Data Protection Addendum
(Joint Controllers Agreement)
This Data Protection Addendum (“DPA”) shall constitute an addendum to the Master Services Agreement signed between Client and GoGlobal GEO Limited and/or its Affiliates (together “GoGlobal”) (“Agreement”) and shall declare the intention of the Parties to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (“EU GDPR”) and with the UK GDPR as defined in section 3(10) of the Data Protection Act 2018 (as supplemented by section 205(4) of that Act) (EU GDPR and UK GDPR together referred to in this DPA as “GDPR”), and with other applicable data protection laws (all hereinafter referred to in this DPA as “Data Protection Laws”). This DPA shall apply to the extent required by applicable Data Protection Laws, and the Parties undertake to enter into additional agreements if required by applicable Data Protection Laws.
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the meanings assigned in the Agreement or GDPR as the case may be.
1.1. “Data Controller” means a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of Personal Data.
1.2. “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
1.3. “Data Subject” means an identified or identifiable natural person whose Personal Data are being processed.
1.4. “Joint Controllers” means Data Controllers who jointly determine the purposes and means of Personal Data processing.
1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. Processing of Personal Data
2.1. The provision of the Services under the Agreement involves the processing of Personal Data, with both Parties acting as Joint Controllers (within the meaning of the GDPR) with respect to that processing, since the Parties jointly determine the purposes and means of the processing of Personal Data.
2.2. This DPA sets out the additional terms, requirements and conditions on which the Parties will process Personal Data in connection with the provision of the Services by GoGlobal under the Agreement. It contains a general framework for the arrangement between the Joint Controllers and regulates the mutual relationship between the Parties as regards the joint control of Personal Data; in particular, it determines in a transparent manner the Joint Controllers’ respective responsibilities for compliance with the obligations under the Data Protection Laws.
2.3. The purposes and means of the processing activities involving Personal Data are jointly determined by the Joint Controllers. The categories of Data Subjects and Personal Data, and the purposes and means of processing, are set out in Annex A to this DPA.
3. Rights and Obligations of Joint Controllers
3.1. The Parties shall (i) cooperate in performing the obligations of Joint Controllers of Personal Data, (ii) process Personal Data in compliance with the Data Protection Laws, and (iii) refrain from any legal or factual action which might in any way undermine the security of Personal Data or prejudice the position of the other Joint Controller.
3.2. To the extent applicable to the processing of Personal Data under the Agreement, each Party shall maintain all records of processing required by applicable Data Protection Laws.
3.3. Each Party shall provide reasonable assistance to the other Party with any data protection impact assessments and with prior consultations with supervisory authorities or other competent data privacy authorities, as may be required by applicable Data Protection Laws.
3.4. If a Data Subject, a competent supervisory authority or any other third party requests information from a Party regarding the processing of Personal Data, that Party shall promptly inform the other Party, and both Parties shall cooperate and provide each other with the necessary information and assistance.
3.5. Each Party shall make available to the other Party, on request, the reasonable information necessary to demonstrate compliance with its obligations under the Data Protection Laws.
3.6. For the purposes of the Agreement, and having regard to the nature of the relationship between the Parties as Joint Controllers, each Party may share Personal Data with the other Party, provided that it complies with the applicable Data Protection Laws.
4. Principles and Legal Basis for Processing
4.1. Each Party shall be responsible for ensuring that a valid legal basis exists for its processing and for being able to document that legal basis, e.g. to a supervisory authority.
4.2. Each Party shall be responsible for complying with the principles for the processing of Personal Data to the extent that such principles apply to its respective responsibilities under the Agreement.
5. Parties’ Personnel
5.1. Each Party shall restrict access to Personal Data to those persons who need such access for the purposes of the Agreement. Each Party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the applicable Personal Data, ensuring that all such persons are subject to confidentiality undertakings or to professional or statutory obligations of confidentiality.
6. Security
6.1. Taking into account the nature of the processing of Personal Data in the Services provided, both Parties shall maintain appropriate technical and organizational measures to ensure the security of the processing of Personal Data, including protection against unauthorized or unlawful processing of Personal Data and against accidental or unlawful destruction, loss, alteration or damage, unauthorized disclosure of, or access to, Personal Data. The Parties acknowledge and agree that the security measures in Annex B to this DPA constitute appropriate technical and organizational security measures to ensure a level of security appropriate to the risk.
7. Data Subject Rights
7.1. Both Parties undertake to give effect to the rights of Data Subjects and shall assist one another in handling Data Subjects’ requests. GoGlobal is primarily responsible for responding to requests by Data Subjects to exercise their rights and for providing information about the processing.
