Data Processing Agreement
This data processing agreement (“DPA”) serves the main function of appointing T.B.I. Refunds of IDA BUSINESS & TECHNOLOGY PARK, RING ROAD, KILKENNY, IRELAND as Data Processor (“Data Processor”) of the requesting organization (“Data Controller”).
The Parties wish to agree certain provisions for the protection and security of data passed from the Data Controller to the Data Processor in order to reflect the requirements of the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the Data Protection Law of the country of jurisdiction in which the Data Controller operates.
A. NOW IT IS HEREBY AGREED that in consideration of the terms and conditions provided herein, the Parties agree as follows:
1.1 Capitalised terms shall be as defined in the Agreement. “Damages” means all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, fines, penalties and legal costs (calculated on a full indemnity basis), and all other reasonable professional costs and expenses) suffered or incurred by the Customer arising out of this Agreement or a cause of action in connection with the operation of this Agreement, including breach of contract, tort (including negligence) and any other common law, equitable or statutory cause of action;
“Data Controller” has the meaning given to it in Data Protection Law;
“Data Processor” has the meaning given to it in Data Protection Law;
“Data Protection Impact Assessment” has the meaning given to it in Data Protection Law;
“Data Protection Law” means the data protection and information privacy laws of the Data Controller’s country of jurisdiction;
“Data Security Breach” has the meaning given to it in Data Protection Law;
“Data Subject” has the meaning given to it in Data Protection Law;
“Personal Data” has the meaning given to it in Data Protection Law;
“Privacy Shield” means the Privacy Shield scheme and principles operated by the US Department of Commerce, and approved by the European Commission, or any replacement scheme and principles approved by the European Commission for that purpose from time to time;
“Processing” has the meaning given to it in Data Protection Law, and “Process” will be construed accordingly;
“Regulator” means any government department and regulatory, statutory and any other entity, committee and body which, whether under statute, rules, regulations, code of practice or otherwise, is entitled by any applicable law to supervise, regulate, investigate or influence the matters dealt with in this Agreement or any other affairs of the parties;
“Sub Processor” has the meaning given to it in Data Protection Law.
2. DATA PROTECTION
2.1 Data Controller: The Customer is a Data Controller in respect of the Personal Data Processing as set out in Annex 1.
2.2 Data Processor: The Supplier acts as a Data Processor in respect of the Personal Data it Processes on behalf of the Customer.
2.3 The Supplier shall comply with its obligations as a Data Processor under Data Protection Law. If the Supplier is or becomes aware of any reason that would prevent its compliance with Data Protection Law, or of any incident of non-compliance with Data Protection Law in connection with the Processing of Personal Data under this Agreement, it shall notify the Customer as expeditiously as possible.
2.4 Instructions: The Supplier shall only, and shall procure that its personnel only, Process the Personal Data in accordance with this Agreement and any other written instructions of the Customer unless required to do so by Union or Member State law to which the Supplier is subject and in such a case, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Supplier agrees that it will acquire no rights or interest in the Personal Data.
2.5 Data Subject Rights: The Supplier agrees to assist the Customer to respond to requests by Data Subjects, exercising their rights under Data Protection Law, within such reasonable timescale as may be specified by the Customer.
2.6 If the Supplier receives any such request from Data Subjects directly, the Supplier will immediately inform the Customer that it has received the request and forthwith forward the request to the Customer. The Supplier will not respond in any way to such a request, except on the instructions of the Customer.
2.7 Assistance: The Supplier shall assist the Customer within such reasonable timescale as may be specified by the Customer with compliance with the Customer’s obligations pursuant to:
2.7.1 Security of Processing
2.7.2 Data Breach Notification
2.7.3 Data Protection Impact Assessments
2.8 Data Transfers: The Supplier will transfer Personal Data or other information relating to customers of the Customer only as necessary to fulfil its contractual obligations. The Customer may, among other requirements, require the Supplier to:
2.8.1 enter into or procure that any relevant subcontractor enters into an appropriate Data Transfer Agreement; or
2.8.2 for transfers to the United States of America, ensure that the recipient has and continues to maintain a current, valid certification under the Privacy Shield and complies with the Privacy Shield principles.
The foregoing provisions of this Clause 2.8 shall also apply to any further transfer of the Personal Data or other information relating to customers of the Customer.
2.9 In the event that the transfer mechanism entered into under Clause 2.8 ceases to be valid, the Supplier shall, at the Customer’s discretion:
2.9.1 enter into and/or procure that any relevant subcontractor enters into an appropriate alternative data transfer mechanism;
2.9.2 destroy any Personal Data in its and/or its subcontractor’s possession; or
2.9.3 return any Personal Data in its and/or its subcontractor’s possession to the Customer.
2.10 Personal Data from Customer Group Members: In the event that more than one member of the Customer Group passes to the Supplier, or otherwise gives the Supplier access to, Personal Data or other information relating to its customers under this Agreement:
2.10.1 the Supplier will keep the Personal Data and other information relating to customers of each member separately identified, by reference to that member; and
2.10.2 the Supplier will not divulge any of the Personal Data or other information relating to customers of one member of the Customer Group, to another member of the Customer Group, without the consent of the member owning the Personal Data or other information relating to its customers.
