DEFINITIONS
In these Standard Terms and Conditions, unless the context other requires, the following expressions shall have the following meanings:
“Data Protection Act” means, with effective from 25 May 2018, the Data Protection Acts 1998 – 2018 has been amended or replaced from time to time; “Data Protection Legislation” means with effective from 25 May 2018 the GDPR (as amended or replaced from time to time) and the Data Protection Act.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679, the protection of natural persons with regard to the processing of personal data and on the free movement of such data as may be amended or replaced from time to time. “Personal Data” means any personal data as defined in the GDPR processed by us or by you under our engagement. “Personal Data” shall for the avoidance of doubt include personal data or any partners, directors, officers, employees, secondees, representatives, agents, contractors or you or of us and any of their respective service providers or contractors.
“Personal Data Breach” means a personal data breach as defined in the GDPR.
Safe as is provided in the above definitions terms used in the GDPR shall when used in the Standard Terms and Conditions have the same meaning as in the GDPR.
Data Protection Obligations
Where you or the data controller and we are the data processor:
2.1 You and we acknowledge that a part where otherwise provided under clause
2.4 below, for the purposes of the Data Protection Legislation you (as client) or the data controller of the personal data provided to us or otherwise collected and processed by us on your behalf under this engagement and we are the data processor of such personal data. Both you and we agree to comply with and cause a directors, employees and other representatives, agents and contractors to comply with the applicable Data Protection Legislation in connection with the performance of our respective obligations under this engagement.
2.2 To the extent that we process the personal data on your behalf;
2.2.1 We shall only process the personal data to the extent necessary to comply with our obligations under this engagement and otherwise solely in accordance with your written instructions, unless the processing is required by applicable law to which we are subject in which we shall, to the extent permitted by such law, inform you of our legal requirement before processing the personal data.
2 2.2.2 We shall ensure that all staff and any other persons authorised by us to process the personal data have committed themselves to confidentiality or otherwise under an appropriate statutory obligation of confidentiality.
2.2.3 We shall implement appropriate technical and organisational measures to ensure an appropriate level of security of processing of the personal data protect against accidental or unlawful destruction, loss, alternation or unauthorised disclosure of or access to, such personal data.
2.2.4 Taking into account the nature of the processing undertaken by us, subject to you reimbursing us for all costs reasonably and properly incurred by us in performing our obligations under this clause, we shall provide all reasonable assistance to you in order to enable you to respond to requests from data subjects seeking to exercise their rights under the GDPR in respect of personal data processed by us on your behalf under this engagement.
2.2.5 We shall notify you without undue delay upon becoming aware of a personal data breach and we shall provide you with all relevant information relating to the personal data breach and with all reasonable assistance in the investigation, containment, rectification and notification of personal data breach provided that, to the extent that a personal data breach does not result from a breach by us of our obligations hereunder, you shall reimburse us in full for all costs reasonable and properly incurred by us in performing our obligations pursuant to this clause. For the avoidance of doubt, or the personal data breach is a result of a breach of our obligations hereunder, we shall be responsible for all costs reasonably and properly incurred by us in performing our obligations pursuant to this clause.
2.2.6 To extent applicable, we shall provide advanced written notice of any intention to engage a new processing, in particular using new technologies, which is likely to result in the high risk to the rights and freedoms of data subject whose personal data is processed by us on your behalf under this engagement.
2.2.7 On termination of our engagement or at any other time on your instruction, we shall, acting on your written instructions, either delete all personal data or return all personal data to you and shall delete all existing copies of the personal data held by us, unless we are required under applicable law to retain same. If you fail to provide appropriate written instruction on whether you require us to delete or return all your personal data on termination of our engagement, you shall be deemed to have instructed us to delete all relevant personal data.
2.2.8 Subject to reasonable access arrangements, we shall make available to you all other information necessary to demonstrate our compliance with obligations under this clause and subject to being reimbursed for all reasonably incurred and properly vouch costs incurred by us in permitting same, allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. We shall immediately inform you if in our opinion, an instruction pursuant to this sub clause infringes the GDPR or other data protection provisions set out under the applicable law.
2.2.9 It is hereby agreed between you and us that we may engage another entity to process the personal data on our behalf provided that any such engagement shall respect the conditions set out in the Standard Terms and Conditions for engaging another entity to process the personal data on our behalf and we shall notify you in advance in writing of the identity of any such sub processor and the location of which the sub processor will be processing personal data on your behalf and of any intended changes concerning the additions or replacement of other sub processes so that you are given the opportunity to object to such changes. This hereby further agreed that we shall remain fully liable to you for the performance of such sub processors obligations.
