Horizons Logo

Our Solutions

Data Processing Addendum

Updated November 2021

Horizons Global Technology Pte. Ltd. and/or its subsidiaries and in-country affiliated entities (“Provider”) provides Employer of Record Services (“Principal Agreement”) to the company that is executing this Agreement (the “Company”); such Company also acting as a Data Controller as it instructs the Provider to process Company Personal Data pursuant to or in connection with the Principal Agreement (“Processing”). Each the Provider and the Company are referred to as a “Party” and together as the “Parties”.

The present Data Processing Addendum (the “Addendum”) governs the processing of Personal Data and is implemented to comply with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 known as the General Data Protection Regulation (GDPR), on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.

The Parties hereby agree on their rights and obligations:

Rights & Obligations

1. Definitions – Interpretation

Definition. Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:

  • Company Personal Data or Personal Data means any Personal Data Processed by the Provider or any Contracted Processor pursuant to or in connection with the Principal Agreement;
  • Contracted Processor means a Sub-Processor, if any;
  • Data Exporter means the Controller who transfers the Personal Data;
  • Data Importer means the Processor who agrees to receive from the Data Exporter Personal Data intended for processing on his behalf;
  • Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  • EEA means the European Economic Area;
  • EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State, and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  • Data Transfer means:
    • A transfer of Company Personal Data from the Company to a Sub-Processor; or
    • An onward transfer of Company Personal Data from a Contracted Processor to a Sub-Contracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
  • Processor means the Provider, as it has been instructed by the Company to Process Company Personal Data pursuant to or in connection with the Principal Agreement;
  • Services means the specific Services the Company provides as per the Principal Agreement;
  • Sub-Processor means any person appointed by or on behalf of Processor to process Personal Data in connection with the Principal Agreement;
  • Eventually, the terms, Commission, Controller, Data Subject, Data Subject Rights, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Company Personal Data. Expressions used in this Addendum shall pertain as follows:

  • Categories of Data Subjects: all employees, agents and any other contractors of the Company are Data Subjects.
  • Categories of Company Personal Data: Company Personal Data processed concern the following categories of Data: Personal Data relating to Data Subjects, including name & contact, photograph, demographic, national identifiers, employment details, financial information, background, and dependents-related data.
  • Processing Operations: the nature of the operations performed on the data by the Processor are collection, recording, structuring, storage, use, availability, and destruction.

2. Obligations of the Provider

Compliance. The Provider, acting as the Data Importer, understands and agrees that it will (i) process the Company Personal Data only on instructions from the Company; (ii) process the Company Personal Data transferred only on the Company’s request and in accordance with the Data Protection Laws; and (iii) inform the Company without undue delay if any failure to comply with applicable Data Protection Laws.

Data Security. Regarding the nature, scope and purposes of Processing the Company Personal Data, the Provider warrants that it has implemented sufficient technical and organizational security measures to prevent any unlawful process of the Company Personal Data; or any accessibility for unauthorized third parties and to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, the Provider shall especially take into account the risks that are presented by Processing, in particular regarding Personal Data Breach.

Personal Data Breach. Upon becoming aware of any Personal Data Breach affecting the Company Personal Data, the Provider shall (i) promptly report such Breach to the Company, without undue delay; (ii) investigate the Personal Data Breach and provide the Company with sufficient information to allow the Company to meet any obligations to report or inform the Data Subjects of the Personal Data Breach under the Data Protection Laws; (iii) assist the Company in the investigation and remediation of such Breach; and (iv) take any reasonable measures to prevent a recurrence of such Breach.

Sub-Processor. The Company understands that the Provider may use a local in-country affiliated entity and other third-parties to deliver the Services in connection with the Principal Agreement; and the Client further authorizes the Provider to engage such Sub-Processors to Process Company Personal Data. When engaging a Sub-Processor, the Provider imposes data protection terms and conditions that provide at least the same level of protection for Personal Data as those in this Addendum, to the extent applicable according to the nature of the services provided by each Sub-Processor. The Provider will remain responsible for each Sub-Processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-Processor that would cause the Provider to breach any of its obligations under this Addendum.

Data Transfer. In the event any Personal Data processed under the Principal Agreement is to be transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. When Processing Personal Data, the Provider uses the GDPR as a guidance for its compliance obligations.

Data Subject Rights. The Provider agrees and warrants that it will cooperate with all requests from the Company relating to Data Subjects claiming rights from the Company under Data Protection Laws, as some of these rights might involve Data that are in possession of the Provider. In the event the Provider is directly contacted by a Data Subject, the Provider will promptly notify the Company and advise such Data Subject to refer to the Company.

