Customer Data Protection Addendum (DPA)
- This Data Protection Addendum together with its Schedules (“DPA”) is part of Sage’s terms and conditions, or other written or electronic agreement between Sage and the Customer, as amended or supplemented from time to time, together forming the “Agreement”. This DPA applies where (1) Sage Processes Personal Data as a Processor on behalf of the Customer or a Customer Affiliate (the Controller); or (2) Sage Processes Personal Data as a Controller, as further described in Schedule 1(B) of this DPA.
- In this DPA, references to “Services” shall have the same meaning as set out in the terms and conditions.
- Where there is any inconsistency between the terms of this DPA and any other part of the Agreement, the terms of this DPA shall take precedence.
- Capitalised terms in this DPA not defined in paragraphs 1 to 3 above have the meanings given to them in clause 1.1 below.
- DEFINITIONS & INTERPRETATION
- In this DPA, the following terms have the following meanings. Defined terms used in the Schedules to this DPA have the meanings given to them in this clause 1.1 except where otherwise pointed out in the relevant Schedule(s).
“Adequacy Decision” means a finding by the European Commission, or United Kingdom (“UK”) government or UK body authorised by the UK government to make a finding, in accordance with the Data Protection Laws, that a country outside of the European Economic Area (“EEA”) or UK (as applicable) ensures an adequate level of protection of personal data, so that appropriate safeguards are not required to be implemented for a Restricted Transfer;
“Affiliate” means an entity that directly or indirectly controls, or is controlled by, or under common control with, another entity. “Control” for the purposes of this definition means the beneficial ownership of more than 50% of the issued share capital of a company or the legal power to direct or cause the direction of the general management of the company;
“Applicable Law” means any law, enactment, regulation, or rule applicable to the Parties, including but not limited to the Data Protection Laws;
“Controller” means the party that determines the purposes and means of the Processing of Personal Data;
“Customer Affiliate” means an Affiliate of the Customer;
“Customer” means the Customer entity that has entered into the Agreement;
“Data Protection Laws” means all applicable laws and regulations which relate to the protection or Processing of Personal Data, including: the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and European Union (“EU”) member state data protection laws; the UK General Data Protection Regulation (“UK GDPR”); the UK Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the Privacy and Electronic Communications (EC Directive) Regulations 2003; the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications; and any other relevant, EU, local or national data protection laws in each case as amended or replaced from time to time;
“Data Subject” means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Parties” shall mean the parties to this DPA, specifically Sage and: (a) Customer; or (b) a Customer Affiliate in accordance with clause 2, each a “Party”;
“Personal Data” means any information relating to a Data Subject that is included in the data, information or material provided, inputted, or submitted by the Customer, a Customer Affiliate, Users, or others into the Services, or shared with Sage by any means in connection with the Services and the Agreement, which may include Personal Data relating to the Customer, Customer Affiliates, Users, or other contacts of Customer;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means a party that Processes Personal Data on behalf of a Controller;
“Restricted Transfer” means a transfer of Personal Data outside of the EEA or the UK;
“Sage” means the Sage entity which has executed the Agreement, which may have authorised, or act together with, a Sage Affiliate / Sage Affiliates in Processing Personal Data in order to provide the Services;
“Sage Affiliate” means an Affiliate of Sage;
“Standard Clauses” means, as applicable: (a) the relevant module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented through Commission Implementing Decision (EU) 2021/914 of 4 June 2021; or (b) any similar transfer mechanism for transfers of personal data from the UK;
“Supervisory Authority” means a public supervisory authority established in accordance with Data Protection Laws and which is concerned with the Processing of Personal Data, for instance the UK Information Commissioner’s Office for the UK or the relevant EU data protection authorities for EU member states;
“Sub-Processor” means another party engaged by a Party to assist with that Party’s Processing of Personal Data; and
“User” means an individual who is authorised to use the Services (for instance individuals who have been supplied with a user identification and password by the Customer or a Customer Affiliate, or by Sage at the Customer’s or Customer Affiliate’s request). Users may include Customer’s or a Customer Affiliate’s employees, consultants, contractors, agents or other third parties.
