Horizons Global Technology Pte. Ltd. and/or its subsidiaries and in-country affiliated entities (“Provider”) provides Employer of Record Services (“Services”) as per its terms and conditions (“Principal Agreement”) to the company that is executing this Principal Agreement (“Company”); where both the Provider and the Company share personal information with each other as independent data controllers.
The present Data Processing Addendum (“Addendum”) forms a part of the Principal Agreement, and governs the processing of Personal Data and is implemented to comply with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 known as the General Data Protection Regulation (GDPR), on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
Each of the Provider and the Company is referred to as a “Party” and together as the “Parties”.
The Parties hereby agree on their rights and obligations:
1. Definitions - Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:
- Controller, Processor, Data Subject, Personal Data, Processing, Data Breach, and Special Categories of Personal Data shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly;
- Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- EEA means the European Economic Area;
- EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State, and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- Professional refers to the local national or foreign individual who has a direct employment contract with the Provider and who is dedicated to work on the Client’s project under the Client’s instructions pursuant to or in connection with the Principal Agreement;
- Sale, and its cognate terms (within the context of the California Consumer Privacy Act) is defined as: selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration;
- Services means the specific Services the Company provides as per the Principal Agreement.
The purpose and nature of operations carried out on the Personal Data are necessary to provide the Services as described in the Principal Agreement; and Personal Data should not be processed or sold for any purpose other than the one strictly necessary to provide the Services.
3. Nature of Personal Data Shared
Personal Data collected and shared.
Both the Provider and the Company share with each other the Professionals’ Personal Data.
The Company may provide the following Professionals’ Personal Data to the Provider:
- Identity and contact details as first name and last name, email address,
- Country of employment,
- Employment details as work location, job title, main duties, salary, vacations, sick leave,
- Approval or refusal of expenses or leave requests.
The Provider may provide the following Professionals’ Personal Data to the Company:
- Employment agreement and pay slips,
- Emergency contact persons’ name, phone and relationship with the Professional,
- Banking information,
- Requests for expenses reimbursement, annual, sick and other leaves.
Special categories of data.
Depending on applicable labor laws and regulations, personal details contained in the employment agreements or required when hiring an employee may vary from one place of work to another. Depending on the country of hiring, the personal information collected may include the following:
- National ID number & information,
- Social and/or health insurance information,
- Special categories of data such as:
  - biometric data,
  - ethnic origin,
  - criminal records,
  - health certificate or related data.
The Parties understand and agree that the Company will not disclose any special categories of personal data to the Provider for processing, unless explicitly requested by the Provider.
4. Obligations of the Parties
When processing Personal Data, the Parties undertake to comply with all applicable Data Protection Laws.
The Parties understand and agree that they shall always comply with all applicable Data Protection Laws when processing Personal Data pursuant to, or in connection with this Addendum.
Each Party shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which they have been acquired; as well as for informing the Data Subject about the processing of their Personal Data.
Each Party further understands and agrees that it shall promptly inform the other Party of any failure to comply with its obligations under this Addendum or with any applicable Data Protection Law.
Each Party shall have implemented and shall maintain appropriate technical and organizational security measures (“TOMs”) to ensure protection of the confidentiality, integrity, availability and security of Personal Data against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Each Party is solely responsible to ensure that its TOMs efficiently meet the other Party’s requirements and safeguards, with regard to security as per applicable Data Protection Laws.
Each Party further acknowledges and agrees that its security practices and policies are effectively implemented and maintained in accordance with the requirements relating to its respective mission and duties as data controllers, and provide a level of security appropriate to prevent any unlawful process or access to Personal Data.
Each Party acknowledges that its TOMs are subject to technical progress and development and that they may be updated or modified from time to time, provided that such updates and modifications ensure a better overall security of the Personal Data.
Each Party undertakes to preserve the confidentiality of any Personal Data it retains and processes during the Principal Agreement and thereafter. Each Party further undertakes that access to Personal Data is strictly limited to the extent necessary to deliver the Services and in accordance with applicable Data Protection Laws.
The Parties agree to comply with the privacy by default & by design and data minimization principles from the EU Data Protection Laws.
Each Party agrees to minimize Personal Data processing to the extent strictly necessary to provide the Services, including, but not limited to: minimization of telemetry data, support data and feedback functionality, minimization of data retention periods, collection of pseudonymized identifiers when necessary, immediate effective and irreversible anonymization when the Service can be performed without Personal Data, end-to-end encryption when technically feasible, and the implementation and control of strict access controls to Personal Data.
The Parties shall implement relevant applicable policies when collecting new types of Personal Data, and shall ensure such new collection is supervised by a data privacy officer (“DPO”). Both Parties shall perform regular checks on the contents of collected Personal Data to verify the processing lawfulness and minimization principles of EU-GDPR.
Data Subject Rights.
Each Party is solely responsible for the execution of its Data Subject rights within its own scope of data and processing and in accordance with all applicable Data Protection Laws.
5. Term - Termination
This Addendum commences when the Principal Agreement is executed, and remains in full force and effect so long as:
- the Principal Agreement remains in effect; or
- the Provider retains any Personal Data.
Any provision of this Addendum that, expressly or by legal implication, should continue in force on or after termination shall remain in full force and effect in order to ensure protection of such Personal Data.
Return or deletion of Personal Data.
Upon termination of the Principal Agreement or any time upon written notification, and to the extent permitted by law, both Parties shall make sure and inform the other Party that all Personal Data (including all copies) are securely destroyed, deleted, or – at each Party’s sole discretion – returned.
