DPA Agreement

WHEREAS

VATGlobal and the Company have previously entered into a service agreement ("Service Agreement") whereby VATGlobal shall provide registration, compliance and/or consulting services to the client.


1.      Data protection

1.1   In this agreement, "Data Protection Law" means the Data Protection Act 2018 or any legislation amending, superseding or replacing it (including the General Data Protection Regulation), and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner. The terms "Controller", "Data Subject", "Personal Data", "Processing" and "Processor" shall be construed in accordance with the meaning set out in the applicable Data Protection Law.

1.2   Each party shall comply with their respective obligations under Data Protection Law as applicable.

1.3   In order for VATGLOBAL to provide the services set out in the Service Agreement, the Company consents to the use of the following ancillary Processors: VATIT Processing (Pty) Limited, SalesForce, Zhero Limited, Amazon Web Services, Google Cloud, Microsoft, DocuSign, courier service providers, penetration test providers, translation service providers, tax agent service providers, document destruction service providers, document storage providers, software developers and technology service providers necessary in order to provide the services (together the "Third-Party Service Providers").

1.4   In addition to clause 1.3 above, so as to enable VATGLOBAL to fully fulfill its obligations in terms of the Service Agreement, VATGLOBAL shall be entitled to, where necessary, sub-contract the Processing of Personal Data to any Third-Party Service Provider. By signing the Service Agreement the Company agrees to be bound by the terms of the standard model clauses or any replacement thereof located at http://www.vatglobal.com/standard-contractual-clauses-processors whereby the Company shall be the data exporter and the Service Provider the data importer. The governing law shall be updated and/or amended from time to time in accordance with any changes to the Data Protection Law and/or any updates to the technical and organisational security measures implemented by the data importer.

1.5  VATGLOBAL and the Company agree and acknowledge that for the purposes of the Data Protection Law, the Company is the Controller and VATGLOBAL is the Processor in respect of any Personal Data processed by or on behalf of VATGLOBAL in the provision of the Services.


1.6  The Company shall own all rights, title and interest in and to all of the Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.
            
1.7   VATGLOBAL shall Process the Personal Data only in accordance with the legislative requirements as set by the relevant tax authority from time to time including, without limitation, those contained in the Service Agreement, and shall not Process the Personal Data for any purpose other than those expressly authorized by the Company. The Company agrees that VATGLOBAL may use e-mail in order to provide the Services.

1.8.   VATGLOBAL shall, having regard to the state of technological development and the cost of implementing any measures:
                
1.8.1. take appropriate technical and organisational measures against the unauthorised or unlawful Processing of the Personal Data (together "data breach") to ensure a level of security appropriate to: 
               1.8.1.1.  the harm that might result from a data breach;
               1.8.1.2.  the nature of the Personal Data to be protected; and
               1.8.1.3.  take reasonable steps to ensure compliance with those measures.

1.9.  VATGLOBAL shall ensure:

1.9.1. that it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;
1.9.2. that access to Personal Data is limited to:

            1.9.2.1. those employees who need access to Personal Data to meet VATGLOBAL's obligations under the Agreement; and
            1.9.2.2. only its employees and/or nominated agents who are involved with the provision of services, are informed of the confidential nature of the Personal Data and have signed confidentiality agreements.

1.10.  VATGLOBAL shall implement appropriate technical and organisational measures to assist the Company in responding to:

1.10.1. any request from an individual to exercise any of its rights under Data Protection Law as it relates to the Personal Data processed by VATGLOBAL; and
1.10.2. any other correspondence, inquiry or complaint received from an individual, regulator, court or other third party in connection with the Processing of Personal Data processed by VATGLOBAL in terms of the Service Agreement.

               
1.11. If VATGLOBAL receives a request from a Data Subject for access to that person's information which was provided by the Company, VATGLOBAL shall:

1.11.1.  notify the Company within 2 business days of receiving such a request;
1.11.2.  provide the Company with full co-operation and assistance in relation to any request made by a Data Subject to have access to such Personal Data; and
1.11.3.  not disclose such Personal Data to any Data Subject or to a third party (save for the relevant tax authority and/or nominated tax agent) other than at the request of the Company or as provided for in this agreement.


1.12.  VATGLOBAL shall notify the Company immediately (no later than 24 hours) if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of Personal Data.


1.13. VATGLOBAL shall, at the date of cessation of any Services involving the Processing of Personal Data (the "Cessation Date"), at the election of the Company return and/or delete and procure the deletion of all copies of Personal Data. VATGLOBAL may retain Personal Data to the extent required by applicable laws.


1.14.  Save for the Processors set out in clause 1.3 above to this Agreement, VATGLOBAL shall not engage further processors without the prior specific or general written authorisation of the Company. In the case of general written authorisation, VATGLOBAL shall inform the Company of any intended changes concerning the addition or replacement of other processors, thereby giving the Company the opportunity to object to such changes.


1.15.  Any appointed Processor/s shall only process Personal Data in order to perform the Services in terms of the Service Agreement.


2.     Marketing

2.1.  The Company consents to VATGLOBAL sending marketing materials, invitations and industry newsletters to the Company's contact person/s.


3.    POPIA

3.1. When effective, reference to the Data Protection Law shall include the Protection of Personal Information Act 4 of 2013 (POPIA). It follows, if required in terms of POPIA, in this agreement references to:

         3.1.1.  the "controller" shall also mean the "responsible party",
         3.1.2.  the "processor" shall also mean "operator"; and
         3.1.3.  "personal data" shall also mean "personal information" and the provisions of clause 1.7 shall not apply.

          The latter definitions shall bear the same meanings as set out in the POPIA.


4. Liability

4.1.  VATGLOBAL's liability shall be governed by the Data Protection Law.