CONTROL OF PERSONAL DATA FOR PROFESSIONALS IN THE EUROPEAN UNION
These provisions apply when Globalization Partners has engaged Professional(s) in the European Union pursuant to the EOR Master Services Agreement (the “Agreement”) with Client.
1.1. The Parties’ performance under the Agreement may require control and processing of personal data belonging to individuals who are protected under the EU’s General Data Protection Regulation EU 2016/679 (GDPR) or other analogous data protection laws. To the extent the Parties may act as joint controllers with respect to personal data and sensitive personal data belonging to data subjects, that data will be considered “Shared Personal Data”. Where the Parties are not acting as joint controllers with respect to Shared Personal Data, the Parties agree they will act as independent controllers of information processed under the Agreement. These provisions define the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other with respect to personal data (including, where applicable, Shared Personal Data). Terms not otherwise defined herein have the meaning taken from the Agreement or privacy laws applicable to the data subject as appropriate.
1.2. The Parties may share personal data and sensitive personal data to the extent necessary to (i) perform and implement the terms of the employment agreement or other agreement for services with the Professional; and/or (ii) perform or conclude the terms of the EOR Services Agreement pursuant to which Client has contracted with Globalization Partners to engage the Professional (the “Agreed Purposes”).
1.3. With respect to performing and implementing the terms of the employment agreement or other agreement for services with the Professional, the Parties may share personal data such as data subject’s home and mailing addresses, contact and personal telephone numbers, email addresses, date of birth, tax information, salary and compensation information, passport information, government identifiers, employment history, and visa and work permit information to the extent required to achieve the Agreed Purposes. With respect to performing or concluding the terms of the EOR Services Agreement pursuant to which Client has contracted with Globalization Partners to engage the Professional, the Parties may share information such as data subject’s home and mailing addresses, contact and personal telephone numbers, email addresses, dates of birth, salary and compensation information, health benefit information, government identifiers, visa and work permit information. The Parties agree to share personal data only for the Agreed Purposes. The personal data collected or processed under the Agreement must not be irrelevant or excessive with respect to the Agreed Purposes and shall in all cases comply with the principles and other terms of the GDPR or other applicable law.
1.4. Globalization Partners’ Privacy Notices explain to data subjects the personal data Globalization Partners may collect, process and share, the circumstances in which it will be collected, processed, and shared, and the purposes for the data collection, processing and data sharing. The Parties agree to abide by the rights and obligations that attach to the personal data, including with regard to the security, confidentiality, integrity, use, and disclosure of the Shared Personal Data. Each party agrees promptly to notify the other if it determines it is no longer able to abide by the rights and obligations attached to the Shared Personal Data, and to cease using that data or otherwise to take appropriate steps to remediate. The Parties remain individually responsible for ensuring that their respective uses of the personal data (including any Shared Personal Data) comply with all applicable data protection and privacy laws and regulations.
1.5. The Parties agree to process personal data fairly and lawfully in compliance with this Agreement and all applicable laws, enactments, regulations, orders, standards, and other similar instruments that apply to such Party’s personal data processing operations, including with respect to subprocessors. Each Party shall ensure that its processing of personal data is limited to the Agreed Purposes and is based on a legal ground for lawful processing. Globalization Partners may make these provisions available to data subjects as required and upon their request.
1.6. Data subjects may have a right under applicable law to request that their personal data be corrected, amended, or erased (an “Access Request”). The Parties shall each maintain a record of Access Requests they receive in relation to personal data (including any Shared Personal Data) connected to the Agreement, the decisions made, and any personal data exchanged. The Parties agree that responsibility for complying with Access Requests is governed by applicable law; however, the Party receiving the Access Request shall notify the other party of such request. The Parties agree to provide reasonable and prompt assistance as is necessary to each other to enable them to comply with Access Requests and to respond to any other queries or complaints from data subjects.
1.7. Neither Client nor Globalization Partners shall retain or process personal data (including Shared Personal Data) for longer than is necessary to carry out the Agreed Purposes, and the Parties shall ensure that any personal data (including Shared Personal Data) is destroyed upon resolution of all matters relating to the termination of employment, for whatever reason, of the Professional linked to the personal data; except that the Parties may continue to retain personal data (including Shared Personal Data) in accordance with any applicable statutory or professional retention periods.
1.8. To the extent applicable, the Parties agree to implement appropriate technical and organizational measures to protect the personal data (including Shared Personal Data) in their possession against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The Parties each agree not to disclose or transfer personal data (including any Shared Personal Data) to third parties unless they first ensure that adequate and equivalent protections as provided for in the Agreement will be afforded to the personal data (including any Shared Personal Data) in compliance with applicable law.
1.9. The Parties agree to notify each other of any potential or actual losses of personal data (including Shared Personal Data) as soon as possible and, in any event, within one (1) business day of identification of any potential or actual loss, to enable the Parties to consider what action is required in order to resolve the issue in accordance with the applicable data protection laws and guidance. In connection with such a loss, the Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any data security breach in an expeditious and compliant manner. These obligations apply to any breaches of security which may compromise the security of the personal data (including Shared Personal Data).
1.10. In the event a data subject or a Data Protection Authority initiates a dispute or claim against either or both Parties regarding the processing of Shared Personal Data in connection with the Agreement, the Parties will inform each other about any such disputes or claims and will cooperate with a view to resolving them amicably in a timely fashion. Each Party shall nominate a single point of contact within their organization who can be contacted in respect of queries or complaints and/or compliance under the terms of these provisions.
1.11. If the applicable data protection and ancillary laws change in a way that these provisions no longer govern lawful data sharing exercises, the Parties agree that they will maintain compliance with the applicable data protection laws.