
Data Protection Addendum

“EisnerAmper” is the brand name under which EisnerAmper LLP and Eisner Advisory Group LLC provide professional services. EisnerAmper LLP and Eisner Advisory Group LLC are independently owned firms that practice in an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. EisnerAmper LLP is a licensed CPA firm that provides attest services, and Eisner Advisory Group LLC and its subsidiary entities provide tax and business consulting services to clients and provide staff and other administrative resources to EisnerAmper LLP. Eisner Advisory Group LLC and EisnerAmper Advisory Cayman Ltd (“EA”) are not licensed CPA firms.

This Data Protection Addendum (“Addendum”) supplements the Engagement Agreement (“Agreement”) entered into between EA and the customer identified in the applicable Agreement (“Customer”).

The parties wish to include provision for the requirements of the Cayman Islands’ Data Protection Act (as revised) and the Data Protection Regulations, 2018 (SL 17 of 2019) (“DPA”) in the Agreement. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an Addendum to the Agreement. 

In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall supersede the Agreement.  

DEFINITIONS AND INTERPRETATION 

“Affiliate” means (from time to time) an entity that owns or controls, is owned or controlled by or is under common control or ownership with EA, EisnerAmper LLP and/or Eisner Advisory Group LLC, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

“Applicable Laws” means any law or regulation applicable to EA, its Affiliates or its Approved Sub-Processors, including the Data Protection Laws.

“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time. 

“Approved Sub-Processor” means each (i) Affiliate; (ii) Existing Sub-Processor; and (iii) New Sub-Processor to the extent that each of (i), (ii) and (iii) meet the conditions set out in Clause 2.

“Customer Data” means any data (including Personal Data) provided to EA or any Approved Sub-Processor by the Customer in connection with the Agreement.

“Data Controller” has the meaning given in applicable Data Protection Laws from time to time. 

“Data Processor” has the meaning given in applicable Data Protection Laws from time to time. 

“Data Protection Laws” means, as binding on either party or the services provided under the Agreement: 

 

i) the DPA; 

ii) any laws which implement any such law; 

iii) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; 

iv) any ‘code of practice’ promulgated under section 42 of DPA; and 

v) any binding decision of the courts and tribunals of the Cayman Islands that relate to the application or interpretation of any of the foregoing. 

 

“Data Subject” has the meaning given in applicable Data Protection Laws from time to time. 

“DPA” means the Cayman Islands’ Data Protection Act (as revised) and the Data Protection Regulations, 2018 (SL 17 of 2019). 

“Existing Sub-Processor(s)” means each Affiliate and each third party to which EA or any such Affiliate has, at the date of the Agreement (i) delegated or outsourced all or part of the services and/or (ii) transferred Customer Data (including Personal Data), in each case pursuant to the terms of the Agreement.

“New Sub-Processor(s)” means any third party, joint venture or Affiliate other than an Existing Sub-Processor to which EA or its Affiliates wishes to delegate the processing of Personal Data pursuant to the Agreement.

“Personal Data” has the meaning given in applicable Data Protection Laws from time to time. 

“Provider” means EA and Approved Sub-Processors.

“Supervisory Authority” means the Cayman Islands Ombudsman and any other local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws from time to time.

In this Addendum: (i) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law and the equivalent terms defined in such Applicable Laws, once in force and applicable; (ii) a reference to a law includes all subordinate legislation made under that law; and (iii) this Addendum shall survive termination (for any reason) or expiry of the Agreement. 

1.  DATA PROTECTION 

1.1  Both parties will comply with all applicable requirements of the Data Protection Laws. This Clause 1 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Laws.

1.2  The parties acknowledge that (save in the circumstances contemplated under Clause 2 below) for the purposes of the Data Protection Laws, the Customer is the Data Controller and Provider is the Data Processor. Schedule 1 sets out the scope, nature and purpose of processing by Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.

1.3  Without prejudice to the generality of Clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Provider for the duration and purposes of this Addendum. The Customer shall ensure all instructions given by it to Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

1.4  Without prejudice to the generality of Clause 1.1, Provider shall, in relation to any Personal Data processed in connection with the performance by Provider of its obligations under the Agreement, where applicable:

i) process that Personal Data only on the written instructions of the Customer unless Provider is required by Applicable Law to process that Personal Data in some other way; 

ii) immediately inform the Customer if Provider is requested to take any action which may infringe the DPA; 

iii) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected; 

iv) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; 

v) assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject pursuant to information rights under Part 2 of the DPA and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 

vi) notify the Customer without undue delay on becoming aware of a Personal Data breach; 

vii) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Law to store the Personal Data; 

viii) maintain complete and accurate records and information to demonstrate its compliance with the Data Protection Laws and to assist with any further information required to ensure that both parties meet their obligations under the DPA; and 

ix) permit audits by the Customer or the Customer’s designated auditor, subject to a maximum of one audit request in any 12 month period, at Customer’s cost. 

1.5  The Customer: 

1.5.1  instructs and grants a general written authorisation for Provider to process Personal Data and to transfer Personal Data to any country or territory (either inside or outside of the Cayman Islands and/or the European Economic Area) as reasonably necessary for the provision of the services and consistent with the Agreement;  

1.5.2  warrants and represents that it is and will at all times (i) remain duly and effectively authorised to give the instruction set out in Clause 1.5.1 and (ii) have in place all fair processing notices and (where applicable) consent mechanisms for Data Subjects sufficient to ensure that all processing of Personal Data envisaged by this Addendum and the Agreement will be lawful.

1.6  The Customer authorises EA to transfer Personal Data to its Affiliates and to its Approved Sub-Processors located within or outside of the Cayman Islands. The Customer acknowledges that Provider’s primary processing facilities are based in the United States of America. The Customer agrees that Provider may transfer Personal Data outside of the Cayman Islands to countries which do not provide an adequate level of protection for Personal Data according to the Supervisory Authority in the Cayman Islands, provided all such transfers by Provider of Personal Data outside of the Cayman Islands (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards (such as the European Commission’s standard contractual clauses) and in accordance with Data Protection Laws. 

2. APPROVED SUB-PROCESSORS  

2.1  The Customer consents to EA using its Existing Sub-Processors and EA shall procure that the arrangement between it and each of its Existing Sub-Processors has the same level of protection for Personal Data as set out in this Addendum and which meet the requirements of the DPA.

2.2  Customer provides a general authorisation for Provider to appoint New Sub-Processors as third-party processors of Personal Data under the Agreement in accordance with this Clause. Provider shall give the Customer prior notice of the appointment of any New Sub-Processor, including details of the processing of Personal Data to be undertaken by such New Sub-Processor and provide the Customer with the opportunity to make reasonable objections to such changes on legitimate grounds. 

2.3  Each New Sub-Processor shall become an Approved Sub-Processor on the completion of:  

2.3.1  Provider providing notice to the Customer as envisaged by Clause 2.2 above; and

2.3.2  satisfaction of Clause 2.4 below in respect of that New Sub-Processor.

2.4  With respect to each New Sub-Processor, Provider shall ensure that at least the same level of protection for Personal Data is provided as those set out in this Addendum and which meet the requirements of the DPA.

2.5  As between the Customer and EA, EA shall remain fully liable for all acts or omissions of any Approved Sub-Processor. The list of Approved Sub-Processors used by EA will be provided upon request.  

3.  PROVIDER AS CONTROLLER 

3.1  Notwithstanding any other Clause in this Addendum, the parties agree that, where Provider determines the means or purpose of processing Customer Data, Provider shall be acting as a Data Controller in relation to the Customer Data and not as a Data Processor.  

3.2  Where Provider acts as Data Controller in relation to Customer Data, it shall comply with all applicable Data Protection Laws. 

3.3  For the avoidance of doubt, the parties acknowledge that Provider acts as a Data Controller when it is conducting activity required to comply with: 

3.3.1  Applicable Laws (such as but not limited to conducting checks for anti-money laundering purposes and conducting sanctions screening, in each case which Provider is required to conduct under applicable laws, regulation or internal policies); and 

3.3.2  any request made by any financial services regulator or other public authority or governmental body having jurisdiction over Provider.   

3.4  Where Provider acts as a Data Controller, EA shall provide the Customer with a fair processing notice to facilitate the Customer providing a fair processing notice to the relevant underlying Data Subjects and the Customer shall provide such assistance as Provider requires in complying with Applicable Laws. 

4.  GENERAL TERMS 

4.1  Provider may, at any time on not less than 30 days’ notice, revise the Clauses in this Addendum by replacing them with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Addendum).

4.2  The parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum in relation to the processing of Personal Data pursuant to the Agreement. 

4.3  This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated in the Agreement. 

 

5.  SCHEDULE 1 

6.  Processing, Personal Data and Data Subjects 

Processing of Personal Data by Provider under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subject set out in this Schedule 1. 

 

 1.  PROCESSING BY PROVIDER 

6.1  Subject-matter of processing 

The subject matter of the data processing under this Addendum is the Customer Personal Data processed by Provider pursuant to the services provided to the Customer under the Agreement. 

6.2  Nature and purpose of processing 

Provider will process Personal Data for the purposes of providing the services to the Customer in accordance with the Agreement PROVIDED THAT the parties agree that Provider may retain Personal Data to the extent required by and for such period as required by Applicable Laws. 

6.3  Duration of the processing 

Subject to Clause 3 (Provider as Controller), the duration of the processing under the Agreement is determined by the Customer and as set forth in the Agreement.

2.  TYPES OF PERSONAL DATA 

Data relating to individuals processed by Provider in order to provide services under the Agreement, including of the Customer’s personnel and customers, including but not limited to the following: 

1. First and last name
2. Mailing address
3. Bank account information 

3.  CATEGORIES OF DATA SUBJECT 

4. Fund employees, managers and investors