Interested in joining our team?
We are always on the lookout for passionate people that possess IQ and EQ to join our growing team.
THIS DATA PROCESSING ADDENDUM (“DPA”) governs any processing of Agreement Personal Data by the parties in connection with any Agreement.
1. Interpretation
In this DPA:
| “Agreement” or “Main Agreement”
|
means any and all agreements between any IQ-EQ Contracting Party and the Client for the provision of the Services (as defined below) to which this DPA applies, and which pursuant to clause 2.a) of this DPA includes this DPA; |
| “Agreement Personal Data”
|
means any personal data provided by or on behalf of the Client to the IQ-EQ Contracting Party for the purposes of the Services; |
| “Change in Law”
|
means the coming into effect of a new or a change in Applicable Data Protection Law or any regulatory requirements, developments, or guidance issued by a regulator or competent authority applicable to Agreement Personal Data; |
| “ADGM Addendum”
|
means the ADGM Addendum to the EU SCCs issued by the Abu Dhabi Global Market (ADGM) Commissioner in accordance with Section 49(2)(j) of the DPR 2021; |
| “Applicable Data Protection Laws”
|
means any laws in force in the European Union, Guernsey, Jersey, Isle of Man, Switzerland and/or United Kingdom (as applicable) from time to time in force as may be applicable to the IQ-EQ Contracting Entity or the Client and to which the Agreement Personal Data is subject, that relate to data protection, the processing of personal data, privacy and/or electronic communications and in any other jurisdiction outside of those jurisdictions which has adopted laws analogous to EU GDPR, and references to “controller”, “data subjects”, “personal data”, “personal data breach”, and “processor” have the meanings set out in and will be interpreted in accordance with EU GDPR; |
| “Client”
|
means the entity who is the customer and signatory party in any Agreement or other recipient of Services under any Agreement to which this DPA applies or who may otherwise have acceded to or adhered to this DPA; |
| “EEA”
|
European Economic Area; |
| “EU GDPR”
|
the General Data Protection Regulation ((EU) 2016/679); |
| “EU SCCs”
|
means the appropriate module of the standard contractual clauses for the transfer of personal data from the EEA to third countries or from other countries who may have adopted the EU SCCs as an appropriate Transfer Mechanism to third countries, as set out in the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021; |
| “Group”
|
means together a person and any other person that controls, is controlled by or is under common control with the first person from time to time, where “control” means in relation to a person, the power (whether direct or indirect) to direct or cause the direction of its affairs, whether by means of holding shares, possessing voting power, exercising contractual powers or otherwise, and “controls” and “controlled” shall be construed accordingly; |
| “IQ-EQ Companies”
|
means such IQ-EQ Group companies, other than the IQ-EQ Contracting Party, as may be processing the Agreement Personal Data in connection with their involvement in the provision of the Services under any Agreement (including supporting the general operations of the IQ-EQ Contracting Party in providing the Services); |
| “IQ-EQ Contracting Party”
|
means the IQ-EQ entity identified as the contracting entity in any Agreement; |
| “IQ-EQ Group”
|
means IQ-EQ Contracting Party and other companies within the same Group of companies; |
| “IQ-EQ Privacy Notice”
|
means the privacy notice of IQ-EQ Group available at: https://iqeq.com/master-privacy-notice, as may be updated from time to time; |
| “parties”
|
means together the Client and the IQ-EQ Contracting Party, and a “party” means one of them, as the context requires; |
| “processing”
|
has the meaning set out in the applicable Data Protection Laws; and “process,” “processing” and “processed” will be interpreted accordingly; |
| “Purposes”
|
the purposes set out in, as applicable, Part A and/or Part B of Annex 2; |
| “Restricted Transfer”
|
means a transfer of Agreement Personal Data which is undergoing processing, or which is intended to be processed after transfer, to a country or territory to which such transfer is prohibited or subject to a requirement to take additional steps to adequately protect the Agreement Personal Data for the transfer to be lawful under the applicable Data Protection Laws; |
| “Services”
|
means the products (goods, services and/or digital content, as applicable) to be provided by the IQ-EQ Contracting Party to the Client pursuant to an Agreement; |
| “sub-processor” |
means any person appointed, engaged, or permitted by the IQ-EQ Contracting Party to process Agreement Personal Data; |
| “Supervisory Authority” |
means any competent regulatory authority responsible for the enforcement, regulation, or governance of any Applicable Data Protection Laws and any replacement or successor body or person for any such authority from time to time; |
| “Transfer Mechanism” |
means such measures as are prescribed by the Applicable Data Protection Laws to adequately protect personal data subjected to Restricted Transfers, which may include executing the EU SCCs, UK Addendum or UK IDTA (as applicable); |
| “Transfer Mechanism” |
means such measures as are prescribed by the Applicable Data Protection Laws to adequately protect personal data subjected to Restricted Transfers, which may include executing the EU SCCs, UK Addendum or UK IDTA (as applicable); |
| “UK Addendum” |
means the UK Addendum to the EU SCCs issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018; and |
| “UK IDTA” |
means the International Data Transfer Agreement for the transfer of personal data from the UK to third countries issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018. |
Any words following the words “include,” “includes,” “including,” “in particular,” “such as” or any similar words or expressions will be construed without limitation and accordingly will not limit the meaning of the words preceding them.
A “person” includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
A reference to a “company” shall include any company, corporation, or other body corporate, wherever and however incorporated or established.
The Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
A reference to “writing” and “written” includes email to the representative of the relevant contracting Party.
2. Scope and application
a) Incorporation. This DPA forms part of any Agreement between the Client and the IQ-EQ Contracting Party under which Services are to be delivered to the Client by the IQ-EQ Contracting Party.
b) Compliance with this DPA. The parties agree that, in consideration of the mutual obligations and covenants contained in this DPA, they will comply with the terms of this DPA where applicable and required by Applicable Data Protection Laws.
c) Scope. This DPA applies to any Agreement Personal Data processed by the parties under or in connection with any Agreement (or in contemplation of entering into any agreement for the purposes of further processing or the delivery of additional Services to the Client). In particular, it sets out the terms governing:
i) the processing of Agreement Personal Data by the IQ-EQ Contracting Party acting as a processor on behalf of the Client; and
ii) the sharing of Agreement Personal Data between the Client and IQ-EQ Contracting Party acting as independent controllers.
d) Order of precedence. Where there is a conflict between any provision governing the processing of personal data set out in another document forming part of any Agreement and any term of this DPA, the terms set out in this DPA shall prevail.
e) Point of contact. Each party shall appoint a representative as a point of contact for issues relating to the processing of Agreement Personal Data relating to this Agreement and receipt of notices and communications and notify the other party of the relevant contact details without undue delay. In the case of the IQ-EQ Contracting Party, the appropriate point of contact shall be the client relationship director notified to the Client from time to time. In the absence of a specified notice party, the point of contact shall be the board of directors of the relevant Contracting Party.
f) Other Processing. Nothing in this Addendum shall be construed as preventing the IQ-EQ Contracting Party from processing any personal data controlled by the Client as a controller (whether independently or jointly with the client), as may be agreed between the parties from time to time.
g) Anonymisation of Agreement Personal Data. The Client agrees that the IQ-EQ Contracting Party may anonymise Agreement Personal Data obtained or generated in the course or in connection with the provision of the Services, to test and develop (i) new services which may be of interest to the Client and (ii) to test and develop additional functionality for applications and solutions used in delivering the Services, and (iii) to create anonymised reports, insights, databases, and other derivative works (Derivative Works), and (iv) use (including disclosing to any third-parties) such Derivative Works during and after the term of any Agreement for internal business purposes.
3. Data processing
a) Application. This clause 3 sets out the arrangement between the Client and IQ-EQ Contracting Party for the processing of the Agreement Personal Data by IQ-EQ Contracting Party acting as processor on behalf of the Client acting as the controller as described in any Agreement.
b) Agreement Personal Data where IQ-EQ is a processor. The subject matter, nature, duration, and purpose of the processing, as well as type of personal data and categories of data subjects are set out in Annex 2 of this DPA.
c) Processing obligations. Where the IQ-EQ Contracting Party acts as processor of the Agreement Personal Data (the “IQ-EQ Data Processor”), that IQ-EQ Data Processor will, where required by Applicable Data Protection Laws:
Instructions
i) only process the Agreement Personal Data for the purposes set out in Annex 2 to this DPA and in accordance with the Client’s documented instructions in respect of the Agreement Personal Data, unless these instructions are legally prohibited or require material changes to the Services or delivery of the Services, or unless the IQ-EQ Data Processor is required to process the Agreement Personal Data by any other applicable law to which the IQ-EQ Data Processor is subject, in which case the IQ-EQ Data Processor shall, where permitted by law, inform the Client of that legal requirement;
Confidentiality
ii) ensure that individuals processing the Agreement Personal Data on behalf of the IQ-EQ Data Processor are bound by appropriate confidentiality obligations applicable to their roles in providing the Services;
Security
iii) implement appropriate technical and organisational measures as required under the Applicable Data Protection Laws to ensure a level of data security appropriate to the risk and as set out in Annex 1 to this DPA, which may be updated by the IQ-EQ Contracting Party from time to time as it deems appropriate;
Assistance
iv) at the Client’s request and cost, provide reasonable assistance to the Client with regards to the Client’s obligations with respect to:
(1) implementing appropriate technical and organisational measures to ensure the security of the Agreement Personal Data in addition to the technical and organisational measures described in Annex 1;
(2) notification of and response to of personal data breaches to data subjects and/or Supervisory Authorities; and
(3)to the extent required by the Applicable Data Protection Laws, carrying out of data protection impact assessments and any resulting consultation with Supervisory Authorities, in each case as required under Applicable Data Protection Laws;
Data subject rights
v) at the Client’s request and cost, provide reasonable assistance to (considering the nature of the processing and the information available to the IQ-EQ Data Processor) the Client (including by appropriate technical and organisational measures, insofar as this is possible), for the fulfilment of the Client’s obligation as controller to respond to requests for exercising the data subject’s rights as required under Applicable Data Protection Laws;
