(1) Data Controller – Customer/You, as identified in the Agreement;
(2) Data Processor– Sand Tech Holdings Limited, a company incorporated in mauritius, having the business registration number C14117099 and its registered office at 6th Floor, Tower A, 1 Exchange Square, Wall Street, Ebene 72201, Mauritius, “We”,”us”,”Sand”;
both referred to individually as the “Party” or jointly as the “Parties”.
(A) Background
The Parties signed a main agreement for services, as detailed there, referred to as the “Agreement”
1.1 A defined term will have the meaning given to it in the Agreement unless otherwise defined in this DPA.
1.2 In this DPA:
“Affiliate” means any legal entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Our Affiliates are located, inter alia, in Africa: South Africa, Ethiopia, Nigeria, Egypt, Morocco, Kenya, Ghana, Rwanda; in Europe: Romania, Estonia, UK; and in the United States of America: Delaware, California.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
“Data Protection Legislation” means all laws in any relevant jurisdiction that relate to data protection, privacy, the use of information relating to individuals, and/or the information rights of individual including, without limitation, the law provided in the Agreement, the GDPR and any other laws in force from time to time which implement the GDPR, and all applicable formal and informal guidance, rules, requirements, directions, guidelines, recommendations, advice, codes of practice, policies, measures or publications of the authority, and the equivalent in any other relevant jurisdictions, all as amended or replaced from time to time;
“Data Protection Authority” means any national data protection supervisory authority in the relevant jurisdiction;
“Data Subject” an identified or identifiable natural person, meaning the one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and, in particular, as identified in Annex 1 – Data Processing and Data Transfer Particulars;
“GDPR” means the General Data Protection Regulation, i.e. Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“EEA Countries” means the European Economic Area, comprising EU Member States, Iceland, Liechtenstein and Norway, and for the purposes of this DPA, Switzerland and the United Kingdom.
“Personal Information” means any information relating to an identified or identifiable Data Subject. This information may include name, address, e-mail address, telephone number, age, gender, family information, profession, education, salary, credit card numbers and other attributes that identify an individual. Personal Information should be understood to include any related definitions used in Data Protection Legislation (including ‘personal data’ as defined in the GDPR) and is provided in Annex 1 – Data Processing and Data Transfer Particulars.
“Processing Activities” mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and, in particular, the processing activities described in is provided in Annex 1 – the Data Processing and Data Transfer Particulars;
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to the Personal Information that We process in the course of providing the Services and which would have to be notified to a data protection authority and/or Data Subjects under Data Protection Legislation;
“Sensitive Personal Information” means Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation, or Personal Information relating to criminal convictions or offences. Sensitive Personal Information should be understood to include any related definitions used in Data Protection Legislation (e.g., without limitation ‘special categories of personal data’ as defined in the GDPR, ‘sensitive data’.
1.3. In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA will prevail. Save as specifically modified and amended in this DPA, all the terms, provisions and requirements contained in the Agreement will remain in full force and effect and govern this DPA.
2.1. This DPA is part of the terms of the Agreement in order to define the Parties’ obligations relating to Personal Information that the Customer may provide to us in the course of providing the services.
2.2. The Parties agree that for the purpose of the Data Protection Legislation, You are the Data Controller and We are the Data Processor in relation to the Personal Information that We process in the course of providing the Services, and each agree to comply with the relevant applicable Data Protection Legislation.
2.3. The processing activities, including the subject matter of the processing, the nature and purpose of the processing and the categories of Data Subjects are set out in the Annex 1 – Data Processing and Data Transfer Particulars.
2.4. As an exception, the Parties are independent Data Controller in respect of any Personal Information that You transfer to us and We transfer to You for the purpose of Customer Relationship Management (invoicing, contact details, internal reporting).These are usually details on the contact persons/representatives and the Parties need to process it for the legal obligations and the administrative function. The Parties acknowledge that each (including their agents or subcontractors or Affiliates) needs to comply with Data Protection Legislation for this activity.
3.1. The processing will be carried out for the duration of the Agreement.
4.1. You agree to not provide any Personal Information under Annex 1 – Data Processing and Data Transfer Particulars that is not strictly required by us in the performance of the Agreement. For this, You undertake to minimise the Personal Information transferred to us under the Agreement as much as possible, including by anonymizing and/or pseudonymizing any Personal Information transferred to us and not disclosing any identifiers not required in the execution of the Agreement.
4.2. When We process Personal Information in the course of providing the Services, We will:
4.2.1. Process the Personal Information only on the basis of documented instructions from You, which may be sent in writing or by e-mail, unless We are required to do so by the law to which We are subject;
4.2.2. Ensure that personnel required to access the Personal Information are subject to a binding duty of confidentiality in respect of such Personal Information;
4.2.3. At all times comply with applicable Data Protection Legislation and assist You in implementing security of processing, completing data protection impact assessments and notifying Security Breach incidents to the competent Data Protection Authority or to the data subjects’ concerned, and prior consultation with Data Protection Authority in accordance with Data Protection Legislation, taking into account the nature of the processing and the information available to us. To the extent that such assistance is not included as part of the Services, We may charge a reasonable fee for any such assistance, save where assistance was required as a direct result of our own acts or omissions, in which case such assistance will be at our expense;
4.2.4. Implement appropriate technical and organisational measures to protect the Personal Information against unauthorised or unlawful processing and against accidental loss, destruction, damage. The TOMs agreed between the Parties are set out in Annex 2.
