Ethixbase360 Data Processing Agreement
Background
Customer and ethiXbase have and may enter into Orders and associated ethiXbase terms and conditions for the supply of Services (“Terms”). ethiXbase will be required to process Customer Personal Data on behalf of Customer and/or its Affiliates in connection with Orders.
This DPA sets out the additional terms on which ethiXbase will process Customer Personal Data when providing Services under or in connection with an Order.
The terms set out in this DPA will apply to the extent Data Protection Legislation requires Customer to include equivalent terms in agreements with its processors.
In this DPA, “ethiXbase” shall be the legal entity identified in clause 19 of the Terms and “Customer” shall be the legal entity identified in the Annex.
1. Interpretation. The definitions and rules of interpretation in this clause apply in this DPA.
Customer Personal Data: Personal Data ethiXbase processes on behalf of Customer or its Affiliates in connection with an Order, including personal data uploaded to the ethiXbase Platform 360 and processed in, and in relation to, Reports.
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “personal data breach” and “processing” shall have the meanings attributed to them in the Data Protection Legislation.
Data Protection Legislation: all data protection and privacy legislation in force from time to time applicable to a party including GDPR, UK GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
UK GDPR: the retained version of the EU General Data Protection Regulation ((EU) 2016/679) in the UK, as defined in s.3(10) of the Data Protection Act 2018, and as supplemented by s.205(4), and all references in this DPA to “GDPR” are to UK GDPR unless otherwise stated.
Words and expressions defined in the Terms shall have the same meaning in this DPA.
1.2. Clause, schedule and paragraph headings shall not affect the interpretation of this DPA.
1.3. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).
1.4. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders.
1.6. A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this DPA and shall include all subordinate legislation made as at the date of this DPA under that statute or statutory provision.
Basis of Processing
In the provision of the Services, ethiXbase may process Customer Personal Data. ethiXbase acknowledges that Customer is the Data Controller of Customer Personal Data and ethiXbase is the Data Processor of Customer Personal Data.
Customer alone will exercise all rights under this DPA on its own behalf and on behalf of Customer Affiliates that are permitted by ethiXbase to use the Services under Customer’s Order.
The subject-matter, duration, nature, purpose of processing, types of Customer Personal Data and categories of Data Subjects processed under this DPA are set out in the Annex to this DPA.
Instructions
ethiXbase will process Customer Personal Data only in accordance with Customer’s written instructions (which instructions include use of Customer Personal Data to comply with an Order and the Terms). Instructions may be given by email and will be reasonable, given in good faith and consistent with ethiXbase’s obligations under an Order and the Terms.
ethiXbase may also process Customer Personal Data if required to do so by applicable law. ethiXbase will inform Customer of any such legal requirement before processing unless the law prohibits it from doing so.
Customer will not use ethiXbase due diligence questionnaires to collect High Risk Data using the Services without the prior written consent of ethiXbase. ethiXbase accepts no responsibility for the destruction, loss, alteration, unauthorised disclosure of, or access to, any such data.
Compliance with Data Protection Legislation
Each party will comply with the Data Protection Legislation applicable to it.
ethiXbase will notify Customer prior to carrying out any instruction from Customer that ethiXbase is aware would result in a breach of Data Protection Legislation.
Security
Taking into account the state of technical development and the nature of processing, ethiXbase shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data from a personal data breach.
Customer will determine whether the technical and organisational measures provided by the Services enable Customer to meet its obligations under the Data Protection Legislation.
Customer must also ensure the secure use of the Services by its Users.
Sub-processing
ethiXbase will provide Customer with a list of its then current sub-processors on request.
ethiXbase has Customer’s general authorisation to appoint sub-processors and authorise them to process Customer Personal Data to the extent necessary for ethiXbase to provide Services. Sub-processors may be located outside the European Economic Area.
ethiXbase will appoint each sub-processor under a written agreement containing, in substance, the same data protection obligations as this DPA.
ethiXbase will be responsible for each sub-processor’s compliance with ethiXbase obligations under this DPA.
ethiXbase will notify Customer of any proposed changes to sub-processors. Acting reasonably and in good faith, Customer may object to such changes on data protection grounds within 10 days of ethiXbase’s notification to Customer. If Customer does notify ethiXbase of such reasonable objections, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. ethiXbase may suspend the provision of the Services pending such resolution. If no objection is received within such 10-day period, Customer will be deemed to have no objections.
ethiXbase Personnel
ethiXbase shall ensure that those of its personnel who need access to Customer Personal Data to provide the Services:
are informed of the confidential nature of Customer Personal Data and are subject to a binding written contractual obligation to keep Customer Personal Data confidential;
have undertaken training in the laws relating to handling Personal Data;
are aware both of ethiXbase’s duties and their personal duties and obligations under such laws and this DPA; and
shall only have access to such part or parts of Customer Personal Data as is strictly necessary for performance of that person’s duties.
International transfers
ethiXbase shall not process or otherwise transfer any Customer Personal Data in or to any country outside the EEA, UK or Singapore (as applicable) unless ethiXbase has taken the steps necessary to comply with Data Protection Legislation.
Such steps may include (without limitation) transferring Customer Personal Data to a recipient that (a) is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities as providing an adequate level of protection for Personal Data (b) has achieved binding corporate rules authorisation in accordance with Data Protection Legislation, or (c) has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable Data Protection Legislation. ethiXbase may transfer Customer Personal Data to a sub-processor located in the United States if that entity participates in such mechanism as may replace or supersede the EU-US Privacy Shield from time to time, or any equivalent mechanism implemented for UK-US data transfers.