Information demonstrating compliance and audits
vi) make available to the Client, where permitted by applicable laws, all information necessary to demonstrate compliance with the obligations laid down within this clause 3, and allow for and contribute to audits, including inspections (on at least 10 business days’ notice), conducted by the Client or another auditor mandated by the Client. No more than one such audit shall be conducted in any 12-months’ period (unless there are objective indications of non-compliance by the IQ-EQ Processor with its obligations under this clause 3). Without prejudice to the generality of the foregoing, in the event of the IQ-EQ Data Processor holding a certificate under ISO27001 then, in deciding on a review or audit, the Client may take into account the certification held by the IQ-EQ Contracting Party;
Personal data breaches
vii) without undue delay after becoming aware of a personal data breach involving the Agreement Personal Data, inform the Client of such breach and shall provide reasonable co-operation and take reasonable commercial steps as directed by the Client and at the cost of the Client to assist in the investigation, containment, notification and remediation of such personal data breach. The information to be provided to the Client may include, as available to the IQ-EQ Contracting Party and requested by the Client, the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay;
Duration of processing and erasure or return of data
viii) upon request from the Client, and subject to any duty to retain Agreement Personal Data under any applicable law, delete or return (at the Client’s choice) the Agreement Personal Data at the end of the provision of the Services to the Client. The IQ-EQ Data Processor may:
(1) retain a copy of the Agreement Personal Data which is subject to Applicable Data Protection Laws if same require storage of the Data;
(2) retain a copy of the Agreement Personal Data not subject to Applicable Data Protection Laws if required by any other applicable law; and
(3) archive the Agreement Personal Data at the instruction of the Client for such duration and subject to the costs of such archiving being agreed between the parties, but otherwise the IQ-EQ Data Processor will delete existing copies of the Agreement Personal Data after deleting or returning the Agreement Personal Data at the end of the provision of the Services to the Client and in such case this DPA shall continue to apply for so long as IQ-EQ Contracting Party processes Agreement Personal Data following termination of any Agreement; and
Infringing instructions
ix) immediately inform the Client if, in its reasonable opinion, any instruction received from the Client infringes any Applicable Data Protection Laws.
d) Sub-processors. In respect of sub-processors of the Agreement Personal Data:
IQ-EQ Companies
i) IQ-EQ Group operates a global operating model. In this context, the Client provides a general authorisation to the IQ-EQ Contracting Party to appoint any IQ-EQ Companies to sub-process the Agreement Personal Data for any purposes consistent with the purposes set out in Annex 2 (including for the purposes of supporting the general operations of the IQ-EQ Contracting Party as well as supporting the provision of the Services);
External sub-processors
ii) the Client provides a general authorisation to the IQ-EQ Contracting Party to appoint any other third-party service providers as its sub-processors, and to transmit the Agreement Personal Data to its sub-processors, for any purposes consistent with the purposes set out in Annex 2 (including for the purposes of hosting the Agreement Personal Data, supporting the performance of the Services and supporting the IQ-EQ Contracting Party’s business operations);
Existing sub-processors
iii) the Client authorises the IQ-EQ Contracting Party to appoint in connection with any Agreement all such sub-processors as the IQ-EQ Contracting Party already engages as at the date of this DPA in connection with the provision of services similar to the Services to other customers of IQ-EQ Group;
New sub-processors
iv) the IQ-EQ Contracting Party shall inform the Client of any addition or replacement of sub-processors from time to time prior to such appointment by update on its website or by email. The Client is advised to subscribe to receive notifications of such updates via the IQ-EQ website, available at the following link – https://iqeq.com/processor-and-sub-processor-list/ . The Client shall be deemed to approve such changes, unless the Client notifies the IQ-EQ Contracting Party of any reasonable objection in writing (Objection) within 5 days of being informed of the change. On receipt of any such Objection, the IQ-EQ Contracting Party will use reasonable efforts to either overcome the Client’s objections, or make available to the Client an alternative solution for the provision of the Services, or propose a commercially reasonable change to Client’s configuration or use of the Services to avoid processing of Agreement Personal Data by the objected-to new sub-processor without materially adversely affecting the IQ-EQ Contracting Party’s performance of its obligations in any Agreement, Where the Client cannot demonstrate that the Objection is due to an actual or likely breach of Applicable Data Protection Law, and the IQ-EQ Contracting Party nonetheless agrees to accommodate the Objection, the Client shall indemnify the IQ-EQ Contracting Party for any losses, damages, costs (including legal fees) and expenses suffered by the IQ-EQ Contracting Party in accommodating the Objection. If a mutually agreeable solution cannot be reached between the parties within one month from receipt of the Client’s Objection, the IQ-EQ Contracting Party will be entitled to terminate any Agreement on one month’s notice given to the Client no later than two months after receiving the Objection; and
Contracts with sub-processors
v) Any sub-processor engaged by the IQ-EQ Contracting Party to process the Agreement Personal Data within the scope of this DPA will be bound by data protection obligations which are substantially similar to those imposed on the IQ-EQ Contracting Party under this DPA.