Client understands that Horizons may use a local in-country affiliated entity and other third-parties (“Sub-Processors”) to deliver the Services in connection with the Principal Agreement.
Both Parties authorize each other to engage Sub-Processors to process Personal Data. When engaging a Sub-Processor, a Party imposes data protection terms and conditions that provide at least the same level of protection for Personal Data as those in this Addendum, to the extent applicable according to the nature of the services provided by each Sub-Processor.
Each Party will remain responsible for its Sub-Processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-Processor that would cause the Party to breach any of its obligations under this Addendum.
The Parties shall ensure that their post-termination obligations are also required from their Sub-Processors.
7. Impact Assessment
Data Protection Impact Assessment.
In the event a Party plans to introduce new features, or related software and services (“New Features”) which will or may result in a new type of data processing (i.e. new type of Personal Data and/or new purpose for processing), such Party shall:
- Perform a data protection impact assessment (“DPIA”);
- Determine if the New Features and such new type of data processing are allowed within the scope of this Addendum;
- Ensure that such new type of data processing only occurs with the necessary permissions of the other Party; which can consult a supervisory authority in case the result of the DPIA shows a high risk for the fundamental rights for its Data Subjects.
8. Data breach
After the detection of a data breach involving Personal Data, each Party undertakes to:
- Notify the other Party without undue delay, and within 3 days when possible;
- Provide the other Party with details relating to such data breach, to the extent possible, to allow the other Party to comply with its own notification requirement as per applicable Data Protection Laws;
- Promptly launch an investigation into the data incident and take appropriate remedial steps to prevent and minimize any possible harm, provided that such data incident would compromise the security of Personal Data.
9. International Data Transfer
The Parties understand and acknowledge that as part of the Services, each Party may, upon instruction from the other Party, transfer Personal Data to a third-party Sub-Processor that is based outside the EEA; each Party is hence responsible for entering into a separate contractual arrangement with such third-party Sub-Processor to ensure they follow all applicable Data Protection Laws.
Standard Contractual Clauses.
In the event any Personal Data stored or processed is to be transferred to a country outside the EEA and which is not an Adequate Country (within the meaning of Art. 45 (1) of EU-GDPR), the Parties shall ensure that the Personal Data are adequately protected. The Parties agree that such international transfers of Personal Data shall be governed by the applicable Standard Contractual Clauses (“SCC”). Furthermore, in the event the Data Subjects are citizens of the EEA, any transfer of their Personal Data to a country outside the EEA shall also be governed by the applicable SCC.
In the event any provision of this Addendum contradicts, directly or indirectly, the SCC, such SCC shall prevail. If the SCC are deemed invalid or if additional obligations and restrictions are added to them, the Parties shall work in good faith to find an alternative and/or modified approach with respect to the transferred Personal Data, and in compliance with applicable Data Protection Laws.
10. California Consumer Privacy Act
In the event any Personal Data is processed within the scope of the California Consumer Privacy Act (“CCPA”), the Parties understand and agree that each of them may be qualified as a ‘service provider’ with regard to the CCPA; in such case, Personal Data can be provided to the other Party only for a valid business purpose, and only if necessary to perform the Services. Furthermore each Party agrees that it should not:
- Sell any Personal Data;
- Retain, use or disclose any Personal Data (i) for any purpose other than providing the Services, or (ii) outside its direct business relationship with the other Party.
11. Limitation of Liability
To the full extent permitted by applicable Data Protection Laws, the Parties understand and agree that each Party’s respective liability, pursuant to or in connection with this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Principal Agreement, and any reference to the liability of one Party means its aggregate liability under the Principal Agreement and this Addendum.
12. Governing Law - Dispute
Governing Law. This Addendum is governed by and construed in accordance with the “Governing Law” section of the Principal Agreement, unless otherwise required by applicable Data Protection Laws.
Dispute. Any dispute arising in connection with this Addendum, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the Provider’s country of establishment, unless otherwise required by applicable Data Protection Laws.
Entire Agreement. This Addendum supersedes any and all prior addendums or representations, whether written or oral, relating to the subject matter hereof. This Addendum shall form an indivisible and integral part of the Principal Agreement and have equal force with it.
Modification. From time to time, the Provider may modify, amend or enrich this Addendum, to ensure it stays aligned and complies with any change to any applicable laws and regulations. Any such change should become effective without delay. The Provider will use reasonable efforts to notify the Company of any significant change through communications via the Company Account, email or other means.
Inconsistency. In the event this Addendum is not consistent with any newly established local mandatory stipulations such as laws, regulations, provisions or policies, the new laws, regulations, provisions or policies shall prevail. Any illegal or unenforceable disposition or part thereof shall be null and void, without any effect on the remaining part of this Addendum.
Independence. The Parties are independent from each other, and this Addendum will not establish any relationship of partnership, joint venture, employment, franchise or agency between them. Neither Party will have the power to bind the other Party or to incur any obligations on its behalf without the other Party’s prior consent.
Confidentiality. Each Party must keep this Addendum and information it receives about the other Party and its business in connection with the Principal Agreement, including this Addendum (“Confidential Information”) confidential and must not use or disclose such Confidential Information without the prior written consent of the other Party except to the extent that (i) disclosure is required by law; or (ii) the relevant information is already in the public domain.
Notice. All notices and communications given under this Addendum must be in writing and will be delivered through communications via the Client’s email or other means.