Data Processing Annexure
1. Data protection
- 1.1 Terms used in this Annexure have the meaning given to them in clause 2 below.
- 1.2 The parties agree that, for Protected Data, the Client shall be the Controller and Evelyn Partners shall be the Processor.
- 1.3 Each party shall comply with DP Laws and its relevant obligations under this Annexure. Evelyn Partners shall procure that any Sub-Processor that has access to Protected Data shall comply with Evelyn Partners’ obligations under this Annexure.
- 1.4 The processing of Protected Data to be carried out by Evelyn Partners under this Annexure will comprise the processing set out in the Schedule (Data Processing Details) as updated from time to time by written agreement of the parties.
- 1.5 Where Evelyn Partners processes Protected Data on behalf of the Client, Evelyn Partners shall (and shall procure that any person acting under its authority who has access to Protected Data):
- 1.5.1 process the Protected Data only on and in accordance with the Client’s documented instructions as set out in this clause and the Schedule (Data Processing Details), (“Processing Instructions”); and
- 1.5.2 immediately inform the Client of any legal requirement under applicable law that would require Evelyn Partners to process the Protected Data otherwise than only on the Processing Instructions, or if any Client instruction infringes DP Laws.
- 1.6 Evelyn Partners shall implement and maintain, at its reasonable cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by Evelyn Partners:
- 1.6.1 such that the processing will meet the requirements of DP Laws and ensure the protection of the rights of Data Subjects; and
- 1.6.2 so as to ensure a level of security in respect of Protected Data processed by it that is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed.
- 1.7 Evelyn Partners shall not engage another Processor to perform specific processing activities in respect of the Protected Data without the Client’s authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed), provided that the Customer authorises the appointment of any Evelyn Partners group company or any IT supplier engaged by Evelyn Partners in the ordinary course of its business. Evelyn Partners shall appoint each Sub-Processor under a binding written contract (“Processor Contract”) which imposes the same data protection obligations as are contained in this Annexure on the Sub-Processor, in particular under clause 6 and the conditions in this clause 1.7 for engaging another Processor. Where the Client has concerns about the Sub-Processor’s compliance with DP Laws or the Processor Contract, Evelyn Partners shall discuss these concerns with the Client and use its reasonable endeavours to resolve them. In the event that Evelyn Partners is unable to resolve the concerns, Evelyn Partners shall cease using the Sub-Processor as soon as reasonably practicable.
- 1.8 Evelyn Partners shall ensure that Evelyn Partners personnel processing Protected Data have signed agreements requiring them to keep Protected Data confidential, and take all reasonable steps to ensure the reliability of the Evelyn Partners personnel processing Protected Data and that the Evelyn Partners personnel processing Protected Data receive adequate training on compliance with this clause 1 and the DP Laws applicable to the processing.
- 1.9 Evelyn Partners shall implement and maintain, at its reasonable cost and expense, appropriate technical and organisational measures to assist the Client in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data, including to ensure that all Data Subject Requests it receives are recorded and then referred to the Client within three days of receipt of the request.
- 1.10 Evelyn Partners shall, at the Client’s cost and expense, provide reasonable assistance, information and cooperation to the Client to ensure compliance with the Client’s obligations under DP Laws including with respect to: (i) security of processing; (ii) notification by the Client of breaches to the Supervisory Authority or Data Subjects; and (iii) DPIAs and prior consultation with a Supervisory Authority regarding high risk processing.
- 1.11 The Client agrees that Evelyn Partners may transfer any Protected Data to any country outside the European Economic Area (“EEA”) or to any international organisation (an “International Recipient”), provided that Evelyn Partners ensures that such transfer (and any onward transfer): (i) is pursuant to a written contract including provisions relating to security and confidentiality of the Protected Data; (ii) is effected by way of a legally enforceable mechanism for transfers of Personal Data as may be permitted under DP Laws from time to time; (iii) complies with clause 5.1; and (iv) otherwise complies with DP Laws.
