Data Protection Addendum

Customer Data Protection Addendum (DPA)

(Last updated November 2022)

This Data Protection Addendum together with its Schedules (“DPA”) is part of Sage’s terms and conditions, or other written or electronic agreement between Sage and the Customer, as amended or supplemented from time to time, all together forming the “Agreement”. 

In this DPA, references to “Services” shall have the same meaning as set out in the terms and conditions. 

Where there is any conflict between the terms of this DPA and any other part of the Agreement, the following order of precedence shall apply : (1) SCCs/UK Addendum/UK IDTA (as applicable) ; (2) this DPA ; and (3) any other part of the Agreement.  

  1. DEFINITIONS & INTERPRETATION

    1. Capitalised terms in this DPA have the meanings given to them below.

    “Adequacy Decision” a finding by the European Commission, or a government or body authorised to make a finding, in accordance with Data Protection Laws, that a Recipient Country ensures an adequate level of protection of personal data, so that further steps/mechanisms are not required to be implemented under Data Protection Laws in relation to a Restricted Transfer.

    “Affiliate” an entity that directly or indirectly controls, or is controlled by, or under common control with, the subject entity. “Control” for the purposes of this definition means the ownership or control (whether directly or indirectly) of at least 50 % of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity. The terms “Controlled” and “Controls” shall be construed accordingly.

    “Applicable Law” any law, enactment, regulation, or rule applicable to the Parties, including but not limited to the Data Protection Laws.

    “Controller” the party that determines the purposes and means of the Processing of Personal Data, including as applicable any "business" as defined by Data Protection Laws.

    “Customer Affiliate” an Affiliate of the Customer.

    “Customer” the Customer entity that has entered into the Agreement.

    “Data Protection Laws” local, national or international laws and regulations which relate to the protection or Processing of Personal Data, including but not limited to : (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”) ; European Union (“EU”) member state data protection laws ; and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (the “EU Data Protection Laws”) ; (b) the UK Data Protection Act 2018 (and regulations made thereunder) and UK GDPR (the “UK Data Protection Laws”) ; and (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 ; the US Health Insurance Portability and Accountability Act (HIPAA) ; the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Canada Personal Information Protection and Electronic Documents Act (PIPEDA) ; the Swiss Federal Act on Data Protection ; the Australian Privacy Act 1988 ; and any other relevant, EU, local, state, provincial, or national data protection laws, in each case as amended, supplemented or replaced from time to time, and in each case to the extent that they apply to the Processing of Personal Data by a Party.

    “Data Subject” an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including as applicable a "consumer" as that term is defined by Data Protection Laws.

    “Non-Adequate Country” a country that is not considered by the European Commission, or national government / authority authorised by a national government, to ensure an adequate level of personal data protection, or a similarly categorised country, such that any transfer of personal data to that country is a Restricted Transfer.

    “Parties” the parties to this DPA, specifically Sage and : (a) Customer ; or (b) a Customer Affiliate in accordance with clause 2, each a “Party”.

    “Personal Data” any information relating to a Data Subject or household (or any information defined as "personal data," or "personal information" or other similar terms under Data Protection Laws) that is included in the data, information or material provided, inputted, or submitted by the Customer, a Customer Affiliate, Users, or others into the Services, or shared with Sage by any means in connection with the Services and the Agreement, which may include Personal Data relating to the Customer, Customer Affiliates, Users, or other contacts of Customer.

    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, or any comparable definition or meaning under Data Protection Laws.

    “Processing” any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Processor” a party that Processes Personal Data on behalf of a Controller, including as applicable any "service provider" or "contractor" as those terms are defined by applicable Data Protection Laws.

    “Restricted Transfer” a transfer of Personal Data outside of the EEA or the UK, or any other country or jurisdiction, which requires further steps to be taken under Data Protection Laws.

    “Sage” the Sage entity which has executed the Agreement, which may have authorised, or act together with, a Sage Affiliate / Sage Affiliates in Processing Personal Data in order to provide the Services.

    “Sage Affiliate” an Affiliate of Sage.

