Data Processing Addendum

Last updated: 23 August 2023

By this data processing addendum (Addendum), the Customer (the Controller) authorises Firmcheck Limited (company number 11997004), a company incorporated in London, England (the Processor) to process its Personal Information contained in the Data in accordance with the Firmcheck Terms of Service agreed to by the Controller (Agreement) and this Addendum.

1. Definitions

1.1 Definitions: Unless the context otherwise requires:

Applicable Privacy Laws means the laws protecting the right to privacy which apply to the Controller and Processor with respect to data connected with the Agreement, which includes the UK Data Protection Act 2018, the UK GDPR, and if applicable, the EU GDPR.

Business Day means a day other than a Saturday or Sunday or public holiday on which banks are open for commercial business in London, England.

Controller Personal Information means any Personal Information in respect of which the Controller is a data controller, including the type of Personal Information and categories of data subjects referred to in the Privacy Policy, and which is processed by the Processor on the instructions of the Controller.

EEA means the European Economic Area.

EU GDPR means the General Data Protection Regulation (EU) 2016/679.

Personal Information has the meaning given to the phrase “personal information” and “personal data” in Applicable Privacy Laws.  

Personal Information Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Controller Personal Information.

Privacy Policy means the Processor’s privacy policy: Firmcheck Privacy Policy.

Regulatory Bodies means those government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the matters relating to the security of data, Personal Information, privacy protection or other laws connected to this Agreement.

Services means the services performed by Processor for Controller, as described in the Agreement.

Standard Contractual Clauses means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for Transfers of Personal Information to Third Countries not otherwise recognized as offering an adequate level of protection for Personal Information by the European Commission (as amended and updated from time to time).

Subprocessor shall mean any data processor engaged by the Processor (or by any other Subprocessor of the Processor) in order to be able to perform the Services.

Transfer shall mean making Controller Personal Information accessible to any person other than the data subject, including, but not limited to the active transfer of the data, permitting access, also remotely, sharing and publishing.

Third Country means a country or territory that is not:

     (a) in the context of the UK GDPR, part of the United Kingdom; or
      (b) in the context of the EU GDPR, a member state of the EEA.

UK GDPR means the General Data Protection Regulation of the United Kingdom, as defined in section 3 of the UK Data Protection Act 2018.

UK IDTA means the International Data Transfer Agreement or the International Data Transfer Addendum issued under section 119A of the UK Data Protection Act 2018, for Transfers of Personal Information to Third Countries not otherwise recognized as offering an adequate level of protection for Personal Information by the United Kingdom Government (as amended and updated from time to time). 

1.2 Interpretation: In this Addendum where the context permits:

1.2.1 references to data subject, data controller, data processor, identifiable, Personal Information, processing and special category Personal Information shall have the same meanings ascribed to them by the Applicable Privacy Laws;

1.2.2 reference to a party shall include that party's executors, administrators, successors and assigns;

1.2.3 reference to a statute or regulation shall include all amendments and re-enactments thereof; and

1.2.4 writing includes electronic communications (including email) and written has a corresponding meaning.

1.3 Standard Contractual Clauses: It is acknowledged that the Standard Contractual Clauses shall only apply to the Processor if the Processor is based in a Third Country that has not gained adequacy status under the EU GDPR.  For clarity, New Zealand holds adequacy status under the EU GDPR.

1.4 ITDA: It is acknowledged that the ITDA shall only apply to the Processor if the Processor is based in a Third Country that has not gained adequacy status under the UK GDPR.  For clarity, New Zealand holds adequacy status under the UK GDPR.

1.5 Agreement:  This Addendum is supplemental to the Agreement. Any breach of this Addendum shall constitute a material breach of the Agreement.

1.6 Priority:  In the event of any conflict between the Agreement and this Addendum, the terms in this Addendum shall prevail (to the extent of any such inconsistency).

2. Data Controller and Processor

2.1 Data Controller:  The Processor acknowledges that, in respect of the Controller Personal Information and for the purposes of the Applicable Privacy Laws, the Controller (and each group company of the Controller) is the data controller.  The Controller agrees to comply with its obligations under this Addendum and, as controller, under all Applicable Privacy Laws.

2.2 Privacy notices:  The Controller is solely responsible for all data controller obligations under Applicable Privacy Laws, including providing any required notices and obtaining any required consents, and for the processing instructions that it gives to the Processor.

2.3 Controller warranties:  The Controller warrants that:

2.3.1 no contractual obligations prohibit the processing of the Controller Personal Information as described in the Agreement and this Addendum; and

2.3.2 the production, collection, and processing of Controller Personal Information has been and will continue to be carried out in accordance with the Applicable Privacy Laws.

2.4 Appointment as Data Processor:  The Controller appoints the Processor as a data processor of the Controller Personal Information, and the Processor accepts the appointment and agrees to comply with its obligations under this Addendum.

3. Data processing

3.1 Principles:  Controller Personal Information will be processed by the Processor under the general principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. 

3.2 Processing restrictions:  Subject to clause 3.3, the Processor shall ensure that all Controller Personal Information is processed only:

3.2.1 according to the instructions of the Controller, which shall include the purposes described in the Agreement;

3.2.2 in accordance with this Addendum; 

3.2.3 in compliance with Applicable Privacy Laws; and

3.2.4 except as otherwise specified in clause 7:

     (a) where the EU GDPR applies to the Personal Information, within the European Union or a Third Country which ensures an adequate level of protection as indicated by the decision of the European Commission taken pursuant to article 25(6) of the Directive or article 45, § 3, of the EU GDPR; and/or

     (b) where the UK GDPR applies to the Personal Information, within the United Kingdom or a Third Country which ensures an adequate level of protection, as recognised by the United Kingdom Government.

3.3 Outside of instructions:  The Processor may process Controller Personal Information outside of the Controller’s instructions if laws to which the Processor is subject require or allow it. The Processor shall notify the Controller if it is of the opinion that any instruction provided by the Controller is in breach of any Applicable Privacy Law.

4. Cooperation obligations

4.1 Assistance:  The Processor shall take any steps reasonably requested by the Controller to assist the Controller to demonstrate compliance with its obligations under Applicable Privacy Laws, including to assist and support the Controller:

4.1.1 in the event of an investigation or other control measures or by any Regulatory Body to the extent that such investigation relates to Controller Personal Information;

4.1.2 in the event of the exercise of any claims by data subjects or third parties related to the processing under this Addendum or the Agreement;

4.1.3 in complying with the rights of data subjects, including the right to obtain transparent information, the right to access, rectify, and erase their Personal Information, restrict, or object to, the processing of their Personal Information, exercise their right to data portability;

4.1.4 in notifying, consulting with and obtaining approvals from Regulatory Bodies where required; and

4.1.5 in performing data protection impact assessments.

4.2 Data subject rights:

4.2.1 The Processor shall promptly comply with any request from the Controller requiring the Processor to access, amend, Transfer or delete any Controller Personal Information.

4.2.2 The Processor must inform the Controller promptly, taking into account the notification requirements imposed on the Controller under Applicable Privacy Laws, following the Processor’s receipt of any inquiry from a data subject with respect to Controller Personal Information.

4.2.3 Provided that the Controller acts in accordance with Applicable Privacy Laws, the Processor shall not respond to any such request referred to in clause 4.2.2 unless expressly authorised to do so by the Controller.

4.3.  Regulatory action:  The Processor will promptly notify the Controller about: 

4.3.1  any binding request addressed to the Processor or any of its Subprocessors for the disclosure of Controller Personal Information by a Regulatory Body, unless otherwise prohibited by the applicable law; and

4.3.2  any monitoring activities and measures undertaken by the Regulatory Body, including where a Regulatory Body investigates the Processor for a possible breach of Applicable Privacy Laws.

4.4.  Audit rights:  The Controller has the right to, on reasonable notice and in a reasonable manner, audit and inspect the implemented technical and organisational measures of the Processor and the Processor’s compliance with this Addendum to the extent such measures are able to be audited.  If the Processor notifies the Controller of a Personal Information Breach, then the Controller shall have the right to perform an on-site audit of the Processor on notice without undue delay.  Any audit or inspection undertaken by the Controller shall be at the Controller’s cost.

5. Personal information breach

5.1 Data breach:  To the extent the Processor becomes aware of any Personal Information Breach or if it has reason to believe that a Personal Information Breach may have occurred, then the Processor must without undue delay (and where feasible, within 72 hours of becoming aware of the breach):

5.1.1 notify the Controller, taking into account the notification duty requirements imposed on the Controller under the Applicable Privacy Laws; and

5.1.2 investigate the Personal Information Breach and provide the Controller with the information set out in clause 5.2; and

5.1.3  with the prior consent of the Controller (not to be unreasonably withheld or delayed), take measures to prevent further Personal Information Breaches, and mitigate or remedy the Personal Information Breach. 