4. Restricted Transfers and Miscellaneous
a) Restricted Transfers. The Client acknowledges (and shall procure that data subjects are informed) that IQ-EQ Contracting Party, and certain IQ-EQ Companies and other sub-processors of the IQ-EQ Contracting Party may be located in countries that do not offer an adequate level of protection under Applicable Data Protection Laws, including Mauritius, the Philippines, Singapore, the United States of America, Hong Kong, India and other jurisdictions where IQ-EQ Group has existing operations or where IQ-EQ Group may establish operations from time to time and the jurisdictions noted on the IQ-EQ Group Sub-Processor List. The Client hereby acknowledges and agrees to such transfers and the parties agree as follows:
Appropriate safeguards
i) IQ-EQ Contracting Party will (and will procure that any sub-processors will) only undertake Restricted Transfers if they are covered by appropriate Transfer Mechanism (for example, EU SCCs, UK Addendum, or UK IDTA) or as otherwise authorised under the applicable Data Protection Law and any supplemental measures which IQ-EQ Contracting Party may deem appropriate;
EU SCCs
ii) if the Restricted Transfer of Agreement Personal Data is from
(1) the EEA to a jurisdiction outside the EEA; or
(2) from a jurisdiction outside the EEA that has adopted the EU SCCs as an appropriate Transfer Mechanism to certain prescribed jurisdictions;
and the data exporter and the data importer consider that EU SCCs provide an appropriate Transfer Mechanism, the data exporter and the data importer shall enter into the EU SCCs a copy of which is available upon request. The IQ-EQ Contracting Party shall be the data exporter under the EU SCCs;
UK Addendum
iii) if the Restricted Transfer of Agreement Personal Data is from the United Kingdom to a jurisdiction outside the United Kingdom, and the data exporter and the data importer consider that UK Addendum provides an appropriate Transfer Mechanism, the data exporter and the data importer shall enter into the UK Addendum a copy of which is available on request. The IQ-EQ Contracting Party shall be the data exporter under the UK Addendum;
ADGM Addendum
iv) if the Restricted Transfer of Agreement Personal Data is from the ADGM to a jurisdiction outside the ADGM, and the data exporter and the data importer consider that ADGM Addendum provides an appropriate Transfer Mechanism, the data exporter and the data importer shall enter into the ADGM Addendum, a copy of which is available on request. The IQ-EQ Contracting Party shall be the data exporter under the ADGM Addendum;
b) Fines. Each party is responsible for any fines imposed on them by Supervisory Authorities that are intended to sanction that party for its own violation of Applicable Data Protection Laws.
c) Client warranties. The Client warrants that:
i) it has the authority to provide the Agreement Personal Data to the IQ-EQ Contracting Party; and
ii) it has taken, and shall take, all steps necessary, including providing all required notices to data subjects, to ensure that the provision and processing of Agreement Personal Data by the IQ-EQ Contracting Party and its sub-processors (including any Restricted Transfer of Agreement Personal Data) as envisaged under, and for the purposes specified in, any Agreement is in accordance with the Applicable Data Protection Laws.
5. Data Sharing and acting as Data Controller
a) Application. The parties acknowledge and agree that the IQ-EQ Contracting Party may process certain Agreement Personal Data provided to it by or on behalf of the Client as a controller, as set out in any Agreement, and in Annex 2. This clause 5 sets out the arrangement between the Client and the IQ-EQ Contracting Party for the sharing of the Agreement Personal Data as independent controllers.
b) Agreement Personal Data where both parties are controllers, IQ-EQ being a separate and independent controller. References to Agreement Personal Data in this clause 5 are references to the Agreement Personal Data provided by or on behalf of one party to the other party where both parties act as independent controllers, as more particularly described in Annex 2 of this Addendum.
c) Permission to process. Where a party discloses Agreement Personal Data controlled by that party to the other party in connection with this Agreement, the disclosing party acknowledges that the receiving party may use that Agreement Personal Data as provided in the Annexes to this Addendum and for such other purposes as long as not incompatible with the purposes set out in the Annexes and the applicable privacy notice.