2.11 Sub-Processing: The Supplier agrees that it shall not engage any third party to Process Customer Personal Data without the prior written consent of the Customer.
2.12 If the Supplier engages any third party to Process any Customer Personal Data, the Supplier shall impose on such third party, by means of a written contract, the same data protection obligations as set out in this Agreement and shall ensure that if any third party engaged by the Supplier in turn engages another person to Process any Personal Data, the third party is required to comply with all of the obligations in respect of Processing of Personal Data that are imposed under this Agreement.
2.13 The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of the other processors and shall not make any such changes without the prior written consent of the Customer.
2.14 The Supplier shall remain fully liable to the Customer for Processing by any third party as if the Processing were being conducted by the Supplier.
2.15 Security: The Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, including as appropriate and as notified in advance to the Customer:
2.15.1 the pseudonymisation and encryption of Personal Data;
2.15.2 the ability to ensure the ongoing confidentiality, integrity and availability of the Personal Data and resilience of the Supplier’s Systems used for such Processing;
2.15.3 the ability to restore the availability and access to the Personal Data in the event of a physical or technical incident; and
2.15.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2.16 Confidentiality: The Supplier will ensure that its personnel who Process Personal Data under this Agreement are subject to obligations of confidentiality in relation to such Personal Data.
2.17 Demonstrating Compliance: The Supplier shall make available to the Customer all information necessary to allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
2.18 Infringement: The Supplier will immediately inform the Customer if, in its opinion, an instruction given or request made pursuant to this Agreement infringes Data Protection Law.
2.19 Breach Notification: The Supplier will notify the Customer within twenty-four (24) hours, of the Supplier becoming aware of a Data Security Breach. The Supplier shall not communicate with any Data Subject in respect of a Data Security Breach without the prior written consent of the Customer.
2.20 Damages: The Supplier shall indemnify the Customer against any Damages incurred by the Customer arising from or in connection with:
2.20.1 The Supplier acting outside or contrary to the lawful instructions of the Customer;
2.20.2 Any other breach by the Supplier of its obligations under this Agreement or of Data Protection Laws; and/or
2.20.3 Any act or omission of the Supplier or its personnel which causes the Customer in any way to be in breach of Data Protection Laws.
2.21 Termination/Expiry: On termination or expiry of this Agreement (or at any other time on request by the Customer), the Supplier shall return, destroy or permanently erase, at the election of the Customer, all copies of Personal Data received and/or processed by it under this Agreement unless Applicable Law requires retention of the Personal Data.
2.22 Survival of Clause: The provisions of this Clause 2 shall survive the term of this Agreement until the Supplier has returned or destroyed all Personal Data in accordance with Clause 2.21.
3.1 This Agreement shall terminate automatically upon termination or expiry of the Data Processor’s obligations in relation to the Services, and on termination of this Agreement the Data Processor shall comply with its obligations under Clause 2.21 of this Agreement.
3.2 Either party may terminate this Agreement with immediate effect by written notice to the other:
(a) if the other party commits a material breach of the Agreement; or
(b) if the other party becomes or is declared insolvent or takes formal steps to commence bankruptcy or makes or proposes any composition with its creditors or the appointment of a receiver or similar officer over or in respect of some or all of its assets or the taking of steps for dissolution or strike off.
4.1 Counterparts: this Agreement may be executed in any number of counterparts and by the Parties to it on separate counterparts, each of which is an original but all of which together constitutes one and the same agreement.
4.2 Governing Law and Jurisdiction: this Agreement and any disputes or claims arising out of or in connection with its subject matter are governed by and construed in accordance with the laws of the Republic of Ireland. The Parties shall submit to the exclusive jurisdiction of the Irish Courts in respect of any disputes or claims arising out of or in connection with this Agreement.
Annex 1: Description of the Processing of Personal Data
1. Subject Matter
VAT Recovery for the duration of the contract agreement.
2. Nature of business agreement
The Data Processor is responsible for processing data and information on behalf of the Data Controller on the understanding that the Data Controller has obtained the necessary consent or has a legitimate purpose for processing the data.
3. Purpose of the Processing
Personal data is processed in order to validate VAT where purchases have been made in direct relation to corporate travel and associated expenses.
4. Categories of Personal Data
Contact data (name, address, email address, phone numbers), transaction data.
5. Sensitive Personal Data
No sensitive personal data is captured.
6. Categories of Data Subjects
Employees of the Customer
7. Security and Organisational Measures
Technical and organisational security controls are implemented in accordance with the ISO 27001 information security standard, to which Taxback International is certified by its external accreditation body.
8. Recipients of the Personal Data
Data is received by Taxback International from various sources in the course of ensuring that VAT is recovered for the (name of client) as contractually agreed.
Data is shared with our service providers, including (without limitation) those engaged by us to perform functions for the processing of global VAT services, which includes storage of your data in the EEA and the United States. Data may also be shared with any persons to the extent necessary to ensure Taxback International’s compliance with any applicable law, regulation or legal requirement.
9. Data Transfers
Data transfers as directed by the Data Controller, including to local tax authorities in each country applicable for VAT Recovery.
10. Data Retention
Data is retained as directed by the Data Controller.
11. Taxback DPO
Margaret Corrigan, The Taxback Group, IDA Business & Technology Park, Ring Road, Kilkenny, Ireland.