, legitimate and required or permitted by the applicable laws, in which case the data shall be collected and processed in accordance with the provisions of the applicable laws.

Purpose Limitation

Qualifyze shall collect the data for specified, explicit and legitimate purposes and shall not process the personal data in any different matter.

Data Minimization:

The processing of personal data shall be adequate, relevant and limited to the necessary data for the purposes of which it is processed.

Accuracy

Personal data shall be accurate and up to date, otherwise Qualifyze shall delete or correct them.

Storage Limitation

Personal data shall not be stored longer than necessary for the purposes for which it is processed.

Integrity and Confidentiality

When processing personal data, Qualifyze shall ensure adequate organisational and security measures. These measures shall guarantee a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, and context and purposes of the processing. Additionally, they shall address the varying likelihood and severity of risks that may result from personal data processing, potentially leading to damage to the rights and freedoms of natural persons.may result from personal data processing which could lead to damage.

Transparency and Information

The processing of personal data shall be transparent to the data subjects, Qualifyze shall provide them with the information about the processing of personal data drafted in a clear, plain and accessible language. Qualifyze shall inform the data subjects, at least, about:

The identity of the Controller of the personal data.
The purpose of the processing.
The legal basis for the processing.
Automated decisions including profiling, if any.
The third parties to whom the data may be transferred.
The data storage period.

Limit to the Acquisition of Personal Data

Qualifyze shall not obtain personal data from illegitimate sources or sources that do not guarantee the legitimate origin of the personal data and/or that cannot be proven to have been obtained in compliance with the applicable data protection laws.

Contracting Processors

Prior to signing any agreement with any service provider that accesses personal data for which Qualifyze is the data controller, during the contractual relationship and onwards, Qualifyze shall ensure that the service provider complies with the applicable data protection laws and has the appropriate technical and organizational security measures.

The User of the Website or the platform grants Qualifyze a general written authorization to engage subprocessors for the provision of the services. A current list of authorized subprocessors is maintained and made available at the web and app privacy policy, section 4, data sharing.

Qualifyze will update this list in the event of any intended changes concerning the addition or replacement of subprocessors. Such updates will be published in the same location. The User may object to the changes within 14 calendar days from the date of publication by submitting a written objection on reasonable grounds related to data protection.

Continued use of the services after this period without express objection shall be deemed as tacit acceptance of the new subprocessors.

International Transfers

Personal data shall not be transferred to countries outside the European Economic Area (EEA) without adequate safeguards in place to protect the data in accordance with the applicable data protection regulations.

Data Subject Rights

Qualifyze shall guarantee the rights of the data subjects, in particular:

The right to access: Qualifyze shall allow data subjects to obtain confirmation as to whether or not their personal data is being processed.
Right to rectification: to request correction of inaccurate or incomplete personal data.
Right to erasure: to delete or remove data subject’s personal data in accordance with the data protection regulations.
Right to restriction of processing: to limit the processing of data subject’s personal data as required.
Right to data portability: to allow data subjects to receive their personal data in a structured and readable manner.
Right to object to the processing of their personal data.
Right in relation to automated individual decision-making.

Training of Employees

Employees shall receive regular training and awareness programs to ensure they understand their responsibilities regarding data protection and privacy.

Control and Evaluation

The legal team shall monitor compliance with this Data Protection Policy, at least, once a year and inform the Qualifyze management of the outcome of such monitoring. To verify compliance with this Data Protection Policy, external or internal periodical audits shall be conducted.

This Data Protection Policy shall be reviewed, at least, annually in accordance with the monitoring and the obtained outcomes, and extraordinarily when changes in internal processes or applicable legislations make it necessary.

Implementation

Qualifyze’s management together with the legal team, shall develop the internal policies and procedures as necessary to comply with the applicable data protection regulations, and shall keep them up to date. Such policies shall be implemented by Qualifyze’s management and shall be mandatory for all the employees and third parties contracting with Qualifyze.

The tech team, in collaboration with the legal team, shall prepare and keep up to date the necessary security and data privacy policies to ensure the protection and integrity of the personal data. Qualifyze shall create an Information Security Committee with the purpose of establishing the norms related to information security within the entity and work to ensure these security measures conform to the standards established in ISO 27001.

This Data Protection Policy shall be communicated to the relevant parties and shall be available upon request. Adherence to this Data Protection Policy is an obligation of both, employees, contractors and third parties who process personal data on behalf of Qualifyze and Qualifyze as a company.

Each Qualifyze team, employee, contractor or third parties that process personal data on behalf of Qualifyze must ensure that it is handled and processed in line with this Data Protection Policy and principles defined therein.

Failure to comply with this Data Protection Policy from an employee will imply a material breach subject to legal and/or disciplinary procedures, aligned with the collective labour agreement in force.

Furthermore, any breach of this Data Protection Policy or any data protection regulations committed by the contractors and third parties will be considered a material breach of the contractual relationship.

This Data Protection Policy is approved as of May 6th, 2024.

Annex 1

Data Protection basic terms and concepts:

Unless otherwise defined in this Data Protection Policy, capitalised terms and expressions used shall have the same meaning as in the GDPR and their cognate terms shall be construed accordingly. Here you can find a definition of the basic terms:

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Sensitive personal data:

Data Subject: is the individual the personal data relates to.

Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Website and app privacy policy

Last modified: October 16th, 2025

We are pleased about your visit on our website www.qualifyze.com and app.qualifyze.com. Protecting your personal data is important to us and we want you to feel safe when visiting our website. For this reason, we have compiled here some important information about the personal data that is collected, processed and used when using our website in compliance with data protection regulations (“Privacy Policy”).

Personal data are individual details about personal or factual conditions of a specific or identifiable natural person. This includes information such as your real name, your address, your e-mail address, your telephone number and your date of birth. No personal data are on the contrary such information that cannot be associated with your real identity; this includes, for example, the number of users of our website or comparable summarized information.

1. SCOPE

This privacy policy applies to the website www.qualifyze.com and all related websites, applications, services, and tools referring to this Privacy Policy, regardless of the type of access and including access via mobile devices.

In the event of changes to this Privacy Policy, we will post the amended Privacy Policy and the effective date of the amended Privacy Policy on this website. We therefore recommend reading the Data Privacy Policy at regular intervals. Changes that require your consent will only be made by requesting it to you.

2. DATA CONTROLLER OF THE PERSONAL DATA

If you have a Subscription Agreement in place with Qualifyze, the Data Controller will be the company you have signed the Subscription Agreement with. If you do not have an active Subscription Agreement with us and you access our services from the United States, the Data Controller will be Qualifyze Inc., if you access from anywhere else in the world, the Data Controller will be Qualifyze GmbH.

Details of the data controllers:

Qualifyze GmbH, Bockenheimer Anlage, 46, 60322 Frankfurt am Main, Germany. DPO: dataprivacy@qualifyze.com

Qualifyze Inc., a Delaware corporation with an address at 525 Washington Blvd, Jersey City, NJ 7310, New Jersey. Data Privacy contact details: dataprivacy@qualifyze.com

3. CATEGORIES OF DATA

If you have registered with us, you have chosen to provide us with your personal data and not to remain anonymous to us.

