Data Processing Agreement
Agreement on Processing of Personal Data
Section 1. Subject Matter of the Agreement
(1) The Processor processes personal data within the meaning of the Data Protection Legislation on behalf of the Controller.
☒ in order to perform the following contract: Allfinanz Spark Subscription Agreement between the Parties.
The processing comprises the following: —
Subject matter of the processing: Use of Processor’s cloud-based proprietary software and digital Hosted Services for the following: —
(a) Hosted Services delivery: Facilitating the submission of applications for life and health insurance to the Controller and the assessment thereof by the Controller;
(b) Maintenance and Support for the Hosted Services and the underlying Software for the provision of the said service;
(c) Quality Assurance. Monitoring performance of Software and Services efficiency; identifying areas for cost reduction and process improvement; analysing third party data usage and value.
Duration of processing
☒ Pursuant to above-mentioned contract.
including any amendments or extensions to the contract covered by section 1
☐ any other duration, i.e.
including any amendments or extensions (if still covered by section 1)
Type (Article 4(2) of GDPR) and purpose of processing:
☐ Pursuant to above-mentioned contract or other agreement
Type of personal data¹:
☒ Key personal data (e.g. name and date of birth of natural persons)
☒ Communication and contact data (e.g. telephone number, address)
☒ Contract data (e.g. insured ratings, insurance start date, premium)
☒ Usage or protocol data (e.g. log files)
☒ Survey data
☐ Membership data (e.g. membership of associations, chambers)
☐ Bank/account/credit card details
☒ Data subject to professional secrecy (especially information obtained from private health, life or personal accident insurances)
☒ Data relating to criminal or administrative offences (e.g. data from criminal investigation files or proceedings for administrative offences)
☒ Data on racial or ethnic origin
☐ Data on political, religious or ideological opinions or beliefs
☐ Trade union membership
☒ Genetic or biometric data
☒ Data about an individual’s sex life or sexual orientation
☒ Health data (e.g. information on illnesses, visits to physicians, curative treatment)
All data submitted by or on behalf of data subjects to the Controller for life and/or health insurance.
¹ Please tick the applicable box.
Categories of data subject²:
☐ Employees/Board members of the Controller
☐ Employees/Board members of Group companies of the Controller
☒ Users of IT applications
☐ Controller or its employees/board members
☐ Service providers or their employees/board members
☒ Insured persons
☒ Interested parties
☐ Doctors, lawyers, accountants, tax advisers and other professionals subject to professional secrecy requirements
☐ Loss adjusters
Applicants to the Controller for insurance including but not limited to applications for life and/or health insurance.
Should there be any conflict or ambiguity, this Agreement will take precedence over any civil law provisions between the Controller and the Processor where necessary for validity.
² Please tick the appropriate box.
Section 2. Persons involved
The following persons are authorised by the Controller to give instructions/may be contacted:
As set out in the Key Terms
The following persons are authorised by the Processor to receive instructions/may be contacted. The Processor shall update the list from time to time:
Ferghal Dunne, Financial Controller
Tel: +353 1 293 3304 (direct) and +353 1 293 2888
Natalija Tuatova, Finance Department, Finance Assistant
Tel: +353 1 293 2659 (direct) & +353 1 293 2888
Zoë Hodgins, Finance Department, Accounts Assistant
Tel: +353 1 293 2643 (direct) and +353 1 293 2888
Conor Moriarty, Director of Knowledge Management
Tel: +353 1 293 2888
Diarmuid O’Brien, Head of Legal,
Tel: +353 1 293 3315 (direct) & +353 1 293 2888
John Glynn, Solicitor
Fausto Teghillo, IT Manager
Tel: +353 1 293 2656 (direct) & +353 1 293 2888
Ross Mayne, CEO
Tel: +353 1 293 2888
Paul Duggan, COO/CFO
Tel: +353 1 293 2888
Colm Kennedy, Chief Product Officer
Tel: +353 1 293 2888
Asia and Australasia Region
Alby van Wyk, Executive Vice President Asia
Mobile: +61 426 123083
Seng Thiam Toh, VP Client Solutions Asia
Tel: +65 6653 1933 Mobile: +65 9437 8727
Andrew Yeoh, VP Business Development Asia
Mobile: +65 97270283
Shane Edwards, Projects and Support Manager, Asia
Direct: +61 2 8404 9202
Emiko Umeda, Projects and Client Service Manager, Japan
Tel: +81 3 4550 1551
Yoichi Hayashi, Business Development Manager, Japan
Tel: +81 3 4550 1550
Paul Donnelly, Executive Vice-President, EMEA
Tel: +353 1 293 3301
Paul Hackett, Business Development Manager, EMEA
Tel: +44 1270 620 912
Diane O’Brien, Business Development Manager, EMEA
Tel: +353 1 293 3310
Niall Gilligan, Senior Project Manager, EMEA
Tel: +353 1 293 2642
Andrew Smyth, Senior Project Manager, EMEA
Tel: +353 1 293 2888
Data protection officer of the Processor:
Diarmuid O’Brien, Legal Department, Head of Legal,
Mountainview, Central Park,
Leopardstown, Dublin 18, Ireland
Tel: +353 1 293 3315 (direct) and +353 1 293 2888 (main).
Data protection officer of the Controller:
As set out in the Key Terms
(First name, surname, unit, function, telephone, e-mail)
If the contact person changes or will not be available for a long period of time, the other party must be notified in writing without undue delay of the contact person’s deputy or replacement; this must also be done if the communication channel is changed. This will only apply for the data protection officer if the information is not available on the internet.
For the purposes of this Agreement, the terms “in writing” or “written” shall mean in paper form or in a documented electronic form, for example by e-mail.
Section 3. Rights and obligations of the Controller
(1) The Controller of the personal data set out in section 1 of this Agreement must ensure that the processing of the personal data meets the requirements of the applicable Data Protection Legislation to which it is subject; the Controller must ensure that the rights and freedoms of the data subject are protected.
(2) The Controller will place all orders or partial orders in writing. Changes to processing or processes must be agreed in writing with the Processor, and determined and documented in accordance with section 1 and section 2 of this Agreement. The Controller has the right to issue instructions concerning the nature, scope and methods of data processing. Verbal instructions must be confirmed in writing without delay.
(3) The Controller must advise the Processor without delay if it discovers errors or irregularities when inspecting the work results.
(4) The Processor undertakes to maintain strict confidentiality with regard to the Controller’s business secrets and measures to ensure the security of processing of which it becomes aware within the framework of this Agreement. The obligation to maintain confidentiality will continue even after this Agreement has been terminated.
Section 4. Obligations of the Processor
(1) The Processor may only process personal data within the framework of agreements in place and where documented instructions are received from the Controller, unless required to perform any other processing by applicable law to which the Processor is subject. In such a case, the Processor must inform the Controller of that legal requirement before processing, unless that law prohibits the provision of such information on important grounds of public interest. This applies also to any persons acting under the authority of the Processor who have access to the Controller’s personal data. The Processor undertakes to ensure compliance with this.
(2) The Processor must immediately inform the Controller if, in its opinion, an instruction infringes the Data Protection Legislation provisions or provisions of agreements in place. The Processor is entitled to delay carrying out the instructions concerned until they are confirmed or amended by the Controller.
(3) The Processor must only amend, erase or restrict the personal data covered by this Agreement if the Controller so requires in the Agreement in place or instructs it to do so and if there are no conflicting legitimate interests of the Processor.
(4) The Processor may not use the data provided for processing for any other purpose.
(5) Data carriers provided by the Controller or used on its behalf will be specially labelled as such, and their receipt or return must be documented. The Processor will keep the data processed for the Controller strictly separate from other datasets.
(6) The Processor undertakes to maintain strict confidentiality when processing the Controller’s personal data in line with this Agreement. The obligation to maintain the confidentiality of data will continue even after this Agreement has been terminated.
(7) If the Controller is a private health, casualty or life insurance company, the Processor is subject to the additional obligations according to the Annex to this paragraph.
(8) The Processor will ensure that the necessary security measures pursuant to Data Protection Legislation are in place for data processing. The details of binding security measures for data processing are set out in the attached Annex. Technical and organisational measures may be adjusted in the course of processing to take account of technical and organisational developments. The level of security may not fall below the measures specified in the Annex. Any material changes must be documented in writing. Any decisions concerning the organisation of the data processing and methods used that could materially impact on security must be agreed in advance with the Controller and noted in writing.
If security measures put in place by the Processor do not meet the specifications, the Processor will inform the Controller immediately.
(9) The Processor must make available to the Controller all information necessary to demonstrate compliance with the Processor’s obligations of applicable law or in this Agreement, including any instructions issued, and – usually with prior notice – will allow checks (including inspections on site) to be carried out by the Controller and/or its authorised agent and will provide assistance as required.
The following rules will apply to the processing of personal data in a private residence³:
☒ Home office/teleworking: The Processor will ensure that the above checks can also be carried out on the premises concerned. The Processor confirms that it has obtained the consent in writing of all residents of the private residence to such checks being carried out.
☐ Within the scope of mobile working, data may be processed in private residences. The relevant rules are attached in the Annex.
