(A) The Data Controller determines the purposes and methods of the processing of Personal Data (as defined below).
(B) The Data Processor has agreed to provide the Services on the terms set out in the Human Resources and Personnel Management System User Agreement (“Agreement”).
(C) The Parties wish to supplement the Agreement with this DPA to formalize the terms and conditions applicable to the processing of Personal Data.
(D) The purpose of this DPA is to secure adequate safeguards with respect to the protection of privacy and to ensure that the processing of Personal Data is in accordance with the Data Controller’s and Data Processor’s legal obligations.
1.1.1. In addition to this main body of the agreement, this DPA incorporates the following documents:
Annex 1 Minimum Security Measures
1.1.2. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, this DPA shall prevail. Capitalized terms not defined herein (if any) have the meanings set forth in the Agreement.
For the purposes of this DPA, the expressions set out below have the following meanings:
Approved Purpose
means the processing required to fulfil the purpose of the Agreement, specifically the Provision of Human Resources and Management System;
Approved Territory
means within a Member State of the European Union (EU);
Data Subject
means the living individual about whom the Data Controller holds Personal Data;
Personal Data
means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; more specifically for the context of this DPA Personal Data means the data of Data Controller’s Personnel processed by the Platform.
Personal Data Breach
means any loss, destruction, damage, alteration or unauthorised access or disclosure of Personal Data or any other non-conformity with this DPA;
Services
means the services to be supplied by the Data Processor under the Agreement;
Agreement
means the “Human Resources and Personnel Management System User Agreement” that has been executed between the Parties.
This DPA governs the Data Processor’s processing of the Personal Data it processes on behalf of the Data Controller to perform its Services under the Agreement. The Data Processor shall process the Personal Data only for the Approved Purpose and in accordance with applicable laws, this DPA and the Agreement.
The Data Controller retains the formal control of, and all ownership and rights to the Personal Data. The Data Processor shall have no rights in or to the Personal Data other than the non-exclusive, revocable and time limited right to process the Personal Data for the Approved Purpose.
The Data Processor shall process the Personal Data only for the Approved Purpose. Any processing of the Personal Data for any other purpose is strictly forbidden and will be considered a material breach of this DPA and the Agreement.
The processing of the Personal Data shall only take place in technological environments controlled by the Data Processor in the Approved Territory. For the avoidance of doubt, processing includes accessing the Personal Data from remote locations.
The Data Processor may only use a subcontractor that is an Approved Subcontractor to perform tasks under this DPA on its behalf. Companies of the same group of companies shall not be treated as subcontractors in the context of the present agreement. The Data Processor shall ensure that any processing of the Personal Data by an Approved Subcontractor complies with the requirements set out under this DPA. This includes verifying that the security measures implemented by an Approved Subcontractor ensure at least the equivalent level of protection to that required of the Data Processor under this DPA. The Data Processor shall document its security assessments of any Approved Subcontractor without undue delay when required by the Data Controller.
The Data Processor shall ensure that a data processor agreement is entered into between the Data Processor and an Approved Subcontractor before such Approved Subcontractor processes any Personal Data. The data processor agreement(s) shall ensure that such Approved Subcontractor is subject to requirements that are as stringent and that offer the equivalent level of protection to the Data Controller and the Data Subjects, as the requirements that are imposed on the Data Processor under this DPA.
For the purposes of this DPA, any and all actions or omissions by a subcontractor (whether or not an Approved Subcontractor) affecting the Data Controller or a Data Subject shall be the sole responsibility of the Data Processor. The Data Controller may in its sole discretion withdraw any approval(s) given relating to the use of a specific subcontractor. In such event the Data Controller will provide an explanation to Data Processor setting out the reason behind the withdrawal. To the extent the withdrawal prevents the Data Processor from delivering the Service, the parties shall discuss in good faith which alternative solutions and/or subcontractors could be used to continue the provisioning of the Service.
The Data Processor is not entitled to transfer or export Personal Data out of the Approved Territory without the Data Controller’s written explicit prior approval in each case.
