Personal Data Protection Policy – TMF Group
This policy applies to the Processing of Personal Data of Data Subjects by TMF on behalf of Clients of TMF whereby TMF will be acting as Processor and the Client will be acting as Controller (the Policy).
All capitalized terms will have the meanings ascribed to such terms in this Policy or as otherwise defined in the service agreement between TMF and the Client.
1. The Client authorizes and instructs TMF or any TMF Affiliate to:
(a) Process the Personal Data for all legitimate and relevant purposes in connection with the Services of TMF;
(b) Process the Personal Data insofar necessary to comply with a legal obligation of the Client or TMF, including the disclosure of Personal Data to competent local authorities;
(c) Transfer the Personal Data as necessary or relevant to any Sub-Processor,
together hereinafter referred to as the Authorized Purposes.
TMF will not further Process the Personal Data in a way that is incompatible with the Authorized Purposes.
At Client’s request, TMF shall provide the Client with information as to the names and addresses of the Sub-Processors as well as the nature of the Processing activities performed by such Sub-Processors.
2. TMF shall keep the Personal Data confidential and will instruct its staff and Sub-Processors to do the same. TMF shall implement appropriate and commercially reasonable technical, physical and organizational measures and precautions to protect the Personal Data from accidental loss, misuse, unauthorized access and disclosure, alteration, or unlawful destruction, in particular where the Processing involves the transmission of Personal Data over a network, and against all other unlawful forms of Processing. Such measures shall comply with Applicable Law. The security measures are further described and specified in the document "Statement of Continuity".
The document "Statement of Continuity" is published on the TMF website (www.tmf-group.com/en/legal/data-protection) and forms an integral part of this Policy.
3. TMF shall without undue delay, but within the period specified by Applicable Law, inform the Client of any loss or breach of security of the Personal Data. TMF shall at least provide the following details:
(a) the nature of the loss or breach; and
(b) an estimation of the number of Data Subjects involved, and, where possible, their names.
4. The Client and each Client Affiliate involved warrant that:
(a) the Client is entitled to provide the Personal Data to TMF or to the relevant TMF Affiliate and that the Client is authorized to engage TMF and/or the TMF Affiliate(s) as Processor(s);
(b) the Client complies and will continue to comply with all Applicable Law as well as with any other applicable obligations regarding the Processing and protection of Personal Data, including but not limited to any contractual obligations or agreements or protocols agreed with employee representatives;
(c) the Client has informed TMF and will inform TMF of all obligations and restrictions referred to in sub-section 4 (b), which are applicable to the Personal Data and relevant to the Services, including, but not limited to, having provided TMF with the applicable privacy notice(s);
(d) the processing of the Personal Data is lawful and does not infringe any third party rights;
(e) no later than the Effective Date, the Client has duly informed or will duly inform the Data Subjects that their Personal Data will be Processed by TMF or – as the case may be – TMF’s Sub-Processors for the Authorized Purposes and that the Client has obtained all consents of the Data Subjects required under Applicable Law, which includes the Processing of the Personal Data by TMF or its Sub-Processors;
(f) no later than the Effective Date, the Client has duly informed or will duly inform the Data Subjects that the Services may require the transfer of the Personal Data, specifically any Sensitive Data where relevant, to a TMF Affiliate or Sub-Processor in a third country providing a level of protection different than the protection afforded to such Personal Data by the laws in the jurisdiction in which the Client is established or in which Client’s employees reside, and that the Client has obtained all consents of the Data Subject to such transfer required under Applicable Law;
(g) the Personal Data provided to TMF are accurate.
5. Upon termination of the Agreement in whole or in part and at Client’s choice, TMF shall:
(a) destroy all Personal Data Processed and any copies thereof and certify to the Client at Client’s written request that it has done so; or
(b) in accordance with Client’s instructions return all Personal Data Processed and the copies thereof to the Client or Client Affiliate, unless any Applicable Law, competent court, supervisory or regulatory body prevents TMF from returning or destroying all or part of the Personal Data transferred. The obligation to destroy or return Personal Data does not apply to any notes, analyses, memoranda, minutes or other internal corporate documents, prepared by or on behalf of TMF which are based on, derived from, contain or otherwise make reference to Personal Data. Furthermore, TMF is entitled to retain copies of any computer records and files containing Personal Data which have been created pursuant to automatic electronic archiving and back-up procedures and which are not immediately retrievable as part of day-to-day business. TMF hereby warrants the confidentiality of the Personal Data and that such Personal Data will not be Processed for the Authorized Purposes or any other purposes other than their storage or their protection or as required by Applicable Law.
6. (a) At Client’s written request, the TMF Affiliate Processing the Personal Data of the Client shall allow an audit (whether on-site or remotely) to verify TMF’s compliance with its obligations under Applicable Law and this Agreement, to be carried out either (i) by an independent third party audit firm bound by a duty of confidentiality and selected by the Client and approved by the TMF Affiliate (which approval shall not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (ii) by a competent data protection authority. The audit will be carried out in close cooperation with TMF’s Chief Information Security Officer. Parties shall agree the scope of the audit in advance. The Client shall notify TMF and the TMF Affiliate in writing at least fifteen (15) calendar days prior to any audit being carried out. The Client shall bear the costs of the audit. TMF is entitled to a reasonable compensation for the costs of the audit incurred by TMF, to be paid by the Client.
