Data Processing Agreement
FINBOURNE Data Processing Agreement
Last updated: 10 October 2024
This Data Processing Agreement is between FINBOURNE TECHNOLOGY LIMITED (a company registered in England and Wales, with number 10539696 whose registered office is at 1 Carter Lane, London, EC4V 5ER, UK (“FINBOURNE) and the entity or person who has agreed to evaluate or subscribe to FINBOURNE Services under an Agreement (“Customer”).
The parties have entered into an agreement for the use of FINBOURNE Technology services (“Agreement”) and this Data Processing Agreement (“DPA”) is an addendum to that Agreement. To the extent that FINBOURNE processes personal data under the Agreement, such processing shall be subject to the terms of this DPA.
1. Definitions
For the purposes of this DPA, the following definitions apply: “Customer Data” has the meaning given to it in the Agreement.
“Data Protection Laws” means applicable data protection and privacy legislation, including the Data Protection Act 2018; the GDPR; the GDPR as adopted into UK law (“UK GDPR”); and any associated regulations or instruments and any other data protection laws, regulations and codes of practice applicable to FINBOURNE’s provision of the Services;
“EEA” means the European Economic Area;
“EU Standard Contractual Clauses” means the agreement in the form annexed to the European Commission’s decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries or such alternative clauses as may be approved by the EU Commission from time to time;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Services” means the services provided by FINBOURNE under the Agreement.
“Sub-processor” means any person appointed by or on behalf of FINBOURNE to process personal data on its behalf in connection with the Agreement;
“Standard Contractual Clauses” means the agreement in the form annexed to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries or such alternative clauses as may be approved by the UK from time to time;
The terms, “controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processor”, “processing” and “Supervisory Authority” shall have the same meaning as in the Data Protection Act 2018.
Any terms defined in the Agreement and used in this DPA shall have the same meaning in this DPA as given to them in the Agreement.
2. General
In order to comply with its obligations under the Agreement, FINBOURNE is required to process personal data belonging to Customer. The processing shall be for the duration of the Agreement (except as otherwise agreed). The types of personal data to be processed are those set out in the Agreement and the categories of data subject are Customer’s end users and clients.
This DPA forms part of the Agreement and in the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail. Notwithstanding the preceding sentence, in the event of a conflict between this DPA and the EU Standard Contractual Clauses or the Standard Contractual Clauses, the EU Standard Contractual Clauses or Standard Contractual Clauses (as applicable) shall prevail.
Customer and FINBOURNE agree that Customer is the controller and FINBOURNE shall be the processor in relation to any personal data contained within the Customer Data; except where Customer is, itself, a data processor in which case FINBOURNE shall be a sub-processor to the Customer. The Customer acknowledges its obligation as a controller to procure that personal data shall be processed only if the purpose of such processing cannot reasonably be fulfilled by any other means.
The parties shall comply with their obligations under Data Protection Laws in respect of Customer Data to the extent that it comprises personal data. Customer shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Data to FINBOURNE for the duration and purposes of the Agreement.
In the event of termination or expiry of the Agreement, FINBOURNE shall promptly and securely at the choice of the Customer either return or delete or destroy all customer data (except for any personal data which the Data Protection Laws require to be stored).
Customer may request deletion of all personal data at any time except for any personal data that the Data Protection Laws require to be stored and except to the extent that deletion may adversely affect FINBOURNE’s performance of its obligations or the exercising of its rights under the Agreement.
This DPA shall be effective from the Effective Date of the Agreement and shall terminate automatically on the expiry or termination of the Agreement.
3. Data processing
FINBOURNE shall only process personal data for the purposes of providing the Services.
FINBOURNE shall only process personal data in accordance with the documented instructions of Customer unless FINBOURNE is required to process such personal data by any applicable laws to which FINBOURNE is subject. Customer shall ensure that all instructions (including the provision of instructions via configuration tools and APIs made available for the Service) comply with the Data Protection Laws.
FINBOURNE shall not be required to comply with the instructions of the Customer if doing so would infringe or potentially infringe any laws. FINBOURNE shall inform Customer promptly if it believes that any instruction provided by Customer infringes the Data Protection Laws or other European Union or Member State data protection provisions.
Additional instructions outside the scope of the documented instructions require prior written agreement between the parties and may result in additional fees payable by the Customer.
FINBOURNE may notify any relevant Supervisory Authority of any circumstance that has arisen in relation the processing of personal data, but only to the extent that it (acting reasonably and in good faith) believes that this is necessary in order to comply with Data Protection Laws.
FINBOURNE shall ensure that access to Customer Data is strictly limited to those entities and individuals who need to know / access the relevant Customer Data and that all personnel who have access to and/or process Customer Data are obliged to keep it confidential.
4. Security
FINBOURNE shall maintain appropriate technical and organisational security measures to safeguard all personal data against unauthorised or unlawful processing and against accidental loss, disclosure or destruction of, or damage to, that personal data as required by the Data Protection Laws.
FINBOURNE shall ensure that the security measures to be taken are appropriate having regard to:
the nature of the personal data and the scope, context and purposes of the processing and the likelihood and severity of the risks to data subjects that are presented by the processing of such personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed; and
the state of technological development and the cost of implementing such measures.