d) Mutual obligations. To the extent that both parties process the Agreement Personal Data as independent controllers, each party agrees that it will, where required by Applicable Data Protection Laws:
Lawful basis
i) ensure that it has a lawful basis under Applicable Data Protection Laws for its processing of the Agreement Personal Data, and upon request of the other party confirm in writing the lawful basis on which it relies;
Consent
ii) where it relies on a data subject’s consent to share their personal data with the other party, ensure that a valid consent for such sharing has been provided, and, when requested, supply that other party with the form of consent wording used to obtain the data subject’s consent;
Privacy notices
iii) provide appropriate privacy notices to the data subjects of the Agreement Personal Data, as required under Applicable Data Protection Laws, including (in case of the disclosing party) the fact that their personal data may be shared with the other party for the Purposes. The Client further agrees that it will make the IQ-EQ Privacy Notice accessible to and bring it to the attention of the data subjects of the Agreement Personal Data prior to their disclosure of such personal data to the IQ-EQ Contracting Party (the IQ-EQ Contracting Party’s privacy notice can be accessed at www.iqeq.com/master-privacy-notice or such other website as the IQ-EQ may notify to the Client from time to time);
Security
iv) implement technical and organisational measures to ensure a level of security appropriate to the risk presented by processing the Agreement Personal Data, in particular from a personal data breach, including having regard to the risk of varying likelihood and severity for the rights and freedoms of the data subjects, and upon request supply the other party with details of the security measures implemented pursuant to this clause;
Personal data breaches
v) without undue delay after becoming aware of a personal data breach involving the Agreement Personal Data, inform the other party of such breach and provide reasonable co-operation and assistance to the other party in the investigation containment, preparation and management of notification, and remediation of such personal data breach;
Enquiries about data breaches
vi) cooperate with and assist the other party as far as reasonably practicable in the event that the other party receives enquiries from data subjects and/or a Supervisory Authority about any such personal data breach;
Restricted Transfers
vii) ensure that any Restricted Transfers made from time to time are compliant in all material respects with Applicable Data Protection Laws, which may include (where applicable) an appropriate Transfer Mechanism;
Data subject rights
viii) comply with the rights of the data subjects under Applicable Data Protection Laws, including the right of access, in relation to its processing of Agreement Personal Data. If either party receives a data subject request to exercise any data subject rights under Applicable Data Protection Laws in relation to any of the Agreement Personal Data processed by (or on behalf of) the other party, it shall, to the extent permitted under any applicable laws, promptly (and in any event within five business days of receipt) notify the other party, and (to the extent reasonably practicable) consult with the other party in advance of giving any response; and
Information
ix) respond as soon as reasonably practicable to any queries as may reasonably be raised from time to time by the other party, in respect of its compliance with this clause 5.
6. Changes in Law
If there is a Change in Law or an anticipated Change in Law that has been finalised but has not come into effect yet, the parties agree that:
Minor changes
a) the IQ-EQ Contracting Party may unilaterally make amendments to this DPA on 30 days’ written notice to the Client, provided that such amendments will be the minimum changes reasonably and properly required to ensure that the DPA complies with Applicable Data Protection Laws as varied by that Change in Law;
Other changes
b) where a Change in Law prevents either party from performing all or part of its obligations under any Agreement, the parties agree that:
i) each party will continue to perform all of its obligations the performance of which are not affected by the Change in Law;
ii) the parties may agree to suspend the processing of the affected Agreement Personal Data until that processing complies with the new requirements;
iii) unless the IQ-EQ Contracting Party serves a notice under clause 6(a), the parties will review and negotiate in good faith such amendments to the DPA as may be necessary to ensure that it complies with Applicable Data Protection Laws as varied by the Change in Law; and
iv) if the parties are unable to bring the processing of the Agreement Personal Data into compliance with Applicable Data Protection Laws as affected by the Change of Law within 90 days, IQ-EQ Contracting Party may terminate the Main Agreement on 30 days’ written notice.
Costs
c) neither party will be entitled to recover any costs it has incurred from the other party or recover any costs saved by the other party as a result of any Change in Law.
Annex 1: List of technical and organisational measures
IQ-EQ maintains and enforces various policies, standards and processes designed to secure personal data and other data to which IQ-EQ employees are provided access. These are described in more detail in the IQ-EQ Group Information Security Summary document, available on request.
Following is a summary description of the core technical and organisational security measures implemented by IQ-EQ:
Information Security and Data Protection Controls
1. Physical Access Controls
IQ-EQ maintains and enforces controls to prevent unauthorized persons from gaining physical access to IQ-EQ premises, buildings, rooms, or data centres where data processing systems are located that process and/or use personal data. IQ-EQ uses the enhanced physical access controls at IQ-EQ data centres and server facilities.
2. System Access Control
IQ-EQ maintains and enforces controls to permit only authorized personnel to access and use IQ-EQ’s data processing systems.
3. Data Access Control
IQ-EQ maintains and enforces controls to allow persons authorized to use data processing systems to gain access only to the personal data that they have a legitimate business need to access in accordance with their job function, and to prevent personal data from being read, copied, modified or removed without authorization in the course of processing, use and storage.
