This Data Processing Agreement (the “Agreement”) relates to Terms of Use (“Master Agreement”) entered into between the Customer and the Provider, that may require the Provider to Process Personal Data on behalf of the Customer. This Agreement sets out the additional terms, requirements and conditions upon which the Provider will Process Personal Data when providing services under the Master Agreement.
AGREED TERMS
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions:
Business Purposes: the services to be provided by the Provider to the Customer as described in the Master Agreement or any related agreement and any other purpose specifically agreed as between the Parties.
Controller: means the Customer under this Agreement
Customer: means the Controller under this Agreement
Data Protection Legislation: means the Nigeria Data Protection Act 2023, the General Application & Implementation Directive 2025, as may be amended, revised or replaced from time to time.
Data Subject: has the meaning given under the Data Protection Legislation, including the employees of the Customer.
Personal Data: has the meaning given under the Data Protection Legislation and refers to the categories of Personal Data to be Processed by the Processor on behalf of the Controller, as communicated to the Controller by the Provider.
Processing, Processor, Processes, Processed, Process: means the Provider and its processing activities pursuant to this Agreement.
Personal Data Breach: has the meaning given under the Data Protection Legislation.
Provider: means Pade HCM Technology Limited.
1.2 This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.
1.3 The Annexes, if any, form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
1.4 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this Agreement and any provision contained in the Annexes, if any, the provision in the body of this Agreement will prevail.
(b) any of the provisions of this Agreement and the provisions of the Master Agreement in relation to the obligations of the Controller under the Data Protection Legislation and this Agreement, the provisions of this Agreement will prevail.
2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Customer is the Controller and the Provider is the Processor.
(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the Processing instructions it gives to the Provider.
2.2 The Controller represents and warrants that it shall obtain all necessary consents or rely on other lawful basis under the Nigeria Data Protection Act, 2023 to permit the processing of Personal Data by the Processor under this Agreement. The Processor shall not be responsible for verifying the adequacy of the lawful basis provided by the Controller.
2.3 The Processor shall process the categories of Personal Data on behalf of and upon the request of the data controller
2.4 The Purpose of Data Processing is to be determined by the data controller.
2.5 The duration of processing shall align with the duration of the Master Agreement unless terminated earlier under this Agreement.
3.1 The Provider will only Process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes. The Provider will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider shall use reasonable efforts to notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2 The Provider shall use reasonable efforts to comply with Customer’s written instructions requiring the Provider to amend, transfer, delete or otherwise Process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
3.3 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or such disclosure is required by any applicable law.
3.4 The Provider may reasonably assist, at Customer’s cost, the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's Processing and the information available to the Provider.
4.1 Each Party shall use reasonable endeavours to implement appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. Each Party shall use reasonable endeavours to implement such measures to ensure a level of security appropriate to the risk involved.
5.1 A Party shall without undue delay notify the other in writing if it becomes aware of any Personal Data Breach.
5.2 Where the Provider becomes aware of a Personal Data Breach, the notifying Party may also provide the other Party with the following written information:
(a) A description of the nature of the Personal Data Breach, including the categories of Personal Data affected and the approximate number of Data Subjects and records concerned
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
5.3 Immediately following any accidental, unauthorised or unlawful Personal Data Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Parties will reasonably co-operate with each other in the Customer's handling of the matter.
5.4 A party to this Agreement will not inform any third-party of any accidental, unauthorised or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by Data Protection Legislation.
5.5 The Controller shall fully indemnify and hold harmless the Processor in connection with any claims arising out of or related to the Controller’s breach of this Agreement or a breach of the relevant Data Protection Legislation,including any fraud, negligence or misconduct attributable to the actions or inactions of the Controller.
6.1 The Customer acknowledges that Provider may transfer and Process the Personal Data outside of Nigeria, where PaidHR, its affiliates or its sub-processors maintain Processing operations. Provider shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws.
7.1 The Provider may authorise any third party or subcontractor and sub-processors to Process the Personal Data. The Provider shall use reasonable efforts to ensure that such Processing activities are done in accordance with the Data Protection Legislation.
8.1 A Party must notify the other immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
8.2 Each Party shall notify the other within 3 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
8.3 Each Party will give each other reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.1 This Agreement will remain in full force and effect so long as:
(a) the Master Agreement remains in effect; or
(b) the Provider retains any of the Personal Data related to the Master Agreement in its possession or control
10.1 At the Customer's request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media
reasonably specified by the Customer.
10.2 On termination of the Master Agreement for any reason or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control, unless retention is required to comply with applicable Data Protection Legislation.
The Provider is not liable or responsible for any failure or delay in its performance under this Agreement due to causes beyond its reasonable control, including but not limited to acts of God, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, cyber attacks , floods, accidents, strikes, or shortages of transportation, fuel, energy, labor, or materials. This also includes interruptions in internet services or hosting providers.
12.1 Any notice given to the Processor under or in connection with this Agreement shall be in writing and may be sent via email to hello@paidhr.com.
12.2 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
13.1 Both Parties agree that in no event shall Processor’s aggregate and total liability under this Agreement to the Customer or any other third party, exceed the value of all fees paid by Customer to Processor in the last twelve (12) months immediately preceding the incident that gave rise to Customer’s claim.
14.1 If any provision of this Agreement is held to be invalid or unenforceable, then the remainder of this Agreement will remain valid and in force. The invalid or unenforceable provision will be either
(a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible; and
(b) interpreted as if the invalid or unenforceable provision had never been included.
14.2. In the event of any conflict or inconsistency between this Agreement and any other agreement, communication, or understanding between the Controller and the Provider, whether written or oral, or made after the date of this Agreement, this Agreement shall prevail and govern the relationship between the parties herein. Any other terms, conditions, or representations not expressly incorporated herein shall be deemed void to the extent of such conflict or inconsistency.
15.1 The Parties acknowledge that the processing of Personal Data inherently involves certain risks. including but not limited to unauthorized access, accidental loss, unlawful disclosure, alteration, and misuse of data. The Processor shall assess and document risks associated with its processing activities, taking into account the nature, scope, context, and purpose of processing. The Controller accepts and understands these inherent risks. The Processor shall implement appropriate technical and organizational measures, in line with applicable data protection laws to mitigate such risks. The Processor shall not be held liable for any Personal Data breach or incident arising from circumstances beyond its reasonable control, provided it has complied with its obligations under this Agreement and applicable law.
16.1 The Processor shall:
(a) Not use the Personal Data for any purpose other than as expressly authorised under this Agreement;
(b) Not retain Personal Data longer than necessary;
(c) Not disclose Personal Data to any third party without the prior written consent of the Controller;
(d) Not engage any sub-processor without prior notice and agreement from the Controller;
(e) Immediately inform the Controller if any instruction infringes applicable Data Protection Legislation.
17.1 This Agreement, including any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria.
The Parties shall endeavor, in good faith, to resolve any dispute arising out of or in connection with this Agreement through mutual consultation and negotiation within a period of one (1) month from the date either Party notifies the other of such dispute.
Where amicable resolution is not achieved within the stipulated period, the dispute shall be referred to arbitration under the auspices of the Lagos Multi-Door Courthouse (“LMDC”) and in accordance with the Arbitration and Mediation Act, 2023. The arbitration shall be conducted by a sole arbitrator with no less than five (5) years of post-qualification experience and demonstrable knowledge and practical expertise in data protection and privacy law.
The findings and award of the arbitrator shall be final and binding on the Parties. Each Party shall bear its own costs in connection with the arbitration proceedings. The seat and venue of arbitration shall be Lagos, Nigeria.