DATA PROCESSING AGREEMENT
VAT IT and the Company have entered, or will enter into a service agreement (“Agreement”) whereby VAT IT will provide the agreed upon Services to the Company.
Part I – Generally Applicable Data Protection Terms
- Processing of Personal Data
1.1 In this Agreement, “Data Protection Law” means the General Data Protection Regulation (2016/679) or any legislation amending, superseding or replacing it, and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner and/or any other applicable Data Protection Laws from any other jurisdiction. The terms “Controller”, “Data Subject,” “Personal Data,” “Processing,” and “Processor” shall be construed in accordance with the meaning set out in the applicable Data Protection Law.
1.2 In order to enable VAT IT to fulfil its obligations in terms of the Agreement, the Company hereby expressly authorises the transfer of Personal Data to the VAT IT offices for Processing as and when required to perform the Services.
1.3 In order to enable VAT IT to fulfil its obligations in terms of the Agreement, VAT IT shall be entitled to sub-contract the Processing of Personal Data to VATit Processing Centre (hereinafter called “the Processing Centre”), which is situated in South Africa, and the Company hereby expressly authorises the transfer of Personal Data to the Processing Centre for Processing as and when required to perform the Services.
1.4 The Company is solely responsible for obtaining any necessary consents or required notices, and for otherwise complying with any applicable Data Protection Law when providing Personal Data to VAT IT in connection with the Services.
1.5 The Company has the sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.
1.6 Details of Processing Activities. The nature and extent of Personal Data processed by VAT IT in delivering the Services is determined and controlled solely by the Company. VAT IT will only process Personal Data where employee names and/or addresses appear on claim invoices, when the VAT and/or Tax Authority specifically requests the names, identification and designation of employees that incurred the expenses, and for any administrative functions required in order to provide the relevant services to the Company, including any Personal Data that might appear on Agreements. VAT IT shall process the Personal Data only in accordance with the Company’s written instructions from time to time (including, without limitation, those contained in the Agreement), and shall not process the Personal Data for any purpose other than those expressly authorised by the Company. The Company agrees that VAT IT may use e-mail in order to provide the Services.
- Sub-Processing
2.1 Current Sub-processors. In order for VAT IT and/or the Processing Centre to provide the applicable Services, the Company consents to the use of the Services of the following ancillary Processors: Salesforce, Amazon Web Services, Microsoft Azure, Teraco, OwnBackup, translation service providers (if applicable), VAT and/or Tax agent service providers, and technology service providers necessary in order to provide the Services and that are already engaged by VAT IT as at the date of this Data Protection Agreement (“DPA”).
2.2 New Sub-processors. The Company grants a general authorisation to:
(a) VAT IT to appoint any sub-processor(s); and
(b) the sub-processor(s) to appoint ancillary sub-processors to support the performance of the Services. In relation to this general written authorisation, VAT IT shall inform the Company of any intended changes concerning the addition or replacement of any sub-processor(s), thereby giving the Company opportunity to object to such changes.
2.3 Obligations of, and Liability for Sub-processors. VAT IT and the Processing Centre’s liability shall be governed by the relevant and applicable Data Protection Law. Any appointed processor(s) or sub-processor(s) shall only process Personal Data in order to perform the Services in terms of the DPA.
Prior to transferring any Personal Data to any processor(s) and/or sub-processor(s), VAT IT and/or the Processing Centre shall enter into a written agreement with the processor and/or sub-processor on terms no less onerous than those set out in this DPA. Such written agreement to include, but not be limited to, requiring the additional processor(s) and/or sub-processor(s) to:
(a) process the Personal Data only in accordance with the written instructions of the data processor; and
(b) abide by the obligations imposed on the processor(s) and/or sub-processor(s) set out in this DPA; and
(c) allow the Company the right to audit the processor(s) and/or sub-processor(s).
- Access Requests
VAT IT and the Processing Centre shall implement appropriate technical and organisational measures to assist the Company in responding to:
(a) any request from an individual to exercise any of its rights in terms of Data Protection Law as it relates to the Personal Data processed by VAT IT and/or the Processing Centre; and
(b) any other correspondence, inquiry, or complaint received from an individual, regulator, court or other third party in connection with the Processing of Personal Data processed by VAT IT and/or the Processing Centre in terms of the DPA.
In the event VAT IT receives a Data Subject or Consumer Request from the Company Data Subject or Consumer, VAT IT:
(a) will notify the Company within 2 business days of receiving such a request; and
(b) provide the Company with full co-operation and assistance in relation to any request made by a Data Subject or Consumer to have access to such Personal Data; and
(c) will not disclose such Personal Data to any Data Subject, Consumer or to a third party other than at the request or instruction of the Company, as provided in this agreement, or as is compelled to do so by law or an order in line with clause 4.1.
