General Terms And Conditions

SCOPE
1. jobs.lu (Luxembourg Branch) S.A.R.L. (“jobs.lu”) and the undersigned business partner (“customer”) agree to fulfil the performance of their contract pursuant to these terms and conditions and the price list. jobs.lu's Terms and Conditions, together with the Additional Terms and Conditions and the price list contain the whole agreement between jobs.lu and the customer. Any terms and conditions of the customer do not apply, unless jobs.lu explicitly consents to them in writing.
2. The version of jobs.lu's Terms and Conditions in force at the time of the last concluded contract with the customer shall apply to the relationship between jobs.lu and the customer. These Terms and Conditions only apply to business customers and not to consumers.
CONCLUSION OF CONTRACT
1. The contract is concluded when jobs.lu receives the signed acceptance of the contract offer which shall contain date and signature of the customer or when jobs.lu confirms the order in writing or by email or when jobs.lu publishes the ad on the internet or when jobs.lu sends the customer the login data in writing or by email, and the customer therefore has access to the job listing management. Faxes are considered to be a written form.
2. By the customer altered contract offers or offer acceptances as regards content shall be deemed a new offer made by the customer. The contract is then concluded by acceptance by jobs.lu which will either be made explicitly or implicitly by provision of the services.
DESCRIPTION OF SERVICES
1. The contract obliges jobs.lu to publish the products and perform the services agreed upon in the contract (“service elements”) in accordance with these Terms and Conditions. Additional to the description of services jobs.lu‘s Additional Terms and Conditions apply.
2. Non-competition clauses are not accepted.
REMUNERATION
CONDITIONS OF PAYMENT
1. Payment referred to in section 4, includes all additional costs such as emails, telephone calls, fax, data transmission, copies and postage which are usually incurred. The cost of correction and proof-reading that have occurred as a result of the customer supplying incorrect data are not included. jobs.lu will inform the customer if the additional costs exceed the average amount in relation to individual orders. The customer is obliged to pay jobs.lu for these additional costs if he has consented to them.
2. The customer will be invoiced immediately after the conclusion of the contract and the latest at the beginning of the contract period. Payment is due 30 days after receipt of the invoice, without deductions.
3. If jobs.lu does not receive payment by the due date, jobs.lu shall be entitled (without prejudice to any other remedies) to charge interest on all sums outstanding after the due date on a daily basis at the rate of 4% above the EURIBOR rate.
4. If the payment has not been received within thirty days following the commencement of the period, jobs.lu may cease the services provided to the customer under the contract.
5. All prices exclude any VAT legally payable on the date of the invoice.
6. Any payments made by the customer will be credited against the oldest outstanding invoice. jobs.lu may refuse to render its services until customer has made all outstanding payments.
THE BASIS OF COOPERATION/ HOUSE RULES FOR POSTING JOBS ON jobs.lu
1. jobs.lu is committed to continually optimize the number of responses to advertisements of the customer and to improve the quality and quantity of the searchable applications.
2. jobs.lu is entitled to make changes to the presentation, layout and functionality of the jobs.lu website.
3. The customer’s rights under this contract are neither transferable nor assignable. The contract can only be transferred to a third party with jobs.lu’s consent.
4. As far as jobs.lu has obtained the customers email address in connection with an order, jobs.lu may, also after the end of the contract, send information, questionnaires and other commercial communication concerning similar services provided by jobs.lu via email. The customer may opt out at any time with effect for the future without any form requirements and free of charge. jobs.lu will inform about the right to opt out in every mail.
5. The customer undertakes to provide all information and other documentation required for achieving the objectives set out in the contract. This also includes the customer’s obligation to immediately inform jobs.lu if one of the service elements becomes outdated.
6. The customer shall ensure that he receives emails from jobs.lu unobstructed and will set jobs.lu as “trusted server”.
7. jobs.lu may review the information which the customer intends to place or has placed on the jobs.lu website if they breach legal provisions, official regulations, the right of third parties or good morals or the terms and conditions of jobs.lu (“illegal content”). This also applies if links included in the customer's service elements lead directly or indirectly to pages containing illegal content. The customer's payment obligation remains unaffected. jobs.lu shall only be obliged to remove illegal content that breaches legal provisions and/or at the request of the customer. The customer undertakes to indemnify jobs.lu and hold jobs.lu harmless against all payments and legal costs incurred due to illegal content or breach of law on first demand.
  
