Firefish Group Supplier Data Protection Addendum
This data protection addendum, including its Annexes (“DPA”) forms part of and is incorporated in any agreement entered into between you (“Supplier”) and Firefish for the provision of services (identified as “Services” or otherwise in the applicable agreement (“Services”)) to Firefish (the “Agreement”). This DPA sets out the parties’ agreement regarding and applies to:
i) in Part A, the processing of personal data by Supplier on behalf of Firefish as part of the Services where Firefish is the data controller and Supplier is a data processor (“Data Processing Terms”); and
ii) in Part B, the sharing of personal data by Supplier with Firefish, where both parties act as a data controller (including as joint controllers) (“Controller Terms”).
1. Definitions and interpretation
1.1
Capitalised terms not defined in this DPA shall have the meaning ascribed to them in the Agreement. In this DPA, references to:
“Affiliate” means in respect of a party, any entity which directly or indirectly is controlled by, controls or is under common control with such party.
“Agreement” means any terms and conditions entered into between the Supplier and Firefish for the provision of the Services under which Supplier processes Firefish Personal Data;
“Data Privacy Laws” means all laws applicable to any personal data processed under or in connection with the Agreement, including: (i) Regulation (EU) 2016/679, (ii) the retained EU law version of the General Data Protection Regulation 2016/679/EC (“UK GDPR”) and the UK Data Protection Act 2018; (iii) all associated codes of practice and other binding guidance issued by any supervisory authority or regulator; and (iv) all other equivalent legislation, all as amended, re-enacted and/or replaced and in force from time to time, and the terms personal data, data controller, data processor, processing, and supervisory authority shall have the same meaning as in the applicable Data Privacy Laws;
“Firefish” means Firefish Ltd or its Affiliate (as applicable) being the entity that has entered into the Agreement with Supplier.
“Firefish Group” means Firefish and all of its Affiliates from time to time.
“Firefish Personal Data” means personal data supplied to Supplier by or on behalf of Firefish and processed by Supplier on behalf of Firefish, in each case in the performance of the Services.
“Non-Adequate Recipient” means a recipient of personal data which is established in a country or territory which has not been recognised by a relevant competent supervisory authority or another competent authority (including the European Commission) as providing an adequate level of protection (as defined by Data Privacy Laws) to personal data for the transfer and further processing of personal data;
“Restricted Transfer” means a transfer of personal data to a Non-Adequate Recipient which may be rendered permissible under Data Privacy Laws where a Transfer Mechanism is validly used to make and govern the transfer;
“Standard Contractual Clauses” or “SCCs” means a set of contractual provisions approved or otherwise recognised by a relevant competent supervisory authority as enabling an international transfer of personal data to be made in compliance with Data Privacy Laws including, in the EEA, the contractual provisions found in decision 2021/914 of the European Commission (“EEA SCCs”) and in the UK, the ICO’s International Data Transfer Agreement and/or the ICO’s International Data Transfer Addendum to the EEA SCCs for the transfer of personal data from the UK (“UK SCCs”);
“Transfer Mechanism” means any means of transferring personal data from a data exporter to a data importer, permitted under Data Privacy Laws, including the Standard Contractual Clauses.
1.2
Except as set out in paragraph 1.1 above or defined differently in this DPA, defined terms used in this DPA shall have the same meaning as set out in the Agreement.
To the extent of any conflict between this DPA and the rest of the Agreement, the terms of this DPA will take precedence.
Part A: DATA PROCESSOR TERMS
1. General
1.1
The subject matter and duration, the nature and the purpose of the processing to be carried out, the type(s) of Firefish Personal Data to be processed, and the categories of data subjects in relation to whom Firefish Personal Data will be processed by Supplier on behalf of Firefish under the Agreement are as set out in Annex 1 except where different provisions are set out in the Agreement or otherwise agreed by the parties in writing.
1.2
To the extent that Supplier processes Firefish Personal Data on Firefish’s behalf in the performance of the Services, Supplier shall be the data processor and Firefish shall be data controller with respect to such processing.
1.3
Each party shall comply with its obligations under the Data Privacy Laws in respect of any personal data it processes in connection with the Services. In the event of inconsistency or conflict between the Data Privacy Laws or approach to compliance of one applicable jurisdiction and another, the requirements of the country that necessitates stricter or additional requirements to protect personal data shall apply.
2. Compliance with Data Privacy Laws
2.1
In relation to the processing of Firefish Personal Data, Supplier warrants, represents and undertakes for itself, and in respect of any sub-processor authorised under this DPA, that at all times it shall:
a) process Firefish Personal Data (including when making an international transfer of Firefish Personal Data) only to the extent necessary in order to provide the Services and then only in accordance with the terms of this DPA and Firefish’s written instructions from time to time (including as set out in the Agreement), unless otherwise required by law. Where Supplier is required by law to process Firefish Personal Data otherwise than as provided by this DPA, it will notify Firefish before carrying out the processing concerned (unless the law also prevents Supplier from doing so for reasons of public interest). If Supplier is aware, or of the opinion, that any instruction given by Firefish breaches Data Privacy Laws, Supplier shall immediately inform Firefish, giving details of the potential breach;
b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Firefish Personal Data transmitted, stored or otherwise processed under this DPA;
c) take all reasonable steps to ensure that only authorised personnel have access to Firefish Personal Data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to Firefish Personal Data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
d) not do, or omit to do, anything which would cause Firefish to be in breach of its obligations under Data Privacy Laws;
e) not publish, disclose or divulge (and ensure that its personnel do not publish, disclose or divulge) any Firefish Personal Data to a third party unless Firefish has given its prior written consent;
f) ensure that only such of its personnel who may be required by Supplier to assist it in meeting its obligations in connection with the Services will have access to Firefish Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the reliability of such personnel;
g) inform Firefish promptly, and in any event within 24 (twenty-four) hours, of any enquiry or complaint received from a data subject or supervisory authority relating to Firefish Personal Data;
h) at no additional cost, provide full cooperation and assistance to Firefish (and its clients, as applicable) as Firefish (and its client, as applicable) may require to allow Firefish (and its client, as applicable) to comply with its obligations under the Data Privacy Laws, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfilment of data subject’s rights, and any enquiry, notice or investigation by a supervisory authority;
i) allow Firefish (and its client, as applicable) to monitor and audit Supplier’s compliance with the Data Privacy Laws and its obligations under this DPA at any time during normal business hours. Supplier agrees to provide Firefish (and its client, as applicable) promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If Firefish (or its client, as applicable) believes that an on-site audit is necessary, Supplier agrees to give Firefish (and its client, as applicable) reasonable access to Supplier’s premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has on-site. Firefish (and its client, as applicable) is entitled to have the audit carried out by a third party; and
j) at the request and option of Firefish or its client (whether during or following termination of the Services), promptly and as specified by Firefish return and/or destroy all Firefish Personal Data in the possession or control of Supplier.
2.2
Supplier shall, on Firefish’s request, make available to Firefish all information necessary to demonstrate compliance with this DPA and Supplier shall, at Firefish’s sole expense, comply with all reasonable requests from Firefish to allow Firefish’s independent auditors or external representatives to access and inspect Supplier’s records relevant to any Firefish Personal Data processed by it on behalf of Firefish under this Agreement, in each case to enable Firefish to verify that Supplier is complying fully with its obligations under this DPA and under Data Privacy Laws in relation to Firefish Personal Data processed by it on behalf of Firefish.
2.3
Upon completion of the Services, Supplier will delete or return to Firefish all Firefish Personal Data processed by Supplier under this Agreement, except to the extent that Supplier is required by law to retain any copies of Firefish Personal Data.
3. Sub-processors
3.1
Supplier shall not appoint any third party to process Firefish Personal Data (“Sub-processor”) other than with Firefish’s prior written consent or in accordance with this section 3, and subject in all cases to Supplier:
- a) providing reasonable prior written notice to Firefish of the identity and location of the Sub-processor and a description of the intended processing to be carried out by the Sub-processor to enable Firefish to evaluate any potential risks to Firefish Personal Data;
- b) imposing legally binding contract terms on the Sub-processor which are the same as those contained in this DPA.
3.2
Supplier acknowledges and agrees that it shall remain liable to Firefish for a breach of the terms of this DPA by a Sub-processor and other subsequent third-party processors appointed by it.
3.3
Firefish consents to Supplier engaging the Sub-processors for the processing of Firefish Personal Data as set out in Annex 1.
3.4
Firefish may object to Supplier’s use of a new Sub-processor on reasonable grounds relating to the protection of personal data, by notifying Supplier in writing within 30 days of receipt of Supplier’s notice under paragraph 3.1(a). The parties will promptly negotiate in good faith to resolve Firefish’s concerns; however, if after a reasonable period of time (and in any case no longer than 30 days from notification of Firefish’s initial objection) the parties cannot agree a suitable resolution, Firefish shall, upon written notice to Supplier, be entitled to terminate those Services under the Agreement that cannot be provided without the use of the contested Sub-processor. Supplier will refund Firefish any fees paid in advance for the terminated Services corresponding to the unexpired term after the effective date of termination.
4. Security breaches
4.1
Supplier shall notify Firefish in the most expedient time possible under the circumstances and in any event within 24 (twenty-four) hours of becoming aware of any actual or suspected accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Firefish Personal Data (“Security Breach”). Supplier shall also provide Firefish with a detailed description of the Security Breach, the type of data that was the subject of the Security Breach and (to the extent known to Supplier) the identity of each affected person(s), as soon as such information can be collected or otherwise becomes available, as well as all other information and co-operation which Firefish may reasonably request relating to the Security Breach.
4.2
Supplier agrees to take action immediately, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of any such Security Breach and, with Firefish’s prior agreement, to carry out any recovery or other action necessary to remedy the Security Breach.
4.3
Supplier may not issue, publish or make available to any third party any press release or other communication concerning a Security Breach without Firefish’s prior written approval.
5. International data transfers
5.1
Supplier shall not make a Restricted Transfer, or process any Firefish Personal Data in a country or territory in which the recipient would be a Non-Adequate Recipient, without Firefish’s prior written consent (which may be given in the Agreement or this DPA), and then only as strictly necessary for the purpose of the Services.
5.2
If, pursuant to paragraph 5.1, Supplier or any of its Sub-processors are authorised to make a Restricted Transfer of Firefish Personal Data, then Supplier shall ensure that a Transfer Mechanism is put in place to ensure that the transfer complies with Data Privacy Laws and shall comply with such other instructions and shall carry out such other actions as Firefish may notify to it in writing.
5.3
Subject to the requirements of paragraph 5.2, Firefish hereby authorises Supplier to make Restricted Transfers to the extent strictly required for the processing carried out by Sub-processors approved pursuant to section 3, and Supplier shall ensure that it and the relevant Sub-processor comply at all times with Data Privacy Laws in respect of the Restricted Transfer, including that the conditions for use of the chosen Transfer Mechanism for the Restricted Transfer are met.
Transfers between Supplier and Firefish
5.4
To the extent that, in order for the Supplier to deliver the Services, any Restricted Transfer of Firefish Personal Data is required between Firefish or its Affiliate (acting as an ‘exporter’) and the Supplier (acting as an ‘importer’), or between the Supplier (acting as an ‘exporter’) and Firefish or its Affiliate (acting as an ‘importer’), the parties will ensure that an agreed Transfer Mechanism will govern such Restricted Transfer(s), which may include any relevant provisions of the Standard Contractual Clauses.
5.5
Where a Restricted Transfer set out in paragraph 5.4 would result in the transfer of Firefish Personal Data from the European Economic Area to a Non-Adequate Recipient outside the European Economic Area, Part A of Annex 2 shall apply to such Restricted Transfers.
5.6
Where a Restricted Transfer set out in paragraph 5.4 would result in the transfer of Firefish Personal Data from Switzerland to a Non-Adequate Recipient outside of Switzerland, Part B of Annex 2 shall apply to such Restricted Transfers.
5.7
Where a Restricted Transfer set out in paragraph 5.4 would result in the transfer of Firefish Personal Data from the UK to a Non-Adequate Recipient outside of the UK, Part C of Annex 2 shall apply to such Restricted Transfers.
5.8
For the purposes of any Restricted Transfers described in paragraphs 5.5 to 5.7 (inclusive) above, the Supplier shall implement and maintain all supplementary measures to ensure compliance with its obligations as data exporter and to render the Restricted Transfer effective and compliant with the Data Privacy Laws.
5.9
To the extent that the parties consider that any specific Restricted Transfers of the nature described in paragraphs 5.5 to 5.7 (inclusive) are not adequately protected by the Transfer Mechanisms incorporated into this DPA pursuant to those paragraphs, the parties shall work together to put in place an alternative or amended Transfer Mechanism to ensure such Restricted Transfers comply with Data Privacy Laws.
New Transfer Mechanisms
5.10
Where any updates or amendments to, or replacement of, a Transfer Mechanism is approved by the competent authority/ies during the term of the Agreement (“New Transfer Mechanism“), the parties will work together to agree and to put in place a New Transfer Mechanism.
6. Indemnity
6.1
Supplier shall indemnify and keep Firefish and its Affiliates (and its or their client, if applicable) fully and effectively indemnified in respect of all losses, damages, costs, charges, expenses and liabilities (including regulatory penalties imposed on Firefish or its Affiliates or its or their client, if applicable) arising out of or in connection with a breach by Supplier or its Sub-processors of this DPA or Data Privacy Laws.
Part B: DATA CONTROLLER TERMS
7. Data Discloser / Data Recipient
7.1
Where Supplier provides Services which involve the collection and processing of personal data (which shall be confined to the categories of information set out in the Agreement (“Shared Personal Data”)) as a data controller, the parties acknowledge and agree that Supplier (the “Data Discloser”) may disclose such Shared Personal Data to Firefish (the “Data Recipient”). Each of the Data Discloser and Data Recipient acts as a Data Controller (as the case may be, as Joint Data Controllers) in respect of the Shared Personal Data and each shall comply with the obligations on a Data Controller under Data Privacy Laws in respect of the Shared Personal Data.
8. Discloser obligations
The Data Discloser shall:
a) ensure that it has all necessary consents and notices in place to enable the lawful transfer of the Shared Personal Data to the Data Recipient and any Permitted Recipients (as defined below) for the purposes of the Agreement;
b) give full information to any data subject whose personal data may be processed under this Agreement of the nature of such processing;
c) only process Shared Personal Data for the purposes contemplated by the Agreement and in accordance with the consents obtained from the relevant data subjects;
d) not disclose or allow access to the Shared Personal Data to anyone other than the parties to the Agreement, the employees and professional advisors of each party, and any third parties engaged to perform obligations in connection with these Controller Terms (“Permitted Recipients”);
e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by the Controller Terms;
f) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
g) not transfer, nor permit any onward transfer by a third party of, any Shared Personal Data outside of the UK, European Economic Area or Switzerland unless the following conditions are fulfilled:
i) appropriate safeguards are provided in relation to the transfer in accordance with the Data Privacy Laws;
ii) the data subject has enforceable rights and effective legal remedies; and
iii) the transferor complies with its obligations under the Data Privacy Laws by providing an adequate level of protection to any Shared Personal Data that is transferred, including by implementing any Transfer Mechanism.
h) to the extent that any Restricted Transfer of Shared Personal Data is required between the Supplier (acting as an ‘exporter’) and Firefish (acting as an ‘importer’), or between Firefish (acting as an ‘exporter’) and the Supplier (acting as an ‘importer’), ensure (together with the other party) that an agreed Transfer Mechanism will govern such Restricted Transfer(s), which may include any relevant provisions of the Standard Contractual Clauses. Where such a Restricted Transfer would result in the transfer of Shared Personal Data:
i) from the European Economic Area to a Non-Adequate Recipient outside the European Economic Area, Part A of Annex 3 shall apply to such Restricted Transfers.
ii) from Switzerland to a Non-Adequate Recipient outside of Switzerland, Part B of Annex 3 shall apply to such Restricted Transfers.
iii) from the UK to a Non-Adequate Recipient outside of the UK, Part C of Annex 3 shall apply to such Restricted Transfers.
9. Assistance
9.1
Each party shall assist the other in complying with all applicable requirements of the Data Privacy Laws. In particular, each party shall, at its own cost:
a) consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;
b) promptly inform the other Party about the receipt of any exercise of a data subject’s rights under the Data Privacy Laws;
c) provide the other party with reasonable assistance in complying with any exercise of data subject’s rights under the Data Privacy Laws;
d) not disclose or release any Shared Personal Data in response to any exercise of a data subject’s rights without first consulting the other party wherever possible;
e) assist the other party, in responding to any exercise of a data subject’s rights and in ensuring compliance with its obligations under the Data Privacy Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
f) notify the other party without undue delay on becoming aware of any breach of the Data Privacy Laws relating to the Shared Personal Data.
10. Indemnity
10.1
Supplier shall indemnify and keep Firefish and its Affiliates (and its or their client, if applicable) fully and effectively indemnified in respect of all losses, damages, costs, charges, expenses and liabilities (including regulatory penalties imposed on Firefish or its Affiliates or its or their client, if applicable) arising out of or in connection with a breach by Supplier or its Sub-processors of these Controller Terms or Data Privacy Laws.
10.2
Nothing shall exclude or limit either party’s liability for fraud or for death or personal injury arising from its negligence, or for any other liability which cannot be excluded or limited as a matter of law. Subject to this, a party’s total aggregate liability for breach of these Controller Terms (including Annex 3 hereto), whether in contract, tort (including negligence), strict liability or otherwise, is limited to £5,000,000.
Annex 1 – Data Protection Particulars
- Processing by Supplier: For the provision of the Services as set out in the applicable order document to the Agreement (“Work Order”), which may include services related to market research, recruitment, fieldwork, analysis and reporting.
- Scope & Nature: See description of Services in the applicable Work Order to the Agreement.
- Purpose of processing: For the service provision agreed between the parties in the Work Order.
- Frequency of processing: Processing will be continuous or ad hoc dependent on the nature of service provision.
- Duration of the processing: For so long as the Services are provided under the Agreement and/or in accordance with Firefish’s written instructions.
- Data subjects: As set out in the applicable Work Order to the Agreement or as determined by the nature of the Services under the Agreement and which may include:
For market research services: Market research participants
For HR/Finance services: Firefish employees/contractors
For business services: Firefish employees, Firefish Third Parties
- Types and/or categories of personal data: As set out in the applicable Work Order to the Agreement or as determined by the nature of the Services under the Agreement and which may include:
For market research services:
- Name and contact details (phone and email)
- Age, gender and location
- Address, if any research is to be conducted in a home
- Bank details for incentives paid via BACS
- Audio recordings, video footage and films
- Other types of personal data will be specified on confirmation of each Work Order
- Special Category Personal Data (which includes sensitive personal information such as health status/information, ethnicity, sexual orientation, sex life, political opinions, religious or philosophical beliefs) should only be processed if specified and necessary to provide the Services.
All types of personal data should only be processed on the strict basis that consent has been gained.
For HR/Finance services: full name, contact details (phone, email), address, tax data such as NI number, bank details, emergency contact name and contact details, proof of identity and address. If Special Category Data is processed this will include health and criminal background data.