- Assistance
- Deletion of Personal Data
VAT IT will at the date of cessation of any services involving the Processing of Personal Data (the “Cessation Date”), delete or procure the deletion of all copies of Personal Data. VAT IT may retain Personal Data to the extent required by applicable laws.
- Inspections and Audit
6.1 VAT IT shall on written request make available to the Company the necessary documentation to demonstrate compliance with this DPA. Thereafter, the Company shall be entitled where there is a reasonable suspicion that VAT IT is not complying with its Data Processing obligations in terms of this DPA, to audit or mandate a third party to audit VAT IT’s compliance with this DPA and the technical and organisational measures implemented by VAT IT. The Company agrees to sign a non-disclosure agreement prior to such audit being conducted. To the extent necessary to protect business secrets or other confidential information including Personal Data, and to comply with any contractual or legal obligations regarding confidentiality, VAT IT may redact some of the text or refrain (in limited and reasonable circumstances) from providing certain information. In such a scenario, the Company may request VAT IT to provide the Company with written reasons for its election to redact or refrain from providing the information. The Company shall provide reasonable written notice of such audit. Where possible, such audits will be conducted outside of VAT IT’s deadline periods.
- Technical and Organisational Security Measures
7.1 VAT IT and the Processing Centre, having regard to the state of technological development and the cost of implementing any measures, shall take appropriate technical and organisational measures against the unauthorised or unlawful processing of the Personal Data and against the accidental loss, theft, or destruction of, or damage to, the Personal Data (together “data breach”) to ensure a level of security appropriate to:
(a) The harm that might result from a data breach; and
(b) The nature of the Personal Data to be protected; and
(c) Take reasonable steps to ensure compliance with those measures.
7.2 VAT IT and the Processing Centre shall ensure:
(a) That it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data; and
(b) That access to Personal Data is limited to those employees who need access to Personal Data to meet VAT IT’s obligations under this DPA and the main agreement; and
(c) That all of its employees involved with the Services are informed of the confidential nature of the Personal Data and have signed confidentiality agreements.
- Personal Data Breach Notification
VAT IT shall notify the Company immediately [no later than 24 (twenty-four) hours] if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data (together “data breach”). In respect of such a data breach, VAT IT will provide reasonable assistance to Company, which may include assistance in notifying the relevant supervisory authority, a description of the nature and extent of the data breach (e.g., number and categories of affected subjects; number and categories of records concerned), a description of the likely consequences, and the measures taken or proposed to be taken to remediate or mitigate the possible adverse effects.
Part II – International Data Transfers
- EU Data Transfers
To the extent that Personal Data is protected by the EU GDPR, as amended from time to time, the following shall apply:
1.1 The EU Standard Contractual Clauses are incorporated into this DPA and apply where the application of the EU Standard Contractual Clauses, as between the Parties, is required under applicable Data Protection Law in the European Union for the transfer of Personal Data. The information required in Annexes I, II and III of the EU Standard Contractual Clauses is as set forth in Exhibit 1 to this DPA.
1.2 The Company, VAT IT and the Processing Centre agree to be bound by the terms of the EU Standard Contractual Clauses (where applicable), or any replacement thereof, whereby the Company shall be the data exporter and VAT IT and/or the Processing Centre the data importer(s). The governing law shall be law of the member state in which the data exporter is established. The aforementioned EU Standard Contractual Clauses shall be updated and/or amended from time to time in accordance with any changes to the Data Protection Law and/or any updates to the technical and organisational security measures implemented by the data importer(s).
1.3 Processing location. The Company acknowledges that VAT IT may process Personal Data outside the EEA, from time to time, in compliance with this DPA, the Agreement, the EU Standard Contractual Clauses, and Data Protection Law.
1.4 Module Two Controller to Processor. Where The Company is a data exporter and Controller and VAT IT and/or the Processing Centre is a data importer and Processor: (i) Module Two of the EU Clauses will apply; (ii) Option 2 of Clause 9(a) will apply (general written authorisation of sub-processors); (iii) the time period in Clause 9(a) will be thirty (30) days; and (iv) Option 1 of Clause 17 will apply (governing law).
1.5 The governing law, forum and jurisdiction in Clauses 17 and 18 will be that of Germany.
1.6 In all cases, the parties satisfy any signature requirement in “Annex 1: List of Parties” to the EU SCCs by the execution of this DPA.