  In particular this includes following content:
  If these requirements are not fulfilled the content shall be deemed illegal content as per section 6.7.
8. The customer is responsible for configuring and arranging his infrastructure in accordance with the prevailing state of the art so that it becomes neither a target nor a source of disruptions which could affect the internet service supplied by jobs.lu or trouble and fault free network operation in general.
9. The customer guarantees that all of his content or parts thereof published by him on the internet or given to jobs.lu for publication are not encumbered by third party rights. The customer shall indemnify jobs.lu and hold jobs.lu harmless against any damage jobs.lu suffers from an infringement of this provision by the customer on first demand.
10. For job service elements that are published or used at websites that are not operated by jobs.lu, additional requirements and restrictions may apply. Please be informed that in other countries certain additional requirements and restrictions may apply. These have to be met. Specific information about additional requirements and restrictions for websites that are not operated by jobs.lu are provided upon request. In addition to these Terms and Conditions the Terms and Conditions of the respective website apply.
INTELLECTUAL PROPERTY RIGHTS
1. The contract does not transfer any (intellectual) property right, license or right of use from jobs.lu to the customer. All of jobs.lu's rights (including but not limited to copyright, trademark rights, sui generis data base rights, logos, titles as well as any other commercial rights) remain jobs.lu’s (intellectual) property without restriction.
2. All material and content published by jobs.lu is subject to jobs.lu's intellectual property rights (copyright, trademark rights and sui generis database rights), except for the individual elements of such material and content designed by the customer or a third party that are already subject to a customer’s or third party's intellectual property rights and that have not been modified/revised by jobs.lu.
3. By placing the order for publishing job listings on the Internet, jobs.lu obtains the sole database right to the customer's job listings published in the database by jobs.lu.
4. The customer is responsible for ensuring that the content to be published complies with press law, competition law and other applicable provisions.
5. By placing the order, the customer warrants and guarantees that he has obtained all necessary exploitation rights, copyrights and ancillary copyrights that are required for the publication of his data and content on the Internet.
WARRANTY, MALPERFORMANCE
1. jobs.lu warrants that it will fulfil the services ordered by the customer to be rendered by jobs.lu on the Internet in a manner that complies with usual technical standards.
2. Warranty claims shall neither exist in case of immaterial deviations from the agreed quality nor in case of immaterial impairment of the usability. The customer shall notify defects in writing immediately and at the latest 7 days after the service elements have been put on the Internet. If jobs.lu is liable for a defect of a service element, jobs.lu shall initially correct the defect by displaying the service elements for a longer period. Only if this measure fails, the customer is entitled to claim a price reduction or may withdraw from the agreement about individual service elements. Upon jobs.lu's request the customer must inform jobs.lu within a reasonable period if he insists on the delivery of the services or if and what other rights he claims because of the delayed services. In the case of repeated clients, the client may terminate the entire contract for the future. Termination of the contract shall not be effective insofar as service elements have already been published.
3. All liability claims shall become time barred after one year of the date on which the customer was aware or should have been aware without gross negligence of the client giving rise to such claim.
LIABILITY
1. jobs.lu shall be liable for damages - irrespectively of their legal basis - in case of gross negligence and intent as well as for damages because of death, injuries of the body or health, if jobs.lu has fraudulently concealed a defect or guaranteed its absence as well as for claims under product liability law. In other cases jobs.lu shall only be liable for damages resulting from the violation of an essential contractual obligation (an obligation that must be fulfilled to enable the correct execution of the agreement and which the customer may usually trust and may trust that it will be fulfilled); however, in this case the liability is limited to usual damages foreseeable under the contract.
2. In case of a violation of jobs.lu's obligations that is not a defect; the customer may only withdraw from or terminate the agreement if jobs.lu is responsible.
CONFIDENTIALITY
1. The contractual parties shall treat all information and data, which they receive from the other contractual party in conjunction with the implementation of this contract, as confidential and shall not make them accessible to third parties. This obligation shall also apply after the end of the contract.
2. Upon accepting the offer, both parties agree to mutually comply with all applicable privacy and data protection laws.
3. The customer is advised in accordance with data protection laws that jobs.lu stores his data in a machine readable form and uses it according to the purposes of this contract.
4. It is the customer's responsibility to treat any ID, password or username or other security device provided for the use of the services with due diligence and due care and to take all necessary steps to ensure that they are kept confidential, secure, are used properly and are not disclosed to unauthorized persons. The customer will be held responsible for any usage of his password or his username by third parties unless the customer provides evidence that the access to such password or username by such third parties has not been enabled by him and that the cause of any such access attained does not lie within his sphere of influence. The customer must immediately inform jobs.lu if it is likely or has become known that someone not authorised is using his password or username or if they are being or are likely to be used in any unauthorized way. In the event of a breach of any material obligations of the customer under this contract, in particular including but not limited to the infringement of any obligation described in this section, jobs.lu is entitled to immediately interrupt the operation of its services without further notice and without releasing the customer from any payment obligations.
CEASE AND DESIST UNDERTAKING OR COURT ORDERS
TERM
1. This agreement shall be effective from the date on which jobs.lu receives a signed version of the contract. The term agreed therein shall begin with the rendering of the first service element. This contract terminates automatically after the agreed period has expired, unless the additional terms and conditions set out below contain different provisions.
2. Service elements can only be ordered during the agreed contractual period. The client's rights to order service elements that have not been claimed before the termination of the contract shall end with the termination of the contractual period.
MISCELLANEOUS

ADDITIONAL TERMS AND CONDITIONS

ADVERTISMENTS

Description of Services
1. These additional terms and conditions for job ads and company presentations (“advertisements&”) apply in addition to our general terms and conditions and prevail in case of doubt.
  
  The customer can publish one or more advertisements for a recruiting purpose.
2. The content published must comply with following requirements; otherwise they are considered as illegal content with the consequences as per section 6 of jobs.lu's General Terms and Conditions:
3. jobs.lu is entitled but not required to make the job listings accessible otherwise, in particular through partner sites or by setting corresponding links to other websites. jobs.lu will not charge any additional fees for such additional performance.
4. The customer is advised that according to the current state of technology, it cannot be ruled out that the job listings published on our internet sites are also copied, linked and/or published, disguised as their own offer, by other internet providers. Within the framework of the technical and legal possibilities, we shall endeavor to prevent copying, linking and/or framing as described above. To this end, the customer herewith grants any required consent. However, if there is any unauthorised linking and/or framing, which has not been caused by us culpably or negligently, this shall be tolerated by the customer. The customer cannot derive any claims against us from this.
5. The personal data provided by the customer within the framework of the job listing contract, which are needed simply for registration but which are not included in the job listings, are not made accessible, forwarded or published by us to third parties.
6. Offers that are subject to change: International Deals and free services
7. Upon customers request jobs.lu will publish a button in relation to the job advertisements that is labeled with “Apply Now” or similar. Depending on the customer’s selection, this button can either link to a page designated by the customer or to a standardized application form operated by jobs.lu on its platforms, with which the applicants can provide the data requested through the form and have them transmitted by jobs.lu to the customer. The customer can receive the application at his choice through the Jobs.lu platform. jobs.lu will then submit the application to the specific account of the customer on the jobs.lu platform.
8. If an application was submitted to the customer in accordance with para. 1.7 of the Additional terms and conditions Advertisement into the specific account of the customer on the jobs.lu platform, the customer can access and download the application there (applicant management functionality).
9. Within the scope of the services under para. 1.8, jobs.lu processes personal data on behalf of the customer as a processor in the sense of Art. 28 GDPR; the Additional Terms and Conditions jobs.lu Data Processor Agreement apply in this context. Any other services provided by jobs.lu are not carried out as data processor.

CV Database

Description of services
1. These additional terms and conditions “CV Database” apply in addition to jobs.lu’s General Terms and Conditions and prevail in case of doubt.
  
  jobs.lu operates a database on the jobs.lu website which contains CVs of jobseekers (“Candidates”). Candidates can enter their CV or create a CV in the database. The customer, that orders an access to the CV database, may directly view public profiles and contact the candidates behind the profile and in case of anonymous profiles may, via the jobs.lu electronic system, send a contact request to the candidate behind the profile.
2. jobs.lu operates a database on the jobs.lu website which contains CVs of jobseekers (“Candidates”). Candidates can enter their CV or create a CV in the database. The customer, that orders an access to the CV database, may directly view public profiles and contact the candidates behind the profile and in case of anonymous profiles may, via the jobs.lu electronic system, send a contact request to the candidate behind the profile.
3. The customer may make use of certain functionalities in the CV database. The service does not include any data backup for the customer. Data may be removed or deleted from the back-office at any time without giving prior warning. Data will automatically be removed from the CV database for data protection reasons as soon as a candidate deletes his CV from the CV database. The CV database must not be used for any purposes violating antidiscrimination law.
4. If the customer saves the personal data of candidates on his own system he is obliged to comply with further monitoring duties. Should a candidate delete his CV from the CV database, the customer is obliged to immediately delete such data from his own system. He is then also obliged to destroy any related hard copies.
5. Depending on the specific price model agreed upon the customer can access a predefined number of CVs in the CV Database for a predefined time and may contact the predefined amount of profiles individually in order to fill a specific open position.
Obligation of the customer
1. The customer warrants that he will comply with all legal provisions, third party rights and good morals. Section 6 of these general terms and conditions shall prevail.
2. In particular, the customer warrants not forwarding or otherwise communicating the personal data of candidates, to respect their confidentiality and to comply with all applicable data protection and privacy rules. The customer is advised that, if a candidate should approach jobs.lu requesting the deletion of any data relating to the candidate, and jobs.lu thereafter gives notice to the customer of this request, the customer is obliged to delete any hard copy or electronic files or data relating to a certain candidate Profile immediately.
3. The customer undertakes to indemnify jobs.lu against all losses, costs, claims, damages or other expenses that are caused by the customer, unless jobs.lu is responsible.
4. Candidates are responsible for completing their candidate Profiles. Therefore, jobs.lu does not warrant their completeness, correctness, accuracy or accessibility. jobs.lu does not warrant any degree of response.
5. The data of jobseekers registering on jobs.lu‘s website ("candidates") is strictly confidential and may only be stored, or used according to applicable data protection laws. The customer is only entitled to contact candidates for filling concrete vacancies. jobs.lu is entitled to block the account of the customer and withhold access to candidate data in cases of infringements by the customer.
6. The customer is advised that special terms apply to data transfers outside the European Union. Generally, such data transfers require the consent of the candidate - even if the transfer occurs within a corporate group.

CERTAIN ADVERTISEMENTS

These additional terms and conditions for certain advertisements apply to the advertisement products defined below (collectively referred to as “Certain advertisements”) and apply in addition to our general terms and conditions and the additional terms and conditions advertisements and prevail in doubt. The applicability of the general terms and conditions and the additional terms and conditions advertisements to other products remains unaffected.

The following descriptions of services are an exhaustive description of the services owed by jobs.lu. No other functionalities or services are owed.

• Listing Slots

Job ads published on jobs.lu’s website can be placed, managed and replaced in listing slots which are accessible with personal access data. Quantity and display period of job ads in a listing slot is unlimited throughout the term of contract. Listings slot for the customers personal use and therefore must not contain job ads of third parties.

• On-site Promotion

jobs.lu shall publish on behalf of the customer a presentation of the customer provided by the customer in form of a Top banner, Homepage MPU, Featured Employer (“On-site promotion”) on jobs.lu’s website.

Top banner is placed at the top of jobs.lu’s homepage and in all target group channels/sub sites. Homepage MPU and Featured Employer will be published on jobs.lu’s homepage and are subject to rotation.

On-site promotion may contain a link to a certain job ad published on jobs.lu, job listings on jobs.lu, to customer’s presentation with logo or recruiting events on customer’s homepage.

• Auto-Responder

Auto-Responder is a tool provided by jobs.lu which sends automatic responses to the applicants of the customer’s job advertisements. The customer can configure the Auto-Responder himself or supply jobs.lu with a preferred text.