    “Restricted Transfer Documentation” the relevant module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented through Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), as adapted for any jurisdiction to the extent permitted by Data Protection Laws, or similar mechanism in respect of any other jurisdiction, such as the UK Addendum or UK IDTA.

    “Supervisory Authority” a public regulatory or supervisory authority established in accordance with Data Protection Laws and which is concerned with the Processing of Personal Data, for instance the UK Information Commissioner’s Office (“ICO”) for the UK, the relevant EU data protection authorities for EU member states, or the Federal Data Protection and Information Commissioner or relevant cantonal or municipal supervisory authority for Switzerland.

    “Sub-Processor” another party engaged by a Party to assist with that Party’s Processing of Personal Data.

    “User” an individual who is authorised to use the Services (for instance individuals who have been supplied with a user identification and password by the Customer or a Customer Affiliate, or by Sage at the Customer’s or Customer Affiliate’s request). Users may include Customer’s or a Customer Affiliate’s employees, consultants, contractors, agents or other third parties.

    “UK Addendum” the template Addendum B.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.

    “UK IDTA” the template IDTA A.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.

  2. APPLICATION OF THIS DPA

    1. For the purposes of this DPA only, and to the extent necessary under the Data Protection Laws, the Customer enters into this DPA on behalf of itself and any Customer Affiliate(s) who may be involved in the Processing of Personal Data. A Customer Affiliate is not, and does not become, a party to the other parts of the Agreement by virtue of this clause 2.1, but only a party to this DPA.

    2. Each Customer Affiliate agrees to be bound by the obligations of this DPA (including those of the Customer) to the extent that such obligations apply to its involvement (if any) in Processing Personal Data. The Customer shall wherever possible be responsible for communicating with Sage, and co-ordinating relevant communications from Customer Affiliates ahead of communicating with Sage, in relation to this DPA.

    3. Where Sage Affiliates are involved in the Processing of Personal Data, Sage shall ensure that those Sage Affiliates are bound by equivalent obligations to those contained in this DPA, including by way of an intra-group data processing agreement.

  3. PROCESSING ROLES

    1. The Parties agree that where the EU or UK Data Protection Laws apply to the Processing of Personal Data, the Customer is the Controller, and Sage is the Processor, in relation to the Processing (which is more fully described in Schedule 1) and Sage will act in accordance with the Customer’s documented instructions and in accordance with the Data Protection Laws in carrying out that Processing. 

    2. The Customer may alternatively be acting as a Processor under the EU or UK Data Protection Laws in Processing the Personal Data described in Schedule 1 on behalf of its own customers/other parties, in which case Sage will be the Customer’s Sub-Processor, and the obligations in this DPA will apply to Sage as a Sub-Processor.

  4. CUSTOMER’S OBLIGATIONS

    1. The Customer shall :
      1. comply with ; and
      2. procure the compliance of Customer Affiliates, Users, other contacts of the Customer or Customer Affiliates, or third parties who may use the Services with, 
        the Data Protection Laws in Processing Personal Data ahead of sharing it in connection with the Services.

    2. The Customer warrants on an ongoing basis that :
      1. it has an appropriate lawful basis under the Data Protection Laws to share Personal Data with Sage in connection with the Services ; and
      2. where it is acting as a Processor under EU or UK Data Protection Laws, the relevant Controller has authorised : (i) the Customer’s Personal Data Processing instructions to Sage (as set out in this DPA) ; (ii) the Customer’s appointment of Sage as a Sub-Processor ; and (iii) Sage’s use of further Sub-Processors as described in Section 5 (Use of Sub-Processors).

    3. The Customer further agrees that it shall :
      1. as required by the Data Protection Laws, obtain any necessary consents and provide sufficient information to Data Subjects regarding the Processing of their Personal Data, or procure the same, for : (i) the Customer to share the Personal Data with Sage or the Services ; and (ii) Sage to Process the Personal Data for the purposes set out in the Agreement and in accordance with the Data Protection Laws ;
      2. not do or cause Sage to do anything which would put Sage in breach of the Data Protection Laws or violate the rights of any Data Subject ; and 
      3. provide reasonable assistance to Sage in complying with Sage’s obligations under the Data Protection Laws, including by entering into any amendments or additions to this DPA which may be necessary to reflect any changes in the Customer’s, or Sage’s, Personal Data Processing activities, or otherwise as required by the Data Protection Laws.


