Mercury 4
Data Processing Addendum
1. INTRODUCTION
Addendum. This Data Processing Addendum supplements the Master Service
Agreement (as updated from time to time between Customer and Mercury 4) and all other agreements between Customer and Mercury 4 governing Customer’s use of Mercury 4’s services.
Binding agreement. The Customer agrees to be bound by this DPA and to comply with the terms and conditions set out herein by (a) indicating its acceptance on the Site or (b) executing a copy of this DPA and returning it to Mercury 4.
2. DEFINITIONS
All capitalised terms in this DPA shall have the meaning ascribed to them in the Agreement, unless otherwise defined below:
“Agreement” means the agreement between the Customer and Mercury 4 for the provision of Services.
“Customer” means the entity that executed the Agreement.
“Customer Data” means what is defined as “Customer Data” in the Agreement.
“Controller” means an entity determining the purpose and means of processing of personal data.
“Data Subject” means identified or identifiable persons, including End-Users (as defined in the Agreement).
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement as amended from time to time.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Party” means the Customer or Mercury 4 individually, and “Parties” refers to the Customer and Mercury 4 jointly.
“Processor” means an entity processing data on behalf of a Controller.
“Personal Data” means any Customer Data relating to Data Subjects.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
“P2C SCCs” means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Four (Processor-to-Controller) including the supplementary provisions in Schedule 2 to this DPA.
“Restricted Transfer” means any transfer of Personal Data between Mercury 4 and Customer which, in the absence of the Standard Contractual Clauses, would be unlawful.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
“Sub-processor“ means a subcontractor that process Personal Data on behalf of Mercury 4.
“Mercury 4” means the entity defined as “Mercury 4” in the Agreement.
“Ultimate Controller” means a person or entity for which the Customer operates as a Processor.
“UK Addendum” means the UK addendum to the Standard Contractual Clauses issued by the Information Commissioner under S119A(1) Data Protection Act 2018.
3. PROCESSING OF PERSONAL DATA
Processing Roles. Mercury 4 will operate as a Processor on behalf of the Customer and Customer will operate as a Controller, or as a Processor for an Ultimate Controller, for any processing of Personal Data pursuant to this DPA.
Details of the processing. A description of subject-matter, duration, nature and purposes as well as categories of Personal Data and Data Subjects is included in Schedule 1 to this DPA.
Customer’s instructions. Mercury 4 shall only process Personal Data in accordance with documented instructions from Customer, unless required to do so by applicable laws and, if so required, provided that Mercury 4 informs the Customer of that legal requirement before processing, unless the relevant law prohibits such information on important grounds of public interest. The initial instructions to Mercury 4 are set forth in this DPA and any further changes to the instructions need to be agreed in writing.
Lawfulness of Customer’s instructions. The Customer is responsible for ensuring that the instructions are compliant with the Customer’s obligations under the applicable Data Protection Laws (including where the Customer is a Processor, by ensuring that the Ultimate Controller does so). Mercury 4 shall inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
Compliance. Each party undertakes to process Personal Data in compliance with its respective obligations under applicable Data Protection Laws.
4. SUB-PROCESSORS
General Authorization. Mercury 4 has the Customer’s general authorization for the engagement of Sub-processors, subject to the limitations set out in this DPA (including Clause 8). Mercury 4 shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors at least two months in advance, thereby giving the Customer the opportunity to object to such changes prior to the engagement of the concerned Sub-processors.
Objections. Customer may object in writing to Mercury 4 appointment of a new Sub-processor within one calendar months of receiving notice in accordance with Section 4.1 of this DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Mercury 4 will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to terminate the Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to termination).
Notifications. Mercury 4 shall provide the information referred to in Clauses 4.1 and 4.2 by updating the Subcontractor Documentation and will make available a mechanism to subscribe to updates.
Authorized Sub-Processors. Subcontractor Documentation contains a list of Sub Processors engaged as of the date of the DPA.
Contract. Where Mercury 4 engages a Sub-processor to carry out specific processing activities (on behalf of the Customer), it shall do so by way of a contract that provides for, in substance, the same data protection obligations as those binding Mercury 4 under this DPA (including an appropriate data transfer mechanism where a Restricted Transfer takes place between Mercury 4 and the relevant Sub-processor). Mercury 4 shall provide, at the Customer’s request, a copy of such a Sub-processor agreement and any subsequent amendments to the Customer. To the extent necessary to protect business secrets or other confidential information, including personal data, Mercury 4 may redact the text of the agreement prior to sharing a copy.
Liability. Mercury 4 accepts no liability responsible to Customer for the performance of the Sub-processor’s obligations under the contract with the Sub-processor.
5. DATA SUBJECT REQUESTS
Data Subject Requests. Mercury 4 provides technical controls in the Services which Customer can use to retrieve, correct and delete the use of Personal Data without any additional fees. In addition, Mercury 4 shall, taking into account the nature of the processing, provide reasonable additional assistance to Customer to enable Customer to comply with its data protection obligations under Data Protection Laws with respect to Data Subject requests (provided such assistance can’t be satisfied by the use of the technical controls).
Requests to Mercury 4. Mercury 4 shall not respond to requests from Data Subjects made directly to Mercury 4 but will make commercially reasonable efforts to refer Data Subjects to Customer, provided that the Data Subject identifies the Customer.
6. SECURITY AND DATA BREACHES
Technical and organisational safeguards. Mercury 4 implements technical and organisational measures to ensure an appropriate level of security with respect to Customer Data (including Personal Data) including, at a minimum, the measures described in the Privacy and Security Documentation.
Privacy and Security Documentation. Mercury 4 may modify the Privacy and Security Documentation from time to time but undertakes not to reduce the overall level of Protection.
Personal Data Breaches. Mercury 4 shall inform the Customer without undue delay after becoming aware of any Personal Data Breach. Mercury 4 shall (a) provide any information available to Mercury 4 that the Customer reasonably needs to comply with its obligations under Data Protection Laws and (b), take commercially reasonable steps to contain and investigate any Personal Data Breach.
Personnel. Mercury 4 will ensure that all personnel used to process Personal Data have agreed to maintain the confidentiality of the Personal Data or are under an appropriate statutory obligation of confidentiality.
7. CONFIDENTIALITY
Any information provided to the Customer under this Section shall be construed as Mercury 4’s Confidential Information (including information made available about Sub-processors).
DATA PROCESSING ADDENDUM
2024-01-25
8. RETURN AND DELETION OF PERSONAL DATA
Return and Deletion. Mercury 4 provides technical controls in the Services which Customer can use to retrieve or delete Personal Data during, and up to 30 days after the termination of, the Agreement.
Post-Termination Deletion. Mercury 4 will delete all Personal Data after the termination of the Agreement in accordance with the timescale specified in the Privacy and Security Documentation, unless otherwise required by applicable laws. For the avoidance of doubt, Customer acknowledges that Mercury 4 is authorised to create, use and retain generalised or aggregated data or statistics. (Aggregated Data) of the Agreement.
9. TERM
This DPA shall continue in force until the termination of the Agreement.
10. MISCELLANEOUS
Conflicts. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. Nothing in this document varies or modifies the UK Addendum.
DATA PROCESSING ADDENDUM
1. SUBJECT MATTER AND NATURE OF THE PROCESSING
The performance of the Services pursuant to the Agreement, as further described in the Documentation.
2. PURPOSE OF PROCESSING
The performance of the Services pursuant to the Agreement, as further described in the Documentation.
3. INTERNATIONAL DATA TRANSFERS
Mercury 4 does not carry out Restricted Transfers to transfer Personal Data outside the EEA (a) unless otherwise explicitly provided by the Agreement and the DPA due to the location of the staff member working on the client account or (b), except as necessary to transfer Personal Data to customers consuming our Services from outside the EEA.
4. CATEGORIES OF DATA SUBJECTS
• Employees, representatives and Users of Customer
• End-Users and Silent Parties
5. CATEGORIES OF PERSONAL DATA
• Identity information
• Contact information
• Financial account information (for example, account numbers, balances and account types)
• Transaction history
6. SENSITIVE DATA TRANSFERRED
Mercury 4 does not process special categories of Personal Data in the Services.
7. DURATION OF PROCESSING
The Personal Data will be processed for the duration of the Agreement.
8. FREQUENCY OF THE TRANSFER (IF APPLICABLE)
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous basis depending on the use of the Services by Customer.
9. SUB-PROCESSOR TRANSFERS (IF APPLICABLE)
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
As set out in Clauses 1 and 2 above, Sub-processors will process Personal Data as necessary to perform the Services pursuant to the Agreement and the Personal Data will be
processed for the duration of the Agreement.
Information about the Sub-processors used can be found in the Subcontractor Documentation.
10. TECHNICAL AND ORGANIZATIONAL MEASURES
Mercury 4 will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data in the Services, as described in Privacy and Security Documentation. Mercury 4 will not materially decrease the overall security of the Services during the term.
11. DATA PROTECTION OFFICER
Mercury 4’s data protection officer can be contacted on admin@Mercury 4.com.
This Document was last modified on 20th February 2024