• Applicant Pre-Screening

Applicant Pre-Screening is a service provided by jobs.lu, where jobs.lu pre-screens the applicants of customer’s job advertisements after certain criteria as agreed upon with the customer and in accordance to antidiscrimination law

• LuxPlus pack

A job listing published on jobs.lu can be additionally published on StepStone.be for 60 days, StepStone.de for 60 days and/or Cadremploi.fr for 28 days. The customer can purchase credits for LuxPlus listing for a certain price per credit. The publication of one listing in one of the three countries costs one credit.

In addition to these Terms and Conditions the Terms and Conditions of the respective website apply.

Video Interview Service

The video job interview service (“Video Interview Service”) allows customers to a) create customized automated job interviews and/or b) conduct live job interviews (the “Video Interview“). An automated job interview is a structured way of interviewing where the customers’ candidate (Candidate”) answers a pre-recorded set of questions with a video recording at their convenience. The live job interview is a real-time interactive online conversation between a Candidate and one, or multiple, interviewer(s).
The web-based software system on which the Video Interviews are generated (the “System”), stored in a database specific to the customer and are made available to the customer through this.
The System may also be used for live video interviews using a webcam (see section 1 lit. b above).
The customer is not permitted to give third parties access to the System e.g. by letting them perform Video Interviews with its Candidates, unless expressly agreed otherwise in the agreement.
The price for the Video Interview Service is calculated according to the number of Video Interviews conducted on the basis of the contractually agreed unit price.

A Video Interview has been conducted if a) the Candidate provided its recorded video or b) the customer has carried out the live job interview with the Candidate.
StepStone has the right to delete the recorded Video Interviews from the System after one-hundred-and-eighty (180) days.

Additional Terms and Conditions jobs.lu Data Processor Agreement

jobs.lu acting as Processor

1.1 In the context of the the applicant management functionality according to Sec. 1.8 of the Additional terms and conditions Advertisements as well as in context of the use of the Video Interview Service, jobs.lu processes personal data as a processor in the manner described therein on behalf of the customer in accordance with Art. 28 GDPR, observing the following provisions.

1.2 jobs.lu processes the personal data solely within the framework of the contract and in accordance with the documented instructions of the customer unless there is an exceptional case within the meaning of Article 28 (3) (a) GDPR.

1.3 The processing takes place exclusively in member states of the European union or in another contracting state of the agreement over the European economic area, as far as no other instruction was given and a transmission in accordance with the regulations of Artt. 44 to 49 GDPR is allowed. Already upon conclusion of the contract, in the context of the measures to be taken under section 4.3 jobs.lu is instructed to transfer personal data to the other subcontractor Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA, as described in Section 6 below. This transfer is permitted under Art. 46 (2) lit. c GDPR, since the Standard Contractual Clauses of the European Commission (‘EU Model Clauses’) has been concluded with Akamai Technologies and the customer entered into the EU Model Clauses already according of that agreement. The customer may also directly enter into the EU Model Clauses with Akamai Technologies. These are available under https://www.akamai.com/de/de/multimedia/documents/akamai/akamai-pre-signed-eu-standard-contractual-clauses.pdf. Akamai Technologies’ Data Protection Officer may be contacted at privacy@akamai.com.

1.4 The duration of the processing corresponds with the duration of the use of the applicant management functionality. The duration of the processing within the scope of the Video Interview Service corresponds to the duration of the use of the Video Interview Service or depending on an active or existing account of the customer.

1.5 Data subjects are persons who have applied for a job vacancy with the Customer through the jobs.lu application form and/or participate in a video interview where the customer uses Jobs.lu's Video Interview Service.

1.6 The type of personal data used consists of CV data, such as contact details, educational records, work experience and knowledge and interests, and any other data submitted by the candidate as well as in case of using the Video Interview Service a) the recorded candidate videos, when an application video is created by the Candidate in accordance with 1 lit. a of the Video Interview Service in these GTC, or b) the e-mail address and name of the Candidate to conduct a live interview in accordance with 1 lit. b of the the Video Interview Service of these GTC.

1.7 The subject matter and purpose of the processing is, that the application data submitted by applicants can be made available and viewed in the jobs.lu account to the customer after his login. Within the scope of the Video Interview Service, the object and purpose of the processing is to transmit the Video Interview created by the applicant to the customer by making the videos available in the customer-specific account. If the Video Interview is used by the client, the purpose of the processing is the online transmission of the real-time interactive online conversation of candidates and one, or multiple, interviewer(s).

