
Alight GDPR Terms

Effective date: July 2020

In the course of providing Services to an Alight client identified in any statement of work (“Client”), Alight may have access to Personal Data (as defined in the GDPR) provided by a Client Group Member. These GDPR Terms apply to the processing of such Personal Data within the scope of the GDPR by Alight on behalf of a Client Group Member. Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the underlying services agreement between Alight and Client (the “Agreement”).
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be incorporated into the Agreement. Except where the context requires otherwise, references in these GDPR Terms to the Agreement are to the Agreement as amended by, and including, these GDPR Terms.

1. Definitions
1.1 In these GDPR Terms, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • 1.1.1 "Applicable Laws" means all regional, national and international laws, rules, regulations and standards including those imposed by any governmental or regulatory authority which apply from time to time to the person or activity in the circumstances in question;
  • 1.1.2 "Client Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Client, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  • 1.1.3 "Client Group Member" means Client or any Client Affiliate;
  • 1.1.4 "Client Personal Data" means any Personal Data Processed by a Processor on behalf of a Client Group Member pursuant to or in connection with the Agreement;
  • 1.1.5 “Controller” means the Client or any Client Affiliate;
  • 1.1.6 "Data Protection Laws" means as the case may be, the GDPR and/or any other Applicable Law or regulation relating to the protection of personal data or personally identifiable information;
  • 1.1.7 "EEA" means the European Economic Area;
  • 1.1.8 "Effective Date" means the date on which the Processor first Processes Client Personal Data;
  • 1.1.9 "GDPR" means EU General Data Protection Regulation 2016/679;
  • 1.1.10 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data on systems managed by or otherwise controlled by Processor;
  • 1.1.11 "Processor" means Alight and/or a Processor Affiliate (who is bound by the terms of these GDPR Terms under section 3);
  • 1.1.12 "Processor Affiliate(s)" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Alight, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise, and which as of the Effective Date includes the entities listed in Annex 2, which Alight may update upon reasonable notice to Client;
  • 1.1.13 "Restricted Transfer" means a transfer of Client Personal Data where such transfer would be prohibited under Article 44 of the GDPR without the Standard Contractual Clauses (or another appropriate safeguard) applying;
  • 1.1.14 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Processor for Controller pursuant to the Agreement;
  • 1.1.15 "Standard Contractual Clauses" means (i) the standard contractual clauses of which the European Commission on the basis of Article 26(4) of Directive 95/46/EC decided that these offer sufficient safeguards for the transfers of personal data to a third country; or (ii) the data protection clauses adopted by the European Commission or by a Supervisory Authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of GDPR. Data protection clauses adopted in accordance with GDPR shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they intend to cover the same kind of data transfer relationship; and
  • 1.1.16 "Subprocessor" means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any employee of its sub-contractors) appointed by or on behalf of Processor to Process Personal Data on behalf of Controller in connection with the Agreement.

1.2 The terms, "Commission", "Data Subject", "Member State", "Personal Data", "Processing," (including “Process” and “Processed”) and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Duration of GDPR Terms
These GDPR Terms will take effect on the Effective Date and, notwithstanding expiry of the Agreement, remain in effect until, and automatically expire upon, deletion of all Client Personal Data by Processor as described in these GDPR Terms.

3. Authority
3.1 Processor warrants and represents that, before any Processor Affiliate Processes any Client Personal Data on behalf of Controller, Processor's entry into these GDPR Terms as agent for and on behalf of that Processor Affiliate will have been duly and effectively authorised (or will be subsequently ratified) by that Processor Affiliate.

4. Processing of Client Personal Data
4.1 Processor shall:

  • 4.1.1 comply with all applicable Data Protection Laws in the Processing of Client Personal Data; and
  • 4.1.2 not Process Client Personal Data other than on the relevant instructions of Controller unless Processing is required by Data Protection Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Data Protection Laws inform the Controller of that legal requirement before the relevant Processing of that Client Personal Data.

