Background

Customer and ethiXbase have and may enter into Orders and associated ethiXbase terms and conditions for the supply of Services (“Terms”). ethiXbase will be required to process Customer Personal Data on behalf of Customer and/or its Affiliates in connection with Orders. 

This DPA sets out the additional terms on which ethiXbase will process Customer Personal Data when providing Services under or in connection with an Order.   

The terms set out in this DPA will apply to the extent Data Protection Legislation requires Customer to include equivalent terms in agreements with its processors.  

In this DPA, “ethiXbase” shall be the legal entity identified in clause 19 of the Terms and “Customer” shall be the legal entity identified in the Annex. 

1. Interpretation. The definitions and rules of interpretation in this clause apply in this DPA.

Customer Personal Data: Personal Data ethiXbase processes on behalf of Customer or its Affiliates in connection with an Order including personal data uploaded to the ethiXbase Platform 360 and processed in and in relation to, Reports. 

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “personal data breach” and “processing” shall have the meanings attributed to them in the Data Protection Legislation. 

Data Protection Legislation: all data protection and privacy legislation in force from time to time applicable to a party including, GDPR, UK GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended). 

UK GDPR: the retained version of the EU General Data Protection Regulation ((EU) 2016/679) in the UK, as defined in s.3(10) of the Data Protection Act 2018, and as supplemented by s.205(4), and all references in this DPA to “GDPR” are to UK GDPR unless otherwise stated. 

Words and expressions defined in the Terms shall have the same meaning in this DPA. 

1.2. Clause, schedule and paragraph headings shall not affect the interpretation of this DPA. 

1.3. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).

1.4. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established. 

1.5. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders. 

1.6. A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this DPA and shall include all subordinate legislation made as at the date of this DPA under that statute or statutory provision. 

Basis of Processing 

In the provision of the Services, ethiXbase may process Customer Personal Data. ethiXbase acknowledges that Customer is the Data Controller of Customer Personal Data and ethiXbase is the Data Processor of Customer Personal Data. 

Customer alone will exercise all rights under this DPA on its own behalf and on behalf of Customer Affiliates that are permitted by ethiXbase to use the Services under Customer’s Order.    

The  subject-matter, duration, nature,  purpose  of  processing, types  of  Customer Personal Data  and  categories  of  Data  Subjects  processed  under  this  DPA  are  set out in the Annex to this DPA. 

Instructions 

ethiXbase will process Customer Personal Data only in accordance with Customer’s written instructions (which instructions include use of Customer Personal Data to comply with an Order and the Terms). Instructions may be given by email and will be reasonable, given in good faith and consistent with ethiXbase’s obligations under an Order and the Terms. 

ethiXbase may also process Customer Personal Data if required to do so by applicable law.  ethiXbase will inform Customer of any such legal requirement before processing unless the law prohibits it from doing so.

Customer will not use due ethiXbase diligence questionnaires to collect High Risk Data using the Services without the prior written consent of ethiXbase. ethiXbase accepts no responsibility for the destruction, loss, alteration, unauthorised disclosure of, or access to, any such data.

Compliance with Data Protection Legislation 

Each party will comply with the Data Protection Legislation applicable to it.  

ethiXbase will notify Customer prior to carrying out any instruction from Customer that ethiXbase is aware would result in a breach of Data Protection Legislation.  

Security 

Taking into account the state of technical development and the nature of processing, ethiXbase shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data from a personal data breach. 

Customer will determine whether the technical and organisational measures provided by the Services enable Customer to meet its obligations under the Data Protection Legislation.  

Customer must also ensure the secure use of the Services by its Users. 

Sub-processing 

ethiXbase will provide Customer with a list of its then current sub-processors on request. 

ethiXbase has Customer’s general authorisation to appoint sub-processors and authorise them to process Customer Personal Data to the extent necessary for ethiXbase to provide Services. Sub-processors may be located outside the European Economic Area. 

ethiXbase will appoint each sub-processor under a written agreement containing, in substance, the same data protection obligations as this DPA.   

ethiXbase will be responsible for each sub-processor’s compliance with ethiXbase obligations under this DPA.  

ethiXbase will notify Customer of any proposed changes to sub-processors. Acting reasonably and in good faith, Customer may object to such changes on data protection grounds within 10 days of ethiXbase’s notification to Customer. If Customer does notify ethiXbase of such reasonable objections, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. ethiXbase may suspend the provision of the Services pending such resolution. If no objection is received within such 10 day period, Customer will be deemed to have no objections.   

ethiXbase Personnel  

ethiXbase shall ensure that those of its personnel who need access to Customer Personal Data to provide the Services:

are informed of the confidential nature of Customer Personal Data and are subject to a binding written contractual obligation to keep Customer Personal Data confidential; 

have undertaken training in the laws relating to handling Personal Data;

are aware both of ethiXbase’s duties and their personal duties and obligations under such laws and this DPA; and 

shall only have access to such part or parts of Customer Personal Data as is strictly necessary for performance of that person’s duties.  

