THE FOLLOWING TERMS AND CONDITIONS (“AGREEMENT”) SHALL APPLY TO ALL SERVICES PROVIDED BY ARETE (AS DEFINED BELOW) AND MAY BE AMENDED BY ARETE FROM TIME TO TIME. THESE TERMS AND CONDITIONS ARE TO BE READ TOGETHER WITH THE APPLICABLE QUOTE OR INVOICE (THE “INVOICE”) AND THE TERMS OF ANY SERVICE SELECTED BY CLIENT.

Definitions

“ARETE” means Arete Asia Pacific Pte Ltd (Registration No.: 201701535K), which term where the context permits shall include any present or future branches, affiliates, or subsidiaries thereof.

“Client” means persons for whom ARETE provides any services and such other persons or Authorised Persons who may have executed any agreement with ARETE.

“Authorised Person” means a natural person or the Client of ARETE who is authorised to act for the Client with full authority to act on behalf of the Client to give instructions to ARETE in relation to the services provided by ARETE.

“Services” means all or any service provided by ARETE to or on behalf of its Clients.

 

1. SUBJECT OF THESE DATA PROCESSING TERMS

1.1 The Customer (hereinafter referred to as the “Controller”) is the data controller, who determines the purposes for which and the way any Personal Data relating to any Data Subject is, or is to be, Processed.

1.2 Unit4 (hereinafter referred to as the “Processor”) is the data processor, who acts on behalf of the Controller without being subject to its direct authority.

1.3 The Processor will Process the Personal Data for the Controller (and Controller consents to the same) in accordance with Applicable Law and these Data Processing Terms including any schedules hereto.

1.4 For the purposes of these Data Processing Terms, the Data Protection Legislation includes the Singapore Personal Data Protection Act 2012 as varied and amended from time to time.

 

2. HANDLING AND PROTECTION OF PERSONAL DATA

Compliance with Data Protection Legislation
2.1 Both parties shall comply with all their obligations under the Data Protection Legislation.

Process, Use and Disclosure
2.2 The Processor shall only process, use or disclose Personal Data:

2.2.1 strictly for the purposes of fulfilling its obligations and providing the services required under the Agreement;

2.2.3 with the Controller’s prior written consent; or

2.2.4 when required by Applicable Law or an order of court, but shall notify the Controller as soon as practicable before complying with such Applicable Law or order of court at its own costs.

Transfer of personal data outside Singapore
2.3 The Processing of Personal Data takes place in the country/place or countries/places set out in the Agreement and the Controller hereby gives its explicit consent to such Processing. Save as consented to in the previous sentence, the Processor shall not transfer Personal Data to a place outside Singapore without the Controller’s further prior written consent. Personal Data transferred outside Singapore will be protected at a standard that is comparable to that under the Data Protection Legislation. If the Processor transfers Personal Data to any third party overseas, the Processor shall ensure any sub-processing by that third party takes place on comparable terms to these Data Processing Terms.

Security Measures
2.4 The Processor shall protect Personal Data in the Processor’s control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent unauthorised or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of Personal Data, or other similar risks. Details of such “reasonable security arrangements” can be provided on request.

2.5 The Processor shall only permit its authorised personnel to access the Personal Data.

Access to Personal Data
2.6 The Processor shall provide the Controller with access to the Personal Data that the Processor has in its possession or control, as soon as practicable upon Controller’s written request.

Accuracy and Correction of Personal Data
2.7 Where the Controller provides Personal Data to the Processor or inputs Personal Data into Controller applications, the Controller shall ensure that the Personal Data is accurate, complete, not corrupted and virus free before providing or inputting the same. Save where the Controller may correct errors itself, the Processor shall take steps to correct any errors in the Personal Data, as soon as practicable upon the Controller’s written request.

Retention of Personal Data
2.8 The Processor shall not retain Personal Data (or any documents or records containing Personal Data, electronic or otherwise) for any period longer than is necessary to serve the purposes of this Agreement.

2.9 The Processor shall, upon the request of the Controller:

2.9.1 return to the Controller, all Personal Data; or

2.9.2 delete all Personal Data in its possession, and, after returning or deleting all Personal Data, provide the Controller with written confirmation that it no longer possesses any Personal Data. Where applicable, the Processor shall also instruct all third parties to whom it has disclosed Personal Data for the purposes of this Agreement to return to the Processor or delete, such Personal Data.

Notification of Breach
2.10 The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach.

Responsibilities of the Controller
2.11 The Controller is responsible for the lawful Processing of the Personal Data and compliance with the Data Protection Legislation including, but not limited to, the protection of the rights of the Data Subjects.

2.12 The Controller shall be solely responsible for determining the purposes for which and the way in which the Personal Data is to be Processed.

2.13 The Controller is responsible for informing the Data Subjects and guaranteeing the rights that the Data Subjects can exercise based on the Data Protection Legislation and other applicable privacy laws and regulations and for communication with the Data Subjects.

2.14 The Controller warrants that the collected Personal Data is adequate, relevant and not excessive in relation to the purposes for which the Personal Data is transferred and (further) Processed.

2.15 The Controller shall inform the Processor, if errors or irregularities occur concerning the Processing.

2.16 The Controller shall make available all information that the Processor may need for the Processing, in a timely fashion.

2.17 The Controller shall be responsible and liable (as between the parties themselves and to the Data Subjects and the Data Protection Authority) for: (i) ensuring Data Subjects have given the appropriate consent to the processing of any Personal Data by the Processor (or any Sub-Processors); and (ii) any claims or complaints resulting from the Processor’s actions to the extent that such actions result from instructions received from the Controller.

 

Last Updated: July 2024