Last Update: August 28, 2023
EU/EEA Data Protection Addendum for the processing of personal data in the European Economic Area, Switzerland, and the U.K. (together “Europe”)
Subscriber and FRM agree to the following additional representations, warranties, certifications, and agreements in relation to the processing of personal data for the provision of European Reports:
1. Definitions
a. All capitalized terms in the EU/EEA Data Protection Addendum have the meaning set out in the Terms of Service, and in the event that any terms are contradictory, terms of the Terms of Service shall prevail. The Terms of Service can be found here and at https://frm-inc.com/frmclientportaltermsofservice/.
b. “controller”, “data subject”, “personal data”, “personal data breach”, “processor”, “process” and “special category data” have the meaning given to them by the Regulation (EU) 2016/679 (the “Regulation”).
c. “Data Protection Laws” means the Regulation, the Data Protection Act 2018, any successor or replacement thereto, and any applicable European Union, Member State or, when the United Kingdom leaves the European Union, U.K. Law, relating to data protection or the privacy of individuals.
d. “Subscriber Personal Data” means the personal data of data subjects whose personal data is processed in connection with a European Report.
2. Obligations of FRM as a processor of Subscriber Personal Data
a. Subscriber and FRM agree that Subscriber is the controller and FRM is the processor of any personal data processed in connection with this Addendum and the Terms of Service.
b. FRM shall process Subscriber Personal Data on behalf of the controller for the purpose of providing European Reports as described in c and d below. The processing shall take place for the duration of the Terms of Service, unless otherwise directed by the Subscriber in writing.
c. The nature and purpose of the processing shall be to process Subscriber Personal Data on the instruction of the Subscriber in connection with a current or potential business investment or employment background investigation, whereby Subscriber Personal Data may be used by FRM in order to contact third parties to verify that certain information is accurate, in relation to carrying out background checks relating to due diligence in connection with a current or potential business investment, or as part of an employment investigation for the purpose of preparing a European Report. Subscriber acknowledges that it is the responsibility of Subscriber to ensure that the processing of Subscriber Personal Data by FRM is fair and lawful and carried out in accordance with Data Protection Laws.
d. The personal data processed under this EU/EEA Data Protection Addendum relates to data subjects identified by the Subscriber in connection with the preparation of European Reports. The subject matter of the processing may comprise the following categories of data, including special categories of data, based on the scope of the instructions from the Subscriber:
(i) Names;
(ii) Address;
(iii) Dates of birth;
(iv) Job titles;
(v) Identification and address information;
(vi) Education and qualifications;
(vii) Past employment and positions held in other organizations, including fiduciary or board of directors’ responsibilities for a company, including the dates such positions may be held;
(viii) Professional qualifications, registration, and sanctions with professional bodies;
(ix) Financial Information relating to bankruptcy, financial judgments, and litigation;
(x) Criminal proceedings, convictions, and involvement in litigation, including civil suits where the subject was either a plaintiff or defendant;
(xi) Media information;
(xii) Patents and other intellectual property and corporate records; and
(xiii) Other Public Record information.
e. FRM shall, and shall procure that its Sub-Processors shall: process Subscriber Personal Data only to the extent, and in such a manner, as is necessary for the purposes of this EU/EEA Data Protection Addendum and in accordance with Subscriber’s documented instructions, including with regard to transfers of Subscriber Personal Data by the Subscriber outside Europe to a country deemed to have insufficient protection for personal data, or to an international organization, unless FRM is otherwise required to process Subscriber Personal Data by European Union, European Union member-state, and/or (in the event the U.K. ceases to be a member of the European Union) U.K. law to which FRM is subject, in which case FRM shall immediately inform Subscriber of that legal requirement before processing (unless prohibited from doing so by that law on important grounds of public interest).
f. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risks for the rights and freedoms of individuals concerned, FRM shall implement technical and organizational measures necessary to ensure a level of security appropriate to the risk in order to assure that Subscriber Personal Data is protected against loss, destruction, or damage, and unauthorized or unlawful processing. In case of a personal data breach which may affect Subscriber, FRM will notify Subscriber without undue delay upon becoming aware of it.
g. FRM shall make available to Subscriber all information reasonably necessary to demonstrate compliance with Data Protection Laws and allow for and contribute to audits of its data processing facilities, procedures, records, and documentation which relate to the processing of Subscriber Personal Data, including inspection (on reasonable written notice) by Subscriber, its auditors, or any Supervisory Authority.
h. FRM will ensure that its personnel who have access to Subscriber Personal Data are (1) both informed of the confidential nature of the personal data and obliged to keep such Subscriber Personal Data confidential; and (2) aware of FRM’s duties and their personal duties and obligations under this Addendum.
i. FRM shall only engage another processor (a “Sub-Processor”) with Subscriber’s prior authorization and by FRM’s entering into a legally binding written agreement that places substantively similar data protection obligations as those set out in the EU/EEA Data Protection Addendum on the Sub-Processor, provided that if the Sub-Processor fails to fulfill its data protection obligations then FRM shall remain fully liable to Subscriber for the performance of the relevant Sub-Processor’s obligations. For the purpose of clarity, Subscriber approved all Sub-Processors in place on the date on which the parties enter into this Addendum, the details of which are provided here and found at https://frm-inc.com/gdpr-sub-processors/.
j. FRM shall provide notice of any new Sub-Processors through its existing notice mechanism described in Section 11 of the Terms of Service, and the Subscriber acknowledges that the continued use of the service as per Section 11 of the Terms of Service after notice of any change in Sub-Processors is provided shall be treated by FRM as consent.
k. FRM shall provide its record of processing in relation to the Subscriber Personal Data on reasonable request of Subscriber and maintain a record of all categories of processing activities carried out on behalf of Subscriber, containing all information required under Data Protection Laws.
l. FRM shall promptly carry out to the extent reasonably possible any reasonable request from Subscriber requiring FRM to amend, transfer, copy, or delete any Subscriber Personal Data in a format and on media reasonably specified by Subscriber.
m. FRM shall notify Subscriber, and shall procure that its Sub-Processors notify Subscriber, of any requests received from a data subject exercising his or her rights under Data Protection Laws and, taking into account the nature of processing, assist Subscriber by appropriate technical and organizational measures with fulfilling its obligation in respect of that data subject under Data Protection Laws (including responding to any data subject access requests or requests from a data subject for access to, rectification, erasure, or portability of personal data relating to them), but only where requested to do so by Subscriber.
n. FRM represents and warrants that, as at the date on which the parties enter into this EU/EEA Data Protection Addendum and for the duration of the remaining term of this Addendum, FRM complies with the requirements of the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (the “DPFs”) (or any successor arrangement approved by the European Commission from time to time) and holds a valid registration with the US Department of Commerce to that effect, and, in the event the DPFs are nullified, FRM agrees that the Standard Contractual Clauses shall govern the original transfer of data as available here (and found at https://frm-inc.com/scc), and to enter into in good faith with Subscriber other lawful mechanisms for the transfer or onward transfer, as applicable, of data from Europe to ensure that the data transfer obligations under Data Protection Laws are followed.
o. On termination FRM will, and will procure that its Sub-Processors will, at Subscriber’s choice, cease to use, delete, or return all personal data unless otherwise provided by European Union or European Member State, or once the U.K. is no longer a part of the EU, U.K. Laws.
3. Obligations of the Subscriber in relation to Subscriber Personal Data
a. Subscriber undertakes to comply with Data Protection Laws applicable to it and will not knowingly cause FRM to breach Data Protection Laws or its obligations under the DPFs.
b. Without prejudice to the generality of clause 3.a., Subscriber shall (1) comply with its obligations to provide notice of processing to data subjects in connection with any processing carried out by FRM on the Subscriber’s instructions, and (2) where required, shall obtain consent to the processing of Subscriber Personal Data directly from the data subject, or by instructing FRM to do so on its behalf.