We collect the following types of personal data to enable you to use and access our website, applications, services and tools, to provide you with a more personal and better user experience and to customize content. If you do not allow Qualifyze to collect this personal data, you must stop using the website or platform: For more information see section “Automatically collected data” below:

Automatically collected data

Upon accessing our website, we temporarily log information about the type and duration of use (general usage data, e.g. IP address, the connection data of the requesting computer, the websites you visit on our site, the date and duration of your visit, the identification data of the browser and operating system type used and the website from which you visit us if you have provided your consent), which is transmitted to us from your computer, mobile device or other technical device. This is to provide you with a more personal and better user experience and to customize content.

Cookies, Web Beacons and Similar Technologies

We also use data collected through cookies, web beacons and other similar technologies. More detailed information on how we use these technologies and how you can prevent their use can be found in our Cookie Policy.

Data provided by you or your company

Additional personal data is not collected unless you provide this information voluntarily, e.g. as part of registration, application, a survey or for implementation an information request, contacting our sales team or by creating a user in the platform as part of a subscription agreement.

These may include:

Information you provide when setting up a user account or registering for our services, such as your name, company address, e-mail address, telephone number, and professional title.
Data that you transmit to us via social media, websites or services;
Data transmitted through community discussions, chats, problem resolution and correspondence/feedback on the website or by e-mail/fax/post;
Other personal data which we ask you to provide and which we require for your authentication or for verification in the event of suspected violation of our terms of use (e.g., if permitted by law, a copy of your ID or a copy of invoice to verify your address or your identity).
Other contact details as necessary for the performance of the services, including names and email addresses of contact persons; names and email addresses of participants in Qualifyze’s meetings, the meeting subject and description and the input and output of the meeting while Qualifyze’s employees are in the meeting.
Your voice and any other personal data you provide in calls or meetings that must be recorded under this privacy policy.

Collection of information from social media and sign-on services

We offer sign-on services that allow you to access our website, applications, services and tools using credentials from other services (such as Microsoft or Google). We also offer services that allow you to share information with other social media sites such as Meta, Google, X and others.

You are free to give us access to certain Personal Data stored on such third-party websites. Which personal data we can access depends on the respective website and is controlled by your data protection settings on this website and your consent. By linking an account managed by a third party to your user account set up with us and authorizing access to this information, you agree that we may collect, use and store information from this website in accordance with this Privacy Policy.

Regulatory compliance verification

In order to verify compliance with our legal and contractual obligations, Qualifyze may carry out a preliminary review (compliance screening) that will include consulting public information relating to the client company, its representatives or related persons, including data related to administrative sanctions or records available in official registers. Under no circumstances will automated decisions or decisions based exclusively on data relating to criminal convictions or offences be taken without the corresponding specific legal basis in accordance with article 10 of GDPR.

4. PROCESSING AND USE OF PERSONAL DATA: PURPOSES

Main purposes:The processing and use takes place in particular for the following main purposes and with the following legal bases:

Provide you with access to our website, applications, services and tools as well as the desired customer service by e-mail or telephone. Depending on the case, the legal basis for this purpose will be your consent (art. 6.1.a) GPDR), our legitimate interest (art. 6.1.f) GDPR) or the performance of the contract (art. 6.1.b) GDPR). The legitimate interest will consist of maintaining commercial relations with the user and providing a proper service.
Prevent, detect and investigate fraud, security breaches and prohibited or illegal activities and enforce our Terms and Conditions. Depending on the case, the legal basis for this purpose will be our legitimate interest (art. 6.1.f) GDPR) or the fulfilment of legal obligations (art. 6.1.c) GDPR). The legitimate interest will consist of maintaining the security of communications and information for the benefit of Qualifyze and its users.
Adapt, measure and improve our services and content. Depending on the case, the legal basis for this purpose will be our legitimate interest (art. 6.1.f) GDPR) or your consent (art. 6.1.a) GDPR). Legitimate interest will consist of improving our services to ensure a good relationship with the client and the smooth running of the business.
Contact you by telephone or e-mail to resolve disputes, enforce fee claims, resolve problems with your user account or our website, our services, applications or tools or for any other legally permitted purposes. Depending on the case, the legal basis for this purpose will be our legitimate interest (art. 6.1.f) GDPR) or the performance of the contract (art. 6.1.b) GDPR). The legitimate interest will consist of maintaining a correct relationship with users and minimizing conflicts that may have legal or security consequences.
Contact you by telephone or e-mail and to inform you about our services and the services of our group of companies, targeted marketing activities, service updates and advertising offers if you have given your express consent and/or if the statutory requirements are given. The legal basis for this purpose will be your consent (art. 6.1.a) GPDR or our legitimate interest (art.6.1.f) GDPR) Legitimate interest will consist on Qualifyze maintaining a relationship with the data subject and informing of services similar to those contracted between the parties.
Provide you with other services that you have expressly requested in accordance with the description provided when collecting the data. The legal basis for this purpose will be the performance of the contract (art. 6.1.b) GDPR).
Regulatory compliance verification processing is based on the legitimate interest of Qualifyze in preventing legal and reputational risks before establishing a contractual relationship, in accordance with art. 6.1.f) of GDPR and, where applicable, art. 31 of the Swiss Federal Data Protection Act (FADP).
Qualifyze uses notetaker tools to collect meeting data, for documentation and quality purposes: recording of the meetings are used to document proceedings, decisions and discussions for archival, documentation and quality purposes. And internal communication: recordings may be shared internally within the organisation for review training, or other legitimate business purposes. The legal basis is Qualifyze’s legitimate interest for quality and documentation purposes, as well as for the performance of the contract. Qualifyze’s informs the attendees about the notetaking, providing a link to the applicable policy and giving them the option to oppose the processing and delete the meeting data.

The processing may involve authorized subprocessors listed in the applicable policy.

Other Uses of Personal Data: Marketing Purposes

If you have given Qualifyze the consent to use your personal data for Marketing purposes, or if there are legitimate interest grounds, your data may be used for the following specific purposes:

inform you about websites, applications, services and tools that we offer;
to inform you about targeted marketing campaigns and advertising offers;
to personalize, evaluate and improve our advertisements.

We assure you that we will not pass on your personal data to third parties for their marketing purposes without your express consent.

Objection against the use of your personal data for marketing purposes

If you do not wish to receive marketing and advertising messages from us, you can indicate this in direct contact with us (e.g. by e mail to dataprivacy@qualifyze.com or unsubscribe via the registration link in the marketing or advertising message).