(b) TMF shall assist the Client, to the extent reasonably possible, (i) to comply with Applicable Law in a reasonable time and (ii) to respond to any Data Subject access, correction, erasure or blocking requests and objections.
7. The Client will indemnify and hold TMF, TMF Affiliates and Sub-Processors harmless from and against any Claims from any Data Subjects and/or third parties relating to or arising from the Processing of Personal Data by TMF and/or which result from the breach of any of the warranties of the Client in this Policy.
TMF and TMF Affiliates will indemnify and hold the Client harmless from and against any Claims from any Data Subjects and/or third parties relating to or arising from or resulting from the breach of any of the obligations of TMF in this Policy.
8. Any agreement between TMF and a Sub-Processor shall at least contain similar obligations as section 1, section 2, section 3, section 5 and section 6 in this Policy.
9. In the event of cross-border transfers of Personal Data between the TMF Affiliate and any Sub-Processor, the following shall apply (insofar as relevant):
(a) Where any data protection law of one or more of the Member States of the European Economic Area or Switzerland applies to the Personal Data (e.g., where the Client or its relevant Affiliates are established in such Member State and the Personal Data are Processed by TMF in the context of such establishment), the Personal Data may, at the discretion of TMF, be transferred to (i) one or more TMF Affiliates in either one or more Member States of the European Economic Area or Switzerland on the basis of Applicable Law, or to (ii) one or more TMF Affiliates in one or more third countries on the basis of the Binding Corporate Rules For Processing Customer Personal Data (Processor) of TMF Group, which are published on the website of TMF Group (www.tmf-group.com/en/legal/data-protection). In such case, the information referred to in sub-section 4 (f) in this Policy shall include a reference to the Binding Corporate Rules For Processing Customer Personal Data (Processor) of TMF Group, Data Subject’s rights thereunder and TMF’s complaint procedure. The Client or the relevant TMF Affiliate, as applicable, shall upon request of the Data Subject, provide the Data Subject(s) with a copy of such Binding Corporate Rules and this Agreement (without any business sensitive or Confidential Information). Where permitted by Applicable Law, TMF shall, no later than the Go-Live Date, obtain all relevant authorizations or permits for such transfer of Personal Data based on such Binding Corporate Rules. Where Applicable Law does not allow TMF to obtain such authorization or permit for itself, the Client shall in a timely manner issue a Power-of-Attorney to the relevant TMF Affiliate to obtain such authorization or permit on behalf of the Client. 
Where the use of a Power-of-Attorney is not accepted under Applicable Law, the Client warrants that it has obtained, no later than the Go-Live Date, all necessary authorizations or permits to allow TMF to share the Personal Data with Affiliates of TMF in a third country.
(b) Where any data protection law of one or more of the Member States of the European Economic Area or Switzerland applies to the Personal Data (e.g., where the Client or its relevant Affiliates are established in such Member State and the Personal Data are Processed by TMF in the context of such establishment), the Personal Data may, at the discretion of TMF, be transferred to one or more Sub-Processors (other than TMF Affiliates) in one or more Member States of the European Economic Area or Switzerland on the basis of Applicable Law, or to one or more such Sub-Processors in one or more third countries on the basis of an exception under Applicable Law or on the basis of adequate safeguards adduced either, insofar as allowed under Applicable Law, by TMF to ensure the protection of the Personal Data, or by the Client, in which case TMF shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Sub-Processor. At Client’s request, TMF shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.
(c) Where the data protection or privacy law of any country outside the European Economic Area or Switzerland applies to the Personal Data, the Client warrants that any cross-border transfer of Personal Data from TMF to a Sub-Processor shall be allowed on one of the following grounds, justifications or safeguards allowed under Applicable Law:
(i) the cross-border transfer of the Personal Data is allowed under Applicable Law, without any additional safeguards to be taken by the Client;
(ii) the consent of the Data Subjects obtained by the Client;
(iii) a contract between the Client and the receiving Sub-Processor of the Personal Data;
(iv) the transfer is necessary for the performance of a contract between the Client or any Client’s Affiliate and the Data Subject; or
(v) any other safeguard or instrument.
The applicable ground, justification or safeguard shall be specified in a relevant statement of work or addendum to the service agreement between TMF and the Client.
Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by national laws or regulations or laws or regulations of the European Union, the Controller or the specific criteria for his/her nomination may be designated by such laws or regulations.
Data Subjects means the directors, officers and employees of the Client and/or the relevant Client Affiliate and, to the extent applicable, its customers.
Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity; any information relating to Data Subjects.
Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor means the party, which Processes Personal Data on behalf of a Controller.
Sensitive Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of data concerning health, sex life, or any other Personal Data the processing of which is specifically restricted or specifically prohibited unless authorized by Applicable Law.
Sub-Processor means any TMF Affiliate assisting TMF in the provision of the Services as well as any contractor engaged by TMF to assist TMF in the provision of the Services in countries where TMF does not have a presence or to provide information technology, administrative support or consultancy services to TMF.
TMF reserves the right to update this policy without consulting or pre-informing its clients.
Personal Data Protection Policy – TMF Group - version 09/11/2015