- APPLICATION OF THIS DPA
- For the purposes of this DPA only, and to the extent necessary under the Data Protection Laws, the Customer enters into this DPA on behalf of itself and any Customer Affiliate(s) who may be involved in the Processing of Personal Data. For the avoidance of doubt, any such Customer Affiliate is not, and does not become, a party to the other parts of the Agreement by virtue of this clause 2.1, but only a party to this DPA.
- Each Customer Affiliate agrees to be bound by the obligations of this DPA (including those of the Customer) to the extent that such obligations apply to its involvement (if any) in Processing Personal Data.
- Notwithstanding clauses 2.1 and 2.2, the Customer shall wherever possible be responsible for communicating with Sage, and co-ordinating relevant communications from Customer Affiliates ahead of communicating with Sage, in relation to this DPA.
- Where Sage Affiliates are involved in the Processing of Personal Data, Sage shall ensure that such Sage Affiliates are bound by equivalent obligations to those contained in this DPA, including by way of an intra-group data processing agreement.
- PROCESSING PERSONAL DATA
- The Parties agree that the Customer is the Controller, and Sage is the Processor (or Sub-Processor where the Customer is a Processor), in relation to the Processing of Personal Data for the purposes set out in Schedule 1 (A), and Sage will act in accordance with the Customer’s documented instructions and in accordance with the Data Protection Laws in carrying out that Processing.
- Sage may also Process Personal Data as a Controller, solely for the purposes and in the ways described in paragraph 5 and Schedule 1 (B) of this DPA, or as otherwise agreed by the Parties in writing from time to time.
- If the Customer wishes to change Schedules 1 (A) or (B), it is the Customer’s responsibility to agree the changes with Sage before the Customer enters into the Agreement. Sage may also update Schedule 1 during the term of the Agreement (by mutual written agreement with the Customer in respect of any substantial changes), for reasons such as to reflect changes in Processing or changes in requirements under Data Protection Laws. Each updated version shall form part of the Agreement.
- CUSTOMER’S GENERAL DATA PROTECTION OBLIGATIONS
- The Customer shall:
- comply with; and
- procure the compliance of Customer Affiliates, Users, other contacts of the Customer or Customer Affiliates, or third parties who may use the Services with, the Data Protection Laws in Processing Personal Data in relation to the Services;
- In particular, the Customer shall:
- ensure that the Customer has an appropriate lawful basis under the Data Protection Laws to share Personal Data with Sage;
- as required by the Data Protection Laws, obtain any necessary consents and provide sufficient information to Data Subjects regarding the Processing of their Personal Data, or procure the same, for:
- the Customer to disclose the Personal Data to Sage; and
- Sage to Process the Personal Data for the purposes set out in the Agreement and in accordance with the Data Protection Laws,
- ensure that the Customer’s instructions to Sage for Processing Personal Data as the Customer’s Processor (where relevant) comply with the Data Protection Laws and do not put Sage in breach of the Data Protection Laws or violate the rights of any Data Subject; and
- provide reasonable assistance to Sage in complying with Sage’s obligations under the Data Protection Laws, including by entering into any amendments or additions to this DPA which may be necessary to reflect any changes in the Customer’s, or Sage’s, Personal Data Processing activities, or otherwise as required by the Data Protection Laws.
