This Data Protection Addendum together with its Schedules (“DPA”) is part of Sage’s terms and conditions, or other written or electronic agreement between Sage and the Customer, as amended or supplemented from time to time, all together forming the “Agreement”.
In this DPA, references to “Services” shall have the same meaning as set out in the terms and conditions.
Where there is any conflict between the terms of this DPA and any other part of the Agreement, the following order of precedence shall apply: (1) SCCs/UK Addendum/UK IDTA (as applicable); (2) this DPA; and (3) any other part of the Agreement.
Capitalised terms in this DPA have the meanings given to them below.
“Adequacy Decision” a finding by the European Commission, or a government or body authorised to make a finding, in accordance with Data Protection Laws, that a Recipient Country ensures an adequate level of protection of personal data, so that further steps/mechanisms are not required to be implemented under Data Protection Laws in relation to a Restricted Transfer.
“Affiliate” an entity that directly or indirectly controls, or is controlled by, or under common control with, the subject entity. “Control” for the purposes of this definition means the ownership or control (whether directly or indirectly) of at least 50% of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity. The terms “Controlled” and “Controls” shall be construed accordingly.
“Applicable Law” any law, enactment, regulation, or rule applicable to the Parties, including but not limited to the Data Protection Laws.
“Controller” the party that determines the purposes and means of the Processing of Personal Data, including as applicable any "business" as defined by Data Protection Laws.
“Customer Affiliate” an Affiliate of the Customer.
“Customer” the Customer entity that has entered into the Agreement.
“Data Protection Laws” local, national or international laws and regulations which relate to the protection or Processing of Personal Data, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); European Union (“EU”) member state data protection laws; and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (the “EU Data Protection Laws”); (b) the UK Data Protection Act 2018 (and regulations made thereunder) and UK GDPR (the “UK Data Protection Laws”); and (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003; the US Health Insurance Portability and Accountability Act (HIPAA); the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Canada Personal Information Protection and Electronic Documents Act (PIPEDA); the Swiss Federal Act on Data Protection; the Australian Privacy Act 1988; and any other relevant, EU, local, state, provincial, or national data protection laws, in each case as amended, supplemented or replaced from time to time, and in each case to the extent that they apply to the Processing of Personal Data by a Party.
“Data Subject” an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including as applicable a "consumer" as that term is defined by Data Protection Laws.
“Non-Adequate Country” a country that is not considered by the European Commission, or by a national government / authority authorised by a national government, to ensure an adequate level of personal data protection, or a similarly categorised country, such that any transfer of personal data to that country is a Restricted Transfer.
“Parties” the parties to this DPA, specifically Sage and: (a) Customer; or (b) a Customer Affiliate in accordance with clause 2, each a “Party”.
“Personal Data” any information relating to a Data Subject or household (or any information defined as "personal data," or "personal information" or other similar terms under Data Protection Laws) that is included in the data, information or material provided, inputted, or submitted by the Customer, a Customer Affiliate, Users, or others into the Services, or shared with Sage by any means in connection with the Services and the Agreement, which may include Personal Data relating to the Customer, Customer Affiliates, Users, or other contacts of Customer.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, or any comparable definition or meaning under Data Protection Laws.
“Processing” any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” a party that Processes Personal Data on behalf of a Controller, including as applicable any "service provider" or "contractor" as those terms are defined by applicable Data Protection Laws.
“Restricted Transfer” a transfer of Personal Data outside of the EEA or the UK, or any other country or jurisdiction, which requires further steps to be taken under Data Protection Laws.
“Sage” the Sage entity which has executed the Agreement, which may have authorised, or act together with, a Sage Affiliate / Sage Affiliates in Processing Personal Data in order to provide the Services.
“Sage Affiliate” an Affiliate of Sage.
“Restricted Transfer Documentation” the relevant module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented through Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), as adapted for any jurisdiction to the extent permitted by Data Protection Laws, or similar mechanism in respect of any other jurisdiction, such as the UK Addendum or UK IDTA.
“Supervisory Authority” a public regulatory or supervisory authority established in accordance with Data Protection Laws and which is concerned with the Processing of Personal Data, for instance the UK Information Commissioner’s Office (“ICO”) for the UK, the relevant EU data protection authorities for EU member states, or the Federal Data Protection and Information Commissioner or relevant cantonal or municipal supervisory authority for Switzerland.
“Sub-Processor” another party engaged by a Party to assist with that Party’s Processing of Personal Data.
“User” an individual who is authorised to use the Services (for instance individuals who have been supplied with a user identification and password by the Customer or a Customer Affiliate, or by Sage at the Customer’s or Customer Affiliate’s request). Users may include Customer’s or a Customer Affiliate’s employees, consultants, contractors, agents or other third parties.
“UK Addendum” the template Addendum B.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.
“UK IDTA” the template IDTA A.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.
