This Data Processing Agreement ("DPA") acts in complement to the Terms and Conditions posted on the website https://senecaesg.com/ (the “Seneca ESG Platform”), and is automatically entered into if you or users acting on behalf of your organization resort to the Seneca ESG Platform for its services. In these circumstances you/your organization/company is considered to be acting on its own behalf as the “Controller”, and Seneca ESG will be acting on its own behalf as the "Processor", each being a “Party” and together the “Parties”.

The terms used in this DPA shall have the meanings set forth in this DPA.

This DPA applies if there is no Controller-submitted DPA signed by the Parties.

The Controller commits to having a valid legal basis under Applicable Laws, for Processing the Personal Data that will be input into Seneca ESG Platform.

1. Definitions

1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 "Applicable Laws" means (a) the UK and European Union or Member State laws with respect to any Personal Data in respect of which any entity which Processes Personal Data is subject to such legislation; and (b) any other applicable law with respect to the protection of Personal Data and those natural persons to whom it pertains, from around the globe, as applicable to the Processing under the Seneca ESG Platform Service;

1.1.2 "Controller Personal Data" means Personal Data pertaining to staff elements of the Controller (employees; consultants) by Seneca ESG or on Seneca ESG Platform;

1.1.3 "EEA" means the European Economic Area;

1.1.4 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (General Data Protection Regulation) and laws implementing or supplementing the GDPR and (ii) any data privacy legislation including the E-privacy Directive and as amended, replaced or superseded from time to time;

1.1.5 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

1.1.6 “Personal Data” means any of the following (i) Personal Data as defined in EU Directive 95/46/EC and transposed with Domestic legislation of each member state and as amended, replaced or superseded from time to time (ii) Personal Data as defined in the GDPR as amended, replaced or superseded from time to time; and (iii) personal data as defined in the local data protection or data privacy legislation or laws of another country (including Switzerland) if applicable.

1.1.7 "International Transfer" in the context defined by the EU and the UK does not apply because all such Personal Data is publicly accessible and consists solely of Controller corporate related information where natural persons are identified as staff members of the Controller.

1.1.8 "Services" means the services and other activities to be supplied to or carried out from the Seneca ESG Platform, by or on behalf of Processor for a Controller via the Controller or directly by Controller users, pursuant to the Terms and Conditions;

1.1.9 "Subprocessor" means any third party (including any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Terms and Conditions; and

1.1.10 "Processor Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise. In the present case there is Seneca ESG Singapore and Netherlands.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", "Processing", “International Transfer” and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Authority

2.1 Processor warrants and represents that, prior to having any Subprocessor Processing any Controller Personal Data, the Processor shall have entered into a DPA with that Subprocessor which bears at least the same amount of commitment towards the observance of Applicable Law and the protection of the Rights and Freedoms of those natural persons whose Personal Data is under Processing.

3. Processing of Controller Personal Data

3.1 Processor and each Processor Affiliate shall:

3.1.1 comply with all Applicable Laws in the Processing of Controller Personal Data; and

3.1.2 not process Controller Personal Data other than on the relevant Controller's documented instructions unless Processing is required by Applicable Laws to which the relevant Subprocessor is subject, in which case Processor or the relevant Processor Affiliate shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.

3.2 The Controller shall on behalf of the Controller or ensure that the Controller does:

3.2.1 instructs Processor and each Processor Affiliate (and authorises Processor and each Processor Affiliate to instruct each Subprocessor) to:

3.2.1.1 Process Controller Personal Data; and

3.2.1.2 in particular, transfer Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Terms and Conditions.

3.3 Annex 1 to this DPA sets out certain information regarding the Processors' Processing of the Controller Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Applicable Laws). Controller may make reasonable amendments to Annex 1 by written notice to Processor from time to time as Controller reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this DPA.

4. Processor and Processor Affiliate Personnel

Processor and each Processor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Terms and Conditions, and to comply with Applicable Laws in the context of that individual's duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and each Processor Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 In assessing the appropriate level of security, Processor and each Processor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5.3 The technical and organizational measures implemented by the Processor and each Processor Affiliate are listed in Annex 2.

6. Subprocessing

6.1 The Controller authorises Processor and each Processor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this section 6 to appoint) Subprocessors in accordance with this section 6 and any restrictions in the Terms and Conditions.

6.2 Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as at the date of this DPA, subject to Processor and each Processor Affiliate in each case as soon as practicable meeting the obligations set out in section 6.4.

6.3 Controller authorises the Processor to subcontract subprocessors which the Processor considers necessary for the correct service provision of the services agreed in the main contract. Upon Controller's request, the Processor will provide an updated list of all categories of subcontractors involved in the service provision contracted by the former.

The subprocessor shall also be regarded as processor in the same terms as the Processor in this agreement. In this sense, the Processor agrees to sign a data processing agreement with the third-party subprocessor through which the Subprocessor agrees to comply with the obligations established in this agreement, as a Subprocessor.

In any case, the same data protection obligations will be imposed on the subcontractor in such a way that the processing complies with the provisions of GDPR (being at present date the most comprehensive piece of Personal Data Protection legislation being enforced).