- SAGE’S GENERAL DATA PROTECTION OBLIGATIONS
- Sage shall comply with its obligations under the Data Protection Laws in Processing Personal Data, and, in particular, Sage shall:
- have in place at all times appropriate technical and organisational measures to prevent any unauthorised or unlawful Processing, or accidental loss or destruction, of Personal Data, taking into account the state of the art, the costs of implementation, the nature of the relevant Personal Data Processing, and the risk to the rights and freedoms of the relevant Data Subjects; such measures may include:
- the pseudonymisation or encryption of Personal Data;
- the ability to timely restore the availability and access to Personal Data in the event of an incident;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures;
- treat Personal Data as confidential information and Process Personal Data only for one or more of the following purposes: (a) to fulfil its obligations under the Agreement and in relation to any related requests, actions or instructions from the Customer, Customer Affiliates or Users that do not conflict with the Agreement; (b) as set out in Schedules 1 A or B; or (c) as required by Applicable Law (together, the “Purposes”);
- ensure that staff members who may be involved in Processing Personal Data have committed themselves to confidentiality;
- ensure that it appoints any Sub-Processors only in accordance with clause 8;
- ensure that it transfers, or participates in the transfer of, Personal Data out of the UK or EEA in accordance with clause 9;
- take any steps required of it under the Data Protection Laws in relation to a Personal Data Breach, or in relation to any communication from a Data Subject, Supervisory Authority or other body in relation to Personal Data; and
- taking account of the nature of the relevant Processing and the information available to Sage, provide such assistance as is reasonably required by the Customer to enable the Customer to comply with the Customer’s obligations under the Data Protection Laws, and Sage reserves the right to reasonably charge the Customer for such assistance based on Sage’s standard applicable pricing.
- SAGE’S DATA PROTECTION OBLIGATIONS WHERE IT IS ACTING AS A PROCESSOR OR SUB-PROCESSOR
- In addition to its obligations set out in clause 5, where Sage is Processing Personal Data as the Customer’s Processor or Sub-Processor (as further described in Schedule 1 A), Sage shall:
- only Process the Personal Data in accordance with the Customer’s documented instructions (and the Agreement including this DPA and any additional written Personal Data Processing instructions from the Customer shall count as instructions) and promptly notify the Customer if Sage considers the Customer’s instructions to conflict with the Data Protection Laws. Sage reserves the right to refuse to carry out the Customer’s instructions if Sage considers that the instructions will put Sage or a Sub-Processor in breach of the Data Protection Laws and the matter has not been resolved with Customer;
- inform the Customer if Sage is legally required to Process Personal Data other than on the Customer’s documented instructions (unless that legal requirement or law prohibits Sage from doing so);
- without undue delay, notify the Customer of a Personal Data Breach affecting Personal Data and take actions that Sage reasonably considers necessary and possible to contain and mitigate the effects of such Personal Data Breach (subject to any instructions regarding the same from the Customer);
- at the Customer’s reasonable request and in accordance with the cost provision in clause 5.1.7, and subject to the Customer and any third-party auditor entering into an appropriate confidentiality agreement: (a) provide the Customer with information as may reasonably be necessary to demonstrate compliance with the obligations on a Processor as laid down in the Data Protection Laws; and (b) allow the Customer (or an independent, third-party professional auditor mandated by the Customer and acceptable to Sage, both the Customer and Sage acting reasonably) to conduct an audit, including inspection, of Sage’s Processing of the relevant Personal Data pursuant to the Agreement, and contribute to that audit;
- without undue delay notify the Customer in relation to any communication from a Data Subject, Supervisory Authority or other body in relation to Personal Data;
- in accordance with the cost provision in clause 5.1.7, taking into account the nature of the relevant Processing, assist the Customer by appropriate technical and organisational measures to fulfil the Customer’s obligation under the Data Protection Laws to respond to requests from Data Subjects;
- in accordance with the cost provision in clause 5.1.7, in each case if and to the extent required by the Data Protection Laws, and taking into account the nature of the relevant Processing and the information available to Sage, assist the Customer in: (a) ensuring sufficient security measures to protect the Personal Data; (b) notifying any Personal Data Breach to the Supervisory Authorities or relevant Data Subjects; (c) preparing data protection impact assessments; and (d) carrying out prior consultation of the Supervisory Authorities; and
- at the choice of the Customer, delete or return to the Customer all Personal Data Processed on behalf of the Customer and delete existing copies unless Applicable Law requires storage of the Personal Data. Sage may additionally retain any Personal Data which Sage Processes as a Controller.
