Terminology

Name

Description

CRO
Companies Registration Office
CRA
Charities Regulator
DEASP
Department of Employment and Social Protection
LTD
Limited Company
DAC
Designated Activity Company
ULC
Unlimited Company
CLG
Company Limited by Guarantee
RBO
Register of Beneficial Owners
PPSN
Personal Public Service number
OPCC
OmniPro Corporate Consultants Limited
VIN
Verification Identity Number
IPV
Identified Person Number
VIF
Verification Identity Form
CA2014
Companies Act 2014
4MLD
Fourth Money Laundering Directive

Formations

Notes

1. Company Name

A list of 3 company name options should be provided. OPCC can check and advise the proposed name before the order form is completed however ultimately it is the CRO whom have final say on the name. OPCC does not take responsibility for a name being rejected or accepted. Please see Company Name Guidelines below in on Company Names. A company name may also be reserved with the CRO, this can be done by requesting such from OPCC. An additional charge may be applied for such. 

Guidelines on Company Names

CRO Guidelines for names which if not followed may result in name refusal;

  • It is identical or similar to a name already appearing on the register of companies;
  • It is offensive;
  • It would suggest state sponsorship;
  • Names containing certain words cannot be used unless approved by relevant bodies;
    • For example, the words “bank”, “banker”, “banking”, “banc”, may only be used with the permission of the Central Bank of Ireland
    • Words such as “society”, “co-op” or “co-operative” cannot be used unless prior permission has been sought from and granted by the Registrar of Friendly Societies.
    • The words “University”(Ollscoil), “Regional Technical College”(Ceardcholáiste Réigiúnach) and “Institute of Technology” (Institiúid Teicneolaíochta) cannot be used unless permission has been sought from and granted by the Department of Education.
    • The word “architect” either alone or in combination with any other words or letters, or name, title or description implying that the person is so registered, cannot be used unless a Notice of Determination has been issued by the Royal Institute of the Architects of Ireland (RIAI).
      • This does not apply to the names “landscape architect”, “naval architect”, “architectural technician”, “architectural technologist”, and “interior design architect” and similar terms.
    • If a name includes words which imply specific functions e.g. “holding company”, “group” etc., further information may be required by the CRO to support the application.
      • OPCC can assist with this.
    • In the case of the word “Charity”, further information may be sought by the CRO to support the application.
    • The use of the word “standard” is prohibited.
 
For further information on Company Names please see;https://www.cro.ie/Registration/Company/Incidental-Obligations/Company-Name
 
Name Objection
Section 30 of the Companies Act 2014 states that if your chosen name is too similar to the name of another company, and is accepted for registration by the CRO, through inadvertence or otherwise, an objection on grounds of similarity could be made in writing to the Registrar of Companies within six months following the incorporation of your company and you could be directed by the Registrar to change the company name. In considering whether names are too alike, the Registrar will take account of all relevant factors suggesting similarity and leading to confusion between the names of the two companies.
If the Registrar, pursuant to section 30 Companies Act 2014, directs a company to change its name, such change must take place within six weeks of the date of the Registrar’s direction or such longer period as she may allow. A company that fails to comply with the direction will be eligible for prosecution.

2. Company Type

There are 4 main types of Companies, Private Company Limited by Shares, Designated Activity Company, Company Limited by Guarantee without a Share Capital and a Public Limited Company. The most common type of company used is a Private Company Limited by Shares. Guarantee Companies are usually used for Not-For-Profit Companies or Property Management Companies.
  • Private Company Limited by Shares – Minimum of 1 member – Max 149 members
  • Company Limited by Guarantee without a Share Capital – minimum of 1 member
  • Public Limited Company
  • Unlimited Company

3. Principal Objects Clause/NACE

Object Clause
A detailed description of what activities the Company will carry out should be provided. You are limited to an objects clause of 40 words or less. If you wish to have an objects clause longer than 40 words, this application will have to be submitted manually. A manual submission may result in an additional charge and may take up to 14 days for the Companies Registration Office to form the Company.
For CLG’s whom wish to apply for Charity Status with CRA a main object and three ancillary objects are required. For further detail on requirements for charity status please see CRA website: https://www.charitiesregulator.ie/en/information-for-charities/registering-a-charity
 