3. Obligations of the Company

Compliance. The Company, acting as the Data Exporter, agrees and warrants that (i) the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the Data Protection Laws; and (ii) it has instructed, and throughout the duration of the subcontracted Services will instruct, the Provider to process the Company Personal Data transferred only on the Company’s request and in accordance with the Data Protection Laws.

Obligations. In particular but without prejudice to the generality of the foregoing, the Company acknowledges and agrees that it will be solely responsible for (i) the accuracy, quality, and legality of Company Personal Data and the means by which such Company Personal Data have been acquired; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring to have the right to transfer, or provide access to, the Company Personal Data to the Provider for Processing in accordance with the terms of the Principal Agreement, including this Addendum; (iv) ensuring that Instructions given to the Provider regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all applicable laws, including Data Protection Laws, to any emails or other content created, sent or managed, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.

4. Term – Termination

Duration. The term of this Addendum shall commence when the Principal Agreement is executed, and shall remain in full force and effect so long as (i) the Principal Agreement remains in effect; or (ii) the Provider retains any Company Personal Data.

Termination. Any provision of this Addendum, that expressly or by legal implication should continue in force on or after termination, shall remain in full force and effect in order to ensure protection of the Company Personal Data.

Deletion – Return of Company Personal Data. Upon completion of the Processing (“Cessation Date”) the Provider should, at the choice of the Company, return or delete the Company Personal Data processed pursuant to the Principal Agreement, within 15 working days of the Cessation Date, unless otherwise required by applicable Data Protection Laws (e.g., for archive and compliance reasons).

5. Confidentiality of Company Personal Data

Duty of Confidentiality. The Provider will keep confidential all Company Personal Data and other confidential information. The Provider will further ensure that each of its staffs, whether they be direct employees, agents, contractors or any employee, agent or contractor of any Sub-Contracted Processor (together the “Provider Personnel”), who may have access to or may be involved with the Processing of the Company Personal Data under this Addendum will (i) undertake a duty of responsibility; and (ii) be informed of and comply with the obligations of this Addendum.

Access to Company Personal Data. Furthermore, the Provider shall take all necessary measure to ensure that access to Company Personal Data is strictly limited to the Provider Personnel who need to know or access such relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement.

6. Sub-Processing

Appointment of a Sub-Processor. The Provider shall not appoint (or disclose any Company Personal Data to) any Sub-Processor unless required or authorized by the Company in written form.

Rights and Obligations of a Sub-Processor. Any Sub-Processor that may be appointed to process Company Personal Data shall be bound by the same level of obligations as the Provider under this Addendum; and the Provider shall remain fully liable to the Company for the performance of the Sub-Processor(s)’ obligations.

7. Assessment – Audit

Data Protection Impact Assessment. The Provider shall provide reasonable assistance to the Company with carrying out any Data Protection Impact Assessments, or consultation, which the Company reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in relation to Processing of Company Personal Data by the Contracted Processors.

Audits. Furthermore, the Provider allows and contributes to audits and inspections that may be conducted by the Company or any auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Provider.

8. Governing Law – Disputes

Governing Law. This Addendum is governed by and construed in accordance with the “Governing Law” section of the Principal Agreement, unless otherwise required by applicable Data Protection Laws.

Dispute. Any dispute arising in connection with this Addendum, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the Company’s country of establishment.

9. Entirety

Entire Agreement. This Addendum supersedes any and all prior addendums or representations, whether written or oral, relating to the subject matter hereof. This Addendum shall form an indivisible and integral part of the Principal Agreement and have equal force with it.

Modification. From time to time, the Provider may modify this Addendum, to ensure it stays aligned and complies with any change to any applicable laws and regulations. Any such change should become effective without delay. The Provider will use reasonable efforts to notify the Company of any significant through communications via the Company Account, email or other means.

10. Miscellaneous

Inconsistency. In the event this Addendum is not consistent with any newly established local mandatory stipulations such as laws, regulations, provisions or policies, the new laws, regulations, provisions or policies shall prevail. Any illegal or unenforceable disposition or part of shall be null and void, without any effect of the remaining part of this Addendum.

Independence. The Parties are independent from each other, and this Addendum will not establish any relationship of partnership, joint venture, employment, franchise or agency between them. Neither Party will have the power to bind the other Party or to incur any obligations on its behalf without the other Party’s prior consent.

Confidentiality. Each Party must keep this Addendum and information it receives about the other Party and its business in connection with the Principal Agreement, including this Addendum (“Confidential Information”) confidential and must not use or disclose such Confidential Information without the prior written consent of the other Party except to the extent that (i) disclosure is required by law; or (ii) the relevant information is already in the public domain.

Notice. All notices and communications given under this Addendum must be in writing and will be delivered through communications via the Client’s email or other means.