7.2. If Client receives a request or enquiry from a Data Subject, Client undertakes to (i) forward any such request or enquiry to GoGlobal without undue delay and (ii) where relevant, provide GoGlobal with all information related to that Data Subject’s request.
8. Use of Data Processors
8.1. Both Parties shall be entitled to use Data Processors in connection with the joint processing of Personal Data under the Agreement.
8.2. To the extent required by applicable Data Protection Laws, where Data Processors are used, both Parties shall be responsible for complying with the requirements of Article 28 of the GDPR. Each Party is accordingly obliged:
- to use only Data Processors that provide sufficient guarantees that they implement appropriate technical and organizational measures in such a way that the processing complies with the requirements of this DPA and ensures the protection of the Data Subject’s rights; and
- to ensure that a valid data processing agreement is in place between the Party and each Data Processor.
8.3. Each Party shall, upon request, inform the other Party whether Personal Data is processed by its Data Processors.
9. Transfer of Personal Data to Third Countries or International Organisations
9.1. Either Party may decide to transfer Personal Data to a third country or an international organisation.
9.2. Each Party shall be responsible for complying with the requirements of all applicable Data Protection Laws when transferring Personal Data to a third country or an international organisation.
10. Personal Data Breach
10.1. Both Parties undertake to implement internal procedures to identify, investigate and report any Personal Data Breach, so as to ensure compliance with applicable Data Protection Laws.
10.2. Each Party shall notify the other Party without undue delay upon becoming aware of a Personal Data Breach affecting the applicable Personal Data, providing the other Party with sufficient information to allow it to meet any obligation to notify competent supervisory authorities or inform Data Subjects, where required under applicable Data Protection Laws.
10.3. Each Party shall cooperate with the other Party and take commercially reasonable steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
11. Miscellaneous
11.1. This DPA shall not be modified or amended, unless mutually agreed in writing and signed by the authorized representatives of both Parties.
11.2. This DPA shall form an integral part of the Agreement and shall be governed by the terms specified in the Agreement. To the extent that any provision of the Agreement conflicts with, is inconsistent with, or creates ambiguity in relation to this DPA, the provisions of this DPA shall govern and control.
Version: 24-08
Effective date: August XX, 2024
Annex A – Personal Data Processing Purposes
1. Nature and Purpose of Personal Data Processing
a. Hiring of Worker
b. Onboarding of Worker
c. Administration of the Worker’s employment
d. Processing of payment of the Worker’s compensation and benefits
e. Offboarding of Worker
2. Categories of Personal Data
a. Registration information (e.g. name, date of birth, address, location, work start date, etc.)
b. Contact information (e.g. phone, email, license number, etc.)
c. Employment administration data (e.g. job title, performance data, training records, etc.)
d. Payroll data (e.g. national insurance number, social security number, salary, bank account number, etc.)
e. Professional qualification and work history (e.g. education history, certificates, CV, employment records, etc.)
f. Monitoring data (e.g. CCTV footage, building access card records, etc.)
3. Categories of Data Subjects
a. Workers
Annex B – Technical and Organizational Measures
1. Both Parties shall, in order to fulfill their legal obligations under Data Protection Laws, be obliged to take appropriate technical and organizational measures to protect the Personal Data which is processed. The measures shall at least result in a level of security which is appropriate taking into consideration:
a. existing technical possibilities;
b. the costs for carrying out the measures;
c. the particular risks associated with the processing of Personal Data; and
d. the sensitivity of the Personal Data which is processed.
2. Both Parties shall maintain adequate security of Personal Data. Both Parties shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organisational measures to be implemented by both Parties shall include as appropriate:
a. Data security controls, including the use of encryption for stored data and for messaging services.
b. Access controls, such as managed user permissions on systems, restricting access to data on a need-to-know basis, including processes to change or revoke permissions promptly.
c. Appropriate anti-virus and firewall protection for all IT systems, together with other security measures to protect against malicious damage.
d. Controls over software and system access, including restricting end-user access to defined platforms or access points that have the controls necessary to protect data and to enable remote data erasure.
e. A business continuity plan (BCP) and data recovery methods designed to restore the availability of, and mitigate the risk of loss of access to, Personal Data.
f. Incident management procedures and records allowing for the investigation, response, mitigation and notification of Personal Data Breaches and other pertinent assessments under this DPA.
g. Regular evaluation and testing of the security measures in place, including engaging outside consultants to audit the Party’s infrastructure.
h. Policies and procedures, including guidelines for sharing confidential or sensitive information, device and password policies, information security policies and other such policies.
i. Regular training to raise awareness across the organization of data protection measures and obligations, information security risks and other pertinent policies.