Joint controller arrangement
Version 1.0 - May 2026
This Annex ("Annex") forms part of the TestGorilla Customer Terms of Service ("Terms") between TestGorilla B.V. ("TestGorilla") and the Customer and supplements the Customer Data Processing Agreement ("DPA") attached to the Terms.
The Parties acknowledge that:
(A) TestGorilla operates a talent assessment and sourcing platform through which Candidates are invited to complete skills-based assessments.
(B) When a Customer uses the Platform to invite Candidates, both TestGorilla and the Customer independently determine certain purposes and means of processing Candidate Data, making them joint controllers of that data within the meaning of Article 4(7) and Article 26 of the GDPR.
(C) The DPA governs TestGorilla's processing of Customer Data as a processor. This Annex governs the separate and additional relationship between the Parties as joint controllers of Candidate Data.
(D) Article 26(1) GDPR requires joint controllers to determine their respective responsibilities in a transparent manner by means of an arrangement between them. This Annex constitutes that arrangement.
(E) Article 26(2) GDPR requires that the essence of this arrangement be made available to data subjects. TestGorilla will satisfy this obligation by publishing a summary in its Candidate Privacy Policy.
In this Annex, the following terms have the meanings set out below. Terms defined in the Terms or the DPA have the same meaning where used here.
1.1 "Candidate" means any individual invited by the Customer to complete an assessment on the Platform, or any individual who creates a profile on the Platform independently.
1.2 "Candidate Data" means any personal data relating to a Candidate that is generated, collected, or processed through the Platform, including assessment results, test responses, video recordings, webcam stills, identity verification data, and profile information. For the avoidance of doubt, Candidate Data is distinct from Customer Data as defined in the DPA.
1.3 "Customer Processing" means the Customer's use of Candidate Data received from the Platform for the purpose of making hiring decisions or otherwise managing the Customer's recruitment process.
1.4 "GDPR" means the General Data Protection Regulation (EU) 2016/679 and, where applicable, its implementation into national law.
1.5 "Joint Processing" means the processing of Candidate Data for which both Parties determine the purposes and means, as further described in Section 3.
1.6 "TestGorilla Processing" means TestGorilla's processing of Candidate Data for its own independent purposes as described in Section 3.2.
1.7 "Supervisory Authority" means the competent data protection authority under applicable law, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in respect of TestGorilla.
2.1 This Annex applies to all Candidate Data processed in connection with assessments initiated by the Customer on the Platform.
2.2 The Parties acknowledge that they act as joint controllers in respect of the following processing activities:
The collection of Candidate Data via assessment invitations issued by the Customer through the Platform;
The transmission of assessment results, scores, and related Candidate Data from the Platform to the Customer; and
The storage of Candidate Data on the Platform during the period in which it is accessible to the Customer.
2.3 The Parties acknowledge that they act as independent controllers in respect of the following processing activities:
TestGorilla's use of Candidate Data for its own purposes (Section 3.2); and
The Customer's use of Candidate Data following receipt from the Platform for its own hiring and recruitment decisions (Section 3.3).
2.4 This Annex does not affect the processor relationship established under the DPA in respect of Customer Data.
3.1.1 For the Joint Processing identified in Section 2.2, the Parties jointly rely on the following lawful basis under Article 6 GDPR: the legitimate interests of TestGorilla and the Customer in conducting lawful, skills-based hiring processes (Article 6(1)(f)), balanced against the Candidate's interest in fair and transparent evaluation of their capabilities.
3.1.2 Where Candidate Data includes special categories of personal data within the meaning of Article 9 GDPR (such as biometric data collected for identity verification), the processing will be based on the Candidate's explicit consent obtained by TestGorilla through the Candidate Terms of Service and, where applicable, supplemented by the Customer's own legal basis.
3.2 TestGorilla independently processes Candidate Data for the following purposes, for which it acts as sole controller:
Operating, maintaining, and improving the Platform;
Generating anonymised or aggregated benchmarking data provided to Customers;
Developing and testing new assessment content and product features;
Fraud prevention, anti-cheating, and platform integrity;
Compliance with legal obligations; and
Operating the TestGorilla talent pool and sourcing marketplace, where Candidates have opted in.
TestGorilla's lawful bases for this independent processing are set out in the Candidate Privacy Policy.
3.3 Following receipt of Candidate Data from the Platform, the Customer independently processes that data for the following purposes, for which it acts as sole controller:
Evaluating Candidate suitability for a specific role or position;
Making, recording, and communicating hiring decisions;
Retaining assessment records in accordance with the Customer's own data retention obligations; and
Complying with applicable employment and anti-discrimination law.