Any and all such transfer or export shall meet the security requirements and protection of the Data Subjects’ rights as set forth in clause 8 and Annex 1. Subject to clause 6, the Data Processor is responsible for ensuring that a corresponding clause is included in any agreement with the Approved Subcontractors.
The Data Processor shall not allow any cross border transfer of Personal Data unless a valid legal basis for such transfer exists and all required approvals have been obtained from the relevant data protection or governmental authorities. In the event such approval is required, the Data Processor shall comply with any requirements established by any data protection or other government authorities necessary for the granting of approval by such authorities for the transfer of Personal Data. If applicable, the Data Processor shall cooperate immediately with the Data Controller in order to sign, execute, file and obtain any necessary government approvals with relevant government authorities.
The Data Processor represents and warrants that the legal basis for the applicable transfer of Personal Data complies with the applicable law and that the legal basis for such transfer of Personal Data will be maintained and be in full force and effect throughout the term of the Contract.
The Data Processor shall notify Data Controller, in the event of any changes to the legal basis for transfer of Personal Data, which may prevent or restrict the transfer of Personal Data to the Approved Subcontractor in question. The Data Processor’s notification shall be accompanied by a detailed description of the reason for the change in the legal basis for transfer of Personal Data and any initiatives that the Data Processor and/or the relevant Approved Subcontractor has undertaken or will undertake to mitigate the impact of the change to the legal basis for the transfer of Personal Data to or from the relevant Approved Subcontractor.
The Data Processor shall and shall procure that its Approved Subcontractors provide all reasonable assistance and provide all information and documentation reasonably required by Data Controller, in relation to the preparation and approval by relevant authorities (if any).
The Data Processor shall perform its obligations and actions under this DPA with all due skill, care and diligence.
The Data Processor shall use technical and organisational security measures appropriate to prevent the harm which might result from any unauthorised or unlawful processing, loss, destruction, damage, alteration to or disclosure of the Personal Data and having regard to the nature of the Personal Data which is to be protected. As a minimum, the security level shall correspond with the security measures set out in Annex 1.
The Data Processor shall document the technical and organisational security measures it uses to fulfil the requirements set out in Annex 1. The documentation shall be made available to the Data Controller upon request. Should the Data Processor become aware of any non-conformity with the security requirements set out in Annex 1, either within its own or within the Approved Subcontractor’s organisation, such non-conformity shall be notified to the Data Controller in accordance with the Personal Data Breach procedure set out in Section 11.
The Data Processor shall ensure that it and its employees maintain secrecy about any and all Personal Data and that the Personal Data is accessed by the Data Processor’s employees on a need to know basis only.
The Personal Data shall be considered as confidential information belonging to the Data Controller and/or the Data Subject and shall be subject to confidential handling in accordance with the confidentiality undertakings agreed between the parties in the Agreement or elsewhere.
The Data Processor shall keep detailed, accurate and up-to-date records relating to the processing of Personal Data by the Data Processor’s books of account (Records) and its technology system(s) to which Personal Data is delivered or on which the Services are provided (Systems). The Data Controller shall be entitled to audit the Data Processor’s compliance with this DPA in accordance with the provisions set out below.
Access to external audit reports in alternative (a) above or audit access by any third party representative of the Data Controller in alternative (b) above shall be subject to the Data Controller and/or the Auditor agreeing confidentiality obligations in respect of the information obtained, provided that all information obtained by the Auditor shall be disclosed to the Data Controller.
The audit right in alternative (b) above may be exercised only once in a calendar year during the Term. However, should the audit reveal any non-conformity, the Data Controller shall be entitled to have its Auditor perform follow-up audits to the extent necessary to protect its interests under this DPA.
If requested by the Data Protection Authority of the country where the Data Controller resides, the Data Controller shall be entitled to share external audit reports and/or the results of the audit by any third-party representative of the Data Controller with the relevant Data Protection Authority.
The Data Controller may at its sole discretion decide whether it would like to perform its audits based on alternative (a) or (b) above, or both. The Data Controller may also choose not to exercise any of the two options.