Data Protection Addendum

      1. This Data Processing Addendum (the Addendum) will apply from 30 September 2019 and will thereafter be incorporated into all arrangements, agreements and contracts (Agreement) under which members of the Waystone Group (each, and together Waystone) provide services, to the extent that in doing so they act as a ‘data processor’ (as defined in applicable Data Protection Law). Where a client of Waystone already has in place a signed Data Processing Agreement or Amendment Agreement to incorporate data processing provisions (DP Agreement), and there is any conflict with the terms of this Addendum, the terms of the DP Agreement will prevail.
      2. For the purpose of this Addendum:
        • Data Protection Law shall mean all applicable data protection law, which may include, (i) with effect from 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) including any amendments thereto and any applicable consequential national data protection legislation and guidance and codes of practice issued by any relevant European data protection supervisory authority; and (ii) from 30 September 2019, the Cayman Islands Data Protection Law, including any amendments thereto and any applicable consequential national guidance and codes of practice issued by any relevant Cayman Islands data protection supervisory authority, and the terms ‘personal data’, ‘data controller’, ‘data processor’ and ‘process’ shall have the meanings given to them under Data Protection Law.
        • Entity means the person or entity that has entered into an Agreement with Waystone.
        • Relevant Data Protection Authority means the relevant independent public authority responsible for monitoring the application of the relevant Data Protection Law.
        • Waystone Group means all direct and indirect subsidiaries of Waystone Governance Ltd (formerly known as DMS Governance Ltd) and Waystone Centralised Services (IE) Limited (formerly known as DMS Governance Risk and Compliance Services Limited).
      3. Waystone acknowledges that in providing the services under the Agreement Waystone may process personal data on behalf of the Entity.
      4. In such circumstances, Waystone acknowledges that the Entity is a data controller and Waystone is data processor and the parties agree that:
        • Waystone processes personal data, as may be specified in the privacy notice of the Entity, on behalf of the Entity in the context of providing the Services under the Agreement. The obligations and rights of the Entity shall be as set out in this Addendum;
        • Waystone will only process such personal data in accordance with the documented instructions of the Entity unless required to do so under applicable laws to which Waystone is subject. In such a case Waystone shall inform the Entity of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
        • Waystone shall ensure that the persons authorised by Waystone to process such personal data are bound by appropriate confidentiality obligations;
        • Waystone shall implement appropriate technical and organisational measures in such a manner that the processing will meeting the requirements of Data Protection Law and to ensure the rights of the data subject;
        • Waystone shall take all measures to ensure a level of security of processing required pursuant to Data Protection Law;
        • Waystone is authorised to engage sub-processors to undertake processing on its behalf, provided that it provides the Entity with prior notice in writing containing details of the sub-processors that it engages and informs the Entity of any intended changes concerning the addition or replacement of such sub-processors and provides the Entity with a reasonable opportunity to object to such changes. In certain circumstances the Entity may engage or contract directly with agents, delegates or representatives of Waystone in which case such agents, delegates or representatives are not considered sub-processors of Waystone for the purposes of this Clause and Clause (g) below and, instead, are considered to be processors on behalf of the Entity;
        • where any sub-processor of Waystone will be processing such personal data on behalf of the Entity, Waystone shall ensure that a written contract exists between Waystone and the sub-processor containing clauses equivalent to those imposed on Waystone in this clause. In the event that any sub-processor fails to meet its data protection obligations, Waystone shall remain fully liable to the Entity for the performance of the sub-processor’s obligations;
        • Waystone shall inform the Entity without undue delay in the event of receiving a request from a data subject to exercise their rights under Data Protection Law and provide such co-operation and assistance as may be required to enable the Entity to deal with such request in accordance with the provisions of Data Protection Law;
        • taking into account the nature of the processing, Waystone shall assist the Entity by appropriate technical and organisational measures, insofar as this is possible, to allow the Entity to comply with requests from data subjects to exercise their rights under Data Protection Law;
        • Waystone shall assist the Entity in ensuring compliance with obligations in respect of security of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law, taking into account the nature of the processing and information available to Waystone;
        • when Waystone ceases to provide services relating to data processing Waystone shall: (i) at the choice of the Entity, delete or return all such personal data to the Entity; and (ii) delete all existing copies of such personal data unless relevant law requires or permits storage of the personal data;
        • Waystone shall: (i) make available to the Entity all information requested that is necessary to demonstrate compliance with the obligations laid down in this clause; and (ii) allow for and contribute to audits, including inspections, conducted by the Entity or another auditor mandated by the Entity, provided however that the Entity shall be entitled, at its discretion, to accept adherence by Waystone to an approved code of conduct or an approved certification mechanism to aid demonstration by Waystone that they are compliant with the provisions of this clause;
        • Waystone shall inform the Entity without undue delay if, in its opinion, it receives an instruction from the Entity which infringes Data Protection Law;
        • Waystone shall notify the Entity without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and provide the Entity with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach; and
        • Personal data may be transferred by the Processor outside the relevant jurisdiction, including to a jurisdiction which is not recognised by the Relevant Data Protection Authority as providing for an equivalent level of protection for personal data as is provided for in the relevant jurisdiction. These jurisdictions may include the United States of America, the United Kingdom and Asia. If and to the extent that the Processor does so, it will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with its obligations under any Data Protection Law governing such transfers, which may, as applicable, include: (a) entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the Relevant Data Protection Authority; (b) transferring your personal data pursuant to binding corporate rules; or (c) a transfer where the Relevant Data Protection Authority has decided that the recipient ensures an adequate level of protection.
      5. The Entity warrants that any personal data received by Waystone has been collected and then transferred to Waystone in accordance with Data Protection Law.
      6. This Addendum shall be governed by and construed in accordance with the same governing law the parties have chosen to apply to the Agreement or, in the absence of such provision, the laws of the Cayman Islands. Any dispute arising under or in connection with this Addendum shall be resolved in accordance with the relevant provisions of the Agreement or, in the absence of such provision, the Grand Court of the Cayman Islands shall have exclusive jurisdiction.