3.3.1 The Customer shall rely on legitimate interests (Article 6(1)(f)) as its primary lawful basis for Customer Processing, unless a different or additional lawful basis is appropriate under applicable law. The Customer is solely responsible for identifying and documenting its lawful basis.
3.3.2 The Customer is solely responsible for ensuring that its Customer Processing complies with all applicable data protection laws, including any sector-specific obligations applicable to its industry or jurisdiction.
The Parties allocate their respective GDPR responsibilities as follows. This allocation is without prejudice to a Candidate's right to exercise their rights against either Party under Article 26(3) GDPR.
| Obligation | TestGorilla | Customer |
|---|---|---|
| Obtain and manage Candidate consent (Candidate Terms of Service) | TestGorilla | — |
| Publish Candidate-facing privacy notice | TestGorilla | Customer (own notice) |
| Publish essence of this Arrangement to Candidates | TestGorilla | — |
| Lawful basis for Joint Processing | Both Parties (Sec. 3.1) | Both Parties (Sec. 3.1) |
| Lawful basis for independent processing | TestGorilla (own) | Customer (own) |
| Security of Candidate Data on the Platform | TestGorilla | — |
| Security of Candidate Data after export from Platform | — | Customer |
| Data Subject Access Requests (Platform processing) | TestGorilla | Referral support |
| Data Subject Access Requests (Customer Processing) | Referral support | Customer |
| Data Subject erasure requests (Platform) | TestGorilla | — |
| Data Subject erasure requests (Customer systems) | — | Customer |
| Security incident notification to Supervisory Authority (Platform breach) | TestGorilla | — |
| Security incident notification to Supervisory Authority (Customer-side breach) | — | Customer |
| Security incident notification between Parties | Both Parties (Sec. 6) | Both Parties (Sec. 6) |
| Candidate Data retention on Platform | TestGorilla (Sec. 7.1) | — |
| Candidate Data retention in Customer systems | — | Customer (Sec. 7.2) |
| Sub-processor management (Platform) | TestGorilla | — |
| Sub-processor management (Customer systems) | — | Customer |
| Data Protection Impact Assessment (Platform) | TestGorilla | Cooperation |
| Data Protection Impact Assessment (Customer Processing) | Cooperation | Customer |
| Anti-discrimination compliance in hiring decisions | — | Customer |
5.1 A Candidate may exercise their rights under Chapter III GDPR against either Party. The Party receiving a request shall inform the other Party without undue delay and in any event within three (3) business days of receipt.
5.2 TestGorilla shall handle requests relating to Candidate Data processed on the Platform, including requests for access, rectification, erasure, restriction, and portability, to the extent they concern TestGorilla's processing activities. TestGorilla shall respond to such requests within the statutory timeframe.
5.3 The Customer shall handle requests relating to Candidate Data processed in the Customer's own systems following export from the Platform. The Customer shall respond within the statutory timeframe and shall not require Candidates to exercise their rights solely through TestGorilla.
5.4 Each Party shall provide the other with reasonable cooperation and information necessary to respond to data subject requests that concern the other Party's processing activities, at no charge to the requesting Party.
5.5 Where TestGorilla receives an erasure request from a Candidate, TestGorilla will delete the relevant Candidate Data from the Platform and notify the Customer. The Customer is solely responsible for erasing that Candidate Data from its own systems.
6.1 Each Party shall notify the other without undue delay, and in any event within forty-eight (48) hours of becoming aware of a security incident affecting Candidate Data processed under this Annex, whether the incident originates on the Platform or in the Customer's systems.
6.2 Notifications under Section 6.1 shall include, to the extent then known: (a) the nature of the incident; (b) the categories and approximate number of Candidates affected; (c) the categories and approximate volume of Candidate Data affected; (d) the likely consequences; and (e) the measures taken or proposed to address the incident.
6.3 TestGorilla shall be responsible for notifying the competent Supervisory Authority of any incident originating on the Platform, where required by applicable law. The Customer shall be responsible for notifying the competent Supervisory Authority of any incident originating in its own systems.
6.4 Each Party shall provide the other with reasonable cooperation in investigating and remediating any security incident affecting Candidate Data.
7.1 TestGorilla shall retain Candidate Data on the Platform in accordance with its Candidate Privacy Policy and the Terms. TestGorilla shall delete or anonymise Candidate Data: (a) upon a valid erasure request from the Candidate; (b) upon expiry of the applicable retention period; or (c) upon termination of the Agreement, subject to any statutory obligations requiring longer retention.
7.2 The Customer is solely responsible for establishing and enforcing an appropriate retention period for Candidate Data stored in its own systems, having regard to: (a) applicable employment and anti-discrimination law; (b) the principle of storage limitation under Article 5(1)(e) GDPR; and (c) any applicable sector-specific requirements.
