Data Processing Agreement (the “DPA”)

In this agreement, the terms ‘we’ and ‘us’ refer to Pareto Financial Direction Limited (company number 06244623), whose registered office is at 910 The Crescent, Colchester Business Park, Colchester, Essex, England, CO4 9YQ and the terms ‘you’ and ‘your’ refer to you, the company entering into a Contract with us. ‘Both of us’ means you and us together, and ‘each of us’ means each of you and us individually.


1 Definitions

Approved Countries

means the European Economic Area and any territory which is subject to a current finding under the applicable Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals.

Contract

means the agreement between you and us that incorporates this DPA by reference.

Data Protection Legislation

means the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated.

The terms ‘Personal Data’, ‘Personal Data Breach’, ‘Data Controller’, ‘Data Processor’, ‘Data Subject’, and ‘process’ (in the context of the use of Personal Data) shall have the meanings given to them in the Data Protection Legislation.

Purpose

means the purpose of the processing as set out in the Contract.

SCC

means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers).

Sub-Processor

means a third-party processor engaged to provide processing services to a Data Processor who is party to this DPA.


2 Duration

2.1 This DPA will come into effect upon signature of the Contract.

2.2 This DPA shall remain in effect until the termination of the Contract, save that regarding the lawful use and processing of Personal Data transferred pursuant to this DPA, such termination shall not exempt you or us from the obligations and/or conditions hereunder which shall survive termination of this DPA for so long as either of us has custody, control, or possession of such Personal Data.


3 Roles

3.1 Throughout the commercial relationship between us, each of us will be processing the Personal Data of the other’s employees to facilitate contact and co-operation between our respective organisations and achieve our respective business interests. Both of us agree and acknowledge that the other is a Data Controller of such Personal Data.

3.2 In respect of the provision by us to you of the Services, you are the Data Controller and we are the Data Processor in respect of any Personal Data you provide to us.


4 Instruction

4.1 We shall:

a) at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of the Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. We shall, save where prohibited by law and as soon as reasonably practical, notify you of any legal obligation to disclose the Personal Data to a third party;

b) not transfer the Personal Data outside of the Approved Countries, or to any third party without your written consent;

c) send you any communications received from individuals in relation to their Personal Data as soon as reasonably practicable. We shall provide reasonable co-operation to you in relation to any individuals exercising their rights under the Data Protection Legislation;

d) give you reasonable assistance in relation to your compliance with Data Protection Legislation;

e) take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data;

f) co-operate with you, and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this DPA (including any such facilities, premises or equipment used by staff and/or sub-contractors) as you may reasonably require to enable you to monitor compliance with the obligations in this DPA;

g) notify you promptly of any Personal Data Breach and assist you with any investigation into and remediation of a Personal Data Breach. We shall also provide you with reasonable assistance with any notifications made to relevant authorities and/or individuals in relation to a Personal Data Breach;

h) except where permitted under clause 6, not subcontract any obligations under this DPA regarding the processing of Personal Data to a third-party Sub-Processor without your prior written consent. We shall be liable for the acts and omissions of any Sub-Processors as if they were our acts or omissions and we shall ensure that there is a written contract executed between us and the Sub-Processor that contains equivalent protections for Personal Data to those set out in this DPA;

i) when instructed by you, immediately cease processing the Personal Data and immediately return the Personal Data to you or delete the Personal Data, in accordance with your instructions;

j) submit to audits and inspections carried out directly upon us by a supervisory authority or by you, at your sole discretion, where you reasonably believe, based on evidence that you set out in your notice to us, that such an audit or inspection is necessary, and co-operate in any audits and inspections carried out upon you by third parties; and

k) inform you immediately if we receive any request or instruction that we could not comply with without infringing Data Protection Legislation.


5 International Transfers

5.1 If any Personal Data transfer between you and us requires execution of SCC in order to comply with the Data Protection Legislation, the parties will enter into such SCC prior to the transfer of Personal Data and take all other actions required to legitimise the transfer. For the avoidance of doubt, if there are any conflicts between this DPA and the SCC, the provisions of the executed SCC shall prevail.

5.2 Either party may, at any time on not less than one month’s prior written notice, revise clause 5.1 by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this DPA).

