Data Protection

VAT IT will utilize the services of its sub-processor, the Processing Centre when providing the VAT and/or Tax reclaim services.

1.1. In this Agreement, “Data Protection Law” means the General Data Protection Regulation (2016/679) or any legislation amending, superseding or replacing it, and includes, where applicable, the guidance and codes of practice issued by the Information Commissioner and/or any other applicable data protection law. The terms “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” shall be construed in accordance with the meaning set out in the applicable Data Protection Law.

1.2. Each party shall comply with their respective obligations under Data Protection Law as applicable.

1.3. The purpose of the Processing of Personal Data by VAT IT is the performance of the Services under the Agreement.

1.4. In order to enable VAT IT to fulfil its obligations in terms of the Agreement, VAT IT shall be entitled to sub-contract the Processing of Personal Data to the Processing Centre, which is ISO27001 certified. The Company hereby expressly authorises the transfer of Personal Data to the Processing Centre in South Africa for Processing as and when required to perform the Services. By signing this Agreement, the Company and the Processing Centre agree to be bound by the terms of the EU Standard Contractual Clauses, or any replacement thereof located at whereby the Company shall be the data exporter and the Processing Centre the data importer. The governing law shall be law of the member state in which the data exporter is established. The aforementioned EU Standard Contractual Clauses shall be updated and/or amended from time to time in accordance with any changes to the Data Protection Law and/or any updates to the technical and organisational security measures implemented by the data importer.

1.5. VAT IT, the Processing Centre and the Company agree and acknowledge that for the purposes of the Data Protection Law, the Company is the Controller and VAT IT and the Processing Centre are Processors in respect of any Personal Data processed by or on behalf of VAT IT in the provision of the Services.

1.6. The Company shall own all rights, title and interest in and to all of the Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Personal Data.

1.7. In most cases, while performing the Services, VAT IT and the Processing Centre will not process Personal Data. VAT IT and the Processing Centre will only process Personal Data where employee names and/or addresses appear on claim invoices or when the VAT and/or Tax Authority specifically requests the names and designation of employees that incurred the expenses.

1.8. VAT IT and the Processing Centre shall process the Personal Data only in accordance with the Company’s written instructions from time to time (including, without limitation, those contained in the Agreement), and shall not process the Personal Data for any purpose other than those expressly authorised by the Company. The Company agrees that VAT IT may use e-mail in order to provide the Services.

1.9. VAT IT and the Processing Centre shall, having regard to the state of technological development and the cost of implementing any measures:

1.9.1. take appropriate technical and organisational measures against the unauthorised or unlawful Processing of the Personal Data and against the accidental loss or destruction of, or damage to the Personal Data (together “data breach”) to ensure a level of security appropriate to: the harm that might result from a data breach; and the nature of the Personal Data to be protected; and

1.9.2. take reasonable steps to ensure compliance with those measures.

2. VAT IT and the Processing Centre shall ensure:

2.1. that it takes reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;

2.2. that access to Personal Data is limited to:

2.2.1. those employees who need access Personal Data to meet VAT IT ’s obligations under this Agreement.

2.3. that all of its employees involved with the Services:

2.3.1. are informed of the confidential nature of the Personal Data;

2.3.2. have signed confidentiality agreements.

3. VAT IT and the Processing Centre shall implement appropriate technical and organizational measures to assist the Company in responding to:

3.1. any request from an individual to exercise any of its rights of Data Protection Law as it relates to the Personal Data processed by VAT IT and/or the Processing Centre; and

3.2. any other correspondence, inquiry or complaint received from an individual, regulator, court or other third party in connection with the Processing of Personal Data processed by VAT IT and/or the Processing Centre in terms of the Agreement.

4. If VAT IT and/or the Processing Centre receives a request from a Data Subject for access to that person’s information which was provided by the Company, VAT IT shall:

4.1. notify the Company within 2 business days of receiving such a request;

4.2. provide the Company with full co-operation and assistance in relation to any request made by a Data Subject to have access to such Personal Data; and

4.3. not disclose such Personal Data to any Data Subject or to a third party other than at the request of the Company or as provided for in this Agreement.

5. VAT IT shall notify the Company immediately (no later than 24 hours) if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data.

6. VAT IT and/or the Processing Centre at the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), shall at the election of the Company return and/or delete and procure the deletion of all copies of Personal Data. VAT IT and/or the Processing Centre may retain Personal Data to the extent required by applicable laws.

7. VAT IT and/or the Processing Centre shall, on request, make available to the Company the necessary documentation to demonstrate compliance with this Agreement. Thereafter, the Company shall be entitled where there is a reasonable suspicion that VAT IT and/or the Processing Centre is not complying with its data Processing obligations in terms of this Agreement, to audit the technical and organizational measures implemented by VAT IT and/or the Processing Centre. The Company agrees to sign non-disclosure agreements prior to such audit being conducted. The Company shall provide at least 5 business days written notice of such audit. Where possible such audits will be conducted outside of VAT IT ’s deadline periods.

8. In order for VAT IT and/or the Processing Centre to provide the Services the Company consents to the use of the services of the following ancillary Processors: SalesForce, AWS, translation service providers, VAT and/or Tax agent service providers, and technology service providers necessary in order to provide the Services.

9. Save for the Processors set out in clause 8 above to this Agreement, VAT IT shall not engage further Processor/s without the prior specific or general written authorisation of the Company.  In the case of general written authorisation, VAT IT shall inform the Company of any intended changes concerning the addition or replacement of other Processor/s, thereby giving the Company the opportunity to object to such changes.

10. Any appointed Processor/s shall only process Personal Data in order to perform the Services in terms of the Agreement.

11. After receiving the prior specific or general written authorisation of the Company and prior to transferring any Personal Data to any Processor/s, VAT IT and/or the Processing Centre shall enter into a written agreement with the Processor on terms no less onerous than those set out in this Agreement.  Such written agreement to include, but not be limited to, requiring the additional Processor/s to:

11.1. process the Personal Data only in accordance with the written instructions of the Data Processor; and

11.2. abide by the obligations imposed on the Processor/s set out in this Agreement; and

11.3. allow the Company the right to audit the additional Processor.

12. VAT IT shall impose data protection terms at least as strict as those set forth herein on any Processor it appoints to process the Company’s Personal Data.

13. Liability

VAT IT and the Processing Centre’s liability shall be governed by the Data Protection Law.