This Data Protection Agreement sets out the framework under which Worknation lawfully transfers, processes and protects personal data across international borders, including with the partners that support career growth, skill development and job placement on the platform.
This Data Protection Agreement for Cross-Border Data Sharing (the “Agreement”) is entered into between the Parties identified below.
Between
Worknation Platform FZC, a company incorporated under the laws of the United Arab Emirates, having its registered office at Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates, hereinafter referred to as the “Data Exporter”.
And
CareerBox, a company incorporated under the laws of South Africa, having its registered office at CCI House 2, 11 Park Avenue, Durban, KwaZulu-Natal, South Africa, hereinafter referred to as the “Data Importer”.
The Data Exporter and the Data Importer are collectively referred to as the “Parties”.
1. Recitals
- The Data Exporter intends to transfer certain personal data and documentation to the Data Importer located outside its primary data hosting and storage locations for purposes that include career growth, skill development, and job placement.
- This Agreement sets forth the terms and conditions under which personal data will be lawfully transferred, processed, and protected to ensure the privacy and rights of clients and data subjects.
2. Definitions
- Personal Data: Information relating to an identified or identifiable natural person, including names, identification numbers, location data, online identifiers, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
- Processing: Any operation performed on personal data such as collection, storage, use, disclosure, transmission, or destruction.
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the Data Controller.
- Sub-processor: Any third party engaged by the Data Importer to process personal data.
- Cross-Border Data Transfer: The transmission of personal data from one country’s jurisdiction to another.
- Applicable Laws: All relevant data protection and privacy laws including, but not limited to, the General Data Protection Regulation (GDPR), the Personal Data Protection Law (PDPL), ISO 27001:2022, and any legislation applicable in either Party’s jurisdiction.
3. Purpose and Scope of Processing
3.1 The Data Importer shall process personal data solely for purposes that include career growth, skill development, and job placement.
3.2 The subject matter, nature, and types of personal data processed include names, contact details, gender, date of birth, educational qualifications, and other relevant information required to deliver the services.
3.3 Categories of data subjects include talents, sponsors, employers, mentors, and other stakeholders engaged with the Worknation platform.
3.4 The duration of processing shall be limited to the period necessary to fulfil the agreed purpose or as required by law.
4. Legal Basis and Consent
4.1 The Data Exporter confirms that all personal data transferred is collected and processed with a valid legal basis under applicable laws, including explicit consent where required.
4.2 The Data Importer agrees to comply with all applicable privacy laws and regulations and to respect data subjects’ rights.
5. Cross-Border Data Transfer and Compliance
5.1 The Parties acknowledge that personal data may be transferred across international borders.
5.2 Such transfers shall comply with all relevant legal requirements, including:
- Use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) wherever required under applicable laws.
- Compliance with the ISO 27001:2022 framework to facilitate lawful data transfers and interoperability.
- Adherence to adequacy decisions or equivalent safeguards recognised by relevant authorities.
5.3 The Data Importer shall notify the Data Exporter promptly if any local laws or government requests conflict with this Agreement or data protection obligations.
6. Data Hosting and Storage Location
6.1 Personal data will be stored in secure data centres located within the United States, the European Union, Africa, or other required locations.
6.2 Approved hosting providers include AWS, Rack Centre, and MainOne or any other facility that meets equivalent certification standards.
6.3 Where cloud infrastructure is used, region-specific data residency rules will be enforced to ensure compliance with local laws.
7. Data Residency and Segmentation
7.1 Personal data will remain logically segmented and stored according to region-specific data residency rules, unless otherwise approved in writing by the data subject or mandated by law.
7.2 All storage systems will apply strict access controls, role-based permissions, and encryption at rest and in transit.
8. Security Measures
8.1 The Data Importer shall implement and maintain appropriate technical and organisational measures consistent with internationally recognised standards, including:
- ISO/IEC 27001 Information Security Management System (ISMS).
- ISO/IEC 27701 Privacy Information Management System (PIMS).
- Encryption of personal data at rest and in transit using industry-standard protocols such as TLS and AES-256.
- Access controls ensuring only authorised personnel can access personal data.
- Regular security risk assessments and audits.
- Incident response and breach notification procedures compliant with GDPR Article 33 and other applicable laws.
8.2 The Data Importer shall notify the Data Exporter without undue delay, and within 72 hours, of any personal data breach affecting the data transferred under this Agreement.
9. Sub-processors
9.1 The Data Importer shall not engage sub-processors without prior written consent from the Data Exporter.
9.2 Approved sub-processors shall be bound by data protection obligations equivalent to those set out in this Agreement.
9.3 The Data Importer remains fully liable for the acts and omissions of its sub-processors.
10. Data Subject Rights
10.1 The Data Importer shall assist the Data Exporter in fulfilling obligations related to data subject requests, including the rights to access, rectification, erasure, restriction, portability, and objection.
10.2 Assistance shall include timely provision of information and cooperation necessary to comply with legal timeframes.
11. Data Retention, Deletion, and Return
11.1 Upon expiration or termination of this Agreement, or upon request by the Data Exporter, the Data Importer shall, at the Data Exporter’s direction, securely return or delete all personal data processed under this Agreement.
11.2 Data deletion shall be performed in a manner that prevents recovery or reconstruction.
11.3 The Data Importer shall certify in writing the completion of data return or deletion.
12. Confidentiality
12.1 Both Parties shall maintain strict confidentiality of personal data and shall not disclose it to any unauthorised third parties except as required by law or with prior written consent.
12.2 All personnel authorised to process personal data shall be subject to confidentiality obligations.
13. Audit and Compliance
13.1 The Data Importer shall allow the Data Exporter, or an appointed auditor, to conduct audits or inspections to verify compliance with this Agreement upon reasonable notice.
13.2 The Data Importer shall provide all necessary information and assistance to demonstrate compliance.
14. Liability and Indemnification
14.1 Each Party shall be liable for damages arising from its breach of this Agreement or applicable data protection laws.
14.2 The Data Importer shall indemnify and hold harmless the Data Exporter against any claims, penalties, or damages resulting from the Data Importer’s failure to comply with this Agreement.
15. Governing Law and Dispute Resolution
15.1 This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
15.2 Any disputes arising out of or relating to this Agreement shall be resolved by arbitration in England.
16. Miscellaneous
16.1 This Agreement constitutes the entire understanding between the Parties regarding data protection and supersedes all prior agreements.
16.2 Amendments or modifications must be in writing and signed by authorised representatives of both Parties.
16.3 If any provision of this Agreement is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.
17. Execution
This Agreement is executed by the duly authorised representatives of Worknation Platform FZC and CareerBox.
Summary of Global Compliance and Client Protection
- The Agreement aligns with leading global privacy laws such as GDPR, PDPL, CCPA, LGPD, and the DPDP Act to ensure lawful data processing and transfer.
- It incorporates internationally recognised security standards, including ISO/IEC 27001 and ISO/IEC 27701, to protect data confidentiality, integrity, and availability.
- The ISO 27001:2022 framework is integrated to support trustworthy and interoperable cross-border data transfers.
- Detailed clauses on sub-processors, data subject rights, breach notification, and audit rights reinforce transparency and accountability.
- Clients’ personal data rights are safeguarded through defined mechanisms for consent, access, correction, deletion, and objection.
- Liability and indemnification provisions provide legal recourse and protection against misuse or breaches.