5. DATA SHARING:

Data can be transmitted to the following recipient groups:

Authorized subprocessors who support us in the provision of services our business operations (in particular fraud prevention, compliance checks, analytics, communications and infrastructure support, as listed in the applicable subprocessor section of our Privacy Policy. The User is informed that the use of such subprocessors is subject to a general written authorization, in accordance with art. 28 GDPR.
Third-party providers of websites, applications and tools by which we work in accordance with our General Terms and Conditions to publish or promote your advertisement and their content on their website or in their applications and tools. If we also transfer personal data to such third party providers with the content of your advertisements, this happens exclusively on the basis of a written contract which limits the use of the personal data by the third party provider and obliges them to take security measures with regard to this data. In particular, third parties are not permitted to sell, rent or in any other way pass on to third parties the personal data contained in your advertisements.
Qualifyze uses Datadog Inc., which allows servers, databases, tools and services to be monitored using a software-as-a-service-based data analysis platform. Qualifyze guarantees that the data is located in Europe, if a transfer is needed, it’s GDPR-compliant, as the United States has an adequacy decision by the European Commission and the company is included in the Data Privacy Framework List.
Qualifyze uses Amplitude to analyze user behavior within our website, products and services. Qualifyze guarantees that the data is located in Europe, if a transfer is needed, such transfer is GDPR-compliant, as the United States has an adequacy decision by the European Commission and the company is included in the Data Privacy Framework List.
Qualifyze uses Amplitude to analyze user behavior within our website, products and services. Qualifyze guarantees that such transfer is GDPR-compliant, as the United States has an adequacy decision by the European Commission and the company is included in the Data Privacy Framework List.
Qualifyze uses Hotjar to better understand our users’ needs and to optimize this service and experience.
Qualifyze uses MailChimp for email marketing, a company established in the United States. Qualifyze guarantees that such transfer is based on the Standard Contractual Clauses approved by the European Commission.
Qualifyze uses Chili Piper Inc., a company established in the United States, to qualify, route and schedule meetings from any inbound or outbound channel. Qualifyze guarantees that such transfer is based on the Standard Contractual Clauses approved by the European Commission.
Qualifyze uses Heap to help us better understand user interacctions with our website, Qualifyze hereby confirms the company is included in the Data Privacy Framework List.
Other third parties to whom we send your data exclusively at your express request, or where you have been specifically informed and provided your explicit consent, in accordance with the applicable data protection law. These Parties are not considered subprocessors but independent controllers of third-party recipients.
Criminal prosecution or supervisory authorities or authorized third parties on the basis of a request for information in connection with an investigation procedure or the suspicion of a criminal offence, an illegal act or other actions which may give rise to legal liability for us, you or another user. In such cases, we will disclose the information requested. In order to protect your privacy, we will not disclose your personal data to law enforcement authorities, regulatory authorities or other third parties without a subpoena, court order or comparable legal proceedings, unless we are not convinced that disclosure is necessary to avert imminent danger to life and limb, property or financial assets, to report suspicions of unlawful actions or to otherwise protect our users from unlawful actions.
Qualifyze’s Affiliates for administrative purposes only.

Standard Information in Advertisements

On our website, the location information of registered trade dealers and buyers is transmitted to external service providers that may be located outside the European Economic Area (EEA) for the purpose of displaying maps with location information in advertisements.

Third country transfers:

Personal data will be processed within the European Union. In the event that the contracting of any service provider involves the transfer of data outside the European Union, such transfer will take place in accordance with the GDPR. In particular, the data could be processed by companies in the United States. In this case, the processing is based on the European Commission’s adequacy decision, given that the companies importing the data are adhered to the EU-US Data Privacy Framework. Failing this, the exporter and importer of the data will have subscribed to the standard clauses of the European Commission. When an international data transfer is based on standard clauses of the European Commission, the user will have the right to request a copy of them.

6. USE OF SOCIAL MEDIA PLUGINS

Plugins of the social networks of META (“Facebook”; overview of Facebook plugins), X, USA (“Twitter”) can be integrated on our website via “Tweet-Button“ or “Follow-Button“ and Google Inc., USA (“Google+“ ) (for more information click on the link of the respective network). When you visit our website, which contains such a plugin, the plugin establishes a direct connection between your browser and the server of the respective social network. The social network provider receives the information that you have visited our site with your IP address. If you click the plugin while logged into your account, you can link the content of our website to your social networking profile. This allows the social network to associate the visit to our site with your account. We, as the provider of the pages, are not aware of the content of the transmitted data or its use by the provider of the social network. For more information, see the social networks’ privacy policy, which you can access here for the social networks Facebook, Twitter and Google+.

Please note that you must be logged out of your social network account if you visit our site and do not want your social network or social networks to associate your visit to our site with your account.

7. DATA SECURITY

Qualifyze takes all necessary technical and organizational security measures to protect your personal data from loss, unauthorized access or other misuse. Your data is stored in a secure operating environment that is not accessible to the public.

We protect your data through technical and organizational security measures to minimize risks in connection with loss, misuse, unauthorized access and unauthorized disclosure and modification of this data. For example, we use firewalls and data encryption, but also physical access restrictions for our data centres and authorization controls for data access. You can find more information in the Information Security Policy. However, if you believe that your account has been misused, please report this to us at security@qualifyze.com

8. DATA PROTECTION RIGHTS

You have the right of access to your data, the right of rectification of your data, erasure, restriction of the processing, object to the processing and right to portability, as well as the right to withdraw consent at any time, without it affecting the lawfulness of the processing based on consent before its withdrawal. You can reach us by the e-mail dataprivacy@qualifyze.com for this purpose at the contact details given at the end of this Data Privacy Policy.

We will process your request within a reasonable time and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Qualifyze shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

Subject to the requirements of Art. 77 GDPR, data subjects have the right to file a complaint with a competent supervisory authority. As a rule, the data subjects may contact the supervisory authority of his or her habitual residence or place of work or place of the alleged infringement or the registered office of Qualifyze. The supervisory authority responsible for Qualifyze GmbH is the Hessian Commissioner for Data Protection and Freedom of Information. A list of all German supervisory authorities and their contact details can be found here.

9. STORAGE OF PERSONAL DATA

The data will be stored for the time necessary to fulfill the purpose of the processing and in accordance with the principle of limitation of the conservation period. If you have a contract with us, Qualifyze will retain the company data for 10 years after the termination of the contractual relationship. The data is retained for the legally established period during which legal actions can be exercised. The details of the users of the platform will be deleted (i) when the user formally requests so or (ii) when the Client that has a contract with Qualifyze requests to remove the user from the Client account, in accordance with the specifics of the contract between the Parties. Once the data is no longer necessary, it will no longer be processed for the initial purposes and will be stored with restricted access, only available to the competent authorities in the event of a complaint or legal action.

Data Privacy for Job Applicants

Last modified March 19th, 2025.

Information on personal data processing in accordance GDPR for job applicants

This policy refers to the processing of job applicants’ or Auditors (“Applicants”) personal data by Qualifyze Spain, S.L.U. (“Qualifyze”). Protecting Applicants’ personal data is important to Qualifyze, for this reason, this policy compiles all the relevant information about the processing of Applicants’ personal data during the application process with Qualifyze.

Data Controller:
Qualifyze Spain, S.L.U.
Passeig de Gràcia, 19, planta 5

08007, Barcelona, Spain.

Contact details for data protection:
Email: dataprivacy@qualifyze.com

General data processing information

Collected data: only personal data shared with Qualifyze are being collected, when applying for a job offer. Apart from that, no personal data are collected. Any processing of Applicants’ personal data that goes beyond this scope is only possible with their express consent.