- 1.12 Evelyn Partners shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Client containing such information as required under DP Laws (“Processing Records”), and shall make available to the Client on request in a timely manner such Processing Records as required by the Client to demonstrate compliance by Evelyn Partners with its obligations under DP Laws and this Annexure.
- 1.13 Evelyn Partners shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client for the purpose of demonstrating Evelyn Partners’ compliance with its obligations under DP Laws and this clause 1, subject to the Client giving Evelyn Partners reasonable prior notice of such audit and/or inspection, and ensuring that any auditor is subject to binding obligations of confidentiality and that such audit or inspection is undertaken so as to cause minimal disruption to Evelyn Partners’ business and other customers.
- 1.14 The Client shall pay Evelyn Partners’ reasonable costs of allowing or contributing to audits or inspections under clause 13 where the Client wishes to conduct more than one audit or inspection every twelve (12) months.
- 1.15 In respect of any personal data breach (actual or suspected) related to the Services or this Annexure, Evelyn Partners shall notify the Client of the breach without undue delay and provide the Client without undue delay with such details relating to the breach as the Client reasonably requires.
- 1.16 Evelyn Partners shall without delay, at the Client’s written request, either securely delete or return all Protected Data to the Client after the end of the provision of the relevant Services related to processing or, if earlier, as soon as processing by Evelyn Partners of any Protected Data is no longer required for Evelyn Partners’ performance of its obligations under the Terms of Business, and securely delete existing copies (unless storage of any data is required by applicable law).
2. DEFINITIONS AND INTERPRETATION
- 2.1 Definitions
“Client” means the trust, company or other legal entity that is receiving the Services from Evelyn Partners under the Terms of Business;
“Controller” (or data controller), “Processor” (or data processor), “Data Subject”, “international organisation”, “Personal Data” and “processing” all have the meanings given to those terms in DP Laws (and related terms such as “process” shall have corresponding meanings);
“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under DP Laws;
“DPIA” means a Data Protection Impact Assessment, as defined in DP Laws;
“DP Laws” means any applicable law relating to the processing, privacy, and use of Personal Data, as applicable to Evelyn Partners, the Client and/or the Services, including:
- the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), and/or any corresponding or equivalent national laws or regulations; and
- any judicial or administrative interpretation of them, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;
“Protected Data” means Personal Data received from or on behalf of the Client, or otherwise obtained in connection with the performance of Evelyn Partners’ obligations that is processed by Evelyn Partners on behalf of the Client;
“Services” means the services and other activities to be supplied to or carried out by or on behalf of Evelyn Partners for the Client pursuant to the Terms of Business;
“Sub-Processor” means another Processor engaged by Evelyn Partners for carrying out processing activities in respect of the Protected Data on behalf of the Client, and authorised by the Client in accordance with clause 1.7;
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering DP Laws;
“Terms of Business” means the applicable terms of business which apply to the provision of the Services by Evelyn Partners to the Client; and
“Evelyn Partners” means the company within the Evelyn Partners Limited group that is providing the Services under the Terms of Business, details of which can be found at www.evelyn.com/legal-compliance-regulatory/registered-details
- 2.2 Interpretation
To the extent that a term of this Annexure requires the performance by a party of an obligation “in accordance with DP Laws” (or similar) this requires performance in accordance with such DP Laws as are in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under applicable DP Laws, it shall not apply until such time as it is so required.
Schedule
DATA PROCESSING DETAILS
- subject-matter of processing:
The provision of Services to the Client which require Evelyn Partners to process personal data on behalf of the Client.
- duration of the processing:
As long as may be required for the provision of the Services and otherwise as may be required by applicable laws.
- nature and purpose of the processing:
Only to the extent necessary to provide the Services and as may be required by applicable laws.
- type of Personal Data:
Name, address, date of birth, and other personal data as agreed from time to time.
- categories of Data Subjects:
Beneficiaries, shareholders, and other data subjects as agreed from time to time.