- SAGE’S DATA PROTECTION OBLIGATIONS WHERE IT IS ACTING AS A CONTROLLER
- In addition to its obligations set out in clause 5, where Sage is Processing Personal Data as a Controller (as further described in Schedule 1 B), Sage shall:
- ensure that it has an appropriate lawful basis under the Data Protection Laws to Process the relevant Personal Data as a Controller;
- ensure that it has contracts in place with any Sub-Processors or other parties involved in the Processing of Personal Data which comply with the Data Protection Laws; and
- take any actions required that are specific to Sage as a Controller under the Data Protection Laws, including those relating to transparency and accountability.
- Where the Customer and Sage are acting as joint Controllers in respect of any Processing of Personal Data, the Customer agrees to enter into an appropriate arrangement with Sage in respect of such Processing, and to make such arrangement clear to relevant Data Subjects, as required under the Data Protection Laws.
- SAGE’S USE OF SUB-PROCESSORS WHEN SAGE IS ACTING AS A PROCESSOR
- Where Sage is acting as the Customer’s Processor or Sub-Processor, the Customer generally authorises Sage’s engagement of Sub-Processors. Sage shall specifically inform the Customer in writing of any intended changes to its Sub-Processors through the addition or replacement of a Sub-Processor, giving the Customer the opportunity to object to such changes prior to the engagement of the relevant Sub-Processor(s).
- Subject to clause 8.1, where Sage engages a Sub-Processor to carry out specific Processing activities on behalf of the Customer, Sage shall enter into a contract with the Sub-Processor which imposes on the Sub-Processor, in substance, the same data protection obligations as Sage has under this DPA.
- Sage shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with Sage’s contract with the Sub-Processor.
- RESTRICTED TRANSFERS OF PERSONAL DATA
- Sage shall only carry out a Restricted Transfer:
- on the basis of an Adequacy Decision;
- on the basis of appropriate safeguards already in place which apply to such transfer, including, but not limited to Sage’s intra-group Personal Data Processing agreement, or Sage’s Standard Clauses with third parties; or
- where an exception, derogation or scope exemption to implementing appropriate safeguards for such transfer applies under the Data Protection Laws.
- The Customer shall ensure that it implements appropriate safeguards in respect of any Restricted Transfer that it carries out in relation to the Agreement, and Sage shall provide reasonable co-operation and assistance to the Customer in relation to this.
- LIMITATION OF LIABILITY
- Each Party’s and each Party’s Affiliates’ liability in the aggregate arising out of or in relation to this DPA, whether in contract, tort (including negligence), misrepresentation, or otherwise, shall be subject to any limitation of liability provisions in the Agreement, and, only for the purposes of this DPA, any reference to the liability of a party in those Agreement provisions shall be taken to mean to the liability of that party and its Affiliates.
Schedule 1 (A) - Processing Particulars Relevant to Sage’s Role as a Processor
Categories of Data Subjects whose Personal Data is Processed
Personal Data submitted by the Customer or a Customer Affiliate to the Services, or otherwise shared with Sage, as determined by the Customer or a Customer Affiliate in its/their discretion, which may include Personal Data relating to:
- Employees, contractors, workers and other staff members, and other individual contacts of the Customer or Customer Affiliates;
- Suppliers, customers, business partners, advisors or agents of the Customer or a Customer Affiliate (in each case where such parties are individuals);
- Users (as defined in this DPA) to the extent not covered above; and
- Other contacts of the Customer or Customer Affiliates (where such parties are individuals).
Categories of Personal Data processed
Personal Data submitted by the Customer or a Customer Affiliate to the Services, or otherwise shared with Sage, as determined by the Customer or a Customer Affiliate in its/their discretion, which may include the following:
- Contact information – address, email address, telephone number.
- Profile information – name, job title, gender, marital status, country of residence, nationality, social security number, service requirements, service use, username and password, feedback, complaints, correspondence, comments, due diligence information, business and tax records.
- Technical information – settings and configurations, information relating to the devices used to access Services, IP address, browser type and version, browser plug-in types and versions, location, operating system and platform, traffic to and from sites, referral URL, ad data, web log information, unique identifiers, e.g. cookies and device identifiers and Personal Data revealed by those identifiers.
- Marketing information – marketing and communication preferences, marketing consent records, correspondence relating to marketing.
- Financial information – transaction history, bank account details, business accounts and taxation data, banking details, expenses details, payslip information, payroll information.
Sensitive Personal Data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive Personal Data (including “Special Category” data under the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) may at times be captured and transferred in connection with the Services, if shared by a Data Subject described above.
Sage ensures that it applies additional restrictions or safeguards with regard to Processing sensitive Personal Data, including by ensuring that the Processing of sensitive Personal Data is avoided wherever possible, accountability processes (for instance carrying out data protection impact assessments) are followed in relation to processing sensitive Personal Data, staff are provided with appropriate training on handling sensitive Personal Data, additional contractual and due diligence measures are applied where possible, and anonymisation, pseudonymisation and password-protection are applied to sensitive Personal Data where possible.
Frequency of the Processing
Continuous basis based on the Customer or Customer Affiliate’s use of the Services.
Nature of the Processing
The nature of the Processing of the Personal Data described above may include the following:
- Disclosure, sharing, transmission, transfer, connection, dissemination or otherwise making available;
- Alignment or combination;
- Organisation, alteration, anonymisation or adaptation;
- Collecting, recording, uploading, transferring, moving or storing;
- Restricting, erasing or destroying; and
- Retrieval, consultation, back-up or use.
Purpose(s) of the Processing
The purposes of the Personal Data Processing are: to provide, protect, support, enable, maintain, and enhance the Services in connection with the Agreement.
If the Customer opts to subscribe to, or interact with, any particular additional services or features (as described in the Agreement), Sage may upload, copy and/or transfer Customer Personal Data to facilitate these options.
If the Customer chooses to connect the Services to third-party products or Services, Sage will use the Customer’s Personal Data to make that connection. Where Sage receives Personal Data because of that connection, Sage will use that Personal Data in line with the Agreement (including this DPA).
Schedule 1 (B) - Processing Particulars Relevant to Sage’s Role as a Controller
Categories of Data Subjects whose Personal Data is Processed
As described in Schedule 1 (A)
Categories of Personal Data Processed
As described in Schedule 1 (A), plus personal data contained in information relating to legal or regulatory proceedings. Note that Sage endeavours to use aggregated or pseudonymised information wherever possible for the purposes described in this Schedule 1 (B).
Frequency of the Processing
Continuous basis as necessary in connection with the purposes described in this Schedule 1 (B).
Nature of the Processing
As described in Schedule 1 (A).
Purpose(s) of the Processing
The purposes of the Personal Data Processing are:
- Sage’s analysis of its products and services
Sage may use Personal Data to better understand how its products and services are being used by its customers. This understanding is important for several reasons, for instance it can: inform improvements that Sage makes to its products and services; help Sage to record issues that need to be addressed in future releases of its products and services; help Sage to manage resources within its business; and provide Sage with insights into how different components of its business are performing.
- Improving, creating and further developing Sage’s products and services
Sage may process Personal Data to focus in on what new creations, improvements and further development its products and services require. For instance, Sage may realise from statistical reports that Sage is creating across its products and services that Sage needs to add new features and functionality to certain/all of those products and services (such as receipt recognition and cashflow forecasting). Or Sage may need to use Personal Data to further develop products that rely upon a constant contribution of data to improve them (such as products involving artificial intelligence or machine-learning algorithms).
Sage may Process Personal Data for research purposes. For instance, Sage may want to: carry out more in-depth consideration of any or all of its products and services against specific research criteria; understand how its products and services are reflecting current and anticipated technological developments; and understand potential opportunities and risks around future business plans.
Sage may Process Personal Data to send marketing communications and carry out certain marketing activities.
Sage will only take these actions in accordance with the Data Protection Laws, its obligations and restrictions under the Agreement, and the Customer’s requests and instructions in relation to this, including by obtaining the Customer’s or the relevant Data Subjects’ consent where required under the Data Protection Laws.
- Legal or regulatory proceedings
Subject to its obligations under the Agreement and Applicable Law, Sage may be required to disclose or otherwise process Personal Data to comply with a legal or regulatory obligation, for instance to comply with a court order, or defend Sage’s interests in legal or regulatory proceedings.