DATA PROTECTION AGREEMENT (“DPA”)
The Company and VAT IT may hereinafter each be referred to as a “Party,” or collectively as the “Parties.” VAT IT and the Company have entered, or will enter into a client or service agreement, and/or VAT IT has received written instructions from the Company (“the Agreement”) whereby VAT IT will provide the agreed upon services to the Company as determined and outlined in the Agreement (“the Services”).
PART I – DEFINITIONS
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
- “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “Personal Data” means any information relating to an identified or identifiable Data Subject;
- “Process,” “Processes” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;
- “Sub-Processor” means a natural or legal person, public authority, agency or other body which acts under the instructions of the Processor, meaning that they Process a Data Subject’s Personal Data on behalf of the Processor.
PART II – GENERALLY APPLICABLE DATA PROTECTION TERMS
1. Processing of Personal Data
1.1. In order to enable VAT IT to fulfil its obligations in terms of the Agreement, the Company hereby expressly authorises the transfer of Personal Data to VAT IT for Processing only in line with and when required to perform the Services. The Company agrees that VAT IT may make use of emails in order to provide the Services.
1.2. Both Parties agree that for the purposes of this DPA, the Company is a Controller, and VAT IT is a Processor.
1.3. Both Parties agree further that the Company is solely responsible for obtaining any necessary consents or providing required notices, and for otherwise complying with any applicable data protection law when providing Personal Data to VAT IT in connection with the Agreement.
1.4. Both Parties agree further that the Company has the sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.
1.5. Details of Processing Activities. The nature and extent of Personal Data Processed by VAT IT in delivering the Services is determined and controlled by the Company. VAT IT shall Process the Personal Data only in accordance with the Company’s written instructions from time to time (including, without limitation, those contained in the Agreement and this DPA), and shall not Process the Personal Data for any purpose other than those expressly authorised by the Company.
2. Sub-Processing
2.1. Current Sub-Processors. In order for VAT IT to provide the Services, the Company consents to VAT IT’s use of those Sub-Processors that are already engaged by VAT IT as at the date of this DPA to provide the Services in terms of the Agreement.
2.2. New Sub-Processors. The Company grants a general authorisation to VAT IT to appoint any new Sub-Processor(s) to support the performance of the Services. In relation to this general written authorisation, VAT IT shall inform the Company of any intended changes concerning the addition or replacement of any Sub-Processor(s), thereby giving the Company the opportunity to reasonably object to such changes.
2.3. Prior to transferring any Personal Data to Sub-Processor(s), VAT IT shall enter into a written agreement with the Sub-Processor(s) on terms no less onerous than those set out in this DPA. Such written agreement shall include, but not be limited to, requiring the Sub-Processor(s) to:
a) Process the Personal Data only in accordance with the written instructions of VAT IT, based on the written instructions provided by the Company; and
b) Abide by the obligations imposed on the Sub-Processor(s) set out in the data protection agreement between the parties; and
c) Allow VAT IT the right to review or audit the Sub-Processor(s).
2.4. Liability. VAT IT’s liability shall be governed by the relevant and applicable data protection law.
3. Access Requests
3.1. VAT IT shall implement appropriate technical and organisational measures to assist the Company in responding to:
(a) any request from a Data Subject to exercise any of its rights in terms of data protection law as it relates to the Personal Data Processed by VAT IT; and
(b) any other correspondence, inquiry, or complaint received from an individual, regulator, court or other third party in connection with the Processing of Personal Data Processed by VAT IT in terms of the DPA.
3.2. In the event VAT IT receives a Data Subject request in line with this DPA and the Personal Data VAT IT Processes on behalf of the Company, VAT IT:
(a) Will notify the Company within 2 business days of receiving such a request; and
(b) Will provide the Company with full co-operation and assistance in relation to any request made by a Data Subject to have access to such Personal Data; and
(c) Will not disclose such Personal Data to any Data Subject or to a third party other than at the request or instruction of the Company, or where it is compelled to do so by law or an order in line with clause 4.
4. Assistance
4.1. If VAT IT receives an order from any third party for compelled disclosure of Personal Data that has been transferred under this DPA, VAT IT will:
a) Use every reasonable effort to redirect the third party to request data directly from the Company;
b) Promptly notify the Company, unless prohibited by law; and
c) Request a reasonable extension of time from the third party to allow the Company to evaluate the request.
If, after exhausting steps (a) to (c) described above, VAT IT remains compelled to disclose Personal Data to a third party, VAT IT will disclose only the minimum amount necessary to satisfy the request and inform the Company of the request, unless prohibited from doing so by law or an order.
5. Deletion of Personal Data
5.1. VAT IT will at the date of cessation of the Services involving the Processing of Personal Data (the “Cessation Date”), delete and/or procure the deletion of all copies of Personal Data and ensure that same is done by its Sub-Processors. VAT IT may retain Personal Data to the extent required by applicable laws, and will, after such retention period, promptly comply with this clause 5.
6. Inspections and Audit
6.1. VAT IT shall implement and maintain a comprehensive written information security and data protection program (“Program”), which Program shall be updated and/or reviewed as necessary where there are significant changes in VAT IT’s organisation, and not less than once annually. VAT IT shall ensure that the Program complies with all applicable data protection laws and industry standards.
6.2. VAT IT shall on written request make available to the Company the necessary documentation to demonstrate compliance with this DPA, including any certifications or reports in line with clause 6.1. Thereafter, the Company shall be entitled, where there is a reasonable suspicion that VAT IT is not complying with its data protection obligations in terms of this DPA, to audit or mandate a third party to audit VAT IT’s compliance with this DPA and the technical and organisational measures implemented by VAT IT. To the extent necessary to protect business secrets or other confidential information, including Personal Data, and to comply with any contractual or legal obligations regarding confidentiality, VAT IT may redact some of the text or refrain (in limited and reasonable circumstances) from providing certain information. In such a scenario, the Company may request VAT IT to provide the Company with written reasons for its election to redact or refrain from providing the information. The Company shall provide reasonable written notice of such an audit. The Company or its elected auditor agrees to sign a non-disclosure agreement prior to such audit being conducted.
7. Technical and Organisational Security Measures
7.1. VAT IT shall, having regard to the state of technological development and the cost of implementing any measures, implement appropriate technical and organisational measures against the unauthorised or unlawful Processing of Personal Data and against the accidental loss, theft, or destruction of, or damage to, the Personal Data (together “Data Breach”) to ensure a level of security appropriate to:
a) The harm that might result from a Data Breach;
b) The nature of the Personal Data to be protected; and
c) Take reasonable steps to ensure compliance with those measures.
7.2. VAT IT shall ensure:
a) That it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;
b) That access to Personal Data is limited to those employees who need access to Personal Data to meet VAT IT’s obligations under this DPA and the Agreement; and
c) That all of its employees involved with the Services are informed of the confidential nature of the Personal Data and have signed confidentiality agreements.
8. Personal Data Breach Notification
8.1. VAT IT shall notify the Company immediately (no later than 48 [forty-eight] hours) if it becomes aware of any Data Breach. In respect of such a Data Breach, VAT IT will provide reasonable assistance to the Company, which may include assistance in notifying the relevant supervisory authority, a description of the nature and extent of the Data Breach (e.g. number and categories of affected Data Subjects; and number and categories of records concerned), a description of the likely consequences of the Data Breach, and the measures taken or proposed to be taken to remediate or mitigate the possible adverse effects.
PART III – INTERNATIONAL DATA TRANSFERS
1. EU Data Transfers
To the extent that Personal Data is protected by the EU General Data Protection Regulation (2016/679) or any legislation amending, superseding or replacing it, and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner (“EU Data Protection Law”), and where the application of EU Standard Contractual Clauses (“EU Clauses”) is required under EU Data Protection Law for the transfer of Personal Data, the following shall apply:
1.1. The EU Clauses, as contained in Annexure A of https://vatit.com/annexture-a-to-the-client-dpa/, are incorporated into this DPA and apply where the application of the EU Clauses, as between the Parties, is required under applicable EU Data Protection Law.
1.2. The Company and VAT IT agree to be bound by the terms of the EU Clauses (where applicable), or any replacement thereof, whereby the Company shall be the data exporter and VAT IT shall be the data importer. The aforementioned EU Clauses shall be updated and/or amended from time to time in accordance with any changes to the EU Data Protection Law.
1.3. Processing location. The Company acknowledges that VAT IT may Process Personal Data outside the European Economic Area (“EEA”), from time to time, only in compliance with this DPA, the Agreement, the EU Clauses, and EU Data Protection Law.
1.4. Module Two: Controller to Processor. Where the Company is a data exporter and Controller, and VAT IT is a data importer and Processor, Module Two of the EU Clauses will apply.
1.5. The governing law, forum and jurisdiction in Clauses 17 and 18 will be that of Germany.
2. UK Data Transfers
To the extent that Personal Data is protected by the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”), as amended from time to time (together “UK Data Protection Law”), and where the application of the EU Clauses is required under UK Data Protection Law for the transfer of Personal Data, the following shall apply:
2.1. The UK International Data Transfer Addendum (the “UK Addendum”), as contained in Annexure B of https://vatit.com/annexture-a-to-the-client-dpa/, is incorporated into this DPA and applies where the application of the UK Addendum, as between the Parties, is required under UK Data Protection Law for the transfer of Personal Data.
2.2. Processing location. The Company acknowledges that VAT IT may Process Personal Data outside the UK, from time to time, only in compliance with this DPA, the Agreement, the EU Clauses, the UK Addendum and UK Data Protection Law.
3. Switzerland Data Transfers
To the extent that Personal Data is protected by Swiss Data Protection Laws (defined below), and where the application of the EU Clauses is required under Swiss Data Protection Laws for the transfer of Personal Data, the following addendum (“Swiss Addendum”) shall apply:
3.1. Processing location. The Company acknowledges that VAT IT may Process Personal Data outside Switzerland, from time to time, in compliance with this DPA, the Agreement, the EU Clauses, this Swiss Addendum and Swiss Data Protection Laws.
3.2. The terms below in the EU Clauses will have the following substituted meanings:
a) “GDPR” means Swiss Data Protection Laws and any new or revised version of these laws that may enter into force from time to time;
b) where the EU Clauses use terms that are defined in the GDPR, those terms shall be deemed to have the meaning of the equivalent terms as they are defined in the FADP (defined below);
c) “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection (“FADP”) of 19 June 1992 (SR 235.1) and its revised version of 25 September 2020, the Swiss Ordinance to the Swiss FADP, and any new or revised version of these laws that may enter into force from time to time or any legislation amending, superseding or replacing it;
d) This Swiss Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as is required by the GDPR and Swiss Data Protection Laws, as the case may be;
e) “European Union”, “Union” or “Member States” means “Switzerland,” provided that the term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and
f) “Supervisory Authority” means the Swiss Federal Data Protection and Information Commissioner.
3.3. None of these amendments will have the effect or be construed to amend the EU Clauses in relation to the Processing of Personal Data as it is subject to the EU GDPR.
4. South African Personal Data Protection
To the extent that Personal Data is protected by the Protection of Personal Information Act 4 of 2013 (“POPI Act”), the following shall apply:
4.1. Processing location. The Company acknowledges that VAT IT may Process Personal Data outside South Africa, from time to time, in compliance with this DPA, the Agreement, and POPI Act.
4.2. Throughout, if required in terms of the POPI Act, in this DPA references to:
a) The “Controller” shall also mean the “Responsible Party;”
b) The “Processor” shall also mean the “Operator;”
c) “Personal Data” shall also mean “Personal Information;”
d) “Sub-Processor” shall also mean “Sub-Operator.”
4.3. Both Parties agree that the Company will determine the lawful condition(s) for Processing and ensure that measures that give effect to such conditions are complied with, including that consent is obtained from Data Subjects (if applicable). To the extent that it is determined by the Company to be necessary, the Company is responsible for, and shall obtain prior authorisation from the Information Regulator in line with the POPI Act. Furthermore, the Company shall take reasonable steps to ensure that the Personal Information provided to VAT IT is complete, accurate, not misleading and updated where necessary.