The parties have entered into an agreement for the use of FINBOURNE Technology services (“Agreement”) and this Data Processing Agreement (“DPA”) is an addendum to that Agreement. To the extent that FINBOURNE processes personal data under the Agreement, such processing shall be subject to the terms of this DPA.
For the purposes of this DPA, the following definitions apply: “Customer Data” has the meaning given to it in the Agreement.
“Data Protection Laws” means the EU General Data Protection Regulation 2016/679, relevant European Union Member State data protection legislation, and any laws implementing such Regulation into domestic law;
“EEA” means the European Economic Area;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Services” means the services provided by FINBOURNE under the Agreement.
“Sub-processor” means any person appointed by or on behalf of FINBOURNE to process personal data on its behalf in connection with the Agreement;
“Standard Contractual Clauses” means the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries;
The terms, “controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processor”, “processing” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws.
Any terms defined in the Agreement and used in this DPA shall have the same meaning in this DPA as given to them in the Agreement.
In order to comply with its obligations under the Agreement, FINBOURNE is required to process personal data belonging to Customer. The processing shall be for the duration of the Agreement (except as otherwise agreed). The types of personal data to be processed are those set out in the Agreement and the categories of data subject are Customer’s end users and clients.
This DPA forms part of the Agreement and in the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail. Notwithstanding the preceding sentence, in the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Customer and FINBOURNE agree that Customer is the controller and FINBOURNE shall be the processor in relation to any personal data contained within the Customer Data; except where Customer is, itself, a data processor in which case FINBOURNE shall be a sub-processor to the Customer.
The parties shall comply with their obligations under Data Protection Laws in respect of Customer Data to the extent that it comprises personal data. Customer shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Data to FINBOURNE for the duration and purposes of the Agreement.
In the event of termination or expiry of the Agreement, FINBOURNE shall promptly and securely at the choice of the Customer either return or delete or destroy all customer data (except for any personal data which the Data Protection Laws require to be stored).
Customer may request deletion of all personal data at any time except for any personal data that the Data Protection Laws require to be stored and except to the extent that deletion may adversely affect FINBOURNE’s performance of its obligations or the exercising of its rights under the Agreement.
This DPA shall be effective from the Effective Date of the Agreement and shall terminate automatically on the expiry or termination of the Agreement.
FINBOURNE shall only process personal data for the purposes of providing the Services.
FINBOURNE shall only process personal data in accordance with the documented instructions of Customer unless required to do so by a Member State of the European Union or the European Union. Customer shall ensure that all instructions (including the provision of instructions via configuration tools and APIs made available for the Service) comply with the Data Protection Laws.
FINBOURNE shall not be required to comply with the instructions of the Customer if doing so would infringe or potentially infringe any laws. FINBOURNE shall inform Customer promptly if it believes that any instruction provided by Customer infringes the Data Protection Laws or other European Union or Member State data protection provisions.
Additional instructions outside the scope of the documented instructions require prior written agreement between the parties and may result in additional fees payable by the Customer.
FINBOURNE may notify any relevant Supervisory Authority of any circumstance that has arisen in relation the processing of personal data, but only to the extent that it (acting reasonably and in good faith) believes that this is necessary in order to comply with Data Protection Laws.
FINBOURNE shall ensure that access to Customer Data is strictly limited to those entities and individuals who need to know / access the relevant Customer Data and that all personnel who have access to and/or process Customer Data are obliged to keep it confidential.
FINBOURNE shall not transfer the personal data outside of the EEA without taking such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws, including without limitation the EU Standard Contractual Clauses or any other valid transfer mechanism in accordance with Articles 45, 46, 47 or where a derogation applies under Article 49 of the GDPR.
FINBOURNE shall maintain appropriate technical and organisational security measures to safeguard all personal data against unauthorised or unlawful processing and against accidental loss, disclosure or destruction of, or damage to, that personal data as required by the Data Protection Laws.