4.2.5. We are allowed to engage other sub-processors for the performance of our obligations under this DPA. We will notify You on these changes, as soon as possible. Also, We have the obligation to enter into a written agreement with all these sub-processors which will mirror the terms set out in this DPA. Upon request, We will provide You a copy of such agreement. For the avoidance of doubt, where a sub-contractor fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation, We will remain fully liable to You for the fulfilment of our obligations under these terms;
4.2.6. without undue delay, notify You in writing if We receive any requests from a Data Subject exercising its rights under Data Protection Legislation regarding Personal Information processed by us. You are responsible for responding to such requests and We will reasonably assist to the extent You are unable to access the relevant Personal Information. If such assistance is not included as part of the Services, We may charge a reasonable fee for any such assistance in accordance with Data Protection Legislation.
4.2.7. promptly inform You of complaints/requests etc. from supervisory authorities, regulatory authorities, prosecuting authorities and/or individuals received directly by us or any of our subcontractors in relation to the activities of the Agreement. You are responsible for responding to such requests and We will reasonably assist to the extent You are unable to access the relevant Personal Information;
4.2.8. During regular business hours, following reasonable prior notice sent to us, allow You and your independent auditors to conduct audits (including inspections), once per year during the term of the Agreement, which will include providing access to our resources and personnel, and provide reasonable assistance in order to assist You in exercising your audit rights under this paragraph. The purpose of an audit pursuant to this paragraph will be to verify that We are processing Personal Information in accordance with our obligations under these terms. We are allowed to provide certificates or audit reports of our own auditors as evidence of such compliance. You will bear your own costs for conducting an audit, and You will compensate us for our costs incurred by helping the audit, except where such audit identifies a breach of our obligation under these terms, in which case We will bear our own costs; and
4.2.9. stop any use of the Personal Information upon termination or expiry of the Agreement for any reason whatsoever and will destroy all the Personal Information or transfer all Personal Information to You, at Your written choice. We are allowed to choose one of these options if You do not express your choice within 10 days after termination of the Agreement;
4.3. In the event of a Security Breach, We will:
4.4.1. Promptly take action to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and to remedy the Security Breach;
4.4.2. Notify You without undue delay and provide to You a description of the Security Breach including:
a) the categories and approximate number of Data Subjects affected, and their country of residence and the categories and approximate number of records affected;
b) the likely consequences of the Security Breach and the risk posed by the Security Breach to individuals; and
c) the measures taken or proposed to be taken by us to address the Security Breach and to mitigate its adverse effects and provide timely updates to this information and any other information You may reasonably request relating to the Security Breach;
4.4.3. Not release or publish any filing, communication, notice, press release, or report concerning the Security Breach without Your prior written approval (except where required to do so by law or governmental authority), such approval not to be unreasonably withheld.
4.4 We will be entitled to process or have Personal Information processed within as well as outside the country of origin, provided that the requirements of applicable Data Protection Legislation are fulfilled. For the avoidance of doubt, We may transfer Personal Information to our Affiliates and sub-contractors located outside EEA Countries on the basis of the EU Standard Contractual Clauses (Controller to Processor: as approved by the European Commission in June 2021, as detailed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). We may transfer Personal Information outside the country of origin on the basis of the EU Standard Contractual Clauses, appropriately amended to refer to applicable local Data Protection Legislation. Where specific model clauses (controller-processor) are required by local Data Protection Legislation, the parties agree to incorporate such model clauses to this DPA as an adequate transfer mechanism for the cross-border transfer of Personal Information. As regards transfer details please see Annex 1 – Data Processing and Data Transfer Particulars.
5.1. Our liability arising out of or in connection with this DPA is limited to the amounts specified in the Agreement.
5.2. You warrant to comply with your obligations as Data Controller under Data Protection Legislation in respect of all data You processes or instructs us to process under this DPA.
5.3. No failure or delay by a Party to exercise any right or remedy provided under this DPA or by law will constitute a waiver of that or any other right or remedy, nor will it stop or restrict the further exercise of that or any other right or remedy.
5.4. No variation of this DPA will be effective unless it is in writing and signed by both Parties. If any court or competent authority finds that any provision of this DPA (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this DPA will not be affected.
5.5. This DPA and any dispute or claim arising out of or in connection with it will be governed by and construed in accordance with laws mentioned in the Agreement.
5.6. The parties irrevocably agree that the jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA will be in accordance with the Agreement.
Describe broadly the processing operations that We will undertake under the Agreement:
Processing Personal Information made available by the Customer during the Agreement, as needed for providing the services, e.g. data available in the systems and applications.
We will act upon the Personal Information only as You instruct us to perform the Services.
Describe to whom the Personal Information pertains:
As per the Agreement and as per Customer’s operations.
Describe the types of Personal Information to processed:
Generally, We will not receive any sensitive or special Personal Information.
Measures are taken to prevent unauthorized access to IT systems, including the following technical and organizational measures for user identification and authentication:
Measures are taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorised modification or disclosure of data. These measures include:
Measures are taken to prevent the unauthorized access to data, alteration or removal of data during transfer, and to ensure that transfers are secure.
Where feasible, measures are in place to ensure data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained.
Measures are in place to ensure that data are processed strictly in compliance with the
data exporter’s instructions.
Measures are in place to ensure that data are protected against accidental destruction or loss and include:
Measures are in place to ensure systems are adequately monitored and protected from a variety of potential threats including, where feasible:
Measures are in place to ensure data collected for different purposes are processed separately and include: