Data Protection Addendum

Data Protection Addendum

This Data Processing Addendum (the Addendum) will apply from 30 September 2019 and will thereafter be incorporated into all arrangements, agreements and contracts (Agreement) under which members of the Fund Recs Group (each, and together Fund Recs) provide services, to the extent that in doing so they act as a ‘data processor’ (as defined in applicable Data Protection Law). Where a client of Fund Recs already has in place a signed Data Processing Agreement or Amendment Agreement to incorporate data processing provisions (DP Agreement), and there is any conflict with the terms of this Addendum, the terms of the DP Agreement will prevail.

 

  1. For the purpose of this Addendum:

    • Data Protection Law shall mean all applicable data protection law, which may include, (i) with effect from 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) including any amendments thereto and any applicable consequential national data protection legislation and guidance and codes of practice issued by any relevant European data protection supervisory authority.

    • Entity means the person or entity that has entered into an Agreement with Fund Recs.

    • Relevant Data Protection Authority means the relevant independent public authority responsible for monitoring the application of the relevant Data Protection Law.

    • Fund Recs Group means all direct and indirect subsidiaries of Fund Recs.

  2. Fund Recs acknowledges that in providing the services under the Agreement Fund Recs may process personal data on behalf of the Entity.

  3. In such circumstances, Fund Recs acknowledges that the Entity is a data controller and Fund Recs is data processor and the parties agree that:

    • Fund Recs processes personal data, as may be specified in the privacy notice of the Entity, on behalf of the Entity in the context of providing the Services under the Agreement. The obligations and rights of the Entity shall be as set out in this Addendum;

    • Fund Recs will only process such personal data in accordance with the documented instructions of the Entity unless required to do so under applicable laws to which Fund Recs is subject. In such a case Fund Recs shall inform the Entity of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

    • Fund Recs shall ensure that the persons authorised by Fund Recs to process such personal data are bound by appropriate confidentiality obligations;

    • Fund Recs shall implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law and to ensure the rights of the data subject;

    • Fund Recs shall take all measures to ensure a level of security of processing required pursuant to Data Protection Law;

    • Fund Recs is authorised to engage sub-processors to undertake processing on its behalf, provided that it provides the Entity with prior notice in writing containing details of the sub-processors that it engages and informs the Entity of any intended changes concerning the addition or replacement of such sub-processors and provides the Entity with a reasonable opportunity to object to such changes. In certain circumstances the Entity may engage or contract directly with agents, delegates or representatives of Fund Recs in which case such agents, delegates or representatives are not considered sub-processors of Fund Recs for the purposes of this Clause and Clause (g) below and, instead, are considered to be processors on behalf of the Entity;

    • where any sub-processor of Fund Recs will be processing such personal data on behalf of the Entity, Fund Recs shall ensure that a written contract exists between Fund Recs and the sub-processor containing clauses equivalent to those imposed on Fund Recs in this clause. In the event that any sub-processor fails to meet its data protection obligations, Fund Recs shall remain fully liable to the Entity for the performance of the sub-processor’s obligations;

    • Fund Recs shall inform the Entity without undue delay in the event of receiving a request from a data subject to exercise their rights under Data Protection Law and provide such co-operation and assistance as may be required to enable the Entity to deal with such request in accordance with the provisions of Data Protection Law;

    • taking into account the nature of the processing, Fund Recs shall assist the Entity by appropriate technical and organisational measures, insofar as this is possible, to allow the Entity to comply with requests from data subjects to exercise their rights under Data Protection Law;

    • Fund Recs shall assist the Entity in ensuring compliance with obligations in respect of security of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law, taking into account the nature of the processing and information available to Fund Recs;

    • when Fund Recs ceases to provide services relating to data processing Fund Recs shall: (i) at the choice of the Entity, delete or return all such personal data to the Entity; and (ii) delete all existing copies of such personal data unless relevant law requires or permits storage of the personal data;

    • Fund Recs shall: (i) make available to the Entity all information requested that is necessary to demonstrate compliance with the obligations laid down in this clause; and (ii) allow for and contribute to audits, including inspections, conducted by the Entity or another auditor mandated by the Entity, provided however that the Entity shall be entitled, at its discretion, to accept adherence by Fund Recs to an approved code of conduct or an approved certification mechanism to aid demonstration by Fund Recs that they are compliant with the provisions of this clause;

    • Fund Recs shall inform the Entity without undue delay if, in its opinion, it receives an instruction from the Entity which infringes Data Protection Law;

    • Fund Recs shall notify the Entity without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and provide the Entity with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach; and

    • Personal data may be transferred by the Processor outside the relevant jurisdiction, including to a jurisdiction which is not recognised by the Relevant Data Protection Authority as providing for an equivalent level of protection for personal data as is provided for in the relevant jurisdiction. These jurisdictions may include the United States of America, the United Kingdom and Asia. If and to the extent that the Processor does so, it will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with its obligations under any Data Protection Law governing such transfers, which may, as applicable, include: (a) entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the Relevant Data Protection Authority; (b) transferring your personal data pursuant to binding corporate rules; or (c) a transfer where the Relevant Data Protection Authority has decided that the recipient ensures an adequate level of protection.

  1. The Entity warrants that any personal data received by Fund Recs has been collected and then transferred to Fund Recs in accordance with Data Protection Law.