DPA Agreement

WHEREAS VATGLOBAL and the Company have previously entered into a service agreement (“Service Agreement”) whereby VATGLOBAL would provide VAT compliance services to the Company (“Services”).

1. Data Protection

1.1. In this Agreement, “Data Protection Law” means the General Data Protection Regulation (2016/679) or any legislation amending, superseding or replacing it, and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner. The terms “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” shall be construed in accordance with the meaning set out in the applicable Data Protection Law.

1.2. Each party shall comply with their respective obligations under Data Protection Law as applicable.

1.3. The purpose of the Processing of Personal Data by VATGLOBAL is the performance of the Services under the Service Agreement. VATGLOBAL, shall Process the Personal Data only in accordance with documented instructions from the Company and the legislative requirements asset by the relevant tax authority from time to time including, without limitation, those contained in the Service Agreement, and shall not Process the Personal Data for any purpose other than those expressly authorized in writing by the Company. The Company agrees that VATGLOBAL may use email in order to provide the Services.

1.4. In order for VATGLOBAL to provide the Services set out in the Service Agreement, the Company consents to the use of the following contracted processors (“Subprocessors”): VATIT Processing (Pty) Limited, SalesForce, Zhero Limited, Amazon Web Services, Microsoft, courier service providers, document translation service providers, tax agent service providers, document destruction service providers, document storage providers, software developers and technology service providers necessary in order to provide the Services and already engaged by VATGLOBAL as at the date of this Addendum.

1.5. The Company hereby expressly authorizes the transfer of Personal Data to the VATGLOBAL offices in South Africa and/or China for Processing as and when required to perform the Services. By signing this Agreement the Company agrees to be bound by the terms of the EU Standard Contractual Clauses or any replacement thereof located at https://www.vatglobal.com/standard-contractual-clauses-processors whereby the Company shall be the data exporter and VATGLOBAL the data importer. The governing law shall be the law of the member state in which the data exporter is established. The aforementioned EU Standard Contractual Clauses shall be updated and/or amended from time to time in accordance with any changes to the Data Protection Law and/or any updates to the technical and organisational security measures implemented by the data importer.

1.6. VATGLOBAL and the Company agree and acknowledge that for the purposes of the Data Protection Law, the Company is the Controller and VATGLOBAL is the Processor in respect of any Personal Data processed by or on behalf of VATGLOBAL in the provision of the Services.

1.7. The Company shall own all rights, title and interest in and to all of the Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.

1.8. VATGLOBAL shall, having regard to the state of technological development and the cost of implementing any measures:

1.8.1. take appropriate technical and organisational measures against the unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to the Personal Data (together "Data Breach") to ensure a level of security appropriate to:

1.8.1.1. the harm that might result from a data breach;
1.8.1.2. the nature of the Personal Data to be protected; and
1.8.1.3. take reasonable steps to ensure compliance with those measures.

1.9. VATGLOBAL, shall ensure:

1.9.1. that it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;
1.9.2. that access to Personal Data is limited to:

1.9.2.1. those employees who need access to Personal Data to meet VATGLOBAL’s obligations under the Agreement; and
1.9.2.2. only its employees and/or nominated agents involved with the provision of services and are informed of the confidential nature of the Personal Data and such have signed confidentiality agreements.

1.10. VATGLOBAL, shall implement appropriate technical and organizational measures to assist the Company in responding to:

1.10.1. any request from an individual to exercise any of its rights of Data Protection Law as it relates to the Personal Data processed by VATGLOBAL; and
1.10.2. any other correspondence, inquiry or complaint received from an individual, regulator, court or other third party in connection with the Processing of Personal Data processed by VATGLOBAL in terms of the Service Agreement.

1.11. If VATGLOBAL receives a request from a Data Subject for access to that person's information which was provided by the Company, VATGLOBAL shall:

1.11.1. notify the Company within two (2) business days of receiving such a request;
1.11.2. provide the Company with full co-operation and assistance in relation to any request made by a Data Subject to have access to such Personal Data; and
1.11.3. not disclose such Personal Data to any Data Subject or to a third party (save for the relevant tax authority and/or nominated tax agent) other than at the request of the Company or as provided for in this Agreement.

1.12. VATGLOBAL shall notify the Company immediately (no later than twenty-four (24) hours) if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data.

1.13. At the date of termination of any Services involving the Processing of Personal Data (the "Termination Date"), VATGLOBAL shall at the election of the Company return and/or delete and procure the deletion of all copies of Personal Data. VATGLOBAL, may retain Personal Data to the extent required by applicable laws.

1.14. VATGLOBAL shall, upon request, make available to the Company the necessary documentation to demonstrate compliance with this Agreement. Thereafter, the Company shall be entitled where there is a reasonable suspicion that VATGLOBAL is not complying with its data Processing obligations in terms of this Agreement, to audit the technical and organizational measures implemented by VATGLOBAL. The Company agrees to sign non-disclosure agreements prior to such audit being conducted. The Company shall provide at least five (5) business days written notice of such audit. Where possible such audits will be conducted outside of VATGLOBAL’s deadline periods.

1.15. Save for the Subprocessors set out in clause 1.3 above to this Agreement, VATGLOBAL shall not engage further processors without the prior specific or general written authorisation of the Company.  In the case of general written authorisation, VATGLOBAL shall inform the Company of any intended changes concerning the addition or replacement of other processors, thereby giving the Company the opportunity to object to such changes.

1.16. Any appointed Processor/s shall only process Personal Data in order to perform the Services in terms of the Service Agreement.

1.17. After receiving the prior specific or general written authorisation of the Company and prior to transferring any Personal Data to any Processor/s, VATGLOBAL shall enter into a written agreement with the Subprocessor on terms no less onerous that those set out in this Agreement. Such written agreement to include, but no limited to, requiring additional Subprocessor/s to:

1.17.1 process the Personal Data only in accordance with the written instructions of the Company; and
1.17.2 abide by the obligations imposed on the Processor/s set out in the Agreement.

2. POPIA:

2.1. When effective, reference to the Data Protection Law shall include the Protection of Personal Information Act 4 of 2013 (POPIA). It follows, if required in terms of POPIA, in this agreement references to:

2.1.1. the “controller” shall also mean the “responsible party”;
2.1.2. the “processor” shall also mean“operator”; and
2.1.3.  “personal data” shall also mean “personal information” and the provisions of clause 1.6 shall not apply.

The later definitions shall bear the same meanings as set out in the POPIA.

3. Liability

3.1. VATGLOBAL liability shall be governed by the Data Protection Law.