Check our Data Protection Policy below.

1

Introduction and Scope

This Personal Data Protection Policy (“Policy”) describes the privacy practices of Finqware regarding the Processing of Personal Data of the directors, employees and – to the extent applicable – the customers of the Client and/or the relevant Client Affiliates, as part of the provision of Finqware Services to its Clients.

This Policy applies to all Services provided by Finqware to its Clients under the Service Agreements, executed on or after the effective date of this Policy, where Finqware will be acting as Processor, processing  Personal Data on behalf of the Client in accordance with Data Protection Laws and the Client will be acting as Controller.

This Policy does not apply to the collection of Personal Data through our website or through cookies with respect to which Personal data Finqware can be considered Controller; we refer to our separate Website Privacy Statement and Cookies policy for more information in this regard.

This Policy is available through the Finqware website at the following link: www.finqware.com/data-protection/ Finqware reserves the right to update this Policy without consulting or pre-informing its Clients. Notwithstanding the foregoing, the version of the Policy that applies and will continue to apply to a particular Service Agreement will be the version of the Policy that is in effect at the time of the effective date of such Service Agreement, unless amendments are required to comply with Data Protection Laws in which case the most recent version of the Policy published on the website shall apply.

2

Definitions

The capitalized terms listed below have the following meaning in this Policy:

“Client”
means the counterparty to the Service Agreement with Finqware;
“Client Affiliate”
means any legal entity affiliated to the Client;
“Client Data Subjects”
shall mean the former and current directors, officers and employees and customers of the Client and Client Affiliates;
“Controller”, “Processor”, “Processing”, “Personal Data Breach”
shall have the meaning indicated in GDPR;
“Data Protection Audit”
means audits, including data protection compliance questionnaires, carried out by the Client or a third-party on behalf of the Client, with the objective to verify Finqware compliance with the data protection obligations stated in the Service Agreement and this Policy.
“Data Protection Laws”
means in relation to any Personal Data which is Processed in the performance of the Service Agreement, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations;
“Personal Data”
means any information through which a Client Data Subject can be identified directly or indirectly;
“Services”
means services Finqware provides to the Client under the Service Agreement;
“Service Agreement”
means any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between Finqware and the Client;
“Subprocessor”
means any data processor appointed by Processor to process Personal Data on behalf of the Controller;
3

Personal data processed by Finqware

The details of the Personal Data that will be Processed by Finqware on behalf of the Client, including the duration, purpose and types and categories of Personal Data, as well as Subprocessors, if any, will be set out in the Service Agreement.

4

Use of personal data

Finqware shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:

as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Client, or
as required to comply with Data Protection Laws or other laws to which Finqware is subject, in which case Finqware shall (to the extent permitted by law) inform Client of that legal requirement before processing the Personal Data.

In addition, Finqware is allowed to use aggregated data – to the extent this can no longer be considered Personal Data – for analysing purposes, for website and for internal operations,including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.

5

Subprocessing

Finqware may be required to appoint certain third parties, to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the Client authorises Finqware to subcontract the Processing of Personal Data to Subprocessors which are in each case subject to the terms between Finqware and the Subprocessor which are no less protective than those set out in this Policy and the Service Agreement. Finqware will inform the Client in advance of any intended changes concerning the addition or replacement of Subprocessors and thereby give the Client the opportunity to object to such changes. If the Client does not object in writing within fifteen (15) days of receipt of the notice, the Client is deemed to have accepted the new Subprocessor. If the Client does object in writing within fifteen (15) days of receipt of the notice, Finqware and the Client will discuss possible resolutions within a reasonable timeframe and without detriment to the Parties and to their compliance with each of their respective obligations set forth in the Services Agreement.

6

Confidentiality and security

Finqware shall keep the Personal Data confidential and will ensure its staff and Subprocessors are bound by the same confidentiality obligation. Finqware shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to article 32 GDPR. In assessing the appropriate level of security, Finqware shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

7

Co-operating with requests of the client

Finqware shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the Client that relate to the Processing of Personal Data. In particular, Finqware shall co-operate with requests that relate to Client Data Subject rights, Data Protection Impact Assessments and audit rights as described below.

