Joint Controllership Agreement

This document outlines an agreement between Pickideally LLC and a customer to collaborate on a project and jointly process personal data as joint controllers. It specifies that the parties wish to ensure personal data is processed carefully and in accordance with applicable laws like GDPR. Schedules to the agreement will provide details on the collaboration, responsibilities of each party, nature of data processing operations, and technical and organizational security measures implemented. The parties commit to only processing personal data for the agreed purposes and protecting the data through access restrictions and other security measures.

Uploaded by

Varvara Golubeva

JOINT CONTROLLERSHIP AGREEMENT

Service Start Date as specified in Terms of Use

The Parties:
Podbor Kandidatov LLC, having its registered seat at 127018, Moscow, Suschevsky Val St., 18, floor 15,
office 28, Russian Federation, and registered with the Uniform State Register of Legal Entities under
company number 1197746447205, here duly represented by Golubeva Varvara Igorevna, hereinafter
referred to as “Pickideally”,

and
the Customer,

hereinafter collectively referred to as the “Parties” and individually referred to as a “Party”,

Whereas:
- The Parties wish to collaborate on the project outlined in greater detail in Schedule 1;
- The Parties concluded a Main Agreement on the Service Start Date stipulated in the Main Agreement;
- This collaborative partnership shall involve the processing and exchange of Personal Data;
- The Parties shall jointly determine the purpose of the Data Processing Operations and the resources
used therein, and shall therefore be Joint Controllers within the meaning of Article 26 of the GDPR,
rather than serving as the Data Processors of each other’s data;
- To ensure that the Personal Data are processed in a careful manner, the Parties wish to enter into
commitments on the Processing of Personal Data and the Parties’ respective responsibilities vis-à-vis
each other.

Now, therefore, the Parties have agreed as follows:

Clause 1. Definitions

In this Agreement, the capitalised words shall have the meanings ascribed to them in the General
Data Protection Regulation. All other capitalised words shall have the meanings ascribed to them in
this clause. All references in this Agreement to the singular shall include the plural where applicable,
and vice versa, unless explicitly stated otherwise, or unless it is obvious from the context that this
rule does not apply.

1.1 Agreement: the present Agreement, including the Schedules, within the meaning of
Article 26 of the GDPR.
1.2 Collaborative Partnership: the collaborative partnership between the Parties based on the
Main Agreement, as outlined in Schedule 1, involving the exchange of Personal Data.
1.3 Employee: the employees and other persons contracted by the Parties whose work duties
come under the relevant Party’s responsibility and who are contracted by said Party for the
performance of the Agreement.
1.4 GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation).
1.5 In writing: on paper or electronically.
1.6 Main Agreement: Terms of Use concluded by the Parties in relation to their
Collaborative Partnership, on the basis of which the Parties are Joint Controllers.
1.7 Service Start Date: the date when the Customer subscribes to the Pickideally
service on its website according to the Main Agreement.
1.8 Schedule: an appendix to this Agreement, which constitutes an integral part of the
Agreement.
1.9 Special categories of Personal Data: Personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and genetic data,
biometric data for the purpose of uniquely identifying a natural person, data concerning
health or data concerning a natural person's sex life or sexual orientation within the meaning
of Article 9 of the GDPR. This also includes personal data relating to criminal convictions and
offences within the meaning of Article 10 of the GDPR and national identification numbers.

Clause 2. Subject of the Agreement


2.1 The Agreement constitutes an addition to the Main Agreement and replaces any agreements
previously concluded by the Parties relating to the Processing of Personal Data. In the event
of inconsistency or conflict, the provisions of the Agreement shall prevail.
2.2 The Agreement is a Joint Controllership Agreement in which the Parties shall set out their
respective responsibilities in relation to the Processing of Personal Data as outlined in
Schedule 3. The Parties shall serve as the Joint Controllers of the Data Processing Operations
outlined in Schedule 3.
2.3 The provisions of the Agreement shall apply to all Data Processing Operations performed to
give effect to the Collaborative Partnership as outlined in greater detail in the Main
Agreement. The Parties shall notify each other at once in the event that one of the Parties
has grounds to assume that it will no longer be able to meet its obligations under the
Agreement.

Clause 3. The Parties’ obligations


3.1. The Parties declare to each other that they shall process the Personal Data in a proper,
careful, and transparent manner, in accordance with Schedule 3 of this Agreement and
applicable laws and regulations on the Processing of Personal Data, particularly (but not
exclusively) with regard to the GDPR and the UK Data Protection Act 2018.
3.2. The Parties commit to processing the Personal Data exclusively for the purpose for which the
Personal Data were collected, unless the Parties, following a prior mutual consultation on the
subject, have agreed in writing that the Personal Data can also be used for purposes closely
related to the original purpose.
3.3. The Parties shall not collect more Personal Data than strictly necessary for the relevant
purpose.
3.4. If, due to its nature, scope, context and purposes, a Data Processing Operation is likely to pose a
high risk to the rights and freedoms of natural persons, the Parties shall perform a Data
Protection Impact Assessment for the Data Processing Operation concerned, in which case
such Data Protection Impact Assessment will be incorporated into a Schedule to this
Agreement.
3.5. Each Party shall be separately responsible for recording the Data Processing Operations in a
suitable register of data processing activities.
3.6. The obligations arising from this Agreement shall also apply to those who process Personal
Data under the Parties’ authority, such as the Parties’ Employees and the Data Processors
they have contracted.
3.7. The Parties shall communicate in a clear and readily understood manner to whom Data
Subjects can turn to exercise their rights, in accordance with the division of tasks included in
Schedule 2.
3.8. Schedule 1 shall include a specification of the Collaborative Partnership between the Parties
as agreed between the Parties in the Main Agreement, as well as a general description of the
Collaborative Partnership. Among other things, the schedule shall include information on the
purpose and nature of the Collaborative Partnership.
3.9. Schedule 2 shall include a specification of the responsibilities the Parties shall have vis-à-vis
each other, as well as an explanation of how the tasks related to the careful Processing of
Personal Data that will be performed as part of the Collaborative Partnership will be
distributed among the Parties. Among other things, Schedule 2 must contain information on
the following aspects:

- Which Party/Parties shall be responsible for concluding Data Processing Agreements with Data
Processors, and when said agreements must be concluded;
- Which Party/Parties shall be responsible for the technical and organisational measures to be
implemented in order to protect the Personal Data processed as part of the Collaborative
Partnership;
- Which Party/Parties shall be responsible for enabling the Data Subjects to exercise their rights,
including the duty to provide the Data Subjects with information on how their Data will be used.

3.10. Schedule 3 shall include a specification of the nature of the Data Processing Operation(s).
Among other things, Schedule 3 must contain information on the following aspects:
- A description of the Data Processing Operation(s) to be performed;
- The purposes of the Data Processing Operation(s);
- The various types of Data Subjects;
- The various types of Personal Data;
- The retention periods;
- The types of Employees who will have access to the Personal Data;
- The names of the Data Processors that have been contracted by the Parties to perform the Data
Processing Operation(s);
- Where relevant, whether Data will be transmitted to countries outside the EEA;
- The contact details of the Parties in the event of a Data Breach in connection with Personal Data.

3.11. Schedule 4 shall include a specification of the technical and organisational security measures
implemented by the Parties.

Clause 4. Access to Personal Data


4.1 The Parties shall reduce Employees’, Data Processors’, Third Parties’ and other Recipients’
access to Personal Data to an absolute minimum, on the basis of necessity.
4.2 The Parties have identified the categories of Employees who will need access to the Personal
Data to perform their duties under the Collaborative Partnership in Schedule 3.
4.3 The Parties must not engage other persons or organisations to help them process the
Personal Data without prior Written permission from the other Parties.
4.4 If a Party chooses to outsource the (further) Processing of the Personal Data (or certain
sections thereof) to a Data Processor in accordance with Clause 4.3, it shall ensure that the
Data Processor processes the Personal Data in a proper and careful manner that complies
with applicable laws and regulations regarding the Processing of Personal Data. Agreements
regarding the processing of Personal Data by a Data Processor shall be laid down in an
appropriate Data Processing Agreement within the meaning of Article 28 of the GDPR.
Where possible, the Parties shall use the latest version of EU Standard Contractual Clauses
(Controller to Processor) for this. The Data Processors engaged by the Parties shall be
named in Schedule 3.
4.5 All Parties have the right to inspect the Data Processing Agreement(s) referred to in Clause
4.4 at all times.
4.6 The Parties are allowed to have Personal Data processed by other persons or organisations
located outside the European Economic Area in accordance with Clauses 4.3 to 4.5
(inclusive), on the condition that said persons or organisations comply with applicable laws
and regulations regarding the Processing of Personal Data. The manner in which the Parties
will outsource the processing activities shall be included in Schedule 3.

Clause 5. Non-disclosure and confidentiality


5.1. All Personal Data are considered confidential information and must therefore be treated as
confidential information. The Parties shall impose this duty of confidentiality on all the
natural persons and legal entities they engage to process Personal Data, including but not
limited to Employees, Data Processors, Third Parties and other Recipients of Personal Data.
5.2. The Parties shall keep all Personal Data secret and shall not disclose them to internal or
external parties in any way whatsoever, except in cases where:
(i) Disclosure and/or transmission of the Personal Data is necessary for the performance of the
Main Agreement or Agreement;

(ii) The Parties are required to disclose, transmit and/or transfer the Personal Data due to
mandatory legal provisions or a court order issued by a competent court or on the orders of
some other government agency having authority over the Parties, although the Parties shall
first notify the other Parties of this requirement; or

(iii) The Personal Data are disclosed and/or transmitted with the other Parties’ prior Written
consent.

Clause 6. Liability
6.1 The Parties shall only be liable vis-à-vis each other in the event that a Party is demonstrably
in breach of one or more of its obligations under this Agreement, and shall only be liable for
direct damage that will be reimbursed and paid out by the insurance company, subject to a
maximum insurance coverage amount of GBP 5000 per annum. The maximum amount for
which the Party shall be liable as referred to in the previous sentence shall apply to individual
events, with a series of interrelated events being regarded as one single event. If, for
whatever reason, the insurance company chooses not to pay out on a claim, the Party’s
liability shall be limited to GBP 5000 per event or series of interrelated events.
6.2 The exclusions and restrictions set out in this article shall lapse if and insofar as the damage
was caused by an intentional act or willful misconduct on the part of the Party/Parties
causing the damage and/or its/their managers.
6.3 A Party that is demonstrably in breach of one of its obligations under the Agreement, thus
causing the other Parties to be held liable by a third party for any damage, costs or interest
payments it has incurred, shall indemnify the other Parties against the claims brought by the
third party and reimburse any expenses the other Parties may incur, unless said Party is able
to prove that the damage was caused by an intentional act or gross negligence on the part of
the other Parties.

Clause 7. Data Breach


7.1 In the event of a Data Breach, the Party on whose premises the Data Breach occurred shall be
responsible for notifying the other Parties of the Breach. The Parties shall provide each other
without delay with the information requested in the latest data breach form issued by the UK
Data Protection Authority, which can be found on the UK Data Protection Authority’s Data
Breach Reporting Webpage.
7.2 If the Parties are notified of a Data Breach as referred to in Clause 7.1, they shall consult each
other on the consequences and potential consequences for all Parties.
7.3 The Parties shall notify each other of the latest developments regarding the Data Breach.
7.4 Each Party shall be separately responsible for reporting a Data Breach to the Supervisory
Authority and/or affected Data Subjects if a Data Breach occurred under its responsibility. If
any costs are incurred in the attempt to resolve the breach situation and ensure that it will
not occur again in the future, said costs shall be borne by the Party on whose premises the
Data Breach occurred, although the Parties may consider sharing the costs if the solution will
benefit all participating Parties.
7.5 Each Party is separately responsible for recording Data Breaches in a register.

Clause 8. Term and termination


8.1. This Agreement shall enter into force at the Service Start Date. The term of the Agreement
shall be the same as the term of the Main Agreement. This Agreement cannot be
terminated independently from the Main Agreement. If the Main Agreement is terminated,
the Agreement shall also become void by operation of law, and vice versa.
8.2. This Agreement can only be amended by the Parties following a consultation of all
participating Parties, and provided that all participating Parties have agreed to the proposed
amendment. If applicable law and regulations are amended, the Parties shall seek to amend
this Agreement accordingly.
8.3. Once the term of the Agreement and/or the statutory retention periods has/have expired,
the Parties shall ensure jointly that the Personal Data are destroyed.
8.4. Those obligations under the Agreement that, by their nature, must continue to be fulfilled
after the termination of the Agreement, must continue to be fulfilled after the termination of
the Agreement.

Clause 9. Other provisions


9.1. This Agreement and its performance are governed by the law of the Russian Federation.
9.2. If any disputes relating to the Agreement should arise between the Parties, they must be
brought before the court that is competent to rule on them pursuant to the Main
Agreement.
9.3. In the event that one or more provisions of the Agreement should prove to be legally invalid,
the validity of the remaining provisions of the Agreement shall be unaffected. In such cases,
the Parties shall consult each other on the provisions that are not legally valid so as to be
able to come to an Agreement that is legally valid and obeys the letter and spirit of the
provision that requires amendment.

LIST OF SCHEDULES

Schedule 1: Specification of the Collaborative Partnership between the Parties
Schedule 2: Specification of the Parties’ responsibilities vis-à-vis each other and the division of tasks
Schedule 3: Specification of the Data Processing Operation(s) to be performed
Schedule 4: Specification of the technical and organisational security measures implemented by the Parties

SCHEDULE 1: THE COLLABORATIVE PARTNERSHIP BETWEEN THE PARTIES

Description of the nature of the collaborative partnership

Pickideally is the developer and operator of the Pickideally platform. The platform is a database of
IT-specialists compiled by Pickideally from publicly available sources. The database is built by
Pickideally specifically so that access to it can be shared with the Customer, allowing the Customer to
find IT-specialists who fit the Customer’s vacancies. This service is fully covered in the Main
Agreement.

SCHEDULE 2: THE PARTIES’ RESPONSIBILITIES VIS-À-VIS EACH OTHER AND THE DIVISION OF TASKS

A) Pickideally will solely ensure that Data Subjects are guaranteed the opportunity to exercise their
rights (Articles 12-23 of the GDPR). If the Customer receives a Data Subject Request concerning
the Data specified in Schedule 3 to this Agreement, it shall immediately forward such Data Subject
Request to Pickideally.

B) Pickideally is solely responsible for concluding Data Processing Agreements with Data Processors
(service providers).

C) Pickideally is responsible for implementing appropriate technical and organisational security
measures (Article 32 of the GDPR). To this end Pickideally applies: a firewall (iptables 1.6.0);
key-based authentication (OpenSSH server 7.2p2 with ssh-rsa keys); access to the DigitalOcean and
AWS consoles through multi-factor authentication (MFA); and SSL/TLS certificates with 2048-bit keys.
Moreover, Pickideally applies the following organisational measures:
- Access privileges for all IT Systems are determined on the basis of employees’ levels of
authority and the requirements of their job roles.
- All IT Systems (in particular mobile devices, including but not limited to laptops, tablets and
smartphones) are protected with a secure password or passcode or another form of secure
log-in.
- All employees participating in data processing are instructed by their direct supervisors.
- All employees sign a Non-Disclosure Agreement when hired.
- It is ensured that no copies of any personal data remain in the possession of a departing staff
member.

SCHEDULE 3: SPECIFICATION OF THE DATA PROCESSING OPERATION(S)

Description of the nature of the Data Processing Operation

Collection, subsequent organisation and structuring and further disclosure by transmission

Purposes of the Data Processing Operation

Collection of Data from publicly available sources to form a database of IT-specialists by Pickideally,
which is then provided to the Customer. The Customer uses the Data as a potential employer of
IT-specialists (data subjects) seeking a job in IT.

Categories of Data Subjects

IT-specialists

(Categories of) Personal Data

Contact details (phone number, email address, social media accounts)

Photo (avatar)

The city where an individual is willing to work

Age or approximate age

IT-skills

Work experience information (duration, current employer and position, period of previous employment,
positions, detailed description of work)

Education information (university's name and period of studying)

Retention period for the Personal Data, or the criteria used to establish the retention period

The Data is updated at regular intervals (every 90 days), starting from February 2020.

Categories of Employees

Party: Pickideally
Categories of the Party’s Employees (function roles/function groups) who perform Data Processing
Operations: all employees
(Category of) Personal Data processed by Employees: contact details (phone number, email address,
social media accounts); photo (avatar); the city where an individual is willing to work; age or
approximate age; IT-skills; work experience information (duration, current employer and position,
period of previous employment, positions, detailed description of work); education information
(university's name and period of studying)
Type of Data Processing Operation: collection, organisation, structuring, storage, adaptation or
alteration, retrieval, use, disclosure by transmission, restriction, erasure, destruction

Party: Customer
Categories of the Party’s Employees (function roles/function groups) who perform Data Processing
Operations: all employees of the Customer
(Category of) Personal Data processed by Employees: the same categories of Personal Data as listed
for Pickideally above
Type of Data Processing Operation: collection, recording, organisation, structuring, storage,
retrieval, consultation, use, disclosure by transmission, alignment, combination

Data Processors

The Parties have authorised the engagement of the following Data Processors for the Data
Processing Operations to be performed.

Party: Pickideally
Data Processors engaged by this Party: Individual Entrepreneur Karmo A.Y. (Russia); external
developers (Russia)
Country where Data will be processed: Russia
Location of Data Processor: Russia
Engaged by Data Processing Agreement: Pickideally __
Authorised by another Party: Yes

Party: Customer
Data Processors engaged by this Party; Country where Data will be processed; Location of Data
Processor; Engaged by Data Processing Agreement; Authorised by another Party: the Customer is
required to provide this information to support@pickideal.ly

Transmission

The Parties have authorised the transmission of data to the third countries or international
organisations listed below.

Party: Pickideally
Description of the Data to be transmitted: contact details (phone number, email address, social media
accounts); photo (avatar); the city where an individual is willing to work; age or approximate age;
IT-skills; work experience information (duration, current employer and position, period of previous
employment, positions, detailed description of work); education information (university's name and
period of studying)
Entity transmitting the Personal Data + country: Podbor Kandidatov LLC (Russia)
Entity receiving the Personal Data + country: Individual Entrepreneur Karmo A.Y. (Russia); external
developers (Russia)
Mechanism of transmission: Standard Contractual Clauses for the transfer of personal data to
processors established in third countries under Directive 95/46/EC of the European Parliament and
of the Council

Party: Customer
Description of the Data to be transmitted; Entity transmitting the Personal Data + country; Entity
receiving the Personal Data + country; Mechanism of transmission: the Customer is required to
provide this information to support@pickideal.ly

Contact details

Contact details in the event of a Data Breach:

Party: Pickideally
E-mail address: support@pickideal.ly (name, job title and phone number are left blank)

Party: Customer
Name; Job title; E-mail address; Phone number: the Customer is required to provide this information
to support@pickideal.ly

SCHEDULE 4: SPECIFICATION OF TECHNICAL AND ORGANISATIONAL SECURITY MEASURES IMPLEMENTED

The Parties will implement the technical and organisational security measures listed in this schedule.

1. Technical security measures

Party: Pickideally
Technical security measures implemented: firewall (iptables 1.6.0); key-based authentication
(OpenSSH server 7.2p2 with ssh-rsa keys); access to the DigitalOcean and AWS consoles through
multi-factor authentication (MFA); SSL/TLS certificates with 2048-bit keys.

Party: Customer
Technical security measures implemented: the Customer is required to provide this information to
support@pickideal.ly
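
The key-based SSH authentication listed for Pickideally above only removes password logins if sshd is actually configured that way. The following shell script is an added example and is not part of the agreement or of Pickideally's own tooling: it audits an sshd_config for the settings that back that measure (public-key authentication on, password and keyboard-interactive authentication off, root password login refused) and flags algorithm lists that explicitly enable the SHA-1 "ssh-rsa" signature scheme, which OpenSSH has disabled by default since release 8.8. The two sample configurations embedded in the script are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the key-authentication measure
# from Schedule 4. Not part of the agreement or of Pickideally's tooling.

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence,
# and keywords inside a "Match" block only apply conditionally, so the scan
# stops at the first Match line. Keyword matching is case-insensitive, so
# the output of "sshd -T" (all lowercase) can be audited as well.
sshd_opt() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Name of the first algorithm-list keyword that explicitly enables "ssh-rsa"
# (RSA keys with SHA-1 signatures), including the "+ssh-rsa" append form.
# rsa-sha2-256/512 use the same keys with SHA-2 and are not flagged.
sshd_sha1_rsa() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) ~ /^(hostkeyalgorithms|pubkeyacceptedkeytypes|pubkeyacceptedalgorithms)$/ {
            n = split($2, algs, ",")
            sub(/^[+^-]/, "", algs[1])     # strip the +/-/^ list-modifier prefix
            for (i = 1; i <= n; i++)
                if (algs[i] == "ssh-rsa") { print $1; exit }
        }
    ' "$1"
}

# Run the checks; prints one line per check and returns the number of failures.
audit_sshd() {
    cfg="$1"; fails=0

    v=$(sshd_opt "$cfg" PubkeyAuthentication)
    if [ "${v:-yes}" = "yes" ]; then
        echo "ok   PubkeyAuthentication ${v:-(default yes)}"
    else
        echo "FAIL PubkeyAuthentication $v"; fails=$((fails + 1))
    fi

    v=$(sshd_opt "$cfg" PasswordAuthentication)
    if [ "$v" = "no" ]; then
        echo "ok   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication ${v:-(default yes)}: password logins still accepted"
        fails=$((fails + 1))
    fi

    # Keyboard-interactive (PAM) authentication can still accept passwords when
    # PasswordAuthentication is off. OpenSSH 8.7 renamed the keyword.
    v=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    if [ "$v" = "no" ]; then
        echo "ok   KbdInteractive/ChallengeResponseAuthentication no"
    else
        echo "FAIL KbdInteractive/ChallengeResponseAuthentication ${v:-(default yes)}"
        fails=$((fails + 1))
    fi

    # The default has been prohibit-password since OpenSSH 7.0, so absence is fine.
    v=$(sshd_opt "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in
        no|prohibit-password|without-password)
            echo "ok   PermitRootLogin ${v:-(default prohibit-password)}" ;;
        *)  echo "FAIL PermitRootLogin $v"; fails=$((fails + 1)) ;;
    esac

    k=$(sshd_sha1_rsa "$cfg")
    if [ -n "$k" ]; then
        echo "FAIL $k enables ssh-rsa (SHA-1 signatures, off by default since OpenSSH 8.8)"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Constructed sample configurations for the demonstration (not from the agreement).
sample_sshd_config() {
    case "$1" in
        weak) cat <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
HostKeyAlgorithms +ssh-rsa
Match User deploy
    PasswordAuthentication no
EOF
        ;;
        hardened) cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
EOF
        ;;
    esac
}

tmp=$(mktemp)
sample_sshd_config weak > "$tmp"
if audit_sshd "$tmp"; then echo "all checks passed"; else echo "$? check(s) failed"; fi
rm -f "$tmp"
```

On the weak sample the commented-out PasswordAuthentication line and the copy inside the Match block are both ignored, so three checks fail; the hardened sample passes. On a live host, `sshd -T > effective.conf` followed by `audit_sshd effective.conf` audits the effective configuration including compiled-in defaults, and the return code (number of failed checks) can gate a deployment.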

2. Organisational security measures: roles and rights model

Party: Pickideally
Organisational security measures implemented:
- Access privileges for all IT Systems are determined on the basis of employees’ levels of authority
and the requirements of their job roles.
- All IT Systems (in particular mobile devices, including but not limited to laptops, tablets and
smartphones) are protected with a secure password or passcode or another form of secure log-in.
- All employees participating in data processing are instructed by their direct supervisors.
- All employees sign a Non-Disclosure Agreement when hired.
- It is ensured that no copies of any personal data remain in the possession of a departing staff
member.

Party: Customer
Organisational security measures implemented: the Customer is required to provide this information
to support@pickideal.ly
