VATGlobal and the client (“the Client”) have previously entered into a service agreement (“Service Agreement”) whereby VATGlobal will provide VAT compliance/registration/consulting services to the Client (“Services”). VATGlobal will utilize the services of the Processing Centre when providing the Services.
1. Data protection
1.1 In this Agreement, “Data Protection Law” means the Data Protection Act 1998 or any legislation amending, superseding or replacing it (including the General Data Protection Regulation), and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner. The terms “controller”, “data subject”, “personal data”, “processor” and “process” shall be construed in accordance with the meaning set out in the applicable Data Protection Law.
1.2 Each party shall comply with their respective obligations under Data Protection Law as applicable.
1.3 In order to enable VATGlobal to fulfil its obligations in terms of the Service Agreement, VATGlobal shall be entitled to sub-contract the processing of Personal Data to the Processing Centre, which is ISO27001 certified. The Client hereby expressly authorises the transfer of Personal Data to the Processing Centre in South Africa for processing as and when required to perform the Services. By signing this Agreement the Client and the Processing Centre agree to be bound by the terms of the standard model clauses or any replacement thereof located here whereby the Client shall be the data exporter and the Processing Centre the data importer. The governing law shall be the law of the member state in which the data exporter is established. The aforementioned standard model clauses shall be updated and/or amended from time to time in accordance with any changes to the Data Protection Law and/or any updates to the technical and organisational security measures implemented by the data importer.
1.4 VATGlobal, the Processing Centre and the Client agree and acknowledge that for the purposes of the Data Protection Law, the Client is the Controller and VATGlobal and the Processing Centre are Processors in respect of any Personal Data processed by or on behalf of VATGlobal in the provision of the Services.
1.5 The Client shall own all rights, title and interest in and to all of the Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.
1.6 VATGlobal and the Processing Centre shall Process the Personal Data only in accordance with the Client's written instructions from time to time (including, without limitation, those contained in the Service Agreement), and shall not Process the Personal Data for any purpose other than those expressly authorised by the Client. The Client agrees that VATGlobal may use e-mail in order to provide the Services.
1.7 VATGlobal and the Processing Centre shall, having regard to the state of technological development and the cost of implementing any measures:
a. take appropriate technical and organisational measures against the unauthorised or unlawful processing of the Personal Data and against the accidental loss or destruction of, or damage to the Personal Data (together "data breach") to ensure a level of security appropriate to:
i. the harm that might result from a data breach; and
ii. the nature of the Personal Data to be protected; and
b. take reasonable steps to ensure compliance with those measures.
1.8 VATGlobal and the Processing Centre shall ensure:
a. that it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;
b. that access to Personal Data is limited to:
i. those employees who need access to Personal Data to meet VATGlobal’s obligations under this Agreement.
c. that all of its employees involved with the Services:
i. are informed of the confidential nature of the Personal Data;
ii. have signed confidentiality agreements.
1.9 VATGlobal and the Processing Centre shall implement appropriate technical and organizational measures to assist the Client in responding to:
a. any request from an individual to exercise any of its rights of Data Protection Law as it relates to the Personal Data processed by VATGlobal and/or the Processing Centre; and
b. any other correspondence, inquiry or complaint received from an individual, regulator, court or other third party in connection with the processing of Personal Data processed by VATGlobal and/or the Processing Centre in terms of the Service Agreement.
1.10 If VATGlobal and/or the Processing Centre receives a request from a Data Subject for access to that person's information which was provided by the Client, VATGlobal shall:
a. notify the Client within 2 business days of receiving such a request;
b. provide the Client with full co-operation and assistance in relation to any request made by a Data Subject to have access to such Personal Data; and
c. not disclose such Personal Data to any Data Subject or to a third party other than at the request of the Client or as provided for in this Agreement.
1.11 VATGlobal shall notify the Client immediately (no later than 24 hours) if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of the Personal Data.
1.12 VATGlobal and/or the Processing Centre at the date of cessation of any Services involving the Processing of Personal Data (the "Cessation Date"), shall at the election of the Client return and/or delete and procure the deletion of all copies of Personal Data. VATGlobal and/or the Processing Centre may retain Personal Data to the extent required by applicable laws.
1.13 VATGlobal and/or the Processing Centre shall, on request, make available to the Client the necessary documentation to demonstrate compliance with this Agreement. Thereafter, the Client shall be entitled where there is a reasonable suspicion that VATGlobal and/or the Processing Centre is not complying with its data processing obligations in terms of this Agreement, to audit the technical and organizational measures implemented by VATGlobal and/or the Processing Centre. The Client agrees to sign non-disclosure agreements prior to such audit being conducted. The Client shall provide at least 5 business days' written notice of such audit. Where possible such audits will be conducted outside of VATGlobal’s deadline periods.
1.14 In order for VATGlobal and/or the Processing Centre to provide the Services the Client consents to the use of the services of the following processors: SalesForce, Zhero, AWS, DocuSign, Microsoft, courier service providers, penetration test providers, document destruction service providers, document storage providers necessary in order to provide the Services.
1.15 Save for the processors set out in clause 1.15 above to this Agreement, VATGlobal shall not engage further processors without the prior specific or general written authorisation of the Client. In the case of general written authorisation, VATGlobal shall inform the Client of any intended changes concerning the addition or replacement of other processors, thereby giving the Client the opportunity to object to such changes.
1.16 Any appointed processors shall only process Personal Data in order to perform the Services in terms of the Service Agreement.
1.17 After receiving the prior specific or general written authorisation of the Client and prior to transferring any Personal Data to any processors, VATGlobal and/or the Processing Centre shall enter into a written agreement with the processor on terms no less onerous than those set out in this Agreement. Such written agreement to include, but not be limited to, requiring the additional processors to:
a. process the Personal Data only in accordance with the written instructions of the Data Processor; and
b. abide by the obligations imposed on the Processor/s set out in this Agreement; and
c. allow the Client the right to audit the additional processor.
1.18 VATGlobal shall impose data protection terms at least as strict as those set forth herein on any processor it appoints to process the Client’s Personal Data.
2.1 When effective, reference to the Data Protection Law shall include the Protection of Personal Information Act 4 of 2013 (POPIA). It follows, if required in terms of POPIA, in this agreement references to:
a. the “controller” shall also mean the “responsible party”;
b. the “processor” shall also mean “operator”; and
c. “personal data” shall also mean “personal information”;
The latter definitions shall bear the same meanings as set out in the POPIA.
3.1 VATGlobal and the Processing Centre’s liability shall be governed by the Data Protection Law.