Client Data Subject rights: Finqware shall co-operate as requested by the Client to enable the Client to comply with its obligations with any exercise of rights by a Client Data Subject in respect of Personal Data and assist Client in its compliance with any assessment, enquiry, notice or investigation as required under Data Protection Laws. Provided in each case that the Client shall reimburse Finqware in full for all costs (including for internal resources and any third party costs) reasonably incurred by Finqware performing its obligation to assist Client in its compliance under this section.

Data Protection Impact Assessment: Finqware shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Data Protection Laws, including Article 35 GDPR, and with any prior consultations to any Supervisory Authority of the Client which are required under Data Protection Laws, including Article 36 GDPR, in each case in relation to Processing of Personal Data by Finqware on behalf of the Client and taking into account the nature of the processing and information available to Finqware.

Audit rights: On reasonable request and notice, Finqware will co-operate in the conduct of any Data Protection Audit or inspection, reasonably necessary to demonstrate Finqware ‘s compliance with the processor obligations laid down in Data Protection Laws and this Policy related to the Service Agreement, provided always that this requirement will not oblige Finqware to provide or permit access to information concerning: (i) Finqware internal pricing information; (ii) information relating to Finqware ‘s other Clients; (iii) any of Finqware non-public external reports. The Client shall avoid causing any damage, injury or disruption to Finqware ‘s equipment, personnel and business in the course of such Data Protection Audit or inspection. A maximum of one Data Protection Audit may be activated under this section in any twelve (12) month period, unless the audit is following upon a Personal Data Breach caused by Finqware in the same period. Any further Data Protection Audit shall be at the Client’s expense.

The Client’s requests provided in this section 7 will be fulfilled in close co-operation with and under supervision of Finqware ‘s Information Security Officer.

8

Deletion or return of client personal data

Finqware will, at the choice of the Client, delete or return the Personal Data at the end of the provision of the Services relating to Processing, unless (i) Data Protection Laws, (ii) any other law or legal act of any government or regulatory authority that applies to the Services, or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by Finqware.

9

Incident management

Finqware shall notify the Client without undue delay after becoming aware of a Personal Data breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a Personal Data breach under Data Protection Laws (Article 33 (3).

10

International transfers of client personal data

Always subject to section 4 of this Policy and in the event the Services require international transfers of Personal Data between Finqware and/or any Subprocessor(s), the following shall apply (insofar relevant):

Transfer to Subprocessors in or from EU.
The Personal Data may be transferred (i) to one or more Subprocessors in one or more Member States of the EEA or Switzerland on the basis of Data Protection Laws pursuant to the Clients permission ex section 5 of this Policy, or (ii) to one or more such Subprocessors in one or more third countries on the basis of an exception under Data Protection Laws, or (iii) on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by Finqware to ensure the protection of the Personal Data, or by the Client, in which case Finqware shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Subprocessor. At the Client’s request, Finqware shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.
Other transfers
Where the data protection or privacy law of any country outside the EEA or Switzerland applies to the Personal Data, the Client shall ensure that any cross-border transfer of Personal Data from Finqware to a Subprocessor shall be allowed, by implementing additional safeguards pursuant to Data Protection Laws or as otherwise permitted by Data Protection Laws.
11

Liability

The Client warrants that all Personal Data processed by Finqware on behalf of the Client has been and shall be Processed by the Client in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to Client Data Subjects which described the processing to be undertaken by Finqware pursuant to the Services agreed upon in the Service Agreement.

Finqware shall be liable for the damage caused by Processing only where it has not complied with obligations of Data Protection Laws specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Client as indicated in the Service Agreement. Client shall be liable for the damage caused by Processing by Client which infringes Data Protection Laws. Client or Processor shall be exempt from liability under this section 11 if it proves that it is not in any way responsible for the event giving rise to the damage.

Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and where they are, under the Service Agreement, responsible for any damage caused to Client Data Subject by Processing, each Controller or Processor shall be held liable for the entire damage in order to ensure effective compensation of the Client Data Subject(s). Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controller(s) or Processor(s) involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in the previous paragraph.

Save for this section 11 third paragraph, the indemnities, liabilities and exclusions or limitations thereof set out in the Service Agreement, shall also apply to the obligations of the parties pursuant to this Policy and the Service Agreement, and in case of any conflict will prevail.

Contact Us

If you have any queries about this Data Protection Policy or about the privacy practices of Finqware, please send an email to dpo@finqware.com and be sure to indicate the nature of your query.