4. Data Transfer Control
IQ-EQ maintains and enforces controls to prevent personal data from being read, copied, modified, or removed without authorization, including during transfer or storage.
5. Data Entry Control
IQ-EQ maintains and enforces controls to make it possible to retrospectively examine and establish whether and by whom personal data have been entered, modified or removed from IQ-EQ’s business-critical data processing systems, by using the following data entry controls.
6. Job Control
IQ-EQ takes measures to segregate responsibilities between data controller and data processor (IQ-EQ affiliate or subcontractor/service provider).
IQ-EQ maintains and enforces measures to ensure that personal data being processed on commission is processed solely in accordance with the Client contract and related instructions of the Client.
7. Availability Control
IQ-EQ maintains and enforces controls to protect personal data against accidental or unauthorized destruction or loss.
8. Separation Control
IQ-EQ maintains and enforces to control to ensure that personal data collected for different purposes are processed separately where applicable.
9. Organisational Control
Organisational approach and governance around data protection is designed to ensure the continued protection of personal data across the organization, including appointment of a Data Protection Officer.
Annex 2
Part A: Role of the IQ-EQ Contracting Party and IQ-EQ Group Companies
The role of the parties as described below apply to the services as described under the Main Agreement (excluding MaxComply and Cosmos) and to activities conducted by the IQ-EQ Contracting Party and IQ-EQ Group Companies as a consequence of the Main Agreement
| Services (where applicable to the Main Agreement)
|
IQ-EQ role |
| AIFM services which directly impose on IQ-EQ any legal or regulatory obligations (including AML/KYC on Client, and AML/KYC on assets) | Controller |
|
Fund management services (other than AIFM services) which directly impose on IQ-EQ any legal or regulatory obligations (including AML/KYC on Client and AML/KYC on assets) |
Controller |
|
Regulatory reporting (where reporting is an IQ-EQ obligation) |
Controller |
|
Investment management services, |
Controller |
|
Risk management |
Controller |
|
Portfolio management |
Controller |
|
Regulatory reporting on behalf of Client |
Processor |
|
Annex IV (regulatory reporting) |
Processor |
| Pre-marketing and marketing | Processor |
| AML/CFT Officer (responsable du contrôle du respect des obligations “RC”) | Processor |
|
MLRO Services |
[Controller/Processor] |
|
AML/KYC support on assets (external AIFM or delegated Portfolio Manager asking IQ-EQ to provide support on AML/KYC support on assets) |
Processor |
| Depositary services |
Controller |
|
Administration, domiciliation, transfer agent and registrar agent services which directly impose on IQ-EQ any legal or regulatory obligations (including but not limited to investors AML/KYC when IQ-EQ is acting as Transfer Agent) |
[Controller/Processor] |
|
Tasks instructed by the Client where IQ-EQ is not subject to a direct legal or regulatory obligation (including but not limited to investors AML/KYC when IQ-EQ is not appointed as Transfer Agent; accounting/bookkeeping services, tax services, supply chain management, treasury and outsourced CFO services) |
[Controller/Processor] |
|
Directorship and company secretary mandates |
[Processor/Controller] |
|
Provision of employees on a split contract or part-time basis |
[Controller/Processor] |
|
Professional trustee services |
Controller |
|
Wealth administration including family office services |
[Controller/Processor] |
|
Company secretarial and other administrative services |
[Controller/Processor] |
|
Data Connectivity services |
Processor |
|
Permitting access to IQ-EQ Connect and its component modules for Client and Authorised Users, storing credentials and facilitating 2 factor authentication, and other processing necessary to secure the technology platform. |
Controller |
|
In the context of IQ-EQ making its technology platform available to the Client and Authorised Users for the purposes of providing investor AML/KYC services as part of the Services, permitting access to IQ-EQ Connect and its component modules for Client and Authorised Users, storing credentials and facilitating 2 factor authentication, and other processing necessary to secure the technology platform. |
Controller |
|
ESG and compliance advisory services (including provision of ESG Platform) |
Processor |
|
Authorised representative services |
Controller |
|
To the extent not comprised within IQ-EQ Connect, permitting access for Client and Authorised Users to any other IQ-EQ or third-party platform to the extent comprised within the Services, storing credentials and facilitating 2 factor authentication, and other processing necessary to secure the technology platform. |
Controller |
Part B: Details of Processing
| Subject matter of processing | Processing of the Agreement Personal Data of the Client by IQ-EQ Contracting Party (either as processor on behalf of the Client, or as controller).