NACE Code
A company may not be incorporated and registered unless it appears to the Registrar of Companies that the company, when registered, will carry on an activity in the State. The general nature of the activity and the appropriate NACE Code Classification must be included on the Form A1.In the event that a company is being formed to carry on two or more activities within the State, the particulars to be furnished in the declaration are those relating to the principal activity which the company is being formed to carry on in the State.Further information on NACE codes can be found at:https://www.cro.ie/Registration/Company/Incidental-Obligations/Activity-in-State

4. Share Capital

The authorised share capital figure is the maximum amount of share capital the company can issue – Commonly €1,000,000 or €100,000. This figure may be increased but cannot be decreased unless by a High Court Order. Authorised Share Capital is no longer required under Companies Act 2014 for Limited Companies.The issued share capital is the number of shares being issued to the subscribers – commonly 1 share, 2 shares, 10 shares, 20 shares or 100 shares. A share gives the shareholder a vote in the Company and consideration should be given when deciding the number of shares to be issued to each Shareholder.Shares are usually issued as Ordinary Shares, however other Share Classes may be set up. Please contact OPCC for queries relating to other share classes.The amount per share is the cost of each share – usually €1, shares can also be issued in a different currency. Shares may also be issued at a premium and the amount paid by premium must be disclosed.Companies Limited by Guarantee without a Share Capital need not complete this section.

5. Directors and Secretary Details

Company Director

A minimum of 1 Director is required to set up a LTD Company, and a Minimum of 2 Directors for all other Companies.At least 1 Director must be resident in European Economic Area (EEA). In the absence of an EEA resident Director, a Section 137 Bond must be taken out and filed with the incorporation documentation. OPCC can assist with this is required.A body corporate cannot act as Director.

A Director should disclose all information requested on the form regarding their personal details

Any Director who has been disqualified or restricted from acting as a Director or Secretary or who is an Undischarged Bankrupt in Ireland or in another jurisdiction, must disclose this information to the Companies Registration Office. Failure to disclose this information is an offence and the Director maybe prosecuted in the High Court. A form B74 must be completed and submitted to the Companies

Registration Office together with the A1 Form. If the above relates to a Director please contact OPCC prior to the submission of the Company Order Form.

A list of current or past worldwide directorships held by each Director in the last 5 years should be attached to the order form.

Under Section 35 of Corporate Enforcement Authority Act 2021 the CRO require PPSN for Directors to be submitted. The PPSN must match the Director’s forename, surname and date of birth with DEASP records. Alternatively if a Director has a RBO transaction number or a IPN as supplied by CRO this can be used. The Registrar reserves the right to reject any submission where the details entered on the CRO do not match those details registered with the DEASP. Failure for the PPSN to match DEASP records may result in a delay in registration of your company.

For further information please contact OPCC.

Company Secretary

Every Company must have a Secretary. This can be a natural person or a body corporate.

Under Companies Act 2014 for Limited Companies where there is One Director, that same Director cannot be the Company Secretary.

What if a Director does not have a PPSN?

For Directors whom do not have a PPSN, the Registrar has determined that the Form VIF will be the method to be used to verify the person’s identity. Alternatively if they are in receipt of an RBO Number this can be used. Please inform OPCC if your Director requires has a VIF.

6. Subscriber Details

The number of shares issued to each shareholder must be disclosed. Where the share class is not indicated OPCC will include Ordinary Share Class. If you require a different share class please inform OPCC prior to sending in the order form. There may be additional fee for the drafting and addition of a varying share class into the Constitution of the Company.Each share gives the shareholder a vote in the Company and it is important that the new shareholders decide the number of shares to be issued. Please include total amount paid for shares, if left blank it will be assumed the shares were paid at nominal.If a shareholders agreement is being included please inform OPCC whom may need to adjust the Constitution of the Company accordingly.

7. Registered Office Details

The registered office must be situated in the State. The address must be a physical location and not a post office box number. A letter addressed to the company at its registered office address must be capable of being delivered by An Post. It is very important that the address of the Registered Office is correct, as this is the address all legal documents will be sent.Post incorporation please be aware S.49(a) CA2014 requires that a Company ‘shall display its name in a conspicuous position, in letters easily legible, outside every office or place in which its business is carried on and at its registered office’.