Details of FINBOURNE’s security measures can be found at www.finbourne.com/security
5. Record Keeping and Audits
FINBOURNE shall maintain a record of its processing activities which relate to the Agreement in accordance with the requirements of Article 30(2) of the GDPR and shall make available to Customer on request all information necessary to demonstrate compliance with this DPA.
At any time upon request, and in any event upon termination or expiry of the Agreement, (unless Customer agrees otherwise) FINBOURNE will provide the Customer with a copy of the record of processing activities which relate to the Agreement.
FINBOURNE shall permit Customer (or its third party auditor) not more than once in any 12 month period or at any other time if required by a regulatory authority, to audit its compliance with this DPA on giving reasonable notice in advance to FINBOURNE, provided that any third party auditor mandated by Customer to conduct such audit has entered into confidentiality undertakings which are satisfactory to FINBOURNE, such an audit is conducted during normal business hours and the Customer uses its reasonable endeavours to ensure that any such audit is designed to minimise disruption to FINBOURNE’s business.
6. International Transfers
FINBOURNE may transfer and otherwise process personal data outside the EEA or the UK, including by any Sub-Processor; provided that such transfer is made in compliance with applicable Data Protection Laws, including, if applicable, EU Standard Contractual Clauses, Standard Contractual Clauses or a European Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC or Article 45 of the GDPR.
If and to the extent the United Kingdom loses its adequacy decision under Article 45 of the GDPR and transfers of personal data from the EEA to the United Kingdom become restricted transfers under the GDPR, then any such transfers of personal data from the Customer to FINBOURNE shall be through the EU Standard Contractual Clauses. To the extent of any inconsistency or conflict between (a) the EU Standard Contractual Clauses, (b) the provisions of this Data Processing Agreement and (c) the Agreement (with the exclusion of this Data Processing Agreement), precedence shall be given in the following order: (a) the EU Standard Contractual Clauses (provided such terms are applicable to the transfer of the relevant personal data), (b) the provisions of this Data Processing Agreement and (c) the Agreement (with the exclusion of this Data Processing Agreement).
7. Sub-processing
Customer agrees that FINBOURNE may use sub-processors to process personal data on its behalf in connection with the Agreement. The FINBOURNE (www.FINBOURNE.com) and LUSID (www.LUSID.com) websites list Sub-processors that are currently engaged by FINBOURNE to carry out processing activities on Customer Data. In the event that FINBOURNE wishes to appoint additional or replacement Sub-processors during the term of the Agreement, FINBOURNE will update the applicable website and provide a mechanism for Customer, upon request, to obtain a notification of that update. Details of this process are set out at https://www.finbourne.com/legal/subprocessor
Customer has the right to object to new sub-processors by notifying FINBOURNE in writing within 30 days after receipt of FINBOURNE’s notification as outlined in the process set out at https://www.finbourne.com/legal/subprocessor . If Customer objects to a new sub-processor and that objection is deemed to be reasonable, at FINBOURNE’s sole discretion, FINBOURNE will make reasonable endeavours to process Customer Data without using the new sub-processor. If FINBOURNE is not able to make the relevant changes to the Service within 30 days of receipt of the Customer’s objection, then Customer may terminate the applicable subscription with respect to only those features with the Service which cannot be provided without the new sub-processor.
To request termination, please provide a written notice and send to the following address:
FINBOURNE Technology Limited
1 Carter Lane
London
EC4V 5ER
UK
FINBOURNE shall ensure that any of its sub-processors are subject to binding contractual obligations on terms which reflect the obligations which Customer would be obliged to impose on such Sub-processor pursuant to the Data Protection Laws if the Sub-processor were a direct processor of the personal data. FINBOURNE shall ensure that the sub-processors comply with those obligations.
Except as set out above, or as Customer may otherwise authorise, FINBOURNE will not permit any sub-processor to carry out processing activities on Customer Data.
8. Data Subject Rights and Assistance
FINBOURNE shall provide reasonable assistance, as requested by Customer, from time to time in undertaking any data protection impact assessments and consultation with a Supervisory Authority that the Customer may reasonably decide to undertake.
FINBOURNE shall, as far as is reasonably practicable, taking into account the nature of the personal data and FINBOURNE’s obligations under the Agreement, co-operate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a data subject under the Data Protection Laws or to comply with any assessment, enquiry, notice or investigation required to be carried out by Customer or which is required by or carried out by a Supervisory Authority, in each case under the Data Protections Laws.
FINBOURNE may charge Customer for any costs incurred by FINBOURNE in complying with these obligations.
9. Breach Notification
FINBOURNE shall notify Customer without undue delay upon FINBOURNE becoming aware of a personal data breach affecting Customer Data and shall provide Customer with sufficient information to allow Customer to meet any obligations to report or inform applicable data protection authorities and data subjects of the personal data breach under the Data Protection Laws.
In the event of a personal data breach which occurs in connection with this Agreement and affects Customer Data, FINBOURNE shall reasonably co-operate with Customer and take reasonable steps as are directed by Customer to assist the Customer in investigating the personal data breach.
10. Termination
This DPA shall terminate when the Agreement terminates and FINBOURNE ceases to process Customer Data on behalf of the Customer, unless otherwise agreed by the parties in writing.