Supplier Policies
Firefish Group Supplier Policy
Firefish Ltd and its affiliates, Firefish Data Ltd, The Pineapple Lounge Ltd, The Pineapple Lounge LLC and Firefish USA LLC, form a group of businesses which in this supplier policy shall be referred to as the Firefish Group.
The Firefish Group is known for excellence and quality and strives to be a trusted business partner. Integral to these values are all the suppliers we have relationships with across our business. This supplier policy reflects the business standards the Firefish Group is committed to. To ensure we meet our goals we expect all suppliers working with any of the Firefish Group company to meet this policy.
Suppliers should have in place policies, procedures and best practice which meet all the expectations of this policy, taking into account applicable local/National legislation relevant to where their business operates. Suppliers are also expected to ensure their own onward supply chain complies in the same way.
1. Business & Performance
Quality Assurance
Suppliers shall maintain a high standard of performance and always be in a position to freely and regularly report on the approach, progress and quality of the services being provided. Suppliers must provide services in a professional manner that meet relevant industry standards and any pre-agreed service levels.
Supplier Personnel
Suppliers must have a staff recruitment and vetting process and carry out sufficient personnel background checks to ensure the suitability of their staff working with us and on our clients’ projects. As standard for the U.K. this will include Identity check, Right to Work in U.K., confirmation of reliability and competence for the role being performed checking, for example, previous employment records, CVs and written references. We expect non-UK companies to align to this and conform to any local laws and practises. Suppliers may also be required to conduct further criminal/credit checks on request where a Firefish Group company is under a legal or regulatory obligation to ensure they are carried out.
Our Employee Safety
Suppliers are responsible for taking the safety of any Firefish Group employees into account when providing services or goods on our behalf. Our policy is to ensure that our employees are not put at risk and where relevant, steps to mitigate any risks are agreed and taken in advance.
Sub-contracting
Suppliers must not use sub-contractors without permission from a Firefish Group company and on the understanding that suppliers are responsible for ensuring any sub-contractors meet this supplier policy.
Conflict of interest
Suppliers must not allow bias, conflict of interest, or inappropriate influence of others to override its professional judgements and responsibilities when working with the Firefish Group and are expected to declare any such conflicts under this policy
2. Regulations and Legal
Suppliers are responsible for meeting any and all applicable statutory regulations, which cover but are not limited to, good governance and integrity; registration and transparency, all applicable industrial and professional standards, codes, regulations and international guidelines and the collection of all necessary licenses and permissions in the supply of services.
Intellectual Property Rights (IPR)
Suppliers understand that any developed IPR as part of a research project or working relationship rests with whoever the commissioning client is. Suppliers must ensure that they do not cause any 3rd party IPR conflict when providing services.
Confidentiality
Suppliers will treat all information received relating to our/our clients’ businesses as strictly confidential. Confidential information should not be disclosed to a third party without express permission and on meeting agreed term and conditions.
Data Protection
Suppliers must comply with all applicable legislation in respect of privacy and data protection at all times including, but not limited to, the UK GDPR and EU GDPR. Suppliers must take appropriate technical and organisational measures that are aligned to recognised security standards to protect personal data from unauthorised or unlawful use and from accidental loss, damage or destruction. In particular, suppliers are expected to process any personal data passed to them by a Firefish Group company in accordance with instructions given. If Suppliers believe that any instructions from the Firefish Group are in conflict with any data protection legislation relevant to where their business operates then they must declare this and agree appropriate measures. Additional data processing agreements may be supplied by us or our clients. Suppliers must be notified with the relevant data protection body where applicable e.g. ICO for U.K.
Information Security
Suppliers must hold adequate technical and organisational policies and processes to uphold information security to a level that, at a minimum, meets accepted industry norms and includes an incident management procedure. Protection of information must be present throughout the life cycle of information exchange. Suppliers should possess the means to ensure secure data collection, data use, data transfer, data storage, data retention and data disposal. Suppliers are also expected to meet any specific data security requirements or policies from us or our clients.
3. Corporate and Social Responsibility
Suppliers should actively strive towards being a responsible employer and company paying particular attention to the following:
Anti-Bribery and Corruption
Suppliers must comply with all applicable laws, statutes, regulations, and codes relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010. Gifts, entertainment, and hospitality suppliers must not offer, accept or solicit any gifts, entertainment, or hospitality if this could lead anyone to conclude that in doing so, there would be an intent to improperly influence decisions or create advantage related to any of their business dealings.
Discrimination and Harassment
Suppliers should ensure that all their employees are treated with respect and should strive towards a culture that does not tolerate any form of discrimination or harassment including allowing employees to report concerns without fear of retaliation.
Human Rights and Working Conditions
Suppliers should regulate their workplaces and conform to all relevant national and international principles related to Equality and Human Rights including but not limited to the following; Human Rights Act 1998, UN Human Rights Council, EU Charter of Fundamental Rights, The National Living Wage, International Labour Organisation Standards, Modern Slavery Act 2015, Anti- Discrimination laws.
Health and Safety
Suppliers must regulate health & safety in their workplaces and maintain a framework and policy to keep employees safe from harm.
Environmental Sustainability
Suppliers must actively aim to reduce their environmental impact and be able to demonstrate ways they are achieving this.
4. How to comply with this policy
Violations of this supplier policy will be taken seriously. Suppliers must proactively notify their primary contact at the relevant Firefish Group company if they do not meet any element of this policy, if they suspect or become aware of a violation of this policy or if they need to declare a conflict of interest. This is essential to allow both parties to consult and agree corrective or compensating measures.
Measures could involve the following, or similar:
-
- asking a supplier to undergo an audit of its organisation or its supply chain and to report on its’ findings
- recommending or requiring corrective action plans
- in very serious cases, violation of this policy may lead to termination of contract with a supplier
Policy Updates
This policy will be revised and updated from time to time in accordance with changes to relevant regulations, legislation or company policies. Suppliers should check they are referring to the most up to date version of this policy.
