Data Processor contract terms addendum to engagement letter
For some elements of an engagement with a client, Greenback Alan LLP may act as a Data Processor rather than as a Data Controller. For those elements of our engagement, the following Data Processor contract terms will apply as an addendum to the engagement letter.
1. We shall both comply with all applicable requirements of the data protection legislation. This addendum is in addition to, and does not relieve, remove or replace, either of our obligations under the data protection legislation.
2. We both acknowledge that for the purposes of the data protection legislation, you are the data controller and we are the data processor. Clause 6 sets out the scope, nature and purpose of processing by us, the duration of the processing and the types of personal data and categories of data subject.
3. In respect of the personal data, unless otherwise required by applicable laws or other regulatory requirements, we shall:
A. process the personal data only in accordance with your lawful written instructions, in order to provide you with the services pursuant to our engagement with you and in accordance with applicable data protection legislation;
B. disclose and transfer the personal data to our regulatory bodies as and to the extent necessary in order to provide you with the services pursuant to our engagement with you in relation to those services;
C. disclose the personal data to courts, government agencies and other third parties as and to the extent required by law;
D. maintain written records of our processing activities performed on your behalf which shall include: (i) the categories of processing activities performed; (ii) details of any cross-border data transfers outside of the European Economic Area (EEA); and (iii) a general description of security measures implemented in respect of the personal data;
E. maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of any personal data and against accidental loss or destruction of, or damage to, such personal data;
F. return or delete all the personal data upon the termination of the engagement with you pursuant to which we agreed to provide the services;
G. ensure that only those personnel who need to have access to the personal data are granted access to it and that all of the personnel authorised to process the personal data are bound by a duty of confidentiality;
H. notify you if we appoint a sub-processor (but only if you have given us your prior written consent, such consent not to be reasonably withheld or delayed) and ensure any agreement entered into with the relevant sub-processor includes similar terms as the terms set out in these clauses 1-6;
I. where we transfer the personal data to a country or territory outside the EEA to do so in accordance with data protection legislation;
J. notify you promptly if:
K. we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of the personal data; or
L. we are served with an information or assessment notice, or receive any other material communication in respect of our processing of the personal data from a supervisory body (for example, the Information Commissioner’s Office);
M. notify you, without undue delay, in the event that we reasonably believe that there has been a personal data breach in respect of the personal data;
N. at your cost and upon receipt of your prior written notice, allow you, on an annual basis and/or in the event that we notify you of a personal data breach in respect of the personal data, reasonable access to the relevant records, files, computer or other communication systems, for the purposes of reviewing our compliance with the data protection laws.
4. Without prejudice to the generality of clause 1, you will ensure that you have all necessary appropriate consents and notices in place to enable the lawful transfer of the relevant personal data to us.
5. Should you require any further details regarding our treatment of personal data, please contact our data protection partner.
6. This paragraph includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
A. Subject matter and duration of the processing of personal data
The subject matter and duration of the processing of the personal data are set out in the engagement letter between us.
B. The nature and purpose of the processing of personal data
The processing is that required for us to carry out the services to be provided as set out in the engagement letter.
C. The types of personal data to be processed
Personal Data that may be processed includes contact email addresses that may identify an individual, and for specific services the following:
Payroll: Where we carry out payroll services on your behalf, the data subjects will be your employees. We will require personal data on your employees which covers their names, national insurance numbers, addresses, gender, age, salary, pension contributions and other PAYE information.
Personal tax: The data subjects will be yourselves, and may also include family members, trustees and other professionals where their details need to be retained in order to advise you. In the case of adult children, non-child relatives and professionals we are to liaise with (lawyers, trustees, bankers, etc.), please note the contents of clause 4. Where we prepare your trust tax returns on your behalf we may require personal data of trustees and beneficiaries which covers their names, contact details, age, gender, income, and other information relevant to the trust's tax affairs.
Other services: The data subjects may include your employees, customers and suppliers where these are necessary to carry out the engagement. To carry out the services for which we are engaged we may require personal details of your employees which covers their name, contact details, details of loans from the company to them, personal information of theirs within the company books, etc.
Your obligations and rights
Your obligations and rights are set out in the engagement letter between us.