EisnerAmper Sub-Processor Data Protection Addendum

This Data Protection Addendum (Addendum) supplements the Engagement Agreement (Agreement) entered into between any EisnerAmper entity acting as a Processor of Customer Data (EA) and the vendor identified in the applicable Agreement (Sub-Processor).

The parties wish to include provision for the requirements of the Cayman Islands Data Protection Law, 2017 (Law 33 of 2017) and the Data Protection Regulations 2018 (SL 17 of 2019) (“DPL”) in the Agreement. When providing services to EA, the Sub-Processor will potentially have access to or process personal data of EA’s customers who are data subjects in the Cayman Islands (such customer being data controllers under the DPL). In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an Addendum to the Agreement.

Unless otherwise expressly provided, when the services require the parties to collect or process Personal Data (1) within or from the Cayman Islands or (2) belonging to a data subject in the Cayman Islands, you as our Sub-Processor, agree to the terms of this Addendum with regard to the processing of that Personal Data.  This Addendum does not apply to data collected from any other jurisdiction. 

The terms set out in this Addendum took effect from 30 September 2019.  In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall supersede the Agreement. 

DEFINITIONS

Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
Data Controller has the meaning given in applicable Data Protection Laws from time to time.
Data Processor has the meaning given in applicable Data Protection Laws from time to time.
Data Protection Laws means, as binding on either party or the services provided under the Agreement:

  1. the DPL;
  2. any laws which implement any such law;
  3. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
  4. any ‘code of practice’ promulgated under section 42 of the DPL; and
  5. any binding decision of the courts and tribunals of the Cayman Islands that relate to the application or interpretation of any of the foregoing.

Data Subject has the meaning given in applicable Data Protection Laws from time to time.
DPL means the Cayman Islands Data Protection Law, 2017 (Law 33 of 2017) and the Data Protection Regulations 2018 (SL 17 of 2019).
Personal Data has the meaning given in applicable Data Protection Laws from time to time.

1. DATA PROTECTION

1.1  Both parties will comply with all applicable requirements of the Data Protection Laws and the Sub-Processor shall not by any act or omission cause EA or the customer for whom the Sub-Processor provides services under the Agreement (Customer) to be in breach of any Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.

1.2  The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Data Controller and both EA and the Sub-Processor are Data Processors. Schedule 1 sets out the scope, nature and purpose of processing by the Sub-Processor, the duration of the processing and the types of Personal Data and categories of Data Subject.

1.3  Without prejudice to the generality of clause 1.1, the Sub-Processor shall, in relation to any Personal Data processed in connection with the performance by the Sub-Processor of its obligations under the Agreement, where applicable:

    1. process that Personal Data only on the written instructions of the Customer (as communicated in writing to the Sub-Processor by EA) unless the Sub-Processor is required by law to process that Personal Data in some other way;
    2. immediately inform EA if the Sub-Processor is requested to take any action which may infringe the DPL;
    3. at all times implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access;
    4. ensure that access to Personal Data is limited to the authorised persons who need to access it to supply the services and that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
    5. provide regular training in security and data protection to any personnel who have access to and/or process Personal Data;
    6. at no cost to EA record and refer all requests and communications received from data subjects or any supervisory authority to EA which relate (or which may relate) to any Personal Data promptly (and in any event within 3 days of receipt) and shall not respond to any without EA’s express written approval and strictly in accordance with EA’s instructions unless and to the extent required by law;
    7. promptly (and in any event within 6 hours) notify EA if it suspects or becomes aware of any suspected, actual or threatened occurrence of any personal data breach in respect of any Personal Data and provide all information EA requires to report the circumstances to a supervisory authority and or the Customer to notify the Data Subjects under Data Protection Laws;
    8. delete or return Personal Data and copies thereof to EA immediately on termination of the Agreement unless required by applicable law to store the Personal Data;
    9. maintain a complete, accurate and up to date record of all categories of processing activities carried out on behalf of EA and make copies available to EA promptly on request; and
    10. promptly make available to EA (at the Sub-Processor’s cost) such information as is required to demonstrate the Sub-Processor’s and EA’s compliance with their respective obligations under this Addendum and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by EA or the Customer for this purpose.

1.4  The Sub-Processor may not transfer Personal Data outside of the Cayman Islands without EA’s prior written consent in each instance.

1.5  The Sub-Processor shall not permit any processing of Personal Data by any agent, subcontractor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Personal Data) without the prior specific written authorisation by EA and the Customer and only then subject to such conditions as EA and the Customer may require.

1.6  The Sub-Processer shall indemnify and keep EA indemnified against:

    1. all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to data subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Sub-Processor of any of its obligations under this Addendum; and
    2. all amounts paid or payable by EA to a third party which would not have been paid or payable if the Sub-Processor’s breach of this Addendum had not occurred.

1.7  The Sub-Processor shall perform all of its obligations under this Addendum at no cost to EA.

1.8  EA may, at any time on not less than 30 days’ notice, revise this Addendum by replacing it with or adding any applicable standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Addendum).

Schedule 1

Processing, Personal Data and Data Subjects

Processing of Personal Data by the Sub-Processor under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subject set out in this Schedule 1.

  1. Processing by Sub-Processor
    1. Subject-matter of processing
      The subject matter of the data collection and processing under this Addendum is the Customer’s Personal Data processed by the Sub-Processor pursuant to the services provided to EA under the Agreement.
    2. Nature and purpose of processing
      The Sub-Processor will collect and process Personal Data for the purposes of providing the services to EA in accordance with the Agreement.
    3. Duration of the processing
      The duration of the contract and processing under the Agreement is determined by EA and the Customer and as set forth in the Agreement.
  2. Types of personal data
    Data relating to data subjects of the Customer collected and processed by the Sub-Processor in order to provide services to EA under the Agreement, including of the Customer’s personnel and customers, including but not limited to the following:
    • First and last name
    • Mailing address
    • Social security number
    • Bank account information
  3. Categories of data subject
    • Individuals for whom EA prepares tax returns
    • Employees, shareholders or investors of EA Customers to which EA provides tax, audit, accounting or advisory services