Policy version: v5 2024
Firefish Group Data Security Schedule
Firefish Ltd and its affiliates, Firefish Data Ltd, The Pineapple Lounge Ltd, The Pineapple Lounge LLC and Firefish USA LLC, form a group of businesses which in this security schedule shall be referred to as the Firefish Group. The following sets out the required minimum information security standards for Firefish Group Suppliers. The term Personal Data shall have the meaning given to it in all relevant data protection legislation.
1. EDUCATION, AWARENESS AND TRAINING
1.1 The Supplier must ensure that they have sufficient knowledge and/or training has been received and understood, covering the following topics:
a) the nature of confidential data and Personal Data;
b) Supplier responsibilities in handling confidential data and Personal Data in both digital and physical form including transmission, storage and destruction;
c) proper methods for protecting confidential data and Personal Data including the use of a password policy;
d) computer security concerns including but not limited to web / email threats and malware; wireless network security best practices and safe file deletion and;
e) where applicable, workplace security including building access, reporting of incidents and similar issues.
1.2 Confirmation of Security Awareness Training
a) supplier to confirm on request that training has been completed and where applicable confirm for each member of Supplier Personnel engaged in the provision of Services; and
b) evidence of training can be made available upon request
2. ENCRYPTION
2.1. Encryption and Password Management
The Supplier shall ensure that passwords are managed securely at all times in accordance with good industry practice and shall ensure that all confidential data and Personal Data are protected against unauthorised access or destruction.
2.2. Protection of Data
The Supplier shall (and shall procure that its sub-contractors shall) in accordance with good industry practice, encrypt data stored on all digital or electronic portable storage devices (including computer laptops, PDAs, CDs, diskettes, portable drives, magnetic tapes and other similar devices).
3. ASSET MANAGEMENT
3.1. Back-Up and Archival Media
All back-up and archival media containing confidential data or, or other data used to provide the Services, must be contained in secure, environmentally-controlled storage areas owned, operated, or contracted for by the Supplier.
3.2. Disposal of Redundant Equipment and Media
The Supplier shall ensure that all redundant computer equipment and media shall be disposed of securely, including the secure erasure of all data contained on any such computer equipment and media prior to disposal such that the information cannot be retrieved.
3.3 Disposal of Hard Copy Material
The Supplier shall possess adequate equipment or hold a license with a certified waste disposal firm to ensure that all hard copy material is disposed of securely when no longer needed.
4. ACCESS CONTROL
4.1. Authentication
(a) the Supplier will ensure that unauthorised access to Systems is prevented;
(b) the Supplier will have defined, monitored and well understood procedures in place to prevent unauthorised disclosure, theft, mis-use or modification of information; and
(c) the Supplier shall ensure for themselves and where applicable that all Supplier Personnel having access to the Supplier System are authenticated by using user IDs and passwords or by strong authentication.
4.2. Password Management
(a) passwords must be required for all accounts and generated, used, enforced and changed on a periodic basis in line with good industry practice;
(b) the Supplier will ensure that passwords are set and communicated using a secure procedure;
(c) the Supplier shall ensure the following password management controls:
(i) authentication mechanisms must ensure that they cannot be bypassed to gain unauthorised access to systems;
(ii) authentication data such as passwords must not be stored in a form that allows the authentication data to be recovered in readable or decipherable form; and
(iii) passwords must be complex, use a combination of character classes and be a set minimum length in line with good industry practice.
4.3. User Access Control
(a) all accounts must be used by a sole, identifiable individual, unless the Firefish Group approves in writing the use of shared or generic accounts to access the Systems. Where such us is approved, the Supplier will ensure that there is a record of all users of that generic or shared account; and
(b) the Supplier will ensure that all users with privileges or additional rights to systems are specifically identifiable.
4.4. Shared Environment
If the Supplier provides the Services to the Firefish Group from a location that is shared with one or more third parties, the Supplier shall develop and implement processes to restrict physical and computer system access in any such shared environment. Such access shall be restricted to that portion of the shared environment dedicated to the Services only to Supplier’s employees, subcontractors or agents engaged in performing services relating to the Services.
5. MALWARE PROTECTION
5.1. Virus Protection
(a) the Supplier shall establish and maintain up-to-date protection against Malicious Code;
(b) the Supplier shall protect against transferring Malicious Code to the Firefish Group systems, the Firefish Group clients and other third parties using the Firefish Group Systems using current industry standard methods; and
(c) where updates cannot be applied to a system, the Supplier must deploy appropriate security countermeasures to protect the vulnerable systems.
6. CHANGE AND PATCH MANAGEMENT
6.1. Patch Management
(a) the Supplier shall develop and maintain a patch management strategy that is supported by management controls and supported by patch management procedures; and
(b) security patches and other relevant security vulnerability updates shall be implemented when available and approved, unless this introduces higher business risks. Supplier systems that for any reason cannot be updated should have security measures installed to protect the vulnerable system.
7. PHYSICAL SECURITY CONTROL
7.1. Security Risk Assessments
The Supplier shall conduct regular reviews of its physical security environment. These reviews must be performed and submitted to the Firefish Group upon request when a security incident has occurred; or when there has been a material change to the Services.
7.2. Sites and Asset Security
(a) the Supplier shall ensure that all mobile equipment related to the provision of the Services are protected from unauthorised access, loss or harm in accordance with good industry practice; and
(b) the Supplier shall ensure that they have and use a lockable area for all hard copy Firefish Group data and that no other person other than the Supplier or Supplier personnel has access to this area.
7.3. Access Control
The Supplier shall ensure that access control is in place to ensure only authorised personnel are permitted to enter the Supplier sites and that access is limited to areas required for that individual’s role. The Supplier shall ensure that critical entry points and doors to restricted areas are access controlled.
8. BUSINESS CONTINUITY
8.1 The Supplier will ensure that they have arrangements in place in order to continue to provide Services in case of business interruption/disaster.
9. ASSURANCE
9.1 the Supplier will provide assurance in any format requested by the Firefish Group that it is meeting the requirements of this Schedule; and
9.2 the Supplier will notify the Firefish Group of any substantive changes to its business circumstances, policies or procedures that may affect its ability to perform their obligations as set out in this Schedule.