1.8 References in these Additional Terms and Conditions jobs.lu Data Processor Agreement to the General Data Protection Regulation (GDPR) shall be interpreted as references to the corresponding provision in the national data protection legislation until 24.05.2018. Unless there is a corresponding provision in the national legislation, the said obligation shall not apply until 24.05.2018 and will only apply with effect from 25.05.2018.

2. Obligations of the customer as client

2.1 In accordance with Art. 4 No. 7 GDPR, the customer is controller of the data processed by jobs.lu in accordance with the contract.

2.2 The customer informs Jobs.lu immediately and completely if it finds errors or irregularities regarding data protection regulations when checking the outcome of the processing.

2.3 The customer keeps a register for processing activities in accordance with Art. 30 para. 1 GDPR.

3. Obligations of jobs.lu as processor

3.1 jobs.lu informs the customer immediately if Jobs.lu believes that an instruction violates applicable laws. jobs.lu may suspend the implementation of the instruction until it has been confirmed or modified by the customer.

3.2 jobs.lu complies with the terms of this agreement and relevant data protection laws, including the GDPR.

3.3 jobs.lu shall take appropriate organizational and technical measures in accordance with the relevant data protection laws, including the GDPR and in particular it’s Art. 32, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, nature, extent and purpose of the processing and the likelihood and severity of the risk. These measures are recorded in the overview of technical and organizational measures, which is included below as Appendix 2. The technical and organizational measures are subject to technical progress and further development. To that extent, jobs.lu is obliged to take account of developments in the latest technological standards when reviewing the effectiveness and making corresponding modifications. Alternative security measures are permitted if they at least comply with the security level of the specified measures. Any material modifications must be documented.
Substantial modifications after conclusion of the agreement shall be communicated to the customer without undue delay. If the measures are modified to such an extent that the customer does not consider that jobs.lu can guarantee equivalent or higher protection of the data, the customer has the right of termination without notice following the issue of instructions to no avail. The same applies in the event of a failure to give notice of such modifications.

3.4 jobs.lu shall provide the customer with the information required for the records of processing activities under Art. 30 para. 1 GDPR and, to the extent required by law in accordance with Art. 30 para. 2 to 5 GDPR, shall maintain its own record for all categories of processing performed on behalf of the customer.

3.5 All persons who are able to access personal data processed for the customer in accordance with the agreement must be subjected to a duty of confidentiality in accordance with Art. 28 para. 3 b) GDPR and notified of the particular data protection duties arising under this agreement as well as the existing obligation to adhere to instructions and the purpose limitation.

3.6 jobs.lu has appointed a data protection officer. Its current contact details are easily accessible on the homepage of Jobs.lu.

3.7 jobs.lu guarantees the protection of the rights of data subjects and shall support the customer in responding to applications for the safeguarding of the rights of data subjects in accordance with Art. 12-23 GDPR.

jobs.lu informs the customer immediately if data subject directly addresses jobs.lu for the purpose of accessing, rectification, erasure or to restriction of processing his personal data.

jobs.lu supports the customer in carrying out data protection impact assessments pursuant to Art. 35 GDPR and the resulting consultation of the supervisory authority in accordance with Art. 36 GDPR to the extent necessary. jobs.lu supports the customer with regard to ensuring the reporting and notification obligations in the event of data breaches as defined in Articles 33 and 34 GDPR.

3.8 jobs.lu shall notify the customer without undue delay in text form in the event of any disruptions to the operational processes, the suspicion of data protection breaches under Art. 4 no. 12 GDPR in connection with the data processing or any other irregularities in processing the customer’s data.

3.9 In the case of investigations by the data protection authority at jobs.lu, the customer is to be informed immediately as far as these investigations concern the subject matter of the contract.

3.10 In the event that jobs.lu intends to process data from the customer, including transmission to a third country or to an international organization, without having been instructed by the customer, i.e. because jobs.lu is obliged to do so in accordance with Article 28 (3) sentence 1 a GDPR, jobs.lu will inform the customer without delay about the purpose, legal grounds and data concerned, unless prohibited by law.