  5. SAGE’S OBLIGATIONS

    INSTRUCTIONS

    1. By entering into the Agreement including this DPA, the Customer is instructing Sage to Process Personal Data to provide the Services and any related support to the Customer. Sage’s Personal Data Processing activities for these purposes are more fully described in Schedule 1. The Customer further instructs Sage to comply with Sage’s Personal Data Processing obligations as a Processor (or Sub-Processor where the Customer is acting as a Processor) as set out in the rest of this DPA.
    2. Sage shall Process Personal Data only on the instructions from the Customer as set out in this DPA, unless Sage is required to Process Personal Data by applicable law to which Sage is subject, in which case Sage shall inform the Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Sage shall immediately inform the Customer if, in Sage’s opinion, instructions given by the Customer infringe Data Protection Laws.

    SECURITY

    3. Sage shall have in place at all times appropriate technical and organisational measures to prevent any unauthorised or unlawful Processing, or accidental loss or destruction, of Personal Data, taking into account the state of the art, the costs of implementation, the nature of the relevant Personal Data Processing, and the risk to the rights and freedoms of the relevant Data Subjects. Such security measures may include : (a) the pseudonymisation or encryption of Personal Data ; (b) the ability to timely restore the availability and access to Personal Data in the event of an incident ; (c) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems ; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
    4. Sage grants internal access to Personal Data only where strictly necessary, and ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality.

    USE OF SUB-PROCESSORS

    5. The Customer hereby generally authorises Sage’s use of Sub-Processors and Sage’s list of criteria used to select and appoint a Sub-Processor which is as follows : (a) Sage will conduct reasonable due diligence on the data privacy and security measures of proposed Sub-Processors before providing them with access to Personal Data ; (b) Sage will carry out data protection impact assessments ahead of appointing a Sub-Processor where any Processing of Personal Data by a Sub-Processor is likely to result in a high risk to the rights and freedoms of Data Subjects ; (c) as required under Data Protection Laws, Sage will ensure that it puts in place a contract with any appointed Sub-Processor which imposes on the Sub-Processor, in substance, the same data protection obligations as imposed on Sage in this DPA ; and (d) Sage shall keep its relationships with Sub-Processors under review and take any further steps as may be required under Data Protection Law or in relation to any changes to Customer’s or Sage’s Personal Data Processing activities. Sage shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations under the Sub-Processor’s contract with Sage.
    6. Sage’s current list of Sub-Processors is here. Please contact Sage should you require information on Sub-Processors for a Service that is not on this page. Sage shall inform the Customer if Sage wishes to make any changes to its criteria for choosing a Sub-Processor, and the Customer may reasonably object at any time to such changes or find out more information about Sage’s use of Sub-Processors by contacting their Sage representative, or using the contact information on the Sage website.
    7. Sage will take any reasonable objection that it receives from the Customer in relation to a Sage Sub-Processor, or Sage’s criteria to appoint Sub-Processors, seriously, and will work with a Sub-Processor where necessary to address the Customer’s concern. If a solution cannot be found to the Customer’s concern, and it is not possible for Sage to stop using a particular Sub-Processor, or to find an alternative Sub-Processor (none of which shall be considered a material breach of the Agreement by Sage) the Customer may choose to terminate the Agreement in accordance with its termination provisions.

    INTERNATIONAL TRANSFERS

    8. Sage shall only carry out a Restricted Transfer in compliance with Data Protection Laws and shall implement appropriate safeguards to the extent necessary under Data Protection Laws (which may include Sage’s intra-group Personal Data Processing agreements, or Sage’s SCCs with third parties).
    9. Where the EU Data Protection Laws or Swiss FDPA apply to a Restricted Transfer that occurs directly between the Customer and a Sage Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfer under Data Protection Laws, the EU C-P SCCs and/or EU P-P SCCs will apply (depending upon whether the Customer is a Controller or Processor).
    10. Where the UK Data Protection Laws apply to a Restricted Transfer that occurs directly between the Customer and a Sage Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfer under Data Protection Laws, the UK IDTA will apply.
    11. Where the EU Data Protection Laws and UK Data Protection Laws both apply to Restricted Transfers that occur directly between the Customer and a Sage Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfers under Data Protection Laws, the SCCs stated in clause 5.9 together with the UK Addendum will apply.
    12. Particulars in relation to the transfer mechanisms referred to in clauses 5.9 to 5.11 above are in Schedule 2.

    PERSONAL DATA BREACH

    13. In the case of a Personal Data Breach affecting Personal Data, Sage shall notify the Customer without undue delay, and take actions that Sage reasonably considers necessary and possible to contain and mitigate the effects of such Personal Data Breach (subject to any instructions regarding the same from the Customer).
    14. The notification referred to in paragraph 5.13 shall at least : (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned ; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained ; (c) describe the likely consequences of the Personal Data Breach ; (d) describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

    OTHER

    15. At the Customer’s reasonable request and expense, and subject to the Customer and any third-party auditor entering into an appropriate confidentiality agreement, Sage shall : (a) provide the Customer with information as may reasonably be necessary to demonstrate compliance with the obligations on a Processor as laid down in the Data Protection Laws ; and (b) allow the Customer (or an independent, third-party professional auditor mandated by the Customer and acceptable to Sage, both the Customer and Sage acting reasonably) to conduct an audit, including inspection, of Sage’s Processing of the relevant Personal Data pursuant to the Agreement, and contribute to that audit.
    16. Sage shall, without undue delay, notify the Customer in relation to any communication from a Data Subject, Supervisory Authority or other body in relation to Personal Data.
    17. At the reasonable expense of the Customer, Sage shall :
      1. taking into account the nature of the relevant Processing, assist the Customer by appropriate technical and organisational measures to fulfil the Customer’s obligation under the Data Protection Laws to respond to requests from Data Subjects ; and
      2. in each case if and to the extent required by the Data Protection Laws, and taking into account the nature of the relevant Processing and the information available to Sage, assist the Customer in : (a) ensuring sufficient security measures to protect the Personal Data ; (b) notifying any Personal Data Breach to the Supervisory Authorities or relevant Data Subjects ; (c) preparing data protection impact assessments ; and (d) carrying out prior consultation of the Supervisory Authorities.
    18. At the end of Sage’s provision of the Services, Sage shall, at the choice of the Customer, delete or return to the Customer all Personal Data Processed by Sage as a Processor/Sub-Processor on behalf of the Customer and delete existing copies unless Applicable Law requires storage of the Personal Data.

Schedule 1 – Processing Particulars

Categories of Data Subjects whose Personal Data is Processed

Personal Data submitted by the Customer or a Customer Affiliate to the Services, or otherwise shared with Sage, as determined by the Customer or a Customer Affiliate in its/their discretion, which may include Personal Data relating to :

 • Employees, contractors, workers and other staff members ;
 • Suppliers, customers, business partners, advisors or agents of the Customer or a Customer Affiliate (in each case where such parties are individuals) ;
 • Users (as defined in this DPA) to the extent not covered above ; and
 • Other contacts of the Customer or Customer Affiliates (where these parties are individuals).

Categories of Personal Data processed

Personal Data submitted to the Services, or otherwise shared with Sage, as determined by the Customer or a Customer Affiliate in its discretion. This may include contact information, technical information, business and financial information, identification information, and profile information such as feedback, preferences, bank or transaction history, or data captured through any integrations/specific additional functionality required. Without prejudice to the foregoing, a more detailed breakdown for key product types is below.


