UpMee — Data Processing Agreement (Article 28 GDPR)

GDPR · Article 28

Data Processing Agreement

Article 28 GDPR Compliance Agreement

Effective Date: July 2026

This Data Processing Agreement (“Agreement”) forms part of the contractual relationship between:

(1)
UpMee Group OÜ, registry code 16707575, registered at Suur tn 12-14, 20307 Narva, Estonia, website https://upmee.net (“Data Processor” or “Processor”)
and
(2)
The Client / Employer / Recruitment Partner (“Data Controller”)

together referred to as the “Parties”.

Definitions

For the purposes of this Agreement:

  • “GDPR” means Regulation (EU) 2016/679.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” has the meaning set out in Article 4(2) GDPR.
  • “Subprocessor” means any third party engaged by the Processor to process Personal Data.
  • “Data Subject” means candidates, applicants, or other individuals whose data is processed.

Subject Matter and Duration of Processing

2.1. The subject matter of this Agreement is the processing of Personal Data in connection with IT recruitment services, including:

  • candidate sourcing and screening;
  • CV and profile evaluation;
  • matching candidates with job vacancies;
  • communication between candidates and employers;
  • interview coordination;
  • talent acquisition analytics (non-sensitive).

2.2. Processing shall continue for the duration of the service agreement between the Parties and thereafter only as required for legal compliance or legitimate retention obligations.

Nature and Purpose of Processing

The Processor shall process Personal Data solely for the purpose of:

  • providing recruitment and staffing services;
  • facilitating employment matching between candidates and employers;
  • maintaining recruitment databases;
  • performing candidate pre-screening and evaluation.

The Processor shall not process Personal Data for any purpose other than instructed by the Controller.

Categories of Data Subjects

Processing may concern:

  • job applicants and candidates;
  • contractors and freelancers;
  • employees or prospective employees of the Controller;
  • referees and professional contacts provided by candidates.

Types of Personal Data Processed

Depending on the recruitment context, the following categories may be processed:

  • identification data (name, nationality, work authorization);
  • contact data (email, phone, address);
  • professional data (CV, employment history, skills);
  • education and certification data;
  • technical profiles (GitHub, LinkedIn, portfolios);
  • salary expectations and job preferences;
  • communication records.

No special categories of data under Article 9 GDPR shall be intentionally processed unless explicitly instructed in writing by the Controller and supported by lawful basis.

Processing Instructions

6.1. The Processor shall process Personal Data only on documented instructions from the Controller.

6.2. Instructions may be provided via:

  • written agreements;
  • email communication;
  • recruitment platform workflows.

6.3. If the Processor believes an instruction violates GDPR or other EU/Estonian laws, it shall immediately inform the Controller.

Confidentiality

7.1. The Processor shall ensure that all personnel authorized to process Personal Data:

  • are bound by confidentiality obligations;
  • receive appropriate data protection training;
  • access data strictly on a need-to-know basis.

Security of Processing (Article 32 GDPR)

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • encryption of personal data in transit and at rest;
  • access control and role-based permissions;
  • secure authentication mechanisms;
  • regular security testing and vulnerability assessments;
  • backup and disaster recovery procedures;
  • logging and monitoring of system access.

Detailed measures are set out in Annex II.

Subprocessors

9.1. The Controller provides general authorization for the use of Subprocessors.

9.2. The Processor shall:

  • maintain an updated list of Subprocessors;
  • ensure Subprocessors are bound by equivalent data protection obligations;
  • remain fully liable for Subprocessor compliance.

9.3. The Processor shall notify the Controller of any intended changes concerning Subprocessors, allowing the Controller to object within a reasonable timeframe.

International Data Transfers

10.1. Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure compliance with Chapter V GDPR.

10.2. Safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • adequacy decisions;
  • supplementary technical and organizational measures.

10.3. The Processor shall provide documentation of transfer mechanisms upon reasonable request.

Personal Data Breach

11.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach.

11.2. The notification shall include:

  • nature of the breach;
  • categories and approximate number of Data Subjects affected;
  • likely consequences;
  • measures taken or proposed to mitigate the breach.

11.3. The Processor shall cooperate fully in breach investigation, mitigation, and regulatory notifications.

Audit Rights

12.1. The Controller has the right to verify Processor compliance with this Agreement.

12.2. Audits may include:

  • review of security documentation;
  • assessment of technical safeguards;
  • remote or on-site inspections (with reasonable notice).

12.3. The Processor shall cooperate and provide necessary information, subject to confidentiality obligations.

Return and Deletion of Data

Upon termination of services, the Processor shall, at the choice of the Controller:

  • delete all Personal Data; or
  • return all Personal Data in a structured, commonly used format.

Deletion shall be carried out securely and confirmed in writing, unless retention is required by law.

Liability

Each Party shall be liable for damages caused by breaches of GDPR in accordance with Article 82 GDPR.

The Processor shall be liable only for processing outside or contrary to documented instructions or where it has failed to comply with GDPR obligations specifically addressed to processors.

Governing Law and Jurisdiction

This Agreement shall be governed by the laws of the Republic of Estonia.

Any disputes shall be subject to the jurisdiction of Estonian courts, unless mandatory EU law provides otherwise.

Annexes

Supporting documentation

Annex I

Description of Processing

Categories of Data Subjects

  • IT job candidates
  • software engineers, designers, managers
  • freelancers and contractors
  • HR representatives of clients

Categories of Personal Data

  • identification data
  • contact details
  • CV and professional history
  • technical skills and assessments
  • salary expectations
  • communication logs

Processing Activities

  • collection
  • storage
  • structuring and analysis
  • transmission to employers
  • deletion or anonymization

Purpose of Processing

  • recruitment services
  • candidate-employer matching
  • talent acquisition support

Duration

  • duration of service agreement + retention periods under GDPR and consent terms
Annex II

Technical and Organisational Measures (TOMs)

The Processor implements the following measures:

Access Control

  • role-based access control (RBAC)
  • unique user IDs
  • strong password policies
  • multi-factor authentication (MFA)

Data Encryption

  • TLS 1.2+ for data in transit
  • AES-256 encryption for stored data

Integrity & Confidentiality

  • restricted database access
  • logging of all administrative actions
  • anonymization where applicable

Availability

  • daily backups
  • disaster recovery plan
  • redundancy of critical systems

Monitoring & Incident Response

  • intrusion detection systems
  • security event logging
  • incident response procedures aligned with GDPR 72-hour rule

Data Minimisation

  • collection limited to recruitment necessity
  • periodic review of stored candidate data

Organisational Measures

  • staff confidentiality agreements
  • mandatory GDPR training
  • internal privacy policies
  • subprocessors due diligence process