Data Processing Addendum for GDRP compliance at Ledgy
Ledgy AG, a company incorporated under the laws of Switzerland, having its registered office and principal place of business on Forchstrasse 60, 8008 Zurich, Switzerland, as registered with the Commercial Register of the Canton of Zurich under number CHE-261.454.963 (“Ledgy”, the “Data Processor” or the “Processor”), and the customer (the “Customer” or the “Controller”), hereby agree as follows:
This data processing addendum (the “Data Processing Addendum” or “Addendum”) applies exclusively to the processing of personal data (the “Customer Personal Data” or “Personal Data”) that is subject to European Union (EU) and Swiss data privacy law, in the scope of the services (the “Services Agreement”) between the Data Controller and the Processor (each a “Party” and together the “Parties”) on the provision of services (the “Services”).
The term EU data privacy law (“EU Data Privacy Law”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). The term Swiss data privacy law means the Federal Act of 19 June 1992 on Data Protection, including any future revision thereof (“Swiss Data Privacy Law”). EU Data Privacy Law and Swiss Data Privacy Law are collective referred to as “Data Privacy Law”.
Terms such as “Processing”, “Personal Data”, “Data Controller” and “Processor” shall have the meaning ascribed to them in EU Data Privacy Law and Swiss Data Privacy Law, as applicable.
Insofar as the Data Processor will be processing Personal Data of the Data Controller subject to the EU Data Privacy Law and Swiss Data Privacy Law in the course of the performance of the Services Agreement with the Data Controller, the terms of this Data Processing Addendum shall apply. An overview of the categories of Personal Data, the types of data subjects (the “Data Subjects”), and purposes (the “Purposes”) for which the Personal Data are being processed is provided below.
2 Binding character of this Addendum
The Parties hereby agree to be bound by the provisions and obligations set forth in this Addendum in respect of all their data protection obligations and data processing relationships and agree that any data protection and data processing obligations as agreed to previously amongst the Parties shall be deleted and repealed in its entirety and be replaced with this Addendum.
3 Information required by Data Privacy Law
The Parties agree to the following information, as required by the EU and Swiss Data Privacy Law:
Subject matter of processing
Equity management services by means of an online software application (the “Application”) and the fulfillment of contractual obligations under the Services Agreement and this Data Processing Addendum.
Duration of processing
For the duration of the Services Agreement until terminated or once processing by Ledgy of any Personal Data is no longer required for the performance of its relevant obligations under the Services Agreement or Addendum or for its other legitimate interests.
Purpose of processing
Processing of Customer’s Personal Data and equity data for the purposes of the provision of the Services. Personal Data is provided by Customer.
Customer Personal Data
Equity data: Shareholder information (including their General Personal Data), company information, share ledger transaction history, legal documents, other cap table details.General Personal Data: Name, date of birth, country of origin, telephone number, email, postal address, bank details.
Shareholders, other third parties (e.g. lawyers).
4 Ledgy as Processor
The Customer and Ledgy hereby agree that for the purposes of this Addendum, Ledgy (and each permitted subcontractor) shall be the Data Processor.
5 Ledgy’s obligations
Ledgy, acting as Data Processor, shall:
only process the Customer Personal Data as necessary to perform its obligations under this Services Agreement, as required by laws applicable to it (provided that Ledgy first informs the Customer of that legal requirement before processing, unless that law prohibits this on important grounds of public interest);
ensure that all staff who have access to Customer Personal Data have committed themselves to appropriate obligations of confidentiality;
maintain all appropriate technical and organizational measures to ensure the security of the Customer Personal Data; The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Ledgy will, therefore, evaluate the measures on an on-going basis and will tighten, supplement and improve these measures. The Parties will negotiate in good faith the cost, if any, and an amendment to the Services Agreement, if necessary, to implement material changes required by specific updated security requirements set forth in applicable Data Privacy Law or by data protection authorities of competent jurisdiction; An overview of the current technical and organizational measures can be found on the Website, as amended from time to time;
assist, to the extent possible, the Customer to fulfill its obligations in responding to requests for exercising of Data Subject rights set out in the applicable Data Privacy Law;
not engage any other processor in relation to the Services except in accordance with Customer’s general authorization. Upon request by Customer, (i) Ledgy shall make available to the Customer a list of processors and (ii) the Customer shall have a right to be informed of new processors and veto proposed changes in good faith for material grounds within 30 days of publication. For the avoidance of doubt, Ledgy shall enter into an agreement with each sub-contractor containing obligations which are equivalent to those set out in this Clause 5;
subcontracting relationships within the meaning of this Clause 5 shall not include services which Ledgy makes use of with third parties as an ancillary service to support the execution of the order. This includes, for example, telecommunications services, maintenance and user service, data hosting services, cleaning staff, inspectors or the disposal of data media. However, Ledgy shall be obliged to make appropriate contractual agreements in accordance with the law and to take control measures in order to guarantee the protection and security of the Customer’s data even in the case of ancillary services awarded to third parties;
subject to reasonable access arrangements and save for disclosure of information which is confidential, commercially sensitive or privileged, permit Customer or a third-party auditor acting under the Customer’s direction, to conduct, at the Customer’s cost, data protection audits, assessments and inspections concerning Ledgy’s data protection procedures relating to its compliance with this Clause 5. For the avoidance of any doubt, the Customer’s audit, access, and inspection rights under this Clause are limited to Ledgy’s records only and does not apply to Ledgy’s physical premises;
notify the Customer as soon as reasonably practicable and in writing if it becomes aware of a reportable breach and provides the Customer with assistance in responding to and mitigating it;
assist the Customer in complying with Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the GDPR in respect of any new type of processing proposed, in accordance with EU Data Privacy Law and Swiss Data Privacy Law;
save as to where required by law or in accordance with the Services Agreement, on termination or expiry of this Addendum however made and for any reason, and unless otherwise stipulated in the Services Agreement, either destroy all Customer Personal Data or transfer it to Customer or a nominated third party (in a mutually agreed format and by a mutually agreed method);
Notwithstanding anything to the contrary in the Addendum, Ledgy’s aggregate liability to Customer hereunder and in relation to all of Ledgy’s data protection obligations under Data Privacy Law shall be limited to and shall not exceed 100% of the fees paid by the Customer in a Contract Year under the Services Agreement for each such Contract Year and shall in no event exceed, in aggregate for the entire duration of the Services Agreement and thereafter, 200% of the fees paid by the Customer in the Contract Year with the lowest fees. For the purposes of this Clause, “Contract Year” shall mean each period of 12 months following on from the effective date of the Services Agreement or its anniversary and shall include such 12-month periods that continue after the termination of the Services Agreement.
6 The Customer’s obligations
The Customer, acting as the Controller, hereby warrants and represents:
that all processing of Customer Personal Data will be in compliance with all Data Privacy Law, and that the processing of the Customer Personal Data by Ledgy in accordance with this Addendum will not breach Data Privacy Law;
that Customer Personal Data provided to Ledgy are accurate and will be updated to ensure continued accuracy as and when required;
that it has notified data subjects of any applicable period for which Customer Personal Data or any element of Customer Personal Data will be stored by Ledgy;
that the Customer has the right to provide Customer Personal Data to Ledgy and has provided Data Subjects with all necessary information and data protection notices on or in connection with the collection of such Customer Personal Data from data subjects including, but not limited to, the supply of Customer Personal Data to Ledgy and details of the purposes for which such Customer Personal Data will be processed by Ledgy including, if applicable, as set out in Ledgy’s retention policy;
Customer warrants and represents:
that the Customer will not provide Ledgy with nor request Ledgy to process the types and categories of Personal Data listed, defined, or referenced to in Articles 8–10 of the GDPR or respective definitions in the Swiss Data Privacy Law (collectively “High-Risk Personal Data”), and
that the Customer will not provide Ledgy with nor pass to Ledgy personal data for which Ledgy has no knowledge of, is unaware of, or which is not explicitly provided for under this Data Protection Addendum, and that where applicable, the Customer will not enter any personal data into free text fields embedded in relevant Ledgy products and/or Services and will not incorporate any personal data outside of the scope of Personal Data as contemplated in the Services Agreement and this Addendum into any attachments that are to be uploaded into Ledgy’s Application;
that the Customer shall, and shall procure its employees, contractors, and/or agents to keep the login credentials used to access to the Services secure and shall be liable for the access to the Services through such login credentials. The Customer further warrants that it shall promptly notify Ledgy of any unauthorized use of any login credentials, or other breaches of security, including loss, theft or unauthorized disclosure of login credentials.
The Customer acknowledges that Ledgy is reliant on the Customer for instructions as to the extent to which Ledgy is entitled to use and process the Customer Personal Data. Consequently, Ledgy will not be liable for and the Customer shall, immediately on demand, fully indemnify Ledgy and keep Ledgy effectively indemnified against all costs, claims, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature incurred by Ledgy or for which Ledgy may become liable due to any claim brought by a data subject or Supervisory Authority arising from any action or omission by Ledgy, to the extent that such action or omission resulted from the Customer’s instructions.
The Customer shall, immediately on demand, fully indemnify Ledgy and keep Ledgy fully and effectively indemnified against all costs, claims, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature arising from or incurred by Ledgy or its affiliates in connection with any failure of the Customer or any third party appointed by the Customer to comply with any of the provisions of Clause 6 and/or Data Privacy Law in respect of its processing of Customer Personal Data.
9 Prevalence of this Addendum
To the extent of any conflict between this Addendum and any parts of the Services Agreement, this Addendum shall prevail, govern, and supersede. This Addendum and the obligations hereunder shall survive the termination or expiry of the Services Agreement however effected or arising.
Subject to Clause 5.11, to the extent that either Party (the “Claiming Party”) has an entitlement under Data Privacy Law to claim from the other Party (the “Compensating Party”) compensation paid by the Claiming Party to a data subject as a result of a breach of Data Privacy Law to which the Compensating Party contributed, the Compensating Party shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject. For the avoidance of doubt the Compensating Party shall only be liable to make payment to the Claiming Party under this Clause 10 upon receipt of evidence from the Claiming Party, to the Compensating Party’s reasonable satisfaction, that clearly demonstrates the Compensating Party:
where Ledgy is the Compensating Party only, that Ledgy the instructions of the Customer;
has breached applicable Data Privacy Law; and
that such breach contributed (in part or in full) to the harm caused and entitling the relevant data subject to receive compensation in accordance with the applicable Data Privacy Law; and
the proportion of responsibility for the harm caused to the relevant data subject which is attributable to the Compensating Party.
11 Competent Court
Any disputes arising from or in connection with this Data Processing Addendum shall be brought exclusively before the competent courts of the Canton of Zurich, Switzerland.