5.3 You hereby give your written consent for us to transfer Personal Data to the Sub-Processors set out in this DPA.

5.4 We will not process Personal Data outside the Approved Countries without your prior written consent. Where such consent is granted, we will ensure that:

a) appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals; and

b) the transfer otherwise complies with the Data Protection Legislation and is detailed in the DPA at Exhibit 1.


6 Sub-Processors

6.1 You hereby give your written consent for us to use the Sub-Processors set out below in this DPA. We may add further Sub-Processors to the list below, subject to your written consent.

6.2 We shall enter into a written contract or other legal act with the Sub-Processor that:

a) contains data processing obligations as required by the Data Protection Legislation;

b) requires the Sub-Processor to only process such Personal Data for the Purpose; and

c) sets out that the Sub-Processor’s authority to process Personal Data in respect of which you are the Data Controller terminates automatically on termination of the Contract for any reason or on your withdrawal of that authority.

6.3 If a Sub-Processor fails to fulfil its obligations under such written agreement, we shall remain fully liable to you for the Sub-Processor’s performance of its obligations.


7 Additional Obligations

7.1 You hereby represent that you have all necessary consents and notices in place to enable lawful transfer of the Personal Data to us and/or lawful collection of the Personal Data by us on your behalf for the duration and the Purpose.

7.2 Upon termination of processing, we shall return all Personal Data that you have provided and shall delete all records of such from any systems used by us (and shall require the same from any Sub-Processors we have used).

7.3 Nothing in this DPA relieves a Data Processor of its own direct obligations under Data Protection Legislation, including:

a) to co-operate with supervisory authorities; and

b) to keep records of its own processing activities.

7.4 You and we shall each inform the other of any Personal Data Breach without undue delay irrespective of whether there is a requirement to notify any regulatory authority or Data Subject(s).

7.5 You acknowledge that we are reliant on you for direction as to the extent to which we are entitled to use and process the Personal Data. Consequently, we will not be liable to you for any claim brought by a Data Subject arising from any action or omission by us, to the extent that such action or omission resulted directly from your instructions.


8 General

8.1 Each of us may send any queries or concerns about the other’s performance under this DPA to their data protection lead:

a) our data protection lead is Andy Cristin (acristin@pareto-fd.com).


9 This is a legally binding agreement

9.1 Both of us agree to be legally bound by this DPA.

9.2 Nothing in this DPA authorises either of us to make any commitments for or on behalf of the other or gives any rights to any person who is not a party to it. If either of us wants to communicate something regarding this DPA to the other, we must do so in writing (including by email).

9.3 This DPA sets out the entire agreement between both of us regarding Personal Data and supersedes any other communication that might have taken place between you and us on this subject.

9.4 This DPA is governed by English law and is subject to the exclusive jurisdiction of the English Courts.

Exhibit 1 to DPA

1 Nature and purpose of the processing

1.1 For the purpose of providing accounting, financial and administrative consulting, which may include:

a) receiving data by electronic means.


2 Duration of the processing

2.1 The duration of the processing will continue until the Contract is terminated.


3 Types of personal data processed

3.1 The types of Personal Data that will be processed under this DPA include:

a) Identity data: forename, surname

b) Contact data: email address, address

c) Financial data: salary, bank account detail, National Insurance Number, tax code


4 Special Categories of data

4.1 N/A


5 Categories of data subjects

5.1 Employees

5.2 Directors

5.3 Shareholders

5.4 Partners


6 Obligations and rights of the data controller


7 Approved International Transfers and Sub-Processors:

7.1 You agree that we may engage the following Sub-Processors:

a) Cloud storage, including DropBox, OneDrive and Google Drive. Processing Activity: Data storage.

Note 1: Identify the legal basis for the transfer of Personal Data outside the EEA in order to comply with international transfer restrictions:

a) Located in a country with a current determination of adequacy.

b) Binding Corporate Rules.

c) Standard Contractual Clauses between Discloser as "data exporter" and Recipient as "data importer".

d) Standard Contractual Clauses between Recipient as "data exporter" on behalf of Discloser and Recipients affiliate or subcontractor as "data importer".

e) Other (describe in detail): _______________________________________________________


8 Security Measures

8.1 Physical access controls

8.2 System access controls (e.g. encryption and password controls)

a) All systems used to process personal data are password controlled.

8.3 Data access controls (e.g. confidentiality agreements with staff)

a) All applications containing personal data are password controlled.

8.4 Transmission controls

8.5 Data backups

a) All data backups containing personal data are password controlled.