8. Rejected Submissions

Company Directors
Section 35 of Corporate Enforcement Authority Act 2021, the CRO is required to validate data entered on the Register with DEASP to ensure the details are that of a natural person, failure of the details not matching may result in the submission being rejected.
A new application will need to be completed and uploaded again through the CRO online filing portal with the correct details for the data subject. Under Data Protection legislation, the CRO will not contact the presenter and a letter will be issued to the data subject informing them of such rejection. Common errors for returns being rejected include;
  • PPSN is incorrect,
  • Date of Birth is incorrect, and
  • Mismatch on names.
The company’s Director(s) may be required to contact DEASP to confirm their details. Once OPCC are updated with the Director’s details the application will be resubmitted.
 
General
The CRO have right to return or reject an application on the grounds detailed in an email to the OPCC. OPCC will communicate this to the person listed on the Order Form in order to resolve the issue and resubmit the incorporation. Returned or Rejected Submissions will cause delays to the incorporation process.
An amended Constitution or Form A1 may need to be signed by the parties listed on the order form, if required OPCC will correspond this to the Presenter.

9. Length of Formation

Submission to CRO
In most cases OPCC will submit a Company incorporation through the CRO Fé Phráinn A1 Scheme which has an average turn around time of 5 Working days. Where a manual submission is required the average turn around time is 10 working days.
Companies may be formed quicker or take longer than the stated guidelines above. OPCC cannot guarantee the Company being formed within stated the guidelines.For up to date filing timeline please see CRO website: https://www.cro.ie/en-ie/About-CRO/Whats-New/Daily-Processing-Times

10. Post Incorporation

OPCC is not responsible for an entities Post Incorporation filing e.g.: Annual Return, RBO etc It is the responsibility of the Directors of the entity to ensure all filings are up to date for the Company.

RBO

11. Notes

Beneficial Owner
It is the entities responsibility to supply OPCC with whom their beneficial owners are, OPCC does not take responsibility for the identification of an entities beneficial owner.
Article 3(6), 4AMLD, defines a “beneficial owner” is a natural person who directly or indirectly owns or controls over 25% of the share capital or the voting rights or control by any other means. Control by other means is where an individual, who does not hold more than 25% of the shares or voting rights or ownership interest of an entity, still exercises significant control or influence over the entity.
Article 3(6), 4AMLD, states that “Control through other means may be determined, inter alia, in accordance with the criteria in Article 22(1) to (5) of Directive 2013/34/EU of the European Parliament and of the Council on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings,” In Recital 13 of 4AMLD, control via other means is explained as follows: “Control through other means may, inter alia, include the criteria of control used for the purpose of preparing consolidated financial statements, such as through a shareholders’ agreement the exercise of dominant influence or the power to appoint senior management”.Direct control is where the beneficial owner personally owns or controls a relevant entity by one or more of the following means; • 25% plus one share or• 25% or more of the voting rights, or• 25% or more of the ownership interest, or• has direct control or influence over the company/society via other means.Indirect control is indicated by a shareholding of 25% plus one share or an ownership interest of more than 25% held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s).
 
Shareholders agreement
OPCC will need to review such to establish the beneficial owner. On return of the completed checklist please also return a copy of such shareholders agreement.Golden Share
This allows the holder of such share control over the board of directors of that company. Where such a share is issued by the company, the holder of this share may also be considered the beneficial owner If this is the case for your entity please inform OPCC.
 
Trusts
Bare Trust – assets (shares) held by trustee for the benefit of another person(s). The Beneficiary has the absolute right to the capital and assets within the trust, as well as the income generated from these assets.
Discretionary Trust – assets are held for a group of beneficiaries, who can receive their entitlements as prescribed by the trustee. beneficiaries have no interest in the assets for legal or taxation purposes until such time as the assets (or indeed income accruing thereon) is passed out to them.

12. Incomplete Checklists

If the checklist is returned to OmniPro Corporate Consultants Limited incomplete, the checklist will be returned for completion and the beneficial owner(s) will not be filed on the RBO.

13. Filing as per Order Form

By ticking yes, you are permitting OmniPro Corporate Consultants Limited to file with the RBO the beneficial owner(s) exactly as what was submitted on the Order Form of the company.
As part of the service we will also review your company records, if we note a discrepancy between the details of the checklist we will follow up on such discrepancy. Note however you are ultimately responsible for disclosing who the beneficial owner is.