For business services: Firefish employee and Firefish third party contact details which may include IP address/geo-location data
- Sub-processors: As set out in or in accordance with the Agreement
Annex 2: Data Processor Terms – Incorporation of SCCs (C2P and P2C)
Part A: EEA Transfers
Where the EEA SCCs are agreed as required by the parties for a Restricted Transfer, EEA SCCs are hereby deemed accepted by the parties and incorporated and read as follows:
| EEA SCC clause reference | Interpretation – Controller to Processor (Module 2) | Interpretation – Processor to Controller (Module 4) |
| --- | --- | --- |
| Clause 7 – optional docking clause | Clause is not included | Clause is not included |
| Clause 9 – use of sub-processors | OPTION 2: GENERAL WRITTEN AUTHORISATION is chosen | N/A |
| Clause 11 – redress | The optional paragraph within clause 11(a) is removed | The optional paragraph within clause 11(a) is removed |
| Clause 17 – governing law | Irish law shall be included in Clause 17 where a Member State is required to be specified | Irish law shall be included in Clause 17 where a Member State is required to be specified |
| Clause 18 – choice of forum and jurisdiction | Irish courts shall be included in Clause 18 where a Member State is required to be specified | Irish courts shall be included in Clause 18 where a Member State is required to be specified |
| Part A, Annex I – list of parties | For transfers from Firefish to Supplier: Firefish identified as the data exporter; and Supplier identified as the data importer | For transfers from Supplier to Firefish: Supplier identified as the data exporter; and Firefish identified as the data importer |
| Part B, Annex I – description of transfer | Populated with the relevant details of Annex 1 of this DPA | Populated with the relevant details of Annex 1 of this DPA |
| Part C, Annex I – competent supervisory authority | The Data Protection Commission of Ireland shall be included where a competent supervisory authority is required to be specified | N/A |
| Annex II – technical and organisational measures | As set out in paragraph 2.1(b) of the Data Processor Terms of this DPA | N/A |
| Annex III – list of sub-processors | Populated in accordance with the Sub-processors section of Annex 1 of this DPA | N/A |
PART B: Swiss Transfers
Swiss Transfers: Where the Swiss Federal Act on Data Protection of June 19, 1992, as amended or replaced (“Swiss FADP”) applies, the EEA SCCs above will apply as follows:
- the Swiss Data Protection and Information Commissioner is the exclusive supervisory authority;
- the term “member state” must not be interpreted in such a way as to exclude data subjects of Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EEA SCCs; and
- references to the GDPR in the EEA SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.
PART C: UK Transfers
Where Standard Contractual Clauses are agreed as required by the parties for a Restricted Transfer involving any Firefish Personal Data that is subject to the Data Privacy Laws in the UK, the EEA SCCs found in Part A of this Annex 2 are incorporated, as amended by the Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0 (the “IDTA”), which is hereby incorporated into this DPA as the Transfer Mechanism for any Restricted Transfers of Firefish Personal Data from the United Kingdom to a Non-Adequate Recipient, as populated by the details set out below:
Part 1: Tables
Table 1: Parties and signatures
Table 1 is populated as follows:
- The details of the Exporter and the Importer are populated with the relevant details of Firefish or (where the transfer is to or from a Firefish Affiliate) its Affiliate and Supplier (each as appropriate for the transfer) as described in the Agreement.
- The Key Contact for Firefish is the DPO, contactable at dataprotection@firefishgroup.com. The Key Contact for Supplier is populated with the details of the signatory to the Agreement.
- The signatures to the Agreement to which this DPA relates constitute the signatures confirming each party agreeing (for itself and, as applicable, its relevant Affiliate(s)) to be bound by the IDTA.
Table 2: Selected SCCs, Modules and Selected Clauses
Table 2 is populated as follows:
- The Approved EU SCCs, including the Appendix Information, and with only the following modules, clauses or operational provisions of the Approved EU SCCs brought into effect for the purposes of this DPA.
- The modules and operational clauses in table 2 are populated with the relevant details of Part A, Annex 2 of this DPA.
- For the purposes of Option 4, personal data received from the importer may be combined with personal data collected by the exporter.
Table 3: Appendix Information
Table 3 is populated as follows:
- The list of parties is populated with the details of the parties found in the Agreement (or as applicable such party’s relevant Affiliate).
- A description of the transfer is populated with the details of the DPA and of Annex 1 of the DPA.
- The technical and organisational measures are populated with the details of paragraph 2.1(b) of the Data Processor Terms of this DPA.
- The list of Sub-processors is as set out in the Sub-processors section of Annex 1 of this DPA.
Table 4: Ending this IDTA when the Approved Addendum Changes
Neither party may end this IDTA as set out in Section 19 of the IDTA.
Annex 3: Controller Terms – Incorporation of SCCs (C2C)
Part A: EEA Transfers
Where the EEA SCCs are required for a Restricted Transfer between the parties acting as data controllers, EEA SCCs are hereby deemed accepted by the parties and incorporated and read as follows:
| EEA SCC clause reference | Interpretation – Controller to Controller (Module 1) |
| --- | --- |
| Clause 7 – optional docking clause | Clause is not included |
| Clause 9 – use of sub-processors | N/A |
| Clause 11 – redress | The optional paragraph within clause 11(a) is removed |
| Clause 17 – governing law | Irish law shall be included in Clause 17 where a Member State is required to be specified |
| Clause 18 – choice of forum and jurisdiction | Courts of Ireland shall be included in Clause 18 where a Member State is required to be specified |
| Part A, Annex I – list of parties | For transfers from Supplier to Firefish: Supplier identified as the data exporter; and Firefish identified as the data importer. For transfers from Firefish to Supplier: Firefish identified as the data exporter; and Supplier identified as the data importer |
| Part B, Annex I – description of transfer | For the purpose of the Services as set out in the Work Order to the Agreement |
| Part C, Annex I – competent supervisory authority | The Data Protection Commission of Ireland shall be included where a competent supervisory authority is required to be specified |
| Annex II – technical and organisational measures | As set out at paragraph 8(f) of the Controller Terms of this DPA and/or the relevant provisions of the Agreement (as applicable) |
| Annex III – list of sub-processors | N/A |
Part B: Swiss Transfers
Swiss Transfers: Where the Swiss Federal Act on Data Protection of June 19, 1992, as amended or replaced (“Swiss FADP”) applies, the EEA SCCs above will apply as follows:
- the Swiss Data Protection and Information Commissioner is the exclusive supervisory authority;
- the term “member state” must not be interpreted in such a way as to exclude data subjects of Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EEA SCCs; and
- references to the GDPR in the EEA SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.
Part C: UK Transfers
Where Standard Contractual Clauses are required by the parties for a Restricted Transfer in accordance with these Controller Terms that is subject to the Data Privacy Laws in the UK, the EEA SCCs found in Part A of this Annex 3 are incorporated, as amended by the Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0 (the “IDTA”), which is hereby incorporated into this DPA as the Transfer Mechanism for any Restricted Transfers by a party from the United Kingdom to the other party as a Non-Adequate Recipient, as populated by the details set out below:
Part 1: Tables
Table 1: Parties and signatures
Table 1 is populated as follows:
- The details of the Exporter and the Importer are populated with the relevant details of Supplier and Firefish (each as appropriate for the transfer) as described in the Agreement.
- The Key Contact for Firefish is the DPO, contactable at dataprotection@firefishgroup.com. The Key Contact for the Supplier is populated with the details of the signatory to the Agreement.
- The signatures to the Agreement to which this DPA relates constitute the signatures confirming each party agreeing (for itself and, as applicable, its relevant Affiliate(s)) to be bound by the IDTA.
Table 2: Selected SCCs, Modules and Selected Clauses
Table 2 is populated as follows:
- The Approved EU SCCs, including the Appendix Information, and with only the following modules, clauses or operational provisions of the Approved EU SCCs brought into effect for the purposes of this DPA.
- The modules and operational clauses in table 2 are populated with the relevant details of Part A of this Annex 3.
- For the purposes of Option 4, personal data received from the importer may be combined with personal data collected by the exporter.
Table 3: Appendix Information
Table 3 is populated as follows:
- The list of parties is populated with the details of the parties found in the Agreement (or as applicable such party’s relevant Affiliate).
- A description of the transfer is populated with the details at Part A of this Annex 3.
- The technical and organizational measures are populated with the details referred to in Part A of this Annex 3.
Table 4: Ending this Addendum when the Approved Addendum Changes
Neither party may end this Addendum as set out in Section 19 of the IDTA.
Anti-Bribery Policy
We are committed to the highest standards of ethical conduct and integrity in our business activities in the UK and overseas. This policy outlines our position on preventing and prohibiting bribery, in accordance with the Bribery Act 2010. The Firefish Group will not tolerate any form of bribery by, or of, its employees, agents or consultants or any person or body acting on its behalf. We should all be committed to implementing effective measures to prevent, monitor and eliminate bribery.
This policy applies to all employees and officers of the Firefish Group, and to temporary workers, consultants, contractors, agents and subsidiaries acting for, or on behalf of, the Firefish Group (“associated persons”) within the UK and overseas. Every employee and associated person acting for, or on behalf of, the Firefish Group is responsible for maintaining the highest standards of business conduct. Any breach of this policy is likely to constitute a serious disciplinary, contractual and criminal matter for the individual concerned and may cause serious damage to the reputation and standing of the Firefish Group.
The Firefish Group may also face criminal liability for unlawful actions taken by our employees or associated persons under the Bribery Act 2010. Therefore, all employees and associated persons are required to familiarise themselves and comply with this policy, including any future updates that may be issued from time to time by the Firefish Group.
The Bribery Act 2010 came into force on 1 July 2011. This policy covers:
- The main areas of liability under the Bribery Act 2010
- The responsibilities of employees and associated persons acting for or on behalf of the Firefish Group
- The consequences of any breaches of this policy
Bribery Act 2010
We are committed to complying with the Bribery Act 2010 in our business activities in the UK and overseas. Under the Bribery Act 2010, a bribe is a financial or other type of advantage that is offered or requested with the:
- Intention of inducing or rewarding improper performance of a function or activity
- Knowledge or belief that accepting such a reward would constitute the improper performance of such a function or activity
A relevant function or activity includes public, state or business activities or any activity performed in the course of a person’s employment, or on behalf of another company or individual, where the person performing that activity is expected to perform it in good faith, impartially, or in accordance with a position of trust.
A criminal offence will be committed under the Bribery Act 2010 if:
- An employee or associated person acting for, or on behalf of, the Firefish Group offers, promises, gives, requests, receives or agrees to receive bribes
- An employee or associated person acting for, or on behalf of, the Firefish Group offers, promises, or gives a bribe to a foreign public official with the intention of influencing that official in the performance of his/her duties (where local law does not permit or require such influence)
- The Firefish Group does not have adequate procedures in place to prevent bribery by its employees or associated persons.
What is prohibited?
We prohibit employees or associated persons from offering, promising, giving, soliciting or accepting any bribe. The bribe might be cash, a gift or other inducement to, or from, any person or company, whether a public or government official, official of a state-controlled industry, political party or a private person or company, regardless of whether the employee or associated person is situated in the UK or overseas. The bribe might be made to ensure that a person or company improperly performs duties or functions (for example, by not acting impartially or in good faith or in accordance with their position of trust) to gain any commercial, contractual or regulatory advantage for the Firefish Group in either obtaining or maintaining the Firefish Group business, or to gain any personal advantage, financial or otherwise, for the individual or anyone connected with the individual.
This prohibition also applies to indirect contributions, payments or gifts made in any manner as an inducement or reward for improper performance, for example through consultants, contractors or sub-contractors, agents or sub-agents, sponsors or sub-sponsors, joint-venture partners, advisors, customers, suppliers or other third parties.
Records
Employees and, where applicable, associated persons, are required to take particular care to ensure that all Firefish Group records are accurately maintained in relation to any contracts or business activities, including financial invoices and all payment transactions with clients, suppliers and public officials.
Employees and associated persons are required to keep accurate, detailed and up-to-date records of all corporate hospitality, entertainment or gifts accepted or offered.
Procedure
Employees and associated persons are required to comply with the Firefish Group’s risk management procedures and to report suspicions of bribery to their Managing Director. While any suspicious circumstances should be reported, employees and associated persons are required particularly to report:
- Close family, personal or business ties that a prospective agent, representative or joint-venture partner may have with government or corporate officials, directors or employees
- A history of corruption in the country in which the business is being undertaken
- Requests for cash payments
- Requests for unusual payment arrangements, for example via a third party
- Requests for reimbursements of unsubstantiated or unusual expenses
- A lack of standard invoices and proper financial practices
If an employee or associated person is in any doubt as to whether or not a potential act constitutes bribery, they should speak to the People Team or COO.
Corporate entertainment, gifts, hospitality and promotional expenditure
Principle
We do permit corporate entertainment, gifts, hospitality and promotional expenditure that is undertaken:
- For the purpose of establishing or maintaining good business relationships
- To improve the image and reputation of the Firefish Group
- To present the Firefish Group’s goods/services effectively
- Provided that it is arranged in good faith, and not offered, promised or accepted to secure an advantage for the Firefish Group or any of its employees or associated persons, or to influence the impartiality of the recipient
We will only authorise any reasonable, appropriate and proportionate entertainment and promotional expenditure.
This principle applies to employees and associated persons, whether based in the UK or overseas. However, those with remits overseas will be given further training on the specific procedures that they are required to follow.
Procedure
Employees and, where relevant, associated persons should submit requests in writing to their Managing Director for proposed hospitality and promotional expenditure well in advance of proposed dates. Make sure you include:
- The objective of the proposed client entertainment or expenditure
- The identity of those who will be attending
- The organisation that they represent
- Details and rationale of the proposed activity
We will approve business entertainment proposals only if they demonstrate a clear business objective and are appropriate for the nature of the business relationship. We will not approve business entertainment where we consider that a conflict of interest may arise or where it could be perceived that undue influence or a particular business benefit was being sought (for example, prior to a tendering exercise).
Employees and associated persons should immediately report to their Managing Director any gifts, rewards or entertainment received from, or offered by, clients, public officials, suppliers or other business contacts. In certain circumstances, it may not be appropriate to retain such gifts or be provided with the entertainment, and employees and associated persons may be asked to return the gifts to the sender or refuse the entertainment, for example, where there could be a real or perceived conflict of interest. As a general rule, small tokens of appreciation, such as flowers or a bottle of wine, may be retained by employees.
If an employee or associated person wishes to provide gifts to suppliers, clients or other business contacts, prior written approval from their Managing Director is required, together with details of the intended recipients, reasons for the gift and business objective. These will be authorised only in limited circumstances and will be subject to a cap of £100 per recipient.
Employees and, where applicable, associated persons must supply records and receipts, in accordance with the Firefish Group’s expenses policy.
Charitable donations
We recognise that charitable giving can form part of our wider commitment and responsibility to the community. We therefore support charities that are selected in accordance with objective criteria, following a risk assessment. We may also choose to support fundraising events involving employees, but any donations will be at the discretion of their Managing Director.
What practices are permitted?
This policy does not prohibit normal and appropriate hospitality and entertainment with clients (please see the Firefish Group’s expenses policy).
Please make sure that any practices are proportionate, reasonable and made in good faith. Clear records must be kept.
Reporting suspected bribery
Principle
We depend on our employees and associated persons to ensure that the highest standards of ethical conduct are maintained in all our business dealings. Employees and associated persons are requested to assist the Firefish Group and to remain vigilant in preventing, detecting and reporting bribery.
