Data Processing Addendum (DPA)

Last updated: January 29, 2026

This DPA is incorporated into the Agreement between Graduate Pathfinder (“the Provider”) and the Employer/Recruiter (“the Receiver”). This document governs the technical and legal standards for processing Member Personal Data.

1. Relationship of the Parties

1.1. Independent Controllers: Both parties acknowledge that they act as Independent Controllers of Member data. The Receiver assumes full controller responsibility and liability the moment they access, view, or download a Member's profile or documents.

1.2. Compliance: Both parties shall comply with the UK GDPR and the Data Protection Act 2018.


2. Strict Purpose Limitation (Anti-Hoarding)

2.1. Per-Candidate, Per-Role Access:
The Receiver shall process data only for the specific, legitimate recruitment purpose for which it was accessed.

2.2. Tertiary Database Prohibition:
The Receiver is strictly prohibited from using data sourced from the Provider to populate any internal, general, or tertiary candidate database. Any such processing is deemed a violation of Article 5(1)(a) (Lawfulness, Fairness, and Transparency) of the GDPR.

2.3. Mandatory Audit & Disclosure:
If the Provider has reasonable grounds to suspect a violation of Section 2.2, the Receiver shall, upon request, provide a certified inventory of all data held. If a tertiary database is discovered, the Receiver must disclose all affected data subjects to the Provider immediately to facilitate mandatory transparency notifications.


3. Data Stewardship & Standards

The Receiver agrees to:

3.1. Security: Implement technical measures (encryption, restricted access) equal to or greater than ISO/IEC 27001 standards.

3.2. Retention: Delete candidate data immediately once a hiring decision is made, unless the candidate provides explicit, separate consent for the Receiver to retain their CV for future roles.


4. Breach Notification

The Receiver must notify Graduate Pathfinder within 24 hours of becoming aware of any unauthorized access, loss, or disclosure of Member data. The Receiver acknowledges that they may be held liable for damages to the Data Subject and Graduate Pathfinder resulting from such a breach.


The Receiver acknowledges that a breach of this DPA, particularly regarding unauthorized database population, constitutes a material breach of contract. The Receiver accepts full liability for legal claims brought by the Data Subject and/or Graduate Pathfinder, including full indemnity for any regulatory fines (e.g., from the ICO) imposed on the Provider due to the Receiver's non-compliance or the failure of their chosen third-party tools.


6. International Transfers

Data must remain within the UK/EEA. Any transfer outside these zones requires the prior written consent of Graduate Pathfinder and the implementation of Standard Contractual Clauses (SCCs).


7. Sub-processing & External Tools (ATS)

If the Receiver utilizes a third-party tool (such as an Applicant Tracking System ("ATS") or a CRM) to store or process Member data, the Receiver remains fully liable for the actions of that third party. The Receiver warrants that:

7.1. Flow-Down Protections: They have a written contract with the tool provider that is at least as protective as this DPA.

7.2. Security Parity: The tool provider maintains security measures that meet or exceed the standards outlined in Section 3.

7.3. Veto Right: Graduate Pathfinder reserves the right to prohibit the use of specific third-party tools if we believe they do not meet our privacy-centric security standards.


8. Termination and Deletion

Upon the request of Graduate Pathfinder or the Candidate, or once the recruitment process is finished and there is no further legal basis to retain the data, the Receiver shall delete or return the Personal Data.