3.11 As far as a transfer of controller’s personal data outside of the European Union is planned or is already being carried out by StepStone and no adequacy decision of the European Union according to Art. 45 GDPR is available, StepStone has or will conclude the EU Model Clauses. It is hereby agreed that the data controller as an independent holder of rights and obligations will enter these EU Model Clauses. The data controller is still free to conclude the EU Model Clauses directly with the data importer.

4. Audits including inspections

4.1 jobs.lu shall provide the customer with all information required to evidence the obligations set down in this agreement and , subject to adequate prior notice and during standard business hours (9:00 a.m. – 6.00 p.m.), shall enable the customer prior to and during the term of this agreement to perform checks, including inspections, in accordance with Art. 28 para. 3 h) GDPR. Before and during the data processing, the customer is entitled to satisfy itself that the technical and organisational measures are being complied with, or it may retain suitable third parties with an obligation of professional confidentiality to do so, at jobs.lu’s business premises during regular business hours subject to timely notification without disrupting business operations. The outcome of these checks will be documented and signed by both parties.

4.2 The technical and organisational measures may also be evidenced by presenting current certificates, reports or extracts of reports by independent bodies (e.g. external auditors internal auditors, Data Protection Officer, IT security team, data protection auditors, quality auditors) or a suitable certification by IT security or data protection audit (e.g. based on BSI principles) for this purpose.

5. other processors

5.1 With conclusion of the contract, the subcontractors listed in Appendix 1 below are approved. jobs.lu may assign agreements to sub-processors if it notifies the customer in writing in advance of the involvement or replacement of new sub-processors and the customer raises no objection within 4 (four) weeks. If customer objects, then jobs.lu may cease to provide the comment functionality according to para. 1.8 of the Additional terms Advertisements or in the context of the Video Interview Service.

5.2 jobs.lu shall impose the same data protection obligations as set out in this agreement on the sub-processors so that the processing will meet the requirements of the GDPR. If the subcontractor fails to comply with its data protection obligations, jobs.lu shall be liable to the customer under Art. 28 para. 4 sent. 2 GDPR for that subcontractor’s compliance with its obligations.

5.3 Further outsourcing by the subcontractor requires the express consent of the main processor (at the minimum in text form. All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

5.4 Services that are procured from third parties as an ancillary service to support the performance of the agreement shall not be deemed subcontracted. These include e. g. telecommunication services, maintenance and user service, cleaners, auditors or the disposal of data media. However, in agreement to guarantee the protection and the security of the customer’s data, jobs.lu is also obliged to enter into adequate and legally compliant agreement and to perform checking measures for ancillary services that are procured from third parties

6. Erasure and return

Upon request from the customer, jobs.lu will delete data processed on behalf of the customer. jobs.lu will delete all data processed on behalf of the customer when the contract for the use of the customer’s account terminates. In the application management functionality, jobs.lu will delete the data at the latest 18 months after expiration of the job ad.

Appendix 1 – List of sub-processors to the Terms and Conditions jobs.lu Data Processor Agreement

The customer consents to the use of the following sub-processors:.

Company	Address	Services
Jobs.ie Ltd	Waterways House, Grand Canal Quay, Dublin 2, D02 NF40, Ireland	– hosting and associated security services – back up services – Customer service support for trouble-shooting
StepStone GmbH	Axel-Springer-Str. 65, 10969 Berlin Germany	– hosting and associated security services – back up services – Customer service support for trouble-shooting
StepStone Continental Europe GmbH	Völklinger Straße 1, 40219 Düsseldorf Germany	– hosting and associated security services – back up services – Customer service support for trouble-shooting
StepStone N.V.	Koningsstraat 47 Rue Royale, 1000 Brussel Belgium	– hosting and associated security services – back up services – Customer service support for trouble-shooting
StepStone Services sp. z o.o.	ul. Domaniewska 50, 02-672 Warschau, Poland	Customer service support for trouble-shooting
Akamai Technologies GmbH	Parkring 20-22 85748 Garching Germany	jobs.lu uses Akamai as part of the technical and organizational measures as Web Application Firewall and therefore delivers its webcontent to website users through Akamai to protect its systems.
Akamai Technologies, Inc.	150 Broadway, Cambridge, 02142 MA, USA	Akamai Technologies GmbH schaltet als Subunternehmer Akamai Technologies, Inc ein.
Amazon Webservices, Inc.	410 Terry Drive Ave North WA 98109-5210 Seattle USA	Hosting and associated security services (within the EU)
Cammio GmbH	Alexanderstraße 1-5, 10178 Berlin, Germany	StepStone uses Cammio to conduct Video Job Interviews

Appendix 2 – Overview of technical and organizational measures to Terms and Conditions jobs.lu Data Processor Agreement

1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)
· Physical Access Control: No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems	The data centers have a multi-layered security structure. The perimeter of data centers is protected by high security fencing and walls. The entrances are staffed with security guards, 24×7 hours. Surveillance cameras are used to monitor the locations. Access to the computer room is protected by a magnetic card system. The equipment is stored in locked cabinets. The outer boundary of the data centers is secured by high-security fences and walls. The entrances are guarded around the clock, video camera systems are used for full surveillance. Access to the computer rooms is protected by a card-based access control system. Extensive safety precautions also exist at the relevant locations jobs.lu. Card-based access control systems are used and visitors will have to be granted access.
· Electronic Access Control: No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media	The Customer can only access the data processed on its behalf after logging in to the customer space with the password that was defined by the user. jobs.lu stores the user authentication details in encrypted form, only. By default, the user-system data flow is end-to-end encrypted using the Transport Layer Security (TLS) protocol. jobs.lu uses Akamai’s services as a web application firewall to its systems. jobs.lu has an internal password policy for it’s employees which requires i.a. passwords to be at least 8 characters long, not to be the same or similar to the user name, to contain at least 3 of the following 4: i) Upper case letters e.g. A,B,C, ii) Lower case letters e.g. a,b,c , iii) Numbers e.g. 1,2,3 iv) Symbols e.g. @,#,+, to be regularly changed.
· Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events	The Customer’s access rights are strictly limited to access only such personal data that is actually processed on its behalf. Only selected jobs.lu personnel can access the personal data processed on behalf of the Customer on a need to know basis within pre-defined rights and only for the purposes of system administration and customer service purposes on request of the customer. The system logs all events about the data processed on behalf of the customer.
· Isolation Control: The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing;	The jobs.lu system is multi-client capable so that each individual logged in customer can only see data associated with the customer’s account
· Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.	Does not apply, because the customer needs to see the full details of an applicant.

2. Integrity (Article 32 Paragraph 1 Point b GDPR)
· Data Transfer Control: No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;	All data sent over public networks is end-to-end encrypted using the Transport Layer Security (TLS) protocol.
· Data Entry Control: Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management	The jobs.lu systems log the activities of any login and logout as well as the editing, adding, altering, and deleting by recording user, actions and time (through a timestamp).
3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
· Availability Control: Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning	Antivirus as well as Firewall and other security solutions in place to guarantee safety. jobs.lu uses Akamai’s services as a web application firewall to its systems. The hosting environment is equipped with fire detection system, water leak detection system in rooms below the raised floor. Temperature and humidity are constantly monitored to ensure that the pre-defined specifications are continuously met. Hosting infrastructure is equipped with continuous supply with life span from at least 72 hours.
· Rapid Recovery (Article 32 Paragraph 1 Point c GDPR) (Article 32 Paragraph 1 Point c GDPR);	Rapid recovery is ensured by · Back-up procedure; · Encryption; · Uninterrupted power supply (USV); · Separate storage; · Virus protection, Firewall; · Emergency plan, disaster recovery; · Organisational / Employee Training;
4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)	We have regular audits of our Information Security standards and processes with external providers. Network penetration scans are performed regularly. We track and review logs at two levels before any requests reach our application servers. These are at a firewall level and at a WAF (Web Application Firewall) level. This allows us to track all unordinary presentation layer requests to database being analysed and actively blocked, preventing SQL injection attempts. The application itself tracks any failed login attempts if the request has gone through the Firewall and WAF. Data protection measures are continuously reviewed in a PDCA cycle.

Luxembourg, 31.12.2020