| Product | Personal Data |
| --- | --- |
| Sage payroll and accounting products | Limited detail about business, including name and contact details, business type, where registered, payment details, transaction information, invoices, expenses, receipts, payroll ID, payroll information, full name, address, username, Sage ID, passwords, security question responses, data captured through any integrations/specific additional functionality required |
| Sage HR products | Limited detail about business, (including contact details, business type, where registered, payment details), contact details, payroll information, appraisals, absence, holidays, disciplinary records, job and salary history, next of kin, dependencies, emergency contacts, bank information, data captured through any integrations/specific additional functionality required |
| Sage Intacct | Background checks, beneficiary details, browsing information, contact details, data benchmarking and analytics, education and skills, employment information, ID evidence, family information, financial information, government identifiers, other categories, personal identification, recordings, social, travel and expenses, feedback/options, individual share awards data, insurance details, marital status, trade union membership or professional membership, user account information, workplace welfare, data captured through any integrations/specific additional functionality required |
| Sage enterprise resource planning, business automation and inventory planning | Company names, registration numbers, addresses, bank details (BIC/IBAN), contact information : names, emails, phone numbers, URLs, address, payroll information, employee names and addresses, personal details, social security number, salary details, bank details, administration data (names, emails, photo, address), authentication details (LDAP login, email), data captured through any integrations/specific additional functionality required, inventory, order and warehouse information |

Sensitive Personal Data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive Personal Data (including “Special Category” data under the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) may at times be captured and transferred in connection with the Services, if shared by a Data Subject described above.

Sage ensures that it applies additional restrictions or safeguards with regard to Processing sensitive Personal Data, including by ensuring that the Processing of sensitive Personal Data is avoided wherever possible, accountability processes (for instance carrying out data protection impact assessments) are followed in relation to processing sensitive Personal Data, staff are provided with appropriate training on handling sensitive Personal Data, additional contractual and due diligence measures are applied where possible, and anonymisation, pseudonymisation and password-protection are applied to sensitive Personal Data where possible.

Frequency of the Processing

Continuous basis based on the Customer or Customer Affiliate’s use of the Services.

Nature of the Processing

The nature of the Processing of the Personal Data described above may include the following : collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose(s) of the Processing

Personal Data is Processed by Sage in the capacity of a Processor (or Sub-Processor, where the Customer is a Processor) to provide, protect, support, enable, improve and maintain the Services in connection with the Agreement. If the Customer opts to subscribe to, or interact with, any particular additional services or features (as described in the Agreement), Sage may upload, copy and/or transfer Customer Personal Data to facilitate these options. If the Customer chooses to connect the Services to third-party products or Services, Sage will use the Customer’s Personal Data to make that connection. Where Sage receives Personal Data because of that connection, Sage will use that Personal Data in line with the Agreement (including this DPA).

Schedule 2 – Restricted Transfer Documentation

1.1 OPTIONS AND ANNEXES I, II AND III TO EU SCCS

OPTIONS :
Clause 7 (Docking Clause) – the optional docking clause shall be included.
Clause 9 (a) (Use of sub-processors) – option 2 shall apply and the specified time period shall be a reasonable time period.
Clause 11 (Redress) – the optional language shall not be included.
Clause 13 (Supervision) – the competent supervisory authority shall be the supervisory authority of : (a) the EU member state in which the data exporter is established ; (b) if the data exporter does not have an EU establishment, the EU member state in which the data exporter’s representative is established ; or (c) if the data exporter does not have an EU establishment and is not required to appoint a representative, one of the member states in which the relevant data subjects are located.
Clause 17 (Governing Law) – option 2 shall apply and the specified law shall be Irish law.
Clause 18 (Choice of Forum and Jurisdiction) – the courts of Ireland shall be specified.
The additional sections for the Processor to Processor module in clauses 14, 15 and 16 shall be included where the Processor to Processor module applies to transfer.

ANNEX I A : LIST OF PARTIES :
Data exporter(s) : Customer
Name and Address : as provided to Sage
Contact person’s name, position and contact details : as provided to Sage
Activities relevant to the data transferred under these Clauses : as provided to Sage
Signature and date : as Agreement confirmed or executed by Customer
Role (controller/processor) : Controller or Processor, depending upon Customer’s relationship with Data Subjects.