Data categories: Qualifyze collects and processes some or all of the following type of personal data Applicants provide during the application process, which are not limited to but include:

Information provided when applying for a role. This includes information provided through an online job site, via email, in person at interviews and/or by any other method.
In particular, Qualifyze processes personal details such as name, email address, gender, address, telephone number, date of birth, qualifications, experience, information relating to employment history, and skills provided by the Applicants.
Applicants’ details, CV and interview evaluation outcomes will be shared among current team members.
Evaluation outcomes are usually shared with the respective recruiter, contracted by Qualifyze, who referred the candidate.
When job interviews are recorded, Qualifyze can process the image and voice of the Applicants.

Qualifyze does not process special categories of data.

Processing purpose: To add Applicants’ resume to Qualifyze’s job application process, to evaluate Applicants; send email notifications regarding the current application status and future job offers (only with Applicants’ prior consent) and manage Applicants’ application process.

Legal basis: Adoption of pre-contractual measures (art. 6.1.b) GDPR). However, consent (art. 6.1.a) GDPR) is the legal basis for collecting recommendations from previous employers and image and voice processing.

Categories of recipients: Qualifyze may share Applicants’ data with the following recipients:

Qualifyze’s affiliate (Qualifyze GmbH) for a better administrative management of the companies that comprise Qualifyze. Both entities have signed the appropriate contracts to regulate the communication of data between them.
External service providers or other contractors. These providers offer services such as document management, e-mail and other Office applications, information hosting, recruitment, online interview recording or legal advice. Qualifyze has signed the appropriate data processing agreements with those providers when necessary..
Public authorities and agencies in case of legal obligation.

Third country transfers: Personal data will be processed within the European Union. In the event that the contracting of any service provider involves the transfer of data outside the European Union, such transfer will take place in accordance with the GDPR. In particular, the personal data could be processed by companies in the United States. In this case, the processing is based on the European Commission’s adequacy decision, given that the companies importing the data are adhered to the EU-US Data Privacy Framework. Failing this, the exporter and importer of the data will have subscribed to the standard clauses of the European Commission. When an international data transfer is based on standard clauses of the European Commission, the user will have the right to request a copy of them.

Duration of data storage: Application data will generally be deleted within one year, at the latest, after the application date, unless consent has been given to store the data for a longer period of time in an applicant pool or another legal basis.

Automated decision-making

Qualifyze may use automated decision-making processes during the job application process in order to ensure efficiency and consistency in the evaluation of job applications. These processes analyse exclusively the information provided by Applicants under the application form and it does not review nor analyse Applicants’ resume or other documents provided therein. Decisions made through automated processes are always based on objective responses provided by Applicants to ensure there is no bias in the evaluation process. Specifically, Qualifyze’s system automatically evaluates responses to two questions: 1. Do you have a valid permit to work in Spain and/or German; 2. Do you speak English? If an applicant answers “No” to either of these questions, they may be automatically disregarded from the consideration. However, every automated decision is reviewed by a human before being finalized to ensure accuracy and fairness. Qualifyze is committed to fair and equitable treatment of all Applicants. For additional information about how automated decision-making is used or to request human intervention in the decision-making process, please contact us at dataprivacy@qualifyze.com

Qualifyze guarantees that reaching a decision is not solely up to the automated tool, but there is also meaningful human involvement during the process, in order to ensure objectivity and fairness.

Applicants’ rights

Applicants may invoke their rights to access, rectification or erasure their data, limitation, opposition to the use of the data, restrict its processing and portability. The rights can be exercised, and the consent can be withdrawn by sending a written request to the Data Controller, without affecting the lawfulness of the processing based on the consent given before its withdrawal. Applicants can also exercise their right to object to decisions exclusively taken by automated tools. To exercise any of these rights, Applicants may send an e-mail to dataprivacy@qualifyze.com.

Subject to the requirements of Art. 77 GDPR, Applicants have the right to file a complaint with a competent supervisory authority. As a rule, the Applicant may contact the supervisory authority of his or her habitual residence or place of work or place of the alleged infringement or the registered office of Qualifyze. The supervisory authority responsible for Qualifyze in Spain is the Agencia Española de Protección de Datos.

Changes to this Privacy Policy

Qualifyze reserves the right to update or modify this privacy policy at any time to reflect changes in its data processing policies or legal requirements. Qualifyze will always inform Applicants of the updated privacy policy before starting the processing of their data. However, Qualifyze encourages Applicants to review this policy periodically for any updates.

Cookie Policy

Data Processing Agreement

Last modified October 10th, 2025.

This Data Processing Agreement (“DPA”) shall apply to all Subscription Agreements in which QUALIFYZE GMBH or QUALIFYZE INC. (hereinafter individually each as “Qualifyze”), in the course of fulfilling its obligations under the relevant Subscription Agreement, processes Personal Data on behalf of a client acting as a Data Controller. Qualifyze is also referred to as “Data Processor” and the respective client as “Data Controller”; they are also referred to collectively as the “Parties” and each as a “Party”. For the avoidance of doubt, if the Client has a Subscription Agreement in place with Qualifyze, the Data Processor is the company the Client has signed the Subscription Agreement with.

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the same meaning as in the General Data Protection Regulation 2016/679 (“GDPR”) or the Subscription Agreement and their cognate terms shall be construed accordingly.
In addition, the following definitions shall be applicable:
1. “Affiliated Company” or “Affiliated Companies” shall mean any company directly or indirectly owning or controlling any Party, or any company under the same direct or indirect ownership or control as any Party, or any company directly or indirectly owned or controlled by any Party. Ownership or control shall exist through the direct or indirect ownership or control of more than 50% of the nominal value of the issued equity share capital or of more than 50% of the shares entitling the holders to vote for the appointment of directors or persons performing similar functions. Ownership or control shall also exist when there is power to direct or cause the direction of the management or policies of the company by any means.
2. “Auditor” shall mean the independent, qualified and experienced auditors in accordance with international quality standards, hired by Qualifyze.
3. “Auditee” shall mean the Client’s supplier.

2. Personal Data

The Data Processor shall process Personal Data on behalf of the Data Controller in accordance with the written instructions given by the Data Controller.
A description of the categories of Personal Data and Data Subjects and the processing activities can be found in Appendix I.

3. Processing of Personal Data

The Data Processor shall comply with all data protection laws applicable to it in the Processing of Personal Data and process the Personal Data only in line with the instructions issued by the Data Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Data Processor is subject; in such a case, the processor shall inform the Data Controller or that the legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

4. Data Processor’s Personnel

The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Data Controller’s Personal Data, ensuring that access is strictly limited on a need-to-know basis, and strictly necessary for the purposes of the applicable Subscription Agreement.
Likewise, Data Processor shall ensure that the persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality.

5. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement the appropriate technical and organizational measures to ensure an appropriate level of security as established in article 32 of the GDPR, including as appropriate:
1. The pseudonymization and encryption of Personal Data.
2. The ability to ensure the ongoing, confidentiality, integrity, availability and resilience of processing systems and services;
3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The technical and organizational measures employed by the Data Processor are described in Appendix II.

