Data Processing Addendum for Practice Partners
This data processing addendum includes the Data Processing Terms and attached Appendices and is incorporated into, and forms part of, the agreement between FreeAgent Central Limited ("FreeAgent") and the account holder (the "Account Holder") comprising the Terms of Service and Standard Framework Agreement (the "Agreement"), governing the Account Holder's use of the FreeAgent Service.
This addendum is effective from the date of the last signature hereof.
- Instructions (this addendum has been pre-signed on behalf of FreeAgent). To enter into this addendum, the Account Holder must:
- complete the table below by signing and providing the Account Holder's full legal entity name, address and signatory information; and
- submit the completed and signed Addendum to FreeAgent via email to privacy@freeagent.com.
- Effectiveness
- This Addendum will be effective only if it is executed and submitted to FreeAgent in accordance with paragraph 1 above and this paragraph 2, and all Account Holder items in the table below are completed accurately and in full.
- If the Account Holder makes any deletions or other revisions to this Addendum, then this Addendum will be null and void.
- This Addendum will only apply to the Account Holder's use of FreeAgent accounts (including any use by agents or subcontractors (including any of its affiliates who are acting as an agent or subcontractor of the Account Holder) performing work on behalf of the Account Holder) that include the Account Holder's full legal entity name (matching the one provided in the table above) in the "Account Holder Partner Name" field associated with the FreeAgent account. If the Account Holder has affiliates with their own FreeAgent accounts that need coverage under a FreeAgent Data Processing Addendum, in order to have coverage each affiliate must sign its own FreeAgent Data Processing Addendum, in which case, the full legal entity name entered in the "Account Holder Partner Name" field associated with the FreeAgent account will be the name of the affiliates.
- Account Holder signatory represents to FreeAgent that he or she has the legal authority to bind the Account Holder and is lawfully able to enter into contracts (e.g. is not a minor).
- This Addendum will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of this Addendum.
This Addendum is valid if subject to signature from both parties.
FreeAgent's pre-signed Data Processing Addendum (DPA) is available to download from this link for your record-keeping.
Data Processing Terms
Definitions
Unless otherwise defined in the Agreement, all capitalised terms used in this Addendum will have the meanings given to them below:
"Controller" has the meaning given to it in Data Protection Law;
"Processor" has the meaning given to it in Data Protection Law;
"Data Protection Impact Assessment" has the meaning given to it in Data Protection Law;
"Data Security Breach" means any known potential or actual breach of the Minimum IS Requirements or any obligations or duties owed by FreeAgent to the Account Holder relating to the confidentiality, integrity or availability of Personal Data;
"Data Subject" has the meaning given to it in Data Protection Law;
"Data Protection Law" means all applicable laws relating to privacy and data protection including but not limited to (a) the GDPR, and (b) the UK GDPR, and (c) Directive on privacy and electronic communications (2002/58/EC, as amended), as well as all laws implementing each of (a) to (c) above, including the UK Data Protection Act 2018, as amended and updated from time to time. In the event any such Directive, Regulation or laws are repealed or replaced, the successor legislation to such repealed or replaced Directive, Regulation and/or law shall be deemed to constitute Applicable Data Protection Law;
"GDPR" means the General Data Protection Regulation (EU) 2016/679;
"Personal Data" means any personal data (as defined by Data Protection Law) Processed by FreeAgent on behalf of the Account Holder pursuant to or in connection with the Agreement;
"Processing" has the meaning given to it in Data Protection Law, and "Process" will be construed accordingly;
"Regulator" means any regulator or regulatory body (including the Prudential Regulation Authority, the Financial Conduct Authority, the Information Commissioner's Office and the Bank of England or their successors or equivalent authorities outside of the UK) to which the Account Holder is subject from time to time or whose consent, approval or authority is required so that the Account Holder can lawfully carry on its business or other competent data privacy authorities;
"EU SCCs" means the relevant module of the standard contractual clauses adopted by the European Commission on 4 June 2021 in Commission Implementing Decision (EU) 2021/914, for the transfer of Personal Data to third countries not otherwise recognised as offering an adequate level of protection for Personal Data by the European Commission (as amended or replaced from time to time).
"Standard Contractual Clauses" means the EU SCCs and the UK Addendum.
"UK Addendum" means Part 1: Tables and Part 2: Mandatory Clauses of the template Addendum B.1.0, issued by the Information Commissioner's Office and laid before Parliament in accordance with Section 119A of the Data Protection Act, 2018 on 2 February 2022, as it is revised under Section 18 thereof, in respect of any Restricted Transfers of Personal Data that is subject to the applicable Data Protection Law in the United Kingdom;
"UK GDPR" has the meaning ascribed to it in section 3(10) of the UK Data Protection Act 2018.
