This page informs you of our data processing terms agreed by the customer and FinReg
Data Processing Terms
FinReg Global Solutions Limited’s (“FinReg”) data processing terms, as noted below, are agreed upon by the customer (“Customer” or “Data Controller”) and FinReg Global Solutions Limited (“Data Processor”) as part of the signing of the licence agreement in relation to the use of the FinReg Platform and Products hosted on the FinReg Platform. These terms are effective in line with the date of the licence agreement between the parties. By signing the licence agreement the Data Controller agrees to the below terms for itself and any related entities that may access and utilise the FinReg Platform under the terms and conditions of the licence agreement.
In the course of providing services to the Customer, FinReg may process data on behalf of the Data Controller and the parties agree to comply with the provisions as set out below. The terms below should be read in conjunction with the licence agreement.
These terms may change and be updated by FinReg from time to time. Where the terms below are amended, FinReg will communicate such changes to the Data Controller by email communication.
Definitions
– Applicable Law: The parties agree to comply with their respective obligations under applicable law arising under these Terms and Conditions.
– Customer: The individual or the company as represented by the individual with the appropriate authority to enter into the relevant licence agreement.
– Data Protection Requirements: The parties agree to comply with their respective obligations under applicable privacy law, including the Data Protection Act 2018 and any replacement legislation, including regulation (EU) 2016/679 known as the General Data Protection Regulation. Terms used bear the same meanings as ascribed to them in data protection legislation.
– Data Subject: The identified or identifiable living individuals who are subjects of the Personal Data.
– Data Subject Access Request: A request from a Data Subject in accordance with Data Protection Requirements.
– Personal Data: Means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person processed by the Data Processor in connection with the use of the FinReg Platform.
– Third-Party Processor: Any third party subcontractors listed below which may process data on behalf of the Data Processor.
Third-Party Processor Region Function
US-West-1
US-East-2
Amazon Web Services Hosting provider
AP-Southeast-1
1. Data Processing
1.1 Data Processor shall only process Personal Data on behalf of the Data Controller in accordance with the licence agreement. The subject-matter, duration of the processing and the nature and purpose of the processing are based on the relevant product or licence agreement. The types of personal data and categories of data subjects are determined and controlled by the Data Controller based on the product in use.
1.2 Each Party shall comply with the obligations applicable to that party under Data Protection Requirements.
i) Data Processor represents and warrants that:
a) It shall promptly inform the Data Controller if, in the Data Processor’s opinion, they cannot comply with Data Protection Requirements.
b) Its personnel and Third-Party Processors who may process Personal Data have committed themselves to confidentiality.
c) It will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
d) At the choice of the Controller, deletes or returns all Personal Data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the Personal Data.
e) It will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
ii) The Data Controller represents and warrants that:
a) Its use of the FinReg Platform does not contravene Data Protection Requirements.
b) It has complied and continues to comply with Data Protection Requirements, including requirements for consent and has given appropriate notices in relation to the processing of data by the Data Processor.
c) It has satisfied itself that the requirements under Article 28 of the Data Protection Requirements as they apply to the Data Controller with regards to Personal Data are adequate and have assessed the security measures of the Data Processor.
d) It shall ensure compliance with and shall not diminish the Data Processor’s security measures through its use of the FinReg Platform.
e) It understands that, to the extent possible, the Data Controller should ensure that any Personal Data is assessed prior to adding it to the FinReg Platform and consideration is completed as to the appropriateness of loading the Personal Data to the FinReg Platform, in particular in relation to special categories of Personal Data.
iii) The Data Processor shall implement and maintain technical and organisation security measures appropriate to the nature and use of the FinReg Platform.
2. Notification of Data Breach
2.1 The Data Processor shall notify the Data Controller without undue delay (and in no event more than 48 hours, with periodic updates to follow as may be necessary) of a declared breach of security that has led to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data Controller’s Personal Data which affects the integrity, availability or confidentiality of the Data Controller’s Personal Data.
2.2 In the event a data breach requires notification by the Data Controller to Data Subjects or relevant Regulators, the parties agree to coordinate in good faith on developing the content of any public statements or required notices.
3. Inspection
3.1 The Data Processor shall provide reasonable assistance in response to inquiries from the Data Controller or its Regulator relating to the processing of the Data Controller’s Personal Data.
3.2 The Data Processor shall, upon written request from the Data Controller, provide the Data Controller with information reasonably necessary to demonstrate compliance with the processing of data. This information may consist of permitting examination of the more recent reports, certificates and / or extract prepared by an independent auditor relating to the Data Processors ISO 27001 or similar certification.
4. Compliance, Co-operation and Response
4.1 The Data Processor will provide reasonable assistance to the Data Controller in complying with any Data Subject Access Requests or requests received by the Data Controller from Regulators.
4.2 If the Data Processor receives a Data Subject Access Request, the Data Processor will refer the Data Subject to the Data Controller, unless otherwise required by Data Protection Requirements. In the event the Data Processor is legally required to respond to the Data Subject, the Data Controller will fully co-operate with the Data Processor as appropriate. The Data Controller agrees that the provision of technical tools to enable the Data Controller to take the necessary action to comply with such requests/s shall be sufficient to discharge the Data Processor’s obligations.
4.3 The Data Controller will reimburse all reasonable costs incurred by the Data Processor as a result of assistance with either 4.1 and 4.2 above.
5. Third-Party Processor
5.1 The Data Controller hereby consents to the use of the Third-Party Processor to perform services in relation to the Data Processors provision of the FinReg Platform. The Data Processor confirms that they have procedures in relation to assessing third-party processors in line with their ISO 27001 procedures.
5.2 Where the Data Processor appoints a new third-party processor or plans to make any changes concerning the addition or replacement of third-party processors, it shall provide the Data Controller with reasonable notice. The Data Processor shall not engage another third-party processor without prior specific or general written authorisation of the Data Controller. In the case of general written authorisation, the Data Processor shall inform the Data Controller of any planned changes concerning the addition or replacement of other third-party processors, thereby giving the Data Controller the opportunity to object to such changes. The Data Controller may object within 30 days of receipt of notice, issued under this section, through terminating the licence agreement and providing one (1) months notice of the termination.
6. Termination
The terms as set out above will run concurrently with relevant licence agreements between the parties. Please see the licence agreement in relation to terms and conditions upon termination.
7. Confidentiality
The terms as set out above will run concurrently with relevant licence agreements between the parties. Please see the licence agreement in relation to terms and conditions in relation to confidentiality.
8. Liability
The terms as set out above will run concurrently with relevant licence agreements between the parties. Please see the licence agreement in relation to terms and conditions in relation to liability.
9. Governing Law and Jurisdiction
These terms and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Ireland, and the parties hereby submit to the exclusive jurisdiction of the Irish Courts.