7.3 The Customer shall not retain Candidate Data in its own systems for longer than is necessary for the purposes of the relevant recruitment process, unless a longer period is required by law.
The Customer represents, warrants, and undertakes that:
8.1 Privacy Notice. The Customer maintains and makes available to Candidates a privacy notice that accurately describes the Customer's processing of Candidate Data received from the Platform, including the lawful basis, retention period, and rights available to Candidates.
8.2 No Unlawful Discrimination. The Customer shall not use Candidate Data to make hiring decisions that are unlawful under applicable employment or anti-discrimination law. The Customer is solely responsible for ensuring that its use of assessment results complies with applicable equality and employment legislation.
8.3 Security. The Customer shall implement and maintain appropriate technical and organisational measures to protect Candidate Data in its own systems against unauthorised access, loss, or disclosure.
8.4 Onward Transfers. The Customer shall not transfer Candidate Data to a third country or an international organisation except in compliance with Chapter V GDPR.
8.5 Sub-processors. The Customer shall ensure that any third party to whom it discloses Candidate Data is subject to appropriate data processing obligations consistent with GDPR.
8.6 DSAR Cooperation. The Customer shall promptly forward to TestGorilla any data subject requests it receives that relate to TestGorilla's processing of Candidate Data on the Platform.
TestGorilla represents, warrants, and undertakes that:
9.1 Candidate Transparency. TestGorilla shall publish the essence of this Arrangement in its Candidate Privacy Policy, including a clear explanation that the Customer receiving assessment results is an independent controller of those results for hiring purposes.
9.2 Consent Mechanism. TestGorilla shall obtain valid consent from Candidates through the Candidate Terms of Service for the collection and processing of their Candidate Data, including the sharing of results with the Customer.
9.3 Security Measures. TestGorilla shall maintain the technical and organisational security measures described in the Information Security Measures document as part of the Agreement.
9.4 Sub-processor Management. TestGorilla shall ensure that all sub-processors handling Candidate Data on the Platform are bound by appropriate data processing agreements.
9.5 Candidate Rights on Platform. TestGorilla shall provide Candidates with the ability to access, correct, and request deletion of their Candidate Data through the Platform or by contacting privacy@testgorilla.com.
10.1 Each Party shall be liable to Candidates for any damage caused by its own processing that infringes the GDPR, in accordance with Article 82 GDPR.
10.2 If one Party pays full compensation to a Candidate for damage caused jointly, it may recover from the other Party that portion of the compensation corresponding to the other Party's part of the responsibility for the damage.
10.3 TestGorilla shall not be liable for any damage arising from the Customer's independent processing of Candidate Data, including any discriminatory, unlawful, or disproportionate use of assessment results.
10.4 The Customer shall not be liable for any damage arising from TestGorilla's independent processing of Candidate Data on the Platform.
10.5 The liability limitations set out in the Terms apply to each Party's liability under this Annex to the extent permitted by Article 82 GDPR.
11.1 Each Party designates the following contact point for matters arising under this Annex:
TestGorilla: privacy@testgorilla.com
Customer: the contact designated in the applicable Order Form, or the owner email in the TestGorilla app (if the Customer purchased the plan using self-serve).
11.2 The Parties shall cooperate in good faith to resolve any dispute or ambiguity regarding the application of this Annex.
12.1 This Annex enters into force on the Effective Date of the Agreement and remains in force for the duration of the Agreement.
12.2 Upon termination or expiry of the Agreement: (a) TestGorilla will delete or anonymise Candidate Data on the Platform in accordance with Section 7.1; and (b) the Customer's obligations in respect of Candidate Data already in its systems (Sections 3.3, 7.2, and 8) shall survive termination.
12.3 The following Sections shall survive termination: 3.3, 5, 6, 7, 8, 9.1, 10, and 12.2.
13.1 This Annex is governed by the laws of the Netherlands, consistent with the Terms.
13.2 Any dispute arising from this Annex shall be subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands, consistent with Section 17 of the Customer Terms of Service.
13.3 In the event of any conflict between this Annex and the Terms or the DPA with respect to Candidate Data, this Annex shall prevail.
13.4 TestGorilla may update this Annex from time to time in accordance with the amendment provisions stipulated in the Terms. Material changes will be communicated to Customers with reasonable notice.
Note to Customer: The Customer must not rely on consent as the sole lawful basis for processing Candidate Data received from the Platform for hiring decisions, as consent in the employment context is generally not freely given within the meaning of Article 7 GDPR due to the inherent power imbalance between prospective employers and candidates.