6.4 With respect to each Subprocessor, Processor or the relevant Processor Affiliate shall:

6.4.1 before the Subprocessor first processes Controller Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data required by the Terms and Conditions;

6.4.2 ensure that the arrangement between on the one hand (a) Processor, or (b) the relevant Processor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR;

6.5 Processor and each Processor Affiliate shall ensure that each Subprocessor performs the obligations under sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Controller Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Processor.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Processor and each Processor Affiliate shall implement appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of its legal obligations, to respond to the exercise of Data Subject rights under the Applicable Laws.

7.2 Processor shall:

7.2.1 promptly notify Controller if the Processor or any Subprocessor receives a request from a Data Subject under any Applicable Law in respect of Controller Personal Data; and

7.2.2 ensure that neither it nor its Subprocessor responds to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor or the Subprocessor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement prior to the Subprocessor responding to the request.

8. Personal Data Breach

8.1 Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Personal Data Breach on their side, affecting Controller Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under the Applicable Laws. Such notification shall as a minimum contain the following information:

8.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.1.2 communicate the name and contact details of Processor's data protection officer or other relevant contact from whom more information may be obtained;

8.1.3 describe the likely consequences of the Personal Data Breach; and

8.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.2 Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

Processor and each Processor Affiliate shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, as defined under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.

10. Deletion or return of Controller Personal Data

10.1 Subject to section 10.2, Controller may in its absolute discretion by written notice to Processor request that within thirty (30) days of the Cessation Date require Processor and each Processor Affiliate to (a) return a complete copy of all Controller Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (b) delete and procure the deletion of all other copies of Controller Personal Data processed by any Subprocessor. Processor and each Processor Affiliate shall comply with any such written request within 30 days of the Cessation Date.

10.2 Each Subprocessor may retain Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processor and each Processor Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

10.3 Processor shall provide a written confirmation document to Controller certifying that the Processor and its Subprocessors have fully complied with this section 10 within 30 days of the Cessation Date.

10.4 For the purposes of this clause, “delete” means to remove or obliterate Personal Data so that it should not be recovered or reconstructed; and “Cessation Date” means the date of cessation of any services involving the processing of Controller Personal Data.

11. Audit rights

11.1 Processor and each Processor Affiliate shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA.

12. General Terms

Governing law and jurisdiction

12.1 Without prejudice to clauses 7 (Mediation and Jurisdiction):

12.1.1 the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms and Conditions with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

12.1.2 this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms and Conditions.

Order of precedence

12.2 Nothing in this DPA reduces Processor's or any Processor Affiliate’s obligations under the Terms and Conditions in relation to the protection of Personal Data or permits Processor or any Processor Affiliate to process (or permit the Processing of) Personal Data in a manner which is prohibited by the Terms and Conditions.

12.3 Subject to section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Terms and Conditions and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

Changes in Applicable Laws, etc.

12.4 Controller may:

12.4.1 by written notice to Processor propose any other variations to this DPA which Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.

12.5 If Controller gives notice under section 12.4.1:

12.5.1 Processor and each Processor Affiliate shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 6.4.3; and

12.5.2 Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Subprocessors against additional risks associated with the variations made under section 12.4.1 and/or 12.5.1.

12.6 If Controller gives notice under section 12.4.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable.

12.7 Neither Controller nor Processor shall require the consent or approval of any Controller Affiliate or Processor Affiliate to amend this DPA pursuant to this section 12.5 or otherwise.

Severance

12.8 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12.9 Contact information of the Parties.

Each Party is hereby informed that the contact information of their representatives and employees will be processed by the other Party for the purpose of executing, developing, complying and controlling the provision of the agreed services, considering the compliance of the contractual obligations as the legal grounds for the data processing. Personal data will be retained during the term of the commercial agreement and for statutory limitation periods upon termination of the agreement in order to comply with any potential liabilities arising thereof. In addition, each of the Parties shall comply with its obligation of information to their respective representatives and employees.

The data of the Parties may be transferred to banks and financial entities for payment management and collection, to the Tax Authorities and other Public Administrations for the purpose of carrying out the corresponding tax declarations and complying with their respective legal obligations, in accordance with applicable regulations, and to the Public Administrations in the event of statutory requirements.

The Parties may request access to the personal data which is referred to in this clause, its rectification, erasure, portability, and restriction of its processing, as well as objection of said processing, at the address of the Parties as specified in Annex 3.

12.10 Liability

The Processor shall be responsible for all penalties and fines arising from the failure to comply with the obligations set under this agreement.

Annex 1: Description of Processing of Personal Data

This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Personal Data

The subject matter and duration of the Processing of Personal Data are set out in the Terms and Conditions and the Privacy Policy.

The nature and purpose of the Processing of Personal Data

The nature and purpose of the Processing of Personal Data are set out in the Terms and Conditions and the Privacy Policy.

The categories of Data Subject to whom Personal Data relates

The Data Subjects whose Personal Data will be under Processing by the Processor consist of Controller's staff members under a B2B perspective and context.

The types of Personal Data to be processed

Contact Data (name; email; etc.)

Employment Data (Controller; role; etc.)

Operational Data (user actions on the platform)

The obligations and rights of Processor and Processor Affiliates

The Processor has the obligation to meet and observe the requirements of Applicable Laws, mainly and specifically EU Regulation 2016/679 (the General Data Protection Regulation – GDPR), which under European Union law takes precedence over each Member State's local transposition legislation.