Data Protection Agreement
The Data Processing Agreement/DPA forms part of the Terms of Service.
- Global Shares has agreed to provide certain services to you (Global Shares and you together being “the Parties”) under the Terms of Service. The services involve the processing of Personal Data. A Data Record covering the specific processing activities for the services is attached to this Data Protection Agreement (“DPA”);
- The provisions of this DPA govern the processing of Personal Data pursuant to the Terms of Service;
- This DPA is a separate legal agreement between the Parties relating to the processing of Personal Data under the Terms of Service. This DPA shall take precedence over the Terms of Service in case of any conflict; and
- This DPA seeks to protect Personal Data when transferred between the Parties.
1. DEFINITIONS AND INTERPRETATION
1.1. Capitalised terms used but not defined in this DPA shall have the meaning given to them in the Agreement.
1.2. The following definitions shall apply for the purposes of this DPA:
Controller: has the meaning provided in the GDPR;
Data Protection Laws: means the GDPR and any other applicable data protection legislation, including the Data Protection Acts 1988 to 2018 of the Republic of Ireland;
Data Record: is the record of processing attached as Annex 1 to this Data Processing Agreement;
Processor: has the meaning provided in the GDPR;
Security Event: means an incident which resulted in (or may result in) the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Personal Data while in the custody or control of Global Shares;
Standard Contractual Clauses (SCCs): are standard sets of contractual terms and conditions, issued by the European Commission, which the sender and the receiver of personal data both sign up to, aimed at protecting Personal Data going to a Third Country through contractual obligations in compliance with the GDPR’s requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects;
Sub-Processor: means another Processor engaged by Global Shares in carrying out processing activities in respect of the Personal Data on behalf of Global Shares and authorised by you in accordance with this Data Processing Agreement and the Data Record; and
Third Country: means any country outside the European Economic Area (“EEA”) that has not been recognised by the European Commission as providing an adequate level of protection for Personal Data.
1.3. The terms “data subject” and “processing” have the meanings set out in the GDPR (and related terms such as “process” have corresponding meanings).
1.4. You acknowledge that where:
- The Parties independently determine the purpose and means of Processing Personal Data pursuant to the Agreement then each of them is an independent Controller of such Personal Data and the provisions of Section A shall apply;
- You instruct Global Shares, as a Controller, such that you determine the purpose of Processing and Global Shares is solely following those instructions in its Processing activities then you are the Controller and Global Shares is a Processor and the provisions of Section B shall apply.
SECTION A: PROCESSING BY INDEPENDENT CONTROLLERS
2. CONTROLLER ENTITIES
2.1. Where the Parties are independent Controllers of Personal Data, each Party is separately responsible for its own Processing activities and for informing Data Subjects of the Processing purposes and any other information required under the GDPR in respect of all Personal Data which the relevant Party holds.
2.2. Global Shares will operate as a Controller of Personal Data under the following circumstance:
• Processing of your data for the purpose of receipt of Fees.
2.3. For the purposes of any processing of Personal Data where each Party is a Controller of the relevant Personal Data, each Party will:
• ensure that it has all necessary notices and consents in place to enable lawful transfer of the Personal Data;
• give full information to any Data Subject whose Personal Data may be Processed under this Agreement of the nature of such Processing;
• Process the Personal Data only for the purposes agreed;
• ensure that staff involved in the Processing of Personal Data are subject to obligations of confidentiality to ensure that the Personal Data is kept safe and secure; and
• ensure that a Data Subject can exercise its rights under the GDPR in respect of the Personal Data.
2.4. The provisions of the Standard Contractual Clauses attached hereto at Annex 2 are hereby incorporated into this Agreement, and each Party agrees to the requirements of those provisions, for the purposes of any transfer between the Parties where one of the Controller Parties is in a Third Country for the purposes of the relevant transfer.
SECTION B: CONTROLLER TO PROCESSOR PROCESSING
3.1. As part of the services, Global Shares will process Personal Data on your behalf where Global Shares is a Processor and you are a Controller of the relevant Personal Data.
3.2. This Section B and the Data Record specify the processing activities and the obligations of the Parties where Global Shares is a Processor of the relevant Personal Data and you are the Controller.
4. OBLIGATIONS OF GLOBAL SHARES
4.1. Global Shares in its role as Processor will:
• comply with the Data Protection Laws in connection with all processing of Personal Data undertaken hereunder;
• process Personal Data provided for the Services only for the purposes of providing the Services and in accordance with your instructions, including transfers of Personal Data to any Sub-Processor as further described in clause 8 below. Global Shares shall inform you in the event that any instruction provided by you infringes the Data Protection Laws;
• ensure that all staff processing Personal Data are subject to obligations of confidentiality to ensure that the Personal Data is kept safe and secure;
• provide the SaaS in accordance with the technical and organisational measures agreed as part of the Terms of Service, which shall in any event be appropriate to the SaaS and the nature of the processing undertaken by Global Shares;
• assist you, insofar as this is possible, in taking appropriate technical and organisational measures to respond to data subjects’ rights, as further described in clause 7 below;
• provide all information reasonably requested by you for the purposes of responding to a Security Event, as further described in clause 6 below;
• provide all information reasonably requested by you, for the purposes of any data protection impact assessment undertaken pursuant to Article 35 and Article 36 of the GDPR;
• delete or return (at your choice), all Personal Data at the end of the retention period specified in the Data Record unless Global Shares is legally required to retain the Personal Data;
• make available to you all information necessary to demonstrate compliance with the Terms of Service and allow for, and contribute to audits, as further described in clause 9 below; and
• notify you, as soon as reasonably practicable, of any violation of the Data Protection Laws or of the provisions of this Data Processing Agreement committed by Global Shares, or by persons employed by Global Shares, within the scope of the Terms of Service.
4.2. The names of Global Shares’ and your designated contacts for all data protection issues that fall within the scope of the Terms of Service are set out in the Data Record.
4.3. You acknowledge that Global Shares is reliant on you for direction as to the extent to which Global Shares is entitled to process the Personal Data. Consequently, Global Shares will not be liable for any claim brought by a Data Subject arising from any action or omission by Global Shares, to the extent that such action or omission resulted directly or indirectly from your instructions.
5. YOUR OBLIGATIONS
5.1. You will comply with the Data Protection Laws.
5.2. You must ensure, where applicable, that you have complied with Article 6 and Article 9 of the GDPR in connection with all Personal Data provided to Global Shares, so that you have a lawful basis for processing the Personal Data.
5.3. You acknowledge that Global Shares is reliant on you for direction as to the extent to which Global Shares is entitled to process the Personal Data. Consequently, Global Shares will not be liable for any claim brought by a data subject arising from any action or omission by Global Shares, to the extent that such action or omission resulted from your instructions.
6. SECURITY EVENT
6.1. Global Shares shall without undue delay (and in any event no later than forty-eight (48) hours after becoming aware of, receiving a notification regarding, or first suspecting a Security Event) notify you of the Security Event.
6.2. Global Shares shall provide you with detailed information about:
• the nature of the Security Event including the categories and approximate number of data subjects and Personal Data records concerned;
• the steps Global Shares has taken to address the Security Event.
6.3. Global Shares shall:
• take all necessary steps to mitigate the effects and to minimise any damage resulting from the Security Event and to prevent a recurrence of such Security Event; and
• provide such assistance and cooperation as you require in responding to the Security Event including in relation to notifying any relevant regulatory authority and/or data subject of the Security Event always provided that no action shall be taken in relation to such notifications without written instructions from you.
7. DATA SUBJECT RIGHTS REQUESTS
7.1. If you have an obligation to provide a data subject with information on the processing of their Personal Data, Global Shares will assist you in making this information available. You must request Global Shares’ assistance in writing, specifying the Personal Data required. Global Shares shall not respond directly to any data subject request for information; it shall refer the data subject to you and inform you in writing of the details of any request received as soon as possible.
7.2. If a data subject requests Global Shares to correct, delete or block Personal Data, Global Shares shall refer the data subject to you and inform you in writing of the details of the request.
8.1. You approve the Sub-Processors specified on the Global Shares website (currently posted at https://www.globalshares.com/global-shares-sub-processor-list-cap/), and it is acknowledged that Global Shares may provide those approved Sub-Processors with Personal Data in order to provide the Services under the Terms of Service.
At least thirty (30) days (the “Notice Period”) before Global Shares engages any new Sub-Processor to carry out processing activities under this Agreement, Global Shares will update the applicable website and provide notice to you of that update. If no objection is received during the Notice Period, you will be deemed to have authorised the new Sub-Processor.
8.2. If you object to a new Sub-Processor during the Notice Period, and such objection is reasonable (for example, an objection based on the relevant Sub-Processor’s inability to comply with Data Protection Law), then Global Shares will undertake commercially reasonable efforts to remedy the situation. If Global Shares continues with the appointment of the relevant Sub-Processor without ensuring the Sub-Processor’s compliance with Data Protection Law, then you shall be entitled to terminate the Terms of Service on three (3) months’ notice to Global Shares, paying on a pro-rata basis any amounts due until the date of termination.
8.3. Global Shares will ensure that any Sub-Processor it engages is bound by materially the same terms and conditions as are imposed on Global Shares under the Terms of Service.
8.4. The Data Record will specify any Sub-Processors you agree may be used by Global Shares in order to provide the Services. In the event that Global Shares uses any Sub-Processor situated in a Third Country, Global Shares will ensure that a transfer mechanism compliant with the GDPR, such as Standard Contractual Clauses or binding corporate rules, is used to transfer the Personal Data.
9. AUDIT AND ASSESSMENT
9.1. Global Shares will allow its implementation of, and compliance with, its obligations under this Data Processing Agreement to be audited by you, or by an external auditor approved by you, at least annually, subject to the payment of pre-agreed fees for the audit. If and insofar as the audit indicates that Global Shares’ compliance falls short in one or more respects, Global Shares will make concrete proposals for improvement, where possible in the context of its continuous improvement programme.
9.2. If the audit/assessment identifies any gaps in Global Shares’ processing activities that are not compliant with this Data Processing Agreement or the relevant Data Protection Laws, you have the right to ask Global Shares to update the technical and organisational security measures taken so that they are in line with the relevant requirements. Global Shares will provide all reasonable cooperation and, as soon as reasonably practicable, implement the necessary modifications indicated by you.
ANNEX 1 – DATA RECORD
You (“The Customer”):
Supplier: Global Shares
Supplier Contact Name: [email protected]
Subject-matter of processing activity:
Supplier provides the following Services and Processes Personal Data for the purposes of performing the Services under the Terms of Service.
Duration of processing:
Term of contract plus 30 days
Nature and purpose of processing:
Management of company ownership including investor details, percentages of ownership, equity dilution and the value of company’s shares.
Categories of Data Subject:
Shareholders including Customer employees and ex-employees and investors
Type of Personal Data processed as part of the Services:
Special Categories of Personal Data processed as part of the Services:
No special category data
Permitted Sub-Processors and transfers:
Technical and Organisational Measures:
This document is intended to provide a mid-level overview of Global Shares’ Information Security Policy and Procedures. The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information and information on paper.
This policy shall be reviewed annually, or after any change to the business processes that would require additional policies and controls. The review shall be completed jointly by the IT Security Officer and the Legal / Compliance Team, or by their designee(s).
All new employees shall be made aware of Global Shares’ Information Security Policy, shall acknowledge the requirements thereunder, and shall agree to adhere to it. Annual training will take place to ensure all employees remain aware of and familiar with the company’s policy. Any changes made to this policy during the year shall be communicated to all employees.
This policy shall be tested jointly by the IT Security Officer and the Legal / Compliance Team, or by their designee(s), every six months. Test results shall be shared with the Risk Management team and any recommended amendments shall be incorporated into the policy.
The following encryption standards are in place:
- All active company owned laptops and desktops are encrypted using Sophos Full Disk encryption (AES 256-bit key length) and monitored via the Sophos Enterprise Console.
- All Data at rest and in transit is encrypted within the hosted environment being used by the Equity Based web applications.
- Backups sent to and stored at Mozy are secured with a 448-bit Blowfish encryption key.
- Data residing on network shares is not encrypted.
As part of Global Shares’ data loss prevention initiatives, and given the confidential nature of the data Global Shares processes, company data may not be accessed from personal devices (a personal device is any device not owned by the company, including but not limited to mobile phones, tablets, laptops or desktops). The only exception is access to email via Outlook Web Access (OWA), which is available to all employees subject to acceptance of the BYOD policy document.
IT Asset Management is the responsibility of the Senior Systems Administrator. The Senior Systems Administrator shall monitor the company’s IT assets to ensure that an accurate list of all assets is available, and that sufficient technology is available to allow for the provision of the agreed customer services and deliverables. Global Shares’ IT asset management is monitored with LanSweeper. LanSweeper scans the corporate network daily and records data that is reviewed at least once a week by the Senior Systems Administrator. The data recorded includes software, security patches and updates, and device configuration. Any issues and/or alerts are assessed and resolved in a timely manner.
All Company and Client data is considered confidential and as such is secured in the following ways:
Sophos Complete Security Suite
The below is a non-exhaustive list of the configurations provided by Sophos that are available to the company, to ensure a secure environment. The Head of IT and the Senior Systems Administrator review the configurations available and apply those that are most applicable to Global Shares’ network, data, hardware and software.
- Anti-Virus and Host Intrusion Prevention (HIPS): all managed computers are scanned for viruses and malware in real time.
- Application Control: provides the ability to restrict or block applications running on company-owned machines that pose risks such as data leakage, viruses/malware and potentially unwanted applications.
- Data Control: provides the ability to allow, restrict or block data from being transferred to specific destinations based on criteria set out by management and IT.
- Device Control: provides the ability to allow, restrict or block storage devices, network devices and short-range devices (Bluetooth and infrared).
- Intrusion Prevention System (IPS): analyses every packet destined for the local network and will either ‘drop silently’ or ‘terminate connection’. Packets are evaluated against signatures defined in the ‘Attack Patterns’ section of the IPS configuration.
- Full Disk Encryption: all company-owned laptops and desktops are encrypted, securing the data on them while out of the office.
- Tamper Protection: monitors and tracks attempts to disable the Sophos Security Suite on all company-owned computers.
- Security Patch Management: monitors all security-related patches available on managed computers.
- Web Control: provides the ability to monitor web traffic and allow, restrict or block access to sites based on content or site category.
Security Patch Management
The Senior Systems Administrator shall subscribe to the patch release notes of all key software vendors used.
Disposal of Data
Client data is retained by Global Shares as agreed in the client Service Agreement and on the instruction of the client.
Disposal of Hardware
Decommissioned hard drives are wiped with a three-pass overwrite prior to in-house destruction.
Disposal of Hard Copy Documents
Global Shares’ policy is to shred all paper containing confidential client and company data. Secure recycling containers are located throughout the office for the collection of confidential documentation. The containers are emptied on a regular basis by an external confidential shredding company. An employee of Global Shares shall monitor the shredding and disposal of the hard copy documents by the Cork Confidential Shredding Company.
Working Remotely
Regardless of location, all employees must adhere to company security policies. Employees travelling or working remotely full time are monitored via the Sophos Enterprise Console to ensure that all relevant policies are adhered to, including but not limited to the Data Security Policy, BYOD Policy and Computer Usage Policy. All remote workers are required to use two-factor authentication when accessing the corporate network. Only company-owned and managed devices may be used by remote workers.
Access controls are broken out into the following segments:
The Senior Systems Administrator is responsible for assigning and maintaining access rights to the network. Administrator access to the network is restricted to authorised personnel. The Senior Systems Administrator has primary responsibility for network administration. The DevOps Manager and the Chief Architect also have access to backups of the network-level administrator account passwords for use in an emergency.
The HR department authorizes access to the corporate network, to all new employees, by completing the New Employee Permissions Form. The Senior Systems Administrator sets up network and remote access, as applicable.
All terminated employees have their access to the corporate network removed immediately on the date of termination. A Loss of Permissions Form is completed by the Senior Manager Plan Administration and submitted to the Senior Systems Administrator for disabling corporate network account and access.
Any change in role by an employee which requires change in level of access to the corporate network is submitted to the Senior Systems Administrator, and logged through the case management system, Dynamics CRM.
Access to data on network shares is based on least privilege whereby employees have access to data based on their role within the company.
Third Party systems (incl. Brokerage firms and other partner systems).
All third-party vendors and partners who may have access to client or company confidential information shall be contracted through, and governed by, Service Agreements containing non-disclosure provisions that restrict the disclosure of all such confidential information. As soon as an employee becomes aware of any breach of a non-disclosure provision, they shall report the breach immediately to Senior Management, who will decide on the appropriate course of action to resolve the matter. The non-disclosure provisions of the Service Agreements should survive the term of the contract.
The following backup solution is currently in place:
- Servers are backed up to Mozy daily. Backup sets are encrypted onsite prior to being transferred to Mozy.
- Backups are retained for 6 months.
- Backups sent to and stored at Mozy are secured with a 448-bit Blowfish encryption key.
- Application databases: full backups run daily, with 15-minute incremental backups throughout the day. For more information please see the Hosting Infrastructure Default document.
Clear Desk / Screen Policy
The purpose of this policy is to establish and maintain a culture of security among all employees of Global Shares. Maintaining a clear desk reduces potential security incidents, both internal ones and those involving visitors to the corporate office. The policy provides that at the end of the working day each employee is expected to tidy their desk and put away all papers that may contain client information or data. It further provides that whenever an employee leaves their desk, their computer screen must be locked to prevent access to client data by unauthorised persons. All employees and any person or entity acting on behalf of Global Shares are subject to this policy. Employees found to have violated this policy may be subject to disciplinary action.
All company information is classified as confidential. This includes client data and documentation and data related to Global Shares. As such data must not be shared without prior consent from the client and Global Shares senior management. Please see the confidentiality policy for further details.
Transfer of Information
Email is used for internal and external communication and should not include sensitive information. As email can be intercepted and end up in the wrong hands, employees should not include credit card numbers, social security numbers or other sensitive information in an email. This type of information should be transferred via secure websites (https), secure file transfer systems, or by phone. Where no other option is available, attachments containing sensitive information should at a minimum be password-protected and, where possible, encrypted using public-key cryptography. Global Shares uses Basecamp as its secure file transfer system.
Phishing is the act of sending an e-mail to a user while falsely claiming to be an established, legitimate enterprise in an attempt to scam the user into surrendering confidential client or company information. Phishing emails may appear to be from a trustworthy source but are designed to trick the email recipient into disclosing sensitive, private and confidential information. Web users should be wary of suspicious email. Signs that an email may be a phishing attempt include:
- The email contains obvious spelling errors. Phishers do this intentionally in order to avoid spam filters that many Internet providers use.
- Links in the email contain all or part of a real entity’s name or web address, but the link itself is not identical to that of the legitimate website. Clicking on these links may take you to a different, possibly malicious website, or to pop-up windows that ask you to provide, update or confirm sensitive personal information. (Remember to check the true destination of an active link by hovering your mouse over it and reviewing the address displayed in the status bar at the bottom of the window.)
Phishing detection may be enhanced by use of a web browser that has a phishing filter. Global Shares corporate network employs Sophos for its phishing filter and/or identification capabilities.
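The two link checks described above (visible text naming one site while the link points at another, and a link host that merely contains a trusted brand name) can be automated on the HTML body of a message. The following is an added example written for this page, not Global Shares’ tooling or any product configuration; the brand allow-list and the sample message are constructed for illustration.

```python
"""Flag anchors in an HTML email whose real destination does not match what the
reader sees.  Two checks, mirroring the phishing indicators above:
  1. the visible text looks like a hostname/URL but the href goes to a different site;
  2. the href host contains a trusted brand name without being that brand's domain.
Illustrative code for this page, not a vendor product."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list (assumption): brand token -> domains it may legitimately use.
TRUSTED_BRANDS = {
    "globalshares": {"globalshares.com"},
    "example-bank": {"example-bank.com"},
}


def _host(url: str) -> str:
    """Lower-cased host of a URL or bare hostname; '' for mailto:, tel:, relative links."""
    parts = urlsplit(url.strip())
    if not parts.scheme:                      # bare 'www.example.com/x' has no scheme
        parts = urlsplit("http://" + url.strip())
    return (parts.hostname or "").lower()


def _same_site(a: str, b: str) -> bool:
    """Crude registrable-domain comparison: the last two DNS labels must match."""
    return a.split(".")[-2:] == b.split(".")[-2:]


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (href, visible_text, reason) for each anchor that fails a check."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        if not href_host:
            continue                           # mailto:/relative links are out of scope
        # Check 1: visible text names a host (no spaces, dotted, no empty labels)
        # but the href resolves to a different site.
        if "." in text and " " not in text:
            text_host = _host(text)
            if text_host and "." in text_host and all(text_host.split(".")) \
                    and not _same_site(text_host, href_host):
                findings.append((href, text,
                                 f"display host {text_host} != link host {href_host}"))
                continue
        # Check 2: the href host borrows a trusted brand name but is not that brand's domain.
        for brand, domains in TRUSTED_BRANDS.items():
            legit = any(href_host == d or href_host.endswith("." + d) for d in domains)
            if brand in href_host and not legit:
                findings.append((href, text, f"host {href_host} impersonates {brand}"))
                break
    return findings


# Constructed sample message for the example (not a real email).
SAMPLE_EMAIL = """
<p>Your account needs attention. Please
   <a href="https://globalshares.com.login-verify.net/x">log in here</a>.</p>
<p>Or visit <a href="http://198.51.100.7/portal">https://www.globalshares.com/portal</a>.</p>
<p>Help: <a href="https://www.globalshares.com/help">www.globalshares.com/help</a></p>
<p>Contact <a href="mailto:support@example.com">support</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The first two links in the sample are flagged (a look-alike subdomain of an unrelated registrable domain, and a raw IP address behind text that reads as the legitimate URL); the third and fourth are not. The two-label site comparison is deliberately crude: a production filter would use the public suffix list so that hosts under country-code second-level domains are compared correctly.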
Employees shall:
– Not open email attachments or click on links from unknown senders: they could infect your machine with a virus or other malware.
– Beware of phishing attacks: any unexpected email asking you to click on a link to update or log in to your account is suspicious. Instead of clicking on the link, go to the website directly and log in from there to see whether any action needs to be taken.
– Not use company email, free email accounts or chat clients to exchange confidential files.
– Not include sensitive information in an email: do not include credit card numbers, social security numbers or other sensitive information in an email, as email can be intercepted and end up in the wrong hands. Submit this type of information via secure websites (https), secure file transfer systems, or by phone.
– Report any phishing attempt or suspected phishing attempt to their manager as soon as they become aware of it.
The Senior Systems Administrator shall keep antivirus software up to date and shall ensure that, in addition to real-time scanning, a full computer scan is scheduled weekly.
ANNEX 2 : STANDARD CONTRACTUAL CLAUSES (CONTROLLERS)
Standard contractual clauses for the transfer of personal data from the Community to third countries
(controller to controller transfers)
Data transfer agreement
The data exporter: the relevant Controller entity (Global Shares/the Partner) as defined in the Data Processing Agreement above (hereinafter “data exporter”);
The data importer: the relevant Controller entity (Global Shares/the Partner) as defined in the Data Processing Agreement above (hereinafter “data importer”);
each a “party”; together “the parties”.
For the purposes of the clauses:
- “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
- “the data exporter” shall mean the controller who transfers the personal data;
- “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;
- “clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.
I – Obligations of the data exporter
The data exporter warrants and undertakes that:
- (a) The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
- (b) It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
- (c) It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
- (d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
- (e) It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
II – Obligations of the data importer
The data importer warrants and undertakes that:
- It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
- It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
- It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
- It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
- At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
- Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
- It will process the personal data, at its option, in accordance with:
  - (i) the data protection laws of the country in which the data exporter is established, or
  - (ii) the relevant provisions (1) of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data (2), or
  - (iii) the data processing principles set forth in Annex A.
Data importer to indicate which option it selects: (iii)
Initials of data importer: Signature of the Agreement shall be deemed acceptance of the indicated option;
- It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and
  - (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or
  - (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or
  - (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or
  - (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.
III – Liability and third party rights
- Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
- The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
IV – Law applicable to the clauses
These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.
V – Resolution of disputes with data subjects or the authority
- In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
- The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
- Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.
VI – Termination
- In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
- In the event that:
  - (i) the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);
  - (ii) compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
  - (iii) the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
  - (iv) a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
  - (v) a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs,

  then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.
- Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
- The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
VII – Variation of these clauses
The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.
VIII – Description of the Transfer
The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.
ANNEX A TO SCHEDULE 1
DATA PROCESSING PRINCIPLES
- Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
- Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
- Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
- Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
- Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
- Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
- Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:
  - (i) such decisions are made by the data importer in entering into or performing a contract with the data subject, and (ii) the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties; or
  - where otherwise provided by the law of the data exporter.
ANNEX B TO SCHEDULE 1
DESCRIPTION OF THE TRANSFER
The provision of a full-service equity compensation administration service as well as an online Software as a Service (SaaS) delivery model to provide cap table management solutions and employee stock plan management tools to end users and the Customer requires that personal data in their capacity as Controller for legal or regulatory purposes.