Agreement Personal Data: Personal data obtained or generated in the course or in connection with the provision of the Services, which may include: – name, address, email address, legal guardian, professional qualifications, job function, some family details, date of birth, user activity details and log in details, electronic identification data, IP address Personal data such as financial information, passport identification number, tax registration number, tax residence, proof of identity, economic sanctions status, some family details, IP address, location data, payment and payee details, bank account details, tax returns and tax records, records relating to Client transactions, financial records, investors, beneficial owners shareholders, ultimate controlling parties, other methods of identification and verification of identity of data subjects, current and previous employment details, PA Dealing records, personal data from public and private sources, such as PEP, sanctions, and all special categories of personal data e.g., data relating to political parties, personal data relating to diversity, equity and inclusion. Categories of data subjects: – Clients, employees of Clients, employees of third-party advisors and service providers to Clients, beneficiaries, guardians of beneficiaries, investors, limited partners, directors and officers of Clients, beneficial owners, ultimate beneficial owners, investors and investees of the Client, employees and ultimate beneficial owners of the Client’s investors and investees, shareholders, persons exerting significant control, borrowers, family members of any of the foregoing and any Authorised User of IQ-EQ Connect and/or MaxComply (where same is made available by the IQ-EQ Contracting Party to facilitate Investor KYC/AML services) to the extent not included in the foregoing. |
| Duration of processing | Where IQ-EQ is processor:
– Processing will last as long as the Main Agreement is in force, or longer in accordance with the legal durations applicable when it comes to the mandatory storage of documents or as may otherwise be agreed between the parties on termination of the Main Agreement for provision of archiving services by the IQ-EQ Contracting Party Where IQ-EQ is controller: – Processing will last as long as may be required for the stated purposes. |
| Nature of processing
|
Where IQ-EQ is processor:
– Processing in connection with the Services which is performed whether or not by automated means, such as collection, recording, organization, structuring, anonymising, aggregating with other data, storage, consultation, use, disclosure by transmission or otherwise making available including to the Data Controller or third parties including other IQ-EQ Group Companies who may provide other services to the Data Controller under any other Main Agreement or at the request of the Data Controller, combination, restriction, erasure or destruction, cleansing, analytics, visualisation and DevOps activities in connection with the Services and other use for the purposes set out in this table.
Where IQ-EQ is controller:
– Processing in connection with the Services and other use for the purposes set out in this table.
|
| Purpose of processing | Where IQ-EQ is processor:
– To enable the IQ-EQ Contracting Party to perform its professional duties and obligations as described in the provision of services under the Main Agreement and as described in this Annex 2. Where IQ-EQ is controller: – to provide Services to the Client where such Services require the IQ-EQ Contracting Party to determine the purposes and means of processing of the Agreement Personal Data, and in particular, which may include depositary services, compliance services, fund management services, alternative investment fund manager (AIFM) services, professional trustee services, transfer agency services, private wealth administration, corporate services, and data analytics; – creation of derivative works using the Agreement Personal Data to facilitate delivery of the Services; – to comply with applicable laws on anti-money laundering and counter terrorist financing, tax identification and reporting applicable to IQ-EQ Contracting Party; – to comply with requests from or requirements of regulatory and enforcement authorities; – to carry out customer relationship management activities, including maintaining a database of customers; – to conduct vendor selection tests, testing and implementation of new technology solutions and services that may be used in the Services or to improve IQ-EQ’s operations and service delivery capabilities; – for fraud and other criminal activity prevention, payment verification; – to enforce any Agreement or any other agreement, to implement changes in the IQ-EQ Contracting Party’s corporate structure or ownership; – to create statistics and analytics; – to manage risk, litigation, accounting and audits both internal and external; – to provide insights to the Client regarding Authorised Users’ use of IQ-EQ Connect and/or MaxComply; – to conduct benchmarking; – to conduct analytics in order to develop new methods of providing Services and new services which may be of relevance to the Client; – for hosting; – to conduct anonymisation of personal data, in the context of clause 2(g) of this DPA; – in so far as the IQ-EQ Contracting Party has obtained consent of any data subject to use their personal data for the purposes of direct marketing, to conduct such direct marketing; – Determining hosting location of Agreement Personal Data uploaded or stored within IQ-EQ Connect or MaxComply (where same is made available to Clients and Authorised Users to facilitate delivery of the Services); – Preventing access to any component of the relevant Platform in case of breach by Client or an Authorised User of the applicable end user terms, relevant third-party partner terms or Main Agreement as regards acceptable use; – managing information security requirements. – In connection with any financing and/or investment in the IQ-EQ Group or change of ownership of the IQ-EQ Group |
Where MaxComply or Cosmos forms the Service or part of the Service, the following shall apply to the Agreement Personal Data
Part A: Role of the IQ-EQ Contracting Party and IQ-EQ Group Companies
The role of the parties as described below apply to the services as described under the Main Agreement relating to MaxComply and Cosmos and to activities conducted by the IQ-EQ Contracting Party and IQ-EQ Group Companies as a consequence of the Main Agreement
| Services (where applicable to the Main Agreement)
and activities |
IQ-EQ role
|
| Permitting access to the relevant Platform(s) for Client and Authorised Users, other service providers including IQ-EQ Group Companies, storing credentials and facilitating 2 factor authentication | Controller |
| Data visualisation, access, analytics, aggregation, reporting, cleansing, dashboard creation, bank account information, collation and aggregation Services | Processor |
Part B: Details of Processing
| Subject matter of processing
|
Processing of the Agreement Personal Data by the IQ-EQ Contracting Party in the course or in connection with the provision of the Services to the Client as defined in the Agreement, including for the purposes of conducting compliance checks related to ‘know your customer’, anti-money laundering, counter-fraud and counter-terrorism, which may include identity verification checks and background screening of sanctions, PEPs, watchlists, adverse media, and enforcement data.