Data Protection
FreeAgent acts as a Processor with respect to the Personal Data. Appendix 1 to this Addendum sets out certain information regarding FreeAgent's Processing of the Personal Data as required by article 28(3) of the GDPR.
The Account Holder is a Controller in respect of the Personal Data and shall comply with its obligations as a Controller under Data Protection Law.
FreeAgent shall comply with its obligations as a Processor under Data Protection Law. If FreeAgent is or becomes aware of any reason that would prevent its compliance with Data Protection Law or any incident of non-compliance with Data Protection Law in connection with the Processing of Personal Data under this Agreement it shall notify the Account Holder in the most expedient time possible.
FreeAgent agrees that it will acquire no rights or interest in the Personal Data, will only Process the Personal Data in accordance with this Agreement and any other written instructions of the Account Holder, unless Processing of the Personal Data is required by applicable law to which FreeAgent is subject, in which case FreeAgent shall inform the Account Holder of that legal requirement before Processing, unless such applicable law prohibits the provision of such information on important grounds of public interest.
To the extent possible for FreeAgent to do so, taking into account the nature of the Processing of Personal Data, and without requiring FreeAgent to incur any additional costs, FreeAgent agrees to assist the Account Holder within such reasonable timescale as may be specified by the Account Holder with the fulfilment of the Account Holder's obligations to respond to Data Subject rights requests received from the Data Subjects of the Personal Data Processed in connection with this Agreement. Should FreeAgent receive any such requests directly, FreeAgent will immediately inform the Account Holder that it has received the request and forthwith forward the request to the Account Holder. FreeAgent will not respond in any way to such a request, except on the instructions of the Account Holder.
FreeAgent agrees to assist the Account Holder within such reasonable timescale as may be specified by the Account Holder with the conduct of Data Protection Impact Assessments and prior consultation requests to Regulators in relation to Personal Data Processing under this Agreement which the Account Holder reasonably considers to be required of the Account Holder under article 35 or 36 of the GDPR.
FreeAgent will ensure that its personnel who Process Personal Data under this Agreement are subject to obligations of confidentiality in relation to such Personal Data.
The Account Holder hereby generally authorises FreeAgent to engage third parties to carry out Processing of the Personal Data ("Third Party Service Providers") provided that FreeAgent shall ensure that the Processing is carried out under a written contract imposing on the Third Party Service Provider equivalent obligations as are imposed on FreeAgent under this Agreement in respect of the Processing and protection of Personal Data. Prior to implementing any changes concerning the addition or replacement of Third Party Service Providers engaged by FreeAgent pursuant to the Account Holder's general authorisation, FreeAgent will notify the Account Holder in writing of such proposed engagement. The Account Holder may, within fourteen working days of receipt of such notice, give notice in writing, objecting to FreeAgent disclosing Personal Data to such Third Party Service Provider and the Account Holder's objection will be deemed to be the Account Holder's waiver of FreeAgent's obligation to perform its obligations under the Agreement that FreeAgent would ordinarily perform using that Third Party Service Provider. The Account Holder hereby provides specific authorisation for FreeAgent to engage as Third Party Service Providers those parties listed at: https://www.freeagent.com/company/subprocessors
FreeAgent will also make available to the Account Holder, any Regulator or their representatives all information necessary to demonstrate compliance with its obligations under this Addendum and allow for and contribute to audits conducted by the Account Holder or another auditor mandated by the Account Holder, at the Account Holder's cost.
FreeAgent will notify the Account Holder within 24 hours of a Data Security Breach following the procedure set out in Appendix 3 (and follow-up with a detailed description in writing, including the cause of the breach, remedial action taken and the potential consequences of the breach) and support the Account Holder in any notification of the breach to Regulators and/or Data Subjects.
Other than as expressly permitted under this Agreement, on expiry or termination of this Agreement for whatever reason FreeAgent shall return, destroy or permanently erase, at the Account Holder's election, all copies of Account Holder Personal Data in its possession or control.
The provisions of this Clause 2 shall survive the term of this Agreement until FreeAgent has returned or destroyed all Personal Data in accordance with Clause 2.11.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing of the Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FreeAgent shall in relation to the Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, FreeAgent shall take account in particular of the risks that are presented by Processing of the Personal Data, in particular from a Data Security Breach.
Data Exports
FreeAgent may only Process, or permit the Processing, of Personal Data outside the European Economic Area under the following conditions:
- FreeAgent is Processing, or permitting the Processing, of Personal Data in a territory deemed to have an adequate level of protection of Personal Data under applicable Data Protection Law; or
- FreeAgent participates in a valid cross-border transfer mechanism under the Data Protection Laws (including without limitation the Standard Contractual Clauses), so that FreeAgent (and, where appropriate, the Account Holder) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by article 46 of the GDPR.
To the extent that any Personal Data transfer from the Account Holder to a Third Party Service Provider outside the EEA requires execution of Standard Contractual Clauses in order to comply with the Data Protection Laws, the Account Holder hereby appoints FreeAgent as its agent to enter into the Standard Contractual Clauses between Account Holder (as "data exporter") and such Third Party Service Provider (as "data importer").
In the event that the transfer mechanism entered into under Clause 3.1 or 3.2 ceases to be valid, FreeAgent shall at the Account Holder's discretion:
- enter into and/or procure that any relevant Third Party Service Provider enters into an appropriate alternative data transfer mechanism;
- destroy any Personal Data in its and/or its Third Party Service Provider's possession; or
- return any Personal Data in its and/or its Third Party Service Provider's possession to the Account Holder.
In the event that there ceases to exist any valid data transfer mechanism which would enable the Personal Data to be lawfully transferred by the Account Holder to FreeAgent, the Account Holder shall be entitled to terminate this Agreement by giving a minimum of three (3) months' prior written notice to FreeAgent.
Appendix 1
Description of the Processing of Personal Data
Subject Matter
FreeAgent provides a cloud-based service for the Accountancy Practice ("Account Holder") to provide accountancy services ("Service") to the Account Holder's freelance and micro-business clients ("Client") as recorded by the Account Holder within the Service.
Nature of Processing
Personal Data is processed, stored and retrieved automatically for the provision of accounting services by the Account Holder to their Clients, in accordance with the Agreement and FreeAgent's Privacy Policy.
Where explicit, unambiguous and freely given consent is given to FreeAgent by an Account Holder or other such Data Subject, the Personal Data of that Data Subject may also be additionally used for marketing FreeAgent's Services. The Data Subject is free to unsubscribe at any time.
Purpose of Processing
Personal Data is processed during the provision of accounting services to Account Holders, their employees, customers, suppliers and contacts, including the following:
- Management of outbound estimates and invoices;
- Management of inbound bills and expenses;
- Project management and associated time tracking;
- Payroll management, including PAYE and NI filing;
- Import of banking transactions;
- Building real-time business accounts;
- Generation and submission of VAT returns;
- Self Assessment calculation and submission;
- Corporation Tax forecast and deadline;
Categories of Personal Data
FreeAgent collects the following categories of Personal Data:
- Contact information for Account Holder (name, address, email, phone)
- Account Holder user and/or employee details (name, email address)
- Contact information for Account Holder's Clients (name, address, email, phone)
- Contact information for Client's customers, suppliers and other contacts
- Contact information and payroll details of Client's employees including tax code, NI Number and Date of Birth
- Client's bank account(s) name, sort code, account number
- Financial transaction and bank feed information related to the Client's business
Special Categories of Personal Data
FreeAgent does not knowingly collect or process special categories of Personal Data as defined under GDPR.
Categories of Data Subjects
FreeAgent processes the data of Account Holders that include limited companies, partnerships, landlords and sole traders, their employees, their customers, suppliers and other contacts.
Recipients of the Personal Data
On request, initiated by the Account Holder, FreeAgent will send PAYE, NI, VAT and tax return filings for the Account Holder, to and as required by HMRC, and which may include necessary Personal Data of the Account Holder and their employees, customers and suppliers as applicable.
Contact
All queries around GDPR and the processing of Personal Data should be addressed to the Head of Information Security via privacy@freeagent.com or in writing to Head of Information Security, FreeAgent Central Ltd, One Edinburgh Quay, 133 Fountainbridge, Edinburgh EH3 9QG.
Appendix 2
Security Measures
Information regarding the technical and organisational measures FreeAgent has implemented to protect Personal Data in accordance with clause 2.13 of this Addendum is available on our website, available at: https://www.freeagent.com/features/security
Appendix 3
Template Breach Notification Form
Data Security Breach notifications in accordance with Clause 2.14 above must be made electronically and shall contain at least the following minimum details regarding the Data Security Breach:
Nature of the Breach
[FreeAgent to insert a description of the breach, including the categories and approximate number of affected data subjects.]
Likely Consequences
[FreeAgent to insert a description of the likely consequences of the breach, e.g., risk of identity theft, media coverage, etc.]
Mitigating Measures
[FreeAgent to insert description of the measures taken/to be taken to address the breach and mitigate its effects.]