This Data Processing Addendum (the “Addendum”) is deemed to be incorporated in all services agreements where Conyers acts as a “data processor” as defined in the Cayman Islands Data Protection Act, to include entity formation and registration services, registered office, secretarial, corporate administration and other associated services involving little discretion or autonomy. This Addendum will not apply where Conyers acts as a “data controller” in providing Corporate Services or Director Services under the Agreement.
This Addendum shall be deemed to be incorporated into the Agreement on the date the Agreement becomes effective, or the date when the Addendum is brought to the attention of the Client where the Client has continued to accept Corporate Services from Conyers pursuant to an existing Agreement after the Addendum is brought to the Client’s attention.
“Data Protection Act” means the Cayman Islands Data Protection Act, 2017 as amended from time to time and as supplemented by the Data Protection Regulations, 2018 and guidance issued by the Cayman Islands data protection supervisory authority and the terms “personal data”, “data controller”, “data processor” and “process” shall have the meanings given to them under that law.
The Client warrants that any personal data provided to Conyers has been collected by the Client and transferred to Conyers in accordance with the Data Protection Act. Conyers and the Client acknowledge and agree that pursuant to the Data Protection Act, the Client is a data controller and Conyers is a data processor and further agree that:
(a) Conyers will only process personal data in the context of providing Corporate Services under this Agreement, in accordance with the documented instructions of the Client unless it is otherwise required to do so under applicable law;
(b) Conyers will ensure that persons authorised by Conyers to process personal data received from the Client pursuant to this Agreement are subject to a duty of confidence;
(c) The Client acknowledges and agrees that as a data controller, it remains liable for compliance with the Data Protection Act even where the processing of personal data is delegated;
(d) Conyers has implemented appropriate technical, security and organisational measures to ensure that any processing of personal data will meet the requirements of the Data Protection Act;
(e) Conyers will inform the Client promptly in the event of receiving a request from a data subject to exercise their rights under the Data Protection Act and provide such cooperation and assistance as the Client as data controller may require in order to respond to such requests;
(f) Conyers will notify the Client promptly after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised access to or disclosure of Client personal data processed and will provide the Client with any required cooperation and assistance to mitigate the effects of such a breach and to assist the Client to comply with its reporting obligations under the Data Protection Act in respect of such breach;
(g) Conyers will submit to audits and inspections and provide the Client with such information it requires in order to ensure that both Conyers and the Client each meet their legal obligations under the Data Protection Act. Conyers will inform the Client immediately if, in its opinion, it receives an instruction from the Client which infringes the Data Protection Act;
(h) The Client acknowledges and agrees that personal data provided to Conyers may be transferred, disclosed, stored, processed and maintained by Conyers electronically on servers, or in hard copy or original format, in a number of different jurisdictions, including, and outside of, the Cayman Islands and/or any of the other jurisdictions where Conyers, its affiliates or subsidiaries have a presence. Conyers will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data. The Client explicitly consents to the transfer of all personal data into and out of any such jurisdictions;
(i) Conyers shall only engage the services of a sub-processor with the prior written consent of the Client and in such circumstances would only do so pursuant to the terms of a written contract with such sub-processor. Conyers as the original data processor will remain directly liable to the Client for the performance of the sub-processor’s obligations;
(j) The Addendum shall survive any termination of the Agreement so long as any personal data of the Client remains under Conyers’ custody or control. Upon termination of Conyers’ appointment under this Agreement, Conyers shall, at the option of the Client either delete or return all personal data to the Client and shall, subject to applicable laws, delete all copies of such personal data. To the extent it is not technically practicable to permanently delete any personal data under Conyers’ custody or control, such personal data will be put beyond use and not processed any further. Client acknowledges and agrees that Conyers may retain personal data if and to the extent it is required to do so under any applicable law.