Agreement Personal Data: The Client Agreement Personal Data obtained or generated in the course or in connection with the provision of the Services, which may include: name, address, job title, current and previous employment details, Personal Account Dealing records, personal data from public and private sources, such as PEP records and sanctions records, and all special categories of personal data e.g. data relating to political affiliations, diversity, equity and inclusion, and all other personal data necessary for the delivery of the Services including access credentials. Categories of data subjects: – Client’s, employees of clients, customers, vendors, investors, investor personnel and investor representatives, limited partners, directors and officers of Clients, beneficial owners, ultimate beneficial owners, shareholders, officers, customer personnel, and professional service provider personnel and any Authorised User of a Platform to the extent not included in the foregoing. |
| Duration of processing
|
Where IQ-EQ is processor:
– Processing will last as long as the Main Agreement is in force, or longer in accordance with the legal durations applicable when it comes to the mandatory storage of documents or as may otherwise be agreed between the parties on termination of the Main Agreement for provision of archiving services by the IQ-EQ Contracting Party Where IQ-EQ is controller: – Processing will last as long as may be required for the stated purposes. |
| Nature of processing
|
Where IQ-EQ is processor:
– Processing in connection with the Services which is performed whether or not by automated means, such as collection, recording, organization, structuring, anonymising, aggregating with other data, storage, consultation, use, disclosure by transmission or otherwise making available including to the Data Controller or third parties including other IQ-EQ Group Companies who may provide other services to the Data Controller under any other Main Agreement or at the request of the Data Controller, combination, restriction, erasure or destruction, cleansing, analytics, visualisation and DevOps activities in connection with the Services and other use for the purposes set out in this table. Where IQ-EQ is controller: – Processing in connection with the Services and other use for the purposes set out in this table. |
| Purpose of processing | Where IQ-EQ is processor:
– To enable the IQ-EQ Contracting Party to perform its professional duties and obligations as described in the provision of services under the Main Agreement and as described in this Annex 3. Where IQ-EQ is controller: – to provide Services to the Client where such Services require the IQ-EQ Contracting Party to determine the purposes and means of processing of the Agreement Personal Data; – creation of derivative works using the Agreement Personal Data to facilitate delivery of the Services; – in relation to any proposed sale, merger or takeover of part or all of the IQ-EQ Group of companies, or assets; – to comply with applicable laws on anti-money laundering and counter terrorist financing, tax identification and reporting applicable to IQ-EQ Contracting Party; – to comply with requests from or requirements of regulatory and enforcement authorities; – to carry out customer relationship management activities, including maintaining a database of customers; – to conduct vendor selection tests, testing and implementation of new technology solutions and services that may be used in the Services or to improve IQ-EQ’s operations and service delivery capabilities; – for fraud and other criminal activity prevention, payment verification; – to enforce any Agreement or any other agreement, to implement changes in the IQ-EQ Contracting Party’s corporate structure or ownership; – to create statistics and analytics; – to manage risk, litigation, accounting and audits both internal and external; – to provide insights to the Client regarding Authorised Users’ use of any Platform; – to conduct benchmarking; – to conduct analytics in order to develop new methods of providing Services and new services which may be of relevance to the Client; – for hosting; – to conduct anonymisation of personal data, in the context of clause 2(g) of this DPA; – in so far as the IQ-EQ Contracting Party has obtained consent of any data subject to use their personal data for the purposes of direct marketing, to conduct such direct marketing; – Permitting access to a relevant Platform for Client and Authorised Users, storing credentials and facilitating 2 factor authentication; – Determining functionality of a Platform including selection of third-party partners; – Determining hosting location of Agreement Personal Data uploaded or stored within one or more Platforms and of the Platform components; – Preventing or withdrawing access to any component of the relevant Platform in case of breach by Client or an Authorised User of the applicable end user terms, relevant third-party partner terms or Main Agreement as regards acceptable use; – managing information security requirements; – verify identity of Client and Authorised Users, facilitate and process transactions, provide suggestions and recommendations related to our Services; – consolidating and aggregating bank account information received from a bank or other third party (including an AISP) as mandated by the Client or any Client Entity in order to provide aggregated information or insights relating to such aggregated information to the Client via a Platform. |