WTax and the Client have previously entered/will enter into a service agreement (“Service Agreement”) whereby WTax will provide services as set out in the Service Agreement to the Client (“Services”).
Data protection
- In this Agreement, “Data Protection Law” means the General Data Protection Regulation (2016/679), Swiss Federal Data Protection Act and its ordinance or any legislation amending, superseding or replacing it, and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner and/or any other applicable and regional data protection law. The terms “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” shall be construed in accordance with the meaning set out in the applicable Data Protection Law.
- Each party shall comply with their respective obligations under Data Protection Law as applicable.
- The purpose of the Processing of Personal Data by WTax is the performance of the Services under the Service Agreement.
- In order to enable WTax to fulfil its obligations in terms of the Service Agreement, WTax shall be entitled to utilise its ISO27001 certified processing office. The Client hereby expressly authorises the transfer of Personal Data to the processing office in South Africa for Processing as and when required to perform the Services. By signing this Agreement, when applicable, the Client and WTax agree to be bound by the terms of the EU Standard Contractual Clauses or any replacement thereof located at Standard Contractual Clauses Processors whereby the Client shall be the data exporter and WTax the data importer. The governing law shall be law of the member state in which the data exporter is established. The aforementioned EU Standard Contractual Clauses shall be updated and/or amended from time to time in accordance with any changes to the Data Protection Law and/or any updates to the technical and organisational security measures implemented by the data importer.
- WTax and the Client agree and acknowledge that for the purposes of the Data Protection Law, the Client is the Controller and WTax is the Processor in respect of any Personal Data processed by or on behalf of WTax in the provision of the Services.
- The Client shall own all rights, title and interest in and to all of the Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.
- In most cases, while performing the Services, WTax will not process Personal Data. WTax will only process Personal Data where it is present on documents need for the Services.
- WTax shall process the Personal Data only in accordance with the Client’s written instructions from time to time (including, without limitation, those contained in the Service Agreement), and shall not process the Personal Data for any purpose other than those expressly authorised by the Client. The Client agrees that WTax may use e-mail in order to provide the Services.
- Should the Client be a financial intermediary, then it shall be the financial intermediary’s obligation and responsibility to ensure that they have informed and obtained the necessary informed consent from their own clients whose information may be needed in order to provide the Services. Proof shall be furnished of compliance to this clause to WTax upon request.
- WTax shall, having regard to the state of technological development and the cost of implementing any measures:
- take appropriate technical and organisational measures against the unauthorised or unlawful Processing of the Personal Data and against the accidental loss or destruction of, or damage to the Personal Data (together “data breach”) to ensure a level of security appropriate to:
- the harm that might result from a data breach; and
- the nature of the Personal Data to be protected; and
- take reasonable steps to ensure compliance with those measures.
- take appropriate technical and organisational measures against the unauthorised or unlawful Processing of the Personal Data and against the accidental loss or destruction of, or damage to the Personal Data (together “data breach”) to ensure a level of security appropriate to:
- WTax shall ensure:
- that it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;
- that access to Personal Data is limited to:
- those employees who need access Personal Data to meet WTax’s obligations under this Agreement.
- that all of its employees involved with the Services:
- are informed of the confidential nature of the Personal Data;
- have signed confidentiality agreements.
- WTax shall implement appropriate technical and organizational measures to assist the Client in responding to:
- any request from an individual to exercise any of its rights of Data Protection Law as it relates to the Personal Data processed by WTax; and
- any other correspondence, inquiry or complaint received from an individual, regulator, court or other third party in connection with the Processing of Personal Data processed by WTax in terms of the Service Agreement.
- If WTax receives a request from a Data Subject for access to that person’s information which was provided by the Client, WTax shall:
- notify the Client within 2 (two) business days of receiving such a request;
- provide the Client with full co-operation and assistance in relation to any request made by a Data Subject to have access to such Personal Data; and
- not disclose such Personal Data to any Data Subject or to a third party other than at the request of the Client or as provided for in this Agreement.
- WTax shall notify the Client immediately [no later than 24 (twenty-four) hours] if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data.
- WTax, at the date of cessation of any Services involving the Processing of Personal Data, shall at the election of the Client return and/or delete and procure the deletion of all copies of Personal Data. WTax may retain Personal Data to the extent required by applicable laws.
- WTax shall, on request, make available to the Client the necessary documentation to demonstrate compliance with this Agreement. Thereafter, the Client shall be entitled where there is a reasonable suspicion that WTax is not complying with its data Processing obligations in terms of this Agreement, to audit the technical and organizational measures implemented by WTax. The Client agrees to sign non-disclosure agreements prior to such audit being conducted. The Client shall provide at least 5 (five) business days written notice of such audit. Where possible such audits will be conducted outside of WTax’s deadline periods.
- In order for WTax to provide the Services the Client consents to the use of the services of the following ancillary Processors: SalesForce, AWS, translation service providers, VAT and/or Tax agent service providers, and technology service providers necessary in order to provide the Services.
- Save for the Processors set out in clause 1.17 above to this Agreement, WTax shall not engage further Processor/s without the prior specific or general written authorisation of the Client. In the case of general written authorisation, WTax shall inform the Client of any intended changes concerning the addition or replacement of other Processor/s, thereby giving the Client the opportunity to object to such changes.
- Any appointed Processor/s shall only process Personal Data in order to perform the Services in terms of the Service Agreement.
- After receiving the prior specific or general written authorisation of the Client and prior to transferring any Personal Data to any Processor/s, WTax shall enter into a written agreement with the Processor on terms no less onerous than those set out in this Agreement. Such written agreement to include, but not be limited to, requiring the additional Processor/s to:
- process the Personal Data only in accordance with the written instructions of the Data Processor; and
- abide by the obligations imposed on the Processor/s set out in this Agreement; and
- allow the Client the right to audit the additional Processor.
- WTax shall impose data protection terms at least as strict as those set forth herein on any Processor it appoints to process the Client’s Personal Data.
Liability
WTax’s liability shall be governed by the Data Protection Law.