6. Relationship between Qualifyze GmbH and Qualifyze Inc.

For the avoidance of doubt, under a Subscription Agreement, both Qualifyze entities may act either as (i) Data Processor, when directly engaged under a Subscription Agreement; or (ii) sub-processor, when providing limited support and maintenance services to the other Qualifyze entity for fulfilment of such Subscription Agreement.
In such cases, the Qualifyze entity with whom the Client signed the Subscription Agreement shall remain the main Data Processor towards the Client, and the other Qualifyze entity shall be bound by equivalent data protection obligations as those set forth in this DPA.
For the avoidance of doubt, data processing activities jointly carried out by Qualifyze GmbH and Qualifyze Inc. as joint controllers (e.g., users of the Qualifyze platform) are governed by a separate Joint Controllership Agreement between both companies.

7. Sub processing

The Data Processor may appoint other processors who provide auxiliary services necessary for the normal functioning of the services of the Data Processor, including hosting or storing. The Data Controller hereby grants a general written authorisation to the Data Processor to appoint such other processors (including any Affiliate of the Data Processor or Qualified Auditor) as sub-processors. Appendix III contains a list of sub-processors used by the Data Processor at the time of signing this DPA.
Notwithstanding the foregoing, the Data Processor shall inform the Data Controller of any changes concerning the addition or replacement of other processors. In individual cases, the Data Controller has the right to object to the engagement of a new sub-processor. An objection may only be raised by the Data Controller for important reasons which have to be further clarified. Insofar as the Data Controller does not object within 14 days after receipt of the notification, its right to object to the corresponding engagement lapses. If the Data Controller objects, the Data Processor is entitled to terminate the Subscription Agreement and this DPA with a notice period of three months.
It is the Data Processor’s responsibility to ensure that its contractual agreements with sub-processors impose the same obligations on sub-processors as those incumbent upon the Data Processor under this DPA (including sufficient guarantees as to the implementation of appropriate technical and organizational measures). The Data Processor shall be fully liable to the Data Controller according to clause 7 of the Subscription Agreement in case of any breach of the data protection laws by any of the subcontractors engaged by the Data Processor.
Where the Data Processor engages a sub-processor in a non-EEA country that is not recognised by the European Commission as providing an adequate level of protection for Personal Data, the data transfer shall be subject to the Standard Contractual Clauses approved by the European Commission (EU) 2021/914, of June 4th, 2021, Module 3 (Processor to Processor) or other appropriate safeguards in line with Art. 46 GDPR.

8. Data processor’s Obligations

Taking into account the nature of the processing, the Data Processor undertakes to assists the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights described in Chapter III of the GDPR. In particular, the Data Processor shall:
1. Promptly notify the Data Controller if it receives a request from a Data Subject under any data protection law in respect of the Data Controller’s Personal Data; and
2. Undertakes not to respond to that request except on the documented instructions of the Data Controller or as required by applicable law to which the Data Processor is subject, in which case the Data Processor shall inform the Data Controller of that legal requirement before responding to the request.
The Data Processor shall notify the Data Controller without undue delay and, where feasible, within 48 hours of becoming aware of a Personal Data Breach affecting the Data Controller’s Personal Data, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach. Data Processor shall co-operate with the Data Controller and take reasonable commercial steps as directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Said notification shall at least:

Describe the nature of the personal data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
Describe the likely consequences of the Personal Data Breach;
Describe the measures taken or proposed to be taken by the Data Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

In no case will the Data Processor notify the Personal Data Breach to the supervisory authority competent without the authorization of the Data Controller.

3. The Data Processor shall co-operate with the Data Controller with any Data Protection Impact Assessment which the data Controller reasonably considers to be subject to pursuant to Article 35.

9. Term and Termination

This DPA shall become effective on the same date as the Subscription Agreement and shall remain in force until the Subscription Agreement is terminated in accordance with its terms.
Upon written request from the Data Controller, the Data Processor will, within 30 business days, return to the Data Controller all documents and other materials in the Data Processor’s possession containing Personal Data of the Data Controller. The Data Controller might, at its sole discretion, request the Data Processor to destroy all documents and other materials in the Data Processor’s possession containing Personal Data of the Data Controller.
Notwithstanding the foregoing, (a) the Data Processor may retain one copy of all documents and other materials containing Personal Data of the Data Controller for archival, compliance and legal purposes, and (b) the Data Processor shall not be required to destroy any securely stored computer files that contain Personal Data of the Data Controller created during automatic system back-ups and/or archiving systems.

10. International Data Transfer

For Clients with an active Subscription Agreement with Qualifyze GmbH: If, for the provision of the services, Personal Data under this DPA is transferred by the Data Processor to the Data Controller outside of the EEA to a country that is not recognised by the European Commission as providing an adequate level of protection for Personal Data, the data transfer shall be subject to the Standard Contractual Clauses approved by the European Commission (EU) 2021/914, of June 4th, 2021, Module IV (Processor to Controller), incorporated herein as Appendix IV.

For Clients with an active Subscription Agreement with Qualifyze Inc.: The Parties acknowledge that, although both entities are established in the United States, the processing of personal data under this DPA may involve the transfer of personal data originating from the European Economic Area (EEA). The Parties agree that such transfer will be governed by the Standard Contractual Clauses adopted by the European Commission’s Implementing Decision (EU) 2021/914, Module IV included as an exhibit herein.

11. Personal Data of the Signatories and other Contact Persons

The signatories and the contact persons are informed that their personal data will be processed by both Parties as independent controllers. Both Parties shall observe any applicable data protection regulation, in particular the provisions of the GDPR. The legal basis for the processing is the performance of the contract. The data may be transferred to the Affiliates of Qualifyze for administrative purposes only.
The data subject may exercise the rights to access, rectification or erasure of the data, restriction of processing and portability, as well as withdraw the consent, without affecting the lawfulness of the processing based on consent before its withdrawal, by sending a written request to the Data Controller, whose contact details are in section 1. They may also lodge a complaint with a supervisory authority. The data will be stored for the duration of the contractual relationship and even after the termination until the appropriate legal actions for this purpose expire.