2.3 We shall ensure that if we pass personal data of any of our directors, employees, representatives, agents or contractors to you in order to allow you to pursue your legitimate interests (being the performance of contractual obligations between us underneath this engagement), we shall ensure that we have notified, in a manner compliant with the Data Protection Legislation, the relevant data subjects that their personal data will be disclosed to and processed by you and, where required, obtained all necessary consents from the relevant data subjects, including with respect to the possible transfer (if ever) of their personal data outside of the EEA. Where we are the data controller
2.4 It is hereby acknowledged and agree that we may use personal data received by you or at your instruction for our own purposes, in which case we shall be considered a data controller of such personal data. In such circumstances, we represent and warrant on a continuous basis that:
(i) We shall only process such personal data for the following purposes and on the following lawful grounds: Performance of a contract
(a) For the purposes of opening your file with us and for the purposes of the provision by us of services to you (which may include but is not limited to the provision of taxation advice, registration services, secretarial services and any services covered by a particular engagement).
(b) For the purposes of disclosures to third parties (including but not limit to your service providers auditors, secretaries, regulators, tax authorities, other competent authorities, registers, technology providers, legal advisers engaged by you) in connection with the provision of services to you under our engagement. Compliance with a legal obligation
(c) For the purposes of complying with any legal or regulatory obligations to which we are subject including, but not limited to, anti-money laundering/counter terrorist financing laws.
Legitimate interest
(d) For the purposes of recording, maintaining, storing and using recordings of telephone calls and electronic communications relating to our engagement for any matters relating to our engagement dispute, resolution, record keeping, security and/or training purposes after that.
Consent
(e) For the purposes of sending information about tax matters and updates (e.g. newsletters, bulletins etc), seminars, client entertainment and other services offered by us from time to time, provided that we have obtained the prior consent of the relevant data subjects to the use of their personal data for such purposes.
(ii) Should it be necessary for us to use the personal data for any purposes other than those outlined above, we will notify you and seek your written consent prior to any utilisation of the personal data for such additional purposes.
(iii) We acknowledge and agree that we shall be solely responsible for complying with all obligations imposed on data controllers under the GDPR to which we are subject with respect the processing activities identified in this clause.
(iv) Please note that where personal data is processed for the purposes of legitimate interest, you have the right to object to such processing and we will no longer process the personal data unless it can be demonstrated that there are compelling legitimate grounds for the processing which override our interests, rights and freedoms or for the establishment, exercise or defence of legal claims. General
2.5 Subject to the Data Protection Legislation, the personal data processed by on your behalf shall not be shared with third parties other than those parties designed by you or third parties whose involvement is necessary for us to carry out all or part of the services contemplated under this engagement.
2.6 It is hereby agreed that we may transfer personal data processed by us on your behalf to any affiliated offices outside of the State within the EEA or the United States of America. However, the transfer of personal data will not happen until we have received the appropriate consent with you in order to seek the tax advice required in the other jurisdiction by reference to the specific advice you that you required in respect of our engagement.
2.7 It is hereby agreed that nothing within this agreement shall be relieve us from our own direct responsibilities and liabilities of a data processor and a data controller under the GDPR. It is further agreed that we shall be liable to you for any loss suffered by you as a result of our failing to comply with our obligations as data processor and a date controller under the GDPR or for failing to comply with any of its obligations set out under clauses 2.5 to 2.7.
2.8 You shall ensure if you pass personal data of any of your partners, directors, officers, employees, secondees, affiliates, representatives, agents or contractors to us in order to allow us to perform our engagement, comply with a legal obligation or to pursue our legitimate interest, you shall ensure that you have notified, in the manner complied with the Data Protection legislation, the relevant data subjects that their personal data will disclosed to and processed by us and where required, obtained all necessary consents from the relevant data subjects, including with respect of the possible transfer of their personal data outside the EEA.
3 YOUR DATA PROTECTION RIGHTS
3.1 Please note that you have the following rights under the GDPR. In each case, the exercise of these rights is subject to the provisions of the GDPR:
(i) You have the right of access and the right to amend and rectify your personal data. (ii) You have the right to have any incomplete personal data completed.
(iii) You have a right to lodge a complaint with supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the aligned infringement if you consider the data processing of personal data relating to you carried out by us infringes the GDPR.
(iv) You have the right to be forgotten (right of erasure of personal data).
(v) You have a right to restrict the processing.
(vi) You have a right to data portability.
(vii) You also have the right to object to processing where personal data is being processed for legitimate interest. Where you wish to exercise any of your data protection rights please contact us via the details provided to us as indicated below.
3.2 We will respond to your request to exercise any of the rights under the GDPR in writing, as soon as practical and in any event within one month of the receipt of your request, subject to the provisions of the GDPR. We may request proof of identification to verify your request.
4 FAILURE TO PROVIDE PERSONAL DATA
4.1 The provision of personal data by you is required for us to manage and administer your service and provide you with requested engagement services and so that we may comply with the tax regulatory and legal requirements reference above. Where you fail to provide such personal data in order to comply with any anti-money laundering, counter terrorist financing or other legal requirements, in certain circumstances we may not be 6 able to accept an engagement or may be required to discontinue our business relationship with you.
5 CONTACT US
5.1 If you have any questions please contact our firm at the following e-mail address lisa@kta.ie our GDPR personal data representative.