FINBOURNE shall ensure that the security measures to be taken are appropriate having regard to:
Details of FINBOURNE’s security measures can be found at www.finbourne.com/security
FINBOURNE shall maintain a record of its processing activities which relate to the Agreement in accordance with the requirements of Article 30(2) of the GDPR and shall make available to Customer on request all information necessary to demonstrate compliance with this DPA.
At any time upon request, and in any event upon termination or expiry of the Agreement, (unless Customer agrees otherwise) FINBOURNE will provide the Customer with a copy of the record of processing activities which relate to the Agreement.
FINBOURNE shall permit Customer (or its third party auditor) not more than once in any 12 month period or at any other time if required by a regulatory authority, to audit its compliance with this DPA on giving reasonable notice in advance to FINBOURNE, provided that any third party auditor mandated by Customer to conduct such audit has entered into confidentiality undertakings which are satisfactory to FINBOURNE, such an audit is conducted during normal business hours and the Customer uses its reasonable endeavours to ensure that any such audit is designed to minimise disruption to FINBOURNE’s business.
Customer agrees that FINBOURNE may use sub-processors to process personal data on its behalf in connection with the Agreement. The FINBOURNE (www.FINBOURNE.com) and LUSID (www.LUSID.com) websites list Sub-processors that are currently engaged by FINBOURNE to carry out processing activities on Customer Data. In the event that FINBOURNE wishes to appoint additional or replacement Sub-processors during the term of the Agreement, FINBOURNE will update the applicable website and provide a mechanism for Customer, upon request, to obtain a notification of that update. Details of this process are set out at https://www.finbourne.com/legal/subprocessor
Customer has the right to object to new sub-processors by notifying FINBOURNE in writing within [30 days] after receipt of FINBOURNE’s notification as outlined in the process set out at https://www.finbourne.com/legal/subprocessor. If Customer objects to a new sub-processor and that objection is deemed to be reasonable, at FINBOURNE’s sole discretion, FINBOURNE will make reasonable endeavours to process Customer Data without using the new sub-processor. If FINBOURNE is not able to make the relevant changes to the Service within [30 days of receipt of the Customer's objection], then Customer may terminate the applicable subscription with respect to only those features with the Service which cannot be provided without the new sub-processor.
To request termination, please provide a written notice and send to the following address:
FINBOURNE Technology Limited
1 Phipp Street
FINBOURNE shall ensure that any of its sub-processors are subject to binding contractual obligations on terms which reflect the obligations which Customer would be obliged to impose on such Sub-processor pursuant to the Data Protection Laws if the Sub-processor were a direct processor of the personal data. FINBOURNE shall ensure that the sub-processors comply with those obligations.
Except as set out above, or as Customer may otherwise authorise, FINBOURNE will not permit any sub-processor to carry out processing activities on Customer Data.
FINBOURNE shall provide reasonable assistance, as requested by Customer, from time to time in undertaking any data protection impact assessments and consultation with a Supervisory Authority that the Customer may reasonably decide to undertake.
FINBOURNE shall, as far as is reasonably practicable, taking into account the nature of the personal data and FINBOURNE’s obligations under the Agreement, co-operate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a data subject under the Data Protection Laws or to comply with any assessment, enquiry, notice or investigation required to be carried out by Customer or which is required by or carried out by a Supervisory Authority, in each case under the Data Protections Laws.
FINBOURNE may charge Customer for any costs incurred by FINBOURNE in complying with these obligations.
FINBOURNE shall notify Customer without undue delay upon FINBOURNE becoming aware of a personal data breach affecting Customer Data and shall provide Customer with sufficient information to allow Customer to meet any obligations to report or inform applicable data protection authorities and data subjects of the personal data breach under the Data Protection Laws.
In the event of a personal data breach which occurs in connection with this Agreement and affects Customer Data, FINBOURNE shall reasonably co-operate with Customer and take reasonable steps as are directed by Customer to assist the Customer in investigating the personal data breach.
This DPA shall terminate when the Agreement terminates and FINBOURNE ceases to process Customer Data on behalf of the Customer, unless otherwise agreed by the parties in writing.