(10) Taking into account the nature of the processing, the Processor will assist the Controller with appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in the Data Protection Legislation (particularly information, access, rectification, erasure, restriction on processing, data portability and objections where relevant in each case). If the data subject contacts the Processor directly, the Processor will inform the Controller of such contact immediately. The Processor may only itself provide information to the data subject or any third party with the Controller’s prior written consent. This shall also apply to any other enquiry that is recognisably addressed to the Controller.
(11) Upon request, the Processor will give the Controller a Record of Processing Activities.
(12) The Processor undertakes to assist the Controller in ensuring compliance with its obligations in respect of security of processing, data protection impact assessment, taking into account the nature of processing and the information available to the Processor.
(13) The Processor must notify the Controller without delay on becoming aware of any personal data breach, using the e-mail address of the Customer Data Protection Officer or (if none) the Customer Contact Manager as set out in the Key Terms. This notification must contain at least the following information:
(a) A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) The name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) A description of the likely consequences of the personal data breach;
(d) A description of the measures taken or proposed by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Processor may make notifications for the Controller only after having been instructed to do so in accordance with section 2 of this Agreement.
(14) ☒ The processing of personal data by the Processor will take place in a member state of the European Union (“EU”) or European Economic Area (“EEA”). Any performance of the service provided or parts of it in a third country requires the prior written consent of the Controller and may only take place if the specific requirements for the Transfers of Personal Data to Third Countries set out in the Data Protection Legislation are met.
(15) At the discretion of the Controller, the Processor undertakes to delete or return all personal data to the Controller after the end of the provision of services relating to processing, and to delete existing copies unless applicable law requires storage of the personal data. Upon request, documentation of the deletion must be provided to the Controller.
³ Please tick the appropriate box.
Section 5. Sub-contractual relationships
(1) Sub-contractual relationships within the meaning of this Agreement refer to services that are directly related to the performance of contractual provisions. They do not generally cover ancillary services that the Processor uses, such as telecommunications, post and transportation, maintenance, help desks and other measures designed to ensure the confidentiality, availability, integrity and resilience of hardware and software for data processing centres. However, for such outsourced services the Processor is required to conclude appropriate and legally binding contractual arrangements and carry out checks in order to guarantee data protection and the data security of the Controller’s personal data.
(2) ☒ The Controller grants the Processor a general authorisation to use subcontractors. The Processor must always give the Controller notice of any intended changes concerning the addition or replacement of other processors (stating company, country, type of subcontracted service and the legal basis for transferring data in accordance with section 4(14)), and the Controller has, in accordance with section 2, the right to object to any such changes within one month, in which case the Processor may not engage the services of the subcontractor concerned. The engagement of the subcontractor is deemed to be authorised upon expiry of the notice period where express authorisation has not already been given. The notice period starts with access to the information at the Controller.
The Processor will inform the Controller about the change of subcontractors in the following manner: By providing advance notice to the Controller.
☒ The subcontractors listed in the Annex are authorised (company, country, type of subcontracted service and information pursuant to section 4(14) to the extent relevant).
(3) If the Processor engages another processor in order to carry out certain processing services on behalf of the Controller, the Processor must bind the new processor by a written contract or other legal act under applicable law to the same data protection obligations as those set out in this Agreement, and in particular there must be adequate safeguards to ensure that technical and organisational measures can be implemented in such a way that processing meets the requirements of the Data Protection Legislation. If necessary, the Controller must be given the right to carry out checks on the subcontractor’s premises; the nature and the extent of the Processor’s right of audit must be taken into account.
Section 6. Responsibility/liability
Section 7. Miscellaneous
(1) The Processor may terminate this Agreement with one month’s notice if it can no longer fulfil the provisions of or duties under this Agreement, especially if the Controller refuses to accept the appointment of a subcontractor.
(2) Any supplement to this Agreement must be made in writing.
(3) Should any provision of this Agreement be invalid, this shall not affect the validity of the remaining provisions of the Agreement.
(4) This Data Processing Agreement shall be governed and construed in accordance with the laws of Ireland. Any disputes or claims arising out of or in connection with this Data Processing Agreement shall be submitted to the exclusive jurisdiction of the courts of Ireland.
☐ Pursuant to section 4(7) (additional obligations of life insurers)
☒ Pursuant to section 4(8) (Security of processing): As per Information Security Program.
☐ Pursuant to section 4(9) (Conditions for Mobile Working)
☐ Pursuant to section 4(14) (Measures to ensure an adequate level of data protection)
☒ Pursuant to section 5(2) (List of authorised sub-contractors):
Amazon Web Services (AWS)
Purpose: Cloud-Hosting via Cloud-Services platform.
Location: Singapore / USA / Canada / Ireland / Germany and any other AWS hub selected by Supplier.
Term: Subscription Term.
| Version | Date | Rationale for Update | Update |
|---|---|---|---|
| v1.0 | 16/02/2022 | Initial release | Data Processing Agreement. |