- UK Data Transfers
To the extent that Personal Data is protected by the Data Protection Act 2018 and the UK GDPR, as amended from time to time, and where the application of EU Standard Contractual Clauses is required under UK Data Protection Law for the transfer of Personal Data, the following Addendum shall apply:
2.1 The UK Addendum is incorporated into this DPA and applies where the application of the UK Addendum, as between the Parties, is required under Data Protection Law in the UK for the transfer of Personal Data.
2.2 Processing location. The Company acknowledges that VAT IT may process Personal Data outside the UK, from time to time, in compliance with this DPA, the Agreement, the EU Standard Contractual Clauses, the UK Addendum and Data Protection Law.
2.3 For the purposes of the UK Addendum, (a) the information required for Table 1 is contained in Annex I of Exhibit 1 to this DPA and the start date shall be the Effective Date; (b) in relation to Table 2, the versions of the EU Clauses to which the UK Addendum applies are Module Two (Controller to Processor); (c) in relation to Table 3, the list of parties and description of the transfer are as set out in Annex I of Exhibit 1 to this DPA, VAT IT’s technical and organisational measures are set in Annex II of Exhibit 1 to this DPA, and the list of VAT IT’s sub-processors is contained in Annex III of Exhibit 1 to this DPA; and (d) in relation to Table 4, neither Party will be entitled to terminate the UK Addendum in accordance with clause 19 of the UK Mandatory Clauses.
2.4 In all cases the parties satisfy any signature requirement in the UK Addendum by the execution of this DPA.
- Switzerland Data Transfers
To the extent that Personal Data is protected by Swiss Data Protection Laws, including the revised Federal Act on Data Protection 1992, as amended from time to time, and where the application of EU Standard Contractual Clauses is required under Swiss data protection law for the transfer of Personal Data, the following Addendum shall apply:
3.1 Processing location. The Company acknowledges that VAT IT may process Personal Data outside Switzerland, from time to time, in compliance with this DPA, the Agreement, the EU Standard Contractual Clauses, the Swiss Addendum and Data Protection Law.
3.2 The terms below in the EU Standard Contractual Clauses will have the following substituted meanings:
(a) “GDPR” means the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1) and its revised version of 25 September 2020 (“Revised FADP”), or any legislation amending, superseding or replacing it;
(b) where the Clauses use terms that are defined in the GDPR, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP;
(c) “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time;
(d) This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as is required by the GDPR and Swiss Data Protection Laws, as the case may be;
(e) “European Union”, “Union” or “Member States” means Switzerland, provided that the term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland), in accordance with Clause 18 c; and
(f) “Supervisory Authority” means the Swiss Federal Data Protection and Information Commissioner.
3.3 None of these amendments will have the effect or be construed to amend the EU Standard Contractual Clauses in relation to the processing of Personal Data as it is subject to the EU GDPR.
EXHIBIT 1 TO DPA
ANNEX I
- LIST OF PARTIES [APPLICABLE TO ALL MODULES]
The parties are as is set out in the Agreement. The Company is the Data Controller, and VAT IT is the Data Processor.
- DESCRIPTION OF TRANSFER
[MODULE TWO: Transfer controller to processor]
Categories of data subjects whose personal data is transferred
Employees of the data exporter
Categories of personal data transferred
Names and/or addresses and/or designation and/or proof of identification of the data exporter’s employees.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data will be transferred continuously, as is needed to provide the Services.
Nature of the processing
Processing for the purposes of VAT reclaim services including the following processing operations: collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Purpose(s) of the data transfer and further processing
The purpose of the Processing of Company Personal Data by Service Provider is the performance of the Services pursuant to the Agreement for the provision of VAT reclaim services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As long as needed to perform the services, and as long as is required for auditing and legal purposes.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Transfers are made to sub-processors in order to assist VAT IT in fulfilling its obligations in terms of the Agreements and in order to provide the relevant services to the Company. This includes, but is not necessarily limited to: customer relationship management tool, external data centres, backup and archiving services, and hosting servers. The duration, nature and subject matter will be, where applicable, the same as is for the data importer.
- COMPETENT SUPERVISORY AUTHORITY [APPLICABLE TO MODULES ONE (TRANSFER CONTROLLER TO CONTROLLER), TWO (TRANSFER CONTROLLER TO PROCESSOR) AND THREE (TRANSFER PROCESSOR TO PROCESSOR)]
Identify the competent supervisory authority/ies in accordance with Clause 13
Supervisory authority of Germany (Bundesbeauftragter für Datenschutz und Informationsfreiheit – “BfDI”)
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
[MODULE TWO: Transfer controller to processor]
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons
Provider provides the technical and organizational measures as set forth in the Agreement. These may contain, as applicable, measures reasonably designed for:
IT security governance and management
The data importer maintains appropriate technical and organizational measures to protect the Company data against destruction, loss, alteration, and unauthorized disclosure of or access to it. All necessary information security policies are in place and are updated from time to time. Security training is conducted at least annually for employees of the data importer.
Data encryption
Depending on the transmission mechanism:
- TLS 1.2 encryption (HTTPS);
- TLS 1.2 encryption (SFTP) (should this be chosen by the data exporter as a mechanism for transfer);
- Microsoft SharePoint’s security controls (should this be chosen by the data exporter as a mechanism for transfer).
All data is encrypted at rest in our database. Data at rest is encrypted using AES 256. Advanced logging and monitoring are used to track every transaction on our system. We keep an auditable record of all activity within our environment.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality: We have put in place various measures to ensure that information is protected from unauthorized access. Data is stored in secure environments behind appropriately configured firewalls with IPS and 24/7 monitoring. Physical access is controlled with either biometric or access card-controlled doors. All devices are securely configured, password protected, and installed with real-time antivirus, anti-malware and anti-spyware software. We ensure the reliability of any employees who access the Personal Data and ensure that such personnel have undergone appropriate information security awareness and training in the care, protection and handling of Personal Data and have entered into comprehensive non-disclosure and strict indefinite confidentiality agreements. User access permissions are managed, incorporating the principle of least privilege. User accounts and related access rights, including those of terminated users, are reviewed and approved by managers on a regular basis. Password complexity and rotation requirements have been established and documented in our Password Policy.
Integrity: All data is encrypted at rest in our database. Data at rest is encrypted using AES 256 and data in transit is secured using TLS 1.2 encryption. Advanced logging and monitoring are used to track every transaction on our system. We keep an auditable record of all activity within our environment.
Availability: Full backups are performed daily and are stored encrypted in an environment physically separated from the primary servers to ensure fault tolerance. Availability and security continue to be monitored using our security practices. Our co-location centres feature fully redundant power backup systems, physical access controls, biometric authentication systems, extensive seismic bracing, the latest in early detection smoke and fire alarms, and digital surveillance systems. All server and network components are continuously monitored by internal staff.
Incident management
The data importer has established incident management policies and procedures. In the case that there is an incident, affected clients are notified without undue delay and in line with the timelines of our policies and procedures.
Data access
The sharing of data is controlled with granular access controls. The data importer uses the principle of least privilege to mitigate risk in this regard. Role based access controls are employed to ensure that access to Company data is necessary for service operations. The data importer keeps an auditable record of who has accessed data. Users are required to change their passwords every 90 days.
Physical security
All co-location data centre facilities have successfully been attested to SSAE 16, SOC 2 Type 2, ISO 27001, or similar requirements. Data is backed up following proper industry best practices. Access is limited to authorized individuals and reviewed on a semi-annual basis.
These facilities feature 24/7 manned security, fully redundant power backup systems, physical access controls, biometric authentication systems, extensive seismic bracing, the latest in early detection smoke and fire alarms, and digital surveillance systems. All server and network components are continuously monitored by internal staff.
Full backups are performed on a daily basis and are stored encrypted in an environment physically separated from the primary servers to ensure fault tolerance.
Access to data centres is limited to authorized employees or contractors only. Access to systems and network devices is limited to authorized personnel, and login details within event logs are reviewed on a continual basis.
Old software is decommissioned in a timely manner and securely wiped (rendering data unrecoverable).
Security logs
All systems within the data importer’s environment log information to their system log facility or to a centralized server to enable security reviews and analysis.
Audits and Certifications
The data importer conducts audits of its information and communication technology infrastructure at least annually. These comprise both internal and accredited, independent third-party security audits. Upon request, the data importer will furnish the executive summary report and relevant certificate (where applicable) to the Company.
Data minimization
The data importer has implemented procedures to ensure that data is processed only on the instructions of the data exporter and for the purposes for which it was collected, throughout its entire chain of processing activities and that of its sub-processors.
Data retention
Due to the nature of our services, we may be required to retain such data to the extent required by applicable laws and only for the period required by applicable laws. It is then securely destroyed.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The specific technical and organizational measures to be taken are set out in the relevant DPA, and include, but are not necessarily limited to, requiring that any sub-processor it engages to provide services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such sub-processor terms no less protective of Personal Data than those imposed on the data importer in the DPA, including in connection with the transfer of Personal Data to a third country or international organization in accordance with Data Protection Law.
ANNEX III
LIST OF SUB-PROCESSORS
[MODULE TWO: Transfer controller to processor]
EXPLANATORY NOTE:
This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9 (a), Option 1).
The controller has authorised the use of the following sub-processors: