Customer Data Protection Addendum (DPA)
(Last updated November 2022)
This Data Protection Addendum together with its Schedules (“DPA”) is part of Sage’s terms and conditions, or other written or electronic agreement between Sage and the Customer, as amended or supplemented from time to time, all together forming the “Agreement”.
In this DPA, references to “Services” shall have the same meaning as set out in the terms and conditions.
Where there is any conflict between the terms of this DPA and any other part of the Agreement, the following order of precedence shall apply: (1) SCCs/UK Addendum/UK IDTA (as applicable); (2) this DPA; and (3) any other part of the Agreement.
- DEFINITIONS & INTERPRETATION
Capitalised terms in this DPA have the meanings given to them below.
“Adequacy Decision” a finding by the European Commission, or a government or body authorised to make a finding, in accordance with Data Protection Laws, that a Recipient Country ensures an adequate level of protection of personal data, so that further steps/mechanisms are not required to be implemented under Data Protection Laws in relation to a Restricted Transfer.
“Affiliate” an entity that directly or indirectly controls, or is controlled by, or under common control with, the subject entity. “Control” for the purposes of this definition means the ownership or control (whether directly or indirectly) of at least 50% of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity. The terms “Controlled” and “Controls” shall be construed accordingly.
“Applicable Law” any law, enactment, regulation, or rule applicable to the Parties, including but not limited to the Data Protection Laws.
“Controller” the party that determines the purposes and means of the Processing of Personal Data, including as applicable any "business" as defined by Data Protection Laws.
“Customer Affiliate” an Affiliate of the Customer.
“Customer” the Customer entity that has entered into the Agreement.
“Data Protection Laws” local, national or international laws and regulations which relate to the protection or Processing of Personal Data, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); European Union (“EU”) member state data protection laws; and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (the “EU Data Protection Laws”); (b) the UK Data Protection Act 2018 (and regulations made thereunder) and UK GDPR (the “UK Data Protection Laws”); and (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003; the US Health Insurance Portability and Accountability Act (HIPAA); the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Canada Personal Information Protection and Electronic Documents Act (PIPEDA); the Swiss Federal Act on Data Protection; the Australian Privacy Act 1988; and any other relevant, EU, local, state, provincial, or national data protection laws, in each case as amended, supplemented or replaced from time to time, and in each case to the extent that they apply to the Processing of Personal Data by a Party.
“Data Subject” an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including as applicable a "consumer" as that term is defined by Data Protection Laws.
“Non-Adequate Country” a country that is not considered by the European Commission, or by a national government / authority authorised by a national government, to ensure an adequate level of personal data protection, or a similarly categorised country, such that any transfer of personal data to that country is a Restricted Transfer.
“Parties” the parties to this DPA, specifically Sage and: (a) Customer; or (b) a Customer Affiliate in accordance with clause 2, each a “Party”.
“Personal Data” any information relating to a Data Subject or household (or any information defined as "personal data," or "personal information" or other similar terms under Data Protection Laws) that is included in the data, information or material provided, inputted, or submitted by the Customer, a Customer Affiliate, Users, or others into the Services, or shared with Sage by any means in connection with the Services and the Agreement, which may include Personal Data relating to the Customer, Customer Affiliates, Users, or other contacts of Customer.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, or any comparable definition or meaning under Data Protection Laws.
“Processing” any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” a party that Processes Personal Data on behalf of a Controller, including as applicable any "service provider" or "contractor" as those terms are defined by applicable Data Protection Laws.
“Restricted Transfer” a transfer of Personal Data outside of the EEA or the UK, or any other country or jurisdiction, which requires further steps to be taken under Data Protection Laws.
“Sage” the Sage entity which has executed the Agreement, which may have authorised, or act together with, a Sage Affiliate / Sage Affiliates in Processing Personal Data in order to provide the Services.
“Sage Affiliate” an Affiliate of Sage.
“Restricted Transfer Documentation” the relevant module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented through Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), as adapted for any jurisdiction to the extent permitted by Data Protection Laws, or similar mechanism in respect of any other jurisdiction, such as the UK Addendum or UK IDTA.
“Supervisory Authority” a public regulatory or supervisory authority established in accordance with Data Protection Laws and which is concerned with the Processing of Personal Data, for instance the UK Information Commissioner’s Office (“ICO”) for the UK, the relevant EU data protection authorities for EU member states, or the Federal Data Protection and Information Commissioner or relevant cantonal or municipal supervisory authority for Switzerland.
“Sub-Processor” another party engaged by a Party to assist with that Party’s Processing of Personal Data.
“User” an individual who is authorised to use the Services (for instance individuals who have been supplied with a user identification and password by the Customer or a Customer Affiliate, or by Sage at the Customer’s or Customer Affiliate’s request). Users may include Customer’s or a Customer Affiliate’s employees, consultants, contractors, agents or other third parties.