USE OF SUB-PROCESSORS
PERSONAL DATA BREACH
Schedule 1 – Processing Particulars
Categories of Data Subjects whose Personal Data is Processed
Personal Data submitted by the Customer or a Customer Affiliate to the Services, or otherwise shared with Sage, as determined by the Customer or a Customer Affiliate in its/their discretion, which may include Personal Data relating to:
• Employees, contractors, workers and other staff members;
• Suppliers, customers, business partners, advisors or agents of the Customer or a Customer Affiliate (in each case where such parties are individuals);
• Users (as defined in this DPA) to the extent not covered above; and
• Other contacts of the Customer or Customer Affiliates (where these parties are individuals).
Categories of Personal Data processed
Personal Data submitted to the Services, or otherwise shared with Sage, as determined by the Customer or a Customer Affiliate in its discretion. This may include contact information, technical information, business and financial information, identification information, and profile information such as feedback, preferences, bank or transaction history, or data captured through any integrations/specific additional functionality required. Without prejudice to the foregoing, a more detailed breakdown for key product types is below.
| Product type | Categories of Personal Data |
| --- | --- |
| Sage payroll and accounting products | Limited detail about business, including name and contact details, business type, where registered, payment details, transaction information, invoices, expenses, receipts, payroll ID, payroll information, full name, address, username, Sage ID, passwords, security question responses, data captured through any integrations/specific additional functionality required |
| Sage HR products | Limited detail about business (including contact details, business type, where registered, payment details), contact details, payroll information, appraisals, absence, holidays, disciplinary records, job and salary history, next of kin, dependants, emergency contacts, bank information, data captured through any integrations/specific additional functionality required |
| Sage Intacct | Background checks, beneficiary details, browsing information, contact details, data benchmarking and analytics, education and skills, employment information, ID evidence, family information, financial information, government identifiers, other categories, personal identification, recordings, social, travel and expenses, feedback/options, individual share awards data, insurance details, marital status, trade union membership or professional membership, user account information, workplace welfare, data captured through any integrations/specific additional functionality required |
| Sage enterprise resource planning, business automation and inventory planning | Company names, registration numbers, addresses, bank details (BIC/IBAN), contact information (names, emails, phone numbers, URLs, address), payroll information, employee names and addresses, personal details, social security number, salary details, bank details, administration data (names, emails, photo, address), authentication details (LDAP login, email), data captured through any integrations/specific additional functionality required, inventory, order and warehouse information |
Sensitive Personal Data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive Personal Data (including “Special Category” data under the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) may at times be captured and transferred in connection with the Services, if shared by a Data Subject described above.
Sage ensures that it applies additional restrictions or safeguards with regard to Processing sensitive Personal Data, including by ensuring that the Processing of sensitive Personal Data is avoided wherever possible, accountability processes (for instance carrying out data protection impact assessments) are followed in relation to processing sensitive Personal Data, staff are provided with appropriate training on handling sensitive Personal Data, additional contractual and due diligence measures are applied where possible, and anonymisation, pseudonymisation and password-protection are applied to sensitive Personal Data where possible.
Frequency of the Processing
Continuous basis, based on the Customer’s or Customer Affiliate’s use of the Services.
Nature of the Processing
The nature of the Processing of the Personal Data described above may include the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the Processing
Personal Data is Processed by Sage in the capacity of a Processor (or Sub-Processor, where the Customer is a Processor) to provide, protect, support, enable, improve and maintain the Services in connection with the Agreement. If the Customer opts to subscribe to, or interact with, any particular additional services or features (as described in the Agreement), Sage may upload, copy and/or transfer Customer Personal Data to facilitate these options. If the Customer chooses to connect the Services to third-party products or Services, Sage will use the Customer’s Personal Data to make that connection. Where Sage receives Personal Data because of that connection, Sage will use that Personal Data in line with the Agreement (including this DPA).
Schedule 2 – Restricted Transfer Documentation
1.1 OPTIONS AND ANNEXES I, II AND III TO EU SCCS
Clause 7 (Docking Clause) – the optional docking clause shall be included.
Clause 9 (a) (Use of sub-processors) – option 2 shall apply and the specified time period shall be a reasonable time period.
Clause 11 (Redress) – the optional language shall not be included.
Clause 13 (Supervision) – the competent supervisory authority shall be the supervisory authority of: (a) the EU member state in which the data exporter is established; (b) if the data exporter does not have an EU establishment, the EU member state in which the data exporter’s representative is established; or (c) if the data exporter does not have an EU establishment and is not required to appoint a representative, one of the member states in which the relevant data subjects are located.
Clause 17 (Governing Law) – option 2 shall apply and the specified law shall be Irish law.
Clause 18 (Choice of Forum and Jurisdiction) – the courts of Ireland shall be specified.
The additional sections for the Processor to Processor module in clauses 14, 15 and 16 shall be included where the Processor to Processor module applies to the transfer.