12. Miscellaneous

Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain (c) can be proven by the receiving Party to have been developed independently of Confidential Information received from the disclosing Party; or (d) are approved in writing by the disclosing Party not to be treated as confidential.
No Party may assign any rights or claims under this DPA without the prior written consent of the other Party (within the meaning of section 126 b German Civil Code). This will not apply to assignments to Affiliated Companies of the assigning Party or successors of the Parties.
This DPA comprise the entire agreement between the Parties concerning its subject matter. It shall supersede all prior agreements and conventions, oral and written declarations of intent and other arrangements or side agreements (whether binding or non-binding) made by the Parties in respect thereof. This does not apply to a confidentiality agreement concluded between the Parties. In case of a conflict between any Contractual Document, including the Subscription Agreement, and the provisions of this DPA, the provisions of this DPA shall prevail.
No amendments to this DPA shall be valid and binding unless they are in writing and signed by the Parties.
The failure or delay by the either Party in exercising or enforcing any right, remedy or power under this Subscription Agreement shall not constitute or operate as a waiver of that right, remedy or power. The single or partial exercise or enforcement of any right, remedy or power under this DPA shall not preclude or restrict any further exercise or enforcement of that right, remedy or power, or the exercise or enforcement of any other right, remedy or power under this DPA.
Should one or more provisions of the DPA be or become invalid or unenforceable, this shall not affect the validity and enforceability of the remaining provisions of the DPA. In that case, the Parties shall agree a valid provision to replace the invalid or unenforceable provision which reflects as closely as possible the original economic purpose, provided a supplementary interpretation of the DPA does not have precedence or is not possible. In place of the invalid or unenforceable provision, or to fill a contractual lacuna, such valid and enforceable provision shall apply which reflects as closely as possible the commercial intention of the Parties as regards the invalid, unenforceable or missing provision.
Each Party represents and warrants to the other Party that it has the legal power and authority to enter into and perform under this DPA.
The Parties agree that electronic signatures, if used in execution of this DPA, any subsequent amendments and/or any Contractual Document, are legally binding and have the same legal effect as traditional handwritten/wet ink signatures. Each of the Parties agrees that the electronic signatures used in execution of this DPA, any subsequent amendments and/or any Audit Contracts shall constitute an original for all purposes. The Parties also agree that exchanging scanned copies of this DPA, any subsequent amendments and/or any Contractual Documents containing traditional handwritten/wet ink signatures via email is legally binding and has the same legal effect as exchanging hard copies of the DPA.

Appendix I Description of Data Subjects and data processing activities

Affected persons and group of persons

In particular:

Contact persons and employees of Data Controller
Contact persons and employees of Data Importer’s suppliers

Where Data Importer’s supplier conduct clinical trials that are within the scope of the audit at hand:

Participants of clinical trials

Type of data or data categories

In particular:

Full name
E-mail address
Phone number

Where Data Importer’s supplier conduct clinical trials that are within the scope of the audit at hand:

Health data (pursuant to Art. 9 GDPR)

Nature and purpose of processing

Nature of the processing:

Collection, use, storage and deletion of personal data

Purpose of the processing:

Provision of Data Processor’s services via the Internet (i.e., SaaS distribution), in particular
Facilitation and conduction of audits of Data Processor’s client suppliers via selected auditors

Appendix II Technical and Organizational Measures (TOMs)in accordance with art. 32 gdpr

Section 1. Purpose and applicability

A secure personal data processing is fundamental to Qualifyze’s operational efficiency, risk mitigation, and overall health. This document describes the technical and organizational measures Qualifyze takes with regards to the processing of personal data in accordance with article 32 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regards to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).

Section 2. Anonymization, pseudonymization and encryption:

Encryption: all devices with access to personal data shall be encrypted. Client information when at rest and in transit, or stored on portable devices shall be encrypted to avoid access for unauthorized individuals.

Data rest is encrypted using AWS Key Management Service (KMS) with symmetric keys (key spec: symmetric_default), utilizing the AES-256 encryption algorithm as per AWS standards.
Data in transit is encrypted using RSA 2048-bit encryption provided by Amazon for secure communication over its web applications.

Section 3. Confidentiality:

3.1. Access Control: Qualifyze has established robust and secured access through one-person passwords and permissions control.

3.1.1. Passwords: for every network user, a personally assigned user must be set up with a minimum of 8-digit password featuring both uppercase and lowercase letters, numbers, and special characters, in accordance with the OWASP recommendations.
3.1.2. Access restrictions: Qualifyze’s access to networks and applications are built on the principle of the minimum privilege. Authorizations are implemented through a role-based access control (RBAC), ensuring that Qualfiyze’s employees and users have access only to the data and resources necessary for their roles. Creating, changing, and removing authorizations is managed in documented procedures and monitoring of administrator access is performed continuously using advanced security tools. Systems are protected by VPN and all cloud accounts shall require a two-factor authentication mechanism. Auth0 for identity management with a 2FA for internal users is applied.
3.1.3. Logging and Monitoring: Access logs are maintained and regularly reviewed to detect any unusual or unauthorised activities. Automated alerts are configured to notify security personnel of any suspicious access attempts or anomalies.
3.2. Entry Control:The physical offices in which personal data are processed shall not be freely accessible, rooms must be locked when employees are away. In cases of remote access to personal data, Qualifyze’s security policies shall apply and shall be done using a multi-factor authentication method.

3.2. Transition control:controls to prevent the transition of data to external systems shall be in place. Environments shall be isolated in separate networks.

3.3. Confidential Disclosure Agreements:all employees and third parties allowed to access personal data are bound by confidentiality obligations under formal agreements.

3.4. Security:Network firewalls, website filtering, intrusion prevention/detection solutions are in place.

Section 4. Integrity and Availability:

4.1. Devices and Software management: personal data shall be processed on data processing systems that are subject to regular and documented patch management. A state of the art firewall is enabled by default and is kept up to date. Servers shall be replicated in the cloud in order to ensure availability. Automatic scripts that apply backups shall be used, as well as infra as code.

4.2. Logging and monitoring: access logs are maintained to ensure traceability of access, modifications to personal data and deletions are recorded. Regular integrity checks and hashing mechanisms are in place to detect unauthorized alterations.

4.3. Backups: backups of essential personal data are performed on a regular basis according to Qualifyze’s internal policies and industry best practices. Qualifyze regularly tests the backup process, at least once per quarter.

4.4. Testing: regular vulnerability scannings and penetration testings are conducted.

4.5. Disaster recovery and business continuity plans are in place.

Section 5. Incident response:

Qualifyze has a documented security incident management protocol that covers incident response, escalation and remediation to ensure availability to restore the availability and access to personal data in a timely manner. Records of incidents are retained for a minimum of 5 years. Security incidents involving Client’s personal data will be notified in accordance with clause 7 of the DPA.

Section 6. Data Deletion:

Client personal data shall be deleted from Qualifyze information systems upon written request by the Client when no longer needed by Qualifyze to fulfill its obligations under the subscription agreement.

Section 7. Review and Evaluation:

Qualifyze TOMs are periodically reviewed to assess compliance with industry security standards and applicable regulations, regular audits are conducted. Upon Client’s request, when deemed appropriate by Qualifyze, Qualifyze will provide relevant information to the client to demonstrate compliance with this TOMs.

APPENDIX III – LIST OF SUB-PROCESSORS

Amazon Web Services (hosting and infrastructure), Germany.

Google (Data hosting provider), Germany.

Microsoft (Office 365 and OneDrive Suite), Germany.

JIRA and Confluence from Atlassian (project management), Ireland.

Make (Data automation flows), Germany.

HubSpot (Customer Relationship Management – CRM), Germany.

Mailchimp (Email Marketing), USA.

Hotjar (analyze user behaviour on websites), Ireland.

DataDog Inc. (security and system maintenance), Europe.

AirTable, (support tool), US.

Slack (internal messaging system), Germany.

Qualifyze Spain, S.L.U. (Service & Support), Spain.
Qualifyze Inc. (Service & Support), US. – acts as a sub-processor only when the Subscription Agreement has been signed with Qualifyze GmbH.
Qualifyze GmbH (Service & Support), Germany – acts as a sub-processor only when the Subscription Agreement has been signed with Qualifyze Inc.