“UK Addendum” the template Addendum B.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.
“UK IDTA” the template IDTA A.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.
- APPLICATION OF THIS DPA
- For the purposes of this DPA only, and to the extent necessary under the Data Protection Laws, the Customer enters into this DPA on behalf of itself and any Customer Affiliate(s) who may be involved in the Processing of Personal Data. A Customer Affiliate is not, and does not become, a party to the other parts of the Agreement by virtue of this clause 2.1, but only a party to this DPA.
- Each Customer Affiliate agrees to be bound by the obligations of this DPA (including those of the Customer) to the extent that such obligations apply to its involvement (if any) in Processing Personal Data. The Customer shall wherever possible be responsible for communicating with Sage, and for co-ordinating relevant communications from Customer Affiliates ahead of communicating with Sage, in relation to this DPA.
- Where Sage Affiliates are involved in the Processing of Personal Data, Sage shall ensure that those Sage Affiliates are bound by equivalent obligations to those contained in this DPA, including by way of an intra-group data processing agreement.
- PROCESSING ROLES
- The Parties agree that where the EU or UK Data Protection Laws apply to the Processing of Personal Data, the Customer is the Controller, and Sage is the Processor, in relation to the Processing (which is more fully described in Schedule 1) and Sage will act in accordance with the Customer’s documented instructions and in accordance with the Data Protection Laws in carrying out that Processing.
- The Customer may alternatively be acting as a Processor under the EU or UK Data Protection Laws in Processing the Personal Data described in Schedule 1 on behalf of its own customers/other parties, in which case Sage will be the Customer’s Sub-Processor, and the obligations in this DPA will apply to Sage as a Sub-Processor.
- CUSTOMER’S OBLIGATIONS
- The Customer shall:
- comply with; and
- procure the compliance of Customer Affiliates, Users, other contacts of the Customer or Customer Affiliates, or third parties who may use the Services with,
the Data Protection Laws in Processing Personal Data ahead of sharing it in connection with the Services.
- The Customer warrants on an ongoing basis that:
- it has an appropriate lawful basis under the Data Protection Laws to share Personal Data with Sage in connection with the Services; and
- where it is acting as a Processor under EU or UK Data Protection Laws, the relevant Controller has authorised: (i) the Customer’s Personal Data Processing instructions to Sage (as set out in this DPA); (ii) the Customer’s appointment of Sage as a Sub-Processor; and (iii) Sage’s use of further Sub-Processors as described in Section 5 (Use of Sub-Processors).
- The Customer further agrees that it shall:
- as required by the Data Protection Laws, obtain any necessary consents and provide sufficient information to Data Subjects regarding the Processing of their Personal Data, or procure the same, for: (i) the Customer to share the Personal Data with Sage or the Services; and (ii) Sage to Process the Personal Data for the purposes set out in the Agreement and in accordance with the Data Protection Laws;
- not do or cause Sage to do anything which would put Sage in breach of the Data Protection Laws or violate the rights of any Data Subject; and
- provide reasonable assistance to Sage in complying with Sage’s obligations under the Data Protection Laws, including by entering into any amendments or additions to this DPA which may be necessary to reflect any changes in the Customer’s, or Sage’s, Personal Data Processing activities, or otherwise as required by the Data Protection Laws.
- SAGE’S OBLIGATIONS
INSTRUCTIONS
- By entering into the Agreement including this DPA, the Customer is instructing Sage to Process Personal Data to provide the Services and any related support to the Customer. Sage’s Personal Data Processing activities for these purposes are more fully described in Schedule 1. The Customer further instructs Sage to comply with Sage’s Personal Data Processing obligations as a Processor (or Sub-Processor where the Customer is acting as a Processor) as set out in the rest of this DPA.
- Sage shall Process Personal Data only on the instructions from the Customer as set out in this DPA, unless Sage is required to Process Personal Data by applicable law to which Sage is subject, in which case Sage shall inform the Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Sage shall immediately inform the Customer if, in Sage’s opinion, instructions given by the Customer infringe Data Protection Laws.
SECURITY
- Sage shall have in place at all times appropriate technical and organisational measures to prevent any unauthorised or unlawful Processing, or accidental loss or destruction, of Personal Data, taking into account the state of the art, the costs of implementation, the nature of the relevant Personal Data Processing, and the risk to the rights and freedoms of the relevant Data Subjects. Such security measures may include: (a) the pseudonymisation or encryption of Personal Data; (b) the ability to timely restore the availability and access to Personal Data in the event of an incident; (c) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
- Sage grants internal access to Personal Data only where strictly necessary, and ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality.
USE OF SUB-PROCESSORS
- The Customer hereby generally authorises Sage’s use of Sub-Processors and Sage’s list of criteria used to select and appoint a Sub-Processor which is as follows: (a) Sage will conduct reasonable due diligence on the data privacy and security measures of proposed Sub-Processors before providing them with access to Personal Data; (b) Sage will carry out data protection impact assessments ahead of appointing a Sub-Processor where any Processing of Personal Data by a Sub-Processor is likely to result in a high risk to the rights and freedoms of Data Subjects; (c) as required under Data Protection Laws, Sage will ensure that it puts in place a contract with any appointed Sub-Processor which imposes on the Sub-Processor, in substance, the same data protection obligations as imposed on Sage in this DPA; and (d) Sage shall keep its relationships with Sub-Processors under review and take any further steps as may be required under Data Protection Law or in relation to any changes to Customer’s or Sage’s Personal Data Processing activities. Sage shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations under the Sub-Processor’s contract with Sage.
- Sage’s current list of Sub-Processors is here. Please contact Sage should you require information on Sub-Processors for a Service that is not on this page. Sage shall inform the Customer if Sage wishes to make any changes to its criteria for choosing a Sub-Processor, and the Customer may reasonably object at any time to such changes or find out more information about Sage’s use of Sub-Processors by contacting their Sage representative, or using the contact information on the Sage website.
- Sage will take any reasonable objection that it receives from the Customer in relation to a Sage Sub-Processor, or Sage’s criteria to appoint Sub-Processors, seriously, and will work with a Sub-Processor where necessary to address the Customer’s concern. If a solution cannot be found to the Customer’s concern, and it is not possible for Sage to stop using a particular Sub-Processor, or to find an alternative Sub-Processor (none of which shall be considered a material breach of the Agreement by Sage) the Customer may choose to terminate the Agreement in accordance with its termination provisions.
INTERNATIONAL TRANSFERS
- Sage shall only carry out a Restricted Transfer in compliance with Data Protection Laws and shall implement appropriate safeguards to the extent necessary under Data Protection Laws (which may include Sage’s intra-group Personal Data Processing agreements, or Sage’s SCCs with third parties).
- Where the EU Data Protection Laws or Swiss FDPA apply to a Restricted Transfer that occurs directly between the Customer and a Sage Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfer under Data Protection Laws, the EU C-P SCCs and/or EU P-P SCCs will apply (depending upon whether the Customer is a Controller or Processor).
- Where the UK Data Protection Laws apply to a Restricted Transfer that occurs directly between the Customer and a Sage Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfer under Data Protection Laws, the UK IDTA will apply.
- Where the EU Data Protection Laws and UK Data Protection Laws both apply to Restricted Transfers that occur directly between the Customer and a Sage Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfers under Data Protection Laws, the SCCs stated in clause 5.9 together with the UK Addendum will apply.
- Particulars in relation to the transfer mechanisms referred to in clauses 5.9 to 5.11 above are in Schedule 2.
PERSONAL DATA BREACH
- In the case of a Personal Data Breach affecting Personal Data, Sage shall notify the Customer without undue delay, and take actions that Sage reasonably considers necessary and possible to contain and mitigate the effects of such Personal Data Breach (subject to any instructions regarding the same from the Customer).
- The notification referred to in paragraph 5.13 shall at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
OTHER
- At the Customer’s reasonable request and expense, and subject to the Customer and any third-party auditor entering into an appropriate confidentiality agreement, Sage shall: (a) provide the Customer with information as may reasonably be necessary to demonstrate compliance with the obligations on a Processor as laid down in the Data Protection Laws; and (b) allow the Customer (or an independent, third-party professional auditor mandated by the Customer and acceptable to Sage, both the Customer and Sage acting reasonably) to conduct an audit, including inspection, of Sage’s Processing of the relevant Personal Data pursuant to the Agreement, and contribute to that audit.
- Sage shall, without undue delay, notify the Customer in relation to any communication from a Data Subject, Supervisory Authority or other body in relation to Personal Data.
- At the reasonable expense of the Customer, Sage shall:
- taking into account the nature of the relevant Processing, assist the Customer by appropriate technical and organisational measures to fulfil the Customer’s obligation under the Data Protection Laws to respond to requests from Data Subjects; and
- in each case if and to the extent required by the Data Protection Laws, and taking into account the nature of the relevant Processing and the information available to Sage, assist the Customer in: (a) ensuring sufficient security measures to protect the Personal Data; (b) notifying any Personal Data Breach to the Supervisory Authorities or relevant Data Subjects; (c) preparing data protection impact assessments; and (d) carrying out prior consultation of the Supervisory Authorities.
- At the end of Sage’s provision of the Services, Sage shall, at the choice of the Customer, delete or return to the Customer all Personal Data Processed by Sage as a Processor/Sub-Processor on behalf of the Customer and delete existing copies unless Applicable Law requires storage of the Personal Data.