4.2 Controller:

  • 4.2.1 instructs Processor to:
    • 4.2.1.1 Process Client Personal Data; and
    • 4.2.1.2 in particular, transfer Client Personal Data to any country or territory (subject to compliance with section 13 (Restricted Transfers)),
    in each case as reasonably necessary for the provision of the Services and consistent with the Agreement; and
  • 4.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 4.2.1 on behalf of each relevant Client Affiliate.

4.3 Annex 1 to these GDPR Terms sets out certain information regarding the Processor's Processing of the Client Personal Data as required by Article 28(3) of the GDPR. Controller may make reasonable amendments to Annex 1 by written notice to Processor from time to time as Controller reasonably considers necessary to meet those requirements. Nothing in Annex 1, including as amended pursuant to this section 4.3, confers any right or imposes any obligation on any party to these GDPR Terms.

5. Processor and Processor Affiliate Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Processor or of any Subprocessor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Client Personal Data, as strictly necessary for the purposes of the Agreement and to comply with Data Protection Laws in the context of that individual's duties to the Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

6. Security
6.1 Taking into account industry standards, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
6.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

7. Subprocessing
7.1 Controller authorises Processor to appoint (and permit each Subprocessor appointed in accordance with this section 7 to appoint) Subprocessors in accordance with this section 7 and any restrictions in the Agreement.
7.2 Processor may continue to use those Subprocessors already engaged by Processor as at the Effective Date, subject to Processor in each case as soon as practicable providing the information required in section 7.4.
7.3 Processor shall give Controller prior written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor. If, within 10 business days of receipt of that notice, Controller notifies Processor in writing of any objections to the proposed appointment due to a reasonable belief that such Subprocessor may not be able to comply with the Data Protection Laws, Processor shall work with Controller in good faith to make available materials and documentation evidencing Subprocessor’s ability to comply with the Data Protection Laws.
7.4 With respect to each Subprocessor, Processor shall:

  • 7.4.1 before the Subprocessor first Processes Client Personal Data (or, where relevant, in accordance with section 7.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Client Personal Data required by the Agreement;
  • 7.4.2 ensure that the arrangement between Processor and Subprocessor (or Subprocessor and other Subprocessor) is governed by a written contract including terms which offer at least the same level of protection for Client Personal Data as those set out in these GDPR Terms and meet the requirements of article 28(3) of the GDPR; and
  • 7.4.3 provide to Controller for review such terms of the arrangements under section 7.4.2 (which may be redacted to remove confidential commercial information not relevant to the requirements of these GDPR Terms) as Controller may reasonably request from time to time for satisfaction of Controller’s compliance responsibilities.

7.5 Processor shall ensure that each Subprocessor performs the obligations under sections 4.1, 5, 6, 8.1, 9.2, 10 and 12.1, as they apply to Processing of Client Personal Data carried out by that Subprocessor, as if it were party to these GDPR Terms in place of Processor.

8. Data Subject Rights
8.1 Processor shall provide all reasonable assistance to Controller for the fulfilment of Controller obligations to respond to requests to exercise data subject rights under the Data Protection Laws including, without limitation, those described in Chapter III of the GDPR.
8.2 Processor shall:

  • 8.2.1 promptly notify Controller if any Processor receives a request from a Data Subject under any Data Protection Laws in respect of Client Personal Data; and
  • 8.2.2 ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Data Protection Laws inform Controller of that legal requirement before the Processor responds to the request.

9. Data Breach
9.1 Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects and/or the relevant Supervisory Authority of the Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:

  • 9.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
  • 9.1.2 communicate the name and contact details of Processor's data protection officer or other relevant contact responsible for compliance with Data Protection Laws;
  • 9.1.3 describe the likely consequences of the Personal Data Breach; and
  • 9.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

9.2 Processor shall co-operate with Controller and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

10. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by the Data Protection Laws, in each case solely in relation to Processing of Client Personal Data by Processor, and taking into account the nature of the Processing and the information available to Processor.

11. Deletion or return of Client Personal Data
11.1 Subject to section 11.2, following termination or expiry of the Agreement for whatever reason, Processor shall (upon written request of Controller) (a) return a complete copy of all Client Personal Data to Controller by secure file transfer in Processor’s customary format; and (b) delete and/or procure the deletion of all other copies of Client Personal Data Processed by Processor or any Subprocessor. Processor shall comply with any such written request within 20 business days of the date of termination of the Agreement.
11.2 Processor may retain Client Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processor shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
11.3 Upon written request by Controller, Processor shall provide written confirmation to Client that Processor and each Subprocessor has fully complied with this section 11.

12. Audit rights
12.1 Subject to sections 12.2 and 12.3, Processor shall make available to Controller on request all information reasonably necessary to demonstrate compliance with these GDPR Terms, and shall allow for audits by Controller or any Client Group Member or an auditor reasonably requested by any Client Group Member in relation to the Processing of the Client Personal Data by Processor (and any Subprocessor).
12.2 Information and audit rights of Controller and Client Group Members only arise under section 12.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
12.3 Controller or the relevant Client Affiliate undertaking an audit shall give Processor reasonable notice of any audit or inspection to be conducted under section 12.1 and shall ensure that it and each of its mandated auditors avoid causing (or, where this cannot be avoided, minimize) any damage, injury or disruption to Processor’s (and any relevant Subprocessor’s) premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit. Processor need not give access to its premises for the purposes of such an audit or inspection to any individual unless he or she produces reasonable evidence of identity and authority.

13. Restricted Transfers
13.1 To the extent the parties anticipate a Restricted Transfer, Controller and Processor hereby enter into the Standard Contractual Clauses at https://alight.com/sccterms, with Controller as data exporter and Processor as data importer.
13.2 The Standard Contractual Clauses shall come into effect on the commencement of the Restricted Transfer. In the event of any conflict or inconsistency between these GDPR Terms and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

14. General Terms
14.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:

  • 14.1.1 the parties to these GDPR Terms hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under these GDPR Terms, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
  • 14.1.2 these GDPR Terms and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

14.2 Should any provision of these GDPR Terms be invalid or unenforceable, then the remainder of these GDPR Terms shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
14.3 Where Applicable Laws require these GDPR Terms be signed, Alight will execute a version of these GDPR Terms upon written request by Client. Please contact your usual account representative or Alight at privacycontracts@alight.com if you would like an executed version of these GDPR Terms.

Annex 1

Details of the Processing

Processor and Controller agree that for the operations specified below the Client Personal Data shall be Processed in accordance with the terms of the Agreement, together with any amendments agreed from time to time between the parties in writing.

1. Operations
The processing operations to be carried out under these GDPR Terms are as follows: Processor may receive, access or download Client Personal Data through a secure file share application, may access or download it from Controller’s own server, or may receive Client Personal Data directly from Client or a data subject via telephone, mail or by a data subject accessing the Processor web site. Processor will perform consulting and/or human resources administration services that may include:

  • a. provide data processing software, equipment, and services through various tools, applications and vendors;
  • b. maintain Client Personal Data (and other non-Personal Data) through modification, enhancement, and/or deletion;
  • c. prevent unauthorized access to or modification of Client Personal Data (and other non-Personal Data);
  • d. program, print and assemble, review, and modify statements as directed by Controller;
  • e. distribute statements to individual employees as directed by Controller; and
  • f. provide reference materials as requested by Controller.

The purpose of the processing operations above is to provide the Services in accordance with the Agreement.

2. Data Subjects
The Personal Data Processed by Processor on behalf of Controller concern the following categories of data subjects: current, former and/or prospective directors and employees of Client and Client Group Members.

3. Categories of Personal Data
The Personal Data Processed by Processor comprise the following categories: Identification data that may include but is not limited to full name, employee identification number, email address, salary and employment history, benefits information, professional qualifications, previous employment, salary and benefits, time records, performance records, appraisals, training needs assessments, and such other data that may be transferred from (or on behalf of) Controller to Processor for processing services related to human resources administration and/or consulting services.