Employees and associated persons are encouraged to report any concerns that they may have to their Managing Director as soon as possible. Issues that should be reported include:
- Any suspected or actual attempts at bribery;
- Concerns that other employees or associated persons may be being bribed; or
- Concerns that other employees or associated persons may be bribing third parties, such as clients or government officials
Procedure
You must report any incidents of suspected bribery to your Managing Director immediately. Any such reports will be thoroughly and promptly investigated by them in the strictest confidence. Employees and associated persons will be required to assist in any investigation into possible or suspected bribery.
Employees or associated persons who report instances of bribery in good faith will be supported by us and we will ensure that the individual is not subjected to detrimental treatment as a consequence of his/her report. Any instances of detrimental treatment by a fellow employee because an employee has made a report will be treated as a disciplinary offence. An instruction to cover up wrongdoing is itself a disciplinary offence. If told not to raise or pursue any concern, even by a person in authority such as a manager, employees and associated persons should not agree to remain silent. They should report the matter to their Managing Director immediately.
Action by the Firefish Group
We will fully investigate any instances of alleged or suspected bribery. Employees suspected of bribery may be suspended from their duties while the investigation is being carried out and we will invoke our disciplinary procedures where any employee is suspected of bribery, and proven allegations may result in a finding of gross misconduct and immediate dismissal. We may terminate the contracts of any associated persons, including consultants or other workers who act for, or on behalf of, the Firefish Group who are found to have breached this policy.
The Firefish Group may also report any matter to the relevant authorities, including the Director of Public Prosecutions, Serious Fraud Office, Revenue and Customs Prosecutions Office and the police. We will provide all necessary assistance to the relevant authorities in any subsequent prosecution.
Firefish Group Code of Business Conduct
Firefish group companies respect national laws and industry Codes of Conduct in the countries we operate in. We are committed to acting ethically in all aspects of our business and to maintaining the highest standards of honesty and integrity.
- We, the officers and staff of all companies in Firefish group (“the Group”), recognise our obligations to all who have a stake in our success including clients, staff, and suppliers.
- Information about our business shall be communicated clearly and accurately, in a non-discriminatory manner and in accordance with local regulations.
- We select and promote our people on the basis of their qualifications and merit, without discrimination or concern for any characteristic protected by federal, state or local law across any of the countries in which we operate.
- We believe that a workplace should be safe and civilised; we will not tolerate sexual harassment, discrimination or offensive behaviour of any kind, which includes the persistent demeaning of individuals through words or actions or the display or distribution of offensive material, on Firefish group or client premises.
- We will not tolerate the use, possession or distribution of illegal drugs, or our people reporting for work under the influence of drugs or alcohol.
- We will treat all information relating to the Group’s business, or to its clients, as confidential. In particular, “insider trading” is expressly prohibited and confidential information must not be used for personal gain.
- We are committed to protecting consumer, client and employee data in accordance with national laws and industry codes.
- We will not knowingly deliver work which contains statements, suggestions or images offensive to general public decency, and will give appropriate consideration to the impact of our work on minority segments of the population, whether that minority is defined by any characteristic protected by federal, state or local law across any of the countries in which we operate.
- We will not undertake work which is intended or designed to mislead, including in relation to social, environmental and human rights issues.
- We will consider the potential for clients or work to damage the Group’s reputation prior to taking them on. This includes reputational damage due to participating in business activities that abuse human rights.
- We will not for personal or family gain directly or indirectly engage in any activity which competes with companies within the Group or with our obligations to any such company.
- We will not offer any items of personal inducement to secure business. This is not intended to prohibit appropriate entertainment or the making of occasional gifts of minor value (£150/$150 maximum as a guideline) unless the client has a policy which restricts this.
- We will not accept for our personal benefit goods or services of more than nominal value from suppliers, potential suppliers or other third parties, e.g. Christmas/holiday food or wine gifts, or event tickets worth less than £150/$150 per person.
- We will not have any personal or family conflicts of interest within our businesses or with our suppliers or other third parties with whom we do business.
- No corporate contributions of any kind, including the provision of services or materials for less than the market value, may be made to politicians, political parties or action committees, without the prior written approval of the Firefish group Board.
- We will comply with all applicable local laws and regulations, including the UK Modern Slavery Act, Title VII of the Civil Rights Act of 1964, and any other laws with an international reach, such as the US Foreign Corrupt Practices Act, where relevant.
- We will continue to strive to make a positive contribution to society and the environment by: maintaining high standards of marketing ethics; respecting human rights; respecting the environment; supporting community organisations; supporting employee development; and managing significant corporate responsibility risks in our supply chain.
- When we use social media and email in a professional capacity, we will not bring the Firefish Group into disrepute or breach confidentiality with any of our communications. This includes, but is not limited to, making defamatory comments about individuals, other companies or groups, sharing confidential client or internal communication, disclosing personal information without consent, breaching copyright or doing anything that could be considered discriminatory, offensive, bullying or harassment of an individual.
Actual or potential conflicts with this Code should be reported to your MD and/or the Firefish group COO, copying in the People Team.
Please follow our Whistleblowing policy (UK) or Protection Against Retaliation guideline (US) if appropriate. These can be found on the Firefish Group Homepage on Teams under ‘Handbook & People Policies’.