ANNEX I A: LIST OF PARTIES:
Data exporter(s): Customer
Name and Address: as provided to Sage
Contact person’s name, position and contact details: as provided to Sage
Activities relevant to the data transferred under these Clauses: as provided to Sage
Signature and date: as Agreement confirmed or executed by Customer
Role (controller/processor): Controller or Processor, depending upon Customer’s relationship with Data Subjects.
Data importer(s) (depending on product and service): Sage Software Canada Ltd, Sage Budgeta, Inc., Sage Global Services US, Inc., Sage Intacct, Inc., Sage Software Holdings, Inc., Sage Software North America, Sage Software, Inc., Ocrex Australia Pty Ltd, Ocrex, Inc (US), Brightpearl, Inc, Sage Business Solutions Pty Limited, Intacct Software Private Ltd, Sage Business Technology (India) Private Limited (formerly known as Ocrex Enterprises Private Limited), and possibly other importers in the Sage group from time to time (see signature pages).
Name: As below
Address: As below
Contact person’s name, position and contact details: Sage Global Data Protection Officer - [email protected]
Activities relevant to the data transferred under these Clauses: Assisting in provision of the Services
Signature and date: As below
Role (controller/processor): Processor
ANNEX I B:DESCRIPTION OF TRANSFER:
See Schedule 1. Additionally:
(a) The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): the Personal Data may be transferred on a continuous basis for the duration of the Services.
(b) The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: the Personal Data described in Schedule 1 shall be retained for as long as is necessary in order to provide the Services, and in order for the data importer to fulfil any applicable legal requirements or obligations.
(c) For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: the subject matter, nature and duration of sub-processing is as described in Schedule 1 and above.
ANNEX I C: COMPETENT SUPERVISORY AUTHORITY
The Irish supervisory authority for transfers from the EEA, or the Swiss supervisory authority for transfers from Switzerland.
ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES
Available at https://www.sage.com/en-gb/trust-security/ or upon request
ANNEX III: LIST OF SUB-PROCESSORS
See Section 5 of DPA
1.2 PARTS 1 AND 2 OF UK ADDENDUM (defined terms used in this section shall have the meaning given to them in UK Addendum. If not defined in UK Addendum, they shall have the meaning given to them in the DPA).
Part 1: Tables
Table 1: Parties
|Start date||Start date of Agreement|
|The Parties||Exporter (who sends the Restricted Transfer)||Importer (who receives the Restricted Transfer)|
|Parties’ details||Customer||As stated in section 1.1 of this Schedule 2.|
|Key Contact||As provided to Sage||As stated in section 1.1 of this Schedule 2.|
Table 2: Selected SCCs, Modules and Selected Clauses
|Addendum EU SCCs||The version of the Approved EU SCCs which this Addendum is appended to|
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Module 2 | Yes | No | General Authorisation | Reasonable time period | May occur from time to time, depending on Exporter’s requirements |
| 2 | Module 3 | Yes | No | General Authorisation | Reasonable time period | May occur from time to time, depending on Exporter’s requirements |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in section 1.1 of this Schedule 2.
Table 4: Ending this Addendum when the Approved Addendum Changes
|Ending this Addendum when the Approved Addendum changes||Which Parties may end this Addendum as set out in Section 19:|
|UK country’s law that governs the IDTA||England and Wales|
|Primary place for legal claims to be made by the Parties||England and Wales|
|The status of the Exporter||See section 1.1 of this Schedule 2|
|The status of the Importer||See section 1.1 of this Schedule 2|
|Linked Agreement||(a) If the Importer is the Exporter’s Processor or Sub-Processor: the Agreement (including the DPA); (b) If the Exporter is a Processor or Sub-Processor: the agreement(s) between the Exporter and the Party(s) which sets out the Exporter’s instructions for Processing the Transferred Data|
|The Importer may Process the Transferred Data for the following time period||The period for which Linked Agreement (a) is in force|
|Ending the IDTA before the end of the Term||The Parties can end the IDTA before the end of the Term by serving six months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).|
|Ending the IDTA when the Approved IDTA changes||Which Parties may end the IDTA as set out in Section 29.2: Importer or Exporter|
|Can the Importer make further transfers of the Transferred Data?||The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).|
|Specific restrictions when the Importer may transfer on the Transferred Data||There are no specific restrictions.|
|Review Dates||The Parties must review the Security Requirements each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment.|
Table 3: Transferred Data
|Transferred Data||See Schedule 1 of the DPA|
|Special Categories of Personal Data and criminal convictions and offences||See Schedule 1 of the DPA|
|Relevant Data Subjects||See Schedule 1 of the DPA|
|Purpose||See Schedule 1 of the DPA|
Table 4: Security Requirements
See Annex II of Schedule 2
Mandatory Clauses
The following are hereby incorporated: Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.
1.4 SIGNATURES OF SAGE AFFILIATES (to the extent that they act as data importers): see pages here.