Schedule/Policy version: V1_2019
Firefish Group Supplier Data Protection Addendum
This data protection addendum, including its Annexes (“DPA”) forms part of and is incorporated in any agreement entered into between you (“Supplier”) and Firefish for the provision of services (identified as “Services” or otherwise in the applicable agreement (“Services”)) to Firefish (the “Agreement”). This DPA sets out the parties’ agreement regarding and applies to:
i. in Part A, the processing of personal data by Supplier on behalf of Firefish as part of the Services where Firefish is the data controller and Supplier is a data processor (“Data Processing Terms”); and
ii. in Part B, the sharing of personal data by Supplier with Firefish, where both parties act as a data controller (including as joint controllers) (“Controller Terms”)
1. Definitions and interpretation
1.1
Capitalised terms not defined in this DPA shall have the meaning ascribed to them in the Agreement. In this DPA, references to:
“Affiliate” means in respect of a party, any entity which directly or indirectly is controlled by, controls or is under common control with such party.
“Agreement” means any terms and conditions entered into between the Supplier and Firefish for the provision of the Services under which Supplier processes Firefish Personal Data;
“Data Privacy Laws” means all laws applicable to any personal data processed under or in connection with the Agreement, including: (i) Regulation (EU) 2016/679, (ii) the retained EU law version of the General Data Protection Regulation 2016/679/EC (“UK GDPR”) and the UK Data Protection Act 2018; (iii) all associated codes of practice and other binding guidance issued by any supervisory authority or regulator; and (iv) all other equivalent legislation, all as amended, re-enacted and/or replaced and in force from time to time, and the terms personal data, data controller, data processor, processing, and supervisory authority shall have the same meaning as in the applicable Data Privacy Laws;
“Firefish” means Firefish Ltd or its Affiliate (as applicable) being the entity that has entered into the Agreement with Supplier.
“Firefish Group” means Firefish and all of its Affiliates from time to time.
“Firefish Personal Data” means personal data supplied to Supplier by or on behalf of Firefish and processed by Supplier on behalf Firefish, in each case in the performance of the Services.
“Non-Adequate Recipient” means a recipient of personal data which is established in a country or territory which has not been recognised by a relevant competent supervisory authority or another competent authority (including the European Commission) as providing an adequate level of protection (as defined by Data Privacy Laws) to personal data for the transfer and further processing of personal data;
“Restricted Transfer” means a transfer of personal data to a Non-Adequate Recipient which may be rendered permissible under Data Protection Laws where a Transfer Mechanism is validly used to make and govern the transfer;
“Standard Contractual Clauses” or “SCCs” means a set of contractual provisions approved or otherwise recognised by a relevant competent supervisory authority as enabling an international transfer of personal data to be made in compliance with Data Privacy Laws including, in the EEA, the contractual provisions found in decision 2021/914 of the European Commission (“EEA SCCs”) and in the UK, the ICO’s International Data Transfer Agreement and/or the ICO’s International Data Transfer Addendum to the EEA SCCs for the transfer of personal data from the UK (“UK SCCs”);
“Transfer Mechanism” means any means of transferring personal data from a data exporter to a data importer, permitted under Data Privacy Laws, including the Standard Contractual Clauses.
1.2
Except as set out in paragraph 1.1 above or defined differently in this DPA, defined terms used in this DPA shall have the same meaning as set out in the Agreement.
To the extent of any conflict between this DPA and the rest of the Agreement, the terms of this DPA will take precedence.
Part A: DATA PROCESSOR TERMS
1. General
1.1
The subject matter and duration, the nature and the purpose of the processing to be carried out, the type(s) of Firefish Personal Data to be processed, and the categories of data subjects in relation to whom Firefish Personal Data will be processed by Supplier on behalf of Firefish under the Agreement are as set out in Annex 1 except where different provisions are set out in the Agreement or otherwise agreed by the parties in writing.
1.2
To the extent that Supplier processes Firefish Personal Data on Firefish’s behalf in the performance of the Services, Supplier shall be the data processor and Firefish shall be data controller with respect to such processing.
1.3
Each party shall comply with its obligations under the Data Privacy Laws in respect of any personal data it processes in connection with the Services. In the event of inconsistency or conflict between the Data Privacy Laws or approach to compliance of one applicable jurisdiction and another, the requirements of the country that necessitates stricter or additional requirements to protect personal data shall apply.
2. Compliance with Data Privacy Laws
2.1
In relation to the processing of Firefish Personal Data, Supplier warrants, represents and undertakes for itself, and in respect of any sub-processor authorised under this DPA, that at all times it shall:
a) process Firefish Personal Data (including when making an international transfer of Firefish Personal Data) only to the extent necessary in order to provide the Services and then only in accordance with the terms of this DPA and Firefish’s written instructions from time to time (including as set out in the Agreement), unless otherwise required by law. Where Supplier is required by law to process Firefish Personal Data otherwise than as provided by this DPA, it will notify Firefish before carrying out the processing concerned (unless the law also prevents Supplier from doing so for reasons of public interest). If Supplier is aware, or of the opinion, that any instruction given by Firefish breaches Data Privacy Laws, Supplier shall immediately inform Firefish, giving details of the potential breach;
b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Firefish Personal Data transmitted, stored or otherwise processed under this DPA;
c) Take all reasonable steps to ensure that only authorised personnel have access to Firefish Personal Data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to Firefish Personal Data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
d) not do, or omit to do, anything which would cause Firefish to be in breach of its obligations under Data Privacy Laws;
e) not publish, disclose or divulge (and ensure that its personnel do not publish, disclose or divulge) any Firefish Personal Data to a third party unless Firefish has given its prior written consent;
f) ensure that only such of its personnel who may be required by Supplier to assist it in meeting its obligations in connection with the Services will have access to Firefish Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the reliability of such personnel;
g) inform Firefish promptly, and in any event within 24 (twenty-four) hours, of any enquiry or complaint received from a data subject or supervisory authority relating to Firefish Personal Data;
h) at no additional cost, provide full cooperation and assistance to Firefish (and its clients, as applicable) as Firefish (and its client, as applicable) may require to allow Firefish (and its client, as applicable) to comply with its obligations under the Data Privacy Laws, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfilment of data subject’s rights, and any enquiry, notice or investigation by a supervisory authority;
i) allow Firefish (and its client, as applicable) to monitor and audit Supplier’s compliance with the Data Privacy Laws and its obligations under this DPA at any time during normal business hours. Supplier agrees to provide Firefish (and its client, as applicable) promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If Firefish (or its client, as applicable) believes that an on-site audit is necessary, Supplier agrees to give Firefish (and its client, as applicable) reasonable access to Supplier’s premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has on-site. Firefish (and its client, as applicable) is entitled to have the audit carried out by a third party; and
j) at the request and option of Firefish or its client (whether during or following termination of the Services), promptly and as specified by Firefish return and/or destroy all Firefish Personal Data in the possession or control of Supplier.
