Data Processing Agreement (DPA) for HireSplit
Effective Date: 01/03/24
1. Introduction
This Data Processing Agreement ("Agreement") forms part of the Terms of Service ("Principal Agreement") between:
- (1) HireSplit LTD, a company registered in Hong Kong with Company Registry 76450160 and registered office at Rooms 1703-1704, 17/F Tung Chiu Commercial Centre, 193 Lockhart Rd, Wan Chai, Hong Kong ("Processor" or "HireSplit");
- (2) You ("Controller"), the client who has entered into the Principal Agreement for the use of HireSplit’s services.
2. Definitions
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data and privacy including without limitation the GDPR and any applicable national implementing laws regulations and secondary legislation as amended or updated from time to time.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller as described in Appendix 1.
- "Processing" means any operation or set of operations that is performed on Personal Data whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Processing of Personal Data
The Processor shall process Personal Data only on the documented instructions of the Controller including with regard to transfers of Personal Data to a third country or an international organization unless required to do so by Union or Member State law to which the Processor is subject; in such a case the Processor shall inform the Controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk as required under Article 32 of the GDPR.
4. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures insofar as this is possible for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR.
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
5. Sub-Processing
The Controller authorizes the Processor to engage sub-processors for carrying out specific processing activities on behalf of the Controller provided that the Processor informs the Controller of any intended changes concerning the addition or replacement of other processors thereby giving the Controller the opportunity to object to such changes.
Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
6. Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
Such notification shall at least:
- (a) Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- (b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- (c) Describe the likely consequences of the personal data breach;
- (d) Describe the measures taken or proposed to be taken by the Processor to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.
7. Deletion or Return of Personal Data
At the choice of the Controller, the Processor shall delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing and delete existing copies unless Union or Member State law requires storage of the Personal Data.
8. Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
9. General Terms
This Agreement is governed by the laws of Hong Kong.
Any dispute arising under or in connection with this Agreement shall be resolved in the courts of Hong Kong.
10. Separation of Roles
HireSplit acknowledges the distinction between users who join the platform organically under the name of HireSplit and clients who utilize HireSplit’s services. For users who apply organically, HireSplit serves as both the Processor and the Controller of their Personal Data.
Appendix 1: Details of Processing
Subject Matter: The subject matter of the data processing under this Agreement is the processing of Personal Data in connection with the services provided by the Processor to the Controller.
Duration: The duration of the data processing under this Agreement is for the duration of the provision of services.
Nature and Purpose of Processing: The Processor will process Personal Data as necessary to provide the services pursuant to the Agreement.
Types of Personal Data: The Personal Data processed may include [list types of data e.g. name, contact details, employment history, etc.].
Categories of Data Subjects: The Personal Data processed concerns the following categories of data subjects: [list categories e.g. job candidates, employees, etc.].
HireSplit Limited is registered in Hong Kong Company Registry: 76450160 Address: Rooms 1703-1704, 17/F Tung Chiu Commercial Centre, 193 Lockhart Rd, Wan Chai, Hong Kong