5.2 Information obligations:  The Processor shall summarise in reasonable detail the impact of the Personal Information Breach, including describing to the extent this is known to the Processor:

5.2.1 the nature of the Personal Information Breach;

5.2.2 the categories and numbers of data subjects concerned;

5.2.3 the categories and numbers of Personal Information records concerned;

5.2.4 the details of any unlawful recipient (including names, addresses and business sectors);

5.2.5 the estimated risk and the likely consequences of the Personal Information Breach; and

5.2.6 the measures taken or proposed to be taken to address the Personal Information Breach.

5.3 Records:  The Processor shall maintain records of any actual or suspected Personal Information Breach in accordance with commercially accepted industry practices.  The Processor shall make such records reasonably available to the Controller.

6. Technical and organisational measures

6.1 Confidentiality:  The Processor will:

6.1.1 ensure that the personnel it authorises to process Controller Personal Information are under appropriate confidentiality obligations; and

6.1.2 inform its authorised personnel that the Controller Personal Information is only to be processed in accordance with the Agreement and as otherwise instructed by the Controller.

6.2 Data Security:  During the processing of Controller Personal Information, the Processor shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk of a Personal Information Breach.  

6.3 Security Measures:  The Processor will: 

6.3.1 take reasonable steps to ensure the reliability of any staff who have access to Controller Personal Information;

6.3.2 ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services processing Controller Personal Information;

6.3.3 implement a process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Controller Personal Information; and

6.3.4 take any other steps required by Applicable Privacy Laws.

7. Cross border transfers

7.1 Cross-Border Transfers:  The Processor is based in the United Kingdom and the Processor’s Subprocessors are, as at the date of this Addendum, in the United Kingdom, Europe, United States, New Zealand, and Australia. The Controller gives the Processor general written consent to Transfer Controller Personal Information to a Third Country where the relevant Subprocessor:

7.1.1 is in a Third Country that:

     (a) where the EU GDPR applies to the Personal Information, the European Commission has recognised as providing adequate protection; or

     (b) where the UK GDPR applies to the Personal Information, the United Kingdom Government has recognised as providing adequate protection; or

7.1.2 is a Subprocessor at the date of this Agreement; or

7.1.3 has entered into a contract with the Processor containing:

     (a) where the EU GDPR applies to the Personal Information, the Standard Contractual Clauses;           or

     (b) where the UK GDPR applies to the Personal Information, the ITDA. 

In each case, the Controller explicitly grants the Processor a mandate to execute and enforce the Standard Contractual Clauses and/or ITDA (as applicable) on its behalf against the Processor’s relevant Subprocessors. 

‍

8. Subprocessors

8.1 Subprocessors:  Without limiting clause 7, the Controller gives the Processor general written consent for the Processor to authorise any third party to process Controller Personal Information as a Subprocessor, subject to the following conditions: 

8.1.1 the Processor must maintain an up-to-date list of the names and locations of all Subprocessors, and shall make this list reasonably available to the Controller (see our Privacy Policy for this list); and

8.1.2 except in respect of any Subprocessors existing at the date of this Addendum, the contract entered into between the Processor and a Subprocessor will include terms which are substantially the same as those set out in this Addendum.

The Processor will assume liabilities for the acts and omissions of its Subprocessors in relation to the Services provided to the Controller, subject to the limitations of liability under this Addendum and the Agreement.

9. Liability

9.1 Agreement:  Unless expressly prohibited by law, with regard to the parties' liability to each other under or in connection with the Agreement and this Addendum, the provisions of the Agreement shall apply. To the extent permitted by law, any liability cap and liability exclusions applicable to a party under the Agreement (including without limitation exclusions of any special, indirect or consequential loss, or loss of profits, loss or corruption of data, revenue, business or goodwill) shall apply in respect of that party’s total liability under this Addendum and the Agreement.

10. Term and termination

10.1 Termination:  The parties may terminate this Addendum earlier than the Agreement is terminated where the parties sign a new data processing agreement to replace this Addendum.

10.2 Return/Destruction of Controller Personal Information:  Except as otherwise directed by the Controller, when requested to do so by the Controller the Processor shall hand over to the Controller all Controller Personal Information, and shall erase or destroy related data as described in the Privacy Policy.