2.2
Supplier shall, on Firefish’s request, make available to Firefish all information necessary to demonstrate compliance with this DPA and Supplier shall, at Firefish’s sole expense, comply with all reasonable requests from Firefish to allow Firefish’s independent auditors or external representatives to access and inspect Supplier’s records relevant to any Firefish Personal Data processed by it on behalf of Firefish under this Agreement, in each case to enable Firefish to verify that Supplier is complying fully with its obligations under this DPA and under Data Privacy Laws in relation to Firefish Personal Data processed by it on behalf of Firefish.
2.3
Upon completion of the Services, Supplier will delete or return to Firefish all Firefish Personal Data processed by Supplier under this Agreement, except to the extent that Supplier is required by law to retain any copies of Firefish Personal Data.
3. Sub-processors
3.1
Supplier shall not appoint any third party to process Firefish Personal Data (“Sub-processor”) without Firefish’s prior written consent or in accordance with this section 3, and subject in all cases to Supplier:
a) providing reasonable prior written notice to Firefish of the identity and location of the Sub-processor and a description of the intended processing to be carried out by the Sub-processor to enable Firefish to evaluate any potential risks to Firefish Personal Data;
b) imposing legally binding contract terms on the Sub-processor which are the same as those contained in this DPA.
3.2
Supplier acknowledges and agrees that it shall remain liable to Firefish for a breach of the terms of this DPA by a Sub-processor and other subsequent third-party processors appointed by it.
3.3
Firefish consents to Supplier engaging the Sub-processors for the processing of Firefish Personal Data as set out in Annex 1.
3.4
Firefish may object to Supplier’s use of a new Sub-processor on reasonable grounds relating to the protection of personal data, by notifying Supplier in writing no less than 30 days from receipt of Supplier’s notice under paragraph 3.1(a). The parties will promptly negotiate in good faith to resolve Firefish’s concerns, however if after a reasonable period of time (and in case no longer than 30 days from notification of Firefish’s initial objection), the parties cannot agree a suitable resolution, Firefish shall, upon written notice to Supplier, be entitled to terminate those Services under the Agreement that cannot be provided without the use of the contested Sub-processor. Supplier will refund Firefish any fees paid in advance for the terminated Services corresponding to the unexpired term after the effective date of termination.
4. Security breaches
4.1
Supplier shall notify Firefish in the most expedient time possible under the circumstances and in any event within 24 (twenty-four) hours of becoming aware of any actual or suspected accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Firefish Personal Data (“Security Breach“). Supplier shall also provide Firefish with a detailed description of the Security Breach, the type of data that was the subject of the Security Breach and (to the extent known to Supplier) the identity of each affected person(s), as soon as such information can be collected or otherwise becomes available, as well as all other information and co-operation which Firefish may reasonably request relating to the Security Breach.
4.2
Supplier agrees to take action immediately, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of any such Security Breach and, with Firefish’s prior agreement, to carry out any recovery or other action necessary to remedy the Security Breach.
4.3
Supplier may not issue, publish or make available to any third party any press release or other communication concerning a Security Breach without Firefish’s prior written approval.
5. International data transfers
5.1
Supplier shall not make a Restricted Transfer to or process any Firefish Personal Data in a country which is a Non Adequate Recipient without Firefish’s prior written consent (which may be given in the Agreement or this DPA) and only as strictly as necessary for the purpose of the Services.
5.2
If, pursuant to paragraph 5.1, Supplier or any of its Sub-processors are authorised to make a Restricted Transfer of Firefish Personal Data, then Supplier shall ensure that a Transfer Mechanism is put in place to ensure that the transfer complies with Data Privacy Laws and shall comply with such other instructions and shall carry out such other actions as Firefish may notify to it in writing.
5.3
Subject to the requirements of paragraph 5.2, Firefish hereby authorises Supplier to make Restricted Transfers to the extent strictly required for the processing carried out by Sub-Processors approved pursuant to paragraph 4 and Supplier shall ensure that it and the relevant Sub-Processor comply at all times with Data Privacy Laws in respect of the Restricted Transfer, including that the conditions for use of the chosen Transfer Mechanism for the Restricted transfer are met.
Transfers between Supplier and Firefish
5.4
To the extent that, in order for the Supplier to deliver the Services, any Restricted Transfer is required of Firefish Personal Data between Firefish or its Affiliate (acting as an ‘exporter’) and the Supplier (acting as an ‘importer’) or between the Supplier (acting as an ‘exporter’) to Firefish or its Affiliate (acting as an ‘importer’), the parties will ensure that an agreed Transfer Mechanism will govern such Restricted Transfer(s), which may include any relevant provisions of the Standard Contractual Clauses.
5.5
Where a Restricted Transfer set out in paragraph 5.4 would result in the transfer of Firefish Personal Data from the European Economic Area to a Non-Adequate Recipient outside the European Economic Area, Part A of Annex 2 shall apply to such Restricted Transfers.
5.6
Where a Restricted Transfer set out in paragraph 5.4 would result in the transfer of Firefish Personal Data from the Switzerland to a Non-Adequate Recipient outside of Switzerland, Part B of Annex 2 shall apply to such Restricted Transfers.
5.7
Where a Restricted Transfer set out in paragraph 5.4 would result in the transfer of Firefish Personal Data from the UK to a Non-Adequate Recipient outside of the UK, Part C of Annex 2 shall apply to such Restricted Transfers.
5.8
For the purposes of any Restricted Transfers described in paragraphs 5.5 to 5.7 (inclusive) above, the Supplier shall implement and maintain all supplementary measures to ensure compliance with its obligations as data exporter and to render the Restricted Transfer effective and compliant with the Data Privacy Laws.
5.9
the extent that, the parties consider that any specific Restricted Transfers of the nature described in paragraph 5.5 are not adequately protected by the Transfer Mechanisms incorporated into this DPA pursuant to paragraphs 5.5 to 5.7 (inclusive), the parties shall work together to put in a place an alternative or amended Transfer Mechanism to ensure such Restricted Transfers comply with Data Privacy Laws.
New Transfer Mechanisms
5.10
Where any updates or amendments to, or replacement of, a Transfer Mechanism is approved by the competent authority/ies during the term of the Agreement (“New Transfer Mechanism“), the parties will work together to agree and to put in place a New Transfer Mechanism.
6. Indemnity
6.1
Supplier shall indemnify and keep Firefish and its Affiliates (and its or their client, if applicable) fully and effectively indemnified in respect of all losses, damages, costs, charges, expenses and liabilities (including regulatory penalties imposed on Firefish or its Affiliates or its or their client, if applicable) arising out of or in connection with a breach by Supplier or its Sub-processor’s of this DPA or Data Privacy Laws.
Part B: DATA CONTROLLER TERMS
7. Data Discloser / Data Recipient
7.1
Where Supplier provides Services which involve the collection and processing of personal data (which shall be confined to the categories of information set out in the Agreement (“Shared Personal Data”)) as a data controller, the parties acknowledge and agree that Supplier (the “Data Discloser”) may disclose such Shared Personal Data to Firefish (the “Data Recipient”). Each of the Data Discloser and Data Recipient acts as a Data Controller (as the case may be, as Joint Data Controllers) in respect of the Shared Personal Data and each shall comply with the obligations on a Data Controller under Data Privacy Laws in respect of the Shared Personal Data.
8. Discloser obligations
The Data Discloser shall:
a) ensure that it has all necessary consents and notices in place to enable the lawful transfer of the Shared Personal Data to the Data Recipient and any Permitted Recipients (as defined below) for the purposes of the Agreement;
b) give full information to any data subject whose personal data may be processed under this Agreement of the nature such processing;
c) only process Shared Personal Data for the purposes contemplated by the Agreement and in accordance with the consents obtained from the relevant data subjects. Where the Supplier is the Data Discloser, Supplier acknowledges that Firefish may retain certain types of Shared Personal Data (name and contact details) solely for Firefish to perform internal quality control.
d) not disclose or allow access to the Shared Personal Data to anyone other than the parties to the Agreement, the employees and professional advisors of each party, any third parties engaged to perform obligations in connection with these Controller Terms (“Permitted Recipients”);
e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by the Controller Terms; and
f) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
g) The Data Discloser shall not transfer, nor permit any onward transfer by a third party of, any Shared Personal Data outside of the UK, European Economic Area or Switzerland unless the following conditions are fulfilled:
i) appropriate safeguards are provided in relation to the transfer in accordance with the Data Privacy Laws;
ii) the data subject has enforceable rights and effective legal remedies; and
iii) the transferor complies with its obligations under the Data Privacy Laws by providing an adequate level of protection to any Shared Personal Data that is transferred, including by implementing any Transfer Mechanism.
h) To the extent that any Restricted Transfer is required of Shared Personal Data between the Supplier (acting as an ‘exporter’) to Firefish (acting as an ‘importer’) or between Firefish (acting as an ‘exporter’) and the Supplier (acting as an ‘importer’), the parties will ensure that an agreed Transfer Mechanism will govern such Restricted Transfer(s), which may include any relevant provisions of the Standard Contractual Clauses. Where such a Restricted Transfer would result in the transfer of Shared Personal Data:
i) from the European Economic Area to a Non-Adequate Recipient outside the European Economic Area, Part A of Annex 3 shall apply to such Restricted Transfers.
ii) from the Switzerland to a Non-Adequate Recipient outside of Switzerland, Part B of Annex 3 shall apply to such Restricted Transfers.
iii) from the UK to a Non-Adequate Recipient outside of the UK, Part C of Annex 3 shall apply to such Restricted Transfers.
9. Assistance
9.1
Each party shall assist the other in complying with all applicable requirements of the Data Privacy Laws. In particular, each party shall, at its own cost:
a) consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;
b) promptly inform the other Party about the receipt of any exercise of a data subject’s rights under the Data Privacy Laws;
c) provide the other party with reasonable assistance in complying with any exercise of data subject’s rights under the Data Privacy Laws;
d) not disclose or release any Shared Personal Data in response to any exercise of a data subject’s rights without first consulting the other party wherever possible;
e) assist the other party, in responding to any exercise of a data subject’s rights and in ensuring compliance with its obligations under the Data Privacy Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
f) notify the other party without undue delay on becoming aware of any breach of the Data Privacy Laws relating to the Shared Personal Data.
10. Indemnity
10.1
Supplier shall indemnify and keep Firefish and its Affiliates (and its or their client, if applicable) fully and effectively indemnified in respect of all losses, damages, costs, charges, expenses and liabilities (including regulatory penalties imposed on Firefish or its Affiliates or its or their client, if applicable) arising out of or in connection with a breach by Supplier or its Sub-processor’s of these Controller Terms or Data Privacy Laws.
10.2
Nothing shall exclude or limit either party’s liability for fraud or for death or personal injury arising from its negligence, or for any other liability which cannot be excluded or limited as a matter of law. Subject to this, a party’s total aggregate liability for breach of these Controller Terms (including Annex 3 hereto) whether in contract, tort (including negligence), strict liability or otherwise) is limited to £5,000,000.
Annex 1 – Data Protection Particulars
1. Processing by Supplier: For the provision of the Services as set out in the applicable order document to the Agreement (“Work Order”) which may include (services related to market research, recruitment, fieldwork, analysis and reporting).
2. Scope & Nature: See description of Services in the applicable Work Order to the Agreement.
3. Purpose of processing: For the service provision agreed between the parties in the Work Order.
4. Frequency of processing: Processing will be continuous or ad hoc dependent on the nature of service provision.
5. Duration of the processing: For so long as the Services are provided under the Agreement and/or in accordance with Firefish’s written instructions.
6. Data subjects: As set out in the applicable Work Order to the Agreement or as determined by the nature of the Services under the Agreement and which may include:
– For market research services: Market research participants
– For HR/Finance services: Firefish employees/contractors
– For business services: Firefish employees, Firefish Third Parties
7. Types and/or categories of personal data: As set out in the applicable Work Order to the Agreement or as determined by the nature of the Services under the Agreement and which may include:
For market research services:
- Name and contact details (phone and email)
- Age, gender and location
- Address, if any research is to be conducted in a home
- Bank details for incentives paid via BACS
- Audio recordings, video footage and films
- Other types of personal data will be specified on confirmation of each Work Order
- Special Category Personal Data (which includes sensitive personal information such as health status/information, ethnicity, sexual orientation, sex life, political opinions, religious or philosophical beliefs) should only be processed if specified and necessary to provide the Services.
All types of personal data should only be processed on the strict basis that consent has been gained
For HR/Finance services: full name, contact details (phone, email), address, tax data such as NI number, bank details, emergency contact name and contact details, proof of identity and address. If Special Category Data is processed this will include health and criminal background data.
For business services: Firefish employee and Firefish third party contact details which may include IP address/geo-location data
8. Sub-processors: As set out in or in accordance with the Agreement
Annex 2: Data Processor Terms – Incorporation of SCCs (C2P and P2C)
Part A: EEA Transfers
Where the EEA SCCs are agreed as required by the parties for a Restricted Transfer, EEA SCCs are hereby deemed accepted by the parties and incorporated and read as follows:
EEA SCC clause reference | Interpretation – Controller – Processor Module 2 | Interpretation – Processor – Controller Module 4 |
Clause 7 – optional docking clause | Clause is not included | Clause is not included |
Clause 9 – use of sub-processors | OPTION 2: GENERAL WRITTEN AUTHORISATION is chosen. | N/A |
Clause 11 – redress | The optional paragraph within clause 11(a) is removed. | The optional paragraph within clause 11(a) is removed |
Clause 17 – governing law | Irish law shall be included into Clause 17 where a Member State is required to be specified | Irish law shall be included into Clause 17 where a Member State is required to be specified |
Clause 18 – choice of forum and jurisdiction | Irish courts shall be included into Clause 18 where a Member State is required to be specified | Irish courts shall be included into Clause 18 where a Member State is required to be specified |
Part A, Annex I – list of parties | For transfers from Firefish to Supplier: Firefish identified as the data exporter; and Supplier identified as data importer.
|
For transfers from Supplier to Firefish: Supplier identified as the data exporter; and Firefish identified as data importer.
|
Part B, Annex I – description of transfer | Populated with the relevant details of Annex 1 of this DPA | Populated with the relevant details of Annex 1 of this DPA |
Part C, Annex I – competent supervisory authority | The Data Protection Commission of Ireland shall be included where a competent supervisory authority is required to be specified | N/A |
Annex II – technical and organisational measures | As set out in paragraph 2.1(b) of the Data Processor Termsof this DPA | N/A |
Annex III – list of sub-processors | Populated in accordance with the Sub-processor section of Annex 1 of this DPA | N/A |
PART B: EEA Transfers
Swiss Transfers: Where the Swiss Federal Act on Data Protection of June 19, 1992, as amended or replaced (“Swiss FADP”) applies, the EEA SCCs above will apply as follows:
- a) the Swiss Data Protection and Information Commissioner is the exclusive supervisory authority;
- b) the term “member state” must not be interpreted in such a way as to exclude data subjects of Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EEA SCCs; and
- c) references to the GDPR in the EEA SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.
PART C: UK Transfers
Where Standard Contractual Clauses are agreed as required by the Parties for a Restricted Transfer involving any Firefish Personal Data that is subject to the UK Data Protection Law, the EEA SCCs found in PART A, Annex 2 to this DPA are incorporated, as amended by the Information Commissioner’s Office International Data Transfer DPA to the EU Commission Standard Contractual Clauses version B1.0 (the “IDTA”), which is hereby incorporated into this DPA as the Transfer Mechanism for any Restricted Transfers of Firefish Personal Data from the United Kingdom to a Non-Adequate Recipient, as populated by the details set out below:
Part 1: Tables
Table 1: Parties and signatures
Table 1 is populated as follows:
- The details of the Exporter and the Importer are populated with the relevant details of Firefish or (where the transfer is to or from a Firefish Affiliate) its Affiliate and Supplier (each as appropriate for the transfer) as described in the Agreement.
- The Key Contact for Firefish is the DPO, contactable at dataprotection@firefishgroup.com The Key Contact for Supplier is populated with the details of the signatory to the Agreement.
- The signatures to the Agreement to which this DPA relates constitute the signatures confirming each party agreeing (for itself and, as applicable, its relevant Affiliate(s)) to be bound by the IDTA.
Table 2: Selected SCCs, Modules and Selected Clauses
Table 2 is populated as follows:
- The Approved EU SCCs, including the Appendix Information, and with only the following modules, clauses or operational provisions of the Approved EU SCCs brought into effect for the purposes of this DPA.
- The modules and operational clauses in table 2 are populated with the relevant details of Part A, Annex 2 of this DPA.
- For the purposes of Option 4, personal data received from the importer may be combined with personal data collected by the exporter.
Table 3: Appendix Information
Table 3 is populated as follows:
- The list of parties is populated with the details of the parties found in the Agreement (or as applicable such party’s relevant Affiliate).
- A description of the transfer is populated with the details of the DPA and of Annex 1 of the DPA.
- The technical and organizational measures are populated with the details of paragraph 3.1(b) of the DPA.
- The list of Sub-processors is as set out in Part 1 of Annex 1 of this DPA]
Table 4: Ending this DPA when the Approved DPA Changes
Neither party may end this DPA as set out in Section 19 of the IDTA
Annex 3: Controller Terms – Incorporation of SCCs (C2C)
Part A: EEA Transfers
Where the EEA SCCs are required for a Restricted Transfer between the parties acting as data controllers, EEA SCCs are hereby deemed accepted by the parties and incorporated and read as follows:
EEA SCC clause reference | Interpretation – Controller to Controller Module 1 |
Clause 7 – optional docking clause | Clause is not included |
Clause 9 – use of sub-processors | N/A |
Clause 11 – redress | The optional paragraph within clause 11(a) is removed |
Clause 17 – governing law | Irish law shall be included into Clause 17 where a Member State is required to be specified |
18 – choice of forum and jurisdiction | Courts of Ireland shall be included into Clause 18 where a Member State is required to be specified |
Part A, Annex I – list of parties | For transfers from Supplier to Firefish: Supplier identified a data exporter; and Firefish identified as data importer
For transfers from Firefish to Supplier: Firefish identified as data exporter; and Supplier identified as data importer |
Part B, Annex I – description of transfer | For the purpose of the Services as set out in the Work Order to the Agreement. |
Part C, Annex I – competent supervisory authority | The Data Protection Commission of Ireland shall be included where a competent supervisory authority is required to be specified |
Annex II – technical and organisational measures | As set out at paragraph 8.1(f) of the Controller Terms to the DPA and/ or the relevant provisions of the Agreement (as applicable). |
Annex III – list of sub-processors | N/A |
PART B: Swiss Transfers
Swiss Transfers: Where the Swiss Federal Act on Data Protection of June 19, 1992, as amended or replaced (“Swiss FADP”) applies, the EEA SCCs above will apply as follows:
- the Swiss Data Protection and Information Commissioner is the exclusive supervisory authority;
- the term “member state” must not be interpreted in such a way as to exclude data subjects of Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EEA SCCs; and
- references to the GDPR in the EEA SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.
PART C: UK Transfers
Where Standard Contractual Clauses are required by the parties for a Restricted Transfer in accordance with these Controller Terms that is subject to the Data Privacy Laws in the UK, the EEA SCCs found in PART A of this Annex 3 are incorporated, as amended by the Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0 (the “IDTA”), which is hereby incorporated into this DPA as the Transfer Mechanism for any Restricted Transfers by a party from the United Kingdom to the other party as a Non-Adequate Recipient, as populated by the details set out below:
Part 1: Tables
Table 1: Parties and signatures
Table 1 is populated as follows:
- The details of the Exporter and the Importer are populated with the relevant details of Supplier and Firefish (each as appropriate for the transfer) as described in the Agreement.
- The Key Contact for Firefish is the DPO contactable at dataprotection@firefishgroup.com The Key Contact for the Supplier is populated with the details of the signatory to the Agreement.
- The signatures to the Agreement to which this DPA relates constitute the signatures confirming each party agreeing (for itself and, as applicable, its relevant Affiliate(s)) to be bound by the IDTA.
Table 2: Selected SCCs, Modules and Selected Clauses
Table 2 is populated as follows:
- The Approved EU SCCs, including the Appendix Information, and with only the following modules, clauses or operational provisions of the Approved EU SCCs brought into effect for the purposes of this DPA.
- The modules and operational clauses in table 2 are populated with the relevant details of Part A of this Annex 3.
- For the purposes of Option 4, personal data received from the importer may be combined with personal data collected by the exporter.
Table 3: Appendix Information
Table 3 is populated as follows:
- The list of parties is populated with the details of the parties found in the Agreement (or as applicable such party’s relevant Affiliate).
- A description of the transfer is populated with the details at Part A of this Annex 3.
- The technical and organizational measures are populated with the details referred to in Part A of this Annex 3.
Table 4: Ending this Addendum when the Approved Addendum Changes
Neither party may end this Addendum as set out in Section 19 of the ID
Privacy Compliance Addendum
This PRIVACY COMPLIANCE ADDENDUM (“Addendum”) forms part of and is incorporated into any agreement entered into between you, the Vendor, and the Company for the provision of services (identified as “Services” or otherwise in the applicable agreement (“Services”)) to the Company (the “Agreement”). This Addendum sets forth the confidentiality, security and privacy requirements associated with the Services provided by the Vendor to the Company
Now therefore, in consideration of the mutual covenants and agreements in this Addendum, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Company and Vendor agree as follows:
1. Definitions.
1.1 “Agreement” means any terms and conditions entered into between the Vendor and Company for the provision of the Services under which Vendor processes Personal Data subject to COPPA.
1.2 “Company” means the Firefish Group entity that has entered into the Agreement with the Vendor.
1.3 “COPPA” shall mean the U.S. federal law known as the “Children’s Online Privacy Protection Act of 1998”, (15 U.S.C. 6501, et seq.,) and all rules and regulations thereunder, as may be amended or updated from time to time.
1.4 “Firefish Group” means Firefish Ltd or any of its affiliates; The Pineapple Lounge Ltd, The Pineapple Lounge LLC, Firefish Data Ltd, Firefish USA LLC from time to time.
1.5 “Personal Data” shall mean any information that can be traced back to a specific child under 13 years of age, including: first and last name; a home address, or other physical address, including street name and name of a city or town; online contact information; a screen name or user name that functions as online contact information; a telephone number; a social security number; a persistent identifier that can be used to recognize a user over time and across different websites or online services; a photograph, video, or audio file that contains a child’s image or voice; geolocation information sufficient to identify street name and name of a city or town; information concerning the child or the parents of that child that the operator collects from the child online and combines with an identifier described above; and any other information protectable under COPPA.
1.6 “Subprocessor” shall mean subcontractors and vendors engaged by Vendor that will process Company Personal Data.
1.7 “Vendor” shall mean the supplier who has entered into an Agreement for the provision of services to the Company
2. COPPA Compliance.
It is understood that the services provided by Vendor will comply with COPPA and any Personal Data collected shall be used solely for facilitating the purposes of this Agreement and solely for the benefit of Company and not for the benefit of Vendor. Vendor shall disclose to Company all Personal Data collected through the services and will not provide the Personal Data to any third party or use the data to retarget any potential end user. For clarity, Vendor hereby agrees to not collect any Personal Data from any end user in violation of COPPA.
3. Representations and Warranties.
In addition to Vendor’s representations and warranties set forth in the Agreement, Vendor further represents and warrants that: (i) it shall comply with its privacy policy and all laws, rules, regulations related to the processing of Personal Data in all jurisdictions and countries that such data touches; (ii) to the extent it collects Personal Data on its website, it will post a privacy policy that complies with COPPA and which outlines its data collection processes; (iii) its services and technology (and any settings of any technology) are designed to be compliant with and will operate in compliance with COPPA; (iv) it has implemented an internal program designed to identify any changes that need to be made to Vendor’s technologies in order for Vendor to be compliant or continue to be compliant with COPPA; (v) it shall only transfer Personal Data to only Subprocessors that comply with COPPA and shall ensure that each of its Subprocessors comply with COPPA (to the extent COPPA is applicable); (vii) it shall only process Company Personal Data for the purpose of providing services to Company under the Agreement; (viii) it has all the necessary approvals, permission and consents (including verifiable parental consent) to process Company Personal Data; (ix) all Company Personal Data shall be collected, processed and stored through industry-standard security measures including: AES-256 encryption at rest and in motion and transferred on TLS v 1.0+connections; and (x) it will promptly respond to or assist Company to respond to parental requests to change, delete or otherwise provide Personal Data of their child and honor all withdrawals of consent, and it has the necessary mechanisms in place to be sure the parent or legal guardian making the request is actually the real parent or legal guardian of the child.
4. Processing of Personal Data.
When processing Personal Data, Vendor shall:
4.1 implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk and in accordance with applicable requirements of applicable law, including COPPA;
4.2 shall carry out adequate due diligence prior to the appointment of any Subprocessors that will process Company Personal Data to ensure that such party is capable of providing the level of protection for Company Personal Data required by COPPA and the Agreement, and permit Company to approve or reject any Subprocessors prior to Vendor’s engagement of such Subprocessor;
4.3 be liable for the acts and omissions of its Subprocessors to the same extent Vendor would be liable if performing the services of each Subprocessor directly under the terms of this Addendum;
4.4 shall provide Company, upon Company’s request, a description of all Company Personal Data being processed by Vendor and all Subprocessors and all Company Personal Data shared with third parties.
4.5 give notice in writing to Company of any disclosure of Company Personal Data, including any disclosures that it is required to make by applicable law or regulatory body promptly after it becomes aware of such a requirement and in any event prior to making any such disclosure;
4.6 shall only retain Company Personal Data for only as long as necessary to fulfill the purpose of the collection and only as instructed by Company on a project-by-project basis.
5. Security.
Vendor shall implement commercially reasonable safeguards in the design, implementation and hosting of the services that are no less rigorous than accepted commercial best industry practices and shall: (i) describe such practices to Company in writing, and (ii) notify Company without unreasonable delay if it becomes aware of any security vulnerability associated with any services. Vendor shall use best efforts to ensure that the services are secure and function as intended and it shall cause the services, when delivered to or used by any entity or any user, to be free from any viruses, worm or other malicious, unauthorized or disruptive code or feature, including without limitation, any code or feature that prevents or interrupts the use of any Company’s property.
6. Security Incident.
Vendor shall promptly (within 24 hours of becoming aware) notify Company in writing of: (a) any actual or reasonably suspected breach of security, which when reasonably suspected poses a risk to the security, confidentiality or integrity of Company Personal Data; (b) any actual or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, alteration, compromise or disclosure of any Company Personal Data; or (c) any circumstance pursuant to which applicable law requires notification of such breach to be given to affected parties or other activity in response to such circumstance (each, a “Security Incident”). Unless prohibited by applicable law, Vendor shall also notify Company of any third party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity (foreign or domestic). Without limiting the foregoing, Company shall make the final decision on notifying (including the contents of such notice) Company’s clients, employees, service providers, affected individuals and/or the general public of such Security Incident, and the implementation of the remediation plan. Vendor shall reimburse Company for all costs incurred by Company arising out of or in connection with any Security Incident.
7. Indemnification.
Vendor shall defend, indemnify and hold harmless Company and its parent company, subsidiaries and affiliates and their respective directors, officers, employees and agents for any damages, losses, liabilities, penalties, costs and expenses (including reasonable attorneys’ fees) resulting from any action, claim, suit, demand or proceeding that concerns or arises out of Vendor’s breach of this Addendum and/or the negligence or willful misconduct of Vendor or any Subprocessor or third party engaged by Vendor.
8. Deletion or return of Company Personal Data.
Upon termination of the Agreement or Company’s written request, Vendor shall, within 14 days, delete or return (at Company’s election) all copies of those Company Personal Data in its and its Subprocessors’ possession, and provide written certification to Company of such deletion or return.
9. Audit rights.
Upon request, Vendor shall make available to Company all information necessary to demonstrate compliance with this Addendum, and shall fully cooperate with all audits, including inspections, by any Company or its auditor.
10. General Terms.
The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum. Vendor acknowledges and agrees that the terms and conditions of this Addendum shall complement and supplement those set forth in the Agreement. Nothing in this Addendum reduces Vendor’s obligations under the Agreement in relation to the protection of Personal Data or permits Vendor to process (or permit the processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.