1. Processing of personal data

Compliance with Data Protection Laws

  • 1.1 For the purposes of processing Protected Data pursuant to this Agreement, the parties agree that the Client is a Controller and that S&W is a Processor. The Client shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Client shall ensure that all instructions given by it to S&W in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with all Data Protection Laws. Nothing in this Agreement relieves the Client of any responsibilities or liabilities under any Data Protection Laws.
  • 1.2 This Data Processing Annexure sets out the additional terms, requirements and conditions on which S&W will process Protected Data when providing Services under the Terms of Business. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between Controllers and Processors.
  • 1.3 The Client retains control of the Protected Data and is responsible for compliance with the applicable Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to S&W.
  • 1.4 S&W shall process Protected Data in compliance with its obligations under Data Protection Laws and the terms of this Agreement.

Instructions

  • 1.5 The parties agree:
  • 1.5.1 S&W shall only process (and shall ensure that S&W personnel only process) the Protected Data in accordance with this Agreement (including with regard to any transfer to which clause 1.13 relates), except to the extent:
  • (a) that alternative processing instructions are agreed between the parties in writing; or
  • (b) otherwise required by applicable law (and shall inform the Client of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest); and
  • 1.5.2 without prejudice to clause 1.2, if S&W believes that any instruction received by it from the Client is likely to infringe the Data Protection Laws it shall be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which do not infringe those laws. 

Security

  • 1.6 S&W shall implement and maintain appropriate technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. More detail about Information Security can be provided to the Client upon request to their main S&W contact.

Sub-processing and personnel

  • 1.7 S&W shall:
  • 1.7.1 not engage another Processor to perform specific processing activities in respect of the Protected Data without the Client’s authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed), provided that the Client authorises the appointment of any S&W group company or any IT supplier engaged by S&W in the ordinary course of its business. Where the Client has concerns about the Sub-Processor’s compliance with Data Protection Laws or the Processor Contract, S&W shall discuss these concerns with the Client and use its reasonable endeavours to resolve them. In the event that S&W is unable to resolve the concerns, S&W will either cease using the Sub-Processor or allow the Client to terminate the agreement. Upon such termination, any outstanding fees shall be paid in full up to the last chargeable service provided by S&W;
  • 1.7.2 prior to any Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure such Sub-Processor is appointed under a binding written contract containing materially the same obligations as under this clause 1 (including those relating to sufficient guarantees to implement appropriate technical and organisational measures) and ensure such Sub-Processor complies with all such obligations;
  • 1.7.3 remain fully liable to the Client under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
  • 1.7.4 ensure that all persons authorised by S&W or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
  • 1.8 A list of Sub-Processors can be provided to the Client upon request to their main S&W contact.

Assistance

  • 1.9 S&W shall implement and maintain, at its reasonable cost and expense, appropriate technical and organisational measures to assist the Client in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data, including to ensure that all Data Subject Requests it receives are recorded and then referred to the Client within three days of receipt of the request.
  • 1.9.1 S&W reserves the right to charge the Client where in S&W’s reasonable opinion the number of Data Subject Requests is excessive and onerous to the maintenance of S&W’s data privacy function.
  • 1.10 S&W shall, at the Client’s cost and expense, provide reasonable assistance, information and cooperation to the Client to ensure compliance with the Client’s obligations under Data Protection Laws including with respect to: (i) security of processing; (ii) notification by the Client of breaches caused by the Client to the Supervisory Authority or Data Subjects; and (iii) DPIAs and prior consultation with a Supervisory Authority regarding high-risk processing.

International transfers

  • 1.11 The Client agrees that S&W may transfer any Protected Data to any country outside the European Economic Area (“EEA”) or to any international organisation (an “International Recipient”), provided that S&W ensures that such transfer (and any onward transfer): (i) is pursuant to a written contract including provisions relating to security and confidentiality of the Protected Data; (ii) is effected by way of a legally enforceable mechanism for transfers of Personal Data as may be permitted under Data Protection Laws from time to time; and (iii) otherwise complies with Data Protection Laws.

Audits and processing

  • 1.12 The Client shall have the right to conduct one audit per calendar year to verify the Data Processor's compliance with this Annexure and applicable Data Protection Laws. Audits shall be conducted remotely and shall not involve on-premises inspections of the Data Processor's facilities. The Client must provide reasonable prior notice to the commencement of any audit. The Client agrees that audits will be conducted in a manner that minimises disruption to S&W's business operations and other clients. The Client shall ensure that any auditors engaged to perform such audits are bound by confidentiality obligations no less stringent than those set forth in this Agreement. The Client shall not have access to any confidential information or personal information of other clients of S&W during the audit. The scope of the audit shall be limited to S&W’s systems, processes, and documentation directly related to the processing of the Client's personal data. S&W shall provide the Client with all necessary information and documentation to demonstrate compliance, subject to the restrictions outlined above.
  • 1.13 Where the Client wishes to conduct more than one audit or inspection every twelve (12) months, the Client shall pay S&W’s reasonable costs for allowing or contributing to such audits or inspections under clause 1.12.

Breach

  • 1.14 S&W shall notify the Client without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.

Deletion/return of Protected Data

  • 1.15 S&W shall without delay, at the Client’s written request, either securely delete or return all Protected Data to the Client after the end of the provision of the relevant Services related to processing or, if earlier, as soon as processing by S&W of any Protected Data is no longer required for S&W’s performance of its obligations under the Terms of Business, and securely delete existing copies (unless storage of any data is required by applicable law).

2. Definitions and Interpretation

2.1 Definitions

“applicable law” means applicable law of the United Kingdom (or of a part of the United Kingdom) and the Republic of Ireland.

“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor” and “processing” shall have the respective meanings given to them in applicable Data Protection Laws.

“Data Protection Laws” means, as binding on either party or the Services:

  1. the UK GDPR;
  2. the Data Protection Act 2018;
  3. the GDPR; and
  4. any laws that supplement, replace, extend, re-enact, consolidate or amend any of the foregoing.

“UK GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).

“GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.

“Protected Data” means Personal Data received from or on behalf of the Client in connection with the performance of S&W’s obligations under this Agreement.

“Sub-Processor” means any Processor engaged by S&W (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data on behalf of the Client.

“Terms of Business” means the applicable terms of business which apply to the provision of the Services by S&W to the Client.

“Services” means the services and other activities to be supplied to or carried out by or on behalf of S&W for the Client pursuant to the Terms of Business.

“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

“DPIA” means a Data Protection Impact Assessment, as defined in Data Protection Laws.

“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws.

‘S&W’ means the company within the S&W group that is providing the Services under the Terms of Business, details of which can be found at https://www.swgroup.com/legal-regulatory-and-compliance/registered-details/

2.2 Interpretation

To the extent that a term of this Annexure requires the performance by a party of an obligation “in accordance with Data Protection Laws” (or similar) this requires performance in accordance with such Data Protection Laws as are in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under applicable Data Protection Laws, it shall not apply until such time as it is so required.

THE SCHEDULE

DATA PROCESSING DETAILS

Processing of the Protected Data by S&W under this Agreement shall be for the subject matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Part A.

  1. Subject matter of processing:

The provision of Services to the Client which require S&W to process personal data on behalf of the Client.

  2. Duration of the processing:

As long as may be required for the provision of the Services and otherwise as may be required by applicable laws.

  3. Nature and purpose of the processing:

Only to the extent necessary to provide the Services and as may be required by applicable laws.

  4. Type of Personal Data:

Name, address, date of birth, and other personal data necessary for the performance of the service.

  5. Categories of Data Subjects:

Client’s employees, Client’s clients, and other data subjects as agreed from time to time.

 

*This privacy Data Processing Annexure was last updated on 13th June 2025.