EisnerAmper Data Protection Addendum
This Data Protection Addendum (Addendum) supplements the Engagement Agreement (Agreement) entered into between any EisnerAmper entity acting as a Processor of Customer Data (Provider) and the customer identified in the applicable Agreement, to whom such services are provided (Customer).
The parties wish to include provision for the requirements of the Cayman Islands’ Data Protection Law, 2017 (Law 33 of 2017) and the Data Protection Regulations, 2018 (SL 17 of 2019) (“DPL”) in the Agreement. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an Addendum to the Agreement.
The terms set out in this Addendum will take effect from 30 September 2019 and in the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall supersede the Agreement.
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
Data Controller has the meaning given in applicable Data Protection Laws from time to time.
Data Processor has the meaning given in applicable Data Protection Laws from time to time.
Data Protection Laws means, as binding on either party or the services provided under the Agreement:
- the DPL;
- any laws which implement any such law;
- any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
- any ‘code of practice’ promulgated under section 42 of DPL; and
- any binding decision of the courts and tribunals of the Cayman Islands that relate to the application or interpretation of any of the foregoing.
Data Subject has the meaning given in applicable Data Protection Laws from time to time.
DPL means the Cayman Islands’ Data Protection Law, 2017 (Law 33 of 2017) and the Data Protection Regulations, 2018 (SL 17 of 2019).
Personal Data has the meaning given in applicable Data Protection Laws from time to time.
1. DATA PROTECTION
1.1 Both parties will comply with all applicable requirements of the Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
1.2 The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Data Controller and Provider is the Data Processor. Schedule 1 sets out the scope, nature and purpose of processing by Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.
1.3 Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Provider for the duration and purposes of this Addendum. The Customer shall ensure all instructions given by it to Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws.
1.4 Without prejudice to the generality of clause 1.1, Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under the Agreement, where applicable:
- process that Personal Data only on the written instructions of the Customer unless Provider is required by law to process that Personal Data in some other way;
- immediately inform the Customer if Provider is requested to take any action which may infringe the DPL;
- taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected;
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
- assist the Customer, at the Customer's cost, in responding to any request from a Data Subject pursuant to information rights under part 2 of the DPL and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Customer without undue delay on becoming aware of a Personal Data breach;
- at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by applicable law to store the Personal Data;
- maintain complete and accurate records and information to demonstrate its compliance with the Data Protection Laws and to assist with any further information required to ensure that both parties meet their obligations under the DPL; and
- permit audits by the Customer or the Customer's designated auditor, subject to a maximum of one audit request in any 12 month period, at Customer’s cost.
1.5 The Customer acknowledges that Provider’s primary processing facilities are based in the United States of America. The Customer agrees that Provider may transfer Personal Data outside of the Cayman Islands, provided all such transfers by Provider of Personal Data outside of the Cayman Islands (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws.
1.6 The Customer consents to Provider appointing sub-processor(s) as third-party processors of Personal Data under the Agreement, and provides a general authorisation for Provider to appoint further sub-processors. Provider confirms that it has entered or (as the case may be) will enter into a written agreement with the third-party processor incorporating terms which are substantially similar to those set out in this clause 1. As between the Customer and Provider, Provider shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. The list of sub-processors engaged by Provider will be provided upon request. Provider will inform the Customer of any addition, replacement, or other changes of sub-processors and provide the Customer with the opportunity to reasonably object to such changes on legitimate grounds.
1.7 Provider may, at any time on not less than 30 days’ notice, revise this clause 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this Addendum).
Processing, Personal Data and Data Subjects
Processing of Personal Data by Provider under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subject set out in this Schedule 1.
- Processing by Provider
- Subject-matter of processing
The subject matter of the data processing under this Addendum is the Customer Personal Data processed by Provider pursuant to the services provided to the Customer under the Agreement.
- Nature and purpose of processing
Provider will process Personal Data for the purposes of providing the services to the Customer in accordance with the Agreement.
- Duration of the processing
The duration of the processing under the Agreement is determined by the Customer and as set forth in the Agreement.
- Subject-matter of processing
- Types of personal data
Data relating to individuals processed by Provider in order to provide services under the Agreement, including of the Customer’s personnel and customers, including but not limited to the following:
- First and last name
- Mailing address
- Bank account information
- Categories of data subject
- Fund employees, managers and investors