Qualified auditors as agreed with the Client in accordance with the Subscription Agreement.

Gong.io, (notetaker of meetings with clients for training and quality purposes), Israel, US, UK, EEA.

ChiliPiper (scheduling services), US.

DocuSign Inc., (signing tool) EEA, (depending on the DocuSign account used).

Juro Online Limited, (contract automation), Ireland.

Appendix IV Standard Contractual Clauses

Module IV (Processor to Controller)

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ⁽¹⁾ for the transfer of personal data to a third country.

(b) The Parties:

the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

————————————————-

¹ Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
Clause 8.1 (b) and Clause 8.3(b);
N/A
N/A
Clause 13;
Clause 15.1(c), (d) and (e);
Clause 16(e);
Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data ⁽²⁾, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

————————————————-

² This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

N/A

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

N/A

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(where the EU where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards ⁽³⁾;
any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

————————————————-

³ As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
the data importer is in substantial or persistent breach of these Clauses; or
the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of Frankfurt am Main, Germany.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: Qualifyze GmbH (if the Subscription Agreement has been signed with this entity) or Qualifyze Inc. (if the Subscription Agreement has been signed with this entity).

Address: Bockenheimer Anlage 46, 60322, Frankfurt am Main, Germany and 525 Washington Blvd, Jersey City, NJ 7310, New Jersey, United States (respectively)

Contact person’s name, position and contact details: Rosa de Antonio Rodríguez, Data Protection Officer; dataprivacy@qualifyze.com (Qualifyze GmbH) and dataprivacy@qualifyze.com (Qualifyze Inc.)

Activities relevant to the data transferred under these Clauses:

Transfer of audit reports pursuant to contract obligations to Data Importer as further described in the DPA.

Signature and date:

Role (controller/processor): Processor

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: As laid down in the Subscription Agreement

Address: As laid down in the Subscription Agreement and/or order form

Contact person’s name, position and contact details: As laid down in the Subscription Agreement and/or order form

Activities relevant to the data transferred under these Clauses:

Use and disclosure of audit reports to relevant authorities; storage of audit reports pursuant to statutory retention obligations.

Signature and date:

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Contact persons and employees of Data Importer’s supplier
Where audited entities conducted clinical trials: participants of said clinical trials

Categories of personal data transferred

Contact data, e.g. full name, e-mail address, phone number.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Where audited entities conducted clinical trials: health data relating to participants of said clinical trials. The sensitive data is only transferred and used further by the Data Importer as part of the audit reports and only disclosed to relevant authorities pursuant to statutory obligations.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis

Nature of the processing

Storage, combination, dissemination

Purpose(s) of the data transfer and further processing

Transfer to Data Controller as part of audit results pursuant to contract obligations as further described in the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Only for as long as required by applicable statutory retention obligations.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

n/a

Data Privacy for Qualifyze’s Events

Last modified July 9th, 2025.

SCOPE

Qualifyze GmbH (hereinafter “Qualifyze”) is committed to protecting the privacy, security and confidentiality of personal data in compliance with the General Data Protection Regulation (GDPR) and the relevant data protection laws.

This privacy notice outlines how Qualifyze collects and processes certain personal data of the attendees to a Qualifyze event (hereinafter the “Event”).

In the event of changes to this Privacy Policy, we will post the amended Privacy Policy and send you an informative email.

CONTROLLER OF THE PERSONAL DATA

The Data Controller of your personal data is Qualifyze GmbH, Bockenheimer Anlage, 46, 60322 Frankfurt am Main, Deutschland, dataprivacy@qualifyze.com.
DPO: dataprivacy@qualifyze.com

CATEGORIES OF PERSONAL DATA

We process the following categories of personal data:

Identifying and contact data: name and surname, email address , telephone number, industry, professional title, department and/or email address.
Data that you transmit to us via social media, websites or services;
In case you are a speaker at our event or in any way intervene by presenting a topic, we will also process professional and academic information about you, such as: professional experience, work title, qualifications.
Other information: date and time of access to the Event.
Photographs or video images and sound in which individuals may be identifiable.
Opinions on the realization of the Event.

PURPOSES FOR THE PROCESSING OF PERSONAL DATA

The processing and use takes place in particular for the following purposes:

Sending of the invitation to the Event, management of your participation and other communications related to the Event.
Access control to the Event.
Satisfaction survey after the Event.
Capturing and sharing Event photos on social media to promote
Qualifyze’s Events and engage with our community.

BASIS FOR PROCESSING YOUR DATA

The legal basis for processing your data for purposes a. to c. is Qualifyze’s legitimate interest (art. 6.1.f) GDPR) for the Event management.

Likewise, for the purpose indicated in letter d. In case of wide shots and environmental sound, the legal basis is Qualifyze’s legitimate interest (art. 6.1.f) GDPR) in publicising and promoting Qualifyze’s Events both internally and externally, whether on our website or social media profiles, blogs, printed or other appropriate actions for the purpose.

In the event that, within the pictures of the Event Qualifyze or any Qualifyze’s subcontractor captures shots in which a person can be identified, the processing of the image and voice is based on the consent (art. 6.1.a) GDPR) of the Attendee given in the process of confirming attendance to the Event. By accepting the processing of their image and voice, the Attendee accepts Qualifyze to publish these images through any media, supports and formats known at present or that may be known in the future, including, by way of example: printed media such as brochures, magazines, press, books; radio, television, mobile telephony or the Internet (including websites, social network profiles, microsites, blogs, etc.), applications for smartphone and tablets, all on a non-exclusive, indefinite and worldwide basis. It is hereby informed that photos/videos may be published on the internet and thus distributed worldwide, further use by other persons cannot be excluded and deletion cannot be guaranteed. This transfer does not imply any obligations for Qualifyze to make use of the rights that are the object of this transfer.

Also, in the process of confirming attendance, the Attendee will be able to authorize Qualifyze to totally or partially assign these rights, transfer or subrogate its rights and obligations to any company of the Qualifyze Group, solely and exclusively for the purpose described above.

DATA SHARING

Data can be transmitted to the following recipient groups:

Authorized service providers who support us in our business operations and/or during the Event (advertising agencies, website operation, photographers).
Criminal prosecution or supervisory authorities or authorized third parties on the basis of a request for information in connection with an investigation procedure or the suspicion of a criminal offence, an illegal act or other actions which may give rise to legal liability for us, you or another user.
Qualifyze’s Affiliates for administrative purposes only.

Third-country transfers:

STORAGE OF PERSONAL DATA

The data will be stored for the time necessary to fulfil the purpose of the processing and in accordance with the principle of limitation of the conservation period for 2 years. Once the data is no longer necessary, it will no longer be processed for the initial purposes and will be stored with restricted access, only available to the competent authorities in the event of a complaint or legal action during 4 additional years.

DATA PROTECTION RIGHTS

Subject to the requirements of Art. 77 GDPR, data subjects have the right to file a complaint with a competent supervisory authority. As a rule, the data subject may contact the supervisory authority of his or her habitual residence or place of work or place of the alleged infringement or the registered office of Qualifyze. The supervisory authority responsible for Qualifyze is the Hessian Commissioner for Data Protection and Freedom of Information. A list of all German supervisory authorities and their contact details can be found here.

Data Privacy for Qualifyze’s Events in the U.S.

Last modified July 30th, 2025.

SCOPE

Qualifyze Inc. (hereinafter “Qualifyze”) is committed to protecting the privacy, security of individuals and transparency and fairness in the processing of their personal data. This privacy notice outlines how Qualifyze collects and processes certain personal data of the attendees to a Qualifyze event in the U.S. (hereinafter the “Event”), including marketing activities.

In the event of changes to this Privacy Policy, we will post the amended Privacy Policy and send you an informative email.

CATEGORIES OF PERSONAL DATA COLLECTED

In the course of the Event, we process the following categories of personal data:

Identifying and contact data: name and surname, email address, telephone number, industry, professional title, department and/or email address.
Data that you transmit to us via social media, websites or services;
In case you are a speaker at our event or in any way intervene by presenting a topic, we will also process professional and academic information about you, such as: professional experience, work title, qualifications.
Other information: date and time of access to the Event.
Photographs or video images and sound in which individuals may be identifiable.
Opinions on the realization of the Event.

PURPOSES FOR THE PROCESSING OF PERSONAL DATA

The processing and use takes place in particular for the following purposes:

Sending of the invitation to the Event, management of your participation and other communications related to the Event.
Access control to the Event.
Satisfaction survey after the Event.
Capturing and sharing Event photos on social media to promote Qualifyze’s Events and engage with our community.

BASIS FOR PROCESSING YOUR DATA

The legal basis for processing your data for purposes is your consent given when accepting this Privacy Policy by registering to the Event.

DATA SHARING

Data can be transmitted to the following recipient groups:

Authorized service providers who support us in our business operations and/or during the Event (advertising agencies, website operation, photographers, speakers).
Criminal prosecution or supervisory authorities or authorized third parties on the basis of a request for information in connection with an investigation procedure or the suspicion of a criminal offence, an illegal act or other actions which may give rise to legal liability for us, you or another user.
Qualifyze’s Affiliates.

Third country transfers:

This Privacy Policy and the Event is intended for attendees located within the United States. While the website is generally available outside the United States, we do not market the Event to any other individuals beyond the United States. Law governing data collection and use in other jurisdictions may differ from U.S. law. If you are located in the European Union and decide to join the Event, you should be aware that data will be transferred to the U.S.

EVENT PHOTOGRAPHY AND VIDEO

To promote Qualifyze’s Events and engage with our community, Qualifyze or its contractors may capture and employ pictures and videos of the attendees. Attendance at our Event means consent to this Privacy Policy for Qualifyze’s events in the U.S., including the use of individuals’ image in promotions. Qualifyze may publish these images through any media, supports and formats known at present or that may be known in the future, including, by way of example: printed media such as brochures, magazines, press, books; radio, television, mobile telephony or the Internet (including websites, social network profiles, microsites, blogs, etc.), applications for smartphone and tablets, all on a non-exclusive, indefinite and worldwide basis. It is hereby informed that photos/videos may be published on the internet and thus distributed worldwide, further use by other persons cannot be excluded and deletion cannot be guaranteed. Qualifyze hereby disclaims any liability for its usage by other attendees or third parties on social media. Also, the Attendee is hereby authorizing Qualifyze to totally or partially assign these rights, transfer or subrogate its rights and obligations to any company of the Qualifyze Group, solely and exclusively for the purpose described above.

If you don’t agree to this, you can exercise your opt-out right by sending an email to dataprivacy@qualifyze.com.

While the data will be stored for as long as it is required to fulfil the purposes of this Privacy Policy, attendees may exercise the opt-out right at any time, without it affecting the consent given prior to that withdrawal.

Data Privacy information.

Purpose

Scope of Application

General Principles on Data Protection

Lawfulness and Fairness

Purpose Limitation

Data Minimization:

Accuracy

Storage Limitation

Integrity and Confidentiality

Transparency and Information

Limit to the Acquisition of Personal Data

Contracting Processors

International Transfers

Data Subject Rights

Training of Employees

Control and Evaluation

Implementation

Annex 1

Data Protection basic terms and concepts:

1. SCOPE

2. DATA CONTROLLER OF THE PERSONAL DATA

3. CATEGORIES OF DATA

4. PROCESSING AND USE OF PERSONAL DATA: PURPOSES

5. DATA SHARING:

6. USE OF SOCIAL MEDIA PLUGINS

7. DATA SECURITY

8. DATA PROTECTION RIGHTS

9. STORAGE OF PERSONAL DATA

Information on personal data processing in accordance GDPR for job applicants

General data processing information

Collected data: only personal data shared with Qualifyze are being collected, when applying for a job offer. Apart from that, no personal data are collected. Any processing of Applicants’ personal data that goes beyond this scope is only possible with their express consent.

Data categories: Qualifyze collects and processes some or all of the following type of personal data Applicants provide during the application process, which are not limited to but include:

Processing purpose: To add Applicants’ resume to Qualifyze’s job application process, to evaluate Applicants; send email notifications regarding the current application status and future job offers (only with Applicants’ prior consent) and manage Applicants’ application process.

Legal basis: Adoption of pre-contractual measures (art. 6.1.b) GDPR). However, consent (art. 6.1.a) GDPR) is the legal basis for collecting recommendations from previous employers and image and voice processing.

Categories of recipients: Qualifyze may share Applicants’ data with the following recipients:

Duration of data storage: Application data will generally be deleted within one year, at the latest, after the application date, unless consent has been given to store the data for a longer period of time in an applicant pool or another legal basis.

Automated decision-making

Applicants’ rights

Changes to this Privacy Policy

1. Definitions and Interpretation

2. Personal Data

3. Processing of Personal Data

4. Data Processor’s Personnel

5. Security

6. Relationship between Qualifyze GmbH and Qualifyze Inc.

7. Sub processing

8. Data processor’s Obligations

9. Term and Termination

10. International Data Transfer

11. Personal Data of the Signatories and other Contact Persons

12. Miscellaneous

Appendix I Description of Data Subjects and data processing activities

Appendix II Technical and Organizational Measures (TOMs)in accordance with art. 32 gdpr

Section 1. Purpose and applicability

Section 2. Anonymization, pseudonymization and encryption:

Section 3. Confidentiality:

Section 4. Integrity and Availability:

Section 5. Incident response:

Section 6. Data Deletion:

Section 7. Review and Evaluation:

APPENDIX III – LIST OF SUB-PROCESSORS

Appendix IV Standard Contractual Clauses

Module IV (Processor to Controller)

SECTION I

Clause 1

Purpose and scope

Clause 2

Effect and invariability of the Clauses

Clause 3

Third-party beneficiaries

Clause 4

Interpretation

Clause 5

Hierarchy

Clause 6

Description of the transfer(s)

Clause 7 – Optional

Docking clause

SECTION II – OBLIGATIONS OF THE PARTIES