Annex 2

Processor Affiliates

Europe
ALIGHT SOLUTIONS EUROPE SP ZOO. Enterprise Park Building E, Al. Powstancow Wielkopolskich 13G, 30-707 Kraków, Poland
ALIGHT SOLUTIONS PROFESSIONAL SERVICES IRELAND LIMITED CSC Capital Markets (Ireland), 3rd Floor, Fleming Court, Fleming’s Place, Dublin 4, Ireland
NORTHGATEARINSO POLAND SP ZOO. Sciegiennego 3 Str, 40-114 Katowice, Poland
ARINSO IBERICA S.A.U. Edificio America II , C/Procion 7; Puerta 3; Planta 1a, 28023, Madrid, Spain
ARINSO DENMARK APS Høffdingsvej 34, 2500 Valby, Denmark
ARINSO FINLAND OY Urho Kekkosen katu-4-6E, 0100 Helsinki, Finland
ARINSO FRANCE SAS West Plaza, 9-11 rue du Débarcadère, 92700 COLOMBES Paris, France
NORTHGATEARINSO DEUTSCHLAND GMBH Waldecker Strasse 9, 64546 Mörfelden-Walldorf, Germany
NORTHGATEARINSO NEDERLAND B.V. Nevelgaarde 9, NL-3436 ZZ Nieuwegein, The Netherlands
ARINSO PORTUGAL SISTEMA DE SOFTWARE E SERVICOS, S.A. Av. Jose Malhoa, nº 2, 2º, Escritorio 28, 1150 278 Lisbon, Portugal
NORTHGATEARINSO SWEDEN AB Wallingatan 34, 111 24 Stockholm Sweden
ALIGHT SOLUTIONS EUROPE ESC LIMITED 25 Canada Square, 37th Floor, Canary Wharf, London E14 5LQ, UK
Americas
ALIGHT SOLUTIONS LLC 4 Overlook Point, Lincolnshire IL 60069, USA
CARLSON MANAGEMENT CONSULTING, LLC 4 Overlook Point, Lincolnshire IL 60069, USA
ALIGHT CANADA N.S. ULC 1959 Upper Water Street, Suite 900, Halifax, B3J 3N2, Nova Scotia, Canada
ALIGHT FINANCIAL ADVISORS, LLC c/o Corporation Service Company, 251 Little Falls Drive, Wilmington, DE 19808, USA
ALIGHT FINANCIAL SOLUTIONS, LLC c/o Illinois Corporation Service Company, 801 Adlai Stevenson Drive, Springfield, IL 62703, USA
ALIGHT SOLUTIONS CARIBE, INC. 304 Ponce de Leon Ave., Suite 1000, San Juan, Puerto Rico 00918
ALIGHT SOLUTIONS BENEFIT PAYMENT SERVICES, LLC c/o Illinois Corporation Service Company, 801 Adlai Stevenson Drive, Springfield, IL 62703 USA
NORTHGATEARINSO LLC 8880 Freedom Crossings Trail, Prominence 400, Jacksonville, FL 32256, USA
NORTHGATEARINSO BRAZIL INFORMATICA LTDA Alameda Madeira Numero 53, 5 andar, conjunto 52, Alphaville, Sao Paulo, Brazil
APAC
ALIGHT SERVICES, INDIA PRIVATE LIMITED 710, Ansal Chambers II, 6, Bhikaji Cama Place, New Delhi - 110066 India
ALIGHT SOLUTIONS PTE, LIMITED 24 Raffles Place #19-05 Clifford Centre SINGAPORE 048621
ALIGHT SOLUTIONS PRIVATE LIMITED Shega Limited, 1st Floor, CTS House, 78-83 Connaught Road Central, Hong Kong
FUTURE KNOWLEDGE PTY LTD. KSR Partners Pty Ltd, G1 Oxley Road, Hawthorn VIC 3122 Australia
NGA HR INDIA PVT LTD Unit 2A,Phase 2, Carnival Infopark, Kususmagiri, Kakkanad, Kochi-30, 682030, India
ARINSO INTERNATIONAL PHILIPPINES INC 4/F Building 1 , ETON Cyberpod, Corinthian Ortigas Avenue. Quezon City 1110 , Philippines