14. Rejected Submissions

The RBO is required to validate data entered on the central register with DEASP to ensure the details are that of a natural person, failure of the details not matching may result in the submission being rejected.

A new application will need to be completed and uploaded again through the RBO online filing portal with the correct details for the data subject.

Under Data Protection legislation, the RBO will not contact the presenter and a letter will be issued to the data subject informing them of such rejection. It is then the data subject responsibility to confirm their correct details with OPCC. Once OPCC are updated with the beneficial owner(s) details the application will be resubmitted.

Please indicate on the form if you would like us to contact the beneficial owner directly if a rejection occurs. Common errors for returns being rejected are;

  • PPSN is incorrect,

  • Date of Birth is incorrect,

  • Mismatch on names. 

15. BEN2/VIF

For beneficial owners whom do not have a PPSN, the Registrar has determined under Regulation 21(2)(b), SI 110/2019, that the Form BEN2/VIF will be the method to be used to verify the person’s identity.

Please inform OmniPro Corporate Consultants Limited if your beneficial owner requires/ already has an RBO transaction number as supplied by submission of the BEN2.

Any relevant entity that fails to file a PPSN with the RBO where such a number has been assigned to a beneficial owner, and/or submits a BEN2/VIF application where a PPSN exists for the beneficial owner, will have committed an offence and attention is drawn to Regulations 28(5) and 28(7) of S1 110/2019 in this regard.

16. RBO Time Frame

Any entity in existence before 22 June 2019 must deliver the following information to the Central Register by 22 November 2019.
The responsibility of a company/society officers to obtain and confirm beneficial ownership, to keep the register current and the information contained correct, then to deliver such information in prescribed form to the RBO within the relevant time frame.

General

17. Anti-Money Laundering and Customer Due Diligence

OmniPro Corporate Consultants are required to complete Customer Due Diligence on all company formations.

We require you as a Designated Person to confirm under the AML section of the Order Form to confirm that:-

  • You are a designated person as defined in S.25 of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended;

    • If you do not meet the definition of a designated person please contact OPCC.

  • You have performed appropriate Customer Due Diligence on this business relationship in full compliance with the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended;

  • If requested to do so, will forward OPCC , as soon as practicable, any documents (whether or not in electronic form) or information relating to the customer that we have obtained in applying CDD.

18. Payment Terms

All professional fees are subject to VAT at a rate of 23%. Our fee is payable in full upon presentation of the invoice.

If additional work is to be completed outside the scope of the initial application, for example new share class, additional clauses in constitution etc. there may be an additional fee for these services which due for payment on issuance of the invoice.

All invoices are issued in the name of the firm identified as contact details for incorporation purposes in the order form and that firm is solely responsible and liable to discharge the amount due in full. All cheques should be made payable to OmniPro Corporate Consultants.

Payment may made by Bank Transfer, Credit Card and Cheque. Details for bank transfers can be found on the invoice.

19. RBO

It is the responsibility of the company itself to interpret and identify whom the beneficial owner(s) are. Unless requested to do so OPCC will not file the beneficial ownership on your behalf. For further detail please see the RBO Tab in the document.

20. Confidential Information

OmniPro Corporate Consultants Limited shall not disclose, to third parties, any information acquired in the course of our professional work without your specific consent, except where there is a legal right or duty to disclose it.

21. Taxation Advice Not Provided by OmniPro

OPCC has not been engaged to provide tax advise in relation to this Service. Should You wish to engage OPCC for tax advise on your incorporation please contact OPCC.

22. GDPR

During our engagement, you may disclose personal data to OPCC in order to facilitate OPCC in providing our services to you. The processing of personal data is regulated in Ireland by the General Data Protection Regulation EU 2016/679 as supplemented by the Data Protection Act 2018, together with other laws which relate to privacy and electronic communications. We refer to these as the “Data Protection Legislation”. You agree that we are entitled to hold any personal data provided to OPCC that may be obtained during the course of providing the agreed service. You further agree that we may use your personal data for that purpose and in accordance with the requirements of the prevailing Data Protection Legislation.

We shall only process personal data:

  • In order to provide our services to you and perform any other obligations in accordance with our engagement with you;

  • In order to comply with our legal or regulatory obligations; and

  • Where it is necessary for the purposes of our legitimate interests and those interests are not

    overridden by the data subjects’ own privacy rights.