International transfers 

ethiXbase shall not process or otherwise transfer any Customer Personal Data in or to any country outside the EEA, UK or Singapore (as applicable) unless ethiXbase has taken the steps necessary to comply with Data Protection Legislation.

Such steps may include (without limitation) transferring Customer Personal Data to a recipient that (a) is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities as providing an adequate level of protection for Personal Data (b) has achieved binding corporate rules authorisation in accordance with Data Protection Legislation, or (c) has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable Data Protection Legislation. ethiXbase may transfer Customer Personal Data to a sub-processor located in the United States if that entity participates in such mechanism as may replace or supersede the EU-US Privacy Shield from time to time, or any equivalent mechanism implemented for UK-US data transfers. 

Personal Data Breach 

ethiXbase shall without undue delay, inform Customer if ethiXbase becomes aware that any Customer Personal Data has been subject to a personal data breach.  

ethiXbase shall make reasonable efforts to identify the cause of any personal data breach and take those steps as ethiXbase deems necessary and reasonable in order to remediate the cause of any personal data breach to  the  extent remediation is within  ethiXbase’s  reasonable control.  ethiXbase will keep Customer informed of such cause and the steps it is taking. 

Audits 

ethiXbase shall on request, in accordance with the Data Protection Legislation, make available to Customer such information it has as is necessary to demonstrate ethiXbase’s compliance with the obligations placed on it under Article 28 of the GDPR and allow for and contribute to audits. 

ethiXbase will notify Customer if ethiXbase ceases to be ISO 27001 certified.   

Any audit shall be performed no more than once per calendar year (except where required due to a breach of this DPA or by a regulatory authority), follow at least 60 days prior written notice and be at Customer’s own cost and expense. Audits will be carried out on a remote or desktop basis unless it is not possible to do so. 

Customer will not unreasonably interfere with ethiXbase’s day to day business activities and shall comply with its reasonable security requirements.  

Assistance

ethiXbase shall: 

Without undue delay, provide such reasonable information and assistance as Customer may require in relation to the fulfilment of Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under the Data Protection Legislation; and

provide such information, co-operation and other assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to ethiXbase) to ensure compliance with Customer’s obligations under Data Protection Legislation, including with respect to: 

security of processing;

data protection impact assessments; 

prior consultation with a supervisory authority regarding high risk processing; and 

any remedial action and/or notifications to be taken in response to any personal data breach and/or any complaint or request relating to either party’s obligations under Data Protection Legislation relevant to this DPA, including (subject in each case to Customer’s prior written authorisation) regarding any notification of the personal data breach to supervisory authorities and/or communication to any affected Data Subject.

ethiXbase may (acting reasonably) charge Customer at its standard professional services rates for any support, co-operation or assistance it provides under the DPA that cannot be provided within the scope of the Services other than in relation to any support, co-operation or assistance required due to a breach of ethiXbase’s obligations under this DPA.

Deletion/return 

At the end of the provision of the Services, at Customer’s cost and Customer’s option, ethiXbase shall either return all of Customer Personal Data to Customer or securely dispose of Customer Personal Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires ethiXbase to retain such Customer Personal Data. This term shall apply except where ethiXbase has archived Customer Personal Data on back-up systems which data ethiXbase will securely isolate and protect from any further processing and delete in accordance with its standard deletion practises. This DPA will continue to apply until deletion. 

Customer obligations 

Customer must obtain all consents or other legal justifications necessary for ethiXbase to process Customer Personal Data and to deliver the Services in accordance with an Order and Terms. 

The Customer will ensure the Customer Data: 

contains the minimum information required for ethiXbase to provide the Services; 

is accurate and complete (and the Customer shall notify ethiXbase of any inaccuracies or of any corrections required); 

does not contain any special category or sensitive Personal Data (within the meaning of the Data Protection Legislation) other than as contained in Reports. 

If the Customer receives any complaint, notice or communication which relates directly or indirectly to the Service, ethiXbase Data or to ethiXbase’s compliance with the Data Protection Legislation it shall without undue delay notify ethiXbase and provide reasonable cooperation and assistance in relation to any such complaint, notice or communication.  

Customer will provide ethiXbase with reasonable co-operation and assistance in relation to any request made by any Data Subject identified in the Customer Data in relation to the ethiXbase Data. 

Application of the Terms 

The following provisions of the Terms shall apply equally to this DPA as if references in the Terms to the or this agreement where references to this DPA: 1 (definitions), 4 (Customer Data), 10 (confidentiality), 12 as between ethiXbase and Customer but not between ethiXbase and Data Subjects, (limitation of Liability), 14 (Force Majeure), 16 (General), 17 (Notices), 18 (Contracting Entity) and 19 (English language). 

Annex: