MuchBetter Business
DATA PROTECTION ADDENDUM

1. Definitions

All capitalised terms not defined in this Data Protection Addendum (“DPA”) have the meanings set forth in the Agreement.

  1. Affiliate means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, “control” (including, with correlative meanings, the terms “controlling”, “controlled by” and “under common control with”) means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
  2. Agreement means the MuchBetter Business Account Services Agreement between MIR and Account Holder which involves access to or otherwise the Processing of Personal Data;
  3. Approved Jurisdiction means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission, or by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018, as applicable;
  4. Breach Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  5. Data Protection Laws means any and all applicable domestic and foreign laws, rules, directives and regulations pertaining to data privacy, data security and/or the protection of Personal Data, including any amendments or replacements to them, and in particular: (a) the Privacy and Electronic Communications Directive 2002/58/EC (and the respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector; (b) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”); (c) the Data Protection Act 2018; and (d) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”).
  6. EEA means those countries that are members of the European Economic Area.
  7. MIR means MIR Limited UK Ltd, provider of MuchBetter Business Account Services.
  8. Personal Data means any information that is about, or can be related to, an identified or identifiable natural person. It includes any information that can be linked to an individual or used, directly or indirectly, to identify a natural person. Personal Data shall be considered Confidential Information regardless of its source.
  9. Process means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. “Processes” or “Processing” shall be construed accordingly.
  10. Standard Contractual Clauses or “SCCs” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted by the European Commission on 4 June 2021, as may be amended, superseded or replaced from time to time.
  11. UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, which entered into force on 21 March 2022.


2. Application of this DPA

  1. This DPA will only apply to the extent all of the following conditions are met:
    1. Either Party processes Personal Data that is made available by the other Party in connection with the Agreement;
    2. The Data Protection Laws apply to the processing of Personal Data.
  2. This DPA will only apply to the services which the Parties agreed to in the Agreement, and which incorporate this DPA by reference.


3. Data Protection and Privacy

  1. To the extent that a Party has access to or otherwise Processes Personal Data made available by the other Party, that Party shall:
    1. Be an independent Controller of the Personal Data and will determine the purposes and means of processing in accordance with the Agreement and Data Protection Laws.
    2. Only Process the Personal Data in accordance with the requirements of the Data Protection Laws and, where required under Data Protection Laws, maintain accurate written records of all Processing activities carried out on Personal Data under the Agreement.
    3. Without derogating from the foregoing, be responsible for providing data subjects with any information required under the Data Protection Laws and for allowing data subjects to exercise their rights under the Data Protection Laws, and shall provide the other Party with reasonable cooperation and assistance to fulfil the foregoing and any legal or regulatory obligations;
    4. Implement and maintain commercially reasonable and appropriate physical, technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise Processed, and all other unlawful forms of Processing;
    5. Comply with any obligations under Data Protection Laws to notify personal data breaches to the supervisory authority and to communicate them to data subjects;
    6. Notify the other Party without undue delay, and in any event no later than twenty-four (24) hours after, becoming aware of a Breach Incident.
  2. The Party who initially obtains the Personal Data from a data subject shall be responsible for obtaining any consents that may be required from the data subject (in each case to the extent necessary to comply with Data Protection Laws) and for providing information to the data subject prior to the collection of the Personal Data (e.g. a “Privacy Notice” or “Privacy Policy”), as necessary to comply with Data Protection Laws. The foregoing shall not derogate from the other Party’s own responsibilities under the Data Protection Laws (such as the requirement to provide information to the data subject in connection with its own Processing of the Personal Data).
  3. Each Party may appoint subcontractors, including Affiliates, to Process Personal Data on its behalf (“Sub-Processors”) for the purpose of performing its obligations and services under the Agreement, provided that: (i) the appointment will be subject to a written agreement with the appointed Sub-Processor containing, where applicable, terms providing equivalent protection of Personal Data to that provided under this DPA; and (ii) each Party shall be liable for the acts or omissions of its own Sub-Processors to the same extent it is liable for its own acts or omissions under this DPA, the Agreement and Data Protection Laws.


4. The Transfer of Personal Data

The Parties shall not Process Personal Data in, or transfer Personal Data to, any jurisdiction other than an Approved Jurisdiction, save that:

  1. if a Party wishes to Process Personal Data in, or transfer Personal Data to, a jurisdiction other than an Approved Jurisdiction, then the Parties shall be deemed to have entered into the SCCs (together with the UK Addendum, where applicable), in which event: (i) the SCCs and, where applicable, the UK Addendum are incorporated herein by reference; and (ii) the Party disclosing the Personal Data shall be deemed the data exporter and the Party receiving the Personal Data shall be deemed the data importer (as those terms are defined therein).


5. General

  1. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and both Parties will promptly begin complying with them.
  2. If there is any conflict or inconsistency between the terms of this DPA and the Standard Contractual Clauses or the UK Addendum (as applicable), the terms of the Standard Contractual Clauses or the UK Addendum (as applicable) will govern.


Annex I of the SCCs

  1. This Annex I forms part of the DPA and sets out the Parties’ agreed interpretation of their respective obligations under the UK Addendum and/or the Standard Contractual Clauses.
  2. The Parties agree that, for the purpose of transfers of Personal Data between MIR and Account Holder, the following shall apply:
    1. Clause 7 (the optional docking clause) of the SCCs will not apply.
    2. The competent supervisory authority shall be the UK Information Commissioner’s Office where the UK Addendum is incorporated, or the Irish Data Protection Commission where only the SCCs are incorporated.
    3. The laws of England and Wales shall govern where the UK Addendum applies, and the laws of Ireland where it does not.
    4. The Parties choose the courts of England as their forum and jurisdiction where the UK Addendum applies, and the courts of Ireland where it does not.
    5. For the purposes of Table 4 of the UK Addendum, either Party may end the UK Addendum as set out in Section 19 of the UK Addendum.


Identification of Parties

“Data Exporter”: the Party transmitting the Personal Data.

“Data Importer”: the Party receiving the Personal Data.

Description of Transfer

Data Subjects

The Personal Data processed concern the following categories of Data Subjects (please specify):

  • ☐ MIR’s employees
  • ☐ MIR’s customers
  • ☐ Account Holder’s end-users
  • ☐ Account Holder’s employees
  • ☐ Account Holder’s customers
  • ☐ Other: ________


Categories of Personal Data

The Personal Data transferred concern the following categories of data (please specify):

  • ☐ Contact information (name, age, gender, address, telephone number, email address etc.)
  • ☐ Financial and payment data (e.g. credit card number, bank account, transactions)
  • ☐ Governmental IDs (passport, driver’s license)
  • ☐ Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps)
  • ☐ Geo-location information
  • ☐ Biometric data
  • ☐ Other: ________


Special Categories of Data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

  • ☐ None
  • ☐ Genetic or biometric data
  • ☐ Health data
  • ☐ Racial or ethnic origin
  • ☐ Political opinions, religious or philosophical beliefs
  • ☐ Other: ________


The frequency of the transfer:

  • ☐ One-off
  • ☐ Continuous
  • ☐ Other: ________


Nature of the processing

  • ☐ Collection
  • ☐ Recording
  • ☐ Organization or structuring
  • ☐ Storage
  • ☐ Adaptation or alteration
  • ☐ Retrieval
  • ☐ Consultation
  • ☐ Disclosure, dissemination or otherwise making available
  • ☐ Analysis
  • ☐ Erasure or destruction
  • ☐ Other: ________

Purpose of the transfer and further processing

  • ☐ To provide, manage and operate MBB Account Services
  • ☐ Other: ________


Retention period

Personal Data will be retained for the term of the Agreement or in accordance with Applicable Law.

Annex II of the SCCs – Technical and Organizational Measures including Technical and Organizational Measures to Ensure the Security of the Data

This Annex II forms part of the DPA and describes the technical and organisational security measures implemented by the Data Importer.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Importer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia and as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
  • the maintenance of Information Security and Data Privacy Policies.