Data importer(s) : (depending on product and service) : Sage Software Canada Ltd, Sage Budgeta, Inc., Sage Global Services US, Inc., Sage Intacct, Inc., Sage Software Holdings, Inc., Sage Software North America, Sage Software, Inc., Ocrex Australia Pty Ltd, Ocrex, Inc (US), Brightpearl, Inc, Sage Business Solutions Pty Limited, Intacct Software Private Ltd, Sage Business Technology (India) Private Limited (Formerly known as Ocrex Enterprises Private Limited), and possibly other importers in the Sage group from time to time (see signature pages).
Name : As below
Address : As below
Contact person’s name, position and contact details : Sage Global Data Protection Officer - [email protected]
Activities relevant to the data transferred under these Clauses : Assisting in provision of the Services
Signature and date : As below
Role (controller/processor) : Processor

ANNEX I B : DESCRIPTION OF TRANSFER :
See Schedule 1. Additionally :
(a) The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) : the Personal Data may be transferred on a continuous basis for the duration of the Services.
(b) The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period : the Personal Data described in Schedule 1 shall be retained for as long as is necessary in order to provide the Services, and in order for the data importer to fulfil any applicable legal requirements or obligations.
(c) For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing : the subject matter, nature and duration of sub-processing is as described in Schedule 1 and above.

ANNEX I C : COMPETENT SUPERVISORY AUTHORITY
Irish supervisory authority for transfers from EEA, or Switzerland supervisory authority for transfers from Switzerland

ANNEX II : TECHNICAL AND ORGANISATIONAL MEASURES
Available at https://www.sage.com/en-gb/trust-security/ or upon request

ANNEX III : LIST OF SUB-PROCESSORS
See Section 5 of DPA

1.2 PARTS 1 AND 2 OF UK ADDENDUM (defined terms used in this section shall have the meaning given to them in UK Addendum. If not defined in UK Addendum, they shall have the meaning given to them in the DPA).

Part 1 : Tables
Table 1 : Parties

| Start date | Start date of Agreement | |
| --- | --- | --- |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Customer | As stated in section 1.1 of this Schedule 2. |
| Key Contact | As provided to Sage | As stated in section 1.1 of this Schedule 2. |

Table 2 : Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs : The version of the Approved EU SCCs which this Addendum is appended to

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter ? |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Module 2 | Yes | No | General Authorisation | Reasonable time period | May occur from time to time, depending on Exporter’s requirements |
| 2 | Module 3 | Yes | No | General Authorisation | Reasonable time period | May occur from time to time, depending on Exporter’s requirements |

Table 3 : Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in section 1.1 of this Schedule 2.

Table 4 : Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

 • Importer
 • Exporter
 • neither party


Part 2 : Mandatory Clauses

Part 2 : Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, are hereby incorporated.

1.3 PARTS 1 – 4 OF UK IDTA

Part 1 : Tables
Table 1 : Parties and signatures

See section 1.1 of this Schedule 2.
Table 2 : Transfer Details

UK country’s law that governs the IDTA : England and Wales
Primary place for legal claims to be made by the Parties : England and Wales
The status of the Exporter : See section 1.1 of this Schedule 2
The status of the Importer : See section 1.1 of this Schedule 2
Linked Agreements :
(a) If the Importer is the Exporter’s Processor or Sub-Processor – the Agreement (including the DPA)
(b) If the Exporter is a Processor or Sub-Processor – the agreement(s) between the Exporter and the Party(s) which sets out the Exporter’s instructions for Processing the Transferred Data
Term : The Importer may Process the Transferred Data for the following time period : the period for which Linked Agreement (a) is in force
Ending the IDTA before the end of the Term : The Parties can end the IDTA before the end of the Term by serving six months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).
Ending the IDTA when the Approved IDTA changes : Which Parties may end the IDTA as set out in Section 29.2: Importer or Exporter
Can the Importer make further transfers of the Transferred Data ? The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data : There are no specific restrictions.
Review Dates : The Parties must review the Security Requirements each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment.

Table 3 : Transferred Data

 

Transferred Data : See Schedule 1 of the DPA
Special Categories of Personal Data and criminal convictions and offences : See Schedule 1 of the DPA
Relevant Data Subjects : See Schedule 1 of the DPA
Purpose : See Schedule 1 of the DPA

Table 4 : Security Requirements
See Annex II of Schedule 2

Mandatory Clauses

The following are hereby incorporated : Part 4 : Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.

1.4 SIGNATURES OF SAGE AFFILIATES (to the extent that they act as data importers) see pages here.