Personal Data Breach
ethiXbase shall without undue delay, inform Customer if ethiXbase becomes aware that any Customer Personal Data has been subject to a personal data breach.
ethiXbase shall make reasonable efforts to identify the cause of any personal data breach and take those steps as ethiXbase deems necessary and reasonable in order to remediate the cause of any personal data breach to the extent remediation is within ethiXbase’s reasonable control. ethiXbase will keep Customer informed of such cause and the steps it is taking.
Audits
ethiXbase shall on request, in accordance with the Data Protection Legislation, make available to Customer such information it has as is necessary to demonstrate ethiXbase’s compliance with the obligations placed on it under Article 28 of the GDPR and allow for and contribute to audits.
ethiXbase will notify Customer if ethiXbase ceases to be ISO 27001 certified.
Any audit shall be performed no more than once per calendar year (except where required due to a breach of this DPA or by a regulatory authority), follow at least 60 days’ prior written notice and be at Customer’s own cost and expense. Audits will be carried out on a remote or desktop basis unless it is not possible to do so.
Customer will not unreasonably interfere with ethiXbase’s day-to-day business activities and shall comply with its reasonable security requirements.
Assistance
ethiXbase shall:
without undue delay, provide such reasonable information and assistance as Customer may require in relation to the fulfilment of Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under the Data Protection Legislation; and
provide such information, co-operation and other assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to ethiXbase) to ensure compliance with Customer’s obligations under Data Protection Legislation, including with respect to:
security of processing;
data protection impact assessments;
prior consultation with a supervisory authority regarding high risk processing; and
any remedial action and/or notifications to be taken in response to any personal data breach and/or any complaint or request relating to either party’s obligations under Data Protection Legislation relevant to this DPA, including (subject in each case to Customer’s prior written authorisation) regarding any notification of the personal data breach to supervisory authorities and/or communication to any affected Data Subject.
ethiXbase may (acting reasonably) charge Customer at its standard professional services rates for any support, co-operation or assistance it provides under the DPA that cannot be provided within the scope of the Services other than in relation to any support, co-operation or assistance required due to a breach of ethiXbase’s obligations under this DPA.
Deletion/return
At the end of the provision of the Services, at Customer’s cost and Customer’s option, ethiXbase shall either return all of Customer Personal Data to Customer or securely dispose of Customer Personal Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires ethiXbase to retain such Customer Personal Data. This term shall apply except where ethiXbase has archived Customer Personal Data on back-up systems, which data ethiXbase will securely isolate and protect from any further processing and delete in accordance with its standard deletion practices. This DPA will continue to apply until deletion.
Customer obligations
Customer must obtain all consents or other legal justifications necessary for ethiXbase to process Customer Personal Data and to deliver the Services in accordance with an Order and Terms.
The Customer will ensure the Customer Data:
contains the minimum information required for ethiXbase to provide the Services;
is accurate and complete (and the Customer shall notify ethiXbase of any inaccuracies or of any corrections required);
does not contain any special category or sensitive Personal Data (within the meaning of the Data Protection Legislation) other than as contained in Reports.
If the Customer receives any complaint, notice or communication which relates directly or indirectly to the Service, ethiXbase Data or to ethiXbase’s compliance with the Data Protection Legislation it shall without undue delay notify ethiXbase and provide reasonable cooperation and assistance in relation to any such complaint, notice or communication.
Customer will provide ethiXbase with reasonable co-operation and assistance in relation to any request made by any Data Subject identified in the Customer Data in relation to the ethiXbase Data.
Application of the Terms
The following provisions of the Terms shall apply equally to this DPA as if references in the Terms to “the agreement” or “this agreement” were references to this DPA: 1 (definitions), 4 (Customer Data), 10 (confidentiality), 12 (limitation of liability) as between ethiXbase and Customer but not between ethiXbase and Data Subjects, 14 (Force Majeure), 16 (General), 17 (Notices), 18 (Contracting Entity) and 19 (English language).
Annex:
| Item | Details |
| --- | --- |
| Customer/Controller | As identified in the Order |
| Processor | The legal entity identified in section 18 of the Terms |
| Subject matter of processing | Authorised Users: for the provision of the Services. Other parties: for assessing and managing third party risks in the Customer’s business operations |
| Duration of Processing | The term of the applicable Order |
| Nature of Processing | The processing of Personal Data in accordance with an Order and the Terms, including the collection, organisation, structuring, storage, back-up, retrieval, transmission and erasure of personal data |
| Personal Data Categories | Authorised Users: names, email addresses, IP addresses and phone numbers, and/or any other data made available to ethiXbase in connection with the provision of the Services. Other parties: identification details, contact details, location details, family details, lifestyle and social circumstances, educational details, employment details, financial details, media and other publicly sourced information, appearance on governmental and professional sanctions and watch lists, actual and alleged criminal offence information, political opinion (Politically Exposed Persons) and/or any other data made available to ethiXbase in connection with the provision of the Services or collected by Customer through a custom due diligence questionnaire prepared to Customer’s specification |
| Data Subject Types | Authorised Users. Actual and potential Customer officers, employees, contractors, suppliers and other Customer counterparties and their officers, employees and contractors |