We shall be considered to be a data processor in relation to your client’s personal data. We will comply with all requirements and obligations applicable to OPCC under the data protection legislation in respect of the client’s personal data as set out in Note 24 below.

Our privacy notice which can also be accessed at https://omnipro.ie/privacy-policy/ explains how we process personal data.

Acceptance of these terms of engagement includes your consent and acceptance of our Data Privacy Notice and our compliance with the requirements of the prevailing Data Protection Legislation and the processing of personal data.

23. Data Processor Agreement

23.1.Introduction
23.1.1.

This agreement re processing of personal data (the “Data Processor Agreement”) regulates OmniPro Group (the “Data Processor”) processing of personal data on behalf of the client (the “Data Controller”) and is attached as an attachment to the Professional Service Agreement in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller. For the purposes of this agreement, OmniPro Group refers to all of the Companies listed in Sub-Appendix A of this appendix applicable for this engagement.

23.1.2.

In certain instances, OmniPro Group can assume the responsibility of Data Controller. See Sub-appendix A for a breakdown of such instances. When OmniPro is acting as Data Controller they shall comply with a Data Controllers duty and the client the Data Processors duty as outlined in this agreement.

  

23.2.

Legislation

23.2.1.

The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

  

23.3.

Processing of personal data

23.3.1.

Purpose: The purpose of the processing under the Service Level Agreement is the provision of the Services by the Data Processor as specified in the Service Level Agreement.

23.3.2.

In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.

23.3.3.

”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update sub-appendix A whenever changes occur that necessitates an update.

23.3.4.

The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).

 
 

23.4.

Instruction

23.4.1.

The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Main Services as described in the Main Service Level Agreement. Subject to the terms of this DPA and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.

23.4.2.

The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller’s instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.

23.4.3.

The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified.

 
 

23.5.

The Data Processor’s obligations

23.5.1.

Confidentiality

23.5.1.1

The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller in writing has agreed.

23.5.1.2.

The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.

23.5.1.3.

Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Main Services and this Data Processor Agreement.

 
 

23.5.2.

The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.

 
 

23.5.3.

Security

23.5.3.1.

The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.

 
 

23.5.4.

The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.

 
 

23.5.5.

Data protection impact assessments and prior consultation

23.5.5.1.

If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.

 
 

23.5.6.

Rights of the data subjects

23.5.6.1.

If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

23.5.6.2.

If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.

 
 

23.5.7.

Personal Data Breaches

23.5.7.1.

The Data Processor shall give immediate notice to the Data Controller if a breach occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

23.5.7.2.

The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.

 
 

23.5.8.

Documentation of compliance and Audit Rights

23.5.8.1.

Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.

23.5.8.2.

The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.

 
 

23.5.9.

Data Transfers

23.5.9.1.

Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA), [for example, Dropbox or Google]. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.

 
 

23.6.

Sub-Processors

23.6.1.

The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub- Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.

23.6.2.

In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.

23.6.3.

The Data Processor shall complete a written sub-processor agreement with any Sub- Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub- Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.

23.6.4.

The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

23.6.5.

The Data Processor is at the time of entering into this Data Processor Agreement using the Sub- Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B under paragraph 2.

 
 

23.7.

Remuneration and costs (Optional)

23.7.1.

The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6, 5.7 and 5.8 of this Data Processor Agreement based on the Data Processor’s hourly rates.

23.7.2.

The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Main Agreement if the performance of the obligations under the Main Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Main Agreement is changed to reflect the new Instruction and commercial terms thereof.

 
 

23.8.

Limitation of Liability

23.8.1.

The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Main Service Level Agreement.

23.8.2.

Nothing in this DPA will relieves the processor of its own direct responsibilities and liabilities under the GDPR.

 
 

23.9.

Duration

23.9.1.

The Data Processor Agreement shall remain in force until the Main Service Level Agreement is terminated.

 
 

23.10

Data Protection Officer

23.10.1.

The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.

 
 

23.11.

Termination

23.11.1.

Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data in its possession as provided in the Agreement except to the extent the Data Processor is required by Applicable law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.

 
 

23.12.

Contact

23.12.1

The contact information for the Data Processor and the Data Controller is provided in the Main Service Level Agreement.

Agreement

We agree to the terms